def test_login_with_explicit_permission_and_roles(self): api_key_with_explicit_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_with_permission), name='explicit_with_permission', role_id=self.role_with_permission.get_id, ) api_key_without_explicit_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_with_permission), name='explicit_without_permission', role_id=self.role_without_permission.get_id, ) self.assertAuthenticationSuccess( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_with_permission.username, api_key_with_explicit_permissions))) self.assertAuthenticationFail( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_with_permission.username, api_key_without_explicit_permissions)))
def test_login_with_wrong_permission_explicit_roles(self): api_key_with_explicit_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_without_permission), name='explicit_with_permission', role_id=self.role_with_permission.get_id, ) api_key_without_explicit_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_without_permission), name='explicit_without_permission', role_id=self.role_without_permission.get_id, ) # both of these should fail since the user shouldn't be allowed API access # to a role they don't have self.assertAuthenticationFail( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_without_permission.username, api_key_with_explicit_permissions))) self.assertAuthenticationFail( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_without_permission.username, api_key_without_explicit_permissions)))
def setUpClass(cls): super(APIResourceTest, cls).setUpClass() Role.get_cache().clear() cls.domain = Domain.get_or_create_with_name('qwerty', is_active=True) cls.list_endpoint = cls._get_list_endpoint() cls.username = '******' cls.password = '******' cls.user = WebUser.create(cls.domain.name, cls.username, cls.password, None, None, email='*****@*****.**', first_name='rudolph', last_name='commcare') cls.user.set_role(cls.domain.name, 'admin') cls.user.save() cls.account = BillingAccount.get_or_create_account_by_domain( cls.domain.name, created_by="automated-test")[0] plan = DefaultProductPlan.get_default_plan_version( edition=SoftwarePlanEdition.ADVANCED) cls.subscription = Subscription.new_domain_subscription( cls.account, cls.domain.name, plan) cls.subscription.is_active = True cls.subscription.save() cls.api_key, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(cls.user))
def setUpClass(cls): super().setUpClass() cls.factory = RequestFactory() cls.domain = 'api-test' cls.project = Domain.get_or_create_with_name(cls.domain, is_active=True) cls.username = '******' cls.password = '******' cls.user = WebUser.create(cls.domain, cls.username, cls.password, None, None) cls.api_key, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(cls.user)) cls.domain_api_key, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(cls.user), name='domain-scoped', domain=cls.domain)
def setUpClass(cls): super().setUpClass() # Set up domains cls.mirror = DomainPermissionsMirror(source='state', mirror='county') cls.mirror.save() create_domain('state') create_domain('county') # Set up users cls.web_user_admin = WebUser.create('state', 'emma', 'badpassword', None, None, email='*****@*****.**', is_admin=True) cls.web_user_non_admin = WebUser.create('state', 'clementine', 'worsepassword', None, None, email='*****@*****.**') cls.api_key, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(cls.web_user_non_admin))
def test_login_with_wrong_permission(self): api_key_without_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.user_without_permission)) self.assertAuthenticationFail( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.user_without_permission.username, api_key_without_permissions)))
def test_login_with_domain_admin_default(self): api_key_with_default_permissions, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(self.domain_admin), name='default', ) self.assertAuthenticationSuccess( self.require_edit_data, self._get_request( domain=self.domain, HTTP_AUTHORIZATION=self._construct_api_auth_header( self.domain_admin.username, api_key_with_default_permissions)))
def test_explicit_role_wrong_domain(self): project = Domain.get_or_create_with_name('api-test-fail-2', is_active=True) self.addCleanup(project.delete) user = WebUser.create(self.domain, 'multi_domain_admin', '***', None, None, is_admin=True) user.add_domain_membership(project.name, is_admin=True) user.save() self.addCleanup(user.delete, self.domain, deleted_by=None) unscoped_api_key, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(user), name='unscoped', ) # this key should only be able to access default project, not new one scoped_api_key, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(user), name='explicit_with_permission_wrong_domain', role_id=self.role_with_permission.get_id, ) unscoped_auth_header = self._construct_api_auth_header( user.username, unscoped_api_key) scoped_auth_header = self._construct_api_auth_header( user.username, scoped_api_key) for domain in [self.domain, project.name]: self.assertAuthenticationSuccess( self.require_edit_data, self._get_request(domain=domain, HTTP_AUTHORIZATION=unscoped_auth_header)) self.assertAuthenticationSuccess( self.require_edit_data, self._get_request(domain=self.domain, HTTP_AUTHORIZATION=scoped_auth_header)) self.assertAuthenticationFail( self.require_edit_data, self._get_request(domain=project.name, HTTP_AUTHORIZATION=scoped_auth_header))
