class TestPrivateLink(OsfTestCase): def setUp(self): super(TestPrivateLink, self).setUp() self.flaskapp = Flask('testing_private_links') @self.flaskapp.route('/project/<pid>/') @must_be_contributor def project_get(**kwargs): return 'success', 200 self.app = TestApp(self.flaskapp) self.user = AuthUserFactory() self.project = ProjectFactory(is_public=False) self.link = PrivateLinkFactory() self.link.nodes.append(self.project) self.link.save() @mock.patch('website.project.decorators.Auth.from_kwargs') def test_has_private_link_key(self, mock_from_kwargs): mock_from_kwargs.return_value = Auth(user=None) res = self.app.get('/project/{0}'.format(self.project._primary_key), {'view_only': self.link.key}) res = res.follow() assert_equal(res.status_code, 200) assert_equal(res.body, 'success') @mock.patch('website.project.decorators.Auth.from_kwargs') def test_does_not_have_key(self, mock_from_kwargs): mock_from_kwargs.return_value = Auth(user=None) res = self.app.get('/project/{0}'.format(self.project._primary_key), {'key': None}) assert_is_redirect(res)
class TestMenbibAuthViews(OsfTestCase): def setUp(self): self.app = TestApp(app) self.user = AuthUserFactory() self.app.authenticate(*self.user.auth) def test_menbib_oauth_start(self): url = api_url_for('menbib_oauth_start_user') res = self.app.get(url) assert_is_redirect(res) @mock.patch('website.addons.menbib.views.auth.finish_auth') def test_menbib_oauth_finish(self, mock_finish): mock_finish.return_value = AuthResult('mytokenabc', 'myrefreshabc', 'cool', '3600') url = api_url_for('menbib_oauth_finish') res = self.app.get(url) assert_is_redirect(res) def test_menbib_oauth_delete_user(self): self.user.add_addon('menbib') user_settings = self.user.get_addon('menbib') user_settings.access_token = '12345abc' assert_true(user_settings.has_auth) self.user.save() url = api_url_for('menbib_oauth_delete_user') res = self.app.delete(url) user_settings.reload() assert_false(user_settings.has_auth)
class TestSmartFolderViews(OsfTestCase): def setUp(self): super(TestSmartFolderViews, self).setUp() self.app = TestApp(app) self.dash = DashboardFactory() self.user = self.dash.creator self.auth = AuthFactory(user=self.user) @mock.patch('website.project.decorators.get_api_key') @mock.patch('website.project.decorators.Auth.from_kwargs') def test_adding_project_to_dashboard_increases_json_size_by_one( self, mock_from_kwargs, mock_get_api_key): mock_get_api_key.return_value = 'api_keys_lol' mock_from_kwargs.return_value = Auth(user=self.user) with app.test_request_context(): url = api_url_for('get_dashboard') res = self.app.get(url + ALL_MY_PROJECTS_ID) import pprint pp = pprint.PrettyPrinter() init_len = len(res.json[u'data']) ProjectFactory(creator=self.user) res = self.app.get(url + ALL_MY_PROJECTS_ID) assert_equal(len(res.json[u'data']), init_len + 1) @mock.patch('website.project.decorators.get_api_key') @mock.patch('website.project.decorators.Auth.from_kwargs') def test_adding_registration_to_dashboard_increases_json_size_by_one( self, mock_from_kwargs, mock_get_api_key): mock_get_api_key.return_value = 'api_keys_lol' mock_from_kwargs.return_value = Auth(user=self.user) with app.test_request_context(): url = api_url_for('get_dashboard') res = self.app.get(url + ALL_MY_REGISTRATIONS_ID) init_len = len(res.json[u'data']) RegistrationFactory(creator=self.user) res = self.app.get(url + ALL_MY_REGISTRATIONS_ID) assert_equal(len(res.json[u'data']), init_len + 1)
class TestSmartFolderViews(OsfTestCase): def setUp(self): super(TestSmartFolderViews, self).setUp() self.app = TestApp(app) self.dash = DashboardFactory() self.user = self.dash.creator self.auth = AuthFactory(user=self.user) @mock.patch('website.project.decorators.get_api_key') @mock.patch('website.project.decorators.Auth.from_kwargs') def test_adding_project_to_dashboard_increases_json_size_by_one(self, mock_from_kwargs, mock_get_api_key): mock_get_api_key.return_value = 'api_keys_lol' mock_from_kwargs.return_value = Auth(user=self.user) with app.test_request_context(): url = api_url_for('get_dashboard') res = self.app.get(url + ALL_MY_PROJECTS_ID) import pprint;pp = pprint.PrettyPrinter() init_len = len(res.json[u'data']) ProjectFactory(creator=self.user) res = self.app.get(url + ALL_MY_PROJECTS_ID) assert_equal(len(res.json[u'data']), init_len + 1) @mock.patch('website.project.decorators.get_api_key') @mock.patch('website.project.decorators.Auth.from_kwargs') def test_adding_registration_to_dashboard_increases_json_size_by_one(self, mock_from_kwargs, mock_get_api_key): mock_get_api_key.return_value = 'api_keys_lol' mock_from_kwargs.return_value = Auth(user=self.user) with app.test_request_context(): url = api_url_for('get_dashboard') res = self.app.get(url + ALL_MY_REGISTRATIONS_ID) init_len = len(res.json[u'data']) RegistrationFactory(creator=self.user) res = self.app.get(url + ALL_MY_REGISTRATIONS_ID) assert_equal(len(res.json[u'data']), init_len + 1)
