From a7a80da928fff9b61639dd5388aa4debf0208e4e Mon Sep 17 00:00:00 2001
From: Matthias
Date: Fri, 13 May 2022 01:22:51 +0200
Subject: [PATCH 1/9] Add unittests for auth stack Fixes #2980
---
 InvenTree/InvenTree/test_middleware.py | 49 ++++++++++++++++++++++++++
 1 file changed, 49 insertions(+)
 create mode 100644 InvenTree/InvenTree/test_middleware.py
diff --git a/InvenTree/InvenTree/test_middleware.py b/InvenTree/InvenTree/test_middleware.py
new file mode 100644
index 0000000000..fbf08eb172
--- /dev/null
+++ b/InvenTree/InvenTree/test_middleware.py
@@ -0,0 +1,49 @@
+"""Tests for middleware functions"""
+
+from django.test import TestCase
+
+from django.contrib.auth import get_user_model
+from django.urls import reverse
+
+
+class MiddlewareTests(TestCase):
+ """Test for middleware functions"""
+
+ def check_path(self, url, code=200, **kwargs):
+ response = self.client.get(url, HTTP_ACCEPT='application/json', **kwargs)
+ self.assertEqual(response.status_code, code)
+ return response
+
+ def setUp(self):
+ super().setUp()
+
+ # Create a user
+ user = get_user_model()
+
+ self.user = user.objects.create_user(username='username', email='user@email.com', password='password')
+ self.client.login(username='username', password='password')
+
+ def test_AuthRequiredMiddleware(self):
+ """Test the auth middleware"""
+
+ # test that /api/ routes go through
+ self.check_path(reverse('api-inventree-info'))
+
+ # logout
+ self.client.logout()
+
+ # check that static files go through
+ self.check_path('/static/admin/fonts/LICENSE.txt')
+
+ # check that account things go through
+ self.check_path(reverse('account_login'))
+
+ # logout goes diretly to login
+ self.check_path(reverse('account_logout'))
+
+ # check that frontend code is redirected to login
+ response = self.check_path(reverse('stats'), 302)
+ self.assertEqual(response.url, '/accounts/login/?next=/stats/')
+
+ # check that a 401 is raised
+ self.check_path(reverse('settings.js'), 401)
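Review bot: The only `/api/` request in `test_AuthRequiredMiddleware` is made while the client is still logged in from `setUp`, so it does not show that the middleware lets API routes through for an unauthenticated client, which is what the comment `# test that /api/ routes go through` implies. Repeating `self.check_path(reverse('api-inventree-info'))` after `self.client.logout()` would pin that exemption, assuming the endpoint is meant to be reachable anonymously, so that an accidental widening or narrowing of the bypass shows up as a test failure. The `account_logout` check likewise asserts only a 200 status, while its comment says the request ends up at login; asserting on what is actually rendered would make the comment true. `check_path` would also benefit from a one-line docstring such as `"""GET url as JSON and assert the response status code."""`.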
From 6b550e05474c6a8ca6730638a4d2770f9a3da0f8 Mon Sep 17 00:00:00 2001 From: Matthias Date: Fri, 13 May 2022 01:23:12 +0200 Subject: [PATCH 2/9] Tests for token Auth --- InvenTree/InvenTree/test_middleware.py | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/InvenTree/InvenTree/test_middleware.py b/InvenTree/InvenTree/test_middleware.py index fbf08eb172..8728955b1c 100644 --- a/InvenTree/InvenTree/test_middleware.py +++ b/InvenTree/InvenTree/test_middleware.py @@ -47,3 +47,20 @@ class MiddlewareTests(TestCase): # check that a 401 is raised self.check_path(reverse('settings.js'), 401) + + def test_token_auth(self): + """Test auth with token auth""" + # get token + response = self.client.get(reverse('api-token'), format='json', data={}) + token = response.data['token'] + + # logout + self.client.logout() + # this should raise a 401 + self.check_path(reverse('settings.js'), 401) + + # request with token + self.check_path(reverse('settings.js'), HTTP_Authorization= f'Token {token}') + + # should still fail without token + self.check_path(reverse('settings.js'), 401) From 80a2dad34e6f4f041a04479f3b5f3f6f4d887a08 Mon Sep 17 00:00:00 2001 From: Matthias Date: Fri, 13 May 2022 01:23:25 +0200 Subject: [PATCH 3/9] remove dead code --- InvenTree/InvenTree/middleware.py | 4 ---- 1 file changed, 4 deletions(-) diff --git a/InvenTree/InvenTree/middleware.py b/InvenTree/InvenTree/middleware.py index b6550379e2..eca078e163 100644 --- a/InvenTree/InvenTree/middleware.py +++ b/InvenTree/InvenTree/middleware.py @@ -71,10 +71,6 @@ class AuthRequiredMiddleware(object): # No authorization was found for the request if not authorized: - # A logout request will redirect the user to the login screen - if request.path_info == reverse_lazy('account_logout'): - return HttpResponseRedirect(reverse_lazy('account_login')) - path = request.path_info # List of URL endpoints we *do not* want to redirect to From 53712c2d6c9b70f9ab25fe14b2e8d1c432d9cc60 Mon Sep 17 00:00:00 2001 
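Review bot: In `test_token_auth` the token is read with `response.data['token']` without first checking the response, so a failing token endpoint surfaces as a KeyError or AttributeError instead of a clear assertion failure; add `self.assertEqual(response.status_code, 200)` and `self.assertIn('token', response.data)` before using it. `format='json'` is an argument of DRF's `APIClient`; on the plain `django.test` client used here it is passed through as an extra WSGI environ entry and has no effect, so it can be dropped. The header keyword is spelled `HTTP_Authorization`, whereas the conventional environ key is `HTTP_AUTHORIZATION`; code that reads `request.META` directly would not see the mixed-case form, so the uppercase spelling is the safer choice for a test that is meant to prove token authentication works.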
From: Matthias Date: Fri, 13 May 2022 01:29:32 +0200 Subject: [PATCH 4/9] PEP fix --- InvenTree/InvenTree/middleware.py | 1 - InvenTree/InvenTree/test_middleware.py | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/InvenTree/InvenTree/middleware.py b/InvenTree/InvenTree/middleware.py index eca078e163..5e122d4689 100644 --- a/InvenTree/InvenTree/middleware.py +++ b/InvenTree/InvenTree/middleware.py @@ -3,7 +3,6 @@ from django.conf import settings from django.contrib.auth.middleware import PersistentRemoteUserMiddleware from django.http import HttpResponse -from django.shortcuts import HttpResponseRedirect from django.shortcuts import redirect from django.urls import reverse_lazy, Resolver404 from django.urls import include, re_path diff --git a/InvenTree/InvenTree/test_middleware.py b/InvenTree/InvenTree/test_middleware.py index 8728955b1c..2bb459bba1 100644 --- a/InvenTree/InvenTree/test_middleware.py +++ b/InvenTree/InvenTree/test_middleware.py @@ -60,7 +60,7 @@ class MiddlewareTests(TestCase): self.check_path(reverse('settings.js'), 401) # request with token - self.check_path(reverse('settings.js'), HTTP_Authorization= f'Token {token}') + self.check_path(reverse('settings.js'), HTTP_Authorization=f'Token {token}') # should still fail without token self.check_path(reverse('settings.js'), 401) From bf2b9d2beb732876f2a49367059fa8cd4b53fd54 Mon Sep 17 00:00:00 2001 From: Matthias Mair Date: Fri, 13 May 2022 19:37:09 +0200 Subject: [PATCH 5/9] Update test_middleware.py --- InvenTree/InvenTree/test_middleware.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/InvenTree/InvenTree/test_middleware.py b/InvenTree/InvenTree/test_middleware.py index 2bb459bba1..41c148515b 100644 --- a/InvenTree/InvenTree/test_middleware.py +++ b/InvenTree/InvenTree/test_middleware.py 
@@ -33,7 +33,7 @@ class MiddlewareTests(TestCase): self.client.logout() # check that static files go through - self.check_path('/static/admin/fonts/LICENSE.txt') + self.check_path('/static/admin/css/login.css') # check that account things go through self.check_path(reverse('account_login')) From f3bf12641592f5c7924f794e65400483ddffa120 Mon Sep 17 00:00:00 2001 From: Matthias Date: Sat, 14 May 2022 00:11:18 +0200 Subject: [PATCH 6/9] maybe this ressource can be found in the cloud --- InvenTree/InvenTree/test_middleware.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/InvenTree/InvenTree/test_middleware.py b/InvenTree/InvenTree/test_middleware.py index 41c148515b..a622d01193 100644 --- a/InvenTree/InvenTree/test_middleware.py +++ b/InvenTree/InvenTree/test_middleware.py @@ -33,7 +33,7 @@ class MiddlewareTests(TestCase): self.client.logout() # check that static files go through - self.check_path('/static/admin/css/login.css') + self.check_path('/static/css/inventree.css') # check that account things go through self.check_path(reverse('account_login')) From 2483b746cf1e9a11b2f9bbe3cab36a7fb0cdd89a Mon Sep 17 00:00:00 2001 From: Matthias Date: Sun, 15 May 2022 00:08:46 +0200 Subject: [PATCH 7/9] remove static test --- InvenTree/InvenTree/test_middleware.py | 3 --- 1 file changed, 3 deletions(-) diff --git a/InvenTree/InvenTree/test_middleware.py b/InvenTree/InvenTree/test_middleware.py index a622d01193..2e5944200e 100644 --- a/InvenTree/InvenTree/test_middleware.py +++ b/InvenTree/InvenTree/test_middleware.py @@ -32,9 +32,6 @@ class MiddlewareTests(TestCase): # logout self.client.logout() - # check that static files go through - self.check_path('/static/css/inventree.css') - # check that account things go through self.check_path(reverse('account_login')) From 40fa86152e3ac67fea14ca88b86dbc351feafaea Mon Sep 17 00:00:00 2001 
From: Matthias Date: Sun, 15 May 2022 00:44:26 +0200 Subject: [PATCH 8/9] Add test for wrong token --- InvenTree/InvenTree/test_middleware.py | 3 +++ 1 file changed, 3 insertions(+) diff --git a/InvenTree/InvenTree/test_middleware.py b/InvenTree/InvenTree/test_middleware.py index 2e5944200e..6b8e8ec658 100644 --- a/InvenTree/InvenTree/test_middleware.py +++ b/InvenTree/InvenTree/test_middleware.py @@ -59,5 +59,8 @@ class MiddlewareTests(TestCase): # request with token self.check_path(reverse('settings.js'), HTTP_Authorization=f'Token {token}') + # Request with broken token + self.check_path(reverse('settings.js'), 401, HTTP_Authorization=f'Token abcd123') + # should still fail without token self.check_path(reverse('settings.js'), 401) From 2ae5fcf6a8fac89f284a23c564a252eb4fc41858 Mon Sep 17 00:00:00 2001 From: Matthias Date: Sun, 15 May 2022 00:46:56 +0200 Subject: [PATCH 9/9] PEP fix --- InvenTree/InvenTree/test_middleware.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/InvenTree/InvenTree/test_middleware.py b/InvenTree/InvenTree/test_middleware.py index 6b8e8ec658..bced2eb079 100644 --- a/InvenTree/InvenTree/test_middleware.py +++ b/InvenTree/InvenTree/test_middleware.py @@ -60,7 +60,7 @@ class MiddlewareTests(TestCase): self.check_path(reverse('settings.js'), HTTP_Authorization=f'Token {token}') # Request with broken token - self.check_path(reverse('settings.js'), 401, HTTP_Authorization=f'Token abcd123') + self.check_path(reverse('settings.js'), 401, HTTP_Authorization='Token abcd123') # should still fail without token self.check_path(reverse('settings.js'), 401)
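Review bot: The negative case added to `test_token_auth` covers only one shape of bad credential, a short unknown key (`Token abcd123`); a header carrying the scheme with no key, and a key that was valid but has since been deleted, are left untested. Something like `self.check_path(reverse('settings.js'), 401, HTTP_Authorization='Token')` next to the new line, plus a check that the token obtained earlier in the test is rejected once it has been removed, would cover malformed headers and revocation. Both are expected to yield 401, but confirm against the middleware, which is not shown in this hunk. The body of `test_token_auth` starts outside the hunk.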