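def test_oidc_revoke_bearer_tokens(client, keycloak_mock):
    """
    User with correct credentials should be allowed to revoke tokens.

    Three offline tokens are generated, then revoked in two POSTs (one id,
    then the two remaining ids); after each revocation the number of
    OIDCUserOfflineTokens rows left is checked.
    """
    nb_tokens = 3

    for _ in range(nb_tokens):
        _generate_and_test_bearer_token(client, keycloak_mock)

    url = reverse("oidc-revoke-bearer-tokens")

    # NOTE: the token ids are hard-coded, which assumes primary keys are
    # allocated from 1 in the test database (same assumption as before).
    check_http_post_response(
        client,
        url,
        status_code=200,
        data={"token_ids": [1]},
    )
    # count() issues a COUNT query instead of loading every row via len(all())
    assert OIDCUserOfflineTokens.objects.count() == nb_tokens - 1

    check_http_post_response(
        client,
        url,
        status_code=200,
        data={"token_ids": [2, 3]},
    )
    assert OIDCUserOfflineTokens.objects.count() == 0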
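def test_reject_pending_save_request(client, mocker):
    """
    A pending save request can be rejected by a logged-in user.

    An anonymous POST to the reject endpoint must be redirected to the login
    page (check_not_login); after login the same POST returns 200 and the
    save request is subsequently reported as rejected.
    """
    mock_scheduler = mocker.patch("swh.web.common.origin_save.scheduler")
    visit_type = "git"
    origin_url = "https://wikipedia.com"
    url_args = {"visit_type": visit_type, "origin_url": origin_url}

    save_request_url = reverse("api-1-save-origin", url_args=url_args)
    response = check_http_post_response(
        client, save_request_url, status_code=200
    )
    assert response.data["save_request_status"] == SAVE_REQUEST_PENDING

    reject_request_url = reverse(
        "admin-origin-save-request-reject", url_args=url_args
    )

    # unauthenticated access to the admin endpoint must be refused
    check_not_login(client, reject_request_url)

    client.login(username=_user_name, password=_user_password)
    # only the status code of the reject call is checked; the previous
    # version bound its response to a variable that was never read
    check_http_post_response(client, reject_request_url, status_code=200)

    tasks_data = [{
        "priority": "high",
        "policy": "oneshot",
        "type": "load-git",
        "arguments": {
            "kwargs": {
                "repo_url": origin_url
            },
            "args": []
        },
        "status": "next_run_not_scheduled",
        "id": 1,
    }]

    mock_scheduler.create_tasks.return_value = tasks_data
    mock_scheduler.get_tasks.return_value = tasks_data

    response = check_http_get_response(
        client, save_request_url, status_code=200
    )
    assert response.data[0]["save_request_status"] == SAVE_REQUEST_REJECTED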
def test_remove_authorized_origin_url(client):
    """
    Removing an authorized origin url requires login and moves the origin
    from auto-accepted back to pending.
    """
    origin_url = _authorized_origin_url
    remove_url = reverse(
        "admin-origin-save-remove-authorized-url",
        url_args={"origin_url": origin_url},
    )

    # initially the origin is accepted without review
    assert can_save_origin(origin_url) == SAVE_REQUEST_ACCEPTED

    # an anonymous POST is redirected to the login page ...
    check_not_login(client, remove_url)
    # ... and leaves the authorization untouched
    assert can_save_origin(origin_url) == SAVE_REQUEST_ACCEPTED

    client.login(username=_user_name, password=_user_password)
    check_http_post_response(client, remove_url, status_code=200)
    assert can_save_origin(origin_url) == SAVE_REQUEST_PENDING
def test_add_authorized_origin_url(client):
    """
    Adding an authorized origin url requires login and makes the origin
    auto-accepted instead of pending.
    """
    origin_url = "https://scm.adullact.net/anonscm/"
    add_url = reverse(
        "admin-origin-save-add-authorized-url",
        url_args={"origin_url": origin_url},
    )

    # not yet authorized: a save request would be pending
    assert can_save_origin(origin_url) == SAVE_REQUEST_PENDING

    # an anonymous POST is redirected to the login page ...
    check_not_login(client, add_url)
    # ... and changes nothing
    assert can_save_origin(origin_url) == SAVE_REQUEST_PENDING

    client.login(username=_user_name, password=_user_password)
    check_http_post_response(client, add_url, status_code=200)
    assert can_save_origin(origin_url) == SAVE_REQUEST_ACCEPTED
def test_add_unauthorized_origin_url(client):
    """
    Adding an unauthorized origin url requires login and makes save requests
    for that origin rejected instead of pending.
    """
    origin_url = "https://www.yahoo./"
    add_url = reverse(
        "admin-origin-save-add-unauthorized-url",
        url_args={"origin_url": origin_url},
    )

    # not yet blocked: a save request would be pending
    assert can_save_origin(origin_url) == SAVE_REQUEST_PENDING

    # an anonymous POST is redirected to the login page ...
    check_not_login(client, add_url)
    # ... and changes nothing
    assert can_save_origin(origin_url) == SAVE_REQUEST_PENDING

    client.login(username=_user_name, password=_user_password)
    check_http_post_response(client, add_url, status_code=200)
    assert can_save_origin(origin_url) == SAVE_REQUEST_REJECTED
def test_remove_save_request(client):
    """
    Deleting a save request requires login; an anonymous POST is redirected
    to the login page and the row survives until a logged-in user removes it.
    """
    pending = SaveOriginRequest.objects.create(
        visit_type="git",
        origin_url="https://wikipedia.com",
        status=SAVE_REQUEST_PENDING,
    )
    assert SaveOriginRequest.objects.count() == 1

    remove_url = reverse(
        "admin-origin-save-request-remove",
        url_args={"sor_id": pending.id},
    )

    check_not_login(client, remove_url)

    client.login(username=_user_name, password=_user_password)
    check_http_post_response(client, remove_url, status_code=200)
    assert SaveOriginRequest.objects.count() == 0
def test_api_vault_cook_uppercase_hash(api_client, directory, revision):
    """
    Vault cook/fetch urls given an uppercase checksum redirect (302) to the
    canonical endpoint with the lowercase checksum.
    """
    cases = {"directory": directory, "revision_gitfast": revision}

    for obj_type, obj_id in cases.items():
        id_key = f"{obj_type[:3]}_id"
        upper_args = {id_key: obj_id.upper()}
        canonical_args = {id_key: obj_id}

        cook_url = reverse(
            f"api-1-vault-cook-{obj_type}-uppercase-checksum",
            url_args=upper_args,
        )
        resp = check_http_post_response(
            api_client,
            cook_url,
            data={"email": "*****@*****.**"},
            status_code=302,
        )
        assert resp["location"] == reverse(
            f"api-1-vault-cook-{obj_type}", url_args=canonical_args
        )

        fetch_url = reverse(
            f"api-1-vault-fetch-{obj_type}-uppercase-checksum",
            url_args=upper_args,
        )
        resp = check_http_get_response(api_client, fetch_url, status_code=302)
        assert resp["location"] == reverse(
            f"api-1-vault-fetch-{obj_type}", url_args=canonical_args
        )
def test_save_request_form_csrf_token(client, mocker):
    """
    A save request POST without a CSRF token is refused with 403; the same
    POST succeeds once the token obtained from the save form page is sent.
    """
    create_mock = mocker.patch(
        "swh.web.misc.origin_save.create_save_origin_request"
    )
    _mock_create_save_origin_request(create_mock)

    request_url = reverse(
        "origin-save-request",
        url_args={"visit_type": visit_type, "origin_url": origin["url"]},
    )

    # no CSRF token in the request -> forbidden
    check_http_post_response(client, request_url, status_code=403)

    # fetch the token from the form page and include it in the POST data
    csrf_data = _get_csrf_token(client, reverse("origin-save"))
    check_api_post_response(
        client, request_url, data=csrf_data, status_code=200
    )
def test_oidc_get_bearer_token(client, keycloak_mock):
    """
    User with correct credentials should be allowed to display a token.

    Each generated token is fetched back by id and compared byte-for-byte
    with the value returned at generation time.
    """
    nb_tokens = 3
    url = reverse("oidc-get-bearer-token")

    # NOTE: ids are assumed to be allocated sequentially from 1 in the test
    # database; the original test relied on the same assumption
    for token_id in range(1, nb_tokens + 1):
        expected = _generate_and_test_bearer_token(client, keycloak_mock)

        response = check_http_post_response(
            client,
            url,
            status_code=200,
            data={"token_id": token_id},
            content_type="text/plain",
        )
        assert response.content == expected
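def test_api_endpoints_have_cors_headers(client, content, directory, revision):
    """
    API responses carry CORS headers for cross-origin requests.

    Exercises a plain GET, a preflight OPTIONS request (the allowed methods
    and headers must include what was requested) and a POST, all sent with
    an https://example.org Origin. Only the presence of
    Access-Control-Allow-Origin is asserted, not its value.
    """
    origin = "https://example.org"

    url = reverse("api-1-stat-counters")
    resp = check_http_get_response(
        client, url, status_code=200, http_origin=origin
    )
    assert ACCESS_CONTROL_ALLOW_ORIGIN in resp

    swhids = [
        gen_swhid(CONTENT, content["sha1_git"]),
        gen_swhid(DIRECTORY, directory),
        gen_swhid(REVISION, revision),
    ]
    url = reverse("api-1-known")
    ac_request_method = "POST"
    ac_request_headers = "Content-Type"
    resp = client.options(
        url,
        HTTP_ORIGIN=origin,
        HTTP_ACCESS_CONTROL_REQUEST_METHOD=ac_request_method,
        HTTP_ACCESS_CONTROL_REQUEST_HEADERS=ac_request_headers,
    )

    assert resp.status_code == 200
    assert ACCESS_CONTROL_ALLOW_ORIGIN in resp
    assert ACCESS_CONTROL_ALLOW_METHODS in resp
    assert ac_request_method in resp[ACCESS_CONTROL_ALLOW_METHODS]
    assert ACCESS_CONTROL_ALLOW_HEADERS in resp
    # header names are case-insensitive; the allow list is compared lowercased
    assert ac_request_headers.lower() in resp[ACCESS_CONTROL_ALLOW_HEADERS]

    # single assignment (the previous version had a duplicated `resp = resp =`)
    resp = check_http_post_response(
        client, url, data=swhids, status_code=200, http_origin=origin
    )
    assert ACCESS_CONTROL_ALLOW_ORIGIN in resp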
def check_not_login(client, url):
    """
    Assert that an anonymous POST to ``url`` is redirected (302) to the login
    page, with the original url carried in the ``next`` query parameter.

    The redirect location is unquoted before being compared with the
    expected login url.
    """
    expected_login_url = reverse("login", query_params={"next": url})
    response = check_http_post_response(client, url, status_code=302)
    assert unquote(response.url) == expected_login_url
def test_oidc_revoke_bearer_tokens_anonymous_user(client):
    """
    Anonymous user should be refused access with forbidden response.
    """
    revoke_url = reverse("oidc-revoke-bearer-tokens")
    # not logged in -> 403 (a forbidden response, not a login redirect)
    check_http_post_response(client, revoke_url, status_code=403)