def test_put_update_user_org_short_name():
    """ a user can be moved to another org through the org_shortname param

    Sent with utils.BASE_HEADERS; after the move the user is reachable
    only under the new org and the old path answers 404 / USER_DNE.
    """
    org, user = create_new_user_with_new_org_by_uuid()

    # the destination org has to exist before the user can be moved into it
    target_org = str(uuid.uuid4())
    created = post_new_org(target_org, target_org)
    assert created.status_code == 200

    old_user_url = f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}'
    move_params = {'org_shortname': target_org}

    # first PUT performs the move
    res = requests.put(
        old_user_url,
        headers=utils.BASE_HEADERS,
        params=move_params
    )
    assert res.status_code == 200
    response_contains_json(res, 'message', f'{user} was successfully updated.')

    # the same PUT again: the user no longer lives under the original org
    res = requests.put(
        old_user_url,
        headers=utils.BASE_HEADERS,
        params=move_params
    )
    assert res.status_code == 404
    response_contains(res, 'designated by the username parameter does not exist.')
    response_contains_json(res, 'error', 'USER_DNE')

    # the user is served from the new org's path instead
    res = requests.get(
        f'{env.AWG_BASE_URL}{ORG_URL}/{target_org}/user/{user}',
        headers=utils.BASE_HEADERS
    )
    ok_response_contains(res, user)
def test_get_mitre_cna():
    """ the mitre org record exists and carries the expected fields """
    mitre_url = f'{env.AWG_BASE_URL}{ORG_URL}/mitre'
    res = requests.get(mitre_url, headers=utils.BASE_HEADERS)

    # substring check on the body first, then the two JSON fields in order
    ok_response_contains(res, 'SECRETARIAT')
    expected_fields = (
        ('name', 'MITRE Corporation'),
        ('short_name', 'mitre'),
    )
    for field, value in expected_fields:
        ok_response_contains_json(res, field, value)
def test_get_cve_id(reg_user_headers):
    """ a regular user can fetch the module-level cve_id

    NOTE(review): cve_id is defined outside this function; presumably it
    is the first ID from 1999, which should always exist -- confirm.
    """
    id_url = f'{env.AWG_BASE_URL}{CVE_ID_URL}/{cve_id}'
    res = requests.get(id_url, headers=reg_user_headers)
    ok_response_contains(res, cve_id)
def test_regular_user_reset_secret(reg_user_headers):
    """ a regular user can reset their own API secret

    NOTE(review): a successful reset presumably invalidates the secret
    carried in reg_user_headers -- confirm the fixture issues a fresh
    user per test, otherwise later tests reusing these headers would
    fail authentication.
    """
    org, user = (reg_user_headers[key] for key in ('CVE-API-ORG', 'CVE-API-USER'))
    reset_url = f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}/reset_secret'
    res = requests.put(reset_url, headers=reg_user_headers)
    # Only the presence of the 'API-secret' marker is checked; the body
    # holds a live credential, so keep it out of test output and CI logs.
    ok_response_contains(res, 'API-secret')
def test_post_cve_id_reservation(batch_type, amount, reg_user_headers):
    """ `amount` ids can be reserved for the org named in the headers

    batch_type and amount are supplied from outside this function
    (presumably by parametrization -- confirm at the decorator).
    """
    org = reg_user_headers['CVE-API-ORG']
    res = get_reserve_cve_ids(amount, utils.CURRENT_YEAR, org, batch_type)
    ok_response_contains(res, f'CVE-{utils.CURRENT_YEAR}-')

    raw_body = res.content.decode()
    reserved = json.loads(raw_body)['cve_ids']
    assert reserved
    assert len(reserved) == amount

    # cna and user must exist; this is a substring match on the raw body,
    # not a check of specific JSON keys
    for marker in ('cna', 'user'):
        assert marker in raw_body
def test_put_cve_id_id_no_params():
    """ a PUT on the cve id endpoint with no query params reports success """
    id_url = f'{env.AWG_BASE_URL}{CVE_ID_URL}/{cve_id}'
    res = requests.put(id_url, headers=utils.BASE_HEADERS)
    # NOTE: open question kept from the original author -- should the API
    # answer as if an update succeeded when no params were sent and nothing
    # was actually changed? This test pins the current behaviour.
    ok_response_contains(res, f'{cve_id} was successfully updated.')
def test_post_cve_id_reserve_priority(org_admin_headers):
    """ an org admin can reserve a single priority id for their own org """
    year = utils.CURRENT_YEAR
    query = {
        'amount': '1',
        'cve_year': f'{year}',
        'short_name': org_admin_headers['CVE-API-ORG']
    }
    res = requests.post(
        f'{env.AWG_BASE_URL}{CVE_ID_URL}',
        headers=org_admin_headers,
        params=query
    )
    ok_response_contains(res, f'CVE-{year}-')

    reserved = json.loads(res.content.decode())['cve_ids']
    assert reserved
    assert len(reserved) == 1

    # NOTE(review): presumably sequence numbers below 20000 form the
    # priority block -- confirm against the service's id allocation rules.
    sequence_number = int(reserved[0]['cve_id'].split('-')[-1])
    assert sequence_number < 20000
def test_put_cve_id_id():
    """ an id's state can be set to REJECT and then to PUBLIC """
    id_url = f'{env.AWG_BASE_URL}{CVE_ID_URL}/{cve_id}'
    # order matters: REJECT first, PUBLIC second, each expected to succeed
    for state in ('REJECT', 'PUBLIC'):
        res = requests.put(
            id_url,
            headers=utils.BASE_HEADERS,
            params={'state': state}
        )
        ok_response_contains(res, f'{cve_id} was successfully updated.')
def test_get_mitre_id_quota():
    """ the mitre org's id quota figures are in range and add up """
    res = get_org_id_data('mitre')
    ok_response_contains(res, 'id_quota')

    payload = json.loads(res.content.decode())
    id_quota = payload['id_quota']
    n_available = payload['available']
    n_reserved = payload['total_reserved']

    # none of the counters may be negative
    for counter in (id_quota, n_available, n_reserved):
        assert counter >= 0
    # upper bound on the quota, then the accounting identity
    assert id_quota <= 100000
    assert id_quota == n_available + n_reserved
def test_put_cve_id_id_state_reserved():
    """ once moved out of RESERVED, an id cannot be set back to it """
    id_url = f'{env.AWG_BASE_URL}{CVE_ID_URL}/{cve_id}'

    # move the id to REJECT so the following request is a genuine rollback
    rejected = requests.put(
        id_url,
        headers=utils.BASE_HEADERS,
        params={'state': 'REJECT'}
    )
    ok_response_contains(rejected, f'{cve_id} was successfully updated.')

    # the rollback must be refused with 400 and an explicit message
    rolled_back = requests.put(
        id_url,
        headers=utils.BASE_HEADERS,
        params={'state': 'RESERVED'}
    )
    assert rolled_back.status_code == 400
    response_contains_json(
        rolled_back, 'message', 'Cannot change the state to RESERVED.')
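def test_get_cve_id_by_time_modified(org_admin_headers):
    """ ids can be queried by the time window in which they were reserved

    Reserves n_ids ids between two timestamps and then filters the id
    list on time_modified.gt / time_modified.lt. Against a shared
    integration environment other clients may reserve ids inside the same
    window, so the check is that at least n_ids come back.
    """
    n_ids = 10
    stamp_format = '%Y-%m-%dT%H:%M:%S'

    # The one-second sleeps keep the second-resolution timestamps strictly
    # on either side of the reservation.
    # NOTE(review): dt.datetime.now() is naive local time; presumably the
    # service compares in the same zone as the test host -- confirm.
    time.sleep(1)
    t_before = dt.datetime.now().strftime(stamp_format)
    time.sleep(1)
    res_ids = get_reserve_cve_ids(n_ids, utils.CURRENT_YEAR,
                                  org_admin_headers['CVE-API-ORG'])
    # fail here, not on the count below, if the reservation itself failed
    ok_response_contains(res_ids, f'CVE-{utils.CURRENT_YEAR}-')
    time.sleep(1)
    t_after = dt.datetime.now().strftime(stamp_format)

    res_get_ids = requests.get(
        f'{env.AWG_BASE_URL}{CVE_ID_URL}',
        headers=utils.BASE_HEADERS,
        params={
            'time_modified.lt': t_after,
            'time_modified.gt': t_before
        })
    ok_response_contains(res_get_ids, f'CVE-{utils.CURRENT_YEAR}-')
    # "at least", as documented: an exact match breaks on shared environments
    assert len(json.loads(res_get_ids.content.decode())['cve_ids']) >= n_ids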
def test_reg_user_can_get_org_id_quota(reg_user_headers):
    """ a regular user can read their own organization's id quota """
    org = reg_user_headers['CVE-API-ORG']
    quota_url = f'{env.AWG_BASE_URL}{ORG_URL}/{org}/id_quota'
    res = requests.get(quota_url, headers=reg_user_headers)
    # all three counters must be present in the body
    for field in ('id_quota', 'total_reserved', 'available'):
        ok_response_contains(res, field)
def test_get_all_orgs():
    """ secretariat users can request a list of all organizations """
    orgs_url = f'{env.AWG_BASE_URL}{ORG_URL}'
    res = requests.get(orgs_url, headers=utils.BASE_HEADERS)
    # exact-serialization match: depends on the role order and on the
    # absence of whitespace in the response JSON
    ok_response_contains(res, '"active_roles":["SECRETARIAT","CNA"]')
    organizations = json.loads(res.content.decode())['organizations']
    assert len(organizations) >= 1
def test_post_new_org():
    """ the new org endpoint accepts a unique name with a random quota """
    # a fresh uuid is passed for both of the first two post_new_org arguments
    org_uid = str(uuid.uuid4())
    id_quota = random.randint(0, 100000)
    res = post_new_org(org_uid, org_uid, id_quota)
    ok_response_contains(
        res, f'{org_uid} organization was successfully created')