def test_reg_user_cannot_view_users_org_dne(reg_user_headers):
""" regular users cannot view users of an organization that doesn't exist """
org = str(uuid.uuid4())
res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/users',
headers=reg_user_headers)
assert res.status_code == 404
response_contains_json(res, 'error', 'ORG_DNE_PARAM')
def test_reg_user_cannot_view_user_from_another_org(reg_user_headers):
""" regular users cannot view users from another organization """
org, user = create_new_user_with_new_org_by_uuid()
res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}',
headers=reg_user_headers)
assert res.status_code == 403
response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_reg_user_cannot_view_another_org(reg_user_headers):
""" regular users cannot view an organization they don't belong to """
org = str(uuid.uuid4())
res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}',
headers=reg_user_headers)
assert res.status_code == 403
response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_org_admin_get_another_org_user_info(org_admin_headers):
""" services api prevents org admin users from viewing another org user's info """
org, user = create_new_user_with_new_org_by_uuid()
res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}',
headers=org_admin_headers)
assert res.status_code == 403
response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_org_admin_cannot_update_user_for_another_org(org_admin_headers):
""" services api prevents org admins from updating a user from a diff org """
org, user = create_new_user_with_new_org_by_uuid()
res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}',
headers=org_admin_headers)
assert res.status_code == 403
response_contains_json(res, 'error', 'NOT_SAME_USER_OR_SECRETARIAT')
def test_org_admin_update_own_user_roles_name(org_admin_headers):
""" allows admin users to update its own name and remove role """
org = org_admin_headers['CVE-API-ORG']
user = org_admin_headers['CVE-API-USER']
res = requests.put(
f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?active_roles.remove=admin', # removing role
headers=org_admin_headers)
assert res.status_code == 200
assert json.loads(
res.content.decode())['updated']['authority']['active_roles'] == []
res = requests.put(
f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?active_roles.add=admin', # adding role
headers=org_admin_headers)
assert res.status_code == 403
response_contains_json(
res, 'error', 'NOT_ORG_ADMIN_OR_SECRETARIAT'
) # cannot add role because org admin doesn't have "ADMIN" role anymore
res = requests.put(
f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?active_roles.add=admin', # adding "ADMIN" role back to org admin user
headers=utils.BASE_HEADERS)
assert res.status_code == 200
assert json.loads(
res.content.decode())['updated']['authority']['active_roles'] == [
"ADMIN"
]
res = requests.put(
f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?name.first=t&name.last=e&name.middle=s&name.suffix=t&name.surname=s', # updating name
headers=org_admin_headers)
assert res.status_code == 200
assert json.loads(res.content.decode())['updated']['name']['first'] == 't'
assert json.loads(res.content.decode())['updated']['name']['last'] == 'e'
assert json.loads(res.content.decode())['updated']['name']['middle'] == 's'
assert json.loads(res.content.decode())['updated']['name']['suffix'] == 't'
assert json.loads(
res.content.decode())['updated']['name']['surname'] == 's'
def test_org_admin_get_secretariat_id_quota_info(org_admin_headers):
""" services api rejects requests for secretariat by non-secretariat users """
res = requests.get(
f'{env.AWG_BASE_URL}{ORG_URL}/mitre/id_quota', # the secretariat's org
headers=org_admin_headers)
assert res.status_code == 403
response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_reg_user_cannot_update_org(reg_user_headers):
""" regular user cannot update an organization """
org = str(uuid.uuid4())
res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}',
headers=reg_user_headers)
assert res.status_code == 403
response_contains_json(res, 'error', 'SECRETARIAT_ONLY')
def test_org_admin_cannot_update_org(org_admin_headers):
""" services api does not allow org admins to update their own orgs """
res = requests.post(f'{env.AWG_BASE_URL}{ORG_URL}',
headers=org_admin_headers,
params={'name': str(uuid.uuid4())})
assert res.status_code == 403
response_contains_json(res, 'error', 'SECRETARIAT_ONLY')
def test_org_admin_get_mitre_user_info(org_admin_headers):
