def test_mask_credentials(self): body = { # regular request information shouldn't be modified "code": 400, "detail": "Some error with potential password leak.", "type": "application/json", "path": "/users/random-test-user", "url": "http://localhost:2001/magpie/users/random-test-user", "method": "PATCH", # flagged password matches should be redacted "password": "******", # noqa # nosec "param": { "password_list": ["a", "b", "c"], # noqa # nosec "conditions": { "not_in": False }, "value": 4, "name": "password", # noqa # nosec "password": "******", # noqa # nosec "compare": "range(0, 12)", "very": { "very": { "deep": { "passwords": ["x", "y", "z"], # noqa # nosec "nested": [ { "password": "******", "else": "x" }, # noqa # nosec { "password": "******", "else": "y" }, # noqa # nosec { "password": "******", "else": "z" }, # noqa # nosec ] } } } } } redact = "[REDACTED]" expect = copy.deepcopy(body) expect["password"] = redact # noqa # nosec expect["param"]["password"] = redact # noqa # nosec expect["param"]["password_list"] = [redact, redact, redact] # noqa # nosec expect["param"]["very"]["very"]["deep"]["passwords"] = [ redact, redact, redact ] # noqa # nosec for item in expect["param"]["very"]["very"]["deep"]["nested"]: # noqa item["password"] = redact # noqa # nosec masked = mask_credentials(body, redact=redact) utils.check_val_equal(masked, expect)
def mock_get_post(real_func, *args, **kwargs): if args[1] != "password": return real_func(*args, **kwargs) request, args = args[0], args[1:] utils.check_val_equal( request.url, base_url + _paths.pop(0), "Proxied path should have been auto-resolved [URL: {}].". format(url)) return real_func(request, *args, **kwargs)
def test_get_header_split(self): headers = { "Content-Type": "{}; charset=UTF-8".format(CONTENT_TYPE_JSON) } for name in [ "content_type", "content-type", "Content_Type", "Content-Type", "CONTENT_TYPE", "CONTENT-TYPE" ]: for split in [";,", ",;", ";", (",", ";"), [";", ","]]: utils.check_val_equal(get_header(name, headers, split=split), CONTENT_TYPE_JSON)
def test_magpie_prefix_direct_request(self): base_url = "http://localhost" for url in ["http://localhost", "http://localhost/magpie"]: app = utils.get_test_magpie_app({"magpie.url": url}) path = "/version" resp = utils.test_request(app, "GET", path) utils.check_response_basic_info(resp) utils.check_val_equal( resp.request.url, base_url + path, "Proxied path should have been auto-resolved [URL: {}].". format(url))
def check_ui_resource_permissions(perm_form, resource_id, permissions): select_res_id = "permission_resource_{}".format(resource_id) select_options = perm_form.fields[ select_res_id] # contains multiple select, one per applicable permission utils.check_val_equal( len(select_options), 2, msg="Always 2 select combobox expected (read and write).") select_values = [select.value for select in select_options] if not permissions: utils.check_all_equal( ["", ""], select_values, msg="When no permission is selected, values are empty") return # value must match exactly the *explicit* permission representation for r_perm in permissions: utils.check_val_is_in(r_perm, select_values)
def test_register_permissions_existing_group_without_intermediate_entries( self): utils.TestSetup.create_TestService( self, override_service_name=self.test_perm_svc_name, override_service_type=ServiceAPI.service_type) utils.TestSetup.create_TestGroup( self, override_group_name=self.test_perm_grp_name) session = get_db_session_from_settings(self.app.app.registry.settings) res1_name = "test-resource" res2_name = "sub-test-resource" res3_name = "sub-sub-test-resource" res3_perm = Permission.WRITE_MATCH perm_config = { "permissions": [ { "service": self.test_perm_svc_name, # exists "resource": res1_name + "/" + res2_name + "/" + res3_name, # none exist, all created for perm "permission": res3_perm.value, # perm only to lowest child "action": "create", "group": self.test_perm_grp_name, }, ] } utils.check_no_raise( lambda: register.magpie_register_permissions_from_config( perm_config, db_session=session)) # check that all service, resources, group are created correctly services = utils.TestSetup.get_RegisteredServicesList(self) utils.check_val_is_in(self.test_perm_svc_name, [s["service_name"] for s in services]) groups = utils.TestSetup.get_RegisteredGroupsList(self) utils.check_val_is_in(self.test_perm_grp_name, groups) resp = utils.test_request( self.app, "GET", "/services/{}/resources".format(self.test_perm_svc_name)) body = utils.check_response_basic_info(resp) svc_res = body[self.test_perm_svc_name]["resources"] svc_res_id = body[self.test_perm_svc_name]["resource_id"] utils.check_val_is_in(res1_name, [svc_res[r]["resource_name"] for r in svc_res]) res1_id = [ svc_res[r]["resource_id"] for r in svc_res if svc_res[r]["resource_name"] == res1_name ][0] res1_sub = svc_res[str(res1_id)]["children"] utils.check_val_is_in(res2_name, [res1_sub[r]["resource_name"] for r in res1_sub]) res2_id = [ res1_sub[r]["resource_id"] for r in res1_sub if res1_sub[r]["resource_name"] == res2_name ][0] res2_sub = res1_sub[str(res2_id)]["children"] utils.check_val_is_in(res3_name, [res2_sub[r]["resource_name"] for r in res2_sub]) res3_id = [ res2_sub[r]["resource_id"] for r in res2_sub if res2_sub[r]["resource_name"] == res3_name ][0] # check that all permissions are created correctly (only for final item) path = "/groups/{}/resources/{}/permissions".format( self.test_perm_grp_name, svc_res_id) resp = utils.test_request(self.app, "GET", path) body = utils.check_response_basic_info(resp) utils.check_val_equal(body["permission_names"], []) path = "/groups/{}/resources/{}/permissions".format( self.test_perm_grp_name, res1_id) resp = utils.test_request(self.app, "GET", path) body = utils.check_response_basic_info(resp) utils.check_val_equal(body["permission_names"], []) path = "/groups/{}/resources/{}/permissions".format( self.test_perm_grp_name, res2_id) resp = utils.test_request(self.app, "GET", path) body = utils.check_response_basic_info(resp) utils.check_val_equal(body["permission_names"], []) path = "/groups/{}/resources/{}/permissions".format( self.test_perm_grp_name, res3_id) resp = utils.test_request(self.app, "GET", path) body = utils.check_response_basic_info(resp) utils.check_all_equal(body["permission_names"], [res3_perm.value])
def test_compare_and_sort_operations(self): perm_ram = PermissionSet(Permission.READ, Access.ALLOW, Scope.MATCH) perm_rar = PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE) perm_rdm = PermissionSet(Permission.READ, Access.DENY, Scope.MATCH) perm_rdr = PermissionSet(Permission.READ, Access.DENY, Scope.RECURSIVE) perm_wam = PermissionSet(Permission.WRITE, Access.ALLOW, Scope.MATCH) perm_war = PermissionSet(Permission.WRITE, Access.ALLOW, Scope.RECURSIVE) perm_wdm = PermissionSet(Permission.WRITE, Access.DENY, Scope.MATCH) perm_wdr = PermissionSet(Permission.WRITE, Access.DENY, Scope.RECURSIVE) perm_sorted = [ perm_ram, perm_rar, perm_rdm, perm_rdr, perm_wam, perm_war, perm_wdm, perm_wdr ] perm_random = [ perm_rdr, perm_wam, perm_wdm, perm_rar, perm_war, perm_ram, perm_wdr, perm_rdm ] utils.check_val_equal( perm_rar, Permission.READ, msg="Should be equal because of defaults and name conversion") utils.check_val_not_equal(perm_rar, Permission.WRITE, msg="Not equal because of mismatch name") utils.check_val_equal( perm_rar, perm_rar.json(), msg="Pre-convert any known representation before equal check") utils.check_all_equal(list(sorted(perm_random)), perm_sorted, any_order=False) # cannot sort elements with other type representations although 'PermissionSet' can, because they don't know it # (ie: str.