Exemple #1
0
    def test_remove_tag_without_permissions(self):
        unauthorized_user = UserFactory()
        unauthorized_user.set_password("api-testing")
        unauthorized_user.save()

        unauthorized_user.user_permissions.add(*Permission.objects.all())
        remove_perm_from_user(unauthorized_user,
                              "testcases.delete_testcasetag")

        rpc_client = xmlrpc.TCMSXmlrpc(
            unauthorized_user.username,
            "api-testing",
            f"{self.live_server_url}/xml-rpc/",
        ).server

        with self.assertRaisesRegex(ProtocolError, "403 Forbidden"):
            rpc_client.TestCase.remove_tag(self.testcase.pk, self.tag0.name)

        # tags were not modified
        tag_exists = TestCase.objects.filter(pk=self.testcase.pk,
                                             tag__pk=self.tag0.pk).exists()
        self.assertTrue(tag_exists)

        tag_exists = TestCase.objects.filter(pk=self.testcase.pk,
                                             tag__pk=self.tag1.pk).exists()
        self.assertFalse(tag_exists)
Exemple #2
0
class APIPermissionsTestCase(PermissionsTestMixin, test.LiveServerTestCase):
    http_method_names = ['api']
    permission_label = None
    serialized_rollback = True

    # NOTE: see comment in APITestCase._fixture_setup()
    def _fixture_setup(self):
        # restore the serialized data from initial migrations
        # this includes default groups and permissions
        super()._fixture_setup()

        self.check_mandatory_attributes()

        self.tester = UserFactory()
        self.tester.set_password('password')
        self.tester.save()

        # this is the XML-RPC ServerProxy with cookies support
        self.rpc_client = tcms_api.xmlrpc.TCMSXmlrpc(
            self.tester.username,
            'password',
            '%s/xml-rpc/' % self.live_server_url,
        ).server

    def verify_api_with_permission(self):
        """
            Call your RPC method under test here and assert the results
        """
        self.fail('Not implemented')

    def verify_api_without_permission(self):
        """
            Call your RPC method under test here and assert the results
        """
        self.fail('Not implemented')
Exemple #3
0
def create_request_user(username=None, password=None):
    if username:
        user = UserFactory(username=username)
    else:
        user = UserFactory()
    if password:
        user.set_password(password)
    else:
        user.set_password('password')
    user.save()
    return user
Exemple #4
0
 def test_check_unapplied_migrations(self):
     call_command("migrate", "bugs", "zero", verbosity=2, interactive=False)
     tester = UserFactory()
     tester.set_password("password")
     tester.save()
     self.client.login(  # nosec:B106:hardcoded_password_funcarg
         username=tester.username,
         password="******",
     )
     response = self.client.get("/", follow=True)
     self.assertContains(response, self.unapplied_migration_message)
Exemple #5
0
def create_request_user(username=None, password=None):
    if username:
        user = UserFactory(username=username)
    else:
        user = UserFactory()
    if password:
        user.set_password(password)
    else:
        user.set_password('password')
    user.save()
    return user
Exemple #6
0
    def test_add_case_without_permissions(self):
        unauthorized_user = UserFactory()
        unauthorized_user.set_password('api-testing')
        unauthorized_user.save()

        unauthorized_user.user_permissions.add(*Permission.objects.all())
        remove_perm_from_user(unauthorized_user, 'testruns.add_testcaserun')

        rpc_client = TCMSXmlrpc(unauthorized_user.username,
                                'api-testing',
                                '%s/xml-rpc/' % self.live_server_url).server

        with self.assertRaisesRegex(ProtocolError, '403 Forbidden'):
            rpc_client.TestRun.add_case(self.test_run.pk, self.test_case.pk)

        exists = TestCaseRun.objects.filter(run=self.test_run.pk, case=self.test_case.pk).exists()
        self.assertFalse(exists)
Exemple #7
0
    def test_add_tag_without_permissions(self):
        unauthorized_user = UserFactory()
        unauthorized_user.set_password('api-testing')
        unauthorized_user.save()

        unauthorized_user.user_permissions.add(*Permission.objects.all())
        remove_perm_from_user(unauthorized_user, 'testcases.add_testcasetag')

        rpc_client = xmlrpc.TCMSXmlrpc(unauthorized_user.username,
                                       'api-testing',
                                       '%s/xml-rpc/' % self.live_server_url).server

        with self.assertRaisesRegex(ProtocolError, '403 Forbidden'):
            rpc_client.TestCase.add_tag(self.testcase.pk, self.tag1.name)

