From d971a8360185de1f4483ea040b55fa7b6595bc0f Mon Sep 17 00:00:00 2001
From: Noah Moss <32746338+noahmoss@users.noreply.github.com>
Date: Thu, 13 Jun 2024 14:22:37 -0400
Subject: [PATCH] Minor refactoring in JWT/SAML tests (#43866)
* little bit of refactoring in sso test code
* use :once instead of :each
---
.../sso/integrations/jwt_test.clj | 177 +++++++++---------
.../sso/integrations/saml_test.clj | 123 ++++++------
src/metabase/api/setup.clj | 22 +--
3 files changed, 159 insertions(+), 163 deletions(-)
diff --git a/enterprise/backend/test/metabase_enterprise/sso/integrations/jwt_test.clj b/enterprise/backend/test/metabase_enterprise/sso/integrations/jwt_test.clj
index 2f1df644f6b..cc538639aba 100644
--- a/enterprise/backend/test/metabase_enterprise/sso/integrations/jwt_test.clj
+++ b/enterprise/backend/test/metabase_enterprise/sso/integrations/jwt_test.clj
@@ -9,6 +9,7 @@
[metabase-enterprise.sso.integrations.saml-test :as saml-test]
[metabase-enterprise.sso.integrations.sso-settings :as sso-settings]
[metabase.config :as config]
+ [metabase.http-client :as client]
[metabase.models.permissions-group :refer [PermissionsGroup]]
[metabase.models.permissions-group-membership
:refer [PermissionsGroupMembership]]
@@ -30,17 +31,17 @@
(use-fixtures :each disable-other-sso-types)
+(defn- disable-api-url-prefix
+ [thunk]
+ (binding [client/*url-prefix* ""]
+ (thunk)))
+
+(use-fixtures :each disable-api-url-prefix)
+
(def ^:private default-idp-uri "http://test.idp.metabase.com")
(def ^:private default-redirect-uri "/")
(def ^:private default-jwt-secret (crypto-random/hex 32))
-(defmacro with-sso-jwt-token
- "Stubs the [[premium-features/*token-features*]] function to simulate a premium token with the `:sso-jwt` feature.
- This needs to be included to test any of the JWT features."
- [& body]
- `(mt/with-additional-premium-features #{:sso-jwt}
- ~@body))
-
(defn- call-with-default-jwt-config [f]
(let [current-features (premium-features/*token-features*)]
(mt/with-additional-premium-features #{:sso-jwt}
@@ -61,7 +62,7 @@
(mt/with-premium-features #{:audit-app}
(disable-other-sso-types
(fn []
- (with-sso-jwt-token
+ (mt/with-additional-premium-features #{:sso-jwt}
(saml-test/call-with-login-attributes-cleared!
(fn []
(call-with-default-jwt-config
@@ -69,55 +70,55 @@
~@body))))))))))
(deftest sso-prereqs-test
- (with-sso-jwt-token
+ (mt/with-additional-premium-features #{:sso-jwt}
(testing "SSO requests fail if JWT hasn't been configured or enabled"
(mt/with-temporary-setting-values [jwt-enabled false
jwt-identity-provider-uri nil
jwt-shared-secret nil]
(is (= "SSO has not been enabled and/or configured"
- (saml-test/client :get 400 "/auth/sso")))
+ (client/client :get 400 "/auth/sso")))
(testing "SSO requests fail if they don't have a valid premium-features token"
(with-default-jwt-config
(mt/with-premium-features #{}
(is (= "SSO has not been enabled and/or configured"
- (saml-test/client :get 400 "/auth/sso"))))))))
+ (client/client :get 400 "/auth/sso"))))))))
(testing "SSO requests fail if JWT is enabled but hasn't been configured"
(mt/with-temporary-setting-values [jwt-enabled true
jwt-identity-provider-uri nil]
(is (= "SSO has not been enabled and/or configured"
- (saml-test/client :get 400 "/auth/sso")))))
+ (client/client :get 400 "/auth/sso")))))
(testing "SSO requests fail if JWT is configured but hasn't been enabled"
(mt/with-temporary-setting-values [jwt-enabled false
jwt-identity-provider-uri default-idp-uri
jwt-shared-secret default-jwt-secret]
(is (= "SSO has not been enabled and/or configured"
- (saml-test/client :get 400 "/auth/sso")))))
+ (client/client :get 400 "/auth/sso")))))
(testing "The JWT Shared Secret must also be included for SSO to be configured"
(mt/with-temporary-setting-values [jwt-enabled true
jwt-identity-provider-uri default-idp-uri
jwt-shared-secret nil]
(is (= "SSO has not been enabled and/or configured"
- (saml-test/client :get 400 "/auth/sso")))))))
+ (client/client :get 400 "/auth/sso")))))))
(deftest redirect-test
(testing "with JWT configured, a GET request should result in a redirect to the IdP"
(with-jwt-default-setup
- (let [result (saml-test/client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :redirect default-redirect-uri)
