Determine which TUF root to show based on actual access, not requested

access
2017-03-22 07:38:52 -04:00 · 2017-03-22 07:38:52 -04:00 · 43dd974dca
commit 43dd974dca
parent 7b411b2c25
5 changed files with 61 additions and 38 deletions
--- a/endpoints/v2/test/test_v2auth.py
+++ b/endpoints/v2/test/test_v2auth.py
@ -1,18 +1,43 @@
 import pytest

-from endpoints.v2.v2auth import attach_metadata_root_name, CLAIM_APOSTILLE_ROOT
+import flask
+from flask import g
+from flask_principal import Identity

+from endpoints.v2.v2auth import get_tuf_root
+from auth import permissions
+  
+def admin_identity(namespace, reponame):
+  identity = Identity('admin')
+  identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'admin'))
+  identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'admin'))
+  return identity

-@pytest.mark.parametrize('context,access,expected', [
-  ({}, None, {}),
-  ({}, [], {}),
-  ({}, [{}], {}),
-  ({}, [{"actions": None}], {}),
-  ({}, [{"actions": []}], {}),
-  ({}, [{"actions": ["pull"]}], {CLAIM_APOSTILLE_ROOT: 'quay'}),
-  ({}, [{"actions": ["push"]}], {CLAIM_APOSTILLE_ROOT: 'signer'}),
-  ({}, [{"actions": ["pull", "push"]}], {CLAIM_APOSTILLE_ROOT: 'signer'}),
+def write_identity(namespace, reponame):
+  identity = Identity('writer')
+  identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'write'))
+  identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'write'))
+  return identity
+  
+def read_identity(namespace, reponame):
+  identity = Identity('reader')
+  identity.provides.add(permissions._RepositoryNeed(namespace, reponame, 'read'))
+  identity.provides.add(permissions._OrganizationRepoNeed(namespace, 'read'))
+  return identity
+
+@pytest.mark.parametrize('identity,expected', [
+  (Identity('anon'), 'quay'),
+  (read_identity("namespace", "repo"), 'quay'),
+  (read_identity("different", "repo"), 'quay'),
+  (admin_identity("different", "repo"), 'quay'),
+  (write_identity("different", "repo"), 'quay'),
+  (admin_identity("namespace", "repo"), 'signer'),
+  (write_identity("namespace", "repo"), 'signer'),
 ])
-def test_attach_metadata_root_name(context, access, expected):
-  actual = attach_metadata_root_name(context, access)
+def test_get_tuf_root(identity, expected):
+  app = flask.Flask(__name__)
+
+  with app.test_request_context('/'):
+    g.identity = identity
+    actual = get_tuf_root("namespace", "repo")
  assert actual == expected, "should be %s, but was %s" % (expected, actual)