fa071bcd6e
# What this PR does Inspired by [this discussion](https://github.com/grafana/oncall/pull/5307#discussion_r1862449480). _tldr;_ ensures that if any of our tests try making an external network call, they will fail. Setup an example test: ```python def test_external_network_call(): import requests response = requests.get('https://www.example.com') assert response.status_code == 200 ``` and it worked (failed; [example CI test run](https://github.com/grafana/oncall/actions/runs/12106416991/job/33752144727?pr=5315#step:6:389)) as expected: ```bash __________________________ test_external_network_call __________________________ def test_external_network_call(): import requests > response = requests.get('https://www.example.com') requests = <module 'requests' from '/opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/__init__.py'> apps/test_joey.py:4: _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/api.py:73: in get return request("get", url, params=params, **kwargs) kwargs = {} params = None url = 'https://www.example.com' /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/api.py:59: in request return session.request(method=method, url=url, **kwargs) kwargs = {'params': None} method = 'get' session = <requests.sessions.Session object at 0x7f10ebaada90> url = 'https://www.example.com' /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/sessions.py:589: in request resp = self.send(prep, **send_kwargs) allow_redirects = True auth = None cert = None cookies = None data = None files = None headers = None hooks = None json = None method = 'get' params = None prep = <PreparedRequest [GET]> proxies = {} req = <Request [GET]> self = <requests.sessions.Session object at 0x7f10ebaada90> send_kwargs = {'allow_redirects': True, 'cert': None, 'proxies': OrderedDict(), 'stream': False, ...} settings = {'cert': None, 'proxies': OrderedDict(), 'stream': False, 'verify': True} stream = None timeout = None url = 'https://www.example.com' verify = None /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/sessions.py:703: in send r = adapter.send(request, **kwargs) adapter = <requests.adapters.HTTPAdapter object at 0x7f10ebaada30> allow_redirects = True hooks = {'response': []} kwargs = {'cert': None, 'proxies': OrderedDict(), 'stream': False, 'timeout': None, ...} request = <PreparedRequest [GET]> self = <requests.sessions.Session object at 0x7f10ebaada90> start = 1733064371.649901 stream = False /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/requests/adapters.py:667: in send resp = conn.urlopen( cert = None chunked = False conn = <urllib3.connectionpool.HTTPSConnectionPool object at 0x7f10ebaadd30> proxies = OrderedDict() request = <PreparedRequest [GET]> self = <requests.adapters.HTTPAdapter object at 0x7f10ebaada30> stream = False timeout = Timeout(connect=None, read=None, total=None) url = '/' verify = True /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/connectionpool.py:715: in urlopen httplib_response = self._make_request( assert_same_host = False body = None body_pos = None chunked = False clean_exit = False conn = None destination_scheme = None err = None headers = {'User-Agent': 'python-requests/2.32.3', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'} http_tunnel_required = False is_new_proxy_conn = False method = 'GET' parsed_url = Url(scheme=None, auth=None, host=None, port=None, path='/', query=None, fragment=None) pool_timeout = None redirect = False release_conn = False release_this_conn = True response_kw = {'decode_content': False, 'preload_content': False} retries = Retry(total=0, connect=None, read=False, redirect=None, status=None) self = <urllib3.connectionpool.HTTPSConnectionPool object at 0x7f10ebaadd30> timeout = Timeout(connect=None, read=None, total=None) timeout_obj = Timeout(connect=None, read=None, total=None) url = '/' /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/connectionpool.py:404: in _make_request self._validate_conn(conn) chunked = False conn = <urllib3.connection.HTTPSConnection object at 0x7f10ebaadd60> httplib_request_kw = {'body': None, 'headers': {'User-Agent': 'python-requests/2.32.3', 'Accept-Encoding': 'gzip, deflate', 'Accept': '*/*', 'Connection': 'keep-alive'}} method = 'GET' self = <urllib3.connectionpool.HTTPSConnectionPool object at 0x7f10ebaadd30> timeout = Timeout(connect=None, read=None, total=None) timeout_obj = Timeout(connect=None, read=None, total=None) url = '/' /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/connectionpool.py:1060: in _validate_conn conn.connect() __class__ = <class 'urllib3.connectionpool.HTTPSConnectionPool'> conn = <urllib3.connection.HTTPSConnection object at 0x7f10ebaadd60> self = <urllib3.connectionpool.HTTPSConnectionPool object at 0x7f10ebaadd30> /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/connection.py:363: in connect self.sock = conn = self._new_conn() self = <urllib3.connection.HTTPSConnection object at 0x7f10ebaadd60> /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/connection.py:174: in _new_conn conn = connection.create_connection( extra_kw = {'socket_options': [(6, 1, 1)]} self = <urllib3.connection.HTTPSConnection object at 0x7f10ebaadd60> /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/urllib3/util/connection.py:85: in create_connection sock.connect(sa) address = ('www.example.com', 443) af = <AddressFamily.AF_INET: 2> canonname = '' err = None family = <AddressFamily.AF_UNSPEC: 0> host = 'www.example.com' port = 443 proto = 6 res = (<AddressFamily.AF_INET: 2>, <SocketKind.SOCK_STREAM: 1>, 6, '', ('93.184.215.14', 443)) sa = ('93.184.215.14', 443) sock = <socket.socket fd=12, family=2, type=1, proto=6, laddr=('0.0.0.0', 0)> socket_options = [(6, 1, 1)] socktype = <SocketKind.SOCK_STREAM: 1> source_address = None timeout = None _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ inst = <socket.socket fd=12, family=2, type=1, proto=6, laddr=('0.0.0.0', 0)> args = (('93.184.215.14', 443),), host = '93.184.215.14' def guarded_connect(inst, *args): host = host_from_connect_args(args) if host in allowed_ip_hosts_and_hostnames or ( _is_unix_socket(inst.family) and allow_unix_socket ): return _true_connect(inst, *args) > raise SocketConnectBlockedError(allowed_list, host) E pytest_socket.SocketConnectBlockedError: A test tried to use socket.socket.connect() with host "93.184.215.14" (allowed: "calendar.google.com (142.251.167.100,142.251.167.101,142.251.167.102,142.251.167.113,142.251.167.138,142.251.167.139,2607:f8b0:4004:c09::65,2607:f8b0:4004:c09::66,2607:f8b0:4004:c09::71,2607:f8b0:4004:c09::8b),localhost (127.0.0.1,::1),oncall-dev-mariadb ()"). allow_unix_socket = False allowed_ip_hosts_and_hostnames = {'127.0.0.1', '142.251.167.100', '142.251.167.101', '142.251.167.102', '142.251.167.113', '142.251.167.138', ...} allowed_list = ['calendar.google.com (142.251.167.100,142.251.167.101,142.251.167.102,142.251.167.113,142.251.167.138,142.251.167.139...8b0:4004:c09::66,2607:f8b0:4004:c09::71,2607:f8b0:4004:c09::8b)', 'localhost (127.0.0.1,::1)', 'oncall-dev-mariadb ()'] args = (('93.184.215.14', 443),) host = '93.184.215.14' inst = <socket.socket fd=12, family=2, type=1, proto=6, laddr=('0.0.0.0', 0)> /opt/hostedtoolcache/Python/3.12.3/x64/lib/python3.12/site-packages/pytest_socket.py:252: SocketConnectBlockedError ``` ## Checklist - [x] Unit, integration, and e2e (if applicable) tests updated - [x] Documentation added (or `pr:no public docs` PR label added if not required) - [x] Added the relevant release notes label (see labels prefixed w/ `release:`). These labels dictate how your PR will show up in the autogenerated release notes.