+ (let [result (client/client-full-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :redirect default-redirect-uri)
redirect-url (get-in result [:headers "Location"])]
(is (str/starts-with? redirect-url default-idp-uri)))))
(testing (str "JWT configured with a redirect-uri containing query params, "
"a GET request should result in a redirect to the IdP as a correctly formatted URL (#13078)")
(with-jwt-default-setup
(mt/with-temporary-setting-values [jwt-identity-provider-uri "http://test.idp.metabase.com/login?some_param=yes"]
- (let [result (saml-test/client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :redirect default-redirect-uri)
+ (let [result (client/client-full-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :redirect default-redirect-uri)
redirect-url (get-in result [:headers "Location"])]
(is (str/includes? redirect-url "&return_to=")))))))
@@ -125,15 +126,15 @@
(with-jwt-default-setup
(saml-test/with-saml-default-setup
(testing "with SAML and JWT configured, a GET request with JWT params should sign in correctly"
- (let [response (saml-test/client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :return_to default-redirect-uri
- :jwt (jwt/sign {:email "rasta@metabase.com"
- :first_name "Rasta"
- :last_name "Toucan"
- :extra "keypairs"
- :are "also present"}
- default-jwt-secret))]
+ (let [response (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :return_to default-redirect-uri
+ :jwt (jwt/sign {:email "rasta@metabase.com"
+ :first_name "Rasta"
+ :last_name "Toucan"
+ :extra "keypairs"
+ :are "also present"}
+ default-jwt-secret))]
(is (saml-test/successful-login? response))
(testing "redirect URI"
(is (= default-redirect-uri
@@ -143,23 +144,23 @@
(t2/select-one-fn :login_attributes User :email "rasta@metabase.com"))))))
(testing "with SAML and JWT configured, a GET request without JWT params should redirect to SAML IdP"
- (let [response (saml-test/client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :return_to default-redirect-uri)]
+ (let [response (client/client-full-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :return_to default-redirect-uri)]
(is (not (saml-test/successful-login? response))))))))
(deftest happy-path-test
(testing (str "Happy path login, valid JWT, checks to ensure the user was logged in successfully and the redirect to "
"the right location")
(with-jwt-default-setup
- (let [response (saml-test/client-full-response :get 302 "/auth/sso" {:request-options {:redirect-strategy :none}}
- :return_to default-redirect-uri
- :jwt (jwt/sign {:email "rasta@metabase.com"
- :first_name "Rasta"
- :last_name "Toucan"
- :extra "keypairs"
- :are "also present"}
- default-jwt-secret))]
+ (let [response (client/client-real-response :get 302 "/auth/sso" {:request-options {:redirect-strategy :none}}
+ :return_to default-redirect-uri
+ :jwt (jwt/sign {:email "rasta@metabase.com"
+ :first_name "Rasta"
+ :last_name "Toucan"
+ :extra "keypairs"
+ :are "also present"}
+ default-jwt-secret))]
(is (saml-test/successful-login? response))
(testing "redirect URI"
(is (= default-redirect-uri
@@ -174,7 +175,7 @@
(doseq [redirect-uri ["https://badsite.com"
"//badsite.com"]]
(is (= "Invalid redirect URL"
- (-> (saml-test/client
+ (-> (client/client
:get 400 "/auth/sso" {:request-options {:redirect-strategy :none}}
:return_to redirect-uri
:jwt (jwt/sign {:email "rasta@metabase.com"
@@ -189,11 +190,11 @@
(testing "Check an expired JWT"
(with-jwt-default-setup
(is (= "Token is older than max-age (180)"
- (:message (saml-test/client :get 401 "/auth/sso" {:request-options {:redirect-strategy :none}}
- :return_to default-redirect-uri
- :jwt (jwt/sign {:email "test@metabase.com", :first_name "Test" :last_name "User"
- :iat (- (buddy-util/now) (u/minutes->seconds 5))}
- default-jwt-secret))))))))
+ (:message (client/client :get 401 "/auth/sso" {:request-options {:redirect-strategy :none}}
+ :return_to default-redirect-uri
+ :jwt (jwt/sign {:email "test@metabase.com", :first_name "Test" :last_name "User"
+ :iat (- (buddy-util/now) (u/minutes->seconds 5))}
+ default-jwt-secret))))))))
(defmacro with-users-with-email-deleted {:style/indent 1} [user-email & body]
`(try
@@ -208,15 +209,15 @@
(letfn [(new-user-exists? []
(boolean (seq (t2/select User :%lower.email "newuser@metabase.com"))))]
(is (false? (new-user-exists?)))
