github.com/amrnt/deis@v1.3.1/controller/api/tests/test_perm.py (about) 1 2 from __future__ import unicode_literals 3 import json 4 5 from django.contrib.auth.models import User 6 from django.test import TestCase 7 from rest_framework.authtoken.models import Token 8 9 10 class TestAdminPerms(TestCase): 11 12 def test_first_signup(self): 13 # register a first user 14 username, password = 'firstuser', 'password' 15 email = 'autotest@deis.io' 16 submit = { 17 'username': username, 18 'password': password, 19 'email': email, 20 } 21 url = '/v1/auth/register' 22 response = self.client.post(url, json.dumps(submit), content_type='application/json') 23 self.assertEqual(response.status_code, 201) 24 self.assertTrue(response.data['is_superuser']) 25 # register a second user 26 username, password = 'seconduser', 'password' 27 email = 'autotest@deis.io' 28 submit = { 29 'username': username, 30 'password': password, 31 'email': email, 32 } 33 url = '/v1/auth/register' 34 response = self.client.post(url, json.dumps(submit), content_type='application/json') 35 self.assertEqual(response.status_code, 201) 36 self.assertFalse(response.data['is_superuser']) 37 38 def test_list(self): 39 submit = { 40 'username': 'firstuser', 41 'password': 'password', 42 'email': 'autotest@deis.io', 43 } 44 url = '/v1/auth/register' 45 response = self.client.post(url, json.dumps(submit), content_type='application/json') 46 self.assertEqual(response.status_code, 201) 47 self.assertTrue(response.data['is_superuser']) 48 user = User.objects.get(username='firstuser') 49 token = Token.objects.get(user=user).key 50 response = self.client.get('/v1/admin/perms', content_type='application/json', 51 HTTP_AUTHORIZATION='token {}'.format(token)) 52 self.assertEqual(response.status_code, 200) 53 self.assertEqual(len(response.data['results']), 1) 54 self.assertEqual(response.data['results'][0]['username'], 'firstuser') 55 self.assertTrue(response.data['results'][0]['is_superuser']) 56 # register a non-superuser 57 submit = { 58 'username': 'seconduser', 59 'password': 'password', 60 'email': 'autotest@deis.io', 61 } 62 url = '/v1/auth/register' 63 response = self.client.post(url, json.dumps(submit), content_type='application/json') 64 self.assertEqual(response.status_code, 201) 65 self.assertFalse(response.data['is_superuser']) 66 user = User.objects.get(username='seconduser') 67 token = Token.objects.get(user=user).key 68 response = self.client.get('/v1/admin/perms', content_type='application/json', 69 HTTP_AUTHORIZATION='token {}'.format(token)) 70 self.assertEqual(response.status_code, 403) 71 self.assertIn('You do not have permission', response.data['detail']) 72 73 def test_create(self): 74 submit = { 75 'username': 'first', 76 'password': 'password', 77 'email': 'autotest@deis.io', 78 } 79 url = '/v1/auth/register' 80 response = self.client.post(url, json.dumps(submit), content_type='application/json') 81 self.assertEqual(response.status_code, 201) 82 self.assertTrue(response.data['is_superuser']) 83 submit = { 84 'username': 'second', 85 'password': 'password', 86 'email': 'autotest@deis.io', 87 } 88 url = '/v1/auth/register' 89 response = self.client.post(url, json.dumps(submit), content_type='application/json') 90 self.assertEqual(response.status_code, 201) 91 self.assertFalse(response.data['is_superuser']) 92 user = User.objects.get(username='first') 93 token = Token.objects.get(user=user).key 94 # grant user 2 the superuser perm 95 url = '/v1/admin/perms' 96 body = {'username': 'second'} 97 response = self.client.post(url, json.dumps(body), content_type='application/json', 98 HTTP_AUTHORIZATION='token {}'.format(token)) 99 self.assertEqual(response.status_code, 201) 100 response = self.client.get(url, HTTP_AUTHORIZATION='token {}'.format(token)) 101 self.assertEqual(response.status_code, 200) 102 self.assertEqual(len(response.data['results']), 2) 103 self.assertIn('second', str(response.data['results'])) 104 105 def test_delete(self): 106 submit = { 107 'username': 'first', 108 'password': 'password', 109 'email': 'autotest@deis.io', 110 } 111 url = '/v1/auth/register' 112 response = self.client.post(url, json.dumps(submit), content_type='application/json') 113 