def test_authenticator_invalid_session(self):
        """A request signed with an invalidated session's secret is rejected.

        Flow: authenticate, invalidate the session just obtained, then sign a
        request with the now-dead session id/secret.  The authenticator is
        expected to report ``'Invalid credential.'`` and the view to answer as
        ``'anonymous'``.
        """
        with self.app.test_client() as client:
            login = client.post('/authenticate', data={'username': '******', 'password': '******'})
            session = json.loads(login.data)
            sid, sid_secret = session['session_id'], session['session_secret']

            # Revoke the session server-side before its credentials are used.
            client.post('/invalidate-session', data={'session_id': sid})

            signed = HMACAuthenticator.get_authorization_headers(sid, sid_secret, '/test')
            reply = client.get('/test', headers=signed)
            # The test-client ``with`` block keeps the last request context
            # alive, which is what makes ``g`` readable after the call.
            self.assertEqual(g.user_reason, 'Invalid credential.')
            self.assertEqual(reply.data, 'anonymous', g.user_reason)
    def test_authenticator_user1(self):
        """A correctly signed request authenticates as user 1.

        The signature is computed over the query string ``c=3&a=2&b=1`` while
        the request is sent as ``b=1&a=2&c=3``; the test expects that
        reordering not to break verification (presumably the authenticator
        canonicalises query parameters — confirm in HMACAuthenticator).
        """
        with self.app.test_client() as client:
            login = client.post('/authenticate', data={'username': '******', 'password': '******'})
            self.assertEqual(login.headers['content-type'], 'application/json', login.data)
            session = json.loads(login.data)
            sid = session['session_id']
            sid_secret = session['session_secret']

            signed = HMACAuthenticator.get_authorization_headers(
                sid, sid_secret, '/test', query_string='c=3&a=2&b=1')
            reply = client.get('/test?b=1&a=2&c=3', headers=signed)
            self.assertEqual(g.user_reason, 'Authenticated')
            self.assertEqual(reply.data, '1', g.user_reason)
    def test_authenticator_user1(self):
        """Signed GET with a reordered query string still authenticates user 1.

        The headers are signed for ``/test`` with ``c=3&a=2&b=1`` but the
        request goes out as ``/test?b=1&a=2&c=3``; the expected outcome is
        ``g.user_reason == 'Authenticated'`` and a body of ``'1'``.
        """
        credentials = {
            'username': '******',
            'password': '******'
        }
        with self.app.test_client() as client:
            login = client.post('/authenticate', data=credentials)
            self.assertEqual(login.headers['content-type'],
                             'application/json', login.data)
            session = json.loads(login.data)
            sid, sid_secret = session['session_id'], session['session_secret']

            signed = HMACAuthenticator.get_authorization_headers(
                sid,
                sid_secret,
                '/test',
                query_string='c=3&a=2&b=1')
            reply = client.get('/test?b=1&a=2&c=3', headers=signed)
            self.assertEqual(g.user_reason, 'Authenticated')
            self.assertEqual(reply.data, '1', g.user_reason)
    def test_authenticator_invalid_session(self):
        """Credentials of a session that was invalidated must not authenticate.

        After ``/invalidate-session`` the same session id and secret are used
        to sign ``/test``; the authenticator should answer with
        ``'Invalid credential.'`` and the view should serve ``'anonymous'``.
        """
        credentials = {
            'username': '******',
            'password': '******'
        }
        with self.app.test_client() as client:
            session = json.loads(client.post('/authenticate', data=credentials).data)
            sid = session['session_id']
            sid_secret = session['session_secret']

            # Revoke first, then try to use the stale credentials.
            client.post('/invalidate-session', data={'session_id': sid})

            signed = HMACAuthenticator.get_authorization_headers(
                sid,
                sid_secret,
                '/test')
            reply = client.get('/test', headers=signed)
            self.assertEqual(g.user_reason, 'Invalid credential.')
            self.assertEqual(reply.data, 'anonymous', g.user_reason)
    def test_record_api_with_acl_user_2(self):
        """Bob (user 2) can read his own record but every write is refused.

