Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add support for invalidating users JWTs #17465

Merged
merged 1 commit into from
Feb 6, 2025
Merged
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
89 changes: 89 additions & 0 deletions tests/foreman/ui/test_user.py
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@
from fauxfactory import gen_email, gen_string
import pytest

from robottelo.config import user_nailgun_config
from robottelo.constants import DEFAULT_ORG, PERMISSIONS, ROLES


Expand Down Expand Up @@ -307,6 +308,94 @@ def test_positive_create_product_with_limited_user_permission(
assert newsession.product.search(product_name)[0]['Name'] == product_name


@pytest.mark.rhel_ver_match('8')
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Missing tier decorator

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we really need tier decorator now? What is the purpose to use it. I thought it has become obsolete now.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Frankly, I don't know. At least for consistency, I would expect it to be there. Best to ask CI team what is expected regarding tier decorators.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I remember a discussion over it and I think it is not required but would like to have some thoughts on it.
@devendra104 wdyt?

def test_positive_invalidate_jwt(
session, module_target_sat, module_org, module_location, rhel_contenthost, module_activation_key
):
"""Perform an end-to-end testing for jwt

:id: be328fd7-b640-4080-9373-25f96ba2aef6

:steps:
1. Create an admin user and a non-admin user with "edit_users" and "view_users" permissions.
2. Generate a token for the user to register the host.
3. Login to UI with admin user and navigate to Administer -> Users and invalidate the token for the non-admin user from the dropdown.
4. Try to use the previously generated token to register the host and verify that the token is invalid for registration.
5. Repeat the steps 2,3,and 4 with non_admin user and verify the same as in Step 4.


:expectedresults: Tokens which are invalidated cannot be used for registration.

:Verifies: SAT-27537, SAT-27538, SAT-27539

:CaseImportance: High
shweta83 marked this conversation as resolved.
Show resolved Hide resolved
"""
password = gen_string('alpha')
roles = [module_target_sat.api.Role().create()]
amolpati30 marked this conversation as resolved.
Show resolved Hide resolved
user_permissions = {
'User': ['view_users', 'edit_users'],
}
module_target_sat.api_factory.create_role_permissions(roles[0], user_permissions)
# Create an admin user and invalidate token using that user
admin_user = module_target_sat.api.User(
location=[module_location],
organization=[module_org],
password=password,
login=gen_string('alpha'),
admin=True,
).create()
# Create a non-admin user with (edit_users and view_users) permissions and invalidate token using that user
non_admin_user = module_target_sat.api.User(
role=roles,
location=[module_location],
organization=[module_org],
password=password,
login=gen_string('alpha'),
).create()
login_details = {
'username': non_admin_user.login,
'password': password,
}
role = module_target_sat.cli.Role.info({'name': 'Register hosts'})
module_target_sat.cli.User.add_role({'id': non_admin_user.id, 'role-id': role['id']})
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you add the role while creating the user?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was intentionally done . There are 2 roles in it.

# Login with admin user and invalidate non_admin token and verify the token is invalid for registration after invalidating it.
with module_target_sat.ui_session(user=admin_user.login, password=password) as session:
session.organization.select(module_org.name)
session.location.select(module_location.name)
user_cfg = user_nailgun_config(non_admin_user.login, password)
command = module_target_sat.api.RegistrationCommand(
server_config=user_cfg,
organization=module_org,
location=module_location,
activation_keys=[module_activation_key.name],
force=True,
).create()
result = rhel_contenthost.execute(command.strip('\n'))
assert result.status == 0, f'Failed to register host: {result.stderr}'
session.user.invalidate_jwt(non_admin_user.login)
result = rhel_contenthost.execute(command.strip('\n'))
assert result.status == 1, f'Failed to register host: {result.stderr}'
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

There is probably a wrong error message when this fails. Also, it may be worth it checking more than just status.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree. Updated

assert "ERROR: unauthorized" in result.stdout
result = session.login.logout()

# Login with non-admin user and invalidate admin token and verify the token is invalid for registration after invalidating it.
session.login.login(login_details)
user_cfg = user_nailgun_config(admin_user.login, password)
command = module_target_sat.api.RegistrationCommand(
server_config=user_cfg,
organization=module_org,
location=module_location,
activation_keys=[module_activation_key.name],
force=True,
).create()
result = rhel_contenthost.execute(command.strip('\n'))
assert result.status == 0, f'Failed to register host: {result.stderr}'
session.user.invalidate_jwt(admin_user.login)
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You don't assert anything after invalidating admin's token.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes, I missed that. Updated.

result = rhel_contenthost.execute(command.strip('\n'))
assert result.status == 1, f'Failed to register host: {result.stderr}'
assert "ERROR: unauthorized" in result.stdout


@pytest.mark.tier2
@pytest.mark.stubbed
def test_personal_access_token_admin():
Expand Down