- (let [response (saml-test/client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :return_to default-redirect-uri
- :jwt (jwt/sign {:email "newuser@metabase.com"
- :first_name "New"
- :last_name "User"
- :more "stuff"
- :for "the new user"}
- default-jwt-secret))]
+ (let [response (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :return_to default-redirect-uri
+ :jwt (jwt/sign {:email "newuser@metabase.com"
+ :first_name "New"
+ :last_name "User"
+ :more "stuff"
+ :for "the new user"}
+ default-jwt-secret))]
(is (saml-test/successful-login? response))
(let [new-user (t2/select-one User :email "newuser@metabase.com")]
(testing "new user"
@@ -248,11 +249,11 @@
(boolean (seq (t2/select User :%lower.email "newuser@metabase.com"))))]
(is (= false
(new-user-exists?)))
- (let [response (saml-test/client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :return_to default-redirect-uri
- :jwt (jwt/sign {:email "newuser@metabase.com"}
- default-jwt-secret))]
+ (let [response (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :return_to default-redirect-uri
+ :jwt (jwt/sign {:email "newuser@metabase.com"}
+ default-jwt-secret))]
(is (saml-test/successful-login? response))
(testing "new user with no first or last name"
(is (= [{:email "newuser@metabase.com"
@@ -265,13 +266,13 @@
:common_name "newuser@metabase.com"}]
(->> (mt/boolean-ids-and-timestamps (t2/select User :email "newuser@metabase.com"))
(map #(dissoc % :last_login)))))))
- (let [response (saml-test/client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :return_to default-redirect-uri
- :jwt (jwt/sign {:email "newuser@metabase.com"
- :first_name "New"
- :last_name "User"}
- default-jwt-secret))]
+ (let [response (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :return_to default-redirect-uri
+ :jwt (jwt/sign {:email "newuser@metabase.com"
+ :first_name "New"
+ :last_name "User"}
+ default-jwt-secret))]
(is (saml-test/successful-login? response))
(testing "update user first and last name"
(is (= [{:email "newuser@metabase.com"
@@ -287,7 +288,7 @@
(deftest group-mappings-test
(testing "make sure our setting for mapping group names -> IDs works"
- (with-sso-jwt-token
+ (mt/with-additional-premium-features #{:sso-jwt}
(mt/with-temporary-setting-values [jwt-group-mappings {"group_1" [1 2 3]
"group_2" [3 4]
"group_3" [5]}]
@@ -310,16 +311,16 @@
jwt-group-mappings {"my_group" [(u/the-id my-group)]}
jwt-attribute-groups "GrOuPs"]
(with-users-with-email-deleted "newuser@metabase.com"
- (let [response (saml-test/client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :return_to default-redirect-uri
- :jwt (jwt/sign {:email "newuser@metabase.com"
- :first_name "New"
- :last_name "User"
- :more "stuff"
- :GrOuPs ["my_group"]
- :for "the new user"}
- default-jwt-secret))]
+ (let [response (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :return_to default-redirect-uri
+ :jwt (jwt/sign {:email "newuser@metabase.com"
+ :first_name "New"
+ :last_name "User"
+ :more "stuff"
+ :GrOuPs ["my_group"]
+ :for "the new user"}
+ default-jwt-secret))]
(is (saml-test/successful-login? response))
(is (= #{"All Users"
":metabase-enterprise.sso.integrations.jwt-test/my-group"}
@@ -350,9 +351,9 @@
:iat jwt-iat-time
:exp jwt-exp-time}
default-jwt-secret)
- result (saml-test/client-full-response :get 200 "/auth/sso"
- :token true
- :jwt jwt-payload)]
+ result (client/client-real-response :get 200 "/auth/sso"
+ :token true
+ :jwt jwt-payload)]
(is (=? {:id (mt/malli=? ms/NonBlankString)
:iat jwt-iat-time
