def test_owners_can_read_given_hidden(self):
"""Test the owner of a project can read it despite being hidden"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(hidden=1, owner=owner)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'read', project)
def test_sign(self):
"""Test sign works."""
rsa = M2Crypto.RSA.gen_key(2048, 65537)
salt = 'salt'
data = {"flags": 8,
"name": "MyAwesomeVM",
"ram": 512,
"secret": "mg041na39123",
"userData": "[amiconfig]\nplugins=cernvm\n[cernvm]\nusers=user:users;password",
"vcpus": 1,
"version": "1.5"}
strBuffer = vmcp.calculate_buffer(data, salt)
digest = hashlib.new('sha512', strBuffer).digest()
with patch('M2Crypto.RSA.load_key', return_value=rsa):
out = vmcp.sign(data, salt, 'key')
err_msg = "There should be a key named signature"
assert out.get('signature'), err_msg
err_msg = "The signature should not be empty"
assert out['signature'] is not None, err_msg
assert out['signature'] != '', err_msg
err_msg = "The signature should be the same"
signature = base64.b64decode(out['signature'])
assert rsa.verify(digest, signature, 'sha512') == 1, err_msg
# The output must be convertible into json object
import json
assert_not_raises(Exception, json.dumps, out)
def test_sign(self):
"""Test sign works."""
# rsa_pk = M2Crypto.RSA.gen_key(2048, 65537)
rsa_keys = rsa.newkeys(2048, 65537)
rsa_pk = rsa_keys[1]
rsa_pub = rsa_keys[0]
salt = 'salt'
data = {"flags": 8,
"name": "MyAwesomeVM",
"ram": 512,
"secret": "mg041na39123",
"userData": "[amiconfig]\nplugins=cernvm\n[cernvm]\nusers=user:users;password",
"vcpus": 1,
"version": "1.5"}
strBuffer = vmcp.calculate_buffer(data, salt)
with patch('rsa.PrivateKey.load_pkcs1', return_value=rsa_pk):
with patch('pybossa.vmcp.open', mock_open(read_data=''), create=True) as m:
out = vmcp.sign(data, salt, 'testkey')
err_msg = "There should be a key named signature"
assert out.get('signature'), err_msg
err_msg = "The signature should not be empty"
assert out['signature'] is not None, err_msg
assert out['signature'] != '', err_msg
err_msg = "The signature should be the same"
signature = base64.b64decode(out['signature'])
assert rsa.verify(strBuffer, signature, rsa_pub) == 1, err_msg
# The output must be convertible into json object
import json
assert_not_raises(Exception, json.dumps, out)
def test_owner_user_cannot_read_project_webhooks(self):
"""Test owner users can read webhooks of a specific project"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert_not_raises(Exception, ensure_authorized_to, 'read', Webhook, project_id=project.id)
def test_anonymous_user_read_given_blogpost(self):
"""Test anonymous users can read a given blogpost"""
project = ProjectFactory.create(published=True)
blogpost = BlogpostFactory.create(project=project)
assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost)
def test_admin_delete_user_taskrun(self):
"""Test admins can delete taskruns posted by authenticated users"""
user_taskrun = TaskRunFactory.create()
assert self.mock_admin.id != user_taskrun.user.id, user_taskrun.user.id
assert_not_raises(Exception,
ensure_authorized_to, 'delete', user_taskrun)
def test_admin_can_read_given_hidden(self):
"""Test an admin can read a project despite being hidden"""
owner = UserFactory.build_batch(2)[1]
project = AppFactory.create(hidden=1, owner=owner)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, getattr(require, 'app').read, project)
def test_owner_can_delete(self):
"""Test owners can delete a project"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'delete', project)
def test_anonymous_user_create_repeated_taskrun(self):
"""Test anonymous user cannot create a taskrun for a task to which
he has previously posted a taskrun"""
with self.flask_app.test_request_context('/'):
self.configure_fixtures()
taskrun1 = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="some taskrun info")
db.session.add(taskrun1)
db.session.commit()
taskrun2 = TaskRun(app_id=self.app.id,
task_id=self.task.id,
user_ip='127.0.0.0',
info="a different taskrun info")
assert_raises(Forbidden,
getattr(require, 'taskrun').create,
taskrun2)
# But the user can still create taskruns for different tasks
task2 = Task(app_id=self.app.id, state='0', n_answers=10)
