Use 401 for bad or missing credentials, 403 for forbidden access

endpoints/appr/test/test_api_security.py

@@ -15,64 +15,64 @@ CHANNEL_ARGS = {'channel_name': 'c'}
 CHANNEL_RELEASE_ARGS = {'channel_name': 'c', 'release': 'r'}
 
 @pytest.mark.parametrize('resource,method,params,owned_by,is_public,identity,expected', [
-  ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', False, 'public', 401),
+  ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', False, 'public', 403),
   ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', False, 'devtable', 404),
   ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', True, 'public', 404),
   ('appr.blobs', 'GET', BLOB_ARGS, 'devtable', True, 'devtable', 404),
 
-  ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', False, 'public', 401),
+  ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', False, 'public', 403),
   ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', True, 'public', 401),
+  ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', True, 'public', 403),
   ('appr.delete_package', 'DELETE', PACKAGE_ARGS, 'devtable', True, 'devtable', 404),
 
-  ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', False, 'public', 401),
+  ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', False, 'public', 403),
   ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', False, 'devtable', 404),
   ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', True, 'public', 404),
   ('appr.show_package', 'GET', PACKAGE_ARGS, 'devtable', True, 'devtable', 404),
 
-  ('appr.show_package_releases', 'GET', {}, 'devtable', False, 'public', 401),
+  ('appr.show_package_releases', 'GET', {}, 'devtable', False, 'public', 403),
   ('appr.show_package_releases', 'GET', {}, 'devtable', False, 'devtable', 200),
   ('appr.show_package_releases', 'GET', {}, 'devtable', True, 'public', 200),
   ('appr.show_package_releases', 'GET', {}, 'devtable', True, 'devtable', 200),
 
-  ('appr.show_package_releasse_manifests', 'GET', RELEASE_ARGS, 'devtable', False, 'public', 401),
+  ('appr.show_package_releasse_manifests', 'GET', RELEASE_ARGS, 'devtable', False, 'public', 403),
   ('appr.show_package_releasse_manifests', 'GET', RELEASE_ARGS, 'devtable', False, 'devtable', 200),
   ('appr.show_package_releasse_manifests', 'GET', RELEASE_ARGS, 'devtable', True, 'public', 200),
   ('appr.show_package_releasse_manifests', 'GET', RELEASE_ARGS, 'devtable', True, 'devtable', 200),
 
-  ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', False, 'public', 401),
+  ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', False, 'public', 403),
   ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', False, 'devtable', 404),
   ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', True, 'public', 404),
   ('appr.pull', 'GET', PACKAGE_ARGS, 'devtable', True, 'devtable', 404),
 
-  ('appr.push', 'POST', {}, 'devtable', False, 'public', 401),
+  ('appr.push', 'POST', {}, 'devtable', False, 'public', 403),
   ('appr.push', 'POST', {}, 'devtable', False, 'devtable', 400),
-  ('appr.push', 'POST', {}, 'devtable', True, 'public', 401),
+  ('appr.push', 'POST', {}, 'devtable', True, 'public', 403),
   ('appr.push', 'POST', {}, 'devtable', True, 'devtable', 400),
 
-  ('appr.list_channels', 'GET', {}, 'devtable', False, 'public', 401),
+  ('appr.list_channels', 'GET', {}, 'devtable', False, 'public', 403),
   ('appr.list_channels', 'GET', {}, 'devtable', False, 'devtable', 200),
   ('appr.list_channels', 'GET', {}, 'devtable', True, 'public', 200),
   ('appr.list_channels', 'GET', {}, 'devtable', True, 'devtable', 200),
 
-  ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', False, 'public', 401),
+  ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', False, 'public', 403),
   ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', False, 'devtable', 404),
   ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', True, 'public', 404),
   ('appr.show_channel', 'GET', CHANNEL_ARGS, 'devtable', True, 'devtable', 404),
 
-  ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', False, 'public', 401),
+  ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', False, 'public', 403),
   ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', True, 'public', 401),
+  ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', True, 'public', 403),
   ('appr.delete_channel', 'DELETE', CHANNEL_ARGS, 'devtable', True, 'devtable', 404),
 
-  ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', False, 'public', 401),
+  ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', False, 'public', 403),
   ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', True, 'public', 401),
+  ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', True, 'public', 403),
   ('appr.add_channel_release', 'POST', CHANNEL_RELEASE_ARGS, 'devtable', True, 'devtable', 404),
 
-  ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', False, 'public', 401),
+  ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', False, 'public', 403),
   ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', False, 'devtable', 404),
-  ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', True, 'public', 401),
+  ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', True, 'public', 403),
   ('appr.delete_channel_release', 'DELETE', CHANNEL_RELEASE_ARGS, 'devtable', True, 'devtable', 404),
 ])
 def test_api_security(resource, method, params, owned_by, is_public, identity, expected, app, client):
@@ -95,4 +95,3 @@ def test_api_security(resource, method, params, owned_by, is_public, identity, e
 
     rv = cl.open(url, headers=headers, method=method)
     assert rv.status_code == expected
-