class TestJSONRenderer(unittest.TestCase): def setUp(self): self.app = Flask(__name__) self.app.debug = True self.wt = TestApp(self.app) def test_error_handling(self): rule = Rule(['/error/'], 'get', error_view, renderer=json_renderer) process_rules(self.app, [rule]) res = self.wt.get('/error/', expect_errors=True) assert_equal(res.status_code, 400) assert_true(isinstance(res.json, dict)) def test_error_handling_with_message(self): rule = Rule(['/error/'], 'get', error_with_msg, renderer=json_renderer) process_rules(self.app, [rule]) res = self.wt.get('/error/', expect_errors=True) assert_equal(res.status_code, 400) data = res.json assert_equal(data['message_short'], 'Invalid') assert_equal(data['message_long'], 'Invalid request')
class TestTestApp(unittest.TestCase): def setUp(self): self.app = TestApp(app) self.auth = ("admin", "secret") def test_auth_get(self): res = self.app.get("/foo/bar/", auth=self.auth) assert_equal(res.status_code, 200) def test_bad_auth_get(self): # /foo/bar/ requires HTTP basic auth res = self.app.get("/foo/bar/", expect_errors=True) assert_equal(res.status_code, 401) bad_auth = ("no", "go") res = self.app.get("/foo/bar/", auth=bad_auth, expect_errors=True) assert_equal(res.status_code, 401) def test_auth_post(self): res = self.app.post("/foo/bar/baz/", auth=self.auth) assert_equal(res.status_code, 200) def test_auto_follow(self): res = self.app.get("/redirect/", auto_follow=True) assert_equal(res.status_code, 200) def test_authorize(self): self.app.authenticate(username='******', password='******') res = self.app.get("/foo/bar/") assert_equal(res.status_code, 200) self.app.deauthenticate() res = self.app.get("/foo/bar/", expect_errors=True) assert_equal(res.status_code, 401) def test_auth_put(self): assert_equal(self.app.put("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal(self.app.put("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_patch(self): assert_equal(self.app.patch("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal(self.app.patch("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_options(self): assert_equal(self.app.options("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal(self.app.options("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_delete(self): assert_equal(self.app.delete("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal(self.app.delete("/foo/bar/baz/", auth=self.auth).status_code, 200)
class TestMustBeContributorOrPublicButNotAnonymizedDecorator(AuthAppTestCase): def setUp(self): super(TestMustBeContributorOrPublicButNotAnonymizedDecorator, self).setUp() self.contrib = AuthUserFactory() self.non_contrib = AuthUserFactory() admin = UserFactory() self.public_project = ProjectFactory(is_public=True) self.public_project.add_contributor( admin, auth=Auth(self.public_project.creator), permissions=['read', 'write', 'admin']) self.private_project = ProjectFactory(is_public=False) self.private_project.add_contributor( admin, auth=Auth(self.private_project.creator), permissions=['read', 'write', 'admin']) self.public_project.add_contributor(self.contrib, auth=Auth( self.public_project.creator)) self.private_project.add_contributor(self.contrib, auth=Auth( self.private_project.creator)) self.public_project.save() self.private_project.save() self.anonymized_link_to_public_project = PrivateLinkFactory( anonymous=True) self.anonymized_link_to_private_project = PrivateLinkFactory( anonymous=True) self.anonymized_link_to_public_project.nodes.append( self.public_project) self.anonymized_link_to_public_project.save() self.anonymized_link_to_private_project.nodes.append( self.private_project) self.anonymized_link_to_private_project.save() self.flaskapp = Flask('Testing decorator') @self.flaskapp.route('/project/<pid>/') @must_be_contributor_or_public_but_not_anonymized def project_get(**kwargs): return 'success', 200 self.app = TestApp(self.flaskapp) def test_must_be_contributor_when_user_is_contributor_and_public_project( self): result = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._primary_key, user=self.contrib) assert_equal(result, self.public_project) def test_must_be_contributor_when_user_is_not_contributor_and_public_project( self): result = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._primary_key, user=self.non_contrib) assert_equal(result, self.public_project) def test_must_be_contributor_when_user_is_contributor_and_private_project( self): result = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._primary_key, user=self.contrib) assert_equal(result, self.private_project) def test_must_be_contributor_when_user_is_not_contributor_and_private_project_raise_error( self): with assert_raises(HTTPError): view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._primary_key, user=self.non_contrib) def test_must_be_contributor_no_user_and_public_project(self): res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._primary_key, user=None, ) assert_equal(res, self.public_project) def test_must_be_contributor_no_user_and_private_project(self): res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._primary_key, user=None, ) assert_is_redirect(res) # redirects to login url redirect_url = res.headers['Location'] login_url = cas.get_login_url(service_url='http://localhost/') assert_equal(redirect_url, login_url) def test_must_be_contributor_parent_admin_and_public_project(self): user = UserFactory() node = NodeFactory(parent=self.public_project, creator=user) res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._id, nid=node._id, user=self.public_project.creator, ) assert_equal(res, node) def test_must_be_contributor_parent_admin_and_private_project(self): user = UserFactory() node = NodeFactory(parent=self.private_project, creator=user) res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._id, nid=node._id, user=self.private_project.creator, ) assert_equal(res, node) def test_must_be_contributor_parent_write_public_project(self): user = UserFactory() node = NodeFactory(parent=self.public_project, creator=user) self.public_project.set_permissions(self.public_project.creator, ['read', 'write']) self.public_project.save() with assert_raises(HTTPError) as exc_info: view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._id, nid=node._id, user=self.public_project.creator, ) assert_equal(exc_info.exception.code, 403) def test_must_be_contributor_parent_write_private_project(self): user = UserFactory() node = NodeFactory(parent=self.private_project, creator=user) self.private_project.set_permissions(self.private_project.creator, ['read', 'write']) self.private_project.save() with assert_raises(HTTPError) as exc_info: view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._id, nid=node._id, user=self.private_project.creator, ) assert_equal(exc_info.exception.code, 403) @mock.patch('website.project.decorators.Auth.from_kwargs') def test_decorator_does_allow_anonymous_link_public_project( self, mock_from_kwargs): mock_from_kwargs.return_value = Auth(user=None) res = self.app.get( '/project/{0}'.format(self.public_project._primary_key), {'view_only': self.anonymized_link_to_public_project.key}) res = res.follow() assert_equal(res.status_code, 200) @mock.patch('website.project.decorators.Auth.from_kwargs') def test_decorator_does_not_allow_anonymous_link_private_project( self, mock_from_kwargs): mock_from_kwargs.return_value = Auth(user=None) res = self.app.get( '/project/{0}'.format(self.private_project._primary_key), {'view_only': self.anonymized_link_to_private_project.key}) res = res.follow(expect_errors=True) assert_equal(res.status_code, 500)
class TestMustBeContributorOrPublicButNotAnonymizedDecorator(AuthAppTestCase): def setUp(self): super(TestMustBeContributorOrPublicButNotAnonymizedDecorator, self).setUp() self.contrib = AuthUserFactory() self.non_contrib = AuthUserFactory() admin = UserFactory() self.public_project = ProjectFactory(is_public=True) self.public_project.add_contributor(admin, auth=Auth(self.public_project.creator), permissions=['read', 'write', 'admin']) self.private_project = ProjectFactory(is_public=False) self.private_project.add_contributor(admin, auth=Auth(self.private_project.creator), permissions=['read', 'write', 'admin']) self.public_project.add_contributor(self.contrib, auth=Auth(self.public_project.creator)) self.private_project.add_contributor(self.contrib, auth=Auth(self.private_project.creator)) self.public_project.save() self.private_project.save() self.anonymized_link_to_public_project = PrivateLinkFactory(anonymous=True) self.anonymized_link_to_private_project = PrivateLinkFactory(anonymous=True) self.anonymized_link_to_public_project.nodes.add(self.public_project) self.anonymized_link_to_public_project.save() self.anonymized_link_to_private_project.nodes.add(self.private_project) self.anonymized_link_to_private_project.save() self.flaskapp = Flask('Testing decorator') @self.flaskapp.route('/project/<pid>/') @must_be_contributor_or_public_but_not_anonymized def project_get(**kwargs): return 'success', 200 self.app = WebtestApp(self.flaskapp) def test_must_be_contributor_when_user_is_contributor_and_public_project(self): result = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._primary_key, user=self.contrib) assert_equal(result, self.public_project) def test_must_be_contributor_when_user_is_not_contributor_and_public_project(self): result = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._primary_key, user=self.non_contrib) assert_equal(result, self.public_project) def test_must_be_contributor_when_user_is_contributor_and_private_project(self): result = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._primary_key, user=self.contrib) assert_equal(result, self.private_project) def test_must_be_contributor_when_user_is_not_contributor_and_private_project_raise_error(self): with assert_raises(HTTPError): view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._primary_key, user=self.non_contrib ) def test_must_be_contributor_no_user_and_public_project(self): res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._primary_key, user=None, ) assert_equal(res, self.public_project) def test_must_be_contributor_no_user_and_private_project(self): res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._primary_key, user=None, ) assert_is_redirect(res) # redirects to login url redirect_url = res.headers['Location'] login_url = cas.get_login_url(service_url='http://localhost/') assert_equal(redirect_url, login_url) def test_must_be_contributor_parent_admin_and_public_project(self): user = UserFactory() node = NodeFactory(parent=self.public_project, creator=user) res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._id, nid=node._id, user=self.public_project.creator, ) assert_equal(res, node) def test_must_be_contributor_parent_admin_and_private_project(self): user = UserFactory() node = NodeFactory(parent=self.private_project, creator=user) res = view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._id, nid=node._id, user=self.private_project.creator, ) assert_equal(res, node) def test_must_be_contributor_parent_write_public_project(self): user = UserFactory() node = NodeFactory(parent=self.public_project, creator=user) self.public_project.set_permissions(self.public_project.creator, ['read', 'write']) self.public_project.save() with assert_raises(HTTPError) as exc_info: view_that_needs_contributor_or_public_but_not_anonymized( pid=self.public_project._id, nid=node._id, user=self.public_project.creator, ) assert_equal(exc_info.exception.code, 403) def test_must_be_contributor_parent_write_private_project(self): user = UserFactory() node = NodeFactory(parent=self.private_project, creator=user) self.private_project.set_permissions(self.private_project.creator, ['read', 'write']) self.private_project.save() with assert_raises(HTTPError) as exc_info: view_that_needs_contributor_or_public_but_not_anonymized( pid=self.private_project._id, nid=node._id, user=self.private_project.creator, ) assert_equal(exc_info.exception.code, 403) @mock.patch('website.project.decorators.Auth.from_kwargs') def test_decorator_does_allow_anonymous_link_public_project(self, mock_from_kwargs): mock_from_kwargs.return_value = Auth(user=None) res = self.app.get('/project/{0}'.format(self.public_project._primary_key), {'view_only': self.anonymized_link_to_public_project.key}) res = res.follow() assert_equal(res.status_code, 200) @mock.patch('website.project.decorators.Auth.from_kwargs') def test_decorator_does_not_allow_anonymous_link_private_project(self, mock_from_kwargs): mock_from_kwargs.return_value = Auth(user=None) res = self.app.get('/project/{0}'.format(self.private_project._primary_key), {'view_only': self.anonymized_link_to_private_project.key}) res = res.follow(expect_errors=True) assert_equal(res.status_code, 500)
class TestTestApp(unittest.TestCase): def setUp(self): self.app = TestApp(app) self.auth = ("admin", "secret") def test_auth_get(self): res = self.app.get("/foo/bar/", auth=self.auth) assert_equal(res.status_code, 200) def test_bad_auth_get(self): # /foo/bar/ requires HTTP basic auth res = self.app.get("/foo/bar/", expect_errors=True) assert_equal(res.status_code, 401) bad_auth = ("no", "go") res = self.app.get("/foo/bar/", auth=bad_auth, expect_errors=True) assert_equal(res.status_code, 401) def test_auth_post(self): res = self.app.post("/foo/bar/baz/", auth=self.auth) assert_equal(res.status_code, 200) def test_auto_follow(self): res = self.app.get("/redirect/", auto_follow=True) assert_equal(res.status_code, 200) def test_authorize(self): self.app.authenticate(username='******', password='******') res = self.app.get("/foo/bar/") assert_equal(res.status_code, 200) self.app.deauthenticate() res = self.app.get("/foo/bar/", expect_errors=True) assert_equal(res.status_code, 