def test_reg_user_cannot_view_users_org_dne(reg_user_headers): """ regular users cannot view users of an organization that doesn't exist """ org = str(uuid.uuid4()) res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/users', headers=reg_user_headers) assert res.status_code == 404 response_contains_json(res, 'error', 'ORG_DNE_PARAM')
def test_reg_user_cannot_view_user_from_another_org(reg_user_headers): """ regular users cannot view users from another organization """ org, user = create_new_user_with_new_org_by_uuid() res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}', headers=reg_user_headers) assert res.status_code == 403 response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_reg_user_cannot_view_another_org(reg_user_headers): """ regular users cannot view an organization they don't belong to """ org = str(uuid.uuid4()) res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}', headers=reg_user_headers) assert res.status_code == 403 response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_org_admin_get_another_org_user_info(org_admin_headers): """ services api prevents org admin users from viewing another org user's info """ org, user = create_new_user_with_new_org_by_uuid() res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}', headers=org_admin_headers) assert res.status_code == 403 response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_org_admin_cannot_update_user_for_another_org(org_admin_headers): """ services api prevents org admins from updating a user from a diff org """ org, user = create_new_user_with_new_org_by_uuid() res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}', headers=org_admin_headers) assert res.status_code == 403 response_contains_json(res, 'error', 'NOT_SAME_USER_OR_SECRETARIAT')
def test_org_admin_update_own_user_roles_name(org_admin_headers): """ allows admin users to update its own name and remove role """ org = org_admin_headers['CVE-API-ORG'] user = org_admin_headers['CVE-API-USER'] res = requests.put( f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?active_roles.remove=admin', # removing role headers=org_admin_headers) assert res.status_code == 200 assert json.loads( res.content.decode())['updated']['authority']['active_roles'] == [] res = requests.put( f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?active_roles.add=admin', # adding role headers=org_admin_headers) assert res.status_code == 403 response_contains_json( res, 'error', 'NOT_ORG_ADMIN_OR_SECRETARIAT' ) # cannot add role because org admin doesn't have "ADMIN" role anymore res = requests.put( f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?active_roles.add=admin', # adding "ADMIN" role back to org admin user headers=utils.BASE_HEADERS) assert res.status_code == 200 assert json.loads( res.content.decode())['updated']['authority']['active_roles'] == [ "ADMIN" ] res = requests.put( f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?name.first=t&name.last=e&name.middle=s&name.suffix=t&name.surname=s', # updating name headers=org_admin_headers) assert res.status_code == 200 assert json.loads(res.content.decode())['updated']['name']['first'] == 't' assert json.loads(res.content.decode())['updated']['name']['last'] == 'e' assert json.loads(res.content.decode())['updated']['name']['middle'] == 's' assert json.loads(res.content.decode())['updated']['name']['suffix'] == 't' assert json.loads( res.content.decode())['updated']['name']['surname'] == 's'
def test_org_admin_get_secretariat_id_quota_info(org_admin_headers): """ services api rejects requests for secretariat by non-secretariat users """ res = requests.get( f'{env.AWG_BASE_URL}{ORG_URL}/mitre/id_quota', # the secretariat's org headers=org_admin_headers) assert res.status_code == 403 response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_reg_user_cannot_update_org(reg_user_headers): """ regular user cannot update an organization """ org = str(uuid.uuid4()) res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}', headers=reg_user_headers) assert res.status_code == 403 response_contains_json(res, 'error', 'SECRETARIAT_ONLY')
def test_org_admin_cannot_update_org(org_admin_headers): """ services api does not allow org admins to update their own orgs """ res = requests.post(f'{env.AWG_BASE_URL}{ORG_URL}', headers=org_admin_headers, params={'name': str(uuid.uuid4())}) assert res.status_code == 403 response_contains_json(res, 'error', 'SECRETARIAT_ONLY')
