encode/django-rest-framework
1
1
Fork 0
mirror of https://github.com/encode/django-rest-framework.git synced 2024-09-21 11:29:01 +03:00
Code Issues Packages Projects Releases Wiki Activity
247954d497
django-rest-framework/tests/test_authentication.py

526 lines
19 KiB
Python
Raw Normal View History

Handle invalid characters in headers
2015-06-03 20:55:34 +03:00
# coding: utf-8
3.2, 3.3 compat
2013-02-01 18:03:28 +04:00
from __future__ import unicode_literals
Sort imports with isort
2015-06-25 23:55:51 +03:00
import base64
Add tests for BasicAuthentication and TokenAuthentication (#4837) * Add tests for BasicAuthentication * Add tests for Token authentication * Adjust test to pass on Django 1.8
2017-01-23 18:08:59 +03:00
import pytest
Sort imports with isort
2015-06-25 23:55:51 +03:00
from django.conf.urls import include, url
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
from django.contrib.auth.models import User
fix import order
2016-01-05 19:20:22 +03:00
from django.db import models
urls, patterns, include imports move to compat to support incoming 1.3 thru 1.6 import compatability
2012-12-20 03:12:27 +04:00
from django.http import HttpResponse
Django 1.10 support. (#4158) * Added TEMPLATES setting to tests * Remove deprecated view-string in URL conf * Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...') * Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style * Get model managers and names in a version-compatible manner. * Apply override_settings to a TestCase, not a mixin class * Use '.callback' property instead of private attributes when inspecting urlpatterns * Pass 'user' to template explicitly * Correct sorting of import statements. * Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES. * Remove code style issue * BaseFilter test requires a concrete model * Resolve tox.ini issues * Resolve isort differences between local and tox environments
2016-06-01 17:31:00 +03:00
from django.test import TestCase, override_settings
Moved OAuth support out of DRF and into a separate package, per #1767
2014-09-06 02:30:01 +04:00
from django.utils import six
Sort imports with isort
2015-06-25 23:55:51 +03:00
from rest_framework import (
HTTP_HEADER_ENCODING, exceptions, permissions, renderers, status
)
Auth is no longer lazy. Closes #667. More consistent auth failure behavior.
2013-02-28 21:58:58 +04:00
from rest_framework.authentication import (
Sort imports with isort
2015-06-25 23:55:51 +03:00
BaseAuthentication, BasicAuthentication, SessionAuthentication,
TokenAuthentication
Auth is no longer lazy. Closes #667. More consistent auth failure behavior.
2013-02-28 21:58:58 +04:00
)
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
from rest_framework.authtoken.models import Token
Django 1.10 support. (#4158) * Added TEMPLATES setting to tests * Remove deprecated view-string in URL conf * Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...') * Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style * Get model managers and names in a version-compatible manner. * Apply override_settings to a TestCase, not a mixin class * Use '.callback' property instead of private attributes when inspecting urlpatterns * Pass 'user' to template explicitly * Correct sorting of import statements. * Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES. * Remove code style issue * BaseFilter test requires a concrete model * Resolve tox.ini issues * Resolve isort differences between local and tox environments
2016-06-01 17:31:00 +03:00
from rest_framework.authtoken.views import obtain_auth_token
Version 3.5 (#4525) * Start test case * Added 'requests' test client * Address typos * Graceful fallback if requests is not installed. * Add cookie support * Tests for auth and CSRF * Py3 compat * py3 compat * py3 compat * Add get_requests_client * Added SchemaGenerator.should_include_link * add settings for html cutoff on related fields * Router doesn't work if prefix is blank, though project urls.py handles prefix * Fix Django 1.10 to-many deprecation * Add django.core.urlresolvers compatibility * Update django-filter & django-guardian * Check for empty router prefix; adjust URL accordingly It's easiest to fix this issue after we have made the regex. To try to fix it before would require doing something different for List vs Detail, which means we'd have to know which type of url we're constructing before acting accordingly. * Fix misc django deprecations * Use TOC extension instead of header * Fix deprecations for py3k * Add py3k compatibility to is_simple_callable * Add is_simple_callable tests * Drop python 3.2 support (EOL, Dropped by Django) * schema_renderers= should *set* the renderers, not append to them. * API client (#4424) * Fix release notes * Add note about 'User account is disabled.' vs 'Unable to log in' * Clean up schema generation (#4527) * Handle multiple methods on custom action (#4529) * RequestsClient, CoreAPIClient * exclude_from_schema * Added 'get_schema_view()' shortcut * Added schema descriptions * Better descriptions for schemas * Add type annotation to schema generation * Coerce schema 'pk' in path to actual field name * Deprecations move into assertion errors * Use get_schema_view in tests * Updte CoreJSON media type * Handle schema structure correctly when path prefixs exist. Closes #4401 * Add PendingDeprecation to Router schema generation. * Added SCHEMA_COERCE_PATH_PK and SCHEMA_COERCE_METHOD_NAMES * Renamed and documented 'get_schema_fields' interface.
