def test_accepted_dev_cant_authenticate(self, tenants_users_devices): dacd = ApiClient(deviceauth.URL_DEVICES) devauthm = ApiClient(deviceauth_v2.URL_MGMT) uc = ApiClient(useradm.URL_MGMT) tc = ApiClient(tenantadm.URL_INTERNAL) # accept a dev device = tenants_users_devices[0].devices[0] user = tenants_users_devices[0].users[0] r = uc.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text aset = device.authsets[0] change_authset_status(devauthm, aset.did, aset.id, 'accepted', utoken) # suspend r = tc.call('PUT', tenantadm.URL_INTERNAL_SUSPEND, tenantadm.req_status('suspended'), path_params={'tid': tenants_users_devices[0].id}) assert r.status_code == 200 time.sleep(10) # try requesting auth body, sighdr = deviceauth.auth_req( aset.id_data, aset.pubkey, aset.privkey, tenants_users_devices[0].tenant_token) r = dacd.call('POST', deviceauth.URL_AUTH_REQS, body, headers=sighdr) assert r.status_code == 401 assert r.json()['error'] == 'Account suspended'
def check_access_file_transfer(self, auth, devid, forbid=False): devconn = ApiClient( host=get_container_manager().get_mender_gateway(), base_url=deviceconnect.URL_MGMT, ) res = devconn.call( "GET", deviceconnect.URL_MGMT_FDOWNLOAD, headers=auth.get_auth_token(), path_params={"id": devid}, qs_params={"path": "/etc/mender/mender.conf"}, ) if forbid: assert res.status_code == 403 else: assert res.ok res = devconn.call( "PUT", deviceconnect.URL_MGMT_FUPLOAD, headers=auth.get_auth_token(), path_params={"id": devid}, qs_params={"path": "/etc/mender/mender.conf"}, ) if forbid: assert res.status_code == 403 else: assert res.status_code != 403
def test_user_cannot_log_in(self, tenants_users): tc = ApiClient(tenantadm.URL_INTERNAL) uc = ApiClient(useradm.URL_MGMT) for u in tenants_users[0].users: r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd)) assert r.status_code == 200 # tenant's users can log in for u in tenants_users[0].users: r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd)) assert r.status_code == 200 assert r.status_code == 200 # suspend tenant r = tc.call('PUT', tenantadm.URL_INTERNAL_SUSPEND, tenantadm.req_status('suspended'), path_params={'tid': tenants_users[0].id}) assert r.status_code == 200 time.sleep(10) # none of tenant's users can log in for u in tenants_users[0].users: r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd)) assert r.status_code == 401 # but other users still can for u in tenants_users[1].users: r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd)) assert r.status_code == 200
def test_authenticated_user_is_rejected(self, tenants): tc = ApiClient(tenantadm.URL_INTERNAL, host=tenantadm.HOST, schema="http://") uc = ApiClient(useradm.URL_MGMT) dc = ApiClient(deviceauth.URL_MGMT) u = tenants[0].users[0] # log in r = uc.call("POST", useradm.URL_LOGIN, auth=(u.name, u.pwd)) assert r.status_code == 200 token = r.text # check can access an api r = dc.with_auth(token).call("GET", deviceauth.URL_MGMT_DEVICES) assert r.status_code == 200 # suspend tenant r = tc.call( "PUT", tenantadm.URL_INTERNAL_SUSPEND, tenantadm.req_status("suspended"), path_params={"tid": tenants[0].id}, ) assert r.status_code == 200 time.sleep(10) # check token is rejected r = dc.with_auth(token).call("GET", deviceauth.URL_MGMT_DEVICES) assert r.status_code == 401
def test_authenticated_user_is_rejected(self, tenants): tc = ApiClient(tenantadm.URL_INTERNAL) uc = ApiClient(useradm.URL_MGMT) dc = ApiClient(deviceauth_v2.URL_MGMT) u = tenants[0].users[0] # log in r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd)) assert r.status_code == 200 token = r.text # check can access an api r = dc.with_auth(token).call('GET', deviceauth_v2.URL_DEVICES) assert r.status_code == 200 # suspend tenant r = tc.call('PUT', tenantadm.URL_INTERNAL_SUSPEND, tenantadm.req_status('suspended'), path_params={'tid': tenants[0].id}) assert r.status_code == 200 time.sleep(10) # check token is rejected r = dc.with_auth(token).call('GET', deviceauth_v2.URL_DEVICES) assert r.status_code == 401