        # tags were not modified
        tag_exists = TestCase.objects.filter(pk=self.testcase.pk, tag__pk=self.tag1.pk).exists()
        self.assertFalse(tag_exists)
Exemple #8
0
    def test_add_case_without_permissions(self):
        unauthorized_user = UserFactory()
        unauthorized_user.set_password("api-testing")
        unauthorized_user.save()

        unauthorized_user.user_permissions.add(*Permission.objects.all())
        remove_perm_from_user(unauthorized_user, "testruns.add_testexecution")

        rpc_client = xmlrpc.TCMSXmlrpc(
            unauthorized_user.username,
            "api-testing",
            "%s/xml-rpc/" % self.live_server_url,
        ).server

        with self.assertRaisesRegex(ProtocolError, "403 Forbidden"):
            rpc_client.TestRun.add_case(self.test_run.pk, self.test_case.pk)

        exists = TestExecution.objects.filter(run=self.test_run.pk,
                                              case=self.test_case.pk).exists()
        self.assertFalse(exists)
Exemple #9
0
class TestUserUpdate(APITestCase):
    """Test User.update"""
    def _fixture_setup(self):
        super()._fixture_setup()

        self.another_user = UserFactory()
        self.another_user.set_password('another-password')
        self.another_user.save()

        self.user_new_attrs = {
            'first_name': 'new first name',
            'last_name': 'new last name',
            'email': 'new email',
        }

    def setUp(self):
        super().setUp()
        # clear permissions b/c we set them inside individual tests
        self.api_user.user_permissions.all().delete()

    def tearDown(self):
        super().tearDown()
        self.api_user.set_password('api-testing')
        self.api_user.save()

    def test_update_myself(self):
        data = self.rpc_client.User.update(self.api_user.pk,
                                           self.user_new_attrs)
        self.assertEqual(data['first_name'], self.user_new_attrs['first_name'])
        self.assertEqual(data['last_name'], self.user_new_attrs['last_name'])
        self.assertEqual(data['email'], self.user_new_attrs['email'])

    def test_update_myself_without_passing_id(self):
        data = self.rpc_client.User.update(None, self.user_new_attrs)
        self.assertEqual(data['first_name'], self.user_new_attrs['first_name'])
        self.assertEqual(data['last_name'], self.user_new_attrs['last_name'])
        self.assertEqual(data['email'], self.user_new_attrs['email'])

    def test_update_other_missing_permission(self):
        new_values = {'some_attr': 'xxx'}
        with self.assertRaisesRegex(XmlRPCFault, "Permission denied"):
            self.rpc_client.User.update(self.another_user.pk, new_values)

    def test_update_other_with_proper_permission(self):
        user_should_have_perm(self.api_user, 'auth.change_user')

        data = self.rpc_client.User.update(self.another_user.pk,
                                           self.user_new_attrs)
        self.another_user.refresh_from_db()
        self.assertEqual(data['first_name'], self.another_user.first_name)
        self.assertEqual(data['last_name'], self.another_user.last_name)
        self.assertEqual(data['email'], self.another_user.email)

    def test_update_own_password(self):
        user_new_attrs = self.user_new_attrs.copy()
        new_password = '******'  # nosec:B105:hardcoded_password_string
        user_new_attrs[
            'password'] = new_password  # nosec:B105:hardcoded_password_string

        with self.assertRaisesRegex(XmlRPCFault, 'Old password is required'):
            self.rpc_client.User.update(self.api_user.pk, user_new_attrs)