def _get_api_key_auth_headers(self, headers=None, username=None): if headers and 'HTTP_AUTHORIZATION' in headers: return {} username = username or self.username api_key = self.api_key.key if username != self.username: web_user = WebUser.get_by_username(username) api_key, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(web_user)) api_key = api_key.key return {'HTTP_AUTHORIZATION': f'apikey {username}:{api_key}'}
def _api_url(self, url, username=None): if 'api_key' in url: return url username = username or self.username api_key = self.api_key.key if username != self.username: web_user = WebUser.get_by_username(username) api_key, _ = ApiKey.objects.get_or_create(user=WebUser.get_django_user(web_user)) api_key = api_key.key api_params = urlencode({'username': username, 'api_key': api_key}) if "?" in url: api_url = "%s&%s" % (url, api_params) else: api_url = "%s?%s" % (url, api_params) return api_url
def test_wrong_user_api_key(self): username = "******" password = "******" other_user = WebUser.create(self.domain.name, username, password) other_user.set_role(self.domain.name, "admin") other_user.save() django_user = WebUser.get_django_user(other_user) other_api_key, _ = ApiKey.objects.get_or_create(user=django_user) endpoint = "%s?%s" % ( self.single_endpoint(self.user._id), urlencode({"username": self.user.username, "api_key": other_api_key.key}), ) response = self.client.get(endpoint) self.assertEqual(response.status_code, 401) other_api_key.delete() other_user.delete()
def test_wrong_user_api_key(self): username = '******' password = '******' other_user = WebUser.create(self.domain.name, username, password) other_user.set_role(self.domain.name, 'admin') other_user.save() self.addCleanup(other_user.delete) django_user = WebUser.get_django_user(other_user) other_api_key, _ = ApiKey.objects.get_or_create(user=django_user) self.addCleanup(other_api_key.delete) endpoint = "%s?%s" % (self.single_endpoint(self.user._id), urlencode({ "username": self.user.username, "api_key": other_api_key.key })) response = self.client.get(endpoint) self.assertEqual(response.status_code, 401)
def setUpClass(cls): super(APIResourceTest, cls).setUpClass() Role.get_cache().clear() cls.domain = Domain.get_or_create_with_name('qwerty', is_active=True) cls.list_endpoint = cls._get_list_endpoint() cls.username = '******' cls.password = '******' cls.user = WebUser.create(cls.domain.name, cls.username, cls.password) cls.user.set_role(cls.domain.name, 'admin') cls.user.save() cls.account = BillingAccount.get_or_create_account_by_domain(cls.domain.name, created_by="automated-test")[0] plan = DefaultProductPlan.get_default_plan_version(edition=SoftwarePlanEdition.ADVANCED) cls.subscription = Subscription.new_domain_subscription(cls.account, cls.domain.name, plan) cls.subscription.is_active = True cls.subscription.save() cls.api_key, _ = ApiKey.objects.get_or_create(user=WebUser.get_django_user(cls.user))
def setUpClass(cls): super().setUpClass() # Set up domains cls.domain = 'state' create_domain(cls.domain) create_domain('county') create_domain('staging') # Set up users cls.master_role = UserRole.create( "state", "role1", permissions=Permissions( view_web_users=True, edit_web_users=False, view_groups=True, edit_groups=False, edit_apps=True, # needed for InternalFixtureResource view_apps=True, )) cls.web_user_admin = WebUser.create('state', 'emma', 'badpassword', None, None, email='*****@*****.**', is_admin=True) cls.web_user_non_admin = WebUser.create('state', 'clementine', 'worsepassword', None, None, email='*****@*****.**') cls.web_user_non_admin.set_role('state', cls.master_role.get_qualified_id()) cls.web_user_non_admin.save() cls.api_key, _ = HQApiKey.objects.get_or_create( user=WebUser.get_django_user(cls.web_user_non_admin)) # Set up permissions create_enterprise_permissions(cls.web_user_admin.username, 'state', ['county'], ['staging'])
def setUpClass(cls): super(TestApiKey, cls).setUpClass() django_user = WebUser.get_django_user(cls.user) cls.api_key, _ = ApiKey.objects.get_or_create(user=django_user)
def setUpClass(cls): super(TestApiKey, cls).setUpClass() django_user = WebUser.get_django_user(cls.user) cls.api_key, _ = ApiKey.objects.get_or_create(user=django_user)