2016-10-10 15:03:46 +03:00
from rest_framework.compat import is_authenticated
Sort imports with isort
2015-06-25 23:55:51 +03:00
from rest_framework.response import Response
from rest_framework.test import APIClient, APIRequestFactory
urls, patterns, include imports move to compat to support incoming 1.3 thru 1.6 import compatability
2012-12-20 03:12:27 +04:00
from rest_framework.views import APIView
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
Added APIRequestFactory
2013-06-28 20:17:39 +04:00
factory = APIRequestFactory()
Auth is no longer lazy. Closes #667. More consistent auth failure behavior.
2013-02-28 21:58:58 +04:00
test custom token model
2016-01-05 18:58:16 +03:00
class CustomToken(models.Model):
key = models.CharField(max_length=40, primary_key=True)
Clean up existing deprecation warnings. (#4166) * Add Meta.fields = '__all__' to serializer classes where required. * Add explicit on_delete=models.CASCADE to ForeignKey fields. * Use '.remote_field' and '.model' in preference to '.rel' and '.to' when inspecting model fields. * Use new value_from_object in preference to internal _get_val_from_obj
2016-06-02 16:39:10 +03:00
user = models.OneToOneField(User, on_delete=models.CASCADE)
test custom token model
2016-01-05 18:58:16 +03:00
class CustomTokenAuthentication(TokenAuthentication):
model = CustomToken
TokenAuthentication: Allow custom keyword in the header (#4097) This allows subclassing TokenAuthentication and setting custom keyword, thus allowing the Authorization header to be for example: Bearer 956e252a-513c-48c5-92dd-bfddc364e812 It doesn't change the behavior of TokenAuthentication itself, it simply allows to reuse the logic of TokenAuthentication without the need of copy pasting the class and changing one hardcoded string. Related: #4080
2016-05-04 12:53:34 +03:00
class CustomKeywordTokenAuthentication(TokenAuthentication):
keyword = 'Bearer'
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
class MockView(APIView):
permission_classes = (permissions.IsAuthenticated,)
Auth is no longer lazy. Closes #667. More consistent auth failure behavior.
2013-02-28 21:58:58 +04:00
def get(self, request):
return HttpResponse({'a': 1, 'b': 2, 'c': 3})
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def post(self, request):
return HttpResponse({'a': 1, 'b': 2, 'c': 3})
def put(self, request):
return HttpResponse({'a': 1, 'b': 2, 'c': 3})
Auth is no longer lazy. Closes #667. More consistent auth failure behavior.
2013-02-28 21:58:58 +04:00
Remove `django.conf.urls.pattern` as it'll be removed in Django 2.0
2015-06-11 01:45:23 +03:00
urlpatterns = [
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
url(
r'^session/$',
MockView.as_view(authentication_classes=[SessionAuthentication])
),
url(
r'^basic/$',
MockView.as_view(authentication_classes=[BasicAuthentication])
),
url(
r'^token/$',
MockView.as_view(authentication_classes=[TokenAuthentication])
),
url(
r'^customtoken/$',
MockView.as_view(authentication_classes=[CustomTokenAuthentication])
),
url(
r'^customkeywordtoken/$',
MockView.as_view(
authentication_classes=[CustomKeywordTokenAuthentication]
)
),
Django 1.10 support. (#4158) * Added TEMPLATES setting to tests * Remove deprecated view-string in URL conf * Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...') * Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style * Get model managers and names in a version-compatible manner. * Apply override_settings to a TestCase, not a mixin class * Use '.callback' property instead of private attributes when inspecting urlpatterns * Pass 'user' to template explicitly * Correct sorting of import statements. * Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES. * Remove code style issue * BaseFilter test requires a concrete model * Resolve tox.ini issues * Resolve isort differences between local and tox environments
2016-06-01 17:31:00 +03:00
url(r'^auth-token/$', obtain_auth_token),
Define the `urlpatterns` as a list of `url()....