task2.app = self.app
db.session.add(task2)
db.session.commit()
taskrun3 = TaskRun(app_id=self.app.id,
task_id=task2.id,
user_ip='127.0.0.0',
info="some taskrun info")
assert_not_raises(Exception,
getattr(require, 'taskrun').create,
taskrun3)
def test_owner_can_delete(self):
"""Test owners can delete a project"""
owner = UserFactory.build_batch(2)[1]
project = AppFactory.create(owner=owner)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, getattr(require, 'app').delete, project)
def test_admin_delete_anonymous_taskrun(self):
"""Test admins can delete anonymously posted taskruns"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_not_raises(Exception,
ensure_authorized_to, 'delete', anonymous_taskrun)
def test_admin_can_delete(self):
"""Test an admin can delete a project"""
owner = UserFactory.build_batch(2)[1]
project = AppFactory.create(hidden=1, owner=owner)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, getattr(require, 'app').delete, project)
def test_anonymous_user_read_given_blogpost(self):
"""Test anonymous users can read a given blogpost"""
app = AppFactory.create()
blogpost = BlogpostFactory.create(app=app)
assert_not_raises(Exception, getattr(require, 'blogpost').read, blogpost)
def test_admin_can_read_given_hidden(self):
"""Test an admin can read a project despite being hidden"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(hidden=1, owner=owner)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'read', project)
def test_admin_can_delete(self):
"""Test an admin can delete a project"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(hidden=1, owner=owner)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'delete', project)
def test_anonymous_user_create_first_taskrun(self):
"""Test anonymous user can create a taskrun for a given task if he
hasn't already done it"""
task = TaskFactory.create()
taskrun = AnonymousTaskRunFactory.build(task=task)
assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun)
def test_owners_can_read_given_hidden(self):
"""Test the owner of a project can read it despite being hidden"""
owner = UserFactory.build_batch(2)[1]
project = AppFactory.create(hidden=1, owner=owner)
assert project.owner.id == self.mock_authenticated.id, project.owner
assert_not_raises(Exception, getattr(require, 'app').read, project)
def test_admin_read_blogposts_for_given_draft_project(self):
"""Test admin can read blogposts of a given draft project"""
admin = UserFactory.create()
project = ProjectFactory.create(published=False)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id)
def test_admin_authenticated_user_delete_blogpost(self):
"""Test authenticated user can delete any blogpost if is admin"""
admin = UserFactory.create()
blogpost = BlogpostFactory.create()
assert self.mock_admin.id != blogpost.owner.id
assert_not_raises(Exception, getattr(require, 'blogpost').delete, blogpost)
def test_admin_read_blogposts_for_given_hidden_app(self):
"""Test admin can read blogposts of a given hidden project"""
admin = UserFactory.create()
app = AppFactory.create(hidden=1)
assert self.mock_admin.id != app.owner.id
assert_not_raises(Exception, getattr(require, 'blogpost').read, app_id=app.id)
def test_admin_authenticated_user_delete_blogpost(self):
"""Test authenticated user can delete any blogpost if is admin"""
admin = UserFactory.create()
blogpost = BlogpostFactory.create()
assert self.mock_admin.id != blogpost.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'delete', blogpost)
def test_anonymous_user_read(self):
"""Test anonymous user can read any taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
user_taskrun = TaskRunFactory.create()
assert_not_raises(Exception,
ensure_authorized_to, 'read', anonymous_taskrun)
assert_not_raises(Exception, ensure_authorized_to, 'read', user_taskrun)
def test_authenticated_user_can_create_taskrun_for_draft_project(self):
"""Test authenticated users can create a taskrun for a project that
is a draft"""
project = ProjectFactory.create(published=False)
task = TaskFactory.create(project=project)
taskrun = TaskRunFactory.build(task_id=task.id, project_id=project.id)
assert_not_raises(Forbidden, ensure_authorized_to, 'create', taskrun)
