|
6 | 6 | from unittest.mock import MagicMock, patch |
7 | 7 | from urllib.parse import parse_qs, urlencode, urlparse |
8 | 8 |
|
| 9 | +import pytest |
9 | 10 | import pytz |
10 | 11 | from dateutil.relativedelta import relativedelta |
11 | 12 | from django.db.models import Q |
|
22 | 23 | from apps.constants import CODE_CHALLENGE_METHOD_S256, PATIENT_SCOPE |
23 | 24 | from apps.dot_ext.constants import ( |
24 | 25 | APPLICATION_HAS_CLIENT_CREDENTIALS_ENABLED_NON_CLIENT_CREDENTIALS_AUTH_CALL_MADE, |
| 26 | + AUDIT_EVENT_SCOPE_ERROR_MESSAGE, |
25 | 27 | CLIENT_CREDENTIALS_TYPE, |
26 | 28 | ) |
27 | 29 | from apps.dot_ext.models import Application, ArchivedToken |
@@ -1885,3 +1887,92 @@ def test_fail_when_app_only_allowed_client_credentials(self): |
1885 | 1887 | ), |
1886 | 1888 | }, |
1887 | 1889 | ) |
| 1890 | + |
| 1891 | + |
| 1892 | +@pytest.mark.parametrize( |
| 1893 | + 'scope, auth_url, enable_auditevents_switch_active, expected_message', |
| 1894 | + [ |
| 1895 | + ( |
| 1896 | + 'patient/Patient.rs patient/AuditEvent.rs', |
| 1897 | + 'oauth2_provider:authorize', |
| 1898 | + True, |
| 1899 | + AUDIT_EVENT_SCOPE_ERROR_MESSAGE, |
| 1900 | + ), |
| 1901 | + ('patient/Patient.rs patient/AuditEvent.s', 'oauth2_provider:authorize', True, AUDIT_EVENT_SCOPE_ERROR_MESSAGE), |
| 1902 | + ('patient/Patient.rs patient/AuditEvent.r', 'oauth2_provider:authorize', True, AUDIT_EVENT_SCOPE_ERROR_MESSAGE), |
| 1903 | + ( |
| 1904 | + 'patient/Patient.rs patient/AuditEvent.rs', |
| 1905 | + 'oauth2_provider_v2:authorize-v2', |
| 1906 | + True, |
| 1907 | + AUDIT_EVENT_SCOPE_ERROR_MESSAGE, |
| 1908 | + ), |
| 1909 | + ( |
| 1910 | + 'patient/Patient.rs patient/AuditEvent.s', |
| 1911 | + 'oauth2_provider_v2:authorize-v2', |
| 1912 | + True, |
| 1913 | + AUDIT_EVENT_SCOPE_ERROR_MESSAGE, |
| 1914 | + ), |
| 1915 | + ( |
| 1916 | + 'patient/Patient.rs patient/AuditEvent.r', |
| 1917 | + 'oauth2_provider_v2:authorize-v2', |
| 1918 | + True, |
| 1919 | + AUDIT_EVENT_SCOPE_ERROR_MESSAGE, |
| 1920 | + ), |
| 1921 | + ( |
| 1922 | + 'patient/Patient.rs patient/AuditEvent.rs', |
| 1923 | + 'oauth2_provider_v3:authorize-v3', |
| 1924 | + True, |
| 1925 | + AUDIT_EVENT_SCOPE_ERROR_MESSAGE, |
| 1926 | + ), |
| 1927 | + ( |
| 1928 | + 'patient/Patient.rs patient/AuditEvent.s', |
| 1929 | + 'oauth2_provider_v3:authorize-v3', |
| 1930 | + True, |
| 1931 | + AUDIT_EVENT_SCOPE_ERROR_MESSAGE, |
| 1932 | + ), |
| 1933 | + ( |
| 1934 | + 'patient/Patient.rs patient/AuditEvent.r', |
| 1935 | + 'oauth2_provider_v3:authorize-v3', |
| 1936 | + True, |
| 1937 | + AUDIT_EVENT_SCOPE_ERROR_MESSAGE, |
| 1938 | + ), |
| 1939 | + ('patient/Patient.rs patient/AuditEvent.rs', 'oauth2_provider:authorize', False, 'Invalid scopes.'), |
| 1940 | + ('patient/Patient.rs patient/AuditEvent.s', 'oauth2_provider:authorize', False, 'Invalid scopes.'), |
| 1941 | + ('patient/Patient.rs patient/AuditEvent.r', 'oauth2_provider:authorize', False, 'Invalid scopes.'), |
| 1942 | + ('patient/Patient.rs patient/AuditEvent.rs', 'oauth2_provider_v2:authorize-v2', False, 'Invalid scopes.'), |
| 1943 | + ('patient/Patient.rs patient/AuditEvent.s', 'oauth2_provider_v2:authorize-v2', False, 'Invalid scopes.'), |
| 1944 | + ('patient/Patient.rs patient/AuditEvent.r', 'oauth2_provider_v2:authorize-v2', False, 'Invalid scopes.'), |
| 1945 | + ('patient/Patient.rs patient/AuditEvent.rs', 'oauth2_provider_v3:authorize-v3', False, 'Invalid scopes.'), |
| 1946 | + ('patient/Patient.rs patient/AuditEvent.s', 'oauth2_provider_v3:authorize-v3', False, 'Invalid scopes.'), |
| 1947 | + ('patient/Patient.rs patient/AuditEvent.r', 'oauth2_provider_v3:authorize-v3', False, 'Invalid scopes.'), |
| 1948 | + ], |
| 1949 | +) |
| 1950 | +@override_switch('v3_endpoints', active=True) |
| 1951 | +def test_failure_on_authorize_non_v3_with_audit_event_scope( |
| 1952 | + create_application, scope, auth_url, enable_auditevents_switch_active, expected_message |
| 1953 | +): |
| 1954 | + """Ensure a bad request 400 error, with message equal to Invalid scopes is raised |
| 1955 | + when there is a v1, 2, or 3 auth request that includes any AuditEvent scope in the scopes param |
| 1956 | + and regardless of if the enable_auditevents switch is true or false |
| 1957 | + """ |
| 1958 | + with override_switch('enable_auditevents', active=enable_auditevents_switch_active): |
| 1959 | + redirect_uri = 'http://localhost' |
| 1960 | + |
| 1961 | + # create an application via fixture |
| 1962 | + application = create_application('an app') |
| 1963 | + payload = { |
| 1964 | + 'client_id': application.client_id, |
| 1965 | + 'response_type': 'code', |
| 1966 | + 'redirect_uri': redirect_uri, |
| 1967 | + 'scope': [scope], |
| 1968 | + 'expires_in': 86400, |
| 1969 | + 'allow': True, |
| 1970 | + 'state': '0123456789abcdef', |
| 1971 | + 'code_challenge': 'sZrievZsrYqxdnu2NVD603EiYBM18CuzZpwB-pOSZjo', |
| 1972 | + 'code_challenge_method': CODE_CHALLENGE_METHOD_S256, |
| 1973 | + } |
| 1974 | + |
| 1975 | + response = Client().post(reverse(auth_url), data=payload) |
| 1976 | + |
| 1977 | + assert response.status_code == HTTPStatus.BAD_REQUEST |
| 1978 | + assert response.json()['message'] == expected_message |
0 commit comments