def test_login_with_explicit_permission_and_roles(self):
api_key_with_explicit_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_with_permission),
name='explicit_with_permission',
role_id=self.role_with_permission.get_id,
)
api_key_without_explicit_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_with_permission),
name='explicit_without_permission',
role_id=self.role_without_permission.get_id,
)
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_with_permission.username,
api_key_with_explicit_permissions)))
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_with_permission.username,
api_key_without_explicit_permissions)))
def test_login_with_wrong_permission_explicit_roles(self):
api_key_with_explicit_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_without_permission),
name='explicit_with_permission',
role_id=self.role_with_permission.get_id,
)
api_key_without_explicit_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_without_permission),
name='explicit_without_permission',
role_id=self.role_without_permission.get_id,
)
# both of these should fail since the user shouldn't be allowed API access
# to a role they don't have
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_without_permission.username,
api_key_with_explicit_permissions)))
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_without_permission.username,
api_key_without_explicit_permissions)))
def setUpClass(cls):
super(APIResourceTest, cls).setUpClass()
Role.get_cache().clear()
cls.domain = Domain.get_or_create_with_name('qwerty', is_active=True)
cls.list_endpoint = cls._get_list_endpoint()
cls.username = '******'
cls.password = '******'
cls.user = WebUser.create(cls.domain.name,
cls.username,
cls.password,
None,
None,
email='*****@*****.**',
first_name='rudolph',
last_name='commcare')
cls.user.set_role(cls.domain.name, 'admin')
cls.user.save()
cls.account = BillingAccount.get_or_create_account_by_domain(
cls.domain.name, created_by="automated-test")[0]
plan = DefaultProductPlan.get_default_plan_version(
edition=SoftwarePlanEdition.ADVANCED)
cls.subscription = Subscription.new_domain_subscription(
cls.account, cls.domain.name, plan)
cls.subscription.is_active = True
cls.subscription.save()
cls.api_key, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(cls.user))
def setUpClass(cls):
super().setUpClass()
cls.factory = RequestFactory()
cls.domain = 'api-test'
cls.project = Domain.get_or_create_with_name(cls.domain,
is_active=True)
cls.username = '******'
cls.password = '******'
cls.user = WebUser.create(cls.domain, cls.username, cls.password, None,
None)
cls.api_key, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(cls.user))
cls.domain_api_key, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(cls.user),
name='domain-scoped',
domain=cls.domain)
def setUpClass(cls):
super().setUpClass()
# Set up domains
cls.mirror = DomainPermissionsMirror(source='state', mirror='county')
cls.mirror.save()
create_domain('state')
create_domain('county')
# Set up users
cls.web_user_admin = WebUser.create('state',
'emma',
'badpassword',
None,
None,
email='*****@*****.**',
is_admin=True)
cls.web_user_non_admin = WebUser.create('state',
'clementine',
'worsepassword',
None,
None,
email='*****@*****.**')
cls.api_key, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(cls.web_user_non_admin))
def test_login_with_wrong_permission(self):
api_key_without_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.user_without_permission))
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.user_without_permission.username,
api_key_without_permissions)))
def test_login_with_domain_admin_default(self):
api_key_with_default_permissions, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(self.domain_admin),
name='default',
)
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(
domain=self.domain,
HTTP_AUTHORIZATION=self._construct_api_auth_header(
self.domain_admin.username,
api_key_with_default_permissions)))
def test_explicit_role_wrong_domain(self):
project = Domain.get_or_create_with_name('api-test-fail-2',
is_active=True)
self.addCleanup(project.delete)
user = WebUser.create(self.domain,
'multi_domain_admin',
'***',
None,
None,
is_admin=True)
user.add_domain_membership(project.name, is_admin=True)
user.save()
self.addCleanup(user.delete, self.domain, deleted_by=None)
unscoped_api_key, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(user),
name='unscoped',
)
# this key should only be able to access default project, not new one
scoped_api_key, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(user),
name='explicit_with_permission_wrong_domain',
role_id=self.role_with_permission.get_id,
)
unscoped_auth_header = self._construct_api_auth_header(
user.username, unscoped_api_key)
