From 2a849f631b3558af1f8beb76f7bd662ea36b2249 Mon Sep 17 00:00:00 2001
From: yackob03
Date: Wed, 6 Nov 2013 17:56:31 -0500
Subject: [PATCH] Add the next batch of tests and fixes.

---
 endpoints/api.py | 44 ++--
 test/specs.py | 429 ++++++++++++++++++++++++++++++++++++++
 test/test_api_security.py | 293 +++----------------------
 3 files changed, 477 insertions(+), 289 deletions(-)
 create mode 100644 test/specs.py

diff --git a/endpoints/api.py b/endpoints/api.py
index 7eea1ad84..36a32053f 100644
--- a/endpoints/api.py
+++ b/endpoints/api.py
@@ -112,7 +112,7 @@ def change_user_details():
   user_data = request.get_json();
 
   try:
-    if user_data['password']:
+    if 'password' in user_data:
       logger.debug('Changing password for user: %s', user.username)
       model.change_password(user, user_data['password'])
   except model.InvalidPasswordException, ex:
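Review bot: The new membership test on the `+` line admits `{"password": null}` and `{"password": ""}` and hands them to `model.change_password`, whereas the old truthiness test rejected both (while crashing with KeyError when the key was absent). That is only safe if `change_password` itself rejects empty values with `InvalidPasswordException`; if it does not, `if user_data.get('password'):` fixes the KeyError and keeps the empty-value guard in one expression. Note also that `request.get_json()` returns `None` for a body that is not JSON, in which case `'password' in user_data` raises TypeError and surfaces as a 500 rather than a 400 — unless a decorator outside the hunk already enforces a JSON body. The body of `change_user_details` starts and ends outside this hunk.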
@@ -283,26 +283,29 @@ def team_view(orgname, t):
 @app.route('/api/organization/', methods=['GET'])
 @api_login_required
 def get_organization(orgname):
-  user = current_user.db_user()
+  permission = OrganizationMemberPermission(orgname)
+  if permission.can():
+    user = current_user.db_user()
 
-  def org_view(o, teams):
-    admin_org = AdministerOrganizationPermission(orgname)
-    is_admin = admin_org.can()
-    return {
-      'name': o.username,
-      'gravatar': compute_hash(o.email),
-      'teams': {t.name : team_view(orgname, t) for t in teams},
-      'is_admin': is_admin
-    }
+    def org_view(o, teams):
+      admin_org = AdministerOrganizationPermission(orgname)
+      is_admin = admin_org.can()
+      return {
+        'name': o.username,
+        'gravatar': compute_hash(o.email),
+        'teams': {t.name : team_view(orgname, t) for t in teams},
+        'is_admin': is_admin
+      }
 
-  try:
-    org = model.get_organization(orgname)
-  except model.InvalidOrganizationException:
-    abort(404)
+    try:
+      org = model.get_organization(orgname)
+    except model.InvalidOrganizationException:
+      abort(404)
 
-  teams = model.get_teams_within_org(org)
-  return jsonify(org_view(org, teams))
+    teams = model.get_teams_within_org(org)
+    return jsonify(org_view(org, teams))
+  abort(403)
 
 
 @app.route('/api/organization//private', methods=['GET'])
 @api_login_required
@@ -578,7 +581,7 @@ def change_repo_visibility_api(namespace, repository):
       'success': True
     })
 
-  abort(404)
+  abort(403)
 
 
 @app.route('/api/repository/', methods=['DELETE'])
@@ -591,7 +594,7 @@ def delete_repository(namespace, repository):
     registry.delete_repository_storage(namespace, repository)
     return make_response('Deleted', 204)
 
-  abort(404)
+  abort(403)
 
 
 def image_view(image):
@@ -649,7 +652,7 @@ def get_repo_api(namespace, repository):
       'is_organization': bool(organization)
     })
 
-  abort(404) # Not fount
+  abort(404) # Not found
   abort(403) # Permission denied
 
 
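Review bot: In `get_organization` the whole former body is re-indented under `if permission.can():` with `abort(403)` as the fall-through, which is a point of style rather than behaviour: a guard clause `if not permission.can(): abort(403)` directly after the permission is built would leave the twenty lines below unchanged and read as "deny first, then serve". The re-indented `user = current_user.db_user()` is never read anywhere in the visible body, so it can be dropped rather than carried along. Checking membership before `model.get_organization` does have the welcome side effect that non-members get 403 whether or not the organization exists, so the endpoint does not disclose which organization names are taken.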
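Review bot: The `abort(404)` → `abort(403)` fall-throughs in `change_repo_visibility_api` and `delete_repository` make these two endpoints answer 403 for every caller the permission check turns away, while `get_repo_api` in the last hunk keeps distinct `abort(404) # Not found` and `abort(403) # Permission denied` exits. Whether that difference matters depends on code outside these hunks: if the permission object is built purely from the `namespace`/`repository` path segments and the caller's grants, an unauthorized user sees 403 for existing and non-existent repositories alike and nothing about existence leaks; if the check consults the repository row, the 403 would reveal that a private repository exists. A one-line comment at each new `abort(403)` stating which case applies, e.g. `# 403 regardless of existence: permission is derived from the path, not the repository row`, would record the decision the test spec now pins.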
@@ -689,6 +692,7 @@ def get_repo_builds(namespace, repository):
 
 @app.route('/api/filedrop/', methods=['POST'])
 @api_login_required
+@required_json_args('mimeType')
 def get_filedrop_url():
   mime_type = request.get_json()['mimeType']
   (url, file_id) = user_files.prepare_for_drop(mime_type)
diff --git a/test/specs.py b/test/specs.py
new file mode 100644
index 000000000..c0d10938b
--- /dev/null
+++ b/test/specs.py
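Review bot: `@required_json_args('mimeType')` only guarantees the key is present; the value still reaches `user_files.prepare_for_drop(mime_type)` unvalidated, so a `null`, empty or arbitrary string goes straight into whatever that helper does with it. If the value ends up as the stored object's Content-Type (outside this hunk, so hedged), consider an allow-list of the MIME types the drop feature actually accepts, or at minimum a comment on the decorator line such as `# presence only — prepare_for_drop must validate the value`. Placing the decorator below `@api_login_required` is the right order: anonymous callers get 401 before any body parsing, which is what the anon spec expects.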
@@ -0,0 +1,429 @@ +import json + +from flask import url_for +from collections import OrderedDict +from uuid import uuid4 + + +PUBLIC_REPO = 'public/publicrepo' + +PRIVATE_REPO = 'devtable/complex' + +ORG = 'devtableorg' +ORG_REPO = ORG + '/orgrepo' +ORG_OWNERS = 'owners' +ORG_READERS = 'readers' +ORG_OWNER = 'devtable' + +FAKE_IMAGE_ID = uuid4() +FAKE_TAG_NAME = uuid4() +FAKE_USERNAME = uuid4() +FAKE_TEAMNAME = uuid4() +FAKE_TOKEN = uuid4() + + +def open_kwargs(method='GET', json_object=None): + kwargs = { + 'method': method, + } + + if json_object is not None: + kwargs['data'] = json.dumps(json_object) + kwargs['content_type'] = 'application/json' + + elif method == 'POST' or method == 'PUT': + kwargs['data'] = json.dumps({ + 'fake': 'json', + 'data': 'here', + }) + kwargs['content_type'] = 'application/json' + + return kwargs + + +def build_anon_spec(): + return OrderedDict([ + (url_for('welcome'), (200, open_kwargs())), + + (url_for('plans_list'), (200, open_kwargs())), + + (url_for('get_logged_in_user'), (200, open_kwargs())), + + (url_for('change_user_details'), (401, open_kwargs('PUT'))), + + (url_for('create_user_api'), (400, open_kwargs('POST'))), + + (url_for('signin_api'), (400, open_kwargs('POST'))), + + (url_for('send_recovery'), (400, open_kwargs('POST'))), + + (url_for('get_matching_users', prefix='dev'), (401, open_kwargs())), + + (url_for('get_matching_entities', prefix='dev'), (401, open_kwargs())), + + (url_for('get_organization', orgname=ORG), (401, open_kwargs())), + + (url_for('get_organization_private_allowed', orgname=ORG), + (401, open_kwargs())), + + (url_for('update_organization_team', orgname=ORG, teamname=ORG_OWNERS), + (401, open_kwargs('PUT'))), + + (url_for('delete_organization_team', orgname=ORG, teamname=ORG_OWNERS), + (401, open_kwargs('DELETE'))), + + (url_for('get_organization_team_members', orgname=ORG, + teamname=ORG_OWNERS), (401, open_kwargs())), + + (url_for('update_organization_team_member', orgname=ORG, + 
teamname=ORG_OWNERS, membername=ORG_OWNER), + (401, open_kwargs('PUT'))), + + (url_for('delete_organization_team_member', orgname=ORG, + teamname=ORG_OWNERS, membername=ORG_OWNER), + (401, open_kwargs('DELETE'))), + + (url_for('create_repo_api'), (401, open_kwargs('POST'))), + + (url_for('match_repos_api'), (200, open_kwargs())), + + (url_for('list_repos_api'), (200, open_kwargs())), + + (url_for('update_repo_api', repository=PUBLIC_REPO), + (401, open_kwargs('PUT'))), + (url_for('update_repo_api', repository=ORG_REPO), + (401, open_kwargs('PUT'))), + (url_for('update_repo_api', repository=PRIVATE_REPO), + (401, open_kwargs('PUT'))), + + (url_for('change_repo_visibility_api', repository=PUBLIC_REPO), + (401, open_kwargs('POST'))), + (url_for('change_repo_visibility_api', repository=ORG_REPO), + (401, open_kwargs('POST'))), + (url_for('change_repo_visibility_api', repository=PRIVATE_REPO), + (401, open_kwargs('POST'))), + + (url_for('delete_repository', repository=PUBLIC_REPO), + (401, open_kwargs('DELETE'))), + (url_for('delete_repository', repository=ORG_REPO), + (401, open_kwargs('DELETE'))), + (url_for('delete_repository', repository=PRIVATE_REPO), + (401, open_kwargs('DELETE'))), + + (url_for('get_repo_api', repository=PUBLIC_REPO),(200, open_kwargs())), + (url_for('get_repo_api', repository=ORG_REPO), (403, open_kwargs())), + (url_for('get_repo_api', repository=PRIVATE_REPO), (403, open_kwargs())), + + (url_for('get_repo_builds', repository=PUBLIC_REPO), + (401, open_kwargs())), + (url_for('get_repo_builds', repository=ORG_REPO), (401, open_kwargs())), + (url_for('get_repo_builds', repository=PRIVATE_REPO), + (401, open_kwargs())), + + (url_for('get_filedrop_url'), (401, open_kwargs('POST'))), + + (url_for('request_repo_build', repository=PUBLIC_REPO), + (401, open_kwargs('POST'))), + (url_for('request_repo_build', repository=ORG_REPO), + (401, open_kwargs('POST'))), + (url_for('request_repo_build', repository=PRIVATE_REPO), + (401, open_kwargs('POST'))), + + 
(url_for('list_repository_images', repository=PUBLIC_REPO), + (200, open_kwargs())), + (url_for('list_repository_images', repository=ORG_REPO), + (403, open_kwargs())), + (url_for('list_repository_images', repository=PRIVATE_REPO), + (403, open_kwargs())), + + (url_for('get_image', repository=PUBLIC_REPO, image_id=FAKE_IMAGE_ID), + (404, open_kwargs())), + (url_for('get_image', repository=ORG_REPO, image_id=FAKE_IMAGE_ID), + (403, open_kwargs())), + (url_for('get_image', repository=PRIVATE_REPO, image_id=FAKE_IMAGE_ID), + (403, open_kwargs())), + + (url_for('get_image_changes', repository=PUBLIC_REPO, + image_id=FAKE_IMAGE_ID), (404, open_kwargs())), + (url_for('get_image_changes', repository=ORG_REPO, + image_id=FAKE_IMAGE_ID), (403, open_kwargs())), + (url_for('get_image_changes', repository=PRIVATE_REPO, + image_id=FAKE_IMAGE_ID), (403, open_kwargs())), + + (url_for('list_tag_images', repository=PUBLIC_REPO, tag=FAKE_TAG_NAME), + (404, open_kwargs())), + (url_for('list_tag_images', repository=ORG_REPO, tag=FAKE_TAG_NAME), + (403, open_kwargs())), + (url_for('list_tag_images', repository=PRIVATE_REPO, tag=FAKE_TAG_NAME), + (403, open_kwargs())), + + (url_for('list_repo_team_permissions', repository=PUBLIC_REPO), + (401, open_kwargs())), + (url_for('list_repo_team_permissions', repository=ORG_REPO), + (401, open_kwargs())), + (url_for('list_repo_team_permissions', repository=PRIVATE_REPO), + (401, open_kwargs())), + + (url_for('list_repo_user_permissions', repository=PUBLIC_REPO), + (401, open_kwargs())), + (url_for('list_repo_user_permissions', repository=ORG_REPO), + (401, open_kwargs())), + (url_for('list_repo_user_permissions', repository=PRIVATE_REPO), + (401, open_kwargs())), + + (url_for('get_user_permissions', repository=PUBLIC_REPO, + username=FAKE_USERNAME), (401, open_kwargs())), + (url_for('get_user_permissions', repository=ORG_REPO, + username=FAKE_USERNAME), (401, open_kwargs())), + (url_for('get_user_permissions', repository=PRIVATE_REPO, + 
username=FAKE_USERNAME), (401, open_kwargs())), + + (url_for('get_team_permissions', repository=PUBLIC_REPO, + teamname=FAKE_TEAMNAME), (401, open_kwargs())), + (url_for('get_team_permissions', repository=ORG_REPO, + teamname=FAKE_TEAMNAME), (401, open_kwargs())), + (url_for('get_team_permissions', repository=PRIVATE_REPO, + teamname=FAKE_TEAMNAME), (401, open_kwargs())), + + (url_for('change_user_permissions', repository=PUBLIC_REPO, + username=FAKE_USERNAME), (401, open_kwargs('PUT'))), + (url_for('change_user_permissions', repository=ORG_REPO, + username=FAKE_USERNAME), (401, open_kwargs('PUT'))), + (url_for('change_user_permissions', repository=PRIVATE_REPO, + username=FAKE_USERNAME), (401, open_kwargs('PUT'))), + + (url_for('change_team_permissions', repository=PUBLIC_REPO, + teamname=FAKE_TEAMNAME), (401, open_kwargs('PUT'))), + (url_for('change_team_permissions', repository=ORG_REPO, + teamname=FAKE_TEAMNAME), (401, open_kwargs('PUT'))), + (url_for('change_team_permissions', repository=PRIVATE_REPO, + teamname=FAKE_TEAMNAME), (401, open_kwargs('PUT'))), + + (url_for('delete_user_permissions', repository=PUBLIC_REPO, + username=FAKE_USERNAME), (401, open_kwargs('DELETE'))), + (url_for('delete_user_permissions', repository=ORG_REPO, + username=FAKE_USERNAME), (401, open_kwargs('DELETE'))), + (url_for('delete_user_permissions', repository=PRIVATE_REPO, + username=FAKE_USERNAME), (401, open_kwargs('DELETE'))), + + (url_for('delete_team_permissions', repository=PUBLIC_REPO, + teamname=FAKE_TEAMNAME), (401, open_kwargs('DELETE'))), + (url_for('delete_team_permissions', repository=ORG_REPO, + teamname=FAKE_TEAMNAME), (401, open_kwargs('DELETE'))), + (url_for('delete_team_permissions', repository=PRIVATE_REPO, + teamname=FAKE_TEAMNAME), (401, open_kwargs('DELETE'))), + + (url_for('list_repo_tokens', repository=PUBLIC_REPO), + (401, open_kwargs())), + (url_for('list_repo_tokens', repository=ORG_REPO), (401, open_kwargs())), + (url_for('list_repo_tokens', 
repository=PRIVATE_REPO), + (401, open_kwargs())), + + (url_for('get_tokens', repository=PUBLIC_REPO, code=FAKE_TOKEN), + (401, open_kwargs())), + (url_for('get_tokens', repository=ORG_REPO, code=FAKE_TOKEN), + (401, open_kwargs())), + (url_for('get_tokens', repository=PRIVATE_REPO, code=FAKE_TOKEN), + (401, open_kwargs())), + + (url_for('create_token', repository=PUBLIC_REPO), + (401, open_kwargs('POST'))), + (url_for('create_token', repository=ORG_REPO), + (401, open_kwargs('POST'))), + (url_for('create_token', repository=PRIVATE_REPO), + (401, open_kwargs('POST'))), + + (url_for('change_token', repository=PUBLIC_REPO, code=FAKE_TOKEN), + (401, open_kwargs('PUT'))), + (url_for('change_token', repository=ORG_REPO, code=FAKE_TOKEN), + (401, open_kwargs('PUT'))), + (url_for('change_token', repository=PRIVATE_REPO, code=FAKE_TOKEN), + (401, open_kwargs('PUT'))), + + (url_for('delete_token', repository=PUBLIC_REPO, code=FAKE_TOKEN), + (401, open_kwargs('DELETE'))), + (url_for('delete_token', repository=ORG_REPO, code=FAKE_TOKEN), + (401, open_kwargs('DELETE'))), + (url_for('delete_token', repository=PRIVATE_REPO, code=FAKE_TOKEN), + (401, open_kwargs('DELETE'))), + + (url_for('subscribe_api'), (401, open_kwargs('PUT'))), + + (url_for('subscribe_org_api', orgname=ORG), (401, open_kwargs('PUT'))), + + (url_for('get_subscription'), (401, open_kwargs())), + + (url_for('get_org_subscription', orgname=ORG), (401, open_kwargs())), + ]) + + +def build_no_access_spec(): + changes = OrderedDict([ + (url_for('change_user_details'), (200, open_kwargs('PUT'))), + + (url_for('get_matching_users', prefix='dev'), (200, open_kwargs())), + + (url_for('get_matching_entities', prefix='dev'), (200, open_kwargs())), + + (url_for('get_organization', orgname=ORG), (403, open_kwargs())), + + (url_for('get_organization_private_allowed', orgname=ORG), + (403, open_kwargs())), + + (url_for('update_organization_team', orgname=ORG, teamname=ORG_OWNERS), + (403, open_kwargs('PUT'))), + + 
(url_for('delete_organization_team', orgname=ORG, teamname=ORG_OWNERS), + (403, open_kwargs('DELETE'))), + + (url_for('get_organization_team_members', orgname=ORG, + teamname=ORG_OWNERS), (403, open_kwargs())), + + (url_for('update_organization_team_member', orgname=ORG, + teamname=ORG_OWNERS, membername=ORG_OWNER), + (403, open_kwargs('PUT'))), + + (url_for('delete_organization_team_member', orgname=ORG, + teamname=ORG_OWNERS, membername=ORG_OWNER), + (403, open_kwargs('DELETE'))), + + (url_for('create_repo_api'), (403, open_kwargs('POST'))), + + (url_for('update_repo_api', repository=PUBLIC_REPO), + (403, open_kwargs('PUT'))), + (url_for('update_repo_api', repository=ORG_REPO), + (403, open_kwargs('PUT'))), + (url_for('update_repo_api', repository=PRIVATE_REPO), + (403, open_kwargs('PUT'))), + + (url_for('change_repo_visibility_api', repository=PUBLIC_REPO), + (403, open_kwargs('POST'))), + (url_for('change_repo_visibility_api', repository=ORG_REPO), + (403, open_kwargs('POST'))), + (url_for('change_repo_visibility_api', repository=PRIVATE_REPO), + (403, open_kwargs('POST'))), + + (url_for('delete_repository', repository=PUBLIC_REPO), + (403, open_kwargs('DELETE'))), + (url_for('delete_repository', repository=ORG_REPO), + (403, open_kwargs('DELETE'))), + (url_for('delete_repository', repository=PRIVATE_REPO), + (403, open_kwargs('DELETE'))), + + (url_for('get_repo_builds', repository=PUBLIC_REPO), + (403, open_kwargs())), + (url_for('get_repo_builds', repository=ORG_REPO), (403, open_kwargs())), + (url_for('get_repo_builds', repository=PRIVATE_REPO), + (403, open_kwargs())), + + (url_for('get_filedrop_url'), (400, open_kwargs('POST'))), + + (url_for('request_repo_build', repository=PUBLIC_REPO), + (403, open_kwargs('POST'))), + (url_for('request_repo_build', repository=ORG_REPO), + (403, open_kwargs('POST'))), + (url_for('request_repo_build', repository=PRIVATE_REPO), + (403, open_kwargs('POST'))), + + (url_for('list_repo_team_permissions', 
repository=PUBLIC_REPO), + (403, open_kwargs())), + (url_for('list_repo_team_permissions', repository=ORG_REPO), + (403, open_kwargs())), + (url_for('list_repo_team_permissions', repository=PRIVATE_REPO), + (403, open_kwargs())), + + (url_for('list_repo_user_permissions', repository=PUBLIC_REPO), + (403, open_kwargs())), + (url_for('list_repo_user_permissions', repository=ORG_REPO), + (403, open_kwargs())), + (url_for('list_repo_user_permissions', repository=PRIVATE_REPO), + (403, open_kwargs())), + + (url_for('get_user_permissions', repository=PUBLIC_REPO, + username=FAKE_USERNAME), (403, open_kwargs())), + (url_for('get_user_permissions', repository=ORG_REPO, + username=FAKE_USERNAME), (403, open_kwargs())), + (url_for('get_user_permissions', repository=PRIVATE_REPO, + username=FAKE_USERNAME), (403, open_kwargs())), + + (url_for('get_team_permissions', repository=PUBLIC_REPO, + teamname=FAKE_TEAMNAME), (403, open_kwargs())), + (url_for('get_team_permissions', repository=ORG_REPO, + teamname=FAKE_TEAMNAME), (403, open_kwargs())), + (url_for('get_team_permissions', repository=PRIVATE_REPO, + teamname=FAKE_TEAMNAME), (403, open_kwargs())), + + (url_for('change_user_permissions', repository=PUBLIC_REPO, + username=FAKE_USERNAME), (403, open_kwargs('PUT'))), + (url_for('change_user_permissions', repository=ORG_REPO, + username=FAKE_USERNAME), (403, open_kwargs('PUT'))), + (url_for('change_user_permissions', repository=PRIVATE_REPO, + username=FAKE_USERNAME), (403, open_kwargs('PUT'))), + + (url_for('change_team_permissions', repository=PUBLIC_REPO, + teamname=FAKE_TEAMNAME), (403, open_kwargs('PUT'))), + (url_for('change_team_permissions', repository=ORG_REPO, + teamname=FAKE_TEAMNAME), (403, open_kwargs('PUT'))), + (url_for('change_team_permissions', repository=PRIVATE_REPO, + teamname=FAKE_TEAMNAME), (403, open_kwargs('PUT'))), + + (url_for('delete_user_permissions', repository=PUBLIC_REPO, + username=FAKE_USERNAME), (403, open_kwargs('DELETE'))), + 
(url_for('delete_user_permissions', repository=ORG_REPO, + username=FAKE_USERNAME), (403, open_kwargs('DELETE'))), + (url_for('delete_user_permissions', repository=PRIVATE_REPO, + username=FAKE_USERNAME), (403, open_kwargs('DELETE'))), + + (url_for('delete_team_permissions', repository=PUBLIC_REPO, + teamname=FAKE_TEAMNAME), (403, open_kwargs('DELETE'))), + (url_for('delete_team_permissions', repository=ORG_REPO, + teamname=FAKE_TEAMNAME), (403, open_kwargs('DELETE'))), + (url_for('delete_team_permissions', repository=PRIVATE_REPO, + teamname=FAKE_TEAMNAME), (403, open_kwargs('DELETE'))), + + (url_for('list_repo_tokens', repository=PUBLIC_REPO), + (403, open_kwargs())), + (url_for('list_repo_tokens', repository=ORG_REPO), (403, open_kwargs())), + (url_for('list_repo_tokens', repository=PRIVATE_REPO), + (403, open_kwargs())), + + (url_for('get_tokens', repository=PUBLIC_REPO, code=FAKE_TOKEN), + (403, open_kwargs())), + (url_for('get_tokens', repository=ORG_REPO, code=FAKE_TOKEN), + (403, open_kwargs())), + (url_for('get_tokens', repository=PRIVATE_REPO, code=FAKE_TOKEN), + (403, open_kwargs())), + + (url_for('create_token', repository=PUBLIC_REPO), + (403, open_kwargs('POST'))), + (url_for('create_token', repository=ORG_REPO), + (403, open_kwargs('POST'))), + (url_for('create_token', repository=PRIVATE_REPO), + (403, open_kwargs('POST'))), + + (url_for('change_token', repository=PUBLIC_REPO, code=FAKE_TOKEN), + (403, open_kwargs('PUT'))), + (url_for('change_token', repository=ORG_REPO, code=FAKE_TOKEN), + (403, open_kwargs('PUT'))), + (url_for('change_token', repository=PRIVATE_REPO, code=FAKE_TOKEN), + (403, open_kwargs('PUT'))), + + (url_for('delete_token', repository=PUBLIC_REPO, code=FAKE_TOKEN), + (403, open_kwargs('DELETE'))), + (url_for('delete_token', repository=ORG_REPO, code=FAKE_TOKEN), + (403, open_kwargs('DELETE'))), + (url_for('delete_token', repository=PRIVATE_REPO, code=FAKE_TOKEN), + (403, open_kwargs('DELETE'))), + + (url_for('subscribe_api'), 
(403, open_kwargs('PUT'))), + + (url_for('subscribe_org_api', orgname=ORG), (403, open_kwargs('PUT'))), + + (url_for('get_subscription'), (200, open_kwargs())), + + (url_for('get_org_subscription', orgname=ORG), (403, open_kwargs())), + ]) + + to_update = build_anon_spec() + to_update.update(changes) + return to_update \ No newline at end of file diff --git a/test/test_api_security.py b/test/test_api_security.py index 527e0e7b6..f63d92c5c 100644 --- a/test/test_api_security.py +++ b/test/test_api_security.py 
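Review bot: `build_anon_spec` drops the `logout` entry that the old `ANON_SPEC` in test_api_security.py carried (`(url_for('logout'), (401, open_kwargs('POST')))`, visible among the removed lines of the next file), so that endpoint loses its anonymous-access assertion in this move unless the route itself was removed. Adding the tuple back next to `signin_api` restores the coverage. Separately, the file has no trailing newline (`\ No newline at end of file`), and the `FAKE_*` constants are `uuid4()` objects rather than strings, which `url_for` stringifies but which makes the generated spec differ on every import; `str(uuid4())` or fixed strings would make failures reproducible.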
@@ -1,265 +1,15 @@ import unittest import json -from flask import url_for -from uuid import uuid4 -from collections import OrderedDict - import endpoints.api from app import app from data import model from initdb import wipe_database, initialize_database, populate_database +from specs import build_anon_spec, build_no_access_spec -PUBLIC_REPO = 'public/publicrepo' -PRIVATE_REPO = 'devtable/complex' -ORG = 'devtableorg' -ORG_REPO = ORG + '/orgrepo' -ORG_OWNERS = 'owners' -ORG_READERS = 'readers' -ORG_OWNER = 'devtable' -FAKE_IMAGE_ID = uuid4() -FAKE_TAG_NAME = uuid4() -FAKE_USERNAME = uuid4() -FAKE_TEAMNAME = uuid4() -FAKE_TOKEN = uuid4() - - -def open_kwargs(method='GET', json_object=None): - kwargs = { - 'method': method, - } - - if json_object is not None: - kwargs['data'] = json.dumps(json_object) - kwargs['content_type'] = 'application/json' - - elif method == 'POST' or method == 'PUT': - kwargs['data'] = json.dumps({ - 'fake': 'json', - 'data': 'here', - }) - kwargs['content_type'] = 'application/json' - - return kwargs - -with app.test_request_context() as ctx: - ANON_SPEC = OrderedDict([ - (url_for('welcome'), (200, open_kwargs())), - - (url_for('plans_list'), (200, open_kwargs())), - - (url_for('get_logged_in_user'), (200, open_kwargs())), - - (url_for('change_user_details'), (401, open_kwargs('PUT'))), - - (url_for('create_user_api'), (400, open_kwargs('POST'))), - - (url_for('signin_api'), (400, open_kwargs('POST'))), - - (url_for('logout'), (401, open_kwargs('POST'))), - - (url_for('send_recovery'), (400, open_kwargs('POST'))), - - (url_for('get_matching_users', prefix='dev'), (401, open_kwargs())), - - (url_for('get_matching_entities', prefix='dev'), (401, open_kwargs())), - - (url_for('get_organization', orgname=ORG), (401, open_kwargs())), - - (url_for('get_organization_private_allowed', orgname=ORG), - (401, open_kwargs())), - - (url_for('update_organization_team', orgname=ORG, teamname=ORG_OWNERS), - (401, open_kwargs('PUT'))), - - 
(url_for('delete_organization_team', orgname=ORG, teamname=ORG_OWNERS), - (401, open_kwargs('DELETE'))), - - (url_for('get_organization_team_members', orgname=ORG, - teamname=ORG_OWNERS), (401, open_kwargs())), - - (url_for('update_organization_team_member', orgname=ORG, - teamname=ORG_OWNERS, membername=ORG_OWNER), - (401, open_kwargs('PUT'))), - - (url_for('delete_organization_team_member', orgname=ORG, - teamname=ORG_OWNERS, membername=ORG_OWNER), - (401, open_kwargs('DELETE'))), - - (url_for('create_repo_api'), (401, open_kwargs('POST'))), - - (url_for('match_repos_api'), (200, open_kwargs())), - - (url_for('list_repos_api'), (200, open_kwargs())), - - (url_for('update_repo_api', repository=PUBLIC_REPO), - (401, open_kwargs('PUT'))), - (url_for('update_repo_api', repository=ORG_REPO), - (401, open_kwargs('PUT'))), - (url_for('update_repo_api', repository=PRIVATE_REPO), - (401, open_kwargs('PUT'))), - - (url_for('change_repo_visibility_api', repository=PUBLIC_REPO), - (401, open_kwargs('POST'))), - (url_for('change_repo_visibility_api', repository=ORG_REPO), - (401, open_kwargs('POST'))), - (url_for('change_repo_visibility_api', repository=PRIVATE_REPO), - (401, open_kwargs('POST'))), - - (url_for('delete_repository', repository=PUBLIC_REPO), - (401, open_kwargs('DELETE'))), - (url_for('delete_repository', repository=ORG_REPO), - (401, open_kwargs('DELETE'))), - (url_for('delete_repository', repository=PRIVATE_REPO), - (401, open_kwargs('DELETE'))), - - (url_for('get_repo_api', repository=PUBLIC_REPO),(200, open_kwargs())), - (url_for('get_repo_api', repository=ORG_REPO), (403, open_kwargs())), - (url_for('get_repo_api', repository=PRIVATE_REPO), (403, open_kwargs())), - - (url_for('get_repo_builds', repository=PUBLIC_REPO), - (401, open_kwargs())), - (url_for('get_repo_builds', repository=ORG_REPO), (401, open_kwargs())), - (url_for('get_repo_builds', repository=PRIVATE_REPO), - (401, open_kwargs())), - - (url_for('get_filedrop_url'), (401, 
open_kwargs('POST'))), - - (url_for('request_repo_build', repository=PUBLIC_REPO), - (401, open_kwargs('POST'))), - (url_for('request_repo_build', repository=ORG_REPO), - (401, open_kwargs('POST'))), - (url_for('request_repo_build', repository=PRIVATE_REPO), - (401, open_kwargs('POST'))), - - (url_for('list_repository_images', repository=PUBLIC_REPO), - (200, open_kwargs())), - (url_for('list_repository_images', repository=ORG_REPO), - (403, open_kwargs())), - (url_for('list_repository_images', repository=PRIVATE_REPO), - (403, open_kwargs())), - - (url_for('get_image', repository=PUBLIC_REPO, image_id=FAKE_IMAGE_ID), - (404, open_kwargs())), - (url_for('get_image', repository=ORG_REPO, image_id=FAKE_IMAGE_ID), - (403, open_kwargs())), - (url_for('get_image', repository=PRIVATE_REPO, image_id=FAKE_IMAGE_ID), - (403, open_kwargs())), - - (url_for('get_image_changes', repository=PUBLIC_REPO, - image_id=FAKE_IMAGE_ID), (404, open_kwargs())), - (url_for('get_image_changes', repository=ORG_REPO, - image_id=FAKE_IMAGE_ID), (403, open_kwargs())), - (url_for('get_image_changes', repository=PRIVATE_REPO, - image_id=FAKE_IMAGE_ID), (403, open_kwargs())), - - (url_for('list_tag_images', repository=PUBLIC_REPO, tag=FAKE_TAG_NAME), - (404, open_kwargs())), - (url_for('list_tag_images', repository=ORG_REPO, tag=FAKE_TAG_NAME), - (403, open_kwargs())), - (url_for('list_tag_images', repository=PRIVATE_REPO, tag=FAKE_TAG_NAME), - (403, open_kwargs())), - - (url_for('list_repo_team_permissions', repository=PUBLIC_REPO), - (401, open_kwargs())), - (url_for('list_repo_team_permissions', repository=ORG_REPO), - (401, open_kwargs())), - (url_for('list_repo_team_permissions', repository=PRIVATE_REPO), - (401, open_kwargs())), - - (url_for('list_repo_user_permissions', repository=PUBLIC_REPO), - (401, open_kwargs())), - (url_for('list_repo_user_permissions', repository=ORG_REPO), - (401, open_kwargs())), - (url_for('list_repo_user_permissions', repository=PRIVATE_REPO), - (401, 
open_kwargs())), - - (url_for('get_user_permissions', repository=PUBLIC_REPO, - username=FAKE_USERNAME), (401, open_kwargs())), - (url_for('get_user_permissions', repository=ORG_REPO, - username=FAKE_USERNAME), (401, open_kwargs())), - (url_for('get_user_permissions', repository=PRIVATE_REPO, - username=FAKE_USERNAME), (401, open_kwargs())), - - (url_for('get_team_permissions', repository=PUBLIC_REPO, - teamname=FAKE_TEAMNAME), (401, open_kwargs())), - (url_for('get_team_permissions', repository=ORG_REPO, - teamname=FAKE_TEAMNAME), (401, open_kwargs())), - (url_for('get_team_permissions', repository=PRIVATE_REPO, - teamname=FAKE_TEAMNAME), (401, open_kwargs())), - - (url_for('change_user_permissions', repository=PUBLIC_REPO, - username=FAKE_USERNAME), (401, open_kwargs('PUT'))), - (url_for('change_user_permissions', repository=ORG_REPO, - username=FAKE_USERNAME), (401, open_kwargs('PUT'))), - (url_for('change_user_permissions', repository=PRIVATE_REPO, - username=FAKE_USERNAME), (401, open_kwargs('PUT'))), - - (url_for('change_team_permissions', repository=PUBLIC_REPO, - teamname=FAKE_TEAMNAME), (401, open_kwargs('PUT'))), - (url_for('change_team_permissions', repository=ORG_REPO, - teamname=FAKE_TEAMNAME), (401, open_kwargs('PUT'))), - (url_for('change_team_permissions', repository=PRIVATE_REPO, - teamname=FAKE_TEAMNAME), (401, open_kwargs('PUT'))), - - (url_for('delete_user_permissions', repository=PUBLIC_REPO, - username=FAKE_USERNAME), (401, open_kwargs('DELETE'))), - (url_for('delete_user_permissions', repository=ORG_REPO, - username=FAKE_USERNAME), (401, open_kwargs('DELETE'))), - (url_for('delete_user_permissions', repository=PRIVATE_REPO, - username=FAKE_USERNAME), (401, open_kwargs('DELETE'))), - - (url_for('delete_team_permissions', repository=PUBLIC_REPO, - teamname=FAKE_TEAMNAME), (401, open_kwargs('DELETE'))), - (url_for('delete_team_permissions', repository=ORG_REPO, - teamname=FAKE_TEAMNAME), (401, open_kwargs('DELETE'))), - 
(url_for('delete_team_permissions', repository=PRIVATE_REPO, - teamname=FAKE_TEAMNAME), (401, open_kwargs('DELETE'))), - - (url_for('list_repo_tokens', repository=PUBLIC_REPO), - (401, open_kwargs())), - (url_for('list_repo_tokens', repository=ORG_REPO), (401, open_kwargs())), - (url_for('list_repo_tokens', repository=PRIVATE_REPO), - (401, open_kwargs())), - - (url_for('get_tokens', repository=PUBLIC_REPO, code=FAKE_TOKEN), - (401, open_kwargs())), - (url_for('get_tokens', repository=ORG_REPO, code=FAKE_TOKEN), - (401, open_kwargs())), - (url_for('get_tokens', repository=PRIVATE_REPO, code=FAKE_TOKEN), - (401, open_kwargs())), - - (url_for('create_token', repository=PUBLIC_REPO), - (401, open_kwargs('POST'))), - (url_for('create_token', repository=ORG_REPO), - (401, open_kwargs('POST'))), - (url_for('create_token', repository=PRIVATE_REPO), - (401, open_kwargs('POST'))), - - (url_for('change_token', repository=PUBLIC_REPO, code=FAKE_TOKEN), - (401, open_kwargs('PUT'))), - (url_for('change_token', repository=ORG_REPO, code=FAKE_TOKEN), - (401, open_kwargs('PUT'))), - (url_for('change_token', repository=PRIVATE_REPO, code=FAKE_TOKEN), - (401, open_kwargs('PUT'))), - - (url_for('delete_token', repository=PUBLIC_REPO, code=FAKE_TOKEN), - (401, open_kwargs('DELETE'))), - (url_for('delete_token', repository=ORG_REPO, code=FAKE_TOKEN), - (401, open_kwargs('DELETE'))), - (url_for('delete_token', repository=PRIVATE_REPO, code=FAKE_TOKEN), - (401, open_kwargs('DELETE'))), - - (url_for('subscribe_api'), (401, open_kwargs('PUT'))), - - (url_for('subscribe_org_api', orgname=ORG), (401, open_kwargs('PUT'))), - - (url_for('get_subscription'), (401, open_kwargs())), - - (url_for('get_org_subscription', orgname=ORG), (401, open_kwargs())), - ]) +NO_ACCESS_USER = 'freshuser' class ApiTestCase(unittest.TestCase): 
@@ -268,27 +18,32 @@ class ApiTestCase(unittest.TestCase):
     initialize_database()
     populate_database()
 
-    self.client = app.test_client()
-
-  def signin(self, username, password):
-    args = {
-      'username': username,
-      'password': password,
-    }
-    return self.client.post('/signin', data=json.dumps(args),
-                            follow_redirects=True)
-
-  def signout(self):
-    return self.client.get('/signout', follow_redirects=True)
-
 
 class TestAnonymousAccess(ApiTestCase):
-  def test_anonymous_public_access(self):
-    for url, (expected_status, open_kwargs) in ANON_SPEC.items():
-      rv = self.client.open(url, **open_kwargs)
+  def __runspec(self, client, spec):
+    for url, (expected_status, open_kwargs) in spec.items():
+      rv = client.open(url, **open_kwargs)
       msg = '%s %s: %s expected: %s' % (open_kwargs['method'], url,
                                         rv.status_code, expected_status)
-      self.assertEqual(rv.status_code, expected_status, msg)
+      self.assertEqual(rv.status_code, expected_status, msg)
+
+  def test_anonymous_public_access(self):
+    with app.test_request_context() as ctx:
+      spec = build_anon_spec()
+
+    with app.test_client() as c:
+      self.__runspec(c, spec)
+
+  def test_authenticated_but_not_authorized(self):
+    with app.test_request_context() as ctx:
+      spec = build_no_access_spec()
+
+    with app.test_client() as c:
+      with c.session_transaction() as sess:
+        sess['user_id'] = NO_ACCESS_USER
+
+      self.__runspec(c, spec)
+
 
 if __name__ == '__main__':
   unittest.main()
\ No newline at end of file
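Review bot: `__runspec` uses a double-underscore name, which triggers name mangling for no benefit in a TestCase helper; `_run_spec` is the conventional form and still keeps unittest from collecting it. Both `with app.test_request_context() as ctx:` blocks bind `ctx` and never use it, so `with app.test_request_context():` suffices. `test_authenticated_but_not_authorized` now establishes the session by writing `sess['user_id'] = NO_ACCESS_USER` directly, and with `signin()`/`signout()` deleted nothing in this file exercises the credential-checking path any more, so `signin_api` is only ever asserted to return 400 on a bogus body; a short comment on the session line, e.g. `# bypasses the login flow on purpose: this test is about authorization, not authentication`, would make that intent explicit. That the literal `'freshuser'` is a valid `user_id` value depends on the login manager's user loader and on `populate_database()` creating such a user with no grants, neither of which is visible here.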