quay/endpoints/api/test/test_security.py

from mock import patch

import pytest
from flask_principal import AnonymousIdentity

from endpoints.api import api
from endpoints.api.repositorynotification import RepositoryNotification
from endpoints.api.permission import RepositoryUserTransitivePermission
from endpoints.api.team import OrganizationTeamSyncing
from endpoints.api.test.shared import conduct_api_call
from endpoints.api.repository import RepositoryTrust
from endpoints.api.signing import RepositorySignatures
from endpoints.api.search import ConductRepositorySearch
from endpoints.api.superuser import SuperUserRepositoryBuildLogs, SuperUserRepositoryBuildResource
from endpoints.api.superuser import SuperUserRepositoryBuildStatus
from endpoints.api.appspecifictokens import AppTokens, AppToken
from endpoints.test.shared import client_with_identity, toggle_feature

from test.fixtures import *

TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
BUILD_PARAMS = {'build_uuid': 'test-1234'}
REPO_PARAMS = {'repository': 'devtable/someapp'}
SEARCH_PARAMS = {'query': ''}
NOTIFICATION_PARAMS = {'namespace': 'devtable', 'repository': 'devtable/simple', 'uuid': 'some uuid'}
TOKEN_PARAMS = {'token_uuid': 'someuuid'}

@pytest.mark.parametrize('resource,method,params,body,identity,expected', [
  (AppTokens, 'GET', {}, {}, None, 401),
  (AppTokens, 'GET', {}, {}, 'freshuser', 200),
  (AppTokens, 'GET', {}, {}, 'reader', 200),
  (AppTokens, 'GET', {}, {}, 'devtable', 200),

  (AppTokens, 'POST', {}, {}, None, 403),
  (AppTokens, 'POST', {}, {}, 'freshuser', 400),
  (AppTokens, 'POST', {}, {}, 'reader', 400),
  (AppTokens, 'POST', {}, {}, 'devtable', 400),

  (AppToken, 'GET', TOKEN_PARAMS, {}, None, 401),
  (AppToken, 'GET', TOKEN_PARAMS, {}, 'freshuser', 404),
  (AppToken, 'GET', TOKEN_PARAMS, {}, 'reader', 404),
  (AppToken, 'GET', TOKEN_PARAMS, {}, 'devtable', 404),

  (AppToken, 'DELETE', TOKEN_PARAMS, {}, None, 403),
  (AppToken, 'DELETE', TOKEN_PARAMS, {}, 'freshuser', 404),
  (AppToken, 'DELETE', TOKEN_PARAMS, {}, 'reader', 404),
  (AppToken, 'DELETE', TOKEN_PARAMS, {}, 'devtable', 404),

  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, None, 403),
  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'freshuser', 403),
  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'reader', 403),
  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'devtable', 400),

  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, None, 403),
  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'freshuser', 403),
  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'reader', 403),
  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'devtable', 200),

  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, None, 200),
  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'freshuser', 200),
  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'reader', 200),
  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'devtable', 200),

  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, None, 401),
  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'reader', 403),
  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'devtable', 400),

  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, None, 401),
  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'reader', 403),
  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'devtable', 400),

  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, None, 401),
  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'reader', 403),
  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None,  'devtable', 404),

  (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'freshuser', 403),
  (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'reader', 403),
  (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'devtable', 404),

  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, None, 403),
  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'freshuser', 403),
  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'reader', 403),
  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'devtable', 400),

  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, None, 403),
  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'freshuser', 403),
  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'reader', 403),
  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'devtable', 404),
  
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, None, 401),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'freshuser', 403),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'reader', 403),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'devtable', 403),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, None, 401),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'freshuser', 403),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'reader', 403),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'devtable', 404),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, None, 401),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'devtable', 404),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'devtable','repository': 'devtable/shared'}, None, 'devtable', 200),
  (RepositoryUserTransitivePermission, 'GET', {'username': 'devtable','repository': 'devtable/nope'}, None, 'devtable', 404),
])
def test_api_security(resource, method, params, body, identity, expected, client):
  with client_with_identity(identity, client) as cl:
    conduct_api_call(cl, resource, method, params, body, expected)


