import pytest from flask import url_for from endpoints.test.shared import conduct_call, gen_basic_auth from test.fixtures import * NO_ACCESS_USER = 'freshuser' READ_ACCESS_USER = 'reader' ADMIN_ACCESS_USER = 'devtable' CREATOR_ACCESS_USER = 'creator' PUBLIC_REPO = 'public/publicrepo' PRIVATE_REPO = 'devtable/shared' ORG_REPO = 'buynlarge/orgrepo' ANOTHER_ORG_REPO = 'buynlarge/anotherorgrepo' ACI_ARGS = { 'server': 'someserver', 'tag': 'fake', 'os': 'linux', 'arch': 'x64', } @pytest.mark.parametrize('user', [ (0, None), (1, NO_ACCESS_USER), (2, READ_ACCESS_USER), (3, CREATOR_ACCESS_USER), (4, ADMIN_ACCESS_USER), ]) @pytest.mark.parametrize('endpoint,method,repository,single_repo_path,params,expected_statuses', [ ('get_aci_signature', 'GET', PUBLIC_REPO, False, ACI_ARGS, (404, 404, 404, 404, 404)), ('get_aci_signature', 'GET', PRIVATE_REPO, False, ACI_ARGS, (403, 403, 404, 403, 404)), ('get_aci_signature', 'GET', ORG_REPO, False, ACI_ARGS, (403, 403, 404, 403, 404)), ('get_aci_signature', 'GET', ANOTHER_ORG_REPO, False, ACI_ARGS, (403, 403, 403, 403, 404)), # get_aci_image ('get_aci_image', 'GET', PUBLIC_REPO, False, ACI_ARGS, (404, 404, 404, 404, 404)), ('get_aci_image', 'GET', PRIVATE_REPO, False, ACI_ARGS, (403, 403, 404, 403, 404)), ('get_aci_image', 'GET', ORG_REPO, False, ACI_ARGS, (403, 403, 404, 403, 404)), ('get_aci_image', 'GET', ANOTHER_ORG_REPO, False, ACI_ARGS, (403, 403, 403, 403, 404)), # get_squashed_tag ('get_squashed_tag', 'GET', PUBLIC_REPO, False, dict(tag='fake'), (404, 404, 404, 404, 404)), ('get_squashed_tag', 'GET', PRIVATE_REPO, False, dict(tag='fake'), (403, 403, 404, 403, 404)), ('get_squashed_tag', 'GET', ORG_REPO, False, dict(tag='fake'), (403, 403, 404, 403, 404)), ('get_squashed_tag', 'GET', ANOTHER_ORG_REPO, False, dict(tag='fake'), (403, 403, 403, 403, 404)), # get_tag_torrent ('get_tag_torrent', 'GET', PUBLIC_REPO, True, dict(digest='sha256:1234'), (404, 404, 404, 404, 404)), ('get_tag_torrent', 'GET', PRIVATE_REPO, True, dict(digest='sha256:1234'), (403, 403, 404, 403, 404)), ('get_tag_torrent', 'GET', ORG_REPO, True, dict(digest='sha256:1234'), (403, 403, 404, 403, 404)), ('get_tag_torrent', 'GET', ANOTHER_ORG_REPO, True, dict(digest='sha256:1234'), (403, 403, 403, 403, 404)), ]) def test_verbs_security(user, endpoint, method, repository, single_repo_path, params, expected_statuses, app, client): headers = {} if user[1] is not None: headers['Authorization'] = gen_basic_auth(user[1], 'password') if single_repo_path: params['repository'] = repository else: (namespace, repo_name) = repository.split('/') params['namespace'] = namespace params['repository'] = repo_name conduct_call(client, 'verbs.' + endpoint, url_for, method, params, expected_code=expected_statuses[user[0]], headers=headers)