def test_mobile_version(app_dev):
testapp = app_dev.test_client()
upgrade_header = app_dev.config.VERSION_UPGRADE_HEADER
version_header = app_dev.config.VERSION_API_HEADER
mobile_version = app_dev.config.VERSION_HEADER_KEY
agent_header = app_dev.config.VERSION_AGENT_HEADER
headers = {
app_dev.config.LIMITER.BYPASS_KEY: app_dev.config.LIMITER.BYPASS_VALUE,
agent_header: "ios",
}
res = testapp.get(h.url_for("web.index"),
headers={
mobile_version: "0.0.0",
**headers
})
h.Asserter.assert_header(res, upgrade_header, "0")
h.Asserter.assert_header(res, version_header, "1.0.0")
url = h.url_for("api.mobile_release",
ver="1.0.1",
critical="true",
agent="ios")
res = testapp.post(url, headers=headers)
h.Asserter.assert_status_code(res)
res = testapp.get(h.url_for("web.index"),
headers={
mobile_version: "0.0.0",
**headers
})
h.Asserter.assert_header(res, upgrade_header, "1")
res = testapp.get("/web-page-not-found")
h.Asserter.assert_not_in(upgrade_header, list(res.headers.keys()))
h.Asserter.assert_not_in(version_header, list(res.headers.keys()))
def test_method_override(testapp):
res = testapp.post(
h.url_for("test.method_override_post"),
headers={"X-HTTP-Method-Override": h.HttpMethod.PUT},
)
h.Asserter.assert_status_code(res)
res = testapp.post(
h.url_for("test.method_override_post", _method_override="PUT"))
h.Asserter.assert_status_code(res)
def test_apidoc(test_client, views):
headers = h.basic_auth_header()
res = test_client.get(h.url_for(views.apidocs), headers=headers)
h.Asserter.assert_status_code(res)
h.Asserter.assert_content_type(res, h.CTS.html)
res = test_client.get(h.url_for(views.api_spec), headers=headers)
h.Asserter.assert_status_code(res)
h.Asserter.assert_different(res.json, {})
h.Asserter.assert_content_type(res, h.CTS.json)
def test_app_dev(app_dev):
h.Asserter.assert_equals(app_dev.config.FLASK_ENV, "development")
h.Asserter.assert_equals(app_dev.config.SECRET_KEY,
"fake_very_complex_string")
client = TestHttpCall(app_dev.test_client())
client.perform(request={"url": h.url_for("web.index")})
client = TestHttpApi(app_dev.test_client())
client.perform(request={"url": h.url_for("test.test_https")})
h.Asserter.assert_equals(client.json.scheme, "https")
h.Asserter.assert_true(client.json.url_for.startswith("https"))
def test_proxy_view(app_dev):
testapp = app_dev.test_client()
res = testapp.post(h.url_for("api.proxyview", p="v1"),
json={"test": "test"})
h.Asserter.assert_status_code(res)
h.Asserter.assert_equals(res.json.json.test, "test")
h.Asserter.assert_equals(res.json.args.p, "v1")
res = testapp.get(h.url_for("api.confproxy"))
h.Asserter.assert_status_code(res)
h.Asserter.assert_equals(res.json.headers.k, "v")
h.Asserter.assert_equals(res.json.params.k, "v")
def test_apidoc(testapp):
res = testapp.get(h.url_for("api.apidocs"))
h.Asserter.assert_status_code(res)
h.Asserter.assert_content_type(res, h.CTS.html)
res = testapp.get(h.url_for("api.apispec"))
h.Asserter.assert_status_code(res)
h.Asserter.assert_content_type(res, h.CTS.json)
h.Asserter.assert_equals(res.json.info.version, "1.0.0")
h.Asserter.assert_equals(res.json.servers[0].variables.context.default,
"/")
h.Asserter.assert_equals(res.json.servers[0].variables.host.default,
"https://127.0.0.1:5000")
def test_jsonrpc_proxy_view(app_dev):