def initialize_os_setup(env): """ Seed the OS setup with all operational data - users and devices. Return {"os_devs": [...], "os_users": [...]} """ uadmm = ApiClient(useradm.URL_MGMT, host=env.get_mender_gateway()) dauthd = ApiClient(deviceauth.URL_DEVICES, host=env.get_mender_gateway()) dauthm = ApiClient(deviceauth.URL_MGMT, host=env.get_mender_gateway()) users = [ create_user("*****@*****.**", "correcthorse", containers_namespace=env.name), create_user("*****@*****.**", "correcthorse", containers_namespace=env.name), ] r = uadmm.call("POST", useradm.URL_LOGIN, auth=(users[0].name, users[0].pwd)) assert r.status_code == 200 utoken = r.text # create and accept some devs; save tokens devs = [] for _ in range(10): devs.append(make_accepted_device(dauthd, dauthm, utoken)) # get tokens for all for d in devs: body, sighdr = deviceauth.auth_req( d.id_data, d.authsets[0].pubkey, d.authsets[0].privkey ) r = dauthd.call("POST", deviceauth.URL_AUTH_REQS, body, headers=sighdr) assert r.status_code == 200 d.token = r.text return {"os_devs": devs, "os_users": users}
def do_test_delete_device_ok(self, devs_authsets, user, tenant_token=""): devapim = ApiClient(deviceauth_v2.URL_MGMT) devapid = ApiClient(deviceauth_v1.URL_DEVICES) userapi = ApiClient(useradm.URL_MGMT) depapi = ApiClient(deployments.URL_DEVICES) # log in user r = userapi.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text # decommission a pending device dev_pending = filter_and_page_devs(devs_authsets, status="pending")[0] r = devapim.with_auth(utoken).call( "DELETE", deviceauth_v2.URL_DEVICE, path_params={"id": dev_pending.id} ) assert r.status_code == 204 # only verify the device is gone r = devapim.with_auth(utoken).call( "GET", deviceauth_v2.URL_DEVICE, path_params={"id": dev_pending.id} ) assert r.status_code == 404 # log in an accepted device dev_acc = filter_and_page_devs(devs_authsets, status="accepted")[0] body, sighdr = deviceauth_v1.auth_req( dev_acc.id_data, dev_acc.authsets[0].pubkey, dev_acc.authsets[0].privkey, tenant_token, ) r = devapid.call("POST", deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr) assert r.status_code == 200 dtoken = r.text # decommission the accepted device r = devapim.with_auth(utoken).call( "DELETE", deviceauth_v2.URL_DEVICE, path_params={"id": dev_acc.id} ) assert r.status_code == 204 # verify the device lost access r = depapi.with_auth(dtoken).call( "GET", deployments.URL_NEXT, qs_params={"device_type": "foo", "artifact_name": "bar"}, ) assert r.status_code == 401 # verify the device is gone r = devapim.with_auth(utoken).call( "GET", deviceauth_v2.URL_DEVICE, path_params={"id": dev_acc.id} ) assert r.status_code == 404
def test_success_with_plan(self, clean_migrated_mongo): tc = ApiClient(tenantadm.URL_MGMT) uc = ApiClient(useradm.URL_MGMT) tenantadmi = ApiClient(tenantadm.URL_INTERNAL) devauthi = ApiClient(deviceauth_v1.URL_INTERNAL) logging.info("Starting TestCreateOrganizationEnterprise") tenant = "tenant{}".format(randstr()) email = "some.user@{}.com".format(tenant) payload = { "request_id": "123456", "organization": tenant, "email": email, "password": "******", "g-recaptcha-response": "foobar", "plan": "professional", "token": "tok_visa", } r = tc.post(tenantadm.URL_MGMT_TENANTS, data=payload) assert r.status_code == 202 # Try log in every second for 5 minutes. # Creating organization is an async job # and may take some time to complete. for i in range(5 * 60): rsp = uc.call( "POST", useradm.URL_LOGIN, auth=(email, "asdfqwer1234"), ) if rsp.status_code == 200: break time.sleep(1) if rsp.status_code != 200: raise ValueError( "User could not log in within five minutes after organization has been created." ) # get the tenant id (and verify that only one tenant exists) r = tenantadmi.call("GET", tenantadm.URL_INTERNAL_TENANTS) assert r.status_code == 200 api_tenants = r.json() assert len(api_tenants) == 1 # verify the device limit via internal api # the device limit for professional plan should be 250 r = devauthi.call( "GET", deviceauth_v1.URL_LIMITS_MAX_DEVICES, path_params={"tid": api_tenants[0]["id"]}, ) assert r.status_code == 200 assert r.json()["limit"] == 250 self._cleanup_stripe(email)
