Ejemplo n.º 1
0
def create_app(config_name):
    config_obj = config[config_name]
    app = create_woodbox(config_obj)

    from .api_v1 import blueprint as api_v1_blueprint
    app.register_blueprint(api_v1_blueprint, url_prefix='/api/v1')

    add_session_management_urls(app)

    return app
Ejemplo n.º 2
0
    def setUp(self):
        super(SessionTestCase, self).setUp()

        add_session_management_urls(self.app)

        with self.app.test_request_context('/'):
            db.initialize()

            # Create a user
            self.u1 = WBUserModel(username='******', password='******', roles=[])
            db.session.add(self.u1)
            db.session.commit()

            self.u1 = self.u1.id
Ejemplo n.º 3
0
    def setUp(self):
        super(SessionTestCase, self).setUp()

        add_session_management_urls(self.app)

        with self.app.test_request_context('/'):
            db.initialize()

            # Create a user
            self.u1 = WBUserModel(username='******', password='******', roles=[])
            db.session.add(self.u1)
            db.session.commit()

            self.u1 = self.u1.id
Ejemplo n.º 4
0
    def setUp(self):
        super(AuthenticatorTestCase, self).setUp()

        add_session_management_urls(self.app)
        self.app.add_url_rule('/test', 'test', needs_authenticated_user_function, methods=['GET'])

        with self.app.test_request_context('/'):
            db.initialize()

            # Create a user
            self.u1 = WBUserModel(username='******', password='******', roles=[])
            db.session.add(self.u1)
            db.session.commit()

            self.u1 = self.u1.id
Ejemplo n.º 5
0
    def setUp(self):
        super(AuthenticatorTestCase, self).setUp()

        add_session_management_urls(self.app)
        self.app.add_url_rule('/test',
                              'test',
                              needs_authenticated_user_function,
                              methods=['GET'])

        with self.app.test_request_context('/'):
            db.initialize()

            # Create a user
            self.u1 = WBUserModel(username='******', password='******', roles=[])
            db.session.add(self.u1)
            db.session.commit()

            self.u1 = self.u1.id
Ejemplo n.º 6
0
    def test_record_api_with_acl_user_2(self):
        add_session_management_urls(self.app)

        make_api(
            self.api,
            "Test",
            MyTestModel,
            MyTestSchema,
            record_authorizer=IsOwner(),
            api_authorizers=[my_test_acl.authorize],
        )

        with self.app.test_client() as c:
            response = c.post("/authenticate", data={"username": "******", "password": "******"})
            response = json.loads(response.data)
            session_id = response["session_id"]
            secret = response["session_secret"]

            # get all Bob's records
            headers = HMACAuthenticator.get_authorization_headers(session_id, secret, "/my-tests")
            response = c.get("/my-tests", headers=headers)
            self.assertEqual(response.status_code, 200)
            self.assertEqual(
                response.data,
                '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}]}\n',
            )

            # get one allowed record
            headers = HMACAuthenticator.get_authorization_headers(session_id, secret, "/my-tests/{}".format(self.d2))
            response = c.get("/my-tests/{}".format(self.d2), headers=headers)
            self.assertEqual(response.status_code, 200)
            self.assertEqual(
                response.data,
                '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}}\n',
            )

            # patch records
            patch_data = json.dumps({"data": {"attributes": {"title": "SpongeBob SquarePants"}, "type": "my-tests"}})
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                "/my-tests/{}".format(self.d2),
                method="PATCH",
                content_type="application/vnd.api+json",
                body=patch_data,
            )
            headers["Content-Type"] = "application/vnd.api+json"
            response = c.patch("/my-tests/{}".format(self.d2), data=patch_data, headers=headers)
            self.assertEqual(response.status_code, 405)

            # delete own file
            headers = HMACAuthenticator.get_authorization_headers(
                session_id, secret, "/my-tests/{}".format(self.d2), method="DELETE"
            )
            response = c.delete("/my-tests/{}".format(self.d2), headers=headers)
            self.assertEqual(response.status_code, 405)

            # post
            post_data = json.dumps(
                {
                    "data": {
                        "attributes": {"title": "Dennis the Menace", "author": "Hank Ketcham", "owner_id": "2"},
                        "type": "my-tests",
                    }
                }
            )
            headers = HMACAuthenticator.get_authorization_headers(
                session_id, secret, "/my-tests", method="POST", content_type="application/vnd.api+json", body=post_data
            )
            headers["Content-Type"] = "application/vnd.api+json"
            response = c.post("/my-tests", data=post_data, headers=headers)
            self.assertEqual(response.status_code, 405)
Ejemplo n.º 7
0
    def test_record_api_with_acl_user_1(self):
        add_session_management_urls(self.app)

        make_api(
            self.api,
            "Test",
            MyTestModel,
            MyTestSchema,
            record_authorizer=IsOwner(),
            api_authorizers=[my_test_acl.authorize],
        )

        with self.app.test_client() as c:
            response = c.post("/authenticate", data={"username": "******", "password": "******"})
            response = json.loads(response.data)
            session_id = response["session_id"]
            secret = response["session_secret"]