@pytest.mark.parametrize('is_superuser', [
  (True),
  (False),
])
@pytest.mark.parametrize('allow_nonsuperuser', [
  (True),
  (False),
])
@pytest.mark.parametrize('method, expected', [
  ('POST', 400),
  ('DELETE', 200),
])
def test_team_sync_security(is_superuser, allow_nonsuperuser, method, expected, client):
  def is_superuser_method(_):
    return is_superuser

  with patch('auth.permissions.superusers.is_superuser', is_superuser_method):
    with toggle_feature('NONSUPERUSER_TEAM_SYNCING_SETUP', allow_nonsuperuser):
      with client_with_identity('devtable', client) as cl:
        expect_success = is_superuser or allow_nonsuperuser
        expected_status = expected if expect_success else 403
        conduct_api_call(cl, OrganizationTeamSyncing, method, TEAM_PARAMS, {}, expected_status)
Add feature flag to enable team syncing setup when not a superuser 2017-07-21 15:06:21 +00:00			`from mock import patch`

update(security_test.py): moving tests to new framework We should be moving tests over to pytest [none] 2017-01-27 16:22:40 +00:00			`import pytest`
Return hashes and expiration when fetching signed tags 2017-04-07 20:12:28 +00:00			`from flask_principal import AnonymousIdentity`
update(security_test.py): moving tests to new framework We should be moving tests over to pytest [none] 2017-01-27 16:22:40 +00:00
Add ability to enable, disable and view team syncing in UI and API Also extracts out some common testing infrastructure to make testing APIs easier now using pytest 2017-02-17 23:20:23 +00:00			`from endpoints.api import api`
feat(full-stack): disable notifications after 3 failures This stops notifications from firing over and over again if they are repeatedly failing. [TESTING -> locally with docker compose, DATABASE MIGRATION -> there is a single migration] Issue: https://www.pivotaltracker.com/story/show/b144646649n - [ ] It works! - [ ] Comments provide sufficient explanations for the next contributor - [ ] Tests cover changes and corner cases - [ ] Follows Quay syntax patterns and format 2017-05-18 21:52:50 +00:00			`from endpoints.api.repositorynotification import RepositoryNotification`
Convert RepositoryUserTransitivePermission security tests to pytest 2017-08-01 15:34:31 +00:00			`from endpoints.api.permission import RepositoryUserTransitivePermission`
Add ability to enable, disable and view team syncing in UI and API Also extracts out some common testing infrastructure to make testing APIs easier now using pytest 2017-02-17 23:20:23 +00:00			`from endpoints.api.team import OrganizationTeamSyncing`
Move conduct_call into a common test lib for all endpoints 2017-06-28 08:38:36 +00:00			`from endpoints.api.test.shared import conduct_api_call`
Implement new search UI We now have both autocomplete-based searching for quick results, as well as a full search page for a full listing of results 2017-04-07 21:25:44 +00:00			`from endpoints.api.repository import RepositoryTrust`
			`from endpoints.api.signing import RepositorySignatures`
			`from endpoints.api.search import ConductRepositorySearch`
update(security_test.py): moving tests to new framework We should be moving tests over to pytest [none] 2017-01-27 16:22:40 +00:00			`from endpoints.api.superuser import SuperUserRepositoryBuildLogs, SuperUserRepositoryBuildResource`
			`from endpoints.api.superuser import SuperUserRepositoryBuildStatus`
Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password 2017-12-08 22:05:59 +00:00			`from endpoints.api.appspecifictokens import AppTokens, AppToken`
Add feature flag to enable team syncing setup when not a superuser 2017-07-21 15:06:21 +00:00			`from endpoints.test.shared import client_with_identity, toggle_feature`
Switch fixture imports to wildcard in prep for full db test fixes 2017-04-24 17:49:29 +00:00
			`from test.fixtures import *`
update(security_test.py): moving tests to new framework We should be moving tests over to pytest [none] 2017-01-27 16:22:40 +00:00
Disallow non-apps-supported APIs for application repositories 2017-03-22 18:30:13 +00:00			`TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}`
			`BUILD_PARAMS = {'build_uuid': 'test-1234'}`
Return hashes and expiration when fetching signed tags 2017-04-07 20:12:28 +00:00			`REPO_PARAMS = {'repository': 'devtable/someapp'}`
Implement new search UI We now have both autocomplete-based searching for quick results, as well as a full search page for a full listing of results 2017-04-07 21:25:44 +00:00			`SEARCH_PARAMS = {'query': ''}`
feat(full-stack): disable notifications after 3 failures This stops notifications from firing over and over again if they are repeatedly failing. [TESTING -> locally with docker compose, DATABASE MIGRATION -> there is a single migration] Issue: https://www.pivotaltracker.com/story/show/b144646649n - [ ] It works! - [ ] Comments provide sufficient explanations for the next contributor - [ ] Tests cover changes and corner cases - [ ] Follows Quay syntax patterns and format 2017-05-18 21:52:50 +00:00			`NOTIFICATION_PARAMS = {'namespace': 'devtable', 'repository': 'devtable/simple', 'uuid': 'some uuid'}`
Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password 2017-12-08 22:05:59 +00:00			`TOKEN_PARAMS = {'token_uuid': 'someuuid'}`
update(security_test.py): moving tests to new framework We should be moving tests over to pytest [none] 2017-01-27 16:22:40 +00:00
Disallow non-apps-supported APIs for application repositories 2017-03-22 18:30:13 +00:00			`@pytest.mark.parametrize('resource,method,params,body,identity,expected', [`
Add an AppSpecificAuthToken data model for app-specific auth tokens. These will be used for the Docker CLI in place of username+password 2017-12-08 22:05:59 +00:00			`(AppTokens, 'GET', {}, {}, None, 401),`
			`(AppTokens, 'GET', {}, {}, 'freshuser', 200),`
			`(AppTokens, 'GET', {}, {}, 'reader', 200),`
			`(AppTokens, 'GET', {}, {}, 'devtable', 200),`