        With ``IsOwner`` as record authorizer and ``my_test_acl`` as API
        authorizer, Bob's signed requests get 200 on the collection and on his
        own record, while PATCH, DELETE and POST all come back 405 — presumably
        the ACL disallows those methods for this user outright rather than
        reaching the ownership check (confirm against my_test_acl).
        """
        add_session_management_urls(self.app)

        make_api(
            self.api,
            "Test",
            MyTestModel,
            MyTestSchema,
            record_authorizer=IsOwner(),
            api_authorizers=[my_test_acl.authorize],
        )

        jsonapi = "application/vnd.api+json"
        own_record = "/my-tests/{}".format(self.d2)

        with self.app.test_client() as client:
            login = json.loads(
                client.post("/authenticate", data={"username": "******", "password": "******"}).data
            )
            session_id, secret = login["session_id"], login["session_secret"]

            def sign(path, **extra):
                # Every request below is HMAC-signed with Bob's session credentials.
                return HMACAuthenticator.get_authorization_headers(session_id, secret, path, **extra)

            # Collection listing: only Bob's own record is returned.
            listing = client.get("/my-tests", headers=sign("/my-tests"))
            self.assertEqual(listing.status_code, 200)
            self.assertEqual(
                listing.data,
                '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}]}\n',
            )

            # Single record Bob owns.
            single = client.get(own_record, headers=sign(own_record))
            self.assertEqual(single.status_code, 200)
            self.assertEqual(
                single.data,
                '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}}\n',
            )

            # PATCH on his own record: method not allowed for this user.
            patch_body = json.dumps({"data": {"attributes": {"title": "SpongeBob SquarePants"}, "type": "my-tests"}})
            patch_headers = sign(own_record, method="PATCH", content_type=jsonapi, body=patch_body)
            patch_headers["Content-Type"] = jsonapi
            patched = client.patch(own_record, data=patch_body, headers=patch_headers)
            self.assertEqual(patched.status_code, 405)

            # DELETE on his own record: likewise refused.
            deleted = client.delete(own_record, headers=sign(own_record, method="DELETE"))
            self.assertEqual(deleted.status_code, 405)

            # POST a new record: refused as well.
            post_body = json.dumps(
                {
                    "data": {
                        "attributes": {"title": "Dennis the Menace", "author": "Hank Ketcham", "owner_id": "2"},
                        "type": "my-tests",
                    }
                }
            )
            post_headers = sign("/my-tests", method="POST", content_type=jsonapi, body=post_body)
            post_headers["Content-Type"] = jsonapi
            created = client.post("/my-tests", data=post_body, headers=post_headers)
            self.assertEqual(created.status_code, 405)
    def test_record_api_with_acl_user_1(self):
        """Alice (user 1) may read/modify/delete her own record, never Bob's.

        Under ``IsOwner`` + ``my_test_acl``: listing and reading record d1
        succeed (200), reading record d2 is forbidden (403); PATCH and DELETE
        on d1 succeed (204) while the same on d2 are forbidden (403); POST of a
        new record succeeds (200) and reports ``/my-tests/4`` as its location.
        """
        add_session_management_urls(self.app)

        make_api(
            self.api,
            "Test",
            MyTestModel,
            MyTestSchema,
            record_authorizer=IsOwner(),
            api_authorizers=[my_test_acl.authorize],
        )

        jsonapi = "application/vnd.api+json"
        own_record = "/my-tests/{}".format(self.d1)
        other_record = "/my-tests/{}".format(self.d2)

        with self.app.test_client() as client:
            login = json.loads(
                client.post("/authenticate", data={"username": "******", "password": "******"}).data
            )
            session_id, secret = login["session_id"], login["session_secret"]

            def sign(path, **extra):
                # Every request below is HMAC-signed with Alice's session credentials.
                return HMACAuthenticator.get_authorization_headers(session_id, secret, path, **extra)

            # Collection listing: only Alice's own record is returned.
            listing = client.get("/my-tests", headers=sign("/my-tests"))
            self.assertEqual(listing.status_code, 200)
            self.assertEqual(
                listing.data,
                '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}]}\n',
            )

            # Single record Alice owns.
            single = client.get(own_record, headers=sign(own_record))
            self.assertEqual(single.status_code, 200)
            self.assertEqual(
                single.data,
                '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}}\n',
            )

            # Bob's record is off limits even though the signature is valid.
            forbidden = client.get(other_record, headers=sign(other_record))
            self.assertEqual(forbidden.status_code, 403)

