core: fix token's set_key accessing data incorrectly

also add tests
closes #4551

Signed-off-by: Jens Langhammer <jens@goauthentik.io>
This commit is contained in:
Jens Langhammer 2023-01-27 23:57:35 +01:00
parent 6e5ad60cea
commit ecb1ce8135
No known key found for this signature in database
2 changed files with 26 additions and 2 deletions

View File

@ -134,9 +134,10 @@ class TokenViewSet(UsedByMixin, ModelViewSet):
) )
@action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"]) @action(detail=True, pagination_class=None, filter_backends=[], methods=["POST"])
def set_key(self, request: Request, identifier: str) -> Response: def set_key(self, request: Request, identifier: str) -> Response:
"""Return token key and log access""" """Set token key. Action is logged as event. `authentik_core.set_token_key` permission
is required."""
token: Token = self.get_object() token: Token = self.get_object()
key = request.POST.get("key") key = request.data.get("key")
if not key: if not key:
return Response(status=400) return Response(status=400)
token.key = key token.key = key

View File

@ -7,6 +7,7 @@ from rest_framework.test import APITestCase
from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents, User from authentik.core.models import USER_ATTRIBUTE_TOKEN_EXPIRING, Token, TokenIntents, User
from authentik.core.tests.utils import create_test_admin_user from authentik.core.tests.utils import create_test_admin_user
from authentik.lib.generators import generate_id
class TestTokenAPI(APITestCase): class TestTokenAPI(APITestCase):
@ -30,6 +31,28 @@ class TestTokenAPI(APITestCase):
self.assertEqual(token.expiring, True) self.assertEqual(token.expiring, True)
self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token)) self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))
def test_token_set_key(self):
"""Test token creation endpoint"""
response = self.client.post(
reverse("authentik_api:token-list"), {"identifier": "test-token"}
)
self.assertEqual(response.status_code, 201)
token = Token.objects.get(identifier="test-token")
self.assertEqual(token.user, self.user)
self.assertEqual(token.intent, TokenIntents.INTENT_API)
self.assertEqual(token.expiring, True)
self.assertTrue(self.user.has_perm("authentik_core.view_token_key", token))
self.client.force_login(self.admin)
new_key = generate_id()
response = self.client.post(
reverse("authentik_api:token-set-key", kwargs={"identifier": token.identifier}),
{"key": new_key},
)
self.assertEqual(response.status_code, 204)
token.refresh_from_db()
self.assertEqual(token.key, new_key)
def test_token_create_invalid(self): def test_token_create_invalid(self):
"""Test token creation endpoint (invalid data)""" """Test token creation endpoint (invalid data)"""
response = self.client.post( response = self.client.post(