
* ATH-01-001: resolve path and check start before loading blueprints
This is even less of an issue since 411ef239f6
, since with that commit we only allow files that the listing returns
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ATH-01-010: fix missing user filter for webauthn device
This prevents an attack that is only possible when an attacker can intercept HTTP traffic and in the case of HTTPS decrypt it.
* ATH-01-008: fix web forms not submitting correctly when pressing enter
When submitting some forms with the Enter key instead of clicking "Confirm"/etc, the form would not get submitted correctly
The worst case is when setting a user's password: the new password could end up in the URL, while the password was not actually saved to the user.
* ATH-01-004: remove env from admin system endpoint
this endpoint already required admin access, but for debugging the env variables are used very little
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ATH-01-003 / ATH-01-012: disable htmlLabels in mermaid
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ATH-01-005: use hmac.compare_digest for secret_key authentication
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ATH-01-009: migrate impersonation to use API
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ATH-01-010: rework
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ATH-01-014: save authenticator validation state in flow context
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
bugfixes
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* ATH-01-012: escape quotation marks
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* add website
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* update release ntoes
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* update with all notes
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
* fix format
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
---------
Signed-off-by: Jens Langhammer <jens@goauthentik.io>
"""impersonation tests"""
from json import loads
from django.urls import reverse
from rest_framework.test import APITestCase
from authentik.core.models import User
from authentik.core.tests.utils import create_test_admin_user
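class TestImpersonation(APITestCase):
    """Tests for the user impersonation API endpoints.

    Covers the happy path (start and end impersonation), the denied case
    (a user without permission must not be able to impersonate anyone) and
    ending impersonation when none is active.
    """

    def setUp(self) -> None:
        super().setUp()
        # Target of impersonation: a plain user with no admin rights.
        self.other_user = User.objects.create(username="to-impersonate")
        # Acting user: created as an admin so impersonation is permitted.
        self.user = create_test_admin_user()

    def test_impersonate_simple(self):
        """Start impersonating another user, then end it again.

        The target is made inactive first, to check that impersonating an
        inactive user still works.
        """
        self.other_user.is_active = False
        self.other_user.save()
        self.client.force_login(self.user)

        self.client.post(
            reverse(
                "authentik_api:user-impersonate",
                kwargs={"pk": self.other_user.pk},
            )
        )

        # While impersonating, `user` is the target and `original` is the admin.
        response = self.client.get(reverse("authentik_api:user-me"))
        response_body = loads(response.content.decode())
        self.assertEqual(response_body["user"]["username"], self.other_user.username)
        self.assertEqual(response_body["original"]["username"], self.user.username)

        self.client.get(reverse("authentik_api:user-impersonate-end"))

        # After ending, `user` is the admin again and `original` is gone.
        response = self.client.get(reverse("authentik_api:user-me"))
        response_body = loads(response.content.decode())
        self.assertEqual(response_body["user"]["username"], self.user.username)
        self.assertNotIn("original", response_body)

    def test_impersonate_denied(self):
        """A user without permission must not be able to impersonate.

        Uses POST, the same method as the positive test above. If the
        impersonate action only accepts POST, a GET would be rejected as
        method-not-allowed regardless of permissions and this test would
        pass without ever exercising the authorization check.
        """
        self.client.force_login(self.other_user)

        response = self.client.post(
            reverse("authentik_api:user-impersonate", kwargs={"pk": self.user.pk})
        )
        # The request must be rejected (4xx), not silently accepted.
        self.assertGreaterEqual(response.status_code, 400)

        # The session must still belong to the non-privileged user, with no
        # impersonation in effect.
        response = self.client.get(reverse("authentik_api:user-me"))
        response_body = loads(response.content.decode())
        self.assertEqual(response_body["user"]["username"], self.other_user.username)
        self.assertNotIn("original", response_body)

    def test_un_impersonate_empty(self):
        """Ending impersonation without having started one returns 204."""
        self.client.force_login(self.other_user)

        response = self.client.get(reverse("authentik_api:user-impersonate-end"))
        self.assertEqual(response.status_code, 204)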