    def test_personal_access_token_admin_user(self, default_sat):
        """Personal access token (PAT) issued to an admin user

        :id: f2d3813f-e477-4b6b-8507-246b08fcb3b4

        :steps:
            1. Create an admin user and issue a personal access token for it
            2. Call an API endpoint authenticating with that token
            3. Revoke the token and call the endpoint again

        :expectedresults:
            1. The endpoint answers with its normal output
            2. After revocation the call fails with an authentication error

        :CaseLevel: System

        :CaseImportance: High
        """
        admin = make_user({'admin': '1'})
        pat_name = gen_alphanumeric()
        created = User.access_token(
            action="create", options={'name': pat_name, 'user-id': admin['id']}
        )
        # The token is taken from the hammer message after its last ':'.
        # NOTE(review): sibling tests split the same message on '\n' — confirm
        # which delimiter matches the hammer output of the build under test.
        pat_value = created[0]['message'].split(':')[-1]
        # `-k` skips TLS verification (presumably a self-signed lab cert), and the
        # token is passed on the remote command line, so it shows up in that
        # host's process list / shell history — acceptable for a throwaway lab PAT.
        users_call = f'curl -k -u {admin["login"]}:{pat_value} {default_sat.url}/api/v2/users'

        # With a live token the endpoint lists users, including the admin itself.
        response = default_sat.execute(users_call)
        assert admin['login'] in response.stdout
        assert admin['email'] in response.stdout

        # Once revoked, the same credentials must be rejected.
        User.access_token(action="revoke", options={'name': pat_name, 'user-id': admin['id']})
        response = default_sat.execute(users_call)
        assert f'Unable to authenticate user {admin["login"]}' in response.stdout
    def test_custom_personal_access_token_role(self, default_sat):
        """Personal access token for a non-admin user holding a custom role

        :id: dcbd22df-2641-4d3e-a1ad-76f36642e31b

        :steps:
            1. Create a role carrying the PAT permissions plus View Users
            2. Create a non-admin user and assign that role
            3. Issue a PAT for the user and call the users endpoint with it
            4. Revoke the token and call the endpoint again

        :expectedresults: The non-admin user can view only the entity its role
            grants, and the revoked token is rejected

        :CaseLevel: System

        :CaseImportance: High

        :BZ: 1974685, 1996048
        """
        role = make_role()

        # Grant every permission hammer reports for the PersonalAccessToken
        # resource type, plus view_users so the users endpoint is readable.
        pat_permissions = Filter.available_permissions(
            {'search': 'resource_type=PersonalAccessToken'}
        )
        pat_permission_names = ','.join(perm['name'] for perm in pat_permissions)
        make_filter({'role-id': role['id'], 'permissions': pat_permission_names})
        make_filter({'role-id': role['id'], 'permissions': 'view_users'})

        user = make_user()
        User.add_role({'login': user['login'], 'role': role['name']})

        token_name = gen_alphanumeric()

        def token_options():
            # Fresh dict per call so create/revoke never share a mutable object.
            return {'name': token_name, 'user-id': user['id']}

        created = User.access_token(action="create", options=token_options())
        # Token text follows the last ':' of the hammer message.
        # NOTE(review): sibling tests split on '\n' — confirm the hammer format.
        token_value = created[0]['message'].split(':')[-1]

        # `-k` disables TLS verification (lab cert, presumably); the token rides on
        # the remote command line, so it is visible in ps/shell history there.
        users_call = f'curl -k -u {user["login"]}:{token_value} {default_sat.url}/api/v2/users'

        response = default_sat.execute(users_call)
        assert user['login'] in response.stdout
        assert user['email'] in response.stdout

        User.access_token(action="revoke", options=token_options())
        response = default_sat.execute(users_call)
        assert f'Unable to authenticate user {user["login"]}' in response.stdout
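    def test_expired_personal_access_token(self, default_sat):
        """Personal access token expired for the user.

        :id: cb07b096-aba4-4a95-9a15-5413f32b597b

        :steps:
            1. Set the expiry time to +x seconds from the current time.
            2. Use the token once while it is still valid.
            3. Wait +x seconds.
            4. Try using the token with any end point.

        :expectedresults: Authentication error once the token has expired

        :CaseLevel: System

        :CaseImportance: Medium
        """
        # One source of truth for both the token lifetime and the wait, so the
        # two can't drift apart (the wait must be >= the lifetime for the final
        # assert to be meaningful).
        expiry_seconds = 20

        user = make_user()
        User.add_role({'login': user['login'], 'role': 'View hosts'})
        token_name = gen_alphanumeric()

        # Timezone-aware "now" in UTC instead of the deprecated naive utcnow();
        # the formatted value is identical because the tz is UTC.
        datetime_now = datetime.datetime.now(datetime.timezone.utc)
        datetime_expire = datetime_now + datetime.timedelta(seconds=expiry_seconds)
        datetime_expire = datetime_expire.strftime("%Y-%m-%d %H:%M:%S")
        result = User.access_token(
            action="create",
            options={
                'name': token_name,
                'user-id': user['id'],
                'expires-at': datetime_expire
            },
        )

        # Token text is the last line of the hammer message.
        # NOTE(review): other tests in this file split on ':' — confirm the format.
        token_value = result[0]['message'].split('\n')[-1]
        # `-k` disables TLS verification (presumably a self-signed lab cert); the
        # token is passed on the remote command line and is therefore visible in
        # that host's process list / shell history — fine for a short-lived lab PAT.
        curl_command = (
            f'curl -k -u {user["login"]}:{token_value} https://{default_sat.hostname}/api/v2/hosts'
        )
        # Still valid: the View hosts role lets the user list hosts.
        command_output = default_sat.execute(curl_command)
        assert default_sat.hostname in command_output.stdout

        # expiry_seconds has elapsed since datetime_now was sampled (plus the
        # create/curl round-trips), so the token is now past its expires-at.
        sleep(expiry_seconds)
        curl_command = (
            f'curl -k -u {user["login"]}:{token_value} https://{default_sat.hostname}/api/v2/users'
        )
        command_output = default_sat.execute(curl_command)
        assert f'Unable to authenticate user {user["login"]}' in command_output.stdout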
    def test_positive_personal_access_token_user_with_role(self, default_sat):
        """Personal access token for a user that holds a single role

        :id: b9fe7ddd-d1e4-4d76-9966-d223b02768ec

        :steps:
            1. Create a new user, assign it a role and issue a personal
               access token
            2. Call an endpoint covered by that role, then one that is not
            3. Revoke the access token

        :expectedresults:
            1. The endpoint matching the role returns its normal output.
            2. An endpoint outside the role reports the missing permission.

        :CaseLevel: System

        :CaseImportance: High
        """
        user = make_user()
        User.add_role({'login': user['login'], 'role': 'View hosts'})
        pat_name = gen_alphanumeric()
        created = User.access_token(
            action="create", options={'name': pat_name, 'user-id': user['id']}
        )
        # Token text is the last line of the hammer message.
        # NOTE(review): other tests in this file split on ':' — confirm the format.
        pat_value = created[0]['message'].split('\n')[-1]

        # `-k` disables TLS verification (lab cert, presumably) and the token is
        # placed on the remote command line, so it is visible in ps/history there.
        # Endpoint covered by the View hosts role: the host list includes the
        # Satellite itself. Endpoint outside the role: the API reports the
        # missing permission.
        hosts_call = (
            f'curl -k -u {user["login"]}:{pat_value} https://{default_sat.hostname}/api/v2/hosts'
        )
        users_call = (
            f'curl -k -u {user["login"]}:{pat_value} https://{default_sat.hostname}/api/v2/users'
        )
        for curl_command, expected in (
            (hosts_call, default_sat.hostname),
            (users_call, 'Access denied'),
        ):
            response = default_sat.execute(curl_command)
            assert expected in response.stdout