scoped_auth_header = self._construct_api_auth_header(
user.username, scoped_api_key)
for domain in [self.domain, project.name]:
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(domain=domain,
HTTP_AUTHORIZATION=unscoped_auth_header))
self.assertAuthenticationSuccess(
self.require_edit_data,
self._get_request(domain=self.domain,
HTTP_AUTHORIZATION=scoped_auth_header))
self.assertAuthenticationFail(
self.require_edit_data,
self._get_request(domain=project.name,
HTTP_AUTHORIZATION=scoped_auth_header))
def _get_api_key_auth_headers(self, headers=None, username=None):
if headers and 'HTTP_AUTHORIZATION' in headers:
return {}
username = username or self.username
api_key = self.api_key.key
if username != self.username:
web_user = WebUser.get_by_username(username)
api_key, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(web_user))
api_key = api_key.key
return {'HTTP_AUTHORIZATION': f'apikey {username}:{api_key}'}
def _api_url(self, url, username=None):
if 'api_key' in url:
return url
username = username or self.username
api_key = self.api_key.key
if username != self.username:
web_user = WebUser.get_by_username(username)
api_key, _ = ApiKey.objects.get_or_create(user=WebUser.get_django_user(web_user))
api_key = api_key.key
api_params = urlencode({'username': username, 'api_key': api_key})
if "?" in url:
api_url = "%s&%s" % (url, api_params)
else:
api_url = "%s?%s" % (url, api_params)
return api_url
def test_wrong_user_api_key(self):
username = "******"
password = "******"
other_user = WebUser.create(self.domain.name, username, password)
other_user.set_role(self.domain.name, "admin")
other_user.save()
django_user = WebUser.get_django_user(other_user)
other_api_key, _ = ApiKey.objects.get_or_create(user=django_user)
endpoint = "%s?%s" % (
self.single_endpoint(self.user._id),
urlencode({"username": self.user.username, "api_key": other_api_key.key}),
)
response = self.client.get(endpoint)
self.assertEqual(response.status_code, 401)
other_api_key.delete()
other_user.delete()
def test_wrong_user_api_key(self):
username = '******'
password = '******'
other_user = WebUser.create(self.domain.name, username, password)
other_user.set_role(self.domain.name, 'admin')
other_user.save()
self.addCleanup(other_user.delete)
django_user = WebUser.get_django_user(other_user)
other_api_key, _ = ApiKey.objects.get_or_create(user=django_user)
self.addCleanup(other_api_key.delete)
endpoint = "%s?%s" % (self.single_endpoint(self.user._id),
urlencode({
"username": self.user.username,
"api_key": other_api_key.key
}))
response = self.client.get(endpoint)
self.assertEqual(response.status_code, 401)
def setUpClass(cls):
super(APIResourceTest, cls).setUpClass()
Role.get_cache().clear()
cls.domain = Domain.get_or_create_with_name('qwerty', is_active=True)
cls.list_endpoint = cls._get_list_endpoint()
cls.username = '******'
cls.password = '******'
cls.user = WebUser.create(cls.domain.name, cls.username, cls.password)
cls.user.set_role(cls.domain.name, 'admin')
cls.user.save()
cls.account = BillingAccount.get_or_create_account_by_domain(cls.domain.name, created_by="automated-test")[0]
plan = DefaultProductPlan.get_default_plan_version(edition=SoftwarePlanEdition.ADVANCED)
cls.subscription = Subscription.new_domain_subscription(cls.account, cls.domain.name, plan)
cls.subscription.is_active = True
cls.subscription.save()
cls.api_key, _ = ApiKey.objects.get_or_create(user=WebUser.get_django_user(cls.user))
def setUpClass(cls):
super().setUpClass()
# Set up domains
cls.domain = 'state'
create_domain(cls.domain)
create_domain('county')
create_domain('staging')
# Set up users
cls.master_role = UserRole.create(
"state",
"role1",
permissions=Permissions(
view_web_users=True,
edit_web_users=False,
view_groups=True,
edit_groups=False,
edit_apps=True, # needed for InternalFixtureResource
view_apps=True,
))
cls.web_user_admin = WebUser.create('state',
'emma',
'badpassword',
None,
None,
email='*****@*****.**',
is_admin=True)
cls.web_user_non_admin = WebUser.create('state',
'clementine',
'worsepassword',
None,
None,
email='*****@*****.**')
cls.web_user_non_admin.set_role('state',
cls.master_role.get_qualified_id())
cls.web_user_non_admin.save()
cls.api_key, _ = HQApiKey.objects.get_or_create(
user=WebUser.get_django_user(cls.web_user_non_admin))
# Set up permissions
create_enterprise_permissions(cls.web_user_admin.username, 'state',
['county'], ['staging'])
def setUpClass(cls):
super(TestApiKey, cls).setUpClass()
django_user = WebUser.get_django_user(cls.user)
cls.api_key, _ = ApiKey.objects.get_or_create(user=django_user)
def setUpClass(cls):
super(TestApiKey, cls).setUpClass()
django_user = WebUser.get_django_user(cls.user)
cls.api_key, _ = ApiKey.objects.get_or_create(user=django_user)