2015-06-11 02:01:47 +03:00
url(r'^auth/', include('rest_framework.urls', namespace='rest_framework')),
Remove `django.conf.urls.pattern` as it'll be removed in Django 2.0
2015-06-11 01:45:23 +03:00
]
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
Code linting and added runtests.py
2014-08-19 16:28:07 +04:00
Django 1.10 support. (#4158) * Added TEMPLATES setting to tests * Remove deprecated view-string in URL conf * Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...') * Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style * Get model managers and names in a version-compatible manner. * Apply override_settings to a TestCase, not a mixin class * Use '.callback' property instead of private attributes when inspecting urlpatterns * Pass 'user' to template explicitly * Correct sorting of import statements. * Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES. * Remove code style issue * BaseFilter test requires a concrete model * Resolve tox.ini issues * Resolve isort differences between local and tox environments
2016-06-01 17:31:00 +03:00
@override_settings(ROOT_URLCONF='tests.test_authentication')
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
class BasicAuthTests(TestCase):
"""Basic authentication"""
def setUp(self):
Added APIClient
2013-06-28 20:50:30 +04:00
self.csrf_client = APIClient(enforce_csrf_checks=True)
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
self.username = 'john'
self.email = 'lennon@thebeatles.com'
self.password = 'password'
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
self.user = User.objects.create_user(
self.username, self.email, self.password
)
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_form_passing_basic_auth(self):
"""Ensure POSTing json over basic auth with correct credentials passes and does not require CSRF"""
3.2, 3.3 compat
2013-02-01 18:03:28 +04:00
credentials = ('%s:%s' % (self.username, self.password))
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
base64_credentials = base64.b64encode(
credentials.encode(HTTP_HEADER_ENCODING)
).decode(HTTP_HEADER_ENCODING)
3.2, 3.3 compat
2013-02-01 18:03:28 +04:00
auth = 'Basic %s' % base64_credentials
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
response = self.csrf_client.post(
'/basic/',
{'example': 'example'},
HTTP_AUTHORIZATION=auth
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_200_OK
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_json_passing_basic_auth(self):
"""Ensure POSTing form over basic auth with correct credentials passes and does not require CSRF"""
3.2, 3.3 compat
2013-02-01 18:03:28 +04:00
credentials = ('%s:%s' % (self.username, self.password))
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
base64_credentials = base64.b64encode(
credentials.encode(HTTP_HEADER_ENCODING)
).decode(HTTP_HEADER_ENCODING)
3.2, 3.3 compat
2013-02-01 18:03:28 +04:00
auth = 'Basic %s' % base64_credentials
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
response = self.csrf_client.post(
'/basic/',
{'example': 'example'},
format='json',
HTTP_AUTHORIZATION=auth
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_200_OK
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
Handle incorrectly padded HTTP basic auth header (#4090)
2016-05-03 11:24:55 +03:00
def test_regression_handle_bad_base64_basic_auth_header(self):
"""Ensure POSTing JSON over basic auth with incorrectly padded Base64 string is handled correctly"""
# regression test for issue in 'rest_framework.authentication.BasicAuthentication.authenticate'
# https://github.com/tomchristie/django-rest-framework/issues/4089
auth = 'Basic =a='
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
response = self.csrf_client.post(
'/basic/',
{'example': 'example'},
format='json',
HTTP_AUTHORIZATION=auth
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_401_UNAUTHORIZED
Handle incorrectly padded HTTP basic auth header (#4090)
2016-05-03 11:24:55 +03:00
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_form_failing_basic_auth(self):
"""Ensure POSTing form over basic auth without correct credentials fails"""
WWW-Authenticate responses
2013-01-22 01:29:49 +04:00
response = self.csrf_client.post('/basic/', {'example': 'example'})
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_401_UNAUTHORIZED
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_json_failing_basic_auth(self):
"""Ensure POSTing json over basic auth without correct credentials fails"""
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
response = self.csrf_client.post(
'/basic/',
{'example': 'example'},
format='json'
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_401_UNAUTHORIZED
assert response['WWW-Authenticate'] == 'Basic realm="api"'
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
Add tests for BasicAuthentication and TokenAuthentication (#4837) * Add tests for BasicAuthentication * Add tests for Token authentication * Adjust test to pass on Django 1.8
2017-01-23 18:08:59 +03:00
def test_fail_post_if_credentials_are_missing(self):
response = self.csrf_client.post(
'/basic/', {'example': 'example'}, HTTP_AUTHORIZATION='Basic ')
assert response.status_code == status.HTTP_401_UNAUTHORIZED
def test_fail_post_if_credentials_contain_spaces(self):
response = self.csrf_client.post(
'/basic/', {'example': 'example'},
HTTP_AUTHORIZATION='Basic foo bar'
)
assert response.status_code == status.HTTP_401_UNAUTHORIZED
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
Django 1.10 support. (#4158) * Added TEMPLATES setting to tests * Remove deprecated view-string in URL conf * Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...') * Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style * Get model managers and names in a version-compatible manner. * Apply override_settings to a TestCase, not a mixin class * Use '.callback' property instead of private attributes when inspecting urlpatterns * Pass 'user' to template explicitly * Correct sorting of import statements. * Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES. * Remove code style issue * BaseFilter test requires a concrete model * Resolve tox.ini issues * Resolve isort differences between local and tox environments
2016-06-01 17:31:00 +03:00
@override_settings(ROOT_URLCONF='tests.test_authentication')
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
class SessionAuthTests(TestCase):
"""User session authentication"""
def setUp(self):
Added APIClient
2013-06-28 20:50:30 +04:00
self.csrf_client = APIClient(enforce_csrf_checks=True)
self.non_csrf_client = APIClient(enforce_csrf_checks=False)
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
self.username = 'john'
self.email = 'lennon@thebeatles.com'
self.password = 'password'
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
self.user = User.objects.create_user(
self.username, self.email, self.password
)
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def tearDown(self):
self.csrf_client.logout()
Regression for #1810: Test login view renders
2014-09-01 12:07:05 +04:00
def test_login_view_renders_on_get(self):
"""
Ensure the login template renders for a basic GET.