:exp jwt-exp-time}
@@ -371,9 +372,9 @@
:iat jwt-iat-time
:exp jwt-exp-time}
default-jwt-secret)
- result (saml-test/client-full-response :get 400 "/auth/sso"
- :token true
- :jwt jwt-payload)]
+ result (client/client-real-response :get 400 "/auth/sso"
+ :token true
+ :jwt jwt-payload)]
(is result nil)))))
(testing "should not return a session token when token=false"
@@ -389,8 +390,8 @@
:iat jwt-iat-time
:exp jwt-exp-time}
default-jwt-secret)
- result (saml-test/client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :return_to default-redirect-uri
- :jwt jwt-payload)]
+ result (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :return_to default-redirect-uri
+ :jwt jwt-payload)]
(is result nil))))))
diff --git a/enterprise/backend/test/metabase_enterprise/sso/integrations/saml_test.clj b/enterprise/backend/test/metabase_enterprise/sso/integrations/saml_test.clj
index d3007c75859..9e25de410fd 100644
--- a/enterprise/backend/test/metabase_enterprise/sso/integrations/saml_test.clj
+++ b/enterprise/backend/test/metabase_enterprise/sso/integrations/saml_test.clj
@@ -45,6 +45,13 @@
(use-fixtures :each disable-other-sso-types)
+(defn- disable-api-url-prefix
+ [thunk]
+ (binding [client/*url-prefix* ""]
+ (thunk)))
+
+(use-fixtures :once disable-api-url-prefix)
+
(def ^:private default-idp-uri "http://test.idp.metabase.com")
(def ^:private default-redirect-uri "http://localhost:3000/test")
(def ^:private default-idp-uri-with-param (str default-idp-uri "?someparam=true"))
@@ -87,18 +94,6 @@
(fn []
~@body)))))))
-(defn client
- "Same as `client/client` but doesn't include the `/api` in the URL prefix"
- [& args]
- (binding [client/*url-prefix* ""]
- (apply client/real-client args)))
-
-(defn client-full-response
- "Same as `client/client-full-response` but doesn't include the `/api` in the URL prefix"
- [& args]
- (binding [client/*url-prefix* ""]
- (apply client/client-real-response args)))
-
(defn successful-login?
"Return true if the response indicates a successful user login"
[resp]
@@ -136,7 +131,7 @@
(mt/with-premium-features #{}
(with-default-saml-config
(is (= "SSO has not been enabled and/or configured"
- (client :get 400 "/auth/sso")))))))
+ (client/client :get 400 "/auth/sso")))))))
(deftest require-saml-enabled-test
(mt/with-premium-features #{:sso-saml}
@@ -144,24 +139,24 @@
(mt/with-temporary-setting-values [saml-enabled false
saml-identity-provider-uri nil
saml-identity-provider-certificate nil]
- (is (some? (client :get 400 "/auth/sso")))))
+ (is (some? (client/client :get 400 "/auth/sso")))))
(testing "SSO requests fail if SAML has been configured but not enabled"
(mt/with-temporary-setting-values [saml-enabled false
saml-identity-provider-uri default-idp-uri
saml-identity-provider-certificate default-idp-cert]
- (is (some? (client :get 400 "/auth/sso")))))
+ (is (some? (client/client :get 400 "/auth/sso")))))
(testing "SSO requests fail if SAML is enabled but hasn't been configured"
(mt/with-temporary-setting-values [saml-enabled true
saml-identity-provider-uri nil]
- (is (some? (client :get 400 "/auth/sso")))))
+ (is (some? (client/client :get 400 "/auth/sso")))))
(testing "The IDP provider certificate must also be included for SSO to be configured"
(mt/with-temporary-setting-values [saml-enabled true
saml-identity-provider-uri default-idp-uri
saml-identity-provider-certificate nil]
- (is (some? (client :get 400 "/auth/sso")))))))
+ (is (some? (client/client :get 400 "/auth/sso")))))))
;; TODO - maybe this belongs in a util namespace?
