Ejemplo n.º 1
def test_put_update_user_org_short_name():
    """Moving a user to another org succeeds and relocates the user record.

    A user is created under a fresh org, then reassigned to a second fresh
    org through the ``org_shortname`` query parameter. Afterwards the user
    must no longer resolve under the old org (404 / USER_DNE) and must be
    retrievable under the new one.
    """
    org, user = create_new_user_with_new_org_by_uuid()
    new_org = str(uuid.uuid4())
    created = post_new_org(new_org, new_org)
    assert created.status_code == 200

    # NOTE(review): BASE_HEADERS are presumably the secretariat credentials,
    # the role expected to be allowed to reassign users - confirm in utils.
    old_user_url = f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}'
    move_params = {'org_shortname': new_org}

    moved = requests.put(old_user_url,
                         headers=utils.BASE_HEADERS,
                         params=move_params)
    assert moved.status_code == 200
    response_contains_json(moved, 'message',
                           f'{user} was successfully updated.')

    # Replaying the identical request must now fail: the user left the old
    # org, so the old org/user path no longer resolves.
    replayed = requests.put(old_user_url,
                            headers=utils.BASE_HEADERS,
                            params=move_params)
    assert replayed.status_code == 404
    response_contains(
        replayed, 'designated by the username parameter does not exist.')
    response_contains_json(replayed, 'error', 'USER_DNE')

    # The same username is reachable under the destination org.
    relocated = requests.get(
        f'{env.AWG_BASE_URL}{ORG_URL}/{new_org}/user/{user}',
        headers=utils.BASE_HEADERS)
    ok_response_contains(relocated, user)
Ejemplo n.º 2
def test_get_mitre_cna():
    """The ``mitre`` org exists and is reported with the SECRETARIAT role."""
    mitre_url = f'{env.AWG_BASE_URL}{ORG_URL}/mitre'
    mitre = requests.get(mitre_url, headers=utils.BASE_HEADERS)

    ok_response_contains(mitre, 'SECRETARIAT')
    # Check the identifying fields one by one so a failure names the field.
    expected_fields = (
        ('name', 'MITRE Corporation'),
        ('short_name', 'mitre'),
    )
    for field, value in expected_fields:
        ok_response_contains_json(mitre, field, value)
def test_get_cve_id(reg_user_headers):
    """A regular user can fetch the module-level ``cve_id`` by its ID.

    ``cve_id`` is defined outside this function; the original author notes it
    is the first ID from 1999 and is expected to always exist.
    """
    id_url = f'{env.AWG_BASE_URL}{CVE_ID_URL}/{cve_id}'
    found = requests.get(id_url, headers=reg_user_headers)
    ok_response_contains(found, cve_id)
Ejemplo n.º 4
def test_regular_user_reset_secret(reg_user_headers):
    """A regular user can rotate their own API secret.

    The org and username are taken from the caller's own headers, so this
    only exercises the self-service path (a user resetting themselves).
    """
    own_org = reg_user_headers['CVE-API-ORG']
    own_user = reg_user_headers['CVE-API-USER']
    reset_url = (
        f'{env.AWG_BASE_URL}{ORG_URL}/{own_org}/user/{own_user}/reset_secret'
    )

    rotated = requests.put(reset_url, headers=reg_user_headers)
    # Only the presence of the 'API-secret' marker is checked; the value
    # itself is never asserted on or echoed.
    # NOTE(review): presumably the old secret in reg_user_headers stops
    # working after this call - confirm how the fixture is scoped.
    ok_response_contains(rotated, 'API-secret')
def test_post_cve_id_reservation(batch_type, amount, reg_user_headers):
    """Reserving ``amount`` IDs returns exactly that many IDs for this year.

    IDs are reserved for the org named in the caller's ``CVE-API-ORG``
    header, using the supplied ``batch_type``.
    """
    caller_org = reg_user_headers['CVE-API-ORG']
    res = get_reserve_cve_ids(
        amount, utils.CURRENT_YEAR, caller_org, batch_type)
    ok_response_contains(res, f'CVE-{utils.CURRENT_YEAR}-')

    raw_body = res.content.decode()
    reserved = json.loads(raw_body)['cve_ids']
    assert reserved
    assert len(reserved) == amount

    # cna and user must exist
    # NOTE(review): these are substring checks on the raw body, so they pass
    # if the text appears anywhere, not only as ownership fields.
    for marker in ('cna', 'user'):
        assert marker in raw_body
Ejemplo n.º 6
def test_put_cve_id_id_no_params():
    """A PUT on a CVE ID with no query parameters still reports success."""
    id_url = f'{env.AWG_BASE_URL}{CVE_ID_URL}/{cve_id}'
    res = requests.put(id_url, headers=utils.BASE_HEADERS)

    # NOTE: open question from the original author - should the API claim a
    # successful update when no params were sent and nothing changed? This
    # assertion pins the current behaviour rather than endorsing it.
    expected_message = f'{cve_id} was successfully updated.'
    ok_response_contains(res, expected_message)
Ejemplo n.º 7
def test_post_cve_id_reserve_priority(org_admin_headers):
    """An org admin reserving one ID gets a single ID numbered below 20000.

    No ``batch_type`` is sent; the request carries only amount, year and the
    admin's own org short name.
    """
    reserve_params = {
        'amount': '1',
        'cve_year': f'{utils.CURRENT_YEAR}',
        'short_name': org_admin_headers['CVE-API-ORG'],
    }
    res = requests.post(f'{env.AWG_BASE_URL}{CVE_ID_URL}',
                        headers=org_admin_headers,
                        params=reserve_params)
    ok_response_contains(res, f'CVE-{utils.CURRENT_YEAR}-')

    reserved = json.loads(res.content.decode())['cve_ids']
    assert reserved
    assert len(reserved) == 1

    # The numeric suffix after the last dash is the sequence number.
    priority_id = reserved[0]['cve_id']
    sequence_number = int(priority_id.rsplit('-', 1)[-1])
    assert sequence_number < 20000
Ejemplo n.º 8
def test_put_cve_id_id():
    """A CVE ID's state can be set to REJECT and then to PUBLIC."""
    id_url = f'{env.AWG_BASE_URL}{CVE_ID_URL}/{cve_id}'
    success_message = f'{cve_id} was successfully updated.'

    # Order matters: REJECT first, then PUBLIC, as two separate requests.
    for new_state in ('REJECT', 'PUBLIC'):
        res = requests.put(
            id_url,
            headers=utils.BASE_HEADERS,
            params={'state': new_state},
        )
        ok_response_contains(res, success_message)
Ejemplo n.º 9
def test_get_mitre_id_quota():
    """The mitre org's quota figures are non-negative and add up.

    Checks that ``id_quota``, ``available`` and ``total_reserved`` are all
    >= 0, that the quota does not exceed 100000, and that the quota equals
    available plus reserved.
    """
    res = get_org_id_data('mitre')
    ok_response_contains(res, 'id_quota')

    quota_data = json.loads(res.content.decode())
    id_quota = quota_data['id_quota']
    still_available = quota_data['available']
    already_reserved = quota_data['total_reserved']

    for figure in (id_quota, still_available, already_reserved):
        assert figure >= 0

    assert id_quota <= 100000
    # Accounting invariant: every unit of quota is either free or reserved.
    assert id_quota == still_available + already_reserved
Ejemplo n.º 10
def test_put_cve_id_id_state_reserved():
    """Once an ID has left RESERVED it cannot be moved back.

    The ID is first set to REJECT (expected to succeed), then a request to
    set it to RESERVED must be refused with HTTP 400.
    """
    id_url = f'{env.AWG_BASE_URL}{CVE_ID_URL}/{cve_id}'

    rejected = requests.put(id_url,
                            headers=utils.BASE_HEADERS,
                            params={'state': 'REJECT'})
    ok_response_contains(rejected, f'{cve_id} was successfully updated.')

    # The state transition back to RESERVED is the one that must be denied.
    back_to_reserved = requests.put(id_url,
                                    headers=utils.BASE_HEADERS,
                                    params={'state': 'RESERVED'})
    assert back_to_reserved.status_code == 400
    response_contains_json(back_to_reserved, 'message',
                           'Cannot change the state to RESERVED.')
Ejemplo n.º 11
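def test_get_cve_id_by_time_modified(org_admin_headers):
    """IDs reserved inside a time window are returned by a time_modified query.

    ``n_ids`` IDs are reserved between two timestamps taken one second apart
    from the reservation, then the ID listing is filtered with
    ``time_modified.gt`` / ``time_modified.lt``. Because other clients may
    reserve IDs in the same window on a shared integration environment, the
    test checks that *at least* ``n_ids`` come back rather than exactly
    ``n_ids``.
    """
    n_ids = 10
    timestamp_format = '%Y-%m-%dT%H:%M:%S'

    # The one-second sleeps keep the reservation strictly inside the window,
    # since the timestamps only have second resolution.
    # NOTE(review): datetime.now() is naive local time; this assumes the test
    # runner and the service agree on clock and timezone - TODO confirm.
    time.sleep(1)
    t_before = dt.datetime.now().strftime(timestamp_format)
    time.sleep(1)
    res_ids = get_reserve_cve_ids(n_ids, utils.CURRENT_YEAR,
                                  org_admin_headers['CVE-API-ORG'])
    # Fail here, with a clear cause, if the reservation itself did not work,
    # instead of later with a confusing count mismatch.
    ok_response_contains(res_ids, f'CVE-{utils.CURRENT_YEAR}-')
    time.sleep(1)
    t_after = dt.datetime.now().strftime(timestamp_format)

    res_get_ids = requests.get(f'{env.AWG_BASE_URL}{CVE_ID_URL}',
                               headers=utils.BASE_HEADERS,
                               params={
                                   'time_modified.lt': t_after,
                                   'time_modified.gt': t_before
                               })
    ok_response_contains(res_get_ids, f'CVE-{utils.CURRENT_YEAR}-')
    listed = json.loads(res_get_ids.content.decode())['cve_ids']
    assert len(listed) >= n_ids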
Ejemplo n.º 12
def test_reg_user_can_get_org_id_quota(reg_user_headers):
    """A regular user can read the ID quota of the org in their own headers."""
    own_org = reg_user_headers['CVE-API-ORG']
    quota_url = f'{env.AWG_BASE_URL}{ORG_URL}/{own_org}/id_quota'
    res = requests.get(quota_url, headers=reg_user_headers)

    # All three quota figures must be present in the response.
    for field in ('id_quota', 'total_reserved', 'available'):
        ok_response_contains(res, field)
Ejemplo n.º 13
def test_get_all_orgs():
    """Listing all organizations returns at least one org.

    The response must also contain an org whose active roles are exactly
    SECRETARIAT and CNA, matched as a literal JSON fragment.
    """
    # NOTE(review): BASE_HEADERS are presumably secretariat credentials, per
    # the original description of this test - confirm in utils.
    orgs_url = f'{env.AWG_BASE_URL}{ORG_URL}'
    res = requests.get(orgs_url, headers=utils.BASE_HEADERS)

    ok_response_contains(res, '"active_roles":["SECRETARIAT","CNA"]')
    organizations = json.loads(res.content.decode())['organizations']
    assert len(organizations) >= 1
Ejemplo n.º 14
def test_post_new_org():
    """Creating an org with a unique name and a random quota succeeds.

    A fresh UUID is used for both arguments that ``post_new_org`` takes
    before the quota, so the org cannot collide with an existing one.
    """
    unique_name = str(uuid.uuid4())
    # Test data only, so the non-cryptographic ``random`` module is fine here.
    id_quota = random.randint(0, 100000)

    created = post_new_org(unique_name, unique_name, id_quota)
    ok_response_contains(
        created, f'{unique_name} organization was successfully created')