__lt__ and dict.__ls__ could be called with 'other' being 'PermissionSet' depending on random order) # can still do the individual compares though if the reference object is 'PermissionSet' and other is anything utils.check_val_equal(perm_sorted[0] < perm_sorted[1], True) utils.check_val_equal(perm_sorted[0] < perm_sorted[1].json(), True) utils.check_val_equal( perm_sorted[0] < perm_sorted[1].implicit_permission, True) utils.check_val_equal( perm_sorted[0] < perm_sorted[1].explicit_permission, True) utils.check_val_equal(perm_sorted[0] > perm_sorted[1], False) utils.check_val_equal(perm_sorted[0] > perm_sorted[1].json(), False) utils.check_val_equal( perm_sorted[0] > perm_sorted[1].implicit_permission, False) utils.check_val_equal( perm_sorted[0] > perm_sorted[1].explicit_permission, False) # validate similarity comparison with inplace conversion at the same time for perm_1, perm_2 in itertools.product(perm_sorted[0:4], perm_sorted[0:4]): utils.check_val_equal(perm_1.like(perm_2.json()), True, msg="Expected {!r} ~ {!r}".format( perm_1, perm_2)) for perm_1, perm_2 in itertools.product(perm_sorted[0:4], perm_sorted[4:8]): utils.check_val_equal(perm_1.like(perm_2.json()), False, msg="Expected {!r} !~ {!r}".format( perm_1, perm_2))
def test_permission_convert_from_acl(self): """ Conversion from Pyramid ACL definition. Validate various implicit conversion of permission elements to explicit definition. """ utils.warn_version(__meta__.__version__, "permission set conversion", "3.0", skip=True) perm = PermissionSet((Allow, 1, "write-deny-match")) utils.check_val_equal(perm.name, Permission.WRITE) utils.check_val_equal( perm.access, Access.DENY, msg="Explicit permission name prioritized over ACL access") utils.check_val_equal(perm.scope, Scope.MATCH) utils.check_val_equal(perm.type, PermissionType.DIRECT, msg="Should infer direct from user ID.") perm = PermissionSet((Deny, "group:1", "read")) utils.check_val_equal(perm.name, Permission.READ) utils.check_val_equal(perm.access, Access.DENY) utils.check_val_equal(perm.scope, Scope.RECURSIVE) utils.check_val_equal( perm.type, PermissionType.INHERITED, msg="Should infer inherited from group specifier.") utils.check_raises( lambda: PermissionSet((Allow, "group:1", ALL_PERMISSIONS)), TypeError, msg= "Don't allow any object that makes the permission name not explicitly defined." )
def test_permission_convert_from_tuple(self): """ Conversion from Ziggurat :class:`PermissionTuple` object. Validate various implicit conversion of permission elements to explicit definition. """ utils.warn_version(__meta__.__version__, "permission set conversion", "3.0", skip=True) perm = PermissionSet( PermissionTuple( "user-name", "write-deny-match", "user", # important: perm-name & type "group_id", "resource_id", "owner", "allowed")) # these doesn't matter utils.check_val_equal(perm.name, Permission.WRITE) utils.check_val_equal(perm.access, Access.DENY) utils.check_val_equal(perm.scope, Scope.MATCH) utils.check_val_equal( perm.type, PermissionType.DIRECT, msg="PermissionTuple should also help identify type") perm = PermissionSet( PermissionTuple( "user-name", "write-deny-match", "group", # important: perm-name & type "group_id", "resource_id", "owner", "allowed")) # these doesn't matter utils.check_val_equal(perm.name, Permission.WRITE) utils.check_val_equal(perm.access, Access.DENY) utils.check_val_equal(perm.scope, Scope.MATCH) utils.check_val_equal( perm.type, PermissionType.INHERITED, msg="PermissionTuple should also help identify type")