(defn- uri->params-map
@@ -188,9 +183,9 @@
(:request-id m))))
(mt/with-clock #t "2020-09-30T17:53:32Z"
(orig (assoc m :request-id "id-419507d5-1d2a-43c4-bcde-3e5b9746bb47"))))]
- (let [request (client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :redirect default-redirect-uri)
+ (let [request (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :redirect default-redirect-uri)
location (get-in request [:headers "Location"])
base-64 (-> location uri->params-map :SAMLRequest)
xml (-> base-64
@@ -215,9 +210,9 @@
(deftest redirect-test
(testing "With SAML configured, a GET request should result in a redirect to the IDP"
(with-saml-default-setup
- (let [result (client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :redirect default-redirect-uri)
+ (let [result (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :redirect default-redirect-uri)
redirect-url (get-in result [:headers "Location"])]
(is (str/starts-with? redirect-url default-idp-uri))))))
@@ -226,9 +221,9 @@
"append more parameters onto the query string (rather than always include a `?newparam=here`).")
(with-saml-default-setup
(mt/with-temporary-setting-values [saml-identity-provider-uri default-idp-uri-with-param]
- (let [result (client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :redirect default-redirect-uri)
+ (let [result (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :redirect default-redirect-uri)
redirect-url (get-in result [:headers "Location"])]
(is (= #{:someparam :SAMLRequest :RelayState}
(set (keys (uri->params-map redirect-url))))))))))
@@ -240,9 +235,9 @@
(with-saml-default-setup
(do-with-some-validators-disabled
(fn []
- (let [result (client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :redirect default-redirect-uri)
+ (let [result (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :redirect default-redirect-uri)
redirect-url (get-in result [:headers "Location"])]
(testing (format "result = %s" (pr-str result))
(is (string? redirect-url))
@@ -301,7 +296,7 @@
"`/auth/sso` route.")
(let [req-options (saml-post-request-options (saml-test-response)
(saml/str->base64 default-redirect-uri))
- response (client-full-response :post 302 "/auth/sso" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso" req-options)]
(is (successful-login? response))
(is (= default-redirect-uri
(get-in response [:headers "Location"])))
@@ -316,7 +311,7 @@
(fn []
(let [req-options (saml-post-request-options (saml-test-response)
default-redirect-uri)
- response (client-full-response :post 401 "/auth/sso" req-options)]
+ response (client/client-real-response :post 401 "/auth/sso" req-options)]
(testing (format "response =\n%s" (u/pprint-to-str response))
(is (not (successful-login? response))))))))))
@@ -327,7 +322,7 @@
(fn []
(let [req-options (saml-post-request-options (saml-test-response)
(saml/str->base64 default-redirect-uri))]
- (is (not (successful-login? (client-full-response :post 401 "/auth/sso" req-options))))))))
+ (is (not (successful-login? (client/client-real-response :post 401 "/auth/sso" req-options))))))))
(testing "If we time-travel then the sample responses *should* work"
(let [orig saml/validate]
(with-redefs [saml/validate (fn [& args]
@@ -337,7 +332,7 @@
(fn []
(let [req-options (saml-post-request-options (saml-test-response)
(saml/str->base64 default-redirect-uri))]
- (is (successful-login? (client-full-response :post 302 "/auth/sso" req-options)))))))))))
+ (is (successful-login? (client/client-real-response :post 302 "/auth/sso" req-options)))))))))))
(deftest validate-recipient-test
(with-saml-default-setup
@@ -349,12 +344,12 @@
(mt/with-temporary-setting-values [site-url "http://localhost:9876"]
(let [req-options (saml-post-request-options (saml-test-response)
(saml/str->base64 default-redirect-uri))]
- (is (not (successful-login? (client-full-response :post 401 "/auth/sso" req-options)))))))
