def test_profile_put_writes_audit_log_if_not_own_profile(
    profile, other_profile, api_client, caplog
):
    """Updating another user's profile must leave a FORBIDDEN "UPDATE" audit event.

    The caller authenticates as ``profile`` and issues a PUT against
    ``other_profile``. The captured audit event must name the caller as a
    plain ``USER`` actor, point at the foreign profile as the target, and
    carry the ``FORBIDDEN`` status.
    """
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")

    target_url = reverse(
        "users:profile-detail", args=(mask_uuid(other_profile.pk),)
    )
    payload = dict(PROFILE_TEST_DATA)
    payload["first_name"] = "Maija"
    # NOTE(review): the own-profile PUT test in this file sends the same value
    # under the key "address" — confirm which key the serializer expects.
    payload["street_address"] = "Kauppakatu 23"
    api_client.put(target_url, payload)

    # NOTE(review): only the audit event is asserted, not the HTTP response
    # status; the event is the sole evidence here that the update was denied.
    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"

    expected_actor = {"role": "USER", "profile_id": str(profile.pk)}
    expected_target = {"id": str(other_profile.pk), "type": "Profile"}
    assert event["actor"] == expected_actor
    assert event["operation"] == "UPDATE"
    assert event["target"] == expected_target
    assert event["status"] == "FORBIDDEN"
def test_application_post_writes_audit_log_if_not_authenticated(api_client, caplog):
    """An anonymous application POST must leave a FORBIDDEN "CREATE" audit event.

    No credentials are set on the client, so the actor is expected to be
    ``ANONYMOUS`` with no profile id, and the target is expected to carry
    no id.
    """
    # The factory-built profile only serves to produce a valid payload; the
    # request itself is sent without any credentials.
    data = create_application_data(ProfileFactory())
    list_url = reverse("application_form:application-list")
    api_client.post(list_url, data, format="json")

    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"

    expected_actor = {"role": "ANONYMOUS", "profile_id": None}
    expected_target = {"id": None, "type": "Application"}
    assert event["actor"] == expected_actor
    assert event["operation"] == "CREATE"
    assert event["target"] == expected_target
    assert event["status"] == "FORBIDDEN"
def test_profile_post_writes_audit_log(api_client, caplog):
    """An unauthenticated profile POST must leave a SUCCESS "CREATE" audit event.

    Profile creation is performed without credentials; the event must still
    record the ``ANONYMOUS`` actor and point at the profile that was created.
    """
    api_client.post(reverse("users:profile-list"), PROFILE_TEST_DATA)
    # Exactly one profile is expected to exist at this point; ``get()`` raises
    # otherwise, which surfaces as a test error rather than a silent pass.
    created = Profile.objects.get()

    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"

    expected_actor = {"role": "ANONYMOUS", "profile_id": None}
    expected_target = {"id": str(created.pk), "type": "Profile"}
    assert event["actor"] == expected_actor
    assert event["operation"] == "CREATE"
    assert event["target"] == expected_target
    assert event["status"] == "SUCCESS"
def test_profile_get_detail_writes_audit_log_if_not_authenticated(
    profile, api_client, caplog
):
    """An anonymous GET of a profile must leave a FORBIDDEN "READ" audit event.

    No credentials are set on the client. The event must record the
    ``ANONYMOUS`` actor, the requested profile as target, and ``FORBIDDEN``.
    """
    detail_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk),))
    api_client.get(detail_url)

    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"

    expected_actor = {"role": "ANONYMOUS", "profile_id": None}
    expected_target = {"id": str(profile.pk), "type": "Profile"}
    assert event["actor"] == expected_actor
    assert event["operation"] == "READ"
    assert event["target"] == expected_target
    assert event["status"] == "FORBIDDEN"
def test_application_post_writes_audit_log(api_client, caplog):
    """An authenticated application POST must leave a SUCCESS "CREATE" audit event.

    The caller authenticates as a freshly built profile; the event must name
    that profile as a ``USER`` actor and use the submitted
    ``application_uuid`` as the target id.
    """
    profile = ProfileFactory()
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")

    data = create_application_data(profile)
    list_url = reverse("application_form:application-list")
    api_client.post(list_url, data, format="json")

    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"

    expected_actor = {"role": "USER", "profile_id": str(profile.pk)}
    # The target id is the client-supplied uuid from the payload.
    expected_target = {"id": data["application_uuid"], "type": "Application"}
    assert event["actor"] == expected_actor
    assert event["operation"] == "CREATE"
    assert event["target"] == expected_target
    assert event["status"] == "SUCCESS"
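def test_profile_delete_writes_audit_log_if_not_authenticated(
    profile, api_client, caplog
):
    """An anonymous DELETE of a profile must leave a FORBIDDEN "DELETE" audit event.

    No credentials are set on the client. The request carries no body: a
    DELETE needs none, and the sibling "not own profile" delete test in this
    file sends none either, so the two requests stay consistent.
    """
    detail_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk),))
    api_client.delete(detail_url)

    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"

    expected_actor = {"role": "ANONYMOUS", "profile_id": None}
    expected_target = {"id": str(profile.pk), "type": "Profile"}
    assert event["actor"] == expected_actor
    assert event["operation"] == "DELETE"
    assert event["target"] == expected_target
    assert event["status"] == "FORBIDDEN"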
def test_profile_get_detail_writes_audit_log(profile, api_client, caplog):
    """Viewing one's own profile must leave a SUCCESS "READ" audit event.

    The caller authenticates as ``profile`` and fetches that same profile; the
    event must record the caller with the ``OWNER`` role and ``SUCCESS``.
    """
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")

    detail_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk),))
    api_client.get(detail_url)

    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"

    expected_actor = {"role": "OWNER", "profile_id": str(profile.pk)}
    expected_target = {"id": str(profile.pk), "type": "Profile"}
    assert event["actor"] == expected_actor
    assert event["operation"] == "READ"
    assert event["target"] == expected_target
    assert event["status"] == "SUCCESS"
def test_profile_get_detail_writes_audit_log_if_not_own_profile(
    profile, other_profile, api_client, caplog
):
    """Viewing someone else's profile must leave a FORBIDDEN "READ" audit event.

    The caller authenticates as ``profile`` and fetches ``other_profile``;
    the event must name the caller as a plain ``USER`` actor, the foreign
    profile as target, and carry the ``FORBIDDEN`` status.
    """
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")

    target_url = reverse(
        "users:profile-detail", args=(mask_uuid(other_profile.pk),)
    )
    api_client.get(target_url)

    # NOTE(review): only the audit event is asserted, not the HTTP response
    # status; the event is the sole evidence here that the read was denied.
    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"

    expected_actor = {"role": "USER", "profile_id": str(profile.pk)}
    expected_target = {"id": str(other_profile.pk), "type": "Profile"}
    assert event["actor"] == expected_actor
    assert event["operation"] == "READ"
    assert event["target"] == expected_target
    assert event["status"] == "FORBIDDEN"
def test_profile_delete_writes_audit_log_if_not_own_profile(
    profile, other_profile, api_client, caplog
):
    """Deleting someone else's profile must leave a FORBIDDEN "DELETE" audit event.

    The caller authenticates as ``profile`` and issues a DELETE against
    ``other_profile``; the event must name the caller as a plain ``USER``
    actor, the foreign profile as target, and carry the ``FORBIDDEN`` status.
    """
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")

    target_url = reverse(
        "users:profile-detail", args=(mask_uuid(other_profile.pk),)
    )
    api_client.delete(target_url)

    # NOTE(review): only the audit event is asserted, not the HTTP response
    # status or that ``other_profile`` still exists afterwards; the event is
    # the sole evidence here that the delete was denied.
    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"

    expected_actor = {"role": "USER", "profile_id": str(profile.pk)}
    expected_target = {"id": str(other_profile.pk), "type": "Profile"}
    assert event["actor"] == expected_actor
    assert event["operation"] == "DELETE"
    assert event["target"] == expected_target
    assert event["status"] == "FORBIDDEN"
def test_profile_put_writes_audit_log(profile, api_client, caplog):
    """Updating one's own profile must leave a SUCCESS "UPDATE" audit event.

    The caller authenticates as ``profile`` and PUTs a modified copy of the
    test data to that same profile; the event must record the caller with
    the ``OWNER`` role and ``SUCCESS``.
    """
    token = _create_token(profile)
    api_client.credentials(HTTP_AUTHORIZATION=f"Bearer {token}")

    detail_url = reverse("users:profile-detail", args=(mask_uuid(profile.pk),))
    payload = dict(PROFILE_TEST_DATA)
    payload["first_name"] = "Maija"
    # NOTE(review): the "not own profile" PUT test in this file sends the same
    # value under the key "street_address" — confirm which key the serializer
    # expects.
    payload["address"] = "Kauppakatu 23"
    api_client.put(detail_url, payload)

    event = get_audit_log_event(caplog)
    assert event is not None, "no audit log entry was written"

    expected_actor = {"role": "OWNER", "profile_id": str(profile.pk)}
    expected_target = {"id": str(profile.pk), "type": "Profile"}
    assert event["actor"] == expected_actor
    assert event["operation"] == "UPDATE"
    assert event["target"] == expected_target
    assert event["status"] == "SUCCESS"