tests: deduplicate password hash API assertions

2026-04-25 17:15:26 +02:00 · 2026-04-22 20:44:21 -04:00
parent 2d28213117
commit a62fb7f267
1 changed files with 16 additions and 14 deletions
--- a/authentik/core/tests/test_users_api.py
+++ b/authentik/core/tests/test_users_api.py
@@ -27,6 +27,9 @@ from authentik.flows.models import FlowAuthenticationRequirement, FlowDesignatio
 from authentik.lib.generators import generate_id, generate_key
 from authentik.stages.email.models import EmailStage

+INVALID_PASSWORD_HASH = "not-a-valid-hash"
+INVALID_PASSWORD_HASH_ERROR = "Invalid password hash format. Must be a valid Django password hash."
+

 class TestUsersAPI(APITestCase):
    """Test Users API"""
@@ -41,6 +44,14 @@ class TestUsersAPI(APITestCase):
            data={"password": password_hash},
        )

+    def _assert_password_hash_set(
+        self, user: User, password: str, password_hash: str, response
+    ) -> None:
+        self.assertEqual(response.status_code, 204, response.data)
+        user.refresh_from_db()
+        self.assertEqual(user.password, password_hash)
+        self.assertTrue(user.check_password(password))
+
    def test_filter_type(self):
        """Test API filtering by type"""
        self.client.force_login(self.admin)
@@ -127,20 +138,17 @@ class TestUsersAPI(APITestCase):
        password_hash = make_password(password)
        response = self._set_password_hash(self.user, password_hash)

-        self.assertEqual(response.status_code, 204)
-        self.user.refresh_from_db()
-        self.assertEqual(self.user.password, password_hash)
-        self.assertTrue(self.user.check_password(password))
+        self._assert_password_hash_set(self.user, password, password_hash, response)

    def test_set_password_hash_invalid(self):
        """Test invalid password hashes are rejected."""
        self.client.force_login(self.admin)
-        response = self._set_password_hash(self.user, "not-a-valid-hash")
+        response = self._set_password_hash(self.user, INVALID_PASSWORD_HASH)

        self.assertEqual(response.status_code, 400)
        self.assertJSONEqual(
            response.content,
-            {"password": ["Invalid password hash format. Must be a valid Django password hash."]},
+            {"password": [INVALID_PASSWORD_HASH_ERROR]},
        )

    def test_set_password_hash_requires_separate_permission(self):
@@ -165,10 +173,7 @@ class TestUsersAPI(APITestCase):
        password = generate_key()
        password_hash = make_password(password)
        response = self._set_password_hash(self.user, password_hash, client)
-        self.assertEqual(response.status_code, 204, response.data)
-        self.user.refresh_from_db()
-        self.assertEqual(self.user.password, password_hash)
-        self.assertTrue(self.user.check_password(password))
+        self._assert_password_hash_set(self.user, password, password_hash, response)

    def test_recovery(self):
        """Test user recovery link"""
@@ -339,10 +344,7 @@ class TestUsersAPI(APITestCase):
        password_hash = make_password(password)
        response = self._set_password_hash(user, password_hash)

-        self.assertEqual(response.status_code, 204, response.data)
-        user.refresh_from_db()
-        self.assertEqual(user.password, password_hash)
-        self.assertTrue(user.check_password(password))
+        self._assert_password_hash_set(user, password, password_hash, response)

    def test_service_account_no_expire(self):
        """Service account creation without token expiration"""