Add verb security tests and fix small issues

2017-03-22 18:29:53 -04:00 · 2017-03-22 18:29:53 -04:00 · df1e7f90e0
commit df1e7f90e0
parent d5fa2ad0c0
4 changed files with 206 additions and 4 deletions
--- a/test/specs.py
+++ b/test/specs.py
@ -508,3 +508,101 @@ def build_v2_index_specs():
    IndexV2TestSpec('v2.cancel_upload', 'DELETE', ANOTHER_ORG_REPO, upload_uuid=FAKE_UPLOAD_ID).
      request_status(401, 401, 401, 401, 404),
  ]
+
+
+class VerbTestSpec(object):
+  def __init__(self, index_name, method_name, repo_name, rpath=False, **kwargs):
+    self.index_name = index_name
+    self.repo_name = repo_name
+    self.method_name = method_name
+    self.single_repository_path = rpath
+
+    self.kwargs = kwargs
+
+    self.anon_code = 401
+    self.no_access_code = 403
+    self.read_code = 200
+    self.admin_code = 200
+    self.creator_code = 200
+
+  def request_status(self, anon_code=401, no_access_code=403, read_code=200, creator_code=200,
+                     admin_code=200):
+    self.anon_code = anon_code
+    self.no_access_code = no_access_code
+    self.read_code = read_code
+    self.creator_code = creator_code
+    self.admin_code = admin_code
+    return self
+
+  def get_url(self):
+    if self.single_repository_path:
+      return url_for(self.index_name, repository=self.repo_name, **self.kwargs)
+    else:
+      (namespace, repo_name) = self.repo_name.split('/')
+      return url_for(self.index_name, namespace=namespace, repository=repo_name, **self.kwargs)
+
+  def gen_basic_auth(self, username, password):
+    encoded = b64encode('%s:%s' % (username, password))
+    return 'basic %s' % encoded
+
+ACI_ARGS = {
+  'server': 'someserver',
+  'tag': 'fake',
+  'os': 'linux',
+  'arch': 'x64',
+}
+
+def build_verbs_specs():
+  return [
+    # get_aci_signature
+    VerbTestSpec('verbs.get_aci_signature', 'GET', PUBLIC_REPO, **ACI_ARGS).
+      request_status(404, 404, 404, 404, 404),
+
+    VerbTestSpec('verbs.get_aci_signature', 'GET', PRIVATE_REPO, **ACI_ARGS).
+      request_status(403, 403, 404, 403, 404),
+
+    VerbTestSpec('verbs.get_aci_signature', 'GET', ORG_REPO, **ACI_ARGS).
+      request_status(403, 403, 404, 403, 404),
+
+    VerbTestSpec('verbs.get_aci_signature', 'GET', ANOTHER_ORG_REPO, **ACI_ARGS).
+      request_status(403, 403, 403, 403, 404),
+
+    # get_aci_image
+    VerbTestSpec('verbs.get_aci_image', 'GET', PUBLIC_REPO, **ACI_ARGS).
+      request_status(404, 404, 404, 404, 404),
+
+    VerbTestSpec('verbs.get_aci_image', 'GET', PRIVATE_REPO, **ACI_ARGS).
+      request_status(403, 403, 404, 403, 404),
+
+    VerbTestSpec('verbs.get_aci_image', 'GET', ORG_REPO, **ACI_ARGS).
+      request_status(403, 403, 404, 403, 404),
+
+    VerbTestSpec('verbs.get_aci_image', 'GET', ANOTHER_ORG_REPO, **ACI_ARGS).
+      request_status(403, 403, 403, 403, 404),
+
+    # get_squashed_tag
+    VerbTestSpec('verbs.get_squashed_tag', 'GET', PUBLIC_REPO, tag='fake').
+      request_status(404, 404, 404, 404, 404),
+
+    VerbTestSpec('verbs.get_squashed_tag', 'GET', PRIVATE_REPO, tag='fake').
+      request_status(403, 403, 404, 403, 404),
+
+    VerbTestSpec('verbs.get_squashed_tag', 'GET', ORG_REPO, tag='fake').
+      request_status(403, 403, 404, 403, 404),
+
+    VerbTestSpec('verbs.get_squashed_tag', 'GET', ANOTHER_ORG_REPO, tag='fake').
+      request_status(403, 403, 403, 403, 404),
+
+    # get_tag_torrent
+    VerbTestSpec('verbs.get_tag_torrent', 'GET', PUBLIC_REPO, digest='sha256:1234', rpath=True).
+      request_status(404, 404, 404, 404, 404),
+
+    VerbTestSpec('verbs.get_tag_torrent', 'GET', PRIVATE_REPO, digest='sha256:1234', rpath=True).
+      request_status(403, 403, 404, 403, 404),
+
+    VerbTestSpec('verbs.get_tag_torrent', 'GET', ORG_REPO, digest='sha256:1234', rpath=True).
+      request_status(403, 403, 404, 403, 404),
+
+    VerbTestSpec('verbs.get_tag_torrent', 'GET', ANOTHER_ORG_REPO, digest='sha256:1234', rpath=True).
+      request_status(403, 403, 403, 403, 404),
+  ]