+ (is (not (successful-login? (client/client-real-response :post 401 "/auth/sso" req-options)))))))
(testing "with correct acs-url"
(mt/with-temporary-setting-values [site-url "http://localhost:3000"]
(let [req-options (saml-post-request-options (saml-test-response)
(saml/str->base64 default-redirect-uri))]
- (is (successful-login? (client-full-response :post 302 "/auth/sso" req-options)))))))))))
+ (is (successful-login? (client/client-real-response :post 302 "/auth/sso" req-options)))))))))))
(deftest validate-issuer-test
(with-saml-default-setup
@@ -363,7 +358,7 @@
(letfn [(login [expected-status-code]
(let [req-options (saml-post-request-options (saml-test-response)
(saml/str->base64 default-redirect-uri))]
- (client-full-response :post expected-status-code "/auth/sso" req-options)))]
+ (client/client-real-response :post expected-status-code "/auth/sso" req-options)))]
(fn []
(testing "<Issuer> matches saml-identity-provider-issuer"
(mt/with-temporary-setting-values [saml-identity-provider-issuer "urn:saml-metabase-test.auth0.com"]
@@ -384,7 +379,7 @@
(fn []
(let [req-options (saml-post-request-options (saml-test-response)
(saml/str->base64 default-redirect-uri))
- response (client-full-response :post 302 "/auth/sso" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso" req-options)]
(is (successful-login? response))
(is (= default-redirect-uri
(get-in response [:headers "Location"])))
@@ -396,7 +391,7 @@
(fn []
(let [req-options (saml-post-request-options (whitespace-response)
(saml/str->base64 default-redirect-uri))
- response (client-full-response :post 302 "/auth/sso" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso" req-options)]
(is (successful-login? response))
(is (= default-redirect-uri
(get-in response [:headers "Location"])))
@@ -411,7 +406,7 @@
(fn []
(let [req-options (saml-post-request-options (saml-test-response)
(saml/str->base64 default-redirect-uri))
- response (client-full-response :post 302 "/auth/sso" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso" req-options)]
(is (successful-login? response))
(is (= default-redirect-uri
(get-in response [:headers "Location"])))
@@ -432,7 +427,7 @@
(do-with-some-validators-disabled
(fn []
(let [req-options (saml-post-request-options (saml-test-response) relay-state)
- response (client-full-response :post 302 "/auth/sso" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso" req-options)]
(is (successful-login? response))
(is (= (public-settings/site-url)
(get-in response [:headers "Location"])))
@@ -446,7 +441,7 @@
(mt/with-temporary-setting-values [site-url "http://localhost:3000"]
(do-with-some-validators-disabled
(fn []
- (let [get-response (client :get 400 "/auth/sso"
+ (let [get-response (client/client :get 400 "/auth/sso"
{:request-options {:redirect-strategy :none}}
:redirect redirect-url)]
(is (= "Invalid redirect URL" (:message get-response)))))))))))
@@ -461,7 +456,7 @@
(is (not (t2/exists? User :%lower.email "newuser@metabase.com")))
(let [req-options (saml-post-request-options (new-user-saml-test-response)
(saml/str->base64 default-redirect-uri))]
- (is (successful-login? (client-full-response :post 302 "/auth/sso" req-options))))
+ (is (successful-login? (client/client-real-response :post 302 "/auth/sso" req-options))))
(let [new-user (t2/select-one User :email "newuser@metabase.com")]
(is (= {:email "newuser@metabase.com"
:first_name "New"
@@ -500,7 +495,7 @@
;; login with a user with no givenname or surname attributes
(let [req-options (saml-post-request-options (new-user-no-names-saml-test-response)
(saml/str->base64 default-redirect-uri))]
- (is (successful-login? (client-full-response :post 302 "/auth/sso" req-options)))
+ (is (successful-login? (client/client-real-response :post 302 "/auth/sso" req-options)))
(is (= [{:email "newuser@metabase.com"
:first_name nil
:is_qbnewb true