def test_authenticated_user_create_taskrun_non_allow_anonymous_contrib(self):
"""Test authenticated user can create a taskrun for a project that does
not allow for anonymous contributors"""
project = ProjectFactory.create(allow_anonymous_contributors=False)
task = TaskFactory.create(project=project)
taskrun = TaskRunFactory.build(task_id=task.id, project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun)
def test_admin_user_can_read_project_webhooks(self):
"""Test admin users can read webhooks from a project"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert self.mock_admin.id != project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'read', Webhook, project_id=project.id)
def test_admin_delete_anonymous_taskrun(self):
"""Test admins can delete anonymously posted taskruns"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
assert_not_raises(Exception,
getattr(require, 'taskrun').delete,
anonymous_taskrun)
def test_blogpost_owner_is_nullable(self):
"""Test BLOGPOST a blogpost owner can be none
(if the user is removed from the system)"""
self.configure_fixtures()
blogpost = Blogpost(title='title', body="body", app=self.app, owner=None)
db.session.add(blogpost)
assert_not_raises(IntegrityError, db.session.commit)
def test_admins_can_delete_any_user(self):
"""Test admins users can delete any given user"""
himself = UserFactory.create()
other_user = UserFactory.create()
assert himself.id == self.mock_admin.id
assert other_user.id != self.mock_admin.id
assert_not_raises(Exception, ensure_authorized_to, 'delete', other_user)
def test_pro_user_can_read_project_auditlogs(self):
"""Test pro users cannot read auditlogs from an owned project"""
owner = UserFactory.create_batch(2, pro=True)[1]
project = ProjectFactory.create(owner=owner)
assert self.mock_pro.id == project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'read', Auditlog, project_id=project.id)
def test_admin_can_publish_if_project_has_tasks_and_presenter(self):
"""Test admins can publish a project that has tasks and a presenter"""
owner = UserFactory.build_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=False)
TaskFactory.create(project=project)
assert project.owner.id != self.mock_admin.id, project.owner
assert_not_raises(Exception, ensure_authorized_to, 'publish', project)
def test_non_owner_authenticated_user_read_blogposts_for_given_project(self):
"""Test authenticated user can read blogposts of a given project if
is not the project owner"""
project = ProjectFactory.create()
user = UserFactory.create()
assert self.mock_authenticated.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id)
def test_admin_can_crud(self):
"""Test admin user can crud categories"""
category = CategoryFactory.build()
assert_not_raises(Forbidden, ensure_authorized_to, 'create', category)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', category)
assert_not_raises(Forbidden, ensure_authorized_to, 'read', Category)
assert_not_raises(Forbidden, ensure_authorized_to, 'update', category)
assert_not_raises(Forbidden, ensure_authorized_to, 'delete', category)
def test_anonymous_user_cannot_crud(self):
"""Test anonymous users cannot crud categories"""
category = CategoryFactory.build()
assert_raises(Unauthorized, ensure_authorized_to, 'create', category)
assert_not_raises(Exception, ensure_authorized_to, 'read', category)
assert_not_raises(Exception, ensure_authorized_to, 'read', Category)
assert_raises(Unauthorized, ensure_authorized_to, 'update', category)
assert_raises(Unauthorized, ensure_authorized_to, 'delete', category)
def test_owner_delete_blogpost(self):
"""Test authenticated user can delete a blogpost if is the post owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create()
blogpost = BlogpostFactory.create(project=project, owner=owner)
assert self.mock_authenticated.id == blogpost.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'delete', blogpost)
def test_owner_read_given_blogpost(self):
"""Test authenticated user can read a given blogpost if is the project owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner, published=True)
blogpost = BlogpostFactory.create(project=project)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost)
def test_non_owner_authenticated_user_read_given_page(self):