208 lines
7.7 KiB
Python
208 lines
7.7 KiB
Python
import json
|
|
from unittest.mock import patch
|
|
|
|
import pytest
|
|
from django.utils import timezone
|
|
from rest_framework.exceptions import AuthenticationFailed
|
|
from rest_framework.test import APIRequestFactory
|
|
|
|
from apps.auth_token.auth import BasePluginAuthentication, PluginAuthentication
|
|
|
|
INSTANCE_CONTEXT = '{"stack_id": 42, "org_id": 24, "grafana_token": "abc"}'
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_plugin_authentication_self_hosted_success(make_organization, make_user, make_token_for_organization):
|
|
organization = make_organization(stack_id=42, org_id=24)
|
|
user = make_user(organization=organization, user_id=12)
|
|
token, token_string = make_token_for_organization(organization)
|
|
|
|
headers = {
|
|
"HTTP_AUTHORIZATION": token_string,
|
|
"HTTP_X-Instance-Context": INSTANCE_CONTEXT,
|
|
"HTTP_X-Grafana-Context": '{"UserId": 12}',
|
|
}
|
|
request = APIRequestFactory().get("/", **headers)
|
|
|
|
assert PluginAuthentication().authenticate(request) == (user, token)
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_plugin_authentication_gcom_success(make_organization, make_user, make_token_for_organization):
|
|
# Setting gcom_token_org_last_time_synced to now, so it doesn't try to sync with gcom
|
|
organization = make_organization(
|
|
stack_id=42, org_id=24, gcom_token="123", api_token="abc", gcom_token_org_last_time_synced=timezone.now()
|
|
)
|
|
user = make_user(organization=organization, user_id=12)
|
|
|
|
headers = {
|
|
"HTTP_AUTHORIZATION": "gcom:123",
|
|
"HTTP_X-Instance-Context": INSTANCE_CONTEXT,
|
|
"HTTP_X-Grafana-Context": '{"UserId": 12}',
|
|
}
|
|
request = APIRequestFactory().get("/", **headers)
|
|
|
|
ret_user, ret_token = PluginAuthentication().authenticate(request)
|
|
assert ret_user == user
|
|
assert ret_token.organization == organization
|
|
|
|
|
|
@pytest.mark.django_db
|
|
@pytest.mark.parametrize("grafana_context", [None, "", "non-json", '"string"', "{}", '{"UserId": 1}'])
|
|
def test_plugin_authentication_fail_grafana_context(
|
|
make_organization, make_user, make_token_for_organization, grafana_context
|
|
):
|
|
organization = make_organization(stack_id=42, org_id=24)
|
|
token, token_string = make_token_for_organization(organization)
|
|
|
|
headers = {"HTTP_AUTHORIZATION": token_string, "HTTP_X-Instance-Context": INSTANCE_CONTEXT}
|
|
if grafana_context is not None:
|
|
headers["HTTP_X-Grafana-Context"] = grafana_context
|
|
|
|
request = APIRequestFactory().get("/", **headers)
|
|
with pytest.raises(AuthenticationFailed):
|
|
PluginAuthentication().authenticate(request)
|
|
|
|
|
|
@pytest.mark.django_db
|
|
@pytest.mark.parametrize("authorization", [None, "", "123", "gcom:123"])
|
|
@pytest.mark.parametrize(
|
|
"instance_context", [None, "", "non-json", '"string"', "{}", '{"stack_id": 1, "org_id": 1, "grafana_token": "abc"}']
|
|
)
|
|
def test_plugin_authentication_fail(authorization, instance_context):
|
|
headers = {}
|
|
|
|
if authorization is not None:
|
|
headers["HTTP_AUTHORIZATION"] = authorization
|
|
|
|
if instance_context is not None:
|
|
headers["HTTP_X-Instance-Context"] = instance_context
|
|
|
|
request = APIRequestFactory().get("/", **headers)
|
|
|
|
class MockCheckTokenResponse:
|
|
organization = None
|
|
|
|
with patch("apps.auth_token.auth.check_token", return_value=MockCheckTokenResponse):
|
|
with pytest.raises(AuthenticationFailed):
|
|
PluginAuthentication().authenticate(request)
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_plugin_authentication_inactive_user(make_organization, make_user, make_token_for_organization):
|
|
organization = make_organization(stack_id=42, org_id=24)
|
|
token, token_string = make_token_for_organization(organization)
|
|
user = make_user(organization=organization, user_id=12)
|
|
# user is set to inactive if deleted via queryset (ie. during sync)
|
|
user.is_active = False
|
|
user.save()
|
|
|
