quay/endpoints/v2/test/test_v2_tuf.py

import pytest
import flask

from flask_principal import Identity, Principal
from mock import Mock

from auth import permissions
from endpoints.v2.v2auth import get_tuf_root
from test import testconfig
from util.security.registry_jwt import QUAY_TUF_ROOT, SIGNER_TUF_ROOT, DISABLED_TUF_ROOT


def admin_identity(namespace, reponame):
  identity = Identity('admin')
  identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'admin'))
  identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'admin'))
  return identity


def write_identity(namespace, reponame):
  identity = Identity('writer')
  identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'write'))
  identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'write'))
  return identity


def read_identity(namespace, reponame):
  identity = Identity('reader')
  identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'read'))
  identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'read'))
  return identity


def app_with_principal():
  app = flask.Flask(__name__)
  app.config.from_object(testconfig.TestConfig())
  principal = Principal(app)
  return app, principal


@pytest.mark.parametrize('identity,expected', [
  (Identity('anon'), QUAY_TUF_ROOT),
  (read_identity("namespace", "repo"), QUAY_TUF_ROOT),
  (read_identity("different", "repo"), QUAY_TUF_ROOT),
  (admin_identity("different", "repo"), QUAY_TUF_ROOT),
  (write_identity("different", "repo"), QUAY_TUF_ROOT),
  (admin_identity("namespace", "repo"), SIGNER_TUF_ROOT),
  (write_identity("namespace", "repo"), SIGNER_TUF_ROOT),
])
def test_get_tuf_root(identity, expected):
  app, principal = app_with_principal()
  with app.test_request_context('/'):
    principal.set_identity(identity)
    actual = get_tuf_root(Mock(), "namespace", "repo")
    assert actual == expected, "should be %s, but was %s" % (expected, actual)


@pytest.mark.parametrize('trust_enabled,tuf_root', [
  (True, QUAY_TUF_ROOT),
  (False, DISABLED_TUF_ROOT),
])
def test_trust_disabled(trust_enabled,tuf_root):
  app, principal = app_with_principal()
  with app.test_request_context('/'):
    principal.set_identity(read_identity("namespace", "repo"))
    actual = get_tuf_root(Mock(trust_enabled=trust_enabled), "namespace", "repo")
    assert actual == tuf_root, "should be %s, but was %s" % (tuf_root, actual)
Adding in what metadata_root_name to JWT 2017-02-22 19:35:11 +00:00			`import pytest`
Determine which TUF root to show based on actual access, not requested access 2017-03-22 11:38:52 +00:00			`import flask`
test: convert registry auth test to pytest This also moves them into the auth package. 2017-07-05 19:20:47 +00:00
Refactor tests, no g required 2017-03-22 14:30:48 +00:00			`from flask_principal import Identity, Principal`
test: convert registry auth test to pytest This also moves them into the auth package. 2017-07-05 19:20:47 +00:00			`from mock import Mock`
Adding in what metadata_root_name to JWT 2017-02-22 19:35:11 +00:00
Determine which TUF root to show based on actual access, not requested access 2017-03-22 11:38:52 +00:00			`from auth import permissions`
test: convert registry auth test to pytest This also moves them into the auth package. 2017-07-05 19:20:47 +00:00			`from endpoints.v2.v2auth import get_tuf_root`
Add flag to enable trust per repo (#2541) * Add flag to enable trust per repo * Add api for enabling/disabling trust * Add new LogEntryKind for changing repo trust settings Also add tests for repo trust api * Add `set_trust` method to repository * Expose new logkind to UI * Fix registry tests * Rebase migrations and regen test.db * Raise downstreamissue if trust metadata can't be removed * Refactor change_repo_trust * Add show_if to change_repo_trust endpoint 2017-04-15 12:26:33 +00:00			`from test import testconfig`
test: convert registry auth test to pytest This also moves them into the auth package. 2017-07-05 19:20:47 +00:00			`from util.security.registry_jwt import QUAY_TUF_ROOT, SIGNER_TUF_ROOT, DISABLED_TUF_ROOT`

Add flag to enable trust per repo (#2541) * Add flag to enable trust per repo * Add api for enabling/disabling trust * Add new LogEntryKind for changing repo trust settings Also add tests for repo trust api * Add `set_trust` method to repository * Expose new logkind to UI * Fix registry tests * Rebase migrations and regen test.db * Raise downstreamissue if trust metadata can't be removed * Refactor change_repo_trust * Add show_if to change_repo_trust endpoint 2017-04-15 12:26:33 +00:00

Determine which TUF root to show based on actual access, not requested access 2017-03-22 11:38:52 +00:00			`def admin_identity(namespace, reponame):`
			`identity = Identity('admin')`
			`identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'admin'))`
			`identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'admin'))`
			`return identity`
Adding in what metadata_root_name to JWT 2017-02-22 19:35:11 +00:00
test: convert registry auth test to pytest This also moves them into the auth package. 2017-07-05 19:20:47 +00:00
Determine which TUF root to show based on actual access, not requested access 2017-03-22 11:38:52 +00:00			`def write_identity(namespace, reponame):`
			`identity = Identity('writer')`
			`identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'write'))`
			`identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'write'))`
			`return identity`
test: convert registry auth test to pytest This also moves them into the auth package. 2017-07-05 19:20:47 +00:00