"""Test authenticated user can read a given page
if is not the project owner"""
project = ProjectFactory.create(published=True)
page = PageFactory.create(project_id=project.id)
assert self.mock_authenticated.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', page)
def test_admin_user_can_read_auditlog(self):
"""Test admin users can read an auditlog"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
log = AuditlogFactory.create(project_id=project.id)
assert self.mock_admin.id != project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'read', log)
def test_admins_can_delete_any_user(self):
"""Test admins users can delete any given user"""
himself = UserFactory.create()
other_user = UserFactory.create()
assert himself.id == self.mock_admin.id
assert other_user.id != self.mock_admin.id
assert_not_raises(Exception, ensure_authorized_to, 'delete',
other_user)
def test_non_owner_authenticated_user_read_given_blogpost(self):
"""Test authenticated user can read a given blogpost if is not the project owner"""
project = ProjectFactory.create()
user = UserFactory.create()
blogpost = BlogpostFactory.create(project=project)
assert self.mock_authenticated.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost)
def test_owner_update_blogpost(self):
"""Test authenticated user can update blogpost if is the post owner"""
owner = UserFactory.create(id=self.mock_authenticated.id, admin=False)
project = ProjectFactory.create()
blogpost = BlogpostFactory.create(project=project, owner=owner)
assert self.mock_authenticated.id == blogpost.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'update', blogpost)
def test_owner_update_page(self):
"""Test authenticated user can update page
if it's the project's page owner"""
owner = UserFactory.create(id=2)
project = ProjectFactory.create(owner=owner)
page = PageFactory.create(project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'update', page)
def test_authenticated_user_create_first_taskrun(self):
"""Test authenticated user can create a taskrun for a given task if he
hasn't already done it"""
taskrun = TaskRunFactory.build()
assert self.mock_authenticated.id == taskrun.user.id
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun)
def test_admin_user_can_read_webhook(self):
"""Test admin users can read a webhook"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
webhook = WebhookFactory.create(project_id=project.id)
assert self.mock_admin.id != project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'read', webhook)
def test_admin_read_given_page_draft_project(self):
"""Test admin can read a given page of a draft project"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner, published=False)
page = PageFactory.create(project_id=project.id)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', page)
def test_pro_user_can_read_auditlog(self):
"""Test pro users can read an auditlog from an owned project"""
owner = UserFactory.create_batch(2, pro=True)[1]
project = ProjectFactory.create(owner=owner)
log = AuditlogFactory.create(project_id=project.id)
assert self.mock_pro.id == project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'read', log)
def test_pro_user_can_read_auditlog(self):
"""Test pro users can read auditlogs from owned projects"""
owner = UserFactory.create_batch(2, pro=True)[1]
app = AppFactory.create(owner=owner)
log = AuditlogFactory.create(app_id=app.id)
assert self.mock_pro.id == app.owner_id
assert_not_raises(Exception, getattr(require, 'auditlog').read, log)
def test_anonymous_user_read_blogposts_for_given_project(self):
"""Test anonymous users can read blogposts of a given project"""
project = ProjectFactory.create(published=True)
assert_not_raises(Exception,
ensure_authorized_to,
'read',
Blogpost,
project_id=project.id)
def test_admin_user_can_read_auditlog(self):
"""Test admin users can read auditlogs"""
owner = UserFactory.create_batch(2)[1]
app = AppFactory.create(owner=owner)
log = AuditlogFactory.create(app_id=app.id)
assert self.mock_admin.id != app.owner_id
assert_not_raises(Exception, getattr(require, 'auditlog').read, log)
def test_admin_read_given_blogpost_draft_project(self):
"""Test admin can read a given blogpost of a draft project"""
