2017-07-21 15:06:21 +00:00
|
|
|
from mock import patch
|
|
|
|
|
2017-01-27 16:22:40 +00:00
|
|
|
import pytest
|
2017-04-07 20:12:28 +00:00
|
|
|
from flask_principal import AnonymousIdentity
|
2017-01-27 16:22:40 +00:00
|
|
|
|
2017-02-17 23:20:23 +00:00
|
|
|
from endpoints.api import api
|
2018-03-12 20:42:42 +00:00
|
|
|
from endpoints.api.organization import OrganizationCollaboratorList
|
2017-05-18 21:52:50 +00:00
|
|
|
from endpoints.api.repositorynotification import RepositoryNotification
|
2017-08-01 15:34:31 +00:00
|
|
|
from endpoints.api.permission import RepositoryUserTransitivePermission
|
2017-02-17 23:20:23 +00:00
|
|
|
from endpoints.api.team import OrganizationTeamSyncing
|
2017-06-28 08:38:36 +00:00
|
|
|
from endpoints.api.test.shared import conduct_api_call
|
2017-04-07 21:25:44 +00:00
|
|
|
from endpoints.api.repository import RepositoryTrust
|
|
|
|
from endpoints.api.signing import RepositorySignatures
|
|
|
|
from endpoints.api.search import ConductRepositorySearch
|
2017-01-27 16:22:40 +00:00
|
|
|
from endpoints.api.superuser import SuperUserRepositoryBuildLogs, SuperUserRepositoryBuildResource
|
|
|
|
from endpoints.api.superuser import SuperUserRepositoryBuildStatus
|
2017-12-08 22:05:59 +00:00
|
|
|
from endpoints.api.appspecifictokens import AppTokens, AppToken
|
2018-03-28 20:03:18 +00:00
|
|
|
from endpoints.api.manifest import RepositoryManifest
|
2017-10-17 21:01:59 +00:00
|
|
|
from endpoints.api.trigger import BuildTrigger
|
2017-07-21 15:06:21 +00:00
|
|
|
from endpoints.test.shared import client_with_identity, toggle_feature
|
2017-04-24 17:49:29 +00:00
|
|
|
|
|
|
|
from test.fixtures import *
|
2017-01-27 16:22:40 +00:00
|
|
|
|
2018-03-12 20:42:42 +00:00
|
|
|
ORG_PARAMS = {'orgname': 'buynlarge'}
|
2017-03-22 18:30:13 +00:00
|
|
|
TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
|
|
|
|
BUILD_PARAMS = {'build_uuid': 'test-1234'}
|
2017-04-07 20:12:28 +00:00
|
|
|
REPO_PARAMS = {'repository': 'devtable/someapp'}
|
2017-04-07 21:25:44 +00:00
|
|
|
SEARCH_PARAMS = {'query': ''}
|
2017-05-18 21:52:50 +00:00
|
|
|
NOTIFICATION_PARAMS = {'namespace': 'devtable', 'repository': 'devtable/simple', 'uuid': 'some uuid'}
|
2017-12-08 22:05:59 +00:00
|
|
|
TOKEN_PARAMS = {'token_uuid': 'someuuid'}
|
2017-10-17 21:01:59 +00:00
|
|
|
TRIGGER_PARAMS = {'repository': 'devtable/simple', 'trigger_uuid': 'someuuid'}
|
2018-03-28 20:03:18 +00:00
|
|
|
MANIFEST_PARAMS = {'repository': 'devtable/simple', 'manifestref': 'sha256:deadbeef'}
|
2017-01-27 16:22:40 +00:00
|
|
|
|
2017-03-22 18:30:13 +00:00
|
|
|
@pytest.mark.parametrize('resource,method,params,body,identity,expected', [
|
2017-12-08 22:05:59 +00:00
|
|
|
(AppTokens, 'GET', {}, {}, None, 401),
|
|
|
|
(AppTokens, 'GET', {}, {}, 'freshuser', 200),
|
|
|
|
(AppTokens, 'GET', {}, {}, 'reader', 200),
|
|
|
|
(AppTokens, 'GET', {}, {}, 'devtable', 200),
|
|
|
|
|
|
|
|
(AppTokens, 'POST', {}, {}, None, 403),
|
|
|
|
(AppTokens, 'POST', {}, {}, 'freshuser', 400),
|
|
|
|
(AppTokens, 'POST', {}, {}, 'reader', 400),
|
|
|
|
(AppTokens, 'POST', {}, {}, 'devtable', 400),
|
|
|
|
|
|
|
|
(AppToken, 'GET', TOKEN_PARAMS, {}, None, 401),
|
|
|
|
(AppToken, 'GET', TOKEN_PARAMS, {}, 'freshuser', 404),
|
|
|
|
(AppToken, 'GET', TOKEN_PARAMS, {}, 'reader', 404),
|
|
|
|
(AppToken, 'GET', TOKEN_PARAMS, {}, 'devtable', 404),
|
|
|
|
|
|
|
|
(AppToken, 'DELETE', TOKEN_PARAMS, {}, None, 403),
|
|
|
|
(AppToken, 'DELETE', TOKEN_PARAMS, {}, 'freshuser', 404),
|
|
|
|
(AppToken, 'DELETE', TOKEN_PARAMS, {}, 'reader', 404),
|
|
|
|
(AppToken, 'DELETE', TOKEN_PARAMS, {}, 'devtable', 404),