testapp = app_dev.test_client()
res = testapp.post(h.url_for("api.jsonrpc_proxyview"),
json={"test": "test"})
h.Asserter.assert_status_code(res, h.httpcode.NO_CONTENT)
res = testapp.get(h.url_for("api.jsonrpc_proxyview", param1=1, param2=2))
h.Asserter.assert_status_code(res)
response = json.loads(res.json.data)
h.Asserter.assert_schema(response, schemas.SCHEMAS.JSONRPC.REQUEST)
h.Asserter.assert_equals(response["method"], "jsonrpc_method")
h.Asserter.assert_equals(response["params"]["param1"], "1")
h.Asserter.assert_equals(response["params"]["param2"], "2")
def test_reverse_proxy(testapp):
res = testapp.get(h.url_for("test.test_proxy"),
headers={"X-Forwarded-Prefix": "/test"})
h.Asserter.assert_status_code(res)
h.Asserter.assert_true(bool(res.json.request_id))
h.Asserter.assert_equals(res.json.script_name, "/test")
h.Asserter.assert_equals(res.json.original.SCRIPT_NAME, "")
def test_api_jsonrpc_notification(app_dev):
url = h.url_for("api.jsonrpc")
testapp = app_dev.test_client()
headers = dict(headers={
app_dev.config.LIMITER.BYPASS_KEY:
app_dev.config.LIMITER.BYPASS_VALUE
})
res = testapp.jsonrpc_batch(
url,
requests=(
dict(method="MyJsonRPC.testAction1", params={}),
dict(method="MyJsonRPC.NotFoundMethod"),
),
**headers,
)
h.Asserter.assert_status_code(res, h.httpcode.NO_CONTENT)
res = testapp.jsonrpc_batch(
url,
requests=(
dict(method="MyJsonRPC.testAction1", call_id=1, params={}),
dict(method="MyJsonRPC.NotFoundMethod"),
),
**headers,
)
h.Asserter.assert_status_code(res)
h.Asserter.assert_equals(len(res.json), 1)
def test_api_jsonrpc_params(app_dev):
url = h.url_for("api.jsonrpc")
method = "MyJsonRPC.testInvalidParams"
testapp = app_dev.test_client()
response_schema = schemas.SCHEMAS.JSONRPC.RESPONSE
headers = dict(headers={
app_dev.config.LIMITER.BYPASS_KEY:
app_dev.config.LIMITER.BYPASS_VALUE
})
res = testapp.jsonrpc(url,
method=method,
call_id=1,
params={"param": "testparam"},
**headers)
h.Asserter.assert_status_code(res)
h.Asserter.assert_schema(res.json, response_schema)
h.Asserter.assert_not_in("error", res.json)
res = testapp.jsonrpc(url,
method=method,
call_id=1,
params={"params": None},
**headers)
h.Asserter.assert_status_code(res)
h.Asserter.assert_schema(res.json, response_schema)
h.Asserter.assert_equals(res.json.error.code, rpc.RPCInvalidParams().code)
def test_api_jsonrpc_batch(app_dev):
url = h.url_for("api.jsonrpc")
testapp = app_dev.test_client()
headers = dict(headers={
app_dev.config.LIMITER.BYPASS_KEY:
app_dev.config.LIMITER.BYPASS_VALUE
})
res = testapp.jsonrpc_batch(
url,
requests=(
dict(method="MyJsonRPC.testAction1", call_id=1, params={}),
dict(method="MyJsonRPC.NotFoundMethod", call_id=2),
),
**headers,
)
h.Asserter.assert_status_code(res, h.httpcode.MULTI_STATUS)
h.Asserter.assert_true(res.json[0].result.action1)
h.Asserter.assert_equals(res.json[1].error.code,
rpc.RPCMethodNotFound().code)
res = testapp.jsonrpc_batch(
url,
requests=(
dict(method="MyJsonRPC.testAction1", call_id=1, params={}),
dict(method="MyJsonRPC.NotFoundMethod", call_id=2),
dict(method="MyJsonRPC.NotFoundMethod", call_id=3),
),
**headers,
)
h.Asserter.assert_status_code(res, h.httpcode.REQUEST_ENTITY_TOO_LARGE)
def test_api_resources(testapp):
res = testapp.get(h.url_for("api.resource_api"),
headers={"Accept": h.CTS.xml})