def do_test_ok(self, user, tenant_token=""): useradmm = ApiClient(useradm.URL_MGMT) devauthm = ApiClient(deviceauth_v2.URL_MGMT) devauthd = ApiClient(deviceauth_v1.URL_DEVICES) # log in user r = useradmm.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text # preauth device priv, pub = testutils.util.crypto.rsa_get_keypair() id_data = {"mac": "pretenditsamac"} body = deviceauth_v2.preauth_req(id_data, pub) r = devauthm.with_auth(utoken).call("POST", deviceauth_v2.URL_DEVICES, body) assert r.status_code == 201 # device appears in device list r = devauthm.with_auth(utoken).call("GET", deviceauth_v2.URL_DEVICES) assert r.status_code == 200 api_devs = r.json() assert len(api_devs) == 1 api_dev = api_devs[0] assert api_dev["status"] == "preauthorized" assert api_dev["identity_data"] == id_data assert len(api_dev["auth_sets"]) == 1 aset = api_dev["auth_sets"][0] assert aset["identity_data"] == id_data assert testutils.util.crypto.rsa_compare_keys(aset["pubkey"], pub) assert aset["status"] == "preauthorized" # actual device can obtain auth token body, sighdr = deviceauth_v1.auth_req(id_data, pub, priv, tenant_token) r = devauthd.call("POST", deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr) assert r.status_code == 200 # device and authset changed status to 'accepted' r = devauthm.with_auth(utoken).call( "GET", deviceauth_v2.URL_DEVICES, path_params={"id": api_dev["id"]} ) api_devs = r.json() assert len(api_devs) == 1 api_dev = api_devs[0] assert api_dev["status"] == "accepted" assert len(api_dev["auth_sets"]) == 1 aset = api_dev["auth_sets"][0] assert aset["status"] == "accepted"
def test_devs_ok(self, migrated_enterprise_setup): mender_gateway = migrated_enterprise_setup.get_mender_gateway() uadmm = ApiClient( "https://{}/api/management/v1/useradm".format(mender_gateway)) dauthd = ApiClient( "https://{}/api/devices/v1/authentication".format(mender_gateway)) dauthm = ApiClient( "https://{}/api/management/v2/devauth".format(mender_gateway)) depld = ApiClient( "https://{}/api/devices/v1/deployments".format(mender_gateway)) # current dev tokens don't work right off the bat # the deviceauth db is empty for d in migrated_enterprise_setup.init_data["os_devs"]: resp = depld.with_auth(d.token).call( "GET", deployments.URL_NEXT, qs_params={ "artifact_name": "foo", "device_type": "bar" }, ) assert resp.status_code == 401 # but even despite the 'dummy' tenant token # os devices can get into the deviceauth db for acceptance ent_user = migrated_enterprise_setup.init_data["tenant"].users[0] r = uadmm.call("POST", useradm.URL_LOGIN, auth=(ent_user.name, ent_user.pwd)) assert r.status_code == 200 utoken = r.text for d in migrated_enterprise_setup.init_data["os_devs"]: body, sighdr = deviceauth_v1.auth_req( d.id_data, d.authsets[0].pubkey, d.authsets[0].privkey, tenant_token="dummy", ) r = dauthd.call("POST", deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr) assert r.status_code == 401 r = dauthm.with_auth(utoken).call("GET", deviceauth_v2.URL_DEVICES, path_params={"id": d.id}) assert r.status_code == 200 assert len(r.json()) == len( migrated_enterprise_setup.init_data["os_devs"])