|
|
|
|
|
2018-03-28 20:03:18 +00:00
|
|
|
(RepositoryManifest, 'GET', MANIFEST_PARAMS, {}, None, 401),
|
|
|
|
(RepositoryManifest, 'GET', MANIFEST_PARAMS, {}, 'freshuser', 403),
|
|
|
|
(RepositoryManifest, 'GET', MANIFEST_PARAMS, {}, 'reader', 403),
|
|
|
|
(RepositoryManifest, 'GET', MANIFEST_PARAMS, {}, 'devtable', 404),
|
|
|
|
|
2018-03-12 20:42:42 +00:00
|
|
|
(OrganizationCollaboratorList, 'GET', ORG_PARAMS, None, None, 401),
|
|
|
|
(OrganizationCollaboratorList, 'GET', ORG_PARAMS, None, 'freshuser', 403),
|
|
|
|
(OrganizationCollaboratorList, 'GET', ORG_PARAMS, None, 'reader', 403),
|
|
|
|
(OrganizationCollaboratorList, 'GET', ORG_PARAMS, None, 'devtable', 200),
|
|
|
|
|
2017-02-17 23:20:23 +00:00
|
|
|
(OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, None, 403),
|
|
|
|
(OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'freshuser', 403),
|
|
|
|
(OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'reader', 403),
|
|
|
|
(OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'devtable', 400),
|
|
|
|
|
|
|
|
(OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, None, 403),
|
|
|
|
(OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'freshuser', 403),
|
|
|
|
(OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'reader', 403),
|
|
|
|
(OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'devtable', 200),
|
|
|
|
|
2017-04-07 21:25:44 +00:00
|
|
|
(ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, None, 200),
|
|
|
|
(ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'freshuser', 200),
|
|
|
|
(ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'reader', 200),
|
|
|
|
(ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'devtable', 200),
|
|
|
|
|
2017-03-22 18:30:13 +00:00
|
|
|
(SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, None, 401),
|
|
|
|
(SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
|
|
|
|
(SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'reader', 403),
|
|
|
|
(SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'devtable', 400),
|
2017-01-27 16:22:40 +00:00
|
|
|
|
2017-03-22 18:30:13 +00:00
|
|
|
(SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, None, 401),
|
|
|
|
(SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
|
|
|
|
(SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'reader', 403),
|
|
|
|
(SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'devtable', 400),
|
2017-01-27 16:22:40 +00:00
|
|
|
|
2017-03-22 18:30:13 +00:00
|
|
|
(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, None, 401),
|
|
|
|
(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
|
|
|
|
(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'reader', 403),
|
|
|
|
(SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'devtable', 404),
|
2017-04-17 22:03:32 +00:00
|
|
|
|
2017-04-07 20:12:28 +00:00
|
|
|
(RepositorySignatures, 'GET', REPO_PARAMS, {}, 'freshuser', 403),
|
|
|
|
(RepositorySignatures, 'GET', REPO_PARAMS, {}, 'reader', 403),
|
2017-04-17 22:03:32 +00:00
|
|
|
(RepositorySignatures, 'GET', REPO_PARAMS, {}, 'devtable', 404),
|
|
|
|
|
2017-05-18 21:52:50 +00:00
|
|
|
(RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, None, 403),
|
|
|
|
(RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'freshuser', 403),
|
|
|
|
(RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'reader', 403),
|
2017-07-17 21:56:32 +00:00
|
|
|
(RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'devtable', 400),
|
2017-05-18 21:52:50 +00:00
|
|
|
|
2017-04-15 12:26:33 +00:00
|
|
|
(RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, None, 403),