""" services api prevents org users from viewing secretariat user info """
res = requests.get(
f'{env.AWG_BASE_URL}{ORG_URL}/mitre/user/{env.AWG_USER_NAME}',
headers=org_admin_headers)
assert res.status_code == 403
response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_put_cve_id_id_state(org_admin_headers):
""" org admin cannot update id's state """
res = requests.put(f'{env.AWG_BASE_URL}{CVE_ID_URL}/{cve_id}',
headers=org_admin_headers,
params={'state': 'PUBLIC'})
assert res.status_code == 403
response_contains_json(res, 'error', 'SECRETARIAT_ONLY')
def test_post_cve_id_bad_amount(reg_user_headers):
""" api rejects non-numeric amount when requesting IDs """
res = get_reserve_cve_ids('a', utils.CURRENT_YEAR, reg_user_headers['CVE-API-USER'])
assert res.status_code == 400
assert res.reason == 'Bad Request'
response_contains_json(res, 'error', 'BAD_INPUT')
assert_contains(res, 'amount')
def test_put_update_user_org_short_name():
""" services api allows users org to be updated by secretariat """
org, user = create_new_user_with_new_org_by_uuid()
new_org = str(uuid.uuid4())
new_org_res = post_new_org(new_org, new_org)
assert new_org_res.status_code == 200
res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}',
headers=utils.BASE_HEADERS,
params={'org_shortname': new_org})
assert res.status_code == 200
response_contains_json(res, 'message', f'{user} was successfully updated.')
# user doesn't exist at this endpoint because its under a new org
res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}',
headers=utils.BASE_HEADERS,
params={'org_shortname': new_org})
assert res.status_code == 404
response_contains(res,
'designated by the username parameter does not exist.')
response_contains_json(res, 'error', 'USER_DNE')
# but we can get the new user
res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{new_org}/user/{user}',
headers=utils.BASE_HEADERS)
ok_response_contains(res, user)
def test_post_cve_id_reserve_nonsequential_over_limit(org_admin_headers):
""" the services api enforces a max non-sequential limit of 10 """
res = get_reserve_cve_ids(11, utils.CURRENT_YEAR,
org_admin_headers['CVE-API-ORG'],
'nonsequential')
assert res.status_code == 403
response_contains_json(res, 'error', 'OVER_NONSEQUENTIAL_MAX_AMOUNT')
def test_org_admin_reset_secret_org_dne(org_admin_headers):
org = org_admin_headers['CVE-API-ORG']
user = str(uuid.uuid4())
res = requests.put(
f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}/reset_secret',
headers=org_admin_headers)
assert res.status_code == 404
response_contains_json(res, 'error', 'USER_DNE')
def test_org_admin_cannot_update_user_dne(org_admin_headers):
""" services api prevents org admins from updating a user that doesn't exist """
user = str(uuid.uuid4())
org = org_admin_headers['CVE-API-ORG']
res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}',
headers=org_admin_headers)
assert res.status_code == 404
response_contains_json(res, 'error', 'USER_DNE')
def test_org_admin_reset_diff_org_secret(org_admin_headers):
""" services api prevents admin users to reset the secret of users of different org"""
org, user = create_new_user_with_new_org_by_uuid()
res = requests.put(
f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}/reset_secret',
headers=org_admin_headers)
assert res.status_code == 403
response_contains_json(res, 'error', 'NOT_SAME_USER_OR_SECRETARIAT')
def test_reg_user_cannot_view_user_dne(reg_user_headers):
""" regular user cannot view user that doesn't exist """
org = reg_user_headers['CVE-API-ORG']
user = str(uuid.uuid4())
res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}',
headers=reg_user_headers)
assert res.status_code == 404
response_contains_json(res, 'error', 'USER_DNE')
def test_post_cve_id_range_already_exists(choose_year):
""" ranges for 1999 to the current year must exist """
res = requests.post(f'{env.AWG_BASE_URL}{CVE_ID_RANGE_URL}/{choose_year}',
headers=utils.BASE_HEADERS)
assert res.status_code == 400
response_contains(res, (f'document for year {choose_year} was not created '
'because it already exists.'))
response_contains_json(res, 'error', 'YEAR_RANGE_EXISTS')
def test_update_mitre_id_quota():
""" a secretariat user can update its own ID quota """
# NOTE: this test makes sure MITRE can reserve IDs for reservation tests
res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/mitre?id_quota=100000',
headers=utils.BASE_HEADERS)
assert res.status_code == 200
response_contains_json(res, 'message',
'mitre organization was successfully updated.')