def test_authenticated_dev_is_rejected(self, tenants_users_devices): dacd = ApiClient(deviceauth.URL_DEVICES) devauthm = ApiClient(deviceauth_v2.URL_MGMT) uc = ApiClient(useradm.URL_MGMT) tc = ApiClient(tenantadm.URL_INTERNAL) dc = ApiClient(deployments.URL_DEVICES) # accept a dev user = tenants_users_devices[0].users[0] r = uc.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text aset = tenants_users_devices[0].devices[0].authsets[0] change_authset_status(devauthm, aset.did, aset.id, 'accepted', utoken) # request auth body, sighdr = deviceauth.auth_req(aset.id_data, aset.pubkey, aset.privkey, tenants_users_devices[0].tenant_token) r = dacd.call('POST', deviceauth.URL_AUTH_REQS, body, headers=sighdr) assert r.status_code == 200 dtoken = r.text # check device can access APIs r = dc.with_auth(dtoken).call('GET', deployments.URL_NEXT, qs_params={'device_type': 'foo', 'artifact_name': 'bar'}) assert r.status_code == 204 # suspend r = tc.call('PUT', tenantadm.URL_INTERNAL_SUSPEND, tenantadm.req_status('suspended'), path_params={'tid': tenants_users_devices[0].id}) assert r.status_code == 200 time.sleep(10) # check device is rejected r = dc.with_auth(dtoken).call('GET', deployments.URL_NEXT, qs_params={'device_type': 'foo', 'artifact_name': 'bar'}) assert r.status_code == 401
def test_users_ok(self, migrated_enterprise_setup): mender_gateway = migrated_enterprise_setup.get_mender_gateway() uadmm = ApiClient(useradm.URL_MGMT, host=mender_gateway) # os users can't log in for u in migrated_enterprise_setup.init_data["os_users"]: r = uadmm.call("POST", useradm.URL_LOGIN, auth=(u.name, u.pwd)) assert r.status_code == 401 # but enterprise user can ent_user = migrated_enterprise_setup.init_data["tenant"].users[0] r = uadmm.call("POST", useradm.URL_LOGIN, auth=(ent_user.name, ent_user.pwd)) assert r.status_code == 200
def test_users_ok(self, migrated_enterprise_setup): uadmm = ApiClient('https://{}/api/management/v1/useradm'.format(get_mender_gateway())) # os users can't log in for u in migrated_enterprise_setup["os_users"]: r = uadmm.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd)) assert r.status_code == 401 # but enterprise user can ent_user = migrated_enterprise_setup["tenant"].users[0] r = uadmm.call('POST', useradm.URL_LOGIN, auth=(ent_user.name, ent_user.pwd)) assert r.status_code == 200
def do_test_fail_duplicate(self, user, devices): useradmm = ApiClient(useradm.URL_MGMT) devauthm = ApiClient(deviceauth_v2.URL_MGMT) # log in user r = useradmm.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text # preauth duplicate device priv, pub = testutils.util.crypto.rsa_get_keypair() id_data = devices[0].id_data body = deviceauth_v2.preauth_req(id_data, pub) r = devauthm.with_auth(utoken).call("POST", deviceauth_v2.URL_DEVICES, body) assert r.status_code == 409 # device list is unmodified r = devauthm.with_auth(utoken).call("GET", deviceauth_v2.URL_DEVICES) assert r.status_code == 200 api_devs = r.json() assert len(api_devs) == len(devices) # existing device has no new auth sets existing = [d for d in api_devs if d["identity_data"] == id_data] assert len(existing) == 1 existing = existing[0] assert len(existing["auth_sets"]) == 1 aset = existing["auth_sets"][0] assert testutils.util.crypto.rsa_compare_keys(aset["pubkey"], devices[0].pubkey) assert aset["status"] == "pending"
def make_accepted_device( dauthd1: ApiClient, dauthm: ApiClient, utoken: str, tenant_token: str = "", test_type: str = "regular", ) -> Device: """Create one device with "accepted" status.""" test_types = ["regular", "azure"] if test_type not in test_types: raise RuntimeError("Given test type is not allowed") dev = make_pending_device(dauthd1, dauthm, utoken, tenant_token=tenant_token) aset_id = dev.authsets[0].id change_authset_status(dauthm, dev.id, aset_id, "accepted", utoken) aset = dev.authsets[0] aset.status = "accepted" # TODO: very bad workaround for Azure IoT Hub backend test; following part is responsible for creating # TODO: additonal, unnecessary auth set which causes Azure test to fail if test_type == "regular": # obtain auth token body, sighdr = deviceauth.auth_req( aset.id_data, aset.pubkey, aset.privkey, tenant_token ) r = dauthd1.call("POST", deviceauth.URL_AUTH_REQS, body, headers=sighdr) assert r.status_code == 200 dev.token = r.text dev.status = "accepted" return dev