cf. [#1810](https://github.com/tomchristie/django-rest-framework/pull/1810)
"""
response = self.csrf_client.get('/auth/login/')
fix authentication_test pytest failure
2016-12-05 21:47:58 +03:00
content = response.content.decode('utf8')
assert '<label for="id_username">Username:</label>' in content
Regression for #1810: Test login view renders
2014-09-01 12:07:05 +04:00
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_form_session_auth_failing_csrf(self):
"""
Ensure POSTing form over session authentication without CSRF token fails.
"""
self.csrf_client.login(username=self.username, password=self.password)
WWW-Authenticate responses
2013-01-22 01:29:49 +04:00
response = self.csrf_client.post('/session/', {'example': 'example'})
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_403_FORBIDDEN
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_form_session_auth_passing(self):
"""
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
Ensure POSTing form over session authentication with logged in
user and CSRF token passes.
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
"""
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
self.non_csrf_client.login(
username=self.username, password=self.password
)
response = self.non_csrf_client.post(
'/session/', {'example': 'example'}
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_200_OK
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_put_form_session_auth_passing(self):
"""
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
Ensure PUTting form over session authentication with
logged in user and CSRF token passes.
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
"""
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
self.non_csrf_client.login(
username=self.username, password=self.password
)
response = self.non_csrf_client.put(
'/session/', {'example': 'example'}
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_200_OK
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_form_session_auth_failing(self):
"""
Ensure POSTing form over session authentication without logged in user fails.
"""
WWW-Authenticate responses
2013-01-22 01:29:49 +04:00
response = self.csrf_client.post('/session/', {'example': 'example'})
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_403_FORBIDDEN
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
test custom token model
2016-01-05 18:58:16 +03:00
class BaseTokenAuthTests(object):
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
"""Token authentication"""
test custom token model
2016-01-05 18:58:16 +03:00
model = None
path = None
TokenAuthentication: Allow custom keyword in the header (#4097) This allows subclassing TokenAuthentication and setting custom keyword, thus allowing the Authorization header to be for example: Bearer 956e252a-513c-48c5-92dd-bfddc364e812 It doesn't change the behavior of TokenAuthentication itself, it simply allows to reuse the logic of TokenAuthentication without the need of copy pasting the class and changing one hardcoded string. Related: #4080
2016-05-04 12:53:34 +03:00
header_prefix = 'Token '
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def setUp(self):
Added APIClient
2013-06-28 20:50:30 +04:00
self.csrf_client = APIClient(enforce_csrf_checks=True)
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
self.username = 'john'
self.email = 'lennon@thebeatles.com'
self.password = 'password'
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
self.user = User.objects.create_user(
self.username, self.email, self.password
)
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
self.key = 'abcd1234'
test custom token model
2016-01-05 18:58:16 +03:00
self.token = self.model.objects.create(key=self.key, user=self.user)
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_form_passing_token_auth(self):
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
"""
Ensure POSTing json over token auth with correct
credentials passes and does not require CSRF
"""
TokenAuthentication: Allow custom keyword in the header (#4097) This allows subclassing TokenAuthentication and setting custom keyword, thus allowing the Authorization header to be for example: Bearer 956e252a-513c-48c5-92dd-bfddc364e812 It doesn't change the behavior of TokenAuthentication itself, it simply allows to reuse the logic of TokenAuthentication without the need of copy pasting the class and changing one hardcoded string. Related: #4080
2016-05-04 12:53:34 +03:00
auth = self.header_prefix + self.key
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
response = self.csrf_client.post(