            # PATCH own record.
            own_patch = json.dumps(
                {"data": {"attributes": {"title": "Alice's Adventures in Wonderland"}, "type": "my-tests"}}
            )
            own_patch_headers = sign(own_record, method="PATCH", content_type=jsonapi, body=own_patch)
            own_patch_headers["Content-Type"] = jsonapi
            patched = client.patch(own_record, data=own_patch, headers=own_patch_headers)
            self.assertEqual(patched.status_code, 204)
            self.assertEqual(patched.headers["Content-Location"], own_record)

            # PATCH someone else's record: forbidden because Alice is not the owner.
            other_patch = json.dumps({"data": {"attributes": {"title": "SpongeBob SquarePants"}, "type": "my-tests"}})
            other_patch_headers = sign(other_record, method="PATCH", content_type=jsonapi, body=other_patch)
            other_patch_headers["Content-Type"] = jsonapi
            refused = client.patch(other_record, data=other_patch, headers=other_patch_headers)
            self.assertEqual(refused.status_code, 403, refused.data)

            # DELETE own record.
            deleted = client.delete(own_record, headers=sign(own_record, method="DELETE"))
            self.assertEqual(deleted.status_code, 204)
            self.assertEqual(deleted.data, "")

            # DELETE someone else's record: forbidden.
            not_deleted = client.delete(other_record, headers=sign(other_record, method="DELETE"))
            self.assertEqual(not_deleted.status_code, 403)

            # POST a new record.
            post_body = json.dumps(
                {
                    "data": {
                        "attributes": {"title": "Dennis the Menace", "author": "Hank Ketcham", "owner_id": "2"},
                        "type": "my-tests",
                    }
                }
            )
            post_headers = sign("/my-tests", method="POST", content_type=jsonapi, body=post_body)
            post_headers["Content-Type"] = jsonapi
            created = client.post("/my-tests", data=post_body, headers=post_headers)
            self.assertEqual(created.status_code, 200)
            self.assertEqual(created.headers["Content-Location"], "/my-tests/4")
    def test_record_api_with_acl_user_2(self):
        """Bob (user 2): reads of his own record succeed, all writes get 405.

        The API is built with ``IsOwner`` as record authorizer and
        ``my_test_acl`` as API authorizer.  Listing and reading record d2 are
        200; PATCH, DELETE and POST are 405 — presumably the ACL strips those
        methods for this user before ownership is considered (confirm against
        my_test_acl).
        """
        add_session_management_urls(self.app)

        make_api(self.api,
                 'Test',
                 MyTestModel,
                 MyTestSchema,
                 record_authorizer=IsOwner(),
                 api_authorizers=[my_test_acl.authorize])

        jsonapi = 'application/vnd.api+json'
        own_record = '/my-tests/{}'.format(self.d2)
        credentials = {
            'username': '******',
            'password': '******'
        }

        with self.app.test_client() as client:
            login = json.loads(client.post('/authenticate', data=credentials).data)
            session_id = login['session_id']
            secret = login['session_secret']

            def sign(path, **extra):
                # All requests below carry Bob's HMAC signature.
                return HMACAuthenticator.get_authorization_headers(
                    session_id, secret, path, **extra)

            # Listing: only Bob's own record comes back.
            listing = client.get('/my-tests', headers=sign('/my-tests'))
            self.assertEqual(listing.status_code, 200)
            self.assertEqual(
                listing.data,
                '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}]}\n'
            )

            # Reading his own record.
            single = client.get(own_record, headers=sign(own_record))
            self.assertEqual(single.status_code, 200)
            self.assertEqual(
                single.data,
                '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}}\n'
            )

            # PATCH on his own record is not allowed for this user.
            patch_body = json.dumps({
                "data": {
                    "attributes": {
                        "title": "SpongeBob SquarePants"
                    },
                    "type": "my-tests"
                }
            })
            patch_headers = sign(own_record,
                                 method='PATCH',
                                 content_type=jsonapi,
                                 body=patch_body)
            patch_headers['Content-Type'] = jsonapi
            patched = client.patch(own_record, data=patch_body, headers=patch_headers)
            self.assertEqual(patched.status_code, 405)

            # DELETE on his own record is not allowed either.
            deleted = client.delete(own_record, headers=sign(own_record, method='DELETE'))
            self.assertEqual(deleted.status_code, 405)

            # POST of a new record is refused as well.
            post_body = json.dumps({
                "data": {
                    "attributes": {
                        "title": "Dennis the Menace",
                        "author": "Hank Ketcham",
                        "owner_id": "2",
                    },
                    "type": "my-tests"
                }
            })
            post_headers = sign('/my-tests',
                                method='POST',
                                content_type=jsonapi,
                                body=post_body)
            post_headers['Content-Type'] = jsonapi
            created = client.post('/my-tests', data=post_body, headers=post_headers)
            self.assertEqual(created.status_code, 405)
    def test_record_api_with_acl_user_1(self):
        """Alice (user 1): full access to her own record, 403 on Bob's.