        user_new_attrs['old_password'] = '******'  # nosec:B105
        with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"):
            self.rpc_client.User.update(self.api_user.pk, user_new_attrs)

        user_new_attrs[
            'old_password'] = '******'  # nosec:B105:hardcoded_password_string
        data = self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
        self.assertTrue('password' not in data)
        self.assertEqual(data['first_name'], user_new_attrs['first_name'])
        self.assertEqual(data['last_name'], user_new_attrs['last_name'])
        self.assertEqual(data['email'], user_new_attrs['email'])

        self.api_user.refresh_from_db()
        self.assertTrue(self.api_user.check_password(new_password))

    def test_update_another_user_password(self):
        user_should_have_perm(self.api_user, 'auth.change_user')

        user_new_attrs = self.user_new_attrs.copy()
        user_new_attrs[
            'password'] = '******'  # nosec:B105:hardcoded_password_string

        with self.assertRaisesRegex(
                XmlRPCFault,
                'Password updates for other users are not allowed via RPC!'):
            self.rpc_client.User.update(self.another_user.pk, user_new_attrs)
Exemple #10
0
class TestUserUpdate(XmlrpcAPIBaseTest):
    '''Test User.update'''
    def _fixture_setup(self):
        super(TestUserUpdate, self)._fixture_setup()

        self.another_user = UserFactory()
        self.another_user.set_password('another-password')
        self.another_user.save()

        self.user_new_attrs = {
            'first_name': 'new first name',
            'last_name': 'new last name',
            'email': 'new email',
        }

    def setUp(self):
        super(TestUserUpdate, self).setUp()
        # clear permissions b/c we set them inside individual tests
        self.api_user.user_permissions.all().delete()

    def tearDown(self):
        super(TestUserUpdate, self).tearDown()
        self.api_user.set_password('api-testing')
        self.api_user.save()

    def test_update_myself(self):
        data = self.rpc_client.User.update(self.user_new_attrs,
                                           self.api_user.pk)
        self.assertEqual(data['first_name'], self.user_new_attrs['first_name'])
        self.assertEqual(data['last_name'], self.user_new_attrs['last_name'])
        self.assertEqual(data['email'], self.user_new_attrs['email'])

    def test_update_myself_without_passing_id(self):
        data = self.rpc_client.User.update(self.user_new_attrs)
        self.assertEqual(data['first_name'], self.user_new_attrs['first_name'])
        self.assertEqual(data['last_name'], self.user_new_attrs['last_name'])
        self.assertEqual(data['email'], self.user_new_attrs['email'])

    def test_update_other_missing_permission(self):
        new_values = {'some_attr': 'xxx'}
        with self.assertRaisesRegex(XmlRPCFault, "Permission denied"):
            self.rpc_client.User.update(new_values, self.another_user.pk)

    def test_update_other_with_proper_permission(self):
        user_should_have_perm(self.api_user, 'auth.change_user')

        data = self.rpc_client.User.update(self.user_new_attrs,
                                           self.another_user.pk)
        updated_user = User.objects.get(pk=self.another_user.pk)
        self.assertEqual(data['first_name'], updated_user.first_name)
        self.assertEqual(data['last_name'], updated_user.last_name)
        self.assertEqual(data['email'], updated_user.email)

    def test_update_own_password(self):
        user_new_attrs = self.user_new_attrs.copy()
        new_password = '******'
        user_new_attrs['password'] = new_password

        with self.assertRaisesRegex(XmlRPCFault, 'Old password is required'):
            self.rpc_client.User.update(user_new_attrs, self.api_user.pk)

        user_new_attrs['old_password'] = '******'
        with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"):
            self.rpc_client.User.update(user_new_attrs, self.api_user.pk)

        user_new_attrs['old_password'] = '******'
        data = self.rpc_client.User.update(user_new_attrs, self.api_user.pk)
        self.assertTrue('password' not in data)
        self.assertEqual(data['first_name'], user_new_attrs['first_name'])
        self.assertEqual(data['last_name'], user_new_attrs['last_name'])
        self.assertEqual(data['email'], user_new_attrs['email'])

