def test_accepted_dev_cant_authenticate(self, tenants_users_devices):
dacd = ApiClient(deviceauth.URL_DEVICES)
uc = ApiClient(useradm.URL_MGMT)
tc = ApiClient(tenantadm.URL_INTERNAL)
# accept a dev
device = tenants_users_devices[0].devices[0]
user = tenants_users_devices[0].users[0]
r = uc.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
aset = device.authsets[0]
change_authset_status(aset.did, aset.id, 'accepted', utoken)
# suspend
r = tc.call('PUT',
tenantadm.URL_INTERNAL_SUSPEND,
tenantadm.req_status('suspended'),
path_params={'tid': tenants_users_devices[0].id})
assert r.status_code == 200
time.sleep(10)
# try requesting auth
body, sighdr = deviceauth.auth_req(
aset.id_data, aset.pubkey, aset.privkey,
tenants_users_devices[0].tenant_token)
r = dacd.call('POST', deviceauth.URL_AUTH_REQS, body, headers=sighdr)
assert r.status_code == 401
assert r.json()['error'] == 'Account suspended'
def make_rejected_device(utoken, num_auth_sets=1, tenant_token=''):
dev = make_pending_device(utoken, num_auth_sets, tenant_token=tenant_token)
for i in range(num_auth_sets):
aset_id = dev.authsets[i].id
change_authset_status(dev.id, aset_id, 'rejected', utoken)
dev.authsets[i].status = 'rejected'
dev.status = 'rejected'
return dev
def test_authenticated_dev_is_rejected(self, tenants_users_devices):
dacd = ApiClient(deviceauth.URL_DEVICES)
uc = ApiClient(useradm.URL_MGMT)
tc = ApiClient(tenantadm.URL_INTERNAL)
dc = ApiClient(deployments.URL_DEVICES)
# accept a dev
user = tenants_users_devices[0].users[0]
r = uc.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
aset = tenants_users_devices[0].devices[0].authsets[0]
change_authset_status(aset.did, aset.id, 'accepted', utoken)
# request auth
body, sighdr = deviceauth.auth_req(
aset.id_data, aset.pubkey, aset.privkey,
tenants_users_devices[0].tenant_token)
r = dacd.call('POST', deviceauth.URL_AUTH_REQS, body, headers=sighdr)
assert r.status_code == 200
dtoken = r.text
# check device can access APIs
r = dc.with_auth(dtoken).call('GET',
deployments.URL_NEXT,
qs_params={
'device_type': 'foo',
'artifact_name': 'bar'
})
assert r.status_code == 204
# suspend
r = tc.call('PUT',
tenantadm.URL_INTERNAL_SUSPEND,
tenantadm.req_status('suspended'),
path_params={'tid': tenants_users_devices[0].id})
assert r.status_code == 200
time.sleep(10)
# check device is rejected
r = dc.with_auth(dtoken).call('GET',
deployments.URL_NEXT,
qs_params={
'device_type': 'foo',
'artifact_name': 'bar'
})
assert r.status_code == 401
def make_accepted_device(utoken, devauthd, tenant_token=''):
dev = make_pending_device(utoken, tenant_token=tenant_token)
aset_id = dev.authsets[0].id
change_authset_status(dev.id, aset_id, 'accepted', utoken)
aset = dev.authsets[0]
aset.status = 'accepted'
# obtain auth token
body, sighdr = deviceauth_v1.auth_req(aset.id_data, aset.pubkey,
aset.privkey, tenant_token)
r = devauthd.call('POST',
deviceauth_v1.URL_AUTH_REQS,
body,
headers=sighdr)
assert r.status_code == 200
dev.token = r.text
dev.status = 'accepted'
return dev
def do_test_put_status_reject(self, devs_authsets, user, tenant_token=''):
devauthm = ApiClient(deviceauth_v2.URL_MGMT)
devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
useradmm = ApiClient(useradm.URL_MGMT)
deploymentsd = ApiClient(deployments.URL_DEVICES)
# log in user
r = useradmm.call('POST',
useradm.URL_LOGIN,
auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
devs = []
for status in ['pending',
'accepted',
'preauthorized']:
found = filter_and_page_devs(devs_authsets, status=status)
devs.extend(found)
for dev in devs:
aset = None
dtoken = None