|
|
|
|
(RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'freshuser', 403),
|
|
|
|
(RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'reader', 403),
|
|
|
|
(RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'devtable', 404),
|
2017-10-17 21:01:59 +00:00
|
|
|
|
|
|
|
(BuildTrigger, 'GET', TRIGGER_PARAMS, {}, None, 401),
|
|
|
|
(BuildTrigger, 'GET', TRIGGER_PARAMS, {}, 'freshuser', 403),
|
|
|
|
(BuildTrigger, 'GET', TRIGGER_PARAMS, {}, 'reader', 403),
|
|
|
|
(BuildTrigger, 'GET', TRIGGER_PARAMS, {}, 'devtable', 404),
|
|
|
|
|
|
|
|
(BuildTrigger, 'DELETE', TRIGGER_PARAMS, {}, None, 403),
|
|
|
|
(BuildTrigger, 'DELETE', TRIGGER_PARAMS, {}, 'freshuser', 403),
|
|
|
|
(BuildTrigger, 'DELETE', TRIGGER_PARAMS, {}, 'reader', 403),
|
|
|
|
(BuildTrigger, 'DELETE', TRIGGER_PARAMS, {}, 'devtable', 404),
|
|
|
|
|
|
|
|
(BuildTrigger, 'PUT', TRIGGER_PARAMS, {}, None, 403),
|
|
|
|
(BuildTrigger, 'PUT', TRIGGER_PARAMS, {}, 'freshuser', 403),
|
|
|
|
(BuildTrigger, 'PUT', TRIGGER_PARAMS, {}, 'reader', 403),
|
|
|
|
(BuildTrigger, 'PUT', TRIGGER_PARAMS, {}, 'devtable', 400),
|
|
|
|
|
2017-08-01 15:34:31 +00:00
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, None, 401),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'freshuser', 403),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'reader', 403),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'public/publicrepo'}, None, 'devtable', 403),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, None, 401),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'freshuser', 403),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'reader', 403),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'devtable/shared'}, None, 'devtable', 404),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, None, 401),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'freshuser', 403),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'reader', 403),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'A2O9','repository': 'buynlarge/orgrepo'}, None, 'devtable', 404),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'devtable','repository': 'devtable/shared'}, None, 'devtable', 200),
|
|
|
|
(RepositoryUserTransitivePermission, 'GET', {'username': 'devtable','repository': 'devtable/nope'}, None, 'devtable', 404),
|
2017-01-27 16:22:40 +00:00
|
|
|
])
|
2017-03-22 18:30:13 +00:00
|
|
|
def test_api_security(resource, method, params, body, identity, expected, client):
|
|
|
|
with client_with_identity(identity, client) as cl:
|
|
|
|
conduct_api_call(cl, resource, method, params, body, expected)
|
2017-07-21 15:06:21 +00:00
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.parametrize('is_superuser', [
|
|
|
|
(True),
|
|
|
|
(False),
|
|
|
|
])
|
|
|
|
@pytest.mark.parametrize('allow_nonsuperuser', [
|
|
|
|
(True),
|
|
|
|
(False),
|
|
|
|
])
|
|
|
|
@pytest.mark.parametrize('method, expected', [
|
|
|
|
('POST', 400),
|
|
|
|
('DELETE', 200),
|
|
|
|
])
|
|
|
|
def test_team_sync_security(is_superuser, allow_nonsuperuser, method, expected, client):
|
|
|
|
def is_superuser_method(_):
|
|
|
|
return is_superuser
|
|
|
|
|
|
|
|
with patch('auth.permissions.superusers.is_superuser', is_superuser_method):
|
|
|
|
with toggle_feature('NONSUPERUSER_TEAM_SYNCING_SETUP', allow_nonsuperuser):
|
|
|
|
with client_with_identity('devtable', client) as cl:
|
|
|
|
expect_success = is_superuser or allow_nonsuperuser
|
|
|
|
expected_status = expected if expect_success else 403
|
|
|
|
conduct_api_call(cl, OrganizationTeamSyncing, method, TEAM_PARAMS, {}, expected_status)
|