        Listing and reading d1 are 200, reading d2 is 403; PATCH/DELETE on d1
        are 204 and the same on d2 are 403; POST of a new record is 200 with
        ``Content-Location`` ``/my-tests/4``.
        """
        add_session_management_urls(self.app)

        make_api(self.api,
                 'Test',
                 MyTestModel,
                 MyTestSchema,
                 record_authorizer=IsOwner(),
                 api_authorizers=[my_test_acl.authorize])

        jsonapi = 'application/vnd.api+json'
        own_record = '/my-tests/{}'.format(self.d1)
        other_record = '/my-tests/{}'.format(self.d2)
        credentials = {
            'username': '******',
            'password': '******'
        }

        with self.app.test_client() as client:
            login = json.loads(client.post('/authenticate', data=credentials).data)
            session_id = login['session_id']
            secret = login['session_secret']

            def sign(path, **extra):
                # All requests below carry Alice's HMAC signature.
                return HMACAuthenticator.get_authorization_headers(
                    session_id, secret, path, **extra)

            # Listing: only Alice's own record comes back.
            listing = client.get('/my-tests', headers=sign('/my-tests'))
            self.assertEqual(listing.status_code, 200)
            self.assertEqual(
                listing.data,
                '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}]}\n'
            )

            # Reading her own record.
            single = client.get(own_record, headers=sign(own_record))
            self.assertEqual(single.status_code, 200)
            self.assertEqual(
                single.data,
                '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}}\n'
            )

            # Bob's record is forbidden despite a valid signature.
            forbidden = client.get(other_record, headers=sign(other_record))
            self.assertEqual(forbidden.status_code, 403)

            # PATCH her own record.
            own_patch = json.dumps({
                "data": {
                    "attributes": {
                        "title": "Alice's Adventures in Wonderland"
                    },
                    "type": "my-tests"
                }
            })
            own_patch_headers = sign(own_record,
                                     method='PATCH',
                                     content_type=jsonapi,
                                     body=own_patch)
            own_patch_headers['Content-Type'] = jsonapi
            patched = client.patch(own_record, data=own_patch, headers=own_patch_headers)
            self.assertEqual(patched.status_code, 204)
            self.assertEqual(patched.headers['Content-Location'], own_record)

            # PATCH someone else's record: forbidden because Alice is not the owner.
            other_patch = json.dumps({
                "data": {
                    "attributes": {
                        "title": "SpongeBob SquarePants"
                    },
                    "type": "my-tests"
                }
            })
            other_patch_headers = sign(other_record,
                                       method='PATCH',
                                       content_type=jsonapi,
                                       body=other_patch)
            other_patch_headers['Content-Type'] = jsonapi
            refused = client.patch(other_record, data=other_patch, headers=other_patch_headers)
            self.assertEqual(refused.status_code, 403, refused.data)

            # DELETE her own record.
            deleted = client.delete(own_record, headers=sign(own_record, method='DELETE'))
            self.assertEqual(deleted.status_code, 204)
            self.assertEqual(deleted.data, '')

            # DELETE someone else's record: forbidden.
            not_deleted = client.delete(other_record, headers=sign(other_record, method='DELETE'))
            self.assertEqual(not_deleted.status_code, 403)

            # POST a new record.
            post_body = json.dumps({
                "data": {
                    "attributes": {
                        "title": "Dennis the Menace",
                        "author": "Hank Ketcham",
                        "owner_id": "2",
                    },
                    "type": "my-tests"
                }
            })
            post_headers = sign('/my-tests',
                                method='POST',
                                content_type=jsonapi,
                                body=post_body)
            post_headers['Content-Type'] = jsonapi
            created = client.post('/my-tests', data=post_body, headers=post_headers)
            self.assertEqual(created.status_code, 200)
            self.assertEqual(created.headers['Content-Location'], '/my-tests/4')