			`(AppTokens, 'POST', {}, {}, None, 403),`
			`(AppTokens, 'POST', {}, {}, 'freshuser', 400),`
			`(AppTokens, 'POST', {}, {}, 'reader', 400),`
			`(AppTokens, 'POST', {}, {}, 'devtable', 400),`

			`(AppToken, 'GET', TOKEN_PARAMS, {}, None, 401),`
			`(AppToken, 'GET', TOKEN_PARAMS, {}, 'freshuser', 404),`
			`(AppToken, 'GET', TOKEN_PARAMS, {}, 'reader', 404),`
			`(AppToken, 'GET', TOKEN_PARAMS, {}, 'devtable', 404),`

			`(AppToken, 'DELETE', TOKEN_PARAMS, {}, None, 403),`
			`(AppToken, 'DELETE', TOKEN_PARAMS, {}, 'freshuser', 404),`
			`(AppToken, 'DELETE', TOKEN_PARAMS, {}, 'reader', 404),`
			`(AppToken, 'DELETE', TOKEN_PARAMS, {}, 'devtable', 404),`

Add ability to enable, disable and view team syncing in UI and API Also extracts out some common testing infrastructure to make testing APIs easier now using pytest 2017-02-17 23:20:23 +00:00			`(OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, None, 403),`
			`(OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'freshuser', 403),`
			`(OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'reader', 403),`
			`(OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'devtable', 400),`

			`(OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, None, 403),`
			`(OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'freshuser', 403),`
			`(OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'reader', 403),`
			`(OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'devtable', 200),`

Implement new search UI We now have both autocomplete-based searching for quick results, as well as a full search page for a full listing of results 2017-04-07 21:25:44 +00:00			`(ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, None, 200),`
			`(ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'freshuser', 200),`
			`(ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'reader', 200),`
			`(ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'devtable', 200),`

Disallow non-apps-supported APIs for application repositories 2017-03-22 18:30:13 +00:00			`(SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, None, 401),`
			`(SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'freshuser', 403),`
			`(SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'reader', 403),`
			`(SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'devtable', 400),`
update(security_test.py): moving tests to new framework We should be moving tests over to pytest [none] 2017-01-27 16:22:40 +00:00
Disallow non-apps-supported APIs for application repositories 2017-03-22 18:30:13 +00:00			`(SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, None, 401),`
			`(SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'freshuser', 403),`
			`(SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'reader', 403),`
			`(SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'devtable', 400),`
update(security_test.py): moving tests to new framework We should be moving tests over to pytest [none] 2017-01-27 16:22:40 +00:00
Disallow non-apps-supported APIs for application repositories 2017-03-22 18:30:13 +00:00			`(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, None, 401),`
			`(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'freshuser', 403),`
			`(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'reader', 403),`
			`(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'devtable', 404),`
Small fixes to signing related APIs 2017-04-17 22:03:32 +00:00
Return hashes and expiration when fetching signed tags 2017-04-07 20:12:28 +00:00			`(RepositorySignatures, 'GET', REPO_PARAMS, {}, 'freshuser', 403),`
			`(RepositorySignatures, 'GET', REPO_PARAMS, {}, 'reader', 403),`
Small fixes to signing related APIs 2017-04-17 22:03:32 +00:00			`(RepositorySignatures, 'GET', REPO_PARAMS, {}, 'devtable', 404),`