def do_test_get_device(self, devs_authsets, user): da = ApiClient(deviceauth_v2.URL_MGMT) ua = ApiClient(useradm.URL_MGMT) # log in user r = ua.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text # existing devices for dev in devs_authsets: r = da.with_auth(utoken).call( "GET", deviceauth_v2.URL_DEVICE, path_params={"id": dev.id} ) assert r.status_code == 200 api_dev = r.json() self._compare_dev(dev, api_dev) # non-existent devices for id in ["foo", "bar"]: r = da.with_auth(utoken).call( "GET", deviceauth_v2.URL_DEVICE, path_params={"id": id} ) assert r.status_code == 404
def setup_devices_and_management(nr_devices=100): """ Sets up user and tenant and creates authorized devices. """ tenant = create_tenant('acme') user = create_tenant_user('bugs-bunny', tenant) useradmm = ApiClient(useradm.URL_MGMT) devauthd = ApiClient(deviceauth_v1.URL_DEVICES) invm = ApiClient(inventory.URL_MGMT) api_mgmt_deploy = ApiClient(deployments.URL_MGMT) # log in user r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text # Upload a dummy artifact to the server upload_image("/tests/test-artifact.mender", utoken) # prepare accepted devices devs = make_accepted_devices(utoken, devauthd, nr_devices, tenant.tenant_token) # wait for devices to be provisioned time.sleep(3) # Check that the number of devices were created r = invm.with_auth(utoken).call( 'GET', inventory.URL_DEVICES, qs_params={ 'per_page': nr_devices }) assert r.status_code == 200 api_devs = r.json() assert len(api_devs) == nr_devices return user, tenant, utoken, devs
def test_fail_no_attr_value(self, user): useradmm = ApiClient(useradm.URL_MGMT) devauthd = ApiClient(deviceauth_v1.URL_DEVICES) invm = ApiClient(inventory.URL_MGMT) invd = ApiClient(inventory.URL_DEV) # log in user r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text # prepare accepted devices devs = make_accepted_devices(utoken, devauthd, 1) # wait for devices to be provisioned time.sleep(3) for i, d in enumerate(devs): payload = [{ "name": "mac", }] r = invd.with_auth(d.token).call('PATCH', inventory.URL_DEVICE_ATTRIBUTES, payload) assert r.status_code == 400
def verify_devices_unmodified(self, user, in_devices): devauthm = ApiClient(deviceauth_v2.URL_MGMT) useradmm = ApiClient(useradm.URL_MGMT) r = useradmm.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text r = devauthm.with_auth(utoken).call("GET", deviceauth_v2.URL_DEVICES) assert r.status_code == 200 api_devs = r.json() assert len(api_devs) == len(in_devices) for ad in api_devs: assert ad["status"] == "pending" orig_device = [d for d in in_devices if d.id_data == ad["identity_data"]] assert len(orig_device) == 1 orig_device = orig_device[0] assert len(ad["auth_sets"]) == 1 aset = ad["auth_sets"][0] assert testutils.util.crypto.rsa_compare_keys( aset["pubkey"], orig_device.pubkey )
def do_test_get_devices_ok(self, user, tenant_token=''): useradmm = ApiClient(useradm.URL_MGMT) devauthd = ApiClient(deviceauth_v1.URL_DEVICES) invm = ApiClient(inventory.URL_MGMT) invd = ApiClient(inventory.URL_DEV) # log in user r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text # prepare accepted devices devs = make_accepted_devices(utoken, devauthd, 40, tenant_token) # wait for devices to be provisioned time.sleep(3) r = invm.with_auth(utoken).call('GET', inventory.URL_DEVICES, qs_params={'per_page': 100}) assert r.status_code == 200 api_devs = r.json() assert len(api_devs) == 40