h.Asserter.assert_status_code(res)
h.Asserter.assert_content_type(res, h.CTS.xml)
res = testapp.get(h.url_for("api.resource_api", res_id=1))
h.Asserter.assert_status_code(res)
h.Asserter.assert_content_type(res, h.CTS.json)
res = testapp.get(
h.url_for("api.resource_api", res_id=1, sub_resource="items"))
h.Asserter.assert_status_code(res)
h.Asserter.assert_content_type(res, h.CTS.json)
res = testapp.get(
h.url_for("api.resource_api", res_id=1, sub_resource="not-found"))
h.Asserter.assert_status_code(res, h.httpcode.NOT_FOUND)
h.Asserter.assert_content_type(res, h.CTS.json_problem)
h.Asserter.assert_schema(res.json, schemas.SCHEMAS.API_PROBLEM)
h.Asserter.assert_equals(res.json.detail, "not found")
res = testapp.get(
h.url_for("api.resource_api", res_id=1, sub_resource="not-found"))
h.Asserter.assert_status_code(res, h.httpcode.TOO_MANY_REQUESTS)
time.sleep(int(res.headers.get("Retry-After") or 0)) # check rate limit
res = testapp.delete(h.url_for("api.resource_api", res_id=1))
h.Asserter.assert_status_code(res, h.httpcode.NO_CONTENT)
data = dict(item="test")
res = testapp.put(h.url_for("api.resource_api", res_id=1), json=data)
h.Asserter.assert_status_code(res)
res = testapp.post(h.url_for("api.resource_api"), json=data)
h.Asserter.assert_status_code(res, h.httpcode.CREATED)
res = testapp.post(h.url_for("api.resource_api",
res_id=1,
sub_resource="items"),
json=data)
h.Asserter.assert_status_code(res, h.httpcode.CREATED)
res = testapp.post(h.url_for("api.resource_api"), json={})
h.Asserter.assert_status_code(res, h.httpcode.UNPROCESSABLE_ENTITY)
h.Asserter.assert_allin(res.json.response.reason,
("cause", "message", "path"))
def test_utils_uuid(testapp):
res = testapp.get(h.url_for("test.return_uuid"))
h.Asserter.assert_false(uuid.check_uuid("fake uuid"))
h.Asserter.assert_true(uuid.check_uuid(uuid.get_uuid(hexify=False)))
h.Asserter.assert_true(uuid.check_uuid(res.json.get("uuid1"), ver=1))
h.Asserter.assert_true(uuid.check_uuid(res.json.get("uuid3"), ver=3))
h.Asserter.assert_true(uuid.check_uuid(res.json.get("uuid4")))
h.Asserter.assert_true(uuid.check_uuid(res.json.get("uuid5"), ver=5))
def test_api_jsonrpc_success(app_dev):
call_id = 1
url = h.url_for("api.jsonrpc")
client = TestJsonRPC(app_dev.test_client(), endpoint=url)
client.perform(request=dict(method="MyJsonRPC.testAction1", id=call_id))
h.Asserter.assert_equals(client.json.id, call_id)
h.Asserter.assert_true(client.json.result.action1)
res = app_dev.test_client().jsonrpc(url, method="MyJsonRPC.testAction2")
h.Asserter.assert_status_code(res, h.httpcode.NO_CONTENT)
def test_proxy_schema(app_dev):
view = "api.schema_proxy"
testapp = app_dev.test_client()
bypass = {
app_dev.config.LIMITER.BYPASS_KEY: app_dev.config.LIMITER.BYPASS_VALUE
}
_ = h.api_tester(
testapp,
h.url_for(view, filepath="pippo"),
status=h.httpcode.NOT_FOUND,
headers=bypass,
)
res = h.api_tester(testapp, h.url_for(view,
filepath="jsonrpc/request.json"))
h.Asserter.assert_equals(res.json, app_dev.config.SCHEMAS.JSONRPC.REQUEST)
res = h.api_tester(testapp, h.url_for(view, filepath="api_problem"))
h.Asserter.assert_equals(res.json, app_dev.config.SCHEMAS.API_PROBLEM)
def test_mobile_views(app_dev):
testapp = app_dev.test_client()
url = h.url_for("api.mobile_logger")