def test_permission_convert_from_json(self): """ Conversion by JSON definition. Validate various implicit conversion of permission JSON definition. """ utils.warn_version(__meta__.__version__, "permission set conversion", "3.0", skip=True) perm = PermissionSet({ "name": Permission.WRITE, "access": Access.DENY, "scope": Scope.MATCH }) utils.check_val_equal(perm.name, Permission.WRITE) utils.check_val_equal(perm.access, Access.DENY) utils.check_val_equal(perm.scope, Scope.MATCH) perm = PermissionSet({ "name": Permission.WRITE.value, "access": Access.DENY.value, "scope": Scope.MATCH.value }) utils.check_val_equal(perm.name, Permission.WRITE) utils.check_val_equal(perm.access, Access.DENY) utils.check_val_equal(perm.scope, Scope.MATCH)
def test_permission_convert_from_enum(self): """ Conversion by enum values. Validate various implicit conversion of permission name string to explicit definition. """ utils.warn_version(__meta__.__version__, "permission set conversion", "3.0", skip=True) perm = PermissionSet(Permission.READ) utils.check_val_equal(perm.name, Permission.READ) utils.check_val_equal(perm.access, Access.ALLOW) utils.check_val_equal(perm.scope, Scope.RECURSIVE) perm = PermissionSet(Permission.WRITE, access="deny") utils.check_val_equal(perm.name, Permission.WRITE) utils.check_val_equal(perm.access, Access.DENY) utils.check_val_equal(perm.scope, Scope.RECURSIVE)
def test_permission_convert_from_string(self): """ Conversion by implicit/explicit name. Validate various implicit conversion of permission name string to explicit definition. """ utils.warn_version(__meta__.__version__, "permission set conversion", "3.0", skip=True) perm = PermissionSet("read") # old implicit format utils.check_val_equal(perm.name, Permission.READ) utils.check_val_equal(perm.access, Access.ALLOW) utils.check_val_equal(perm.scope, Scope.RECURSIVE) perm = PermissionSet("read-match") # old format utils.check_val_equal(perm.name, Permission.READ) utils.check_val_equal(perm.access, Access.ALLOW) utils.check_val_equal(perm.scope, Scope.MATCH) perm = PermissionSet("read-allow-match") # new explicit format utils.check_val_equal(perm.name, Permission.READ) utils.check_val_equal(perm.access, Access.ALLOW) utils.check_val_equal(perm.scope, Scope.MATCH) perm = PermissionSet("read-allow-recursive") utils.check_val_equal(perm.name, Permission.READ) utils.check_val_equal(perm.access, Access.ALLOW) utils.check_val_equal(perm.scope, Scope.RECURSIVE) perm = PermissionSet("read-deny-match") utils.check_val_equal(perm.name, Permission.READ) utils.check_val_equal(perm.access, Access.DENY) utils.check_val_equal(perm.scope, Scope.MATCH)
def test_guess_target_format_default(self): request = utils.mock_request() content_type, where = ag.guess_target_format(request) utils.check_val_equal(content_type, CONTENT_TYPE_JSON) utils.check_val_equal(where, True)
def test_enum_get_by_value(self): utils.check_val_equal(DummyEnum.get("value-1"), DummyEnum.VALUE1) utils.check_val_equal(DummyEnum.get("VALUE1"), DummyEnum.VALUE1) utils.check_val_equal(DummyEnum.get("random"), None) utils.check_val_equal(DummyEnum.get("random", "something"), "something")
def test_get_query_param(self): resp = utils.mock_request("/some/path") v = ar.get_query_param(resp, "value") utils.check_val_equal(v, None) resp = utils.mock_request("/some/path?other=test") v = ar.get_query_param(resp, "value") utils.check_val_equal(v, None) resp = utils.mock_request("/some/path?other=test") v = ar.get_query_param(resp, "value", True) utils.check_val_equal(v, True) resp = utils.mock_request("/some/path?value=test") v = ar.get_query_param(resp, "value", True) utils.check_val_equal(v, "test") resp = utils.mock_request("/some/path?query=value") v = ar.get_query_param(resp, "query") utils.check_val_equal(v, "value") resp = utils.mock_request("/some/path?QUERY=VALUE") v = ar.get_query_param(resp, "query") utils.check_val_equal(v, "VALUE") resp = utils.mock_request("/some/path?QUERY=VALUE") v = asbool(ar.get_query_param(resp, "query")) utils.check_val_equal(v, False) resp = utils.mock_request("/some/path?Query=TRUE") v = asbool(ar.get_query_param(resp, "query")) utils.check_val_equal(v, True)