def add_devices_to_user(user, dev_inventories): try: user.devices except AttributeError: user.devices = [] useradmm = ApiClient(useradm.URL_MGMT) devauthd = ApiClient(deviceauth.URL_DEVICES) devauthm = ApiClient(deviceauth.URL_MGMT) invd = ApiClient(inventory.URL_DEV) utoken = useradmm.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)).text assert utoken != "" user.api_token = utoken for inv in dev_inventories: device = make_accepted_device(devauthd, devauthm, utoken) user.devices.append(device) attrs = dict_to_inventoryattrs(inv) rsp = invd.with_auth(device.token).call( "PATCH", inventory.URL_DEVICE_ATTRIBUTES, body=attrs ) assert rsp.status_code == 200 device.inventory = inv return user
def create_tenant(name, docker_prefix=None): """ Create a tenant via cli, record its id and token for further use. """ cli = CliTenantadm(docker_prefix) api = ApiClient(tenantadm.URL_INTERNAL) id = cli.create_tenant(name) page = 0 per_page = 20 qs_params = {} found = None while True: page = page + 1 qs_params['page'] = page qs_params['per_page'] = per_page r = api.call('GET', tenantadm.URL_INTERNAL_TENANTS, qs_params=qs_params) assert r.status_code == 200 api_tenants = r.json() found = [at for at in api_tenants if at['id'] == id] if len(found) > 0: break if len(api_tenants) == 0: break assert len(found) == 1 token = found[0]['tenant_token'] return Tenant(name, id, token)
def create_org(name, username, password, plan="os"): cli = CliTenantadm() user_id = None tenant_id = cli.create_org(name, username, password, plan=plan) tenant_token = json.loads(cli.get_tenant(tenant_id))["tenant_token"] api = ApiClient(useradm.URL_MGMT) # Try log in every second for 3 minutes. # - There usually is a slight delay (in order of ms) for propagating # the created user to the db. for i in range(3 * 60): rsp = api.call("POST", useradm.URL_LOGIN, auth=(username, password)) if rsp.status_code == 200: break time.sleep(1) if rsp.status_code != 200: raise ValueError( "User could not log in within three minutes after organization has been created." ) user_token = rsp.text rsp = api.with_auth(user_token).call("GET", useradm.URL_USERS) users = json.loads(rsp.text) for user in users: if user["email"] == username: user_id = user["id"] break if user_id == None: raise ValueError("Error retrieving user id.") tenant = Tenant(name, tenant_id, tenant_token) user = User(user_id, username, password) tenant.users.append(user) return tenant
def do_test_get_authset_status(self, devs_authsets, user): devauthm = ApiClient(deviceauth_v2.URL_MGMT) useradmm = ApiClient(useradm.URL_MGMT) # log in user r = useradmm.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text # try valid authsets for d in devs_authsets: for a in d.authsets: r = devauthm.with_auth(utoken).call( "GET", deviceauth_v2.URL_AUTHSET_STATUS, path_params={"did": d.id, "aid": a.id}, ) assert r.status_code == 200 assert r.json()["status"] == a.status # invalid authset or device for did, aid in [(devs_authsets[0].id, "foo"), ("foo", "bar")]: r = devauthm.with_auth(utoken).call( "GET", deviceauth_v2.URL_AUTHSET_STATUS, path_params={"did": did, "aid": aid}, ) assert r.status_code == 404
def do_test_device_count(self, devs_authsets, user): ua = ApiClient(useradm.URL_MGMT) da = ApiClient(deviceauth_v2.URL_MGMT) # log in user r = ua.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text # test cases: successful counts for status in [None, "pending", "accepted", "rejected", "preauthorized"]: qs_params = {} if status is not None: qs_params = {"status": status} r = da.with_auth(utoken).call( "GET", deviceauth_v2.URL_DEVICES_COUNT, qs_params=qs_params ) assert r.status_code == 200 count = r.json() ref_devs = filter_and_page_devs(devs_authsets, status=status) ref_count = len(ref_devs) assert ref_count == count["count"] # fail: bad request r = da.with_auth(utoken).call( "GET", deviceauth_v2.URL_DEVICES_COUNT, qs_params={"status": "foo"} ) assert r.status_code == 400
