def test_remove_tag_without_permissions(self): unauthorized_user = UserFactory() unauthorized_user.set_password("api-testing") unauthorized_user.save() unauthorized_user.user_permissions.add(*Permission.objects.all()) remove_perm_from_user(unauthorized_user, "testcases.delete_testcasetag") rpc_client = xmlrpc.TCMSXmlrpc( unauthorized_user.username, "api-testing", f"{self.live_server_url}/xml-rpc/", ).server with self.assertRaisesRegex(ProtocolError, "403 Forbidden"): rpc_client.TestCase.remove_tag(self.testcase.pk, self.tag0.name) # tags were not modified tag_exists = TestCase.objects.filter(pk=self.testcase.pk, tag__pk=self.tag0.pk).exists() self.assertTrue(tag_exists) tag_exists = TestCase.objects.filter(pk=self.testcase.pk, tag__pk=self.tag1.pk).exists() self.assertFalse(tag_exists)
class APIPermissionsTestCase(PermissionsTestMixin, test.LiveServerTestCase): http_method_names = ['api'] permission_label = None serialized_rollback = True # NOTE: see comment in APITestCase._fixture_setup() def _fixture_setup(self): # restore the serialized data from initial migrations # this includes default groups and permissions super()._fixture_setup() self.check_mandatory_attributes() self.tester = UserFactory() self.tester.set_password('password') self.tester.save() # this is the XML-RPC ServerProxy with cookies support self.rpc_client = tcms_api.xmlrpc.TCMSXmlrpc( self.tester.username, 'password', '%s/xml-rpc/' % self.live_server_url, ).server def verify_api_with_permission(self): """ Call your RPC method under test here and assert the results """ self.fail('Not implemented') def verify_api_without_permission(self): """ Call your RPC method under test here and assert the results """ self.fail('Not implemented')
def create_request_user(username=None, password=None): if username: user = UserFactory(username=username) else: user = UserFactory() if password: user.set_password(password) else: user.set_password('password') user.save() return user
def test_check_unapplied_migrations(self): call_command("migrate", "bugs", "zero", verbosity=2, interactive=False) tester = UserFactory() tester.set_password("password") tester.save() self.client.login( # nosec:B106:hardcoded_password_funcarg username=tester.username, password="******", ) response = self.client.get("/", follow=True) self.assertContains(response, self.unapplied_migration_message)
def test_add_case_without_permissions(self): unauthorized_user = UserFactory() unauthorized_user.set_password('api-testing') unauthorized_user.save() unauthorized_user.user_permissions.add(*Permission.objects.all()) remove_perm_from_user(unauthorized_user, 'testruns.add_testcaserun') rpc_client = TCMSXmlrpc(unauthorized_user.username, 'api-testing', '%s/xml-rpc/' % self.live_server_url).server with self.assertRaisesRegex(ProtocolError, '403 Forbidden'): rpc_client.TestRun.add_case(self.test_run.pk, self.test_case.pk) exists = TestCaseRun.objects.filter(run=self.test_run.pk, case=self.test_case.pk).exists() self.assertFalse(exists)
def test_add_tag_without_permissions(self): unauthorized_user = UserFactory() unauthorized_user.set_password('api-testing') unauthorized_user.save() unauthorized_user.user_permissions.add(*Permission.objects.all()) remove_perm_from_user(unauthorized_user, 'testcases.add_testcasetag') rpc_client = xmlrpc.TCMSXmlrpc(unauthorized_user.username, 'api-testing', '%s/xml-rpc/' % self.live_server_url).server with self.assertRaisesRegex(ProtocolError, '403 Forbidden'): rpc_client.TestCase.add_tag(self.testcase.pk, self.tag1.name) # tags were not modified tag_exists = TestCase.objects.filter(pk=self.testcase.pk, tag__pk=self.tag1.pk).exists() self.assertFalse(tag_exists)
def test_add_case_without_permissions(self): unauthorized_user = UserFactory() unauthorized_user.set_password("api-testing") unauthorized_user.save() unauthorized_user.user_permissions.add(*Permission.objects.all()) remove_perm_from_user(unauthorized_user, "testruns.add_testexecution") rpc_client = xmlrpc.TCMSXmlrpc( unauthorized_user.username, "api-testing", "%s/xml-rpc/" % self.live_server_url, ).server with self.assertRaisesRegex(ProtocolError, "403 Forbidden"): rpc_client.TestRun.add_case(self.test_run.pk, self.test_case.pk) exists = TestExecution.objects.filter(run=self.test_run.pk, case=self.test_case.pk).exists() self.assertFalse(exists)
