def setup_test_public_workspace_variable(self):
username = self.username
user_authz_headers = self.user_authz_headers
env_vars = dict(process.AUTHN_SETTINGS)
process.ensure_layman_function(env_vars)
process_client.reserve_username(username, headers=user_authz_headers)
yield
def test_check_user_wms():
user = '******' + settings.LAYMAN_GS_WMS_WORKSPACE_POSTFIX
auth_headers = process_client.get_authz_headers(user)
with pytest.raises(LaymanError) as exc_info:
process_client.reserve_username(user, headers=auth_headers)
assert exc_info.value.http_code == 400
assert exc_info.value.code == 45
assert exc_info.value.data['workspace_name'] == user
def setup_user_layer(username, layername, authn_headers):
process_client.reserve_username(username, headers=authn_headers)
process_client.publish_workspace_layer(
username,
layername,
file_paths=[
'tmp/naturalearth/110m/cultural/ne_110m_admin_0_countries.geojson',
],
headers=authn_headers)
def test_wfs_proxy():
username = '******'
layername1 = 'ne_countries'
username2 = 'testproxy2'
authn_headers1 = get_authz_headers(username)
process_client.reserve_username(username, headers=authn_headers1)
process_client.publish_workspace_layer(username,
layername1,
headers=authn_headers1)
data_xml = data_wfs.get_wfs20_insert_points(username, layername1)
process_client.post_wfst(data_xml,
headers=authn_headers1,
workspace=username)
# Testing, that user1 is able to write his own layer through general WFS endpoint
process_client.post_wfst(data_xml, headers=authn_headers1)
# Testing, that user2 is not able to write to layer of user1
authn_headers2 = get_authz_headers(username2)
process_client.reserve_username(username2, headers=authn_headers2)
with pytest.raises(GS_Error) as exc:
process_client.post_wfst(data_xml,
headers=authn_headers2,
workspace=username)
assert exc.value.data['status_code'] == 400
# Testing, that user2 is not able to write user1's layer through general WFS endpoint
with pytest.raises(GS_Error) as exc:
process_client.post_wfst(data_xml, headers=authn_headers2)
assert exc.value.data['status_code'] == 400
# Test anonymous
with pytest.raises(GS_Error) as exc:
process_client.post_wfst(data_xml, workspace=username)
assert exc.value.data['status_code'] == 400
# Test fraud header
headers_fraud = {
settings.LAYMAN_GS_AUTHN_HTTP_HEADER_ATTRIBUTE: username,
}
with pytest.raises(GS_Error) as exc:
process_client.post_wfst(data_xml, headers=headers_fraud)
assert exc.value.data['status_code'] == 400
process_client.delete_workspace_layer(username,
layername1,
headers=authn_headers1)
def test_missing_attribute_authz():
username = '******'
layername1 = 'testmissingattr_authz_layer'
username2 = 'testmissingattr_authz2'
authn_headers1 = get_authz_headers(username)
authn_headers2 = get_authz_headers(username2)
def do_test(wfs_query, attribute_names):
# Test, that unauthorized user will not cause new attribute
with app.app_context():
old_db_attributes = db.get_all_column_names(username, layername1)
for attr_name in attribute_names:
assert attr_name not in old_db_attributes, f"old_db_attributes={old_db_attributes}, attr_name={attr_name}"
with pytest.raises(GS_Error) as exc:
process_client.post_wfst(wfs_query,
headers=authn_headers2,
workspace=username)
assert exc.value.data['status_code'] == 400
with app.app_context():
new_db_attributes = db.get_all_column_names(username, layername1)
for attr_name in attribute_names:
assert attr_name not in new_db_attributes, f"new_db_attributes={new_db_attributes}, attr_name={attr_name}"
# Test, that authorized user will cause new attribute
process_client.post_wfst(wfs_query,
headers=authn_headers1,
workspace=username)
with app.app_context():
new_db_attributes = db.get_all_column_names(username, layername1)
for attr_name in attribute_names:
assert attr_name in new_db_attributes, f"new_db_attributes={new_db_attributes}, attr_name={attr_name}"