Determine which TUF root to show based on actual access, not requested access 2017-03-22 11:38:52 +00:00			`def read_identity(namespace, reponame):`
			`identity = Identity('reader')`
			`identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'read'))`
			`identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'read'))`
			`return identity`

test: convert registry auth test to pytest This also moves them into the auth package. 2017-07-05 19:20:47 +00:00
Refactor tests, no g required 2017-03-22 14:30:48 +00:00			`def app_with_principal():`
			`app = flask.Flask(__name__)`
Add flag to enable trust per repo (#2541) * Add flag to enable trust per repo * Add api for enabling/disabling trust * Add new LogEntryKind for changing repo trust settings Also add tests for repo trust api * Add `set_trust` method to repository * Expose new logkind to UI * Fix registry tests * Rebase migrations and regen test.db * Raise downstreamissue if trust metadata can't be removed * Refactor change_repo_trust * Add show_if to change_repo_trust endpoint 2017-04-15 12:26:33 +00:00			`app.config.from_object(testconfig.TestConfig())`
test: convert registry auth test to pytest This also moves them into the auth package. 2017-07-05 19:20:47 +00:00			`principal = Principal(app)`
Refactor tests, no g required 2017-03-22 14:30:48 +00:00			`return app, principal`

test: convert registry auth test to pytest This also moves them into the auth package. 2017-07-05 19:20:47 +00:00
Determine which TUF root to show based on actual access, not requested access 2017-03-22 11:38:52 +00:00			`@pytest.mark.parametrize('identity,expected', [`
Use constants for TUF roots 2017-03-22 20:14:56 +00:00			`(Identity('anon'), QUAY_TUF_ROOT),`
			`(read_identity("namespace", "repo"), QUAY_TUF_ROOT),`
			`(read_identity("different", "repo"), QUAY_TUF_ROOT),`
			`(admin_identity("different", "repo"), QUAY_TUF_ROOT),`
			`(write_identity("different", "repo"), QUAY_TUF_ROOT),`
			`(admin_identity("namespace", "repo"), SIGNER_TUF_ROOT),`
			`(write_identity("namespace", "repo"), SIGNER_TUF_ROOT),`
Adding in what metadata_root_name to JWT 2017-02-22 19:35:11 +00:00			`])`
Determine which TUF root to show based on actual access, not requested access 2017-03-22 11:38:52 +00:00			`def test_get_tuf_root(identity, expected):`
Refactor tests, no g required 2017-03-22 14:30:48 +00:00			`app, principal = app_with_principal()`
Determine which TUF root to show based on actual access, not requested access 2017-03-22 11:38:52 +00:00			`with app.test_request_context('/'):`
Refactor tests, no g required 2017-03-22 14:30:48 +00:00			`principal.set_identity(identity)`
Add flag to enable trust per repo (#2541) * Add flag to enable trust per repo * Add api for enabling/disabling trust * Add new LogEntryKind for changing repo trust settings Also add tests for repo trust api * Add `set_trust` method to repository * Expose new logkind to UI * Fix registry tests * Rebase migrations and regen test.db * Raise downstreamissue if trust metadata can't be removed * Refactor change_repo_trust * Add show_if to change_repo_trust endpoint 2017-04-15 12:26:33 +00:00			`actual = get_tuf_root(Mock(), "namespace", "repo")`
Refactor tests, no g required 2017-03-22 14:30:48 +00:00			`assert actual == expected, "should be %s, but was %s" % (expected, actual)`
test: convert registry auth test to pytest This also moves them into the auth package. 2017-07-05 19:20:47 +00:00

Add flag to enable trust per repo (#2541) * Add flag to enable trust per repo * Add api for enabling/disabling trust * Add new LogEntryKind for changing repo trust settings Also add tests for repo trust api * Add `set_trust` method to repository * Expose new logkind to UI * Fix registry tests * Rebase migrations and regen test.db * Raise downstreamissue if trust metadata can't be removed * Refactor change_repo_trust * Add show_if to change_repo_trust endpoint 2017-04-15 12:26:33 +00:00			`@pytest.mark.parametrize('trust_enabled,tuf_root', [`
			`(True, QUAY_TUF_ROOT),`
			`(False, DISABLED_TUF_ROOT),`
			`])`
			`def test_trust_disabled(trust_enabled,tuf_root):`
			`app, principal = app_with_principal()`
			`with app.test_request_context('/'):`
			`principal.set_identity(read_identity("namespace", "repo"))`
			`actual = get_tuf_root(Mock(trust_enabled=trust_enabled), "namespace", "repo")`
			`assert actual == tuf_root, "should be %s, but was %s" % (tuf_root, actual)`