class TestUserUpdate(APITestCase): """Test User.update""" def _fixture_setup(self): super()._fixture_setup() self.another_user = UserFactory() self.another_user.set_password('another-password') self.another_user.save() self.user_new_attrs = { 'first_name': 'new first name', 'last_name': 'new last name', 'email': 'new email', } def setUp(self): super().setUp() # clear permissions b/c we set them inside individual tests self.api_user.user_permissions.all().delete() def tearDown(self): super().tearDown() self.api_user.set_password('api-testing') self.api_user.save() def test_update_myself(self): data = self.rpc_client.User.update(self.api_user.pk, self.user_new_attrs) self.assertEqual(data['first_name'], self.user_new_attrs['first_name']) self.assertEqual(data['last_name'], self.user_new_attrs['last_name']) self.assertEqual(data['email'], self.user_new_attrs['email']) def test_update_myself_without_passing_id(self): data = self.rpc_client.User.update(None, self.user_new_attrs) self.assertEqual(data['first_name'], self.user_new_attrs['first_name']) self.assertEqual(data['last_name'], self.user_new_attrs['last_name']) self.assertEqual(data['email'], self.user_new_attrs['email']) def test_update_other_missing_permission(self): new_values = {'some_attr': 'xxx'} with self.assertRaisesRegex(XmlRPCFault, "Permission denied"): self.rpc_client.User.update(self.another_user.pk, new_values) def test_update_other_with_proper_permission(self): user_should_have_perm(self.api_user, 'auth.change_user') data = self.rpc_client.User.update(self.another_user.pk, self.user_new_attrs) self.another_user.refresh_from_db() self.assertEqual(data['first_name'], self.another_user.first_name) self.assertEqual(data['last_name'], self.another_user.last_name) self.assertEqual(data['email'], self.another_user.email) def test_update_own_password(self): user_new_attrs = self.user_new_attrs.copy() new_password = '******' # nosec:B105:hardcoded_password_string user_new_attrs[ 'password'] = new_password # nosec:B105:hardcoded_password_string with self.assertRaisesRegex(XmlRPCFault, 'Old password is required'): self.rpc_client.User.update(self.api_user.pk, user_new_attrs) user_new_attrs['old_password'] = '******' # nosec:B105 with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"): self.rpc_client.User.update(self.api_user.pk, user_new_attrs) user_new_attrs[ 'old_password'] = '******' # nosec:B105:hardcoded_password_string data = self.rpc_client.User.update(self.api_user.pk, user_new_attrs) self.assertTrue('password' not in data) self.assertEqual(data['first_name'], user_new_attrs['first_name']) self.assertEqual(data['last_name'], user_new_attrs['last_name']) self.assertEqual(data['email'], user_new_attrs['email']) self.api_user.refresh_from_db() self.assertTrue(self.api_user.check_password(new_password)) def test_update_another_user_password(self): user_should_have_perm(self.api_user, 'auth.change_user') user_new_attrs = self.user_new_attrs.copy() user_new_attrs[ 'password'] = '******' # nosec:B105:hardcoded_password_string with self.assertRaisesRegex( XmlRPCFault, 'Password updates for other users are not allowed via RPC!'): self.rpc_client.User.update(self.another_user.pk, user_new_attrs)
class TestUserUpdate(XmlrpcAPIBaseTest): '''Test User.update''' def _fixture_setup(self): super(TestUserUpdate, self)._fixture_setup() self.another_user = UserFactory() self.another_user.set_password('another-password') self.another_user.save() self.user_new_attrs = { 'first_name': 'new first name', 'last_name': 'new last name', 'email': 'new email', } def setUp(self): super(TestUserUpdate, self).setUp() # clear permissions b/c we set them inside individual tests self.api_user.user_permissions.all().delete() def tearDown(self): super(TestUserUpdate, self).tearDown() self.api_user.set_password('api-testing') self.api_user.save() def test_update_myself(self): data = self.rpc_client.User.update(self.user_new_attrs, self.api_user.pk) self.assertEqual(data['first_name'], self.user_new_attrs['first_name']) self.assertEqual(data['last_name'], self.user_new_attrs['last_name']) self.assertEqual(data['email'], self.user_new_attrs['email']) def test_update_myself_without_passing_id(self): data = self.rpc_client.User.update(self.user_new_attrs) self.assertEqual(data['first_name'], self.user_new_attrs['first_name']) self.assertEqual(data['last_name'], self.user_new_attrs['last_name']) self.assertEqual(data['email'], self.user_new_attrs['email']) def test_update_other_missing_permission(self): new_values = {'some_attr': 'xxx'} with self.assertRaisesRegex(XmlRPCFault, "Permission denied"): self.rpc_client.User.update(new_values, self.another_user.pk) def test_update_other_with_proper_permission(self): user_should_have_perm(self.api_user, 'auth.change_user') data = self.rpc_client.User.update(self.user_new_attrs, self.another_user.pk) updated_user = User.objects.get(pk=self.another_user.pk) self.assertEqual(data['first_name'], updated_user.first_name) self.assertEqual(data['last_name'], updated_user.last_name) self.assertEqual(data['email'], updated_user.email) def test_update_own_password(self): user_new_attrs = self.user_new_attrs.copy() new_password = '******' user_new_attrs['password'] = new_password with self.assertRaisesRegex(XmlRPCFault, 'Old password is required'): self.rpc_client.User.update(user_new_attrs, self.api_user.pk) user_new_attrs['old_password'] = '******' with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"): self.rpc_client.User.update(user_new_attrs, self.api_user.pk) user_new_attrs['old_password'] = '******' data = self.rpc_client.User.update(user_new_attrs, self.api_user.pk) self.assertTrue('password' not in data) self.assertEqual(data['first_name'], user_new_attrs['first_name']) self.assertEqual(data['last_name'], user_new_attrs['last_name']) self.assertEqual(data['email'], user_new_attrs['email']) user = User.objects.get(pk=self.api_user.pk) self.assertTrue(user.check_password(new_password)) def test_update_another_user_password(self): user_should_have_perm(self.api_user, 'auth.change_user') user_new_attrs = self.user_new_attrs.copy() user_new_attrs['password'] = '******' with self.assertRaisesRegex( XmlRPCFault, 'Password updates for other users are not allowed via RPC!'): self.rpc_client.User.update(user_new_attrs, self.another_user.pk)
class TestUserUpdate(APITestCase): """Test User.update""" def _fixture_setup(self): super()._fixture_setup() self.another_user = UserFactory() self.another_user.set_password("another-password") self.another_user.save() self.user_new_attrs = { "first_name": "new first name", "last_name": "new last name", "email": "new email", } def setUp(self): super().setUp() # clear permissions b/c we set them inside individual tests self.api_user.user_permissions.all().delete() def tearDown(self): super().tearDown() self.api_user.set_password("api-testing") self.api_user.save() def test_update_myself(self): data = self.rpc_client.User.update(self.api_user.pk, self.user_new_attrs) self.assertEqual(data["first_name"], self.user_new_attrs["first_name"]) self.assertEqual(data["last_name"], self.user_new_attrs["last_name"]) self.assertEqual(data["email"], self.user_new_attrs["email"]) def test_update_myself_without_passing_id(self): data = self.rpc_client.User.update(None, self.user_new_attrs) self.assertEqual(data["first_name"], self.user_new_attrs["first_name"]) self.assertEqual(data["last_name"], self.user_new_attrs["last_name"]) self.assertEqual(data["email"], self.user_new_attrs["email"]) def test_update_other_missing_permission(self): new_values = {"some_attr": "xxx"} with self.assertRaisesRegex(XmlRPCFault, "Permission denied"): self.rpc_client.User.update(self.another_user.pk, new_values) def test_update_other_with_proper_permission(self): user_should_have_perm(self.api_user, "auth.change_user") data = self.rpc_client.User.update(self.another_user.pk, self.user_new_attrs) self.another_user.refresh_from_db() self.assertEqual(data["first_name"], self.another_user.first_name) self.assertEqual(data["last_name"], self.another_user.last_name) self.assertEqual(data["email"], self.another_user.email) def test_update_own_password(self): user_new_attrs = self.user_new_attrs.copy() new_password = "******" # nosec:B105:hardcoded_password_string user_new_attrs["password" # nosec:B105:hardcoded_password_string ] = new_password with self.assertRaisesRegex(XmlRPCFault, "Old password is required"): self.rpc_client.User.update(self.api_user.pk, user_new_attrs) user_new_attrs["old_password"] = "******" # nosec:B105 with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"): self.rpc_client.User.update(self.api_user.pk, user_new_attrs) user_new_attrs["old_password" # nosec:B105:hardcoded_password_string ] = "api-testing" data = self.rpc_client.User.update(self.api_user.pk, user_new_attrs) self.assertTrue("password" not in data) self.assertEqual(data["first_name"], user_new_attrs["first_name"]) self.assertEqual(data["last_name"], user_new_attrs["last_name"]) self.assertEqual(data["email"], user_new_attrs["email"]) self.api_user.refresh_from_db() self.assertTrue(self.api_user.check_password(new_password)) def test_update_another_user_password(self): user_should_have_perm(self.api_user, "auth.change_user") user_new_attrs = self.user_new_attrs.copy() user_new_attrs["password" # nosec:B105:hardcoded_password_string ] = "new password" with self.assertRaisesRegex( XmlRPCFault, "Password updates for other users are not allowed via RPC!"): self.rpc_client.User.update(self.another_user.pk, user_new_attrs)