401) def test_auth_put(self): assert_equal(self.app.put("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal(self.app.put("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_patch(self): assert_equal(self.app.patch("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal(self.app.patch("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_options(self): assert_equal(self.app.options("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal(self.app.options("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_delete(self): assert_equal(self.app.delete("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal(self.app.delete("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_post_json(self): assert_equal(self.app.post_json("/secretjson/", {"name": "Steve"}, expect_errors=True).status_code, 401) res = self.app.post_json("/secretjson/", {"name": "Steve"}, auth=self.auth) assert_equal(res.request.content_type, "application/json") assert_equal(res.status_code, 200) def test_click_with_auth(self): res = self.app.get("/") assert_raises(AppError, lambda: res.click("Bar")) res = self.app.get("/") res = res.click("Bar", auth=self.auth) assert_equal(res.status_code, 200) def test_click_with_authenticate(self): self.app.authenticate(username=self.auth[0], password=self.auth[1]) res = self.app.get('/') res = res.click("Bar") assert_equal(res.status_code, 200) def test_clickbutton_with_auth(self): res = self.app.get("/") assert_raises(AppError, lambda: res.clickbutton("Click me")) res = self.app.get('/') res = res.clickbutton("Click me", auth=self.auth) def test_clickbutton_with_authenticate(self): self.app.authenticate(username=self.auth[0], password=self.auth[1]) res = self.app.get('/') res = res.clickbutton("Click me") assert_equal(res.status_code, 200) assert_equal(res.request.path, "/foo/bar/")
class TestTestApp(unittest.TestCase): def setUp(self): self.app = TestApp(app) self.auth = ("admin", "secret") def test_auth_get(self): res = self.app.get("/foo/bar/", auth=self.auth) assert_equal(res.status_code, 200) def test_bad_auth_get(self): # /foo/bar/ requires HTTP basic auth res = self.app.get("/foo/bar/", expect_errors=True) assert_equal(res.status_code, 401) bad_auth = ("no", "go") res = self.app.get("/foo/bar/", auth=bad_auth, expect_errors=True) assert_equal(res.status_code, 401) def test_auth_post(self): res = self.app.post("/foo/bar/baz/", auth=self.auth) assert_equal(res.status_code, 200) def test_auto_follow(self): res = self.app.get("/redirect/", auto_follow=True) assert_equal(res.status_code, 200) def test_authorize(self): self.app.authenticate(username='******', password='******') res = self.app.get("/foo/bar/") assert_equal(res.status_code, 200) self.app.deauthenticate() res = self.app.get("/foo/bar/", expect_errors=True) assert_equal(res.status_code, 401) def test_auth_put(self): assert_equal( self.app.put("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal( self.app.put("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_patch(self): assert_equal( self.app.patch("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal( self.app.patch("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_options(self): assert_equal( self.app.options("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal( self.app.options("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_delete(self): assert_equal( self.app.delete("/foo/bar/baz/", expect_errors=True).status_code, 401) assert_equal( self.app.delete("/foo/bar/baz/", auth=self.auth).status_code, 200) def test_auth_post_json(self): assert_equal( self.app.post_json("/secretjson/", { "name": "Steve" }, expect_errors=True).status_code, 401) res = self.app.post_json("/secretjson/", {"name": "Steve"}, auth=self.auth) assert_equal(res.request.content_type, "application/json") assert_equal(res.status_code, 200) def test_click_with_auth(self): res = self.app.get("/") assert_raises(AppError, lambda: res.click("Bar")) res = self.app.get("/") res = res.click("Bar", auth=self.auth) assert_equal(res.status_code, 200) def test_click_with_authenticate(self): self.app.authenticate(username=self.auth[0], password=self.auth[1]) res = self.app.get('/') res = res.click("Bar") assert_equal(res.status_code, 200) def test_clickbutton_with_auth(self): res = self.app.get("/") assert_raises(AppError, lambda: res.clickbutton("Click me")) res = self.app.get('/') res = res.clickbutton("Click me", auth=self.auth) def test_clickbutton_with_authenticate(self): self.app.authenticate(username=self.auth[0], password=self.auth[1]) res = self.app.get('/') res = res.clickbutton("Click me") assert_equal(res.status_code, 200) assert_equal(res.request.path, "/foo/bar/")