data = {"stacktrace": "exception"}
res = testapp.post(url, json=data)
h.Asserter.assert_status_code(res, h.httpcode.NO_CONTENT)
res = testapp.post(f"{url}?debug", json=data)
h.Asserter.assert_status_code(res)
h.Asserter.assert_equals(res.json, data)
def test_useragent(testapp):
res = testapp.get(h.url_for("test.useragent"))
h.Asserter.assert_status_code(res)
h.Asserter.assert_allin(res.json.keys(),
("browser", "device", "os", "raw"))
ua_string = """
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko)
Chrome/70.0.3538.77 Safari/537.36
"""
res = useragent.UserAgent().parse(ua_string)
h.Asserter.assert_equals(res.raw, ua_string)
def test_mobile_release(app_dev):
agent = {"agent": "ios"}
version = "1.0.0"
testapp = app_dev.test_client()
res = testapp.delete(h.url_for("api.mobile_release", **agent))
h.Asserter.assert_status_code(res)
res = testapp.delete(h.url_for("api.mobile_release", all="true", **agent))
h.Asserter.assert_status_code(res, h.httpcode.NO_CONTENT)
res = testapp.post(h.url_for("api.mobile_release", ver=version, **agent))
h.Asserter.assert_status_code(res)
h.Asserter.assert_equals(res.json, 1)
h.Asserter.assert_allin(res.json[0], ("critical", "version"))
res = testapp.get(h.url_for("api.mobile_release", all="true", **agent))
h.Asserter.assert_status_code(res)
h.Asserter.assert_allin(res.json[0], ("critical", "version"))
res = testapp.post(h.url_for("api.mobile_release", ver=version, **agent))
h.Asserter.assert_status_code(res, h.httpcode.BAD_REQUEST)
bypass = {
app_dev.config.LIMITER.BYPASS_KEY: app_dev.config.LIMITER.BYPASS_VALUE
}
res = testapp.get(h.url_for("api.mobile_release", ver="latest", **agent),
headers=bypass)
h.Asserter.assert_status_code(res)
h.Asserter.assert_header(res, "Content-Type", h.CTS.text)
h.Asserter.assert_equals(res.data, version.encode())
def get_access_token(token=None, email=None, password=None, in_query=True):
if token is not None:
if in_query is True:
return f"jwt={token}"
return dict(Authorization=f"Bearer {token}")
credentials = dict(
email=email or h.config.ADMIN_EMAIL,
password=password or h.config.ADMIN_PASSWORD,
)
tokens = test_client.post(h.url_for(views.access_token), json=credentials)
if in_query is True:
return f"jwt={tokens.json.access_token}"
return dict(Authorization=f"Bearer {tokens.json.access_token}")
def test_utils_send_file(testapp):
filename = "MANIFEST.in"
url = h.url_for("test.download") + "?filename={}"
res = testapp.get(url.format(filename))
h.Asserter.assert_status_code(res)
h.Asserter.assert_header(res, "Content-Disposition",
f"attachment; filename={filename}")
h.Asserter.assert_header(res, "X-Accel-Redirect", f"./{filename}")
h.Asserter.assert_true(res.headers.get("X-Sendfile").endswith(filename))
h.Asserter.assert_equals(res.data, b"")
res = testapp.get(url.format("nofile.txt"))
h.Asserter.assert_status_code(res, h.httpcode.NOT_FOUND)
h.Asserter.assert_content_type(res, h.CTS.html)
def test_api_jsonrpc_error(app_dev):
call_id = 1
url = h.url_for("api.jsonrpc")
testapp = app_dev.test_client()
response_schema = schemas.SCHEMAS.JSONRPC.RESPONSE
headers = dict(headers={
app_dev.config.LIMITER.BYPASS_KEY:
app_dev.config.LIMITER.BYPASS_VALUE
})
res = testapp.jsonrpc(url,
method="NotFoundMethod",
call_id=call_id,
**headers)
h.Asserter.assert_status_code(res)