self.path, {'example': 'example'}, HTTP_AUTHORIZATION=auth
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_200_OK
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
Add tests for BasicAuthentication and TokenAuthentication (#4837) * Add tests for BasicAuthentication * Add tests for Token authentication * Adjust test to pass on Django 1.8
2017-01-23 18:08:59 +03:00
def test_fail_authentication_if_user_is_not_active(self):
user = User.objects.create_user('foo', 'bar', 'baz')
user.is_active = False
user.save()
self.model.objects.create(key='foobar_token', user=user)
response = self.csrf_client.post(
self.path, {'example': 'example'},
HTTP_AUTHORIZATION=self.header_prefix + 'foobar_token'
)
assert response.status_code == status.HTTP_401_UNAUTHORIZED
update invalid token case
2016-01-05 18:42:22 +03:00
def test_fail_post_form_passing_nonexistent_token_auth(self):
# use a nonexistent token key
TokenAuthentication: Allow custom keyword in the header (#4097) This allows subclassing TokenAuthentication and setting custom keyword, thus allowing the Authorization header to be for example: Bearer 956e252a-513c-48c5-92dd-bfddc364e812 It doesn't change the behavior of TokenAuthentication itself, it simply allows to reuse the logic of TokenAuthentication without the need of copy pasting the class and changing one hardcoded string. Related: #4080
2016-05-04 12:53:34 +03:00
auth = self.header_prefix + 'wxyz6789'
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
response = self.csrf_client.post(
self.path, {'example': 'example'}, HTTP_AUTHORIZATION=auth
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_401_UNAUTHORIZED
update invalid token case
2016-01-05 18:42:22 +03:00
Add tests for BasicAuthentication and TokenAuthentication (#4837) * Add tests for BasicAuthentication * Add tests for Token authentication * Adjust test to pass on Django 1.8
2017-01-23 18:08:59 +03:00
def test_fail_post_if_token_is_missing(self):
response = self.csrf_client.post(
self.path, {'example': 'example'},
HTTP_AUTHORIZATION=self.header_prefix)
assert response.status_code == status.HTTP_401_UNAUTHORIZED
def test_fail_post_if_token_contains_spaces(self):
response = self.csrf_client.post(
self.path, {'example': 'example'},
HTTP_AUTHORIZATION=self.header_prefix + 'foo bar'
)
assert response.status_code == status.HTTP_401_UNAUTHORIZED
Handle invalid characters in headers
2015-06-03 20:55:34 +03:00
def test_fail_post_form_passing_invalid_token_auth(self):
# add an 'invalid' unicode character
TokenAuthentication: Allow custom keyword in the header (#4097) This allows subclassing TokenAuthentication and setting custom keyword, thus allowing the Authorization header to be for example: Bearer 956e252a-513c-48c5-92dd-bfddc364e812 It doesn't change the behavior of TokenAuthentication itself, it simply allows to reuse the logic of TokenAuthentication without the need of copy pasting the class and changing one hardcoded string. Related: #4080
2016-05-04 12:53:34 +03:00
auth = self.header_prefix + self.key + "¸"
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
response = self.csrf_client.post(
self.path, {'example': 'example'}, HTTP_AUTHORIZATION=auth
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_401_UNAUTHORIZED
Handle invalid characters in headers
2015-06-03 20:55:34 +03:00
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_json_passing_token_auth(self):
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
"""
Ensure POSTing form over token auth with correct
credentials passes and does not require CSRF
"""
TokenAuthentication: Allow custom keyword in the header (#4097) This allows subclassing TokenAuthentication and setting custom keyword, thus allowing the Authorization header to be for example: Bearer 956e252a-513c-48c5-92dd-bfddc364e812 It doesn't change the behavior of TokenAuthentication itself, it simply allows to reuse the logic of TokenAuthentication without the need of copy pasting the class and changing one hardcoded string. Related: #4080
2016-05-04 12:53:34 +03:00
auth = self.header_prefix + self.key
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
response = self.csrf_client.post(
self.path, {'example': 'example'},
format='json', HTTP_AUTHORIZATION=auth
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_200_OK
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
Prefetching the user object when getting the token in TokenAuthentication. Since the user object is fetched 4 lines after getting Token from the database, this removes a DB query for each token-authenticated request.
