quay/endpoints/api/test/test_security.py

import pytest
from flask_principal import AnonymousIdentity

from endpoints.api import api
from endpoints.api.repositorynotification import RepositoryNotification
from endpoints.api.team import OrganizationTeamSyncing
from endpoints.api.test.shared import conduct_api_call
from endpoints.api.repository import RepositoryTrust
from endpoints.api.signing import RepositorySignatures
from endpoints.api.search import ConductRepositorySearch
from endpoints.api.superuser import SuperUserRepositoryBuildLogs, SuperUserRepositoryBuildResource
from endpoints.api.superuser import SuperUserRepositoryBuildStatus
from endpoints.test.shared import client_with_identity

from test.fixtures import *

TEAM_PARAMS = {'orgname': 'buynlarge', 'teamname': 'owners'}
BUILD_PARAMS = {'build_uuid': 'test-1234'}
REPO_PARAMS = {'repository': 'devtable/someapp'}
SEARCH_PARAMS = {'query': ''}
NOTIFICATION_PARAMS = {'namespace': 'devtable', 'repository': 'devtable/simple', 'uuid': 'some uuid'}


@pytest.mark.parametrize('resource,method,params,body,identity,expected', [
  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, None, 403),
  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'freshuser', 403),
  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'reader', 403),
  (OrganizationTeamSyncing, 'POST', TEAM_PARAMS, {}, 'devtable', 400),

  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, None, 403),
  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'freshuser', 403),
  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'reader', 403),
  (OrganizationTeamSyncing, 'DELETE', TEAM_PARAMS, {}, 'devtable', 200),

  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, None, 200),
  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'freshuser', 200),
  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'reader', 200),
  (ConductRepositorySearch, 'GET', SEARCH_PARAMS, None, 'devtable', 200),

  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, None, 401),
  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'reader', 403),
  (SuperUserRepositoryBuildLogs, 'GET', BUILD_PARAMS, None, 'devtable', 400),

  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, None, 401),
  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'reader', 403),
  (SuperUserRepositoryBuildStatus, 'GET', BUILD_PARAMS, None, 'devtable', 400),

  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, None, 401),
  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'freshuser', 403),
  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'reader', 403),
  (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None,  'devtable', 404),

  (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'freshuser', 403),
  (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'reader', 403),
  (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'devtable', 404),

  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, None, 403),
  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'freshuser', 403),
  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'reader', 403),
  (RepositoryNotification, 'POST', NOTIFICATION_PARAMS, {}, 'devtable', 204),

  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, None, 403),
  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'freshuser', 403),
  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'reader', 403),
  (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'devtable', 404),
])
def test_api_security(resource, method, params, body, identity, expected, client):
  with client_with_identity(identity, client) as cl:
    conduct_api_call(cl, resource, method, params, body, expected)