h.Asserter.assert_equals(res.json.error.code, rpc.RPCMethodNotFound().code)
h.Asserter.assert_schema(res.json, response_schema)
h.Asserter.assert_equals(res.json.id, call_id)
h.Asserter.assert_true(res.json.error.message)
res = testapp.jsonrpc(url, json={}, **headers)
h.Asserter.assert_status_code(res, h.httpcode.BAD_REQUEST)
h.Asserter.assert_schema(res.json, response_schema)
h.Asserter.assert_equals(res.json.error.code, rpc.RPCParseError().code)
res = testapp.jsonrpc(url, json={"params": None}, **headers)
h.Asserter.assert_status_code(res, h.httpcode.BAD_REQUEST)
h.Asserter.assert_schema(res.json, response_schema)
h.Asserter.assert_equals(res.json.error.code, rpc.RPCInvalidRequest().code)
res = testapp.jsonrpc(url,
json={
"jsonrpc": 1,
"method": "MyJsonRPC.testAction1"
},
**headers)
h.Asserter.assert_status_code(res, h.httpcode.BAD_REQUEST)
h.Asserter.assert_schema(res.json, response_schema)
h.Asserter.assert_equals(res.json.error.code, rpc.RPCInvalidRequest().code)
res = testapp.jsonrpc(url,
method="MyJsonRPC.testInternalError",
call_id=call_id,
**headers)
h.Asserter.assert_status_code(res)
h.Asserter.assert_schema(res.json, response_schema)
h.Asserter.assert_equals(res.json.error.code, rpc.RPCInternalError().code)
def get_access_token(
token: Optional[str] = None,
token_type: str = "Bearer",
is_query: bool = False,
credentials: Optional[Union[Dict[str, str], Tuple[str, str]]] = None,
access_view: str = "auth.token_access",
):
if token is not None:
return dict(Authorization=f"Bearer {token}")
if not credentials:
config = test_client.application.config
credentials = dict(email=config.ADMIN_EMAIL,
password=config.ADMIN_PASSWORD)
if isinstance(credentials, tuple):
credentials = dict(email=credentials[0], password=credentials[1])
tokens = test_client.post(url_for(access_view), json=credentials)
if is_query is True:
return dict(jwt={tokens.json.access_token})
return dict(Authorization=f"{token_type} {tokens.json.access_token}")
def test_api_cors(testapp):
client = TestHttpApi(testapp)
client.perform(
request={"url": h.url_for("api.resource_api")},
response={
"status": {
"code": h.httpcode.TOO_MANY_REQUESTS
},
"headers": {
"Access-Control-Allow-Origin": {
"value": "*"
},
"Content-Type": {
"value": h.CTS.json_problem
},
},
},
)
headers = testapp.application.config.CORS_EXPOSE_HEADERS
res = h.api_tester(testapp, url="/")
h.Asserter.assert_header(res, "Access-Control-Allow-Origin", "*")
h.Asserter.assert_allin(
res.headers["Access-Control-Expose-Headers"].split(", "), headers)
def test_restful(app_dev):
h.restful_tester(
app_dev.test_client(),
view="api.items",
schema_read=schemas.SCHEMAS.ITEM,
schema_collection=schemas.SCHEMAS.ITEM_LIST,
body_create=dict(item="test"),
headers={
app_dev.config.LIMITER.BYPASS_KEY:
app_dev.config.LIMITER.BYPASS_VALUE,
**h.basic_auth_header(),
},
)
client = TestRestApi(app_dev.test_client(),
endpoint=h.url_for("api.items"))
client.test_post(
request=dict(json=dict(item="test"), headers=h.basic_auth_header()),
response=dict(schema=schemas.SCHEMAS.ITEM),
)
res_id = client.json.id
client.test_get(
res_id,
request=dict(headers=h.basic_auth_header()),
response=dict(schema=schemas.SCHEMAS.ITEM),
)
client.test_put(
res_id,
request=dict(json=dict(item="test"), headers=h.basic_auth_header()),