# for accepted or preauthd devs, reject the accepted/preauthd set
# otherwise just select something
if dev.status in ['accepted', 'preauthorized']:
aset = [a for a in dev.authsets if a.status == dev.status]
assert len(aset) == 1
aset = aset[0]
else:
aset = dev.authsets[0]
# for accepted devs, also have an active device and check it loses api access
if dev.status == 'accepted':
body, sighdr = deviceauth_v1.auth_req(aset.id_data,
aset.pubkey,
aset.privkey,
tenant_token)
r = devauthd.call('POST',
deviceauth_v1.URL_AUTH_REQS,
body,
headers=sighdr)
assert r.status_code == 200
dtoken = r.text
# reject the authset
change_authset_status(dev.id, aset.id, 'rejected', utoken)
# the given authset always changes to 'rejected'
aset.status='rejected'
# if all other asets are also rejected, the device becomes too
# otherwise it's 'pending'
rej_asets = [a for a in dev.authsets if a.id != aset.id and a.status == 'rejected']
if len(rej_asets) == len(dev.authsets) - 1:
dev.status = 'rejected'
else:
dev.status = 'pending'
# check if the api device is consistent
self.verify_dev_after_status_update(dev, utoken)
# if we rejected an accepted, active device, check that it lost access
if dtoken is not None:
r = deploymentsd.with_auth(dtoken).call('GET',
deployments.URL_NEXT,
qs_params={'device_type': 'foo',
'artifact_name': 'bar'})
assert r.status_code == 401
def do_test_put_status_accept(self, devs_authsets, user, tenant_token=''):
devauthm = ApiClient(deviceauth_v2.URL_MGMT)
devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
useradmm = ApiClient(useradm.URL_MGMT)
deploymentsd = ApiClient(deployments.URL_DEVICES)
# log in user
r = useradmm.call('POST',
useradm.URL_LOGIN,
auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# select interesting devices - pending, rejected, or accepted/preauthd with extra authsets
devs = []
for status in ['pending',
'rejected',
'accepted',
'preauthorized']:
found = filter_and_page_devs(devs_authsets, status=status)
if status == 'accepted' or status == 'preauthorized':
found = [d for d in found if len(d.authsets) > 1]
devs.extend(found)
# test acceptance for various kinds of devs
for dev in devs:
# for accepted devs - first actually get a device token
dtoken = None
if dev.status == 'accepted':
accepted = [a for a in dev.authsets if a.status == 'accepted'][0]
body, sighdr = deviceauth_v1.auth_req(accepted.id_data,
accepted.pubkey,
accepted.privkey,
tenant_token)
r = devauthd.call('POST',
deviceauth_v1.URL_AUTH_REQS,
body,
headers=sighdr)
assert r.status_code == 200
dtoken = r.text
# find some pending or rejected authset
aset = [a for a in dev.authsets if a.status == 'pending' or a.status == 'rejected'][0]
# accept the authset
change_authset_status(dev.id, aset.id, 'accepted', utoken)
# in case of originally preauthd/accepted devs: the original authset must be rejected now
if dev.status in ['accepted', 'preauthorized']:
aset_to_reject = [a for a in dev.authsets if a.status == dev.status]
assert len(aset_to_reject) == 1
aset_to_reject[0].status = 'rejected'
# in all cases, device is now 'accepted', along with the just accepted authset
dev.status = 'accepted'
aset.status = 'accepted'
# verify device is correct in the api
self.verify_dev_after_status_update(dev, utoken)
# if the device used to be accepted - check it lost access
if dtoken is not None:
r = deploymentsd.with_auth(dtoken).call('GET',
deployments.URL_NEXT,
qs_params={'device_type': 'foo',
'artifact_name': 'bar'})
assert r.status_code == 401
# device should also be provisioned in inventory
time.sleep(1)
self.verify_dev_provisioned(dev, utoken)