def test_ok(self, user): useradmm = ApiClient(useradm.URL_MGMT) devauthd = ApiClient(deviceauth_v1.URL_DEVICES) invm = ApiClient(inventory.URL_MGMT) invd = ApiClient(inventory.URL_DEV) # log in user r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text # prepare accepted devices devs = make_accepted_devices(utoken, devauthd, 3) # wait for devices to be provisioned time.sleep(3) for i, d in enumerate(devs): payload = [ { "name": "mac", "value": "mac-new-" + str(d.id) }, { #empty value for existing "name": "sn", "value": "", }, { #empty value for new "name": "new-empty", "value": "", } ] r = invd.with_auth(d.token).call('PATCH', inventory.URL_DEVICE_ATTRIBUTES, payload) assert r.status_code == 200 for d in devs: r = invm.with_auth(utoken).call('GET', inventory.URL_DEVICE, path_params={'id': d.id}) assert r.status_code == 200 api_dev = r.json() assert len(api_dev['attributes']) == 3 for a in api_dev['attributes']: if a['name'] == 'mac': assert a['value'] == 'mac-new-' + str(api_dev['id']) elif a['name'] == 'sn': assert a['value'] == '' elif a['name'] == 'new-empty': assert a['value'] == '' else: assert False, 'unexpected attribute ' + a['name']
def initialize_os_setup(): """ Seed the OS setup with all operational data - users and devices. Return {"os_devs": [...], "os_users": [...]} """ uadmm = ApiClient('https://{}/api/management/v1/useradm'.format( get_mender_gateway())) dauthd = ApiClient('https://{}/api/devices/v1/authentication'.format( get_mender_gateway())) dauthm = ApiClient('https://{}/api/management/v2/devauth'.format( get_mender_gateway())) users = [ create_user("*****@*****.**", "correcthorse", docker_prefix=docker_compose_instance), create_user("*****@*****.**", "correcthorse", docker_prefix=docker_compose_instance) ] r = uadmm.call('POST', useradm.URL_LOGIN, auth=(users[0].name, users[0].pwd)) assert r.status_code == 200 utoken = r.text # create and accept some devs; save tokens devs = [] for i in range(10): devs.append(make_accepted_device(dauthd, dauthm, utoken)) # get tokens for all for d in devs: body, sighdr = deviceauth_v1.auth_req(d.id_data, d.authsets[0].pubkey, d.authsets[0].privkey) r = dauthd.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr) assert r.status_code == 200 d.token = r.text return {"os_devs": devs, "os_users": users}
def login_tenant_users(tenant): useradm_MGMT = ApiClient(useradm.URL_MGMT) for user in tenant.users: rsp = useradm_MGMT.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert rsp.status_code == 200, "Failed to setup test environment" user.token = rsp.text
def test_accepted_dev_cant_authenticate(self, tenants_users_devices): dacd = ApiClient(deviceauth.URL_DEVICES) devauthm = ApiClient(deviceauth.URL_MGMT) uc = ApiClient(useradm.URL_MGMT) tc = ApiClient(tenantadm.URL_INTERNAL, host=tenantadm.HOST, schema="http://") # accept a dev device = tenants_users_devices[0].devices[0] user = tenants_users_devices[0].users[0] r = uc.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)) assert r.status_code == 200 utoken = r.text aset = device.authsets[0] change_authset_status(devauthm, aset.did, aset.id, "accepted", utoken) # suspend r = tc.call( "PUT", tenantadm.URL_INTERNAL_SUSPEND, tenantadm.req_status("suspended"), path_params={"tid": tenants_users_devices[0].id}, ) assert r.status_code == 200 time.sleep(10) # try requesting auth body, sighdr = deviceauth.auth_req( aset.id_data, aset.pubkey, aset.privkey, tenants_users_devices[0].tenant_token, ) r = dacd.call("POST", deviceauth.URL_AUTH_REQS, body, headers=sighdr) assert r.status_code == 401 assert r.json()["error"] == "Account suspended"
def check_access_rbac(self, auth, forbid=False): uadm = ApiClient( host=get_container_manager().get_mender_gateway(), base_url=useradm.URL_MGMT, ) res = uadm.call("GET", useradm.URL_ROLES, headers=auth.get_auth_token(),) if forbid: assert res.status_code == 403 else: assert res.ok