@@ -514,7 +509,7 @@
;; login with the same user, but now givenname and surname attributes exist
(let [req-options (saml-post-request-options (new-user-saml-test-response)
(saml/str->base64 default-redirect-uri))]
- (is (successful-login? (client-full-response :post 302 "/auth/sso" req-options)))
+ (is (successful-login? (client/client-real-response :post 302 "/auth/sso" req-options)))
(is (= [{:email "newuser@metabase.com"
:first_name "New"
:is_qbnewb true
@@ -546,7 +541,7 @@
(is (not (t2/select-one-pk User :%lower.email "newuser@metabase.com")))
(let [req-options (saml-post-request-options (new-user-with-single-group-saml-test-response)
(saml/str->base64 default-redirect-uri))
- response (client-full-response :post 302 "/auth/sso" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso" req-options)]
(is (successful-login? response))
(is (= #{"All Users"
":metabase-enterprise.sso.integrations.saml-test/group-1"}
@@ -571,7 +566,7 @@
(is (not (t2/select-one-pk User :%lower.email "newuser@metabase.com"))))
(let [req-options (saml-post-request-options (new-user-with-groups-saml-test-response)
(saml/str->base64 default-redirect-uri))
- response (client-full-response :post 302 "/auth/sso" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso" req-options)]
(is (successful-login? response))
(is (= #{"All Users"
":metabase-enterprise.sso.integrations.saml-test/group-1"
@@ -594,7 +589,7 @@
(is (not (t2/select-one-pk User :%lower.email "newuser@metabase.com"))))
(let [req-options (saml-post-request-options (new-user-with-groups-in-separate-attribute-nodes-saml-test-response)
(saml/str->base64 default-redirect-uri))
- response (client-full-response :post 302 "/auth/sso" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso" req-options)]
(is (successful-login? response))
(is (= #{"All Users"
":metabase-enterprise.sso.integrations.saml-test/group-1"
@@ -611,9 +606,9 @@
default-redirect-uri
"http://localhost:3001/"]]
(testing (format "\nredirect URL = %s" redirect-url)
- (let [result (client-full-response :get 302 "/auth/sso"
- {:request-options {:redirect-strategy :none}}
- :redirect redirect-url)
+ (let [result (client/client-real-response :get 302 "/auth/sso"
+ {:request-options {:redirect-strategy :none}}
+ :redirect redirect-url)
location (get-in result [:headers "Location"])
_ (is (string? location))
params-map (uri->params-map location)]
@@ -626,7 +621,7 @@
(fn []
(let [req-options (saml-post-request-options (saml-test-response)
(:RelayState params-map))
- response (client-full-response :post 302 "/auth/sso" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso" req-options)]
(is (successful-login? response))
(is (= redirect-url
(get-in response [:headers "Location"]))))))))))))))
@@ -639,7 +634,7 @@
"/"]]
(testing (format "\nredirect URL = %s" redirect-url)
(mt/with-temporary-setting-values [site-url "http://localhost:3001/path"]
- (let [result (client-full-response :get 302 "/auth/sso"
+ (let [result (client/client-real-response :get 302 "/auth/sso"
{:request-options {:redirect-strategy :none}}
:redirect redirect-url)
location (get-in result [:headers "Location"])
@@ -651,7 +646,7 @@
(fn []
(let [req-options (saml-post-request-options (saml-test-response)
(:RelayState params-map))
- response (client-full-response :post 302 "/auth/sso" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso" req-options)]
(is (successful-login? response))
(is (= (str "http://localhost:3001/path" redirect-url)
(get-in response [:headers "Location"])))))))))))))))
@@ -659,15 +654,15 @@
(deftest create-new-saml-user-no-user-provisioning-test
(testing "When user provisioning is disabled, throw an error if we attempt to create a new user."
(with-saml-default-setup
- (with-redefs [sso-settings/saml-user-provisioning-enabled? (constantly false)
- public-settings/site-name (constantly "test")]
- (is
- (thrown-with-msg?