def test_org_admin_get_mitre_user_info(org_admin_headers): """ services api prevents org users from viewing secretariat user info """ res = requests.get( f'{env.AWG_BASE_URL}{ORG_URL}/mitre/user/{env.AWG_USER_NAME}', headers=org_admin_headers) assert res.status_code == 403 response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_put_cve_id_id_state(org_admin_headers): """ org admin cannot update id's state """ res = requests.put(f'{env.AWG_BASE_URL}{CVE_ID_URL}/{cve_id}', headers=org_admin_headers, params={'state': 'PUBLIC'}) assert res.status_code == 403 response_contains_json(res, 'error', 'SECRETARIAT_ONLY')
def test_post_cve_id_bad_amount(reg_user_headers): """ api rejects non-numeric amount when requesting IDs """ res = get_reserve_cve_ids('a', utils.CURRENT_YEAR, reg_user_headers['CVE-API-USER']) assert res.status_code == 400 assert res.reason == 'Bad Request' response_contains_json(res, 'error', 'BAD_INPUT') assert_contains(res, 'amount')
def test_put_update_user_org_short_name(): """ services api allows users org to be updated by secretariat """ org, user = create_new_user_with_new_org_by_uuid() new_org = str(uuid.uuid4()) new_org_res = post_new_org(new_org, new_org) assert new_org_res.status_code == 200 res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}', headers=utils.BASE_HEADERS, params={'org_shortname': new_org}) assert res.status_code == 200 response_contains_json(res, 'message', f'{user} was successfully updated.') # user doesn't exist at this endpoint because its under a new org res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}', headers=utils.BASE_HEADERS, params={'org_shortname': new_org}) assert res.status_code == 404 response_contains(res, 'designated by the username parameter does not exist.') response_contains_json(res, 'error', 'USER_DNE') # but we can get the new user res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{new_org}/user/{user}', headers=utils.BASE_HEADERS) ok_response_contains(res, user)
def test_post_cve_id_reserve_nonsequential_over_limit(org_admin_headers): """ the services api enforces a max non-sequential limit of 10 """ res = get_reserve_cve_ids(11, utils.CURRENT_YEAR, org_admin_headers['CVE-API-ORG'], 'nonsequential') assert res.status_code == 403 response_contains_json(res, 'error', 'OVER_NONSEQUENTIAL_MAX_AMOUNT')
def test_org_admin_reset_secret_org_dne(org_admin_headers): org = org_admin_headers['CVE-API-ORG'] user = str(uuid.uuid4()) res = requests.put( f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}/reset_secret', headers=org_admin_headers) assert res.status_code == 404 response_contains_json(res, 'error', 'USER_DNE')
def test_org_admin_cannot_update_user_dne(org_admin_headers): """ services api prevents org admins from updating a user that doesn't exist """ user = str(uuid.uuid4()) org = org_admin_headers['CVE-API-ORG'] res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}', headers=org_admin_headers) assert res.status_code == 404 response_contains_json(res, 'error', 'USER_DNE')
def test_org_admin_reset_diff_org_secret(org_admin_headers): """ services api prevents admin users to reset the secret of users of different org""" org, user = create_new_user_with_new_org_by_uuid() res = requests.put( f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}/reset_secret', headers=org_admin_headers) assert res.status_code == 403 response_contains_json(res, 'error', 'NOT_SAME_USER_OR_SECRETARIAT')
def test_reg_user_cannot_view_user_dne(reg_user_headers): """ regular user cannot view user that doesn't exist """ org = reg_user_headers['CVE-API-ORG'] user = str(uuid.uuid4()) res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}', headers=reg_user_headers) assert res.status_code == 404 response_contains_json(res, 'error', 'USER_DNE')
def test_post_cve_id_range_already_exists(choose_year): """ ranges for 1999 to the current year must exist """ res = requests.post(f'{env.AWG_BASE_URL}{CVE_ID_RANGE_URL}/{choose_year}', headers=utils.BASE_HEADERS) assert res.status_code == 400 response_contains(res, (f'document for year {choose_year} was not created ' 'because it already exists.')) response_contains_json(res, 'error', 'YEAR_RANGE_EXISTS')
def test_update_mitre_id_quota(): """ a secretariat user can update its own ID quota """ # NOTE: this test makes sure MITRE can reserve IDs for reservation tests res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/mitre?id_quota=100000', headers=utils.BASE_HEADERS) assert res.status_code == 200 response_contains_json(res, 'message', 'mitre organization was successfully updated.')