            # get all Alice's records
            headers = HMACAuthenticator.get_authorization_headers(session_id, secret, "/my-tests")
            response = c.get("/my-tests", headers=headers)
            self.assertEqual(response.status_code, 200)
            self.assertEqual(
                response.data,
                '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}]}\n',
            )

            # get one allowed record
            headers = HMACAuthenticator.get_authorization_headers(session_id, secret, "/my-tests/{}".format(self.d1))
            response = c.get("/my-tests/{}".format(self.d1), headers=headers)
            self.assertEqual(response.status_code, 200)
            self.assertEqual(
                response.data,
                '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}}\n',
            )

            # get a forbidden record
            headers = HMACAuthenticator.get_authorization_headers(session_id, secret, "/my-tests/{}".format(self.d2))
            response = c.get("/my-tests/{}".format(self.d2), headers=headers)
            self.assertEqual(response.status_code, 403)

            # patch Alice's records
            patch_data = json.dumps(
                {"data": {"attributes": {"title": "Alice's Adventures in Wonderland"}, "type": "my-tests"}}
            )
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                "/my-tests/{}".format(self.d1),
                method="PATCH",
                content_type="application/vnd.api+json",
                body=patch_data,
            )
            headers["Content-Type"] = "application/vnd.api+json"
            response = c.patch("/my-tests/{}".format(self.d1), data=patch_data, headers=headers)
            self.assertEqual(response.status_code, 204)
            self.assertEqual(response.headers["Content-Location"], "/my-tests/{}".format(self.d1))

            # patch someone else's record: this is forbidden (because not owner)
            patch_data = json.dumps({"data": {"attributes": {"title": "SpongeBob SquarePants"}, "type": "my-tests"}})
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                "/my-tests/{}".format(self.d2),
                method="PATCH",
                content_type="application/vnd.api+json",
                body=patch_data,
            )
            headers["Content-Type"] = "application/vnd.api+json"
            response = c.patch("/my-tests/{}".format(self.d2), data=patch_data, headers=headers)
            self.assertEqual(response.status_code, 403, response.data)

            # delete own file
            headers = HMACAuthenticator.get_authorization_headers(
                session_id, secret, "/my-tests/{}".format(self.d1), method="DELETE"
            )
            response = c.delete("/my-tests/{}".format(self.d1), headers=headers)
            self.assertEqual(response.status_code, 204)
            self.assertEqual(response.data, "")

            # delete someone else file
            headers = HMACAuthenticator.get_authorization_headers(
                session_id, secret, "/my-tests/{}".format(self.d2), method="DELETE"
            )
            response = c.delete("/my-tests/{}".format(self.d2), headers=headers)
            self.assertEqual(response.status_code, 403)

            # post
            post_data = json.dumps(
                {
                    "data": {
                        "attributes": {"title": "Dennis the Menace", "author": "Hank Ketcham", "owner_id": "2"},
                        "type": "my-tests",
                    }
                }
            )
            headers = HMACAuthenticator.get_authorization_headers(
                session_id, secret, "/my-tests", method="POST", content_type="application/vnd.api+json", body=post_data
            )
            headers["Content-Type"] = "application/vnd.api+json"
            response = c.post("/my-tests", data=post_data, headers=headers)
            self.assertEqual(response.status_code, 200)
            self.assertEqual(response.headers["Content-Location"], "/my-tests/4")
Ejemplo n.º 8
0
    def test_record_api_with_acl_user_2(self):
        add_session_management_urls(self.app)

        make_api(self.api,
                 'Test',
                 MyTestModel,
                 MyTestSchema,
                 record_authorizer=IsOwner(),
                 api_authorizers=[my_test_acl.authorize])

        with self.app.test_client() as c:
            response = c.post('/authenticate',
                              data={
                                  'username': '******',
                                  'password': '******'
                              })
            response = json.loads(response.data)
            session_id = response['session_id']
            secret = response['session_secret']

            # get all Bob's records
            headers = HMACAuthenticator.get_authorization_headers(
                session_id, secret, '/my-tests')
            response = c.get('/my-tests', headers=headers)
            self.assertEqual(response.status_code, 200)
            self.assertEqual(
                response.data,
                '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}]}\n'
            )

            # get one allowed record
            headers = HMACAuthenticator.get_authorization_headers(
                session_id, secret, '/my-tests/{}'.format(self.d2))
            response = c.get('/my-tests/{}'.format(self.d2), headers=headers)
            self.assertEqual(response.status_code, 200)
            self.assertEqual(
                response.data,
                '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}}\n'
            )

            # patch records
            patch_data = json.dumps({
                "data": {
                    "attributes": {
                        "title": "SpongeBob SquarePants"
                    },
                    "type": "my-tests"
                }
            })
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                '/my-tests/{}'.format(self.d2),
                method='PATCH',
                content_type='application/vnd.api+json',
                body=patch_data)
            headers['Content-Type'] = 'application/vnd.api+json'
            response = c.patch('/my-tests/{}'.format(self.d2),
                               data=patch_data,
                               headers=headers)
            self.assertEqual(response.status_code, 405)

