Add support for invalidating users JWTs #17465
@@ -17,6 +17,7 @@ | |
from fauxfactory import gen_email, gen_string | ||
import pytest | ||
|
||
from robottelo.config import user_nailgun_config | ||
from robottelo.constants import DEFAULT_ORG, PERMISSIONS, ROLES | ||
|
||
|
||
|
@@ -307,6 +308,94 @@ def test_positive_create_product_with_limited_user_permission( | |
assert newsession.product.search(product_name)[0]['Name'] == product_name | ||
|
||
|
||
@pytest.mark.rhel_ver_match('8') | ||
def test_positive_invalidate_jwt( | ||
session, module_target_sat, module_org, module_location, rhel_contenthost, module_activation_key | ||
): | ||
"""Perform an end-to-end testing for jwt | ||
|
||
:id: be328fd7-b640-4080-9373-25f96ba2aef6 | ||
|
||
:steps: | ||
1. Create an admin user and a non-admin user with "edit_users" and "view_users" permissions. | ||
2. Generate a token for the user to register the host. | ||
3. Login to UI with admin user and navigate to Administer -> Users and invalidate the token for the non-admin user from the dropdown. | ||
4. Try to use the previously generated token to register the host and verify that the token is invalid for registration. | ||
5. Repeat the steps 2,3,and 4 with non_admin user and verify the same as in Step 4. | ||
|
||
|
||
:expectedresults: Tokens which are invalidated cannot be used for registration. | ||
|
||
:Verifies: SAT-27537, SAT-27538, SAT-27539 | ||
|
||
:CaseImportance: High | ||
|
||
""" | ||
password = gen_string('alpha') | ||
roles = [module_target_sat.api.Role().create()] | ||
|
||
user_permissions = { | ||
'User': ['view_users', 'edit_users'], | ||
} | ||
module_target_sat.api_factory.create_role_permissions(roles[0], user_permissions) | ||
# Create an admin user and invalidate token using that user | ||
admin_user = module_target_sat.api.User( | ||
location=[module_location], | ||
organization=[module_org], | ||
password=password, | ||
login=gen_string('alpha'), | ||
admin=True, | ||
).create() | ||
# Create a non-admin user with (edit_users and view_users) permissions and invalidate token using that user | ||
non_admin_user = module_target_sat.api.User( | ||
role=roles, | ||
location=[module_location], | ||
organization=[module_org], | ||
password=password, | ||
login=gen_string('alpha'), | ||
).create() | ||
login_details = { | ||
'username': non_admin_user.login, | ||
'password': password, | ||
} | ||
role = module_target_sat.cli.Role.info({'name': 'Register hosts'}) | ||
module_target_sat.cli.User.add_role({'id': non_admin_user.id, 'role-id': role['id']}) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Can you add the role while creating the user? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. This was intentionally done . There are 2 roles in it. |
||
# Login with admin user and invalidate non_admin token and verify the token is invalid for registration after invalidating it. | ||
with module_target_sat.ui_session(user=admin_user.login, password=password) as session: | ||
session.organization.select(module_org.name) | ||
session.location.select(module_location.name) | ||
user_cfg = user_nailgun_config(non_admin_user.login, password) | ||
command = module_target_sat.api.RegistrationCommand( | ||
server_config=user_cfg, | ||
organization=module_org, | ||
location=module_location, | ||
activation_keys=[module_activation_key.name], | ||
force=True, | ||
).create() | ||
result = rhel_contenthost.execute(command.strip('\n')) | ||
assert result.status == 0, f'Failed to register host: {result.stderr}' | ||
session.user.invalidate_jwt(non_admin_user.login) | ||
result = rhel_contenthost.execute(command.strip('\n')) | ||
assert result.status == 1, f'Failed to register host: {result.stderr}' | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. There is probably a wrong error message when this fails. Also, it may be worth it checking more than just status. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Agree. Updated |
||
assert "ERROR: unauthorized" in result.stdout | ||
result = session.login.logout() | ||
|
||
# Login with non-admin user and invalidate admin token and verify the token is invalid for registration after invalidating it. | ||
session.login.login(login_details) | ||
user_cfg = user_nailgun_config(admin_user.login, password) | ||
command = module_target_sat.api.RegistrationCommand( | ||
server_config=user_cfg, | ||
organization=module_org, | ||
location=module_location, | ||
activation_keys=[module_activation_key.name], | ||
force=True, | ||
).create() | ||
result = rhel_contenthost.execute(command.strip('\n')) | ||
assert result.status == 0, f'Failed to register host: {result.stderr}' | ||
session.user.invalidate_jwt(admin_user.login) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You don't assert anything after invalidating admin's token. There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Yes, I missed that. Updated. |
||
result = rhel_contenthost.execute(command.strip('\n')) | ||
assert result.status == 1, f'Failed to register host: {result.stderr}' | ||
assert "ERROR: unauthorized" in result.stdout | ||
|
||
|
||
@pytest.mark.tier2 | ||
@pytest.mark.stubbed | ||
def test_personal_access_token_admin(): | ||
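Review bot: The `session` fixture requested in the signature of `test_positive_invalidate_jwt` is never used under that name, because the `with module_target_sat.ui_session(user=admin_user.login, password=password) as session:` block rebinds it, so the fixture only adds an unused UI login to the test's setup. Either drop `session` from the parameter list or bind the context manager to a distinct name such as `admin_session` so the shadowing is explicit. The value assigned by `result = session.login.logout()` is overwritten before it is read, so the plain call `session.login.logout()` is clearer. The comment `# Create a non-admin user with (edit_users and view_users) permissions and invalidate token using that user` no longer matches the code once the `Register hosts` role is attached a few lines later; I'd make it `# Create a non-admin user with edit_users/view_users plus the 'Register hosts' role; its token is invalidated by the admin below`.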
|
Missing tier decorator
Do we really need the tier decorator now? What is the purpose of using it? I thought it had become obsolete.
Frankly, I don't know. At least for consistency, I would expect it to be there. Best to ask CI team what is expected regarding tier decorators.
I remember a discussion over it and I think it is not required but would like to have some thoughts on it.
@devendra104 wdyt?