def test_regular_user_cannot_update_user_org_dne(reg_user_headers):
""" regular user cannot update a user from an org that doesn't exist """
org = str(uuid.uuid4())
user = reg_user_headers['CVE-API-USER']
res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}',
headers=reg_user_headers)
assert res.status_code == 404
response_contains_json(res, 'error', 'ORG_DNE_PARAM')
def test_put_update_org_that_does_not_exist():
""" cve services api will not update orgs that don't exist """
uid = str(uuid.uuid4())
res = requests.put(f'{env.AWG_BASE_URL}{ORG_URL}/{uid}?id_quota=100',
headers=utils.BASE_HEADERS)
assert res.status_code == 404
response_contains_json(res, 'error', 'ORG_DNE_PARAM')
assert_contains(res, 'by the shortname parameter does not exist')
def test_post_new_org_user_duplicate():
""" cve services new org user endpoint fails for a duplicate user """
res = requests.post(f'{env.AWG_BASE_URL}{ORG_URL}/mitre/user',
headers=utils.BASE_HEADERS,
json={'username': env.AWG_USER_NAME})
assert res.status_code == 400
response_contains_json(
res, 'message', f"The user \'{env.AWG_USER_NAME}\' already exists.")
def test_get_cve_id_page_limit(org_admin_headers):
""" page must be greater than or equal to 1' """
res = requests.get(f'{env.AWG_BASE_URL}{CVE_ID_URL}',
headers=org_admin_headers,
params={
'page': '-1',
})
assert res.status_code == 400
response_contains_json(res, 'error', 'BAD_INPUT')
def test_post_new_org_user_empty_params():
""" an empty new org user parameters is invalid for username """
res = requests.post(f'{env.AWG_BASE_URL}{ORG_URL}/mitre/user',
headers=utils.BASE_HEADERS,
json={'username': ''})
assert res.status_code == 400
assert 'username' in res.content.decode()
assert len(json.loads(res.content.decode())['details']) == 1
response_contains_json(res, 'message', 'Parameters were invalid')
def test_get_cve_id_state_in_choices(org_admin_headers):
""" state parameter can only be 'REJECT', 'PUBLIC' or 'RESERVED' """
res = requests.get(f'{env.AWG_BASE_URL}{CVE_ID_URL}',
headers=org_admin_headers,
params={
'state': 'TEST',
})
assert res.status_code == 400
response_contains_json(res, 'error', 'BAD_INPUT')
def test_get_cve_id_year_format_with_letters(org_admin_headers):
""" cve_id_year format cannot have letters """
res = requests.get(f'{env.AWG_BASE_URL}{CVE_ID_URL}',
headers=org_admin_headers,
params={
'cve_id_year': 'test',
})
assert res.status_code == 400
response_contains_json(res, 'error', 'BAD_INPUT')
def test_get_cve_id_year_format_with_digits(org_admin_headers):
""" cve_id_year format must be 4 digits only """
res = requests.get(f'{env.AWG_BASE_URL}{CVE_ID_URL}',
headers=org_admin_headers,
params={
'cve_id_year': '20111',
})
assert res.status_code == 400
response_contains_json(res, 'error', 'BAD_INPUT')
def test_org_admin_get_another_org_id_quota_info(org_admin_headers):
""" services api rejects requests for any org by another org user """
different_org = str(uuid.uuid4()) # name of an org
res = post_new_org(different_org, different_org) # create an org
assert res.status_code == 200
res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{different_org}/id_quota',
headers=org_admin_headers)
assert res.status_code == 403
response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
def test_org_admin_get_another_org_users_info(org_admin_headers):
""" services api prevents org admin users from viewing all other org's user info """
org = str(uuid.uuid4())
res = post_new_org(org, org)
assert res.status_code == 200
res = requests.get(f'{env.AWG_BASE_URL}{ORG_URL}/{org}/users',
headers=org_admin_headers)
assert res.status_code == 403
response_contains_json(res, 'error', 'NOT_SAME_ORG_OR_SECRETARIAT')