2015-02-04 17:08:41 +03:00
def test_post_json_makes_one_db_query(self):
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
"""
Ensure that authenticating a user using a
token performs only one DB query
"""
TokenAuthentication: Allow custom keyword in the header (#4097) This allows subclassing TokenAuthentication and setting custom keyword, thus allowing the Authorization header to be for example: Bearer 956e252a-513c-48c5-92dd-bfddc364e812 It doesn't change the behavior of TokenAuthentication itself, it simply allows to reuse the logic of TokenAuthentication without the need of copy pasting the class and changing one hardcoded string. Related: #4080
2016-05-04 12:53:34 +03:00
auth = self.header_prefix + self.key
Fixes for latest version of pep8
2015-02-09 20:43:20 +03:00
def func_to_test():
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
return self.csrf_client.post(
self.path, {'example': 'example'},
format='json', HTTP_AUTHORIZATION=auth
)
Fixes for latest version of pep8
2015-02-09 20:43:20 +03:00
Prefetching the user object when getting the token in TokenAuthentication. Since the user object is fetched 4 lines after getting Token from the database, this removes a DB query for each token-authenticated request.
2015-02-04 17:08:41 +03:00
self.assertNumQueries(1, func_to_test)
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_form_failing_token_auth(self):
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
"""
Ensure POSTing form over token auth without correct credentials fails
"""
test custom token model
2016-01-05 18:58:16 +03:00
response = self.csrf_client.post(self.path, {'example': 'example'})
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_401_UNAUTHORIZED
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_post_json_failing_token_auth(self):
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
"""
Ensure POSTing json over token auth without correct credentials fails
"""
response = self.csrf_client.post(
self.path, {'example': 'example'}, format='json'
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_401_UNAUTHORIZED
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
test custom token model
2016-01-05 18:58:16 +03:00
Django 1.10 support. (#4158) * Added TEMPLATES setting to tests * Remove deprecated view-string in URL conf * Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...') * Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style * Get model managers and names in a version-compatible manner. * Apply override_settings to a TestCase, not a mixin class * Use '.callback' property instead of private attributes when inspecting urlpatterns * Pass 'user' to template explicitly * Correct sorting of import statements. * Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES. * Remove code style issue * BaseFilter test requires a concrete model * Resolve tox.ini issues * Resolve isort differences between local and tox environments
2016-06-01 17:31:00 +03:00
@override_settings(ROOT_URLCONF='tests.test_authentication')
test custom token model
2016-01-05 18:58:16 +03:00
class TokenAuthTests(BaseTokenAuthTests, TestCase):
model = Token
path = '/token/'
Change package name: djangorestframework -> rest_framework
2012-09-20 16:06:27 +04:00
def test_token_has_auto_assigned_key_if_none_provided(self):
"""Ensure creating a token with no key will auto-assign a key"""
Tweak authtoken
2012-10-09 12:57:31 +04:00
self.token.delete()
test custom token model
2016-01-05 18:58:16 +03:00
token = self.model.objects.create(user=self.user)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert bool(token.key)
Added authtoken login/logout urlpatterns and views
2012-11-11 04:17:50 +04:00
Ensure Token.generate_key returns a string.
2014-04-28 15:35:55 +04:00
def test_generate_key_returns_string(self):
"""Ensure generate_key returns a string"""
test custom token model
2016-01-05 18:58:16 +03:00
token = self.model()
Ensure Token.generate_key returns a string.
2014-04-28 15:35:55 +04:00
key = token.generate_key()
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert isinstance(key, six.string_types)
Ensure Token.generate_key returns a string.
2014-04-28 15:35:55 +04:00
Added authtoken login/logout urlpatterns and views
2012-11-11 04:17:50 +04:00
def test_token_login_json(self):
"""Ensure token login view using JSON POST works."""
Added APIClient
2013-06-28 20:50:30 +04:00
client = APIClient(enforce_csrf_checks=True)
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
response = client.post(
'/auth-token/',
{'username': self.username, 'password': self.password},
format='json'
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_200_OK
assert response.data['token'] == self.key
Added authtoken login/logout urlpatterns and views
2012-11-11 04:17:50 +04:00
def test_token_login_json_bad_creds(self):
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
"""
Ensure token login view using JSON POST fails if
bad credentials are used
"""
Added APIClient
2013-06-28 20:50:30 +04:00
client = APIClient(enforce_csrf_checks=True)
Style fix of tests (#4154) Clean up code style.
2016-06-01 12:40:54 +03:00
response = client.post(
'/auth-token/',
{'username': self.username, 'password': "badpass"},
format='json'
)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == 400
Added authtoken login/logout urlpatterns and views
2012-11-11 04:17:50 +04:00
def test_token_login_json_missing_fields(self):
"""Ensure token login view using JSON POST fails if missing fields."""
Added APIClient
2013-06-28 20:50:30 +04:00
client = APIClient(enforce_csrf_checks=True)
Reverted #458 When incorrect parameters are supplied to the obtain auth token view 400 *is* the correct response.