response=dict(schema=schemas.SCHEMAS.ITEM),
)
client.test_collection(
request=dict(headers=h.basic_auth_header()),
response=dict(schema=schemas.SCHEMAS.ITEM_LIST),
)
client.test_delete(res_id, request=dict(headers=h.basic_auth_header()))
def test_force_https(testapp):
_ = testapp.get(h.url_for("test.test_https"))
client = TestHttpApi(testapp)
client.perform(request={"url": h.url_for("test.test_https")})
h.Asserter.assert_equals(client.json.scheme, "https")
h.Asserter.assert_true(client.json.url_for.startswith("https"))
def test_converters(testapp):
res = testapp.get(h.url_for("test.list_converter", data=["a", "b", "c"]))
h.Asserter.assert_status_code(res)
h.Asserter.assert_equals(res.json, 3)
def test_utils_get_json(testapp):
res = testapp.post(h.url_for("test.get_invalid_json"))
h.Asserter.assert_status_code(res, h.httpcode.BAD_REQUEST)
def test_crypto(testapp):
passwd = "my-favourite-password"
crypto = ExtProxy("argon2")
res = testapp.get(h.url_for("test.crypt", passwd=passwd))
h.Asserter.assert_true(crypto.verify_hash(res.data, passwd))
h.Asserter.assert_false(crypto.verify_hash(res.data, "wrong-pass"))
def test_jwt(app_dev):
testapp = app_dev.test_client()
conf = testapp.application.config
bypass = {conf.LIMITER.BYPASS_KEY: conf.LIMITER.BYPASS_VALUE}
tokens = testapp.post(
h.url_for("api.token_access", expires_access=1),
json=dict(email=conf.BASIC_AUTH_USERNAME,
password=conf.BASIC_AUTH_PASSWORD),
)
h.Asserter.assert_status_code(tokens)
check = testapp.get(
h.url_for("api.token_check"),
headers={
"Authorization": f"Bearer {tokens.json.access_token}",
**bypass
},
)
h.Asserter.assert_status_code(check)
time.sleep(2)
check = testapp.get(
h.url_for("api.token_check"),
headers={
"Authorization": f"Bearer {tokens.json.access_token}",
**bypass
},
)
h.Asserter.assert_status_code(check, h.httpcode.UNAUTHORIZED)
tokens = testapp.post(
h.url_for("api.token_access"),
json=dict(email=conf.BASIC_AUTH_USERNAME,
password=conf.BASIC_AUTH_PASSWORD),
headers=bypass,
)
h.Asserter.assert_status_code(tokens)
h.Asserter.assert_allin(
tokens.json.keys(),
(
"access_token",
"refresh_token",
"expires_in",
"issued_at",
"token_type",
"scope",
),
)
res = testapp.post(
h.url_for("api.token_refresh"),
headers={
"Authorization": f"Bearer {tokens.json.refresh_token}",
**bypass
},
)
h.Asserter.assert_status_code(res)
h.Asserter.assert_allin(
res.json.keys(),
("access_token", "expires_in", "issued_at", "token_type", "scope"),
)
check = testapp.get(
h.url_for("api.token_check"),
headers={
"Authorization": f"Bearer {res.json.access_token}",
**bypass
},
)
h.Asserter.assert_status_code(check)
unauth = testapp.get(
h.url_for("api.token_check"),
headers={
"Authorization": "Bearer invalid-token",
**bypass
},
)
h.Asserter.assert_status_code(unauth, h.httpcode.UNAUTHORIZED)
revoked = testapp.post(
h.url_for("api.token_revoke"),
headers={
"Authorization": f"Bearer {tokens.json.access_token}",
**bypass
},
json={
"access_token": tokens.json.access_token,
"refresh_token": tokens.json.refresh_token,
},
)
h.Asserter.assert_status_code(revoked, h.httpcode.NO_CONTENT)
res = testapp.get(
h.url_for("api.token_check"),
headers={
"Authorization": f"Bearer {tokens.json.access_token}",
**bypass
},
)
h.Asserter.assert_status_code(res, h.httpcode.UNAUTHORIZED)