self.assertEqual(response.status_code, 201) 114 self.assertTrue(response.data['is_superuser']) 115 submit = { 116 'username': 'second', 117 'password': 'password', 118 'email': 'autotest@deis.io', 119 } 120 url = '/v1/auth/register' 121 response = self.client.post(url, json.dumps(submit), content_type='application/json') 122 self.assertEqual(response.status_code, 201) 123 self.assertFalse(response.data['is_superuser']) 124 user = User.objects.get(username='first') 125 token = Token.objects.get(user=user).key 126 # grant user 2 the superuser perm 127 url = '/v1/admin/perms' 128 body = {'username': 'second'} 129 response = self.client.post(url, json.dumps(body), content_type='application/json', 130 HTTP_AUTHORIZATION='token {}'.format(token)) 131 self.assertEqual(response.status_code, 201) 132 # revoke the superuser perm 133 response = self.client.delete(url + '/second', HTTP_AUTHORIZATION='token {}'.format(token)) 134 self.assertEqual(response.status_code, 204) 135 response = self.client.get(url, HTTP_AUTHORIZATION='token {}'.format(token)) 136 self.assertEqual(response.status_code, 200) 137 self.assertEqual(len(response.data['results']), 1) 138 self.assertNotIn('two', str(response.data['results'])) 139 140 141 class TestAppPerms(TestCase): 142 143 fixtures = ['test_sharing.json'] 144 145 def setUp(self): 146 self.user = User.objects.get(username='autotest-1') 147 self.token = Token.objects.get(user=self.user).key 148 self.user2 = User.objects.get(username='autotest-2') 149 self.token2 = Token.objects.get(user=self.user2).key 150 151 def test_create(self): 152 # check that user 1 sees her lone app and user 2's app 153 response = self.client.get('/v1/apps', HTTP_AUTHORIZATION='token {}'.format(self.token)) 154 self.assertEqual(response.status_code, 200) 155 self.assertEqual(len(response.data['results']), 2) 156 app_id = response.data['results'][0]['id'] 157 # check that user 2 can only see his app 158 response = self.client.get('/v1/apps', HTTP_AUTHORIZATION='token {}'.format(self.token2)) 159 self.assertEqual(len(response.data['results']), 1) 160 # check that user 2 can't see any of the app's builds, configs, 161 # containers, limits, or releases 162 for model in ['builds', 'config', 'containers', 'releases']: 163 response = self.client.get("/v1/apps/{}/{}/".format(app_id, model), 164 HTTP_AUTHORIZATION='token {}'.format(self.token2)) 165 msg = "Failed: status '%s', and data '%s'" % (response.status_code, response.data) 166 self.assertEqual(response.status_code, 403, msg=msg) 167 self.assertEqual(response.data['detail'], 168 'You do not have permission to perform this action.', msg=msg) 169 # TODO: test that git pushing to the app fails 170 # give user 2 permission to user 1's app 171 url = "/v1/apps/{}/perms".format(app_id) 172 body = {'username': 'autotest-2'} 173 response = self.client.post(url, json.dumps(body), content_type='application/json', 174 HTTP_AUTHORIZATION='token {}'.format(self.token)) 175 self.assertEqual(response.status_code, 201) 176 # check that user 2 can see the app 177 response = self.client.get('/v1/apps', HTTP_AUTHORIZATION='token {}'.format(self.token2)) 178 self.assertEqual(response.status_code, 200) 179 self.assertEqual(len(response.data['results']), 2) 180 # check that user 2 sees (empty) results now for builds, containers, 181 # and releases. (config and limit will still give 404s since we didn't 182 # push a build here.) 183 for model in ['builds', 'containers', 'releases']: 184 response = self.client.get("/v1/apps/{}/{}/".format(app_id, model), 185 HTTP_AUTHORIZATION='token {}'.format(self.token2)) 186 self.assertEqual(len(response.data['results']), 0) 187 # TODO: check that user 2 can git push the app 188 189 def test_create_errors(self): 190 # check that user 1 sees her lone app 191 response = self.client.get('/v1/apps', HTTP_AUTHORIZATION='token {}'.format(self.token)) 192 app_id = response.data['results'][0]['id'] 193 # check that user 2 can't create a permission 194 url = "/v1/apps/{}/perms".format(app_id) 195 body = {'username': 'autotest-2'} 196 response = self.client.post(url, json.dumps(body), content_type='application/json', 197 HTTP_AUTHORIZATION='token {}'.format(self.token2)) 198 