admin = UserFactory.create()
project = ProjectFactory.create(published=False)
blogpost = BlogpostFactory.create(project=project)
assert self.mock_admin.id != project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', blogpost)
def test_anonymous_user_read(self):
"""Test anonymous user can read any taskrun"""
anonymous_taskrun = AnonymousTaskRunFactory.create()
user_taskrun = TaskRunFactory.create()
assert_not_raises(Exception, ensure_authorized_to, 'read',
anonymous_taskrun)
assert_not_raises(Exception, ensure_authorized_to, 'read',
user_taskrun)
def test_owner_create_given_blogpost(self):
"""Test authenticated user can create a given blogpost if is project owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
blogpost = BlogpostFactory.build(project=project, owner=owner)
assert self.mock_authenticated.id == project.owner_id
assert_not_raises(Exception, ensure_authorized_to, 'create', blogpost)
def test_anonymous_user_can_create_taskrun_for_draft_project(self):
"""Test anonymous users can create a taskrun for a project that
is a draft"""
project = ProjectFactory.create(published=False)
task = TaskFactory.create(project=project)
taskrun = AnonymousTaskRunFactory.build(task_id=task.id,
project_id=project.id)
assert_not_raises(Forbidden, ensure_authorized_to, 'create', taskrun)
def test_authenticated_user_can_crud(self):
"""Test authenticated users cannot crud categories"""
category = CategoryFactory.build()
assert_raises(Forbidden, ensure_authorized_to, 'create', category)
assert_not_raises(Exception, ensure_authorized_to, 'read', category)
assert_not_raises(Exception, ensure_authorized_to, 'read', Category)
assert_raises(Forbidden, ensure_authorized_to, 'update', category)
assert_raises(Forbidden, ensure_authorized_to, 'delete', category)
def test_anonymous_user_create_first_taskrun(self):
"""Test anonymous user can create a taskrun for a given task if he
hasn't already done it"""
task = TaskFactory.create()
taskrun = AnonymousTaskRunFactory.build(task=task)
assert_not_raises(Exception,
getattr(require, 'taskrun').create, taskrun)
def test_authenticated_user_create_taskrun_non_allow_anonymous_contrib(
self):
"""Test authenticated user can create a taskrun for a project that does
not allow for anonymous contributors"""
project = ProjectFactory.create(allow_anonymous_contributors=False)
task = TaskFactory.create(project=project)
taskrun = TaskRunFactory.build(task_id=task.id, project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun)
def test_anonymous_user_create_taskrun(self):
"""Test anonymous user can create a taskrun for a task even though
he has posted taskruns for different tasks in the same project"""
tasks = TaskFactory.create_batch(2)
taskrun1 = AnonymousTaskRunFactory.create(task=tasks[0])
taskrun2 = AnonymousTaskRunFactory.build(task_id=tasks[1].id)
assert_not_raises(Exception, ensure_authorized_to, 'create', taskrun2)
def test_owner_read_blogposts_for_given_hidden_project(self):
"""Test authenticated user can read blogposts of a given hidden project if
is the project owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner, hidden=1)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'read', Blogpost, project_id=project.id)
def test_admin_authenticated_user_delete_blogpost(self):
"""Test authenticated user can delete any blogpost if is admin"""
admin = UserFactory.create()
blogpost = BlogpostFactory.create()
assert self.mock_admin.id != blogpost.owner.id
assert_not_raises(Exception,
getattr(require, 'blogpost').delete, blogpost)
def test_owner_create_blogpost_for_given_project(self):
"""Test authenticated user can create blogposts for a given project
if is project owner"""
owner = UserFactory.create_batch(2)[1]
project = ProjectFactory.create(owner=owner)
assert self.mock_authenticated.id == project.owner.id
assert_not_raises(Exception, ensure_authorized_to, 'create', Blogpost, project_id=project.id)
def test_admin_update_page(self):
"""Test admins can update page
even if it's not the post owner"""
owner = UserFactory.create(id=5)
project = ProjectFactory.create(owner=owner)
page = PageFactory.create(project_id=project.id)
assert_not_raises(Exception, ensure_authorized_to, 'update', page)