def test_regular_user_cannot_update_user_org_dne(reg_user_headers): """ regular user cannot update a user from an org that doesn't exist """ org = str(uuid.uuid4()) user = reg_user_headers['CVE-API-USER'] res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}', headers=reg_user_headers) assert res.status_code == 404 response_contains_json(res, 'error', 'ORG_DNE_PARAM')
def test_put_update_org_that_does_not_exist(): """ cve services api will not update orgs that don't exist """ uid = str(uuid.uuid4()) res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{uid}?id_quota=100', headers=utils.BASE_HEADERS) assert res.status_code == 404 response_contains_json(res, 'error', 'ORG_DNE_PARAM') assert_contains(res, 'by the shortname parameter does not exist')
def test_post_new_org_user_duplicate(): """ cve services new org user endpoint fails for a duplicate user """ res = requests.post(f'{env.AWG_BASE_URL}{ORG_URL}/mitre/user', headers=utils.BASE_HEADERS, json={'username': env.AWG_USER_NAME}) assert res.status_code == 400 response_contains_json( res, 'message', f"The user \'{env.AWG_USER_NAME}\' already exists.")
def test_get_cve_id_page_limit(org_admin_headers): """ page must be greater than or equal to 1' """ res = requests.get(f'{env.AWG_BASE_URL}{CVE_ID_URL}', headers=org_admin_headers, params={ 'page': '-1', }) assert res.status_code == 400 response_contains_json(res, 'error', 'BAD_INPUT')
def test_post_new_org_user_empty_params(): """ an empty new org user parameters is invalid for username """ res = requests.post(f'{env.AWG_BASE_URL}{ORG_URL}/mitre/user', headers=utils.BASE_HEADERS, json={'username': ''}) assert res.status_code == 400 assert 'username' in res.content.decode() assert len(json.loads(res.content.decode())['details']) == 1 response_contains_json(res, 'message', 'Parameters were invalid')
def test_get_cve_id_state_in_choices(org_admin_headers): """ state parameter can only be 'REJECT', 'PUBLIC' or 'RESERVED' """ res = requests.get(f'{env.AWG_BASE_URL}{CVE_ID_URL}', headers=org_admin_headers, params={ 'state': 'TEST', }) assert res.status_code == 400 response_contains_json(res, 'error', 'BAD_INPUT')
def test_get_cve_id_year_format_with_letters(org_admin_headers): """ cve_id_year format cannot have letters """ res = requests.get(f'{env.AWG_BASE_URL}{CVE_ID_URL}', headers=org_admin_headers, params={ 'cve_id_year': 'test', }) assert res.status_code == 400 response_contains_json(res, 'error', 'BAD_INPUT')
def test_get_cve_id_year_format_with_digits(org_admin_headers): """ cve_id_year format must be 4 digits only """ res = requests.get(f'{env.AWG_BASE_URL}{CVE_ID_URL}', headers=org_admin_headers, params={ 'cve_id_year': '20111', }) assert res.status_code == 400 response_contains_json(res, 'error', 'BAD_INPUT')
def test_org_admin_get_another_org_id_quota_info(org_admin_headers): """ services api rejects requests for any org by another org user """ different_org = str(uuid.uuid4()) # name of an org res = post_new_org(different_org, different_org) # create an org assert res.status_code == 200 res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{different_org}/id_quota', headers=org_admin_headers) assert res.status_code == 403 response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_org_admin_get_another_org_users_info(org_admin_headers): """ services api prevents org admin users from viewing all other org's user info """ org = str(uuid.uuid4()) res = post_new_org(org, org) assert res.status_code == 200 res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/users', headers=org_admin_headers) assert res.status_code == 403 response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')