feat(full-stack): disable notifications after 3 failures This stops notifications from firing over and over again if they are repeatedly failing. [TESTING -> locally with docker compose, DATABASE MIGRATION -> there is a single migration] Issue: https://www.pivotaltracker.com/story/show/b144646649n - [ ] It works! - [ ] Comments provide sufficient explanations for the next contributor - [ ] Tests cover changes and corner cases - [ ] Follows Quay syntax patterns and format 2017-05-18 21:52:50 +00:00			`(RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, None, 403),`
			`(RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'freshuser', 403),`
			`(RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'reader', 403),`
Add tests for repository notification api 2017-07-17 21:56:32 +00:00			`(RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'devtable', 400),`
feat(full-stack): disable notifications after 3 failures This stops notifications from firing over and over again if they are repeatedly failing. [TESTING -> locally with docker compose, DATABASE MIGRATION -> there is a single migration] Issue: https://www.pivotaltracker.com/story/show/b144646649n - [ ] It works! - [ ] Comments provide sufficient explanations for the next contributor - [ ] Tests cover changes and corner cases - [ ] Follows Quay syntax patterns and format 2017-05-18 21:52:50 +00:00
Add flag to enable trust per repo (#2541) * Add flag to enable trust per repo * Add api for enabling/disabling trust * Add new LogEntryKind for changing repo trust settings Also add tests for repo trust api * Add `set_trust` method to repository * Expose new logkind to UI * Fix registry tests * Rebase migrations and regen test.db * Raise downstreamissue if trust metadata can't be removed * Refactor change_repo_trust * Add show_if to change_repo_trust endpoint 2017-04-15 12:26:33 +00:00			`(RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, None, 403),`
			`(RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'freshuser', 403),`
			`(RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'reader', 403),`
			`(RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'devtable', 404),`
Convert RepositoryUserTransitivePermission security tests to pytest 2017-08-01 15:34:31 +00:00
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, None, 401),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'freshuser', 403),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'reader', 403),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'devtable', 403),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, None, 401),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'freshuser', 403),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'reader', 403),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'devtable', 404),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, None, 401),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'reader', 403),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'devtable', 404),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'devtable','repository': 'devtable/shared'}, None, 'devtable', 200),`
			`(RepositoryUserTransitivePermission, 'GET', {'username': 'devtable','repository': 'devtable/nope'}, None, 'devtable', 404),`
update(security_test.py): moving tests to new framework We should be moving tests over to pytest [none] 2017-01-27 16:22:40 +00:00			`])`
Disallow non-apps-supported APIs for application repositories 2017-03-22 18:30:13 +00:00			`def test_api_security(resource, method, params, body, identity, expected, client):`
			`with client_with_identity(identity, client) as cl:`
			`conduct_api_call(cl, resource, method, params, body, expected)`
Add feature flag to enable team syncing setup when not a superuser 2017-07-21 15:06:21 +00:00

			`@pytest.mark.parametrize('is_superuser', [`
			`(True),`
			`(False),`
			`])`
			`@pytest.mark.parametrize('allow_nonsuperuser', [`
			`(True),`
			`(False),`
			`])`
			`@pytest.mark.parametrize('method, expected', [`
			`('POST', 400),`
			`('DELETE', 200),`
			`])`
			`def test_team_sync_security(is_superuser, allow_nonsuperuser, method, expected, client):`
			`def is_superuser_method(_):`
			`return is_superuser`

			`with patch('auth.permissions.superusers.is_superuser', is_superuser_method):`
			`with toggle_feature('NONSUPERUSER_TEAM_SYNCING_SETUP', allow_nonsuperuser):`
			`with client_with_identity('devtable', client) as cl:`
			`expect_success = is_superuser or allow_nonsuperuser`
			`expected_status = expected if expect_success else 403`
			`conduct_api_call(cl, OrganizationTeamSyncing, method, TEAM_PARAMS, {}, expected_status)`