        user = User.objects.get(pk=self.api_user.pk)
        self.assertTrue(user.check_password(new_password))

    def test_update_another_user_password(self):
        user_should_have_perm(self.api_user, 'auth.change_user')

        user_new_attrs = self.user_new_attrs.copy()
        user_new_attrs['password'] = '******'

        with self.assertRaisesRegex(
                XmlRPCFault,
                'Password updates for other users are not allowed via RPC!'):
            self.rpc_client.User.update(user_new_attrs, self.another_user.pk)
Exemple #11
0
class TestUserUpdate(APITestCase):
    """Test User.update"""
    def _fixture_setup(self):
        super()._fixture_setup()

        self.another_user = UserFactory()
        self.another_user.set_password("another-password")
        self.another_user.save()

        self.user_new_attrs = {
            "first_name": "new first name",
            "last_name": "new last name",
            "email": "new email",
        }

    def setUp(self):
        super().setUp()
        # clear permissions b/c we set them inside individual tests
        self.api_user.user_permissions.all().delete()

    def tearDown(self):
        super().tearDown()
        self.api_user.set_password("api-testing")
        self.api_user.save()

    def test_update_myself(self):
        data = self.rpc_client.User.update(self.api_user.pk,
                                           self.user_new_attrs)
        self.assertEqual(data["first_name"], self.user_new_attrs["first_name"])
        self.assertEqual(data["last_name"], self.user_new_attrs["last_name"])
        self.assertEqual(data["email"], self.user_new_attrs["email"])

    def test_update_myself_without_passing_id(self):
        data = self.rpc_client.User.update(None, self.user_new_attrs)
        self.assertEqual(data["first_name"], self.user_new_attrs["first_name"])
        self.assertEqual(data["last_name"], self.user_new_attrs["last_name"])
        self.assertEqual(data["email"], self.user_new_attrs["email"])

    def test_update_other_missing_permission(self):
        new_values = {"some_attr": "xxx"}
        with self.assertRaisesRegex(XmlRPCFault, "Permission denied"):
            self.rpc_client.User.update(self.another_user.pk, new_values)

    def test_update_other_with_proper_permission(self):
        user_should_have_perm(self.api_user, "auth.change_user")

        data = self.rpc_client.User.update(self.another_user.pk,
                                           self.user_new_attrs)
        self.another_user.refresh_from_db()
        self.assertEqual(data["first_name"], self.another_user.first_name)
        self.assertEqual(data["last_name"], self.another_user.last_name)
        self.assertEqual(data["email"], self.another_user.email)

    def test_update_own_password(self):
        user_new_attrs = self.user_new_attrs.copy()
        new_password = "******"  # nosec:B105:hardcoded_password_string
        user_new_attrs["password"  # nosec:B105:hardcoded_password_string
                       ] = new_password

        with self.assertRaisesRegex(XmlRPCFault, "Old password is required"):
            self.rpc_client.User.update(self.api_user.pk, user_new_attrs)

        user_new_attrs["old_password"] = "******"  # nosec:B105
        with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"):
            self.rpc_client.User.update(self.api_user.pk, user_new_attrs)

        user_new_attrs["old_password"  # nosec:B105:hardcoded_password_string
                       ] = "api-testing"
        data = self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
        self.assertTrue("password" not in data)
        self.assertEqual(data["first_name"], user_new_attrs["first_name"])
        self.assertEqual(data["last_name"], user_new_attrs["last_name"])
        self.assertEqual(data["email"], user_new_attrs["email"])

        self.api_user.refresh_from_db()
        self.assertTrue(self.api_user.check_password(new_password))

    def test_update_another_user_password(self):
        user_should_have_perm(self.api_user, "auth.change_user")

        user_new_attrs = self.user_new_attrs.copy()
        user_new_attrs["password"  # nosec:B105:hardcoded_password_string
                       ] = "new password"

        with self.assertRaisesRegex(
                XmlRPCFault,
                "Password updates for other users are not allowed via RPC!"):
            self.rpc_client.User.update(self.another_user.pk, user_new_attrs)