            # delete own file
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                '/my-tests/{}'.format(self.d2),
                method='DELETE')
            response = c.delete('/my-tests/{}'.format(self.d2),
                                headers=headers)
            self.assertEqual(response.status_code, 405)

            # post
            post_data = json.dumps({
                "data": {
                    "attributes": {
                        "title": "Dennis the Menace",
                        "author": "Hank Ketcham",
                        "owner_id": "2",
                    },
                    "type": "my-tests"
                }
            })
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                '/my-tests',
                method='POST',
                content_type='application/vnd.api+json',
                body=post_data)
            headers['Content-Type'] = 'application/vnd.api+json'
            response = c.post('/my-tests', data=post_data, headers=headers)
            self.assertEqual(response.status_code, 405)
Ejemplo n.º 9
0
    def test_record_api_with_acl_user_1(self):
        add_session_management_urls(self.app)

        make_api(self.api,
                 'Test',
                 MyTestModel,
                 MyTestSchema,
                 record_authorizer=IsOwner(),
                 api_authorizers=[my_test_acl.authorize])

        with self.app.test_client() as c:
            response = c.post('/authenticate',
                              data={
                                  'username': '******',
                                  'password': '******'
                              })
            response = json.loads(response.data)
            session_id = response['session_id']
            secret = response['session_secret']

            # get all Alice's records
            headers = HMACAuthenticator.get_authorization_headers(
                session_id, secret, '/my-tests')
            response = c.get('/my-tests', headers=headers)
            self.assertEqual(response.status_code, 200)
            self.assertEqual(
                response.data,
                '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}]}\n'
            )

            # get one allowed record
            headers = HMACAuthenticator.get_authorization_headers(
                session_id, secret, '/my-tests/{}'.format(self.d1))
            response = c.get('/my-tests/{}'.format(self.d1), headers=headers)
            self.assertEqual(response.status_code, 200)
            self.assertEqual(
                response.data,
                '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}}\n'
            )

            # get a forbidden record
            headers = HMACAuthenticator.get_authorization_headers(
                session_id, secret, '/my-tests/{}'.format(self.d2))
            response = c.get('/my-tests/{}'.format(self.d2), headers=headers)
            self.assertEqual(response.status_code, 403)

            # patch Alice's records
            patch_data = json.dumps({
                "data": {
                    "attributes": {
                        "title": "Alice's Adventures in Wonderland"
                    },
                    "type": "my-tests"
                }
            })
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                '/my-tests/{}'.format(self.d1),
                method='PATCH',
                content_type='application/vnd.api+json',
                body=patch_data)
            headers['Content-Type'] = 'application/vnd.api+json'
            response = c.patch('/my-tests/{}'.format(self.d1),
                               data=patch_data,
                               headers=headers)
            self.assertEqual(response.status_code, 204)
            self.assertEqual(response.headers['Content-Location'],
                             '/my-tests/{}'.format(self.d1))

            # patch someone else's record: this is forbidden (because not owner)
            patch_data = json.dumps({
                "data": {
                    "attributes": {
                        "title": "SpongeBob SquarePants"
                    },
                    "type": "my-tests"
                }
            })
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                '/my-tests/{}'.format(self.d2),
                method='PATCH',
                content_type='application/vnd.api+json',
                body=patch_data)
            headers['Content-Type'] = 'application/vnd.api+json'
            response = c.patch('/my-tests/{}'.format(self.d2),
                               data=patch_data,
                               headers=headers)
            self.assertEqual(response.status_code, 403, response.data)

            # delete own file
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                '/my-tests/{}'.format(self.d1),
                method='DELETE')
            response = c.delete('/my-tests/{}'.format(self.d1),
                                headers=headers)
            self.assertEqual(response.status_code, 204)
            self.assertEqual(response.data, '')

            # delete someone else file
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                '/my-tests/{}'.format(self.d2),
                method='DELETE')
            response = c.delete('/my-tests/{}'.format(self.d2),
                                headers=headers)
            self.assertEqual(response.status_code, 403)

            # post
            post_data = json.dumps({
                "data": {
                    "attributes": {
                        "title": "Dennis the Menace",
                        "author": "Hank Ketcham",
                        "owner_id": "2",
                    },
                    "type": "my-tests"
                }
            })
            headers = HMACAuthenticator.get_authorization_headers(
                session_id,
                secret,
                '/my-tests',
                method='POST',
                content_type='application/vnd.api+json',
                body=post_data)
            headers['Content-Type'] = 'application/vnd.api+json'
            response = c.post('/my-tests', data=post_data, headers=headers)
            self.assertEqual(response.status_code, 200)
            self.assertEqual(response.headers['Content-Location'],
                             '/my-tests/4')