process_client.reserve_username(username, headers=authn_headers1)
process_client.publish_workspace_layer(
username,
layername1,
file_paths=[
'tmp/naturalearth/110m/cultural/ne_110m_admin_0_countries.geojson',
],
headers=authn_headers1)
# Testing, that user2 is not able to write to layer of user1
process_client.reserve_username(username2, headers=authn_headers2)
# INSERT
attr_names = ['inexisting_attribute_auth1', 'inexisting_attribute_auth2']
data_xml = data_wfs.get_wfs20_insert_points_new_attr(
username, layername1, attr_names)
do_test(data_xml, attr_names)
# UPDATE
attr_names = ['inexisting_attribute_auth3', 'inexisting_attribute_auth4']
data_xml = data_wfs.get_wfs20_update_points_new_attr(
username, layername1, attr_names)
do_test(data_xml, attr_names)
process_client.delete_workspace_layer(username,
layername1,
headers=authn_headers1)
def test_map_with_unauthorized_layer():
username1 = 'test_map_with_unauthorized_layer_user1'
layername1 = 'test_map_with_unauthorized_layer_layer1'
mapname1 = 'test_map_with_unauthorized_layer_map1'
username2 = 'test_map_with_unauthorized_layer_user2'
layername2 = 'test_map_with_unauthorized_layer_layer2'
user1_authz_headers = process_client.get_authz_headers(username1)
user2_authz_headers = process_client.get_authz_headers(username2)
process_client.reserve_username(username1, headers=user1_authz_headers)
process_client.reserve_username(username2, headers=user2_authz_headers)
process_client.publish_workspace_layer(username1,
layername1,
headers=user1_authz_headers)
process_client.publish_workspace_layer(username2,
layername2,
headers=user2_authz_headers)
# assert users have access only to their own layer
process_client.assert_workspace_layers(username1, [layername1],
headers=user1_authz_headers)
process_client.assert_workspace_layers(username1, [],
headers=user2_authz_headers)
process_client.assert_workspace_layers(username2, [layername2],
headers=user2_authz_headers)
process_client.assert_workspace_layers(username2, [],
headers=user1_authz_headers)
# publish map composed of layers of both users, read for everyone
process_client.publish_workspace_map(
username1,
mapname1,
file_paths=['sample/layman.map/internal_url_unauthorized_layer.json'],
access_rights={
'read': 'EVERYONE',
'write': f"{username1},{username2}",
},
headers=user1_authz_headers,
)
process_client.assert_workspace_maps(username1, [mapname1],
headers=user1_authz_headers)
process_client.assert_workspace_maps(username1, [mapname1],
headers=user2_authz_headers)
layer1_uuid = process_client.get_workspace_layer(
username1, layername1, headers=user1_authz_headers)['uuid']
layer2_uuid = process_client.get_workspace_layer(
username2, layername2, headers=user2_authz_headers)['uuid']
# assert that metadata property operates_on contains only layers visible to publisher, whoever is asking and has read access to the map
assert_operates_on(username1,
mapname1, [(layer1_uuid, layername1)],
authz_headers=user1_authz_headers)
assert_operates_on(username1,
mapname1, [(layer1_uuid, layername1)],
authz_headers=user2_authz_headers)
process_client.patch_workspace_map(username1,
mapname1,
headers=user2_authz_headers)
# assert that metadata property operates_on contains only layers visible to last publisher, whoever is asking and has read access to the map
assert_operates_on(username1,
mapname1, [(layer2_uuid, layername2)],
authz_headers=user1_authz_headers)
assert_operates_on(username1,
mapname1, [(layer2_uuid, layername2)],
authz_headers=user2_authz_headers)
# clean up
process_client.delete_workspace_map(username1,
mapname1,
headers=user1_authz_headers)
process_client.delete_workspace_layer(username1,
layername1,
headers=user1_authz_headers)
process_client.delete_workspace_layer(username2,
layername2,
headers=user2_authz_headers)