|
headers = {
|
|
"HTTP_AUTHORIZATION": token_string,
|
|
"HTTP_X-Instance-Context": INSTANCE_CONTEXT,
|
|
"HTTP_X-Grafana-Context": '{"UserId": 12}',
|
|
}
|
|
request = APIRequestFactory().get("/", **headers)
|
|
|
|
with pytest.raises(AuthenticationFailed):
|
|
PluginAuthentication().authenticate(request)
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_plugin_authentication_gcom_setup_new_user(make_organization):
|
|
# Setting gcom_token_org_last_time_synced to now, so it doesn't try to sync with gcom
|
|
organization = make_organization(
|
|
stack_id=42, org_id=24, gcom_token="123", api_token="abc", gcom_token_org_last_time_synced=timezone.now()
|
|
)
|
|
assert organization.users.count() == 0
|
|
# user = make_user(organization=organization, user_id=12)
|
|
|
|
# logged in user data available through header
|
|
user_data = {
|
|
"id": 12,
|
|
"name": "Test User",
|
|
"login": "test_user",
|
|
"email": "test@test.com",
|
|
"role": "Admin",
|
|
"avatar_url": "http://test.com/avatar.png",
|
|
"permissions": None,
|
|
"teams": None,
|
|
}
|
|
|
|
headers = {
|
|
"HTTP_AUTHORIZATION": "gcom:123",
|
|
"HTTP_X-Instance-Context": INSTANCE_CONTEXT,
|
|
"HTTP_X-Grafana-Context": '{"UserId": 12}',
|
|
"HTTP_X-Oncall-User-Context": json.dumps(user_data),
|
|
}
|
|
request = APIRequestFactory().get("/", **headers)
|
|
|
|
ret_user, ret_token = PluginAuthentication().authenticate(request)
|
|
|
|
assert ret_user.user_id == 12
|
|
assert ret_token.organization == organization
|
|
assert organization.users.count() == 1
|
|
|
|
|
|
@pytest.mark.django_db
|
|
def test_plugin_authentication_self_hosted_setup_new_user(make_organization, make_token_for_organization):
|
|
# Setting gcom_token_org_last_time_synced to now, so it doesn't try to sync with gcom
|
|
organization = make_organization(stack_id=42, org_id=24)
|
|
token, token_string = make_token_for_organization(organization)
|
|
assert organization.users.count() == 0
|
|
|
|
# logged in user data available through header
|
|
user_data = {
|
|
"id": 12,
|
|
"name": "Test User",
|
|
"login": "test_user",
|
|
"email": "test@test.com",
|
|
"role": "Admin",
|
|
"avatar_url": "http://test.com/avatar.png",
|
|
"permissions": None,
|
|
"teams": None,
|
|
}
|
|
|
|
headers = {
|
|
"HTTP_AUTHORIZATION": token_string,
|
|
"HTTP_X-Instance-Context": INSTANCE_CONTEXT,
|
|
"HTTP_X-Grafana-Context": '{"UserId": 12}',
|
|
"HTTP_X-Oncall-User-Context": json.dumps(user_data),
|
|
}
|
|
request = APIRequestFactory().get("/", **headers)
|
|
|
|
ret_user, ret_token = PluginAuthentication().authenticate(request)
|
|
|
|
assert ret_user.user_id == 12
|
|
assert ret_token.organization == organization
|
|
assert organization.users.count() == 1
|
|
|
|
|
|
@pytest.mark.django_db
|
|
@pytest.mark.parametrize(
|
|
"role,expected_raises", [("Admin", False), ("Editor", True), ("Viewer", True), ("Other", True)]
|
|
)
|
|
def test_plugin_authentication_service_account(make_organization, role, expected_raises):
|
|
# Setting gcom_token_org_last_time_synced to now, so it doesn't try to sync with gcom
|
|
organization = make_organization(
|
|
stack_id=42, org_id=24, gcom_token="123", api_token="abc", gcom_token_org_last_time_synced=timezone.now()
|
|
)
|
|
|
|
headers = {
|
|
"HTTP_AUTHORIZATION": "gcom:123",
|
|
"HTTP_X-Instance-Context": INSTANCE_CONTEXT,
|
|
"HTTP_X-Grafana-Context": json.dumps({"UserId": 12, "Role": role, "IsServiceAccount": True}),
|
|
}
|
|
request = APIRequestFactory().get("/", **headers)
|
|
|
|
if expected_raises:
|
|
with pytest.raises(AuthenticationFailed):
|
|
BasePluginAuthentication().authenticate(request)
|
|
else:
|
|
ret_user, ret_token = BasePluginAuthentication().authenticate(request)
|
|
assert ret_user is None
|
|
assert ret_token.organization == organization
|
|
|
|
# PluginAuthentication should always raise an exception if the request comes from a service account
|
|
with pytest.raises(AuthenticationFailed):
|
|
PluginAuthentication().authenticate(request)
|