- clojure.lang.ExceptionInfo
- #"Sorry, but you'll need a test account to view this page. Please contact your administrator."
- (#'saml.mt/fetch-or-create-user! {:first-name "Test"
- :last-name "user"
- :email "test1234@metabsae.com"})))))))
+ (with-redefs [sso-settings/saml-user-provisioning-enabled? (constantly false)
+ public-settings/site-name (constantly "test")]
+ (is
+ (thrown-with-msg?
+ clojure.lang.ExceptionInfo
+ #"Sorry, but you'll need a test account to view this page. Please contact your administrator."
+ (#'saml.mt/fetch-or-create-user! {:first-name "Test"
+ :last-name "user"
+ :email "test1234@metabsae.com"})))))))
(deftest logout-should-delete-session-test
(testing "Successful SAML SLO logouts should delete the user's session."
@@ -681,7 +676,7 @@
(saml/str->base64 default-redirect-uri))
;; Client sends their session cookie during the SLO request redirect from the IDP.
(assoc-in [:request-options :cookies mw.session/metabase-session-cookie :value] session-id))
- response (client-full-response :post 302 "/auth/sso/handle_slo" req-options)]
+ response (client/client-real-response :post 302 "/auth/sso/handle_slo" req-options)]
(is (str/blank? (get-in response [:cookies mw.session/metabase-session-cookie :value]))
"After a successful log-out, you don't have a session")
(is (not (t2/exists? :model/Session :id session-id))
@@ -697,5 +692,5 @@
(saml-test-response)
(saml/str->base64 default-redirect-uri))
(assoc-in [:request-options :cookies mw.session/metabase-session-cookie :value] session-id))]
- (client :post "/auth/sso/logout" req-options)
+ (client/client :post "/auth/sso/logout" req-options)
(is (not (t2/exists? :model/Session :id session-id))))))))
diff --git a/src/metabase/api/setup.clj b/src/metabase/api/setup.clj
index 873b7920c51..4b8d6bbadfd 100644
--- a/src/metabase/api/setup.clj
+++ b/src/metabase/api/setup.clj
@@ -183,18 +183,18 @@
:from [[(t2/table-name :model/Table) :t]]
:join [[(t2/table-name :model/Database) :d] [:= :d.id :t.db_id]]
:where (mi/exclude-internal-content-hsql :model/Database :table-alias :d)})))}
- :exists {:non-sample-db (t2/exists? :model/Database {:where (mi/exclude-internal-content-hsql :model/Database)})
- :dashboard (t2/exists? :model/Dashboard {:where (mi/exclude-internal-content-hsql :model/Dashboard)})
- :pulse (t2/exists? :model/Pulse)
- :hidden-table (t2/exists? :model/Table {:where [:and
- [:not= :visibility_type nil]
- (mi/exclude-internal-content-hsql :model/Table)]})
- :collection (t2/exists? :model/Collection {:where (mi/exclude-internal-content-hsql :model/Collection)})
- :model (t2/exists? :model/Card {:where [:and
- [:= :type "model"]
- (mi/exclude-internal-content-hsql :model/Card)]})
+ :exists {:non-sample-db (t2/exists? :model/Database {:where (mi/exclude-internal-content-hsql :model/Database)})
+ :dashboard (t2/exists? :model/Dashboard {:where (mi/exclude-internal-content-hsql :model/Dashboard)})
+ :pulse (t2/exists? :model/Pulse)
+ :hidden-table (t2/exists? :model/Table {:where [:and
+ [:not= :visibility_type nil]
+ (mi/exclude-internal-content-hsql :model/Table)]})
+ :collection (t2/exists? :model/Collection {:where (mi/exclude-internal-content-hsql :model/Collection)})
+ :model (t2/exists? :model/Card {:where [:and
+ [:= :type "model"]
+ (mi/exclude-internal-content-hsql :model/Card)]})
:embedded-resource (or (t2/exists? :model/Card :enable_embedding true)
- (t2/exists? :model/Dashboard :enable_embedding true))}})
+ (t2/exists? :model/Dashboard :enable_embedding true))}})
(defn- get-connected-tasks
[{:keys [configured counts exists embedding] :as _info}]
--
GitLab