def test_register_permissions_multiple_resource_type_possible(self): """ Verify that service that allows multiple resource-types children retrieves ``type`` field for their creation. """ svc_type = ServiceTHREDDS.service_type svc_name = "unittest-service-thredds-register-children-resources" utils.TestSetup.create_TestService(self, override_service_name=svc_name, override_service_type=svc_type) utils.TestSetup.create_TestGroup( self, override_group_name=self.test_perm_grp_name) session = get_db_session_from_settings(self.app.app.registry.settings) res1_name = "test-resource" res2_name = "sub-test-resource" res3_name = "sub-sub-test-resource" res3_perm = "write-deny-recursive" res3_path = res1_name + "/" + res2_name + "/" + res3_name # none exist, all created for final permission perm_config = { "permissions": [ { "service": svc_name, # exists "resource": res3_path, "permission": res3_perm, # perm only on lowest child "type": Directory. resource_type_name, # without this, fails because cannot infer Directory/File "action": "create", "group": self.test_perm_grp_name, }, ] } utils.check_no_raise( lambda: register.magpie_register_permissions_from_config( perm_config, db_session=session)) # check that all service, resources, group are created correctly services = utils.TestSetup.get_RegisteredServicesList(self) utils.check_val_is_in(svc_name, [s["service_name"] for s in services]) groups = utils.TestSetup.get_RegisteredGroupsList(self) utils.check_val_is_in(self.test_perm_grp_name, groups) resp = utils.test_request(self.app, "GET", "/services/{}/resources".format(svc_name)) body = utils.check_response_basic_info(resp) svc_res = body[svc_name]["resources"] # type: JSON utils.check_val_is_in(res1_name, [svc_res[r]["resource_name"] for r in svc_res]) res1_id = [ svc_res[r]["resource_id"] for r in svc_res if svc_res[r]["resource_name"] == res1_name ][0] res1_sub = svc_res[str(res1_id)]["children"] # type: JSON utils.check_val_is_in(res2_name, [res1_sub[r]["resource_name"] for r in res1_sub]) res2_id = [ res1_sub[r]["resource_id"] for r in res1_sub if res1_sub[r]["resource_name"] == res2_name ][0] res2_sub = res1_sub[str(res2_id)]["children"] # type: JSON utils.check_val_is_in(res3_name, [res2_sub[r]["resource_name"] for r in res2_sub]) res3_id = [ res2_sub[r]["resource_id"] for r in res2_sub if res2_sub[r]["resource_name"] == res3_name ][0] path = "/groups/{}/resources/{}/permissions".format( self.test_perm_grp_name, res3_id) resp = utils.test_request(self.app, "GET", path) body = utils.check_response_basic_info(resp) utils.check_val_is_in(res3_perm, body["permission_names"]) # validate that without the 'type', similar resource would not be created due to missing information res_missing_type_name = "missing-type" res_missing_type_path = res3_path.replace("/" + res3_name, "/" + res_missing_type_name) missing_type_perm_config = copy.deepcopy(perm_config) # type: JSON missing_type_perm_config["permissions"][0].pop("type") missing_type_perm_config["permissions"][0][ "resource"] = res_missing_type_path utils.check_no_raise( lambda: register.magpie_register_permissions_from_config( missing_type_perm_config, db_session=session)) resp = utils.test_request(self.app, "GET", "/resources/{}".format(res2_id)) body = utils.check_response_basic_info(resp) res_children = body["resource"]["children"] res_found = [ res for _, res in res_children.items() if res["resource_name"] == res_missing_type_name ] utils.check_val_equal(res_found, [])