self.assertEqual(response.status_code, 403) 199 200 def test_delete(self): 201 # give user 2 permission to user 1's app 202 response = self.client.get('/v1/apps', HTTP_AUTHORIZATION='token {}'.format(self.token)) 203 app_id = response.data['results'][0]['id'] 204 url = "/v1/apps/{}/perms".format(app_id) 205 body = {'username': 'autotest-2'} 206 response = self.client.post(url, json.dumps(body), content_type='application/json', 207 HTTP_AUTHORIZATION='token {}'.format(self.token)) 208 self.assertEqual(response.status_code, 201) 209 # check that user 2 can see the app as well as his own 210 response = self.client.get('/v1/apps', HTTP_AUTHORIZATION='token {}'.format(self.token2)) 211 self.assertEqual(response.status_code, 200) 212 self.assertEqual(len(response.data['results']), 2) 213 # try to delete the permission as user 2 214 url = "/v1/apps/{}/perms/{}".format(app_id, 'autotest-2') 215 response = self.client.delete(url, content_type='application/json', 216 HTTP_AUTHORIZATION='token {}'.format(self.token2)) 217 self.assertEqual(response.status_code, 403) 218 # delete permission to user 1's app 219 response = self.client.delete(url, content_type='application/json', 220 HTTP_AUTHORIZATION='token {}'.format(self.token)) 221 self.assertEqual(response.status_code, 204) 222 self.assertIsNone(response.data) 223 # check that user 2 can only see his app 224 response = self.client.get('/v1/apps', HTTP_AUTHORIZATION='token {}'.format(self.token2)) 225 self.assertEqual(len(response.data['results']), 1) 226 # delete permission to user 1's app again, expecting an error 227 response = self.client.delete(url, content_type='application/json', 228 HTTP_AUTHORIZATION='token {}'.format(self.token)) 229 self.assertEqual(response.status_code, 403) 230 231 def test_list(self): 232 # check that user 1 sees her lone app and user 2's app 233 response = self.client.get('/v1/apps', HTTP_AUTHORIZATION='token {}'.format(self.token)) 234 self.assertEqual(response.status_code, 200) 235 self.assertEqual(len(response.data['results']), 2) 236 app_id = response.data['results'][0]['id'] 237 # create a new object permission 238 url = "/v1/apps/{}/perms".format(app_id) 239 body = {'username': 'autotest-2'} 240 response = self.client.post(url, json.dumps(body), content_type='application/json', 241 HTTP_AUTHORIZATION='token {}'.format(self.token)) 242 self.assertEqual(response.status_code, 201) 243 # list perms on the app 244 response = self.client.get( 245 "/v1/apps/{}/perms".format(app_id), content_type='application/json', 246 HTTP_AUTHORIZATION='token {}'.format(self.token)) 247 self.assertEqual(response.data, {'users': ['autotest-2']}) 248 249 def test_admin_can_list(self): 250 """Check that an administrator can list an app's perms""" 251 response = self.client.get('/v1/apps', HTTP_AUTHORIZATION='token {}'.format(self.token)) 252 self.assertEqual(response.status_code, 200) 253 self.assertEqual(len(response.data['results']), 2) 254 255 def test_list_errors(self): 256 response = self.client.get('/v1/apps', HTTP_AUTHORIZATION='token {}'.format(self.token)) 257 app_id = response.data['results'][0]['id'] 258 # login as user 2, list perms on the app 259 response = self.client.get( 260 "/v1/apps/{}/perms".format(app_id), content_type='application/json', 261 HTTP_AUTHORIZATION='token {}'.format(self.token2)) 262 self.assertEqual(response.status_code, 403) 263 264 def test_unauthorized_user_cannot_modify_perms(self): 265 """ 266 An unauthorized user should not be able to modify other apps' permissions. 267 268 Since an unauthorized user should not know about the application at all, these 269 requests should return a 404. 270 """ 271 app_id = 'autotest' 272 url = '/v1/apps' 273 body = {'id': app_id} 274 response = self.client.post(url, json.dumps(body), content_type='application/json', 275 HTTP_AUTHORIZATION='token {}'.format(self.token)) 276 unauthorized_user = self.user2 277 unauthorized_token = self.token2 278 url = '{}/{}/perms'.format(url, app_id) 279 body = {'username': unauthorized_user.username} 280 response = self.client.post(url, json.dumps(body), content_type='application/json', 281 HTTP_AUTHORIZATION='token {}'.format(unauthorized_token)) 282 self.assertEqual(response.status_code, 403)