2012-12-08 02:25:16 +04:00
response = client.post('/auth-token/',
Added APIClient
2013-06-28 20:50:30 +04:00
{'username': self.username}, format='json')
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == 400
Added authtoken login/logout urlpatterns and views
2012-11-11 04:17:50 +04:00
def test_token_login_form(self):
"""Ensure token login view using form POST works."""
Added APIClient
2013-06-28 20:50:30 +04:00
client = APIClient(enforce_csrf_checks=True)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
response = client.post(
'/auth-token/',
{'username': self.username, 'password': self.password}
)
assert response.status_code == status.HTTP_200_OK
assert response.data['token'] == self.key
Auth is no longer lazy. Closes #667. More consistent auth failure behavior.
2013-02-28 21:58:58 +04:00
Django 1.10 support. (#4158) * Added TEMPLATES setting to tests * Remove deprecated view-string in URL conf * Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...') * Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style * Get model managers and names in a version-compatible manner. * Apply override_settings to a TestCase, not a mixin class * Use '.callback' property instead of private attributes when inspecting urlpatterns * Pass 'user' to template explicitly * Correct sorting of import statements. * Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES. * Remove code style issue * BaseFilter test requires a concrete model * Resolve tox.ini issues * Resolve isort differences between local and tox environments
2016-06-01 17:31:00 +03:00
@override_settings(ROOT_URLCONF='tests.test_authentication')
test custom token model
2016-01-05 18:58:16 +03:00
class CustomTokenAuthTests(BaseTokenAuthTests, TestCase):
model = CustomToken
path = '/customtoken/'
Django 1.10 support. (#4158) * Added TEMPLATES setting to tests * Remove deprecated view-string in URL conf * Replace 'urls = ...' in test classes with override_settings('ROOT_URLCONF=...') * Refactor UsingURLPatterns to use override_settings(ROOT_URLCONF=...) style * Get model managers and names in a version-compatible manner. * Apply override_settings to a TestCase, not a mixin class * Use '.callback' property instead of private attributes when inspecting urlpatterns * Pass 'user' to template explicitly * Correct sorting of import statements. * Remove unused TEMPLATE_LOADERS setting, in favor of TEMPLATES. * Remove code style issue * BaseFilter test requires a concrete model * Resolve tox.ini issues * Resolve isort differences between local and tox environments
2016-06-01 17:31:00 +03:00
@override_settings(ROOT_URLCONF='tests.test_authentication')
TokenAuthentication: Allow custom keyword in the header (#4097) This allows subclassing TokenAuthentication and setting custom keyword, thus allowing the Authorization header to be for example: Bearer 956e252a-513c-48c5-92dd-bfddc364e812 It doesn't change the behavior of TokenAuthentication itself, it simply allows to reuse the logic of TokenAuthentication without the need of copy pasting the class and changing one hardcoded string. Related: #4080
2016-05-04 12:53:34 +03:00
class CustomKeywordTokenAuthTests(BaseTokenAuthTests, TestCase):
model = Token
path = '/customkeywordtoken/'
header_prefix = 'Bearer '
Auth is no longer lazy. Closes #667. More consistent auth failure behavior.
2013-02-28 21:58:58 +04:00
class IncorrectCredentialsTests(TestCase):
def test_incorrect_credentials(self):
"""
If a request contains bad authentication credentials, then
authentication should run and error, even if no permissions
are set on the view.
"""
class IncorrectCredentialsAuth(BaseAuthentication):
def authenticate(self, request):
raise exceptions.AuthenticationFailed('Bad credentials')
request = factory.get('/')
view = MockView.as_view(
authentication_classes=(IncorrectCredentialsAuth,),
permission_classes=()
)
response = view(request)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_403_FORBIDDEN
assert response.data == {'detail': 'Bad credentials'}
Merge & clean OAuth support
2013-03-07 13:01:53 +04:00
request.user should be still be accessible in renderer context if authentication fails
2013-06-03 15:32:57 +04:00
class FailingAuthAccessedInRenderer(TestCase):
def setUp(self):
class AuthAccessingRenderer(renderers.BaseRenderer):
media_type = 'text/plain'
format = 'txt'
def render(self, data, media_type=None, renderer_context=None):
request = renderer_context['request']
Version 3.5 (#4525) * Start test case * Added 'requests' test client * Address typos * Graceful fallback if requests is not installed. * Add cookie support * Tests for auth and CSRF * Py3 compat * py3 compat * py3 compat * Add get_requests_client * Added SchemaGenerator.should_include_link * add settings for html cutoff on related fields * Router doesn't work if prefix is blank, though project urls.py handles prefix * Fix Django 1.10 to-many deprecation * Add django.core.urlresolvers compatibility * Update django-filter & django-guardian * Check for empty router prefix; adjust URL accordingly It's easiest to fix this issue after we have made the regex. To try to fix it before would require doing something different for List vs Detail, which means we'd have to know which type of url we're constructing before acting accordingly. * Fix misc django deprecations * Use TOC extension instead of header * Fix deprecations for py3k * Add py3k compatibility to is_simple_callable * Add is_simple_callable tests * Drop python 3.2 support (EOL, Dropped by Django) * schema_renderers= should *set* the renderers, not append to them. * API client (#4424) * Fix release notes * Add note about 'User account is disabled.' vs 'Unable to log in' * Clean up schema generation (#4527) * Handle multiple methods on custom action (#4529) * RequestsClient, CoreAPIClient * exclude_from_schema * Added 'get_schema_view()' shortcut * Added schema descriptions * Better descriptions for schemas * Add type annotation to schema generation * Coerce schema 'pk' in path to actual field name * Deprecations move into assertion errors * Use get_schema_view in tests * Updte CoreJSON media type * Handle schema structure correctly when path prefixs exist. Closes #4401 * Add PendingDeprecation to Router schema generation. * Added SCHEMA_COERCE_PATH_PK and SCHEMA_COERCE_METHOD_NAMES * Renamed and documented 'get_schema_fields' interface.
2016-10-10 15:03:46 +03:00
if is_authenticated(request.user):
request.user should be still be accessible in renderer context if authentication fails
2013-06-03 15:32:57 +04:00
return b'authenticated'
return b'not authenticated'
class FailingAuth(BaseAuthentication):
def authenticate(self, request):
raise exceptions.AuthenticationFailed('authentication failed')
class ExampleView(APIView):
authentication_classes = (FailingAuth,)
renderer_classes = (AuthAccessingRenderer,)
def get(self, request):
return Response({'foo': 'bar'})
self.view = ExampleView.as_view()
def test_failing_auth_accessed_in_renderer(self):
"""
When authentication fails the renderer should still be able to access
`request.user` without raising an exception. Particularly relevant
to HTML responses that might reasonably access `request.user`.
"""
request = factory.get('/')
response = self.view(request)
content = response.render().content
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert content == b'not authenticated'
No auth view failing permission should raise 403 A view with no `authentication_classes` set and that fails a permission check should raise a 403 with the message from the failing permission.
2016-04-07 18:24:26 +03:00
class NoAuthenticationClassesTests(TestCase):
def test_permission_message_with_no_authentication_classes(self):
"""
Fixed various typos (#4366)
2016-08-08 11:32:22 +03:00
An unauthenticated request made against a view that contains no
No auth view failing permission should raise 403 A view with no `authentication_classes` set and that fails a permission check should raise a 403 with the message from the failing permission.
2016-04-07 18:24:26 +03:00
`authentication_classes` but do contain `permissions_classes` the error
code returned should be 403 with the exception's message.
"""
class DummyPermission(permissions.BasePermission):
message = 'Dummy permission message'
def has_permission(self, request, view):
return False
request = factory.get('/')
view = MockView.as_view(
authentication_classes=(),
permission_classes=(DummyPermission,),
)
response = view(request)
converted authentication_test asserts to pytest
2016-12-05 21:33:13 +03:00
assert response.status_code == status.HTTP_403_FORBIDDEN
assert response.data == {'detail': 'Dummy permission message'}
Add tests for BasicAuthentication and TokenAuthentication (#4837) * Add tests for BasicAuthentication * Add tests for Token authentication * Adjust test to pass on Django 1.8
2017-01-23 18:08:59 +03:00
class BasicAuthenticationUnitTests(TestCase):
def test_base_authentication_abstract_method(self):
with pytest.raises(NotImplementedError):
BaseAuthentication().authenticate({})
def test_basic_authentication_raises_error_if_user_not_found(self):
auth = BasicAuthentication()
with pytest.raises(exceptions.AuthenticationFailed):
auth.authenticate_credentials('invalid id', 'invalid password')
def test_basic_authentication_raises_error_if_user_not_active(self):
from rest_framework import authentication
class MockUser(object):
is_active = False
old_authenticate = authentication.authenticate
authentication.authenticate = lambda **kwargs: MockUser()
auth = authentication.BasicAuthentication()
with pytest.raises(exceptions.AuthenticationFailed) as error:
auth.authenticate_credentials('foo', 'bar')
assert 'User inactive or deleted.' in str(error)
authentication.authenticate = old_authenticate
Reference in New Issue Copy Permalink