def test_post_resource_auth(self):
# Ticket #231.
# Test that user restricted access works fine if there's no global
# level auth, which is set at resource level instead.
# no global auth.
app = Eve(settings=self.settings_file)
# set auth at resource level instead.
resource_def = app.config['DOMAIN'][self.url]
resource_def['authentication'] = ValidBasicAuth()
resource_def['auth_field'] = 'username'
# post with valid auth - must store the document with the correct
# auth_field.
r = app.test_client().post(self.url, data=self.data,
headers=self.valid_auth,
content_type='application/json')
_, status = self.parse_response(r)
# Verify that we can retrieve the same document
data, status = self.parse_response(
app.test_client().get(self.url, headers=self.valid_auth))
self.assert200(status)
self.assertEqual(len(data['_items']), 1)
self.assertEqual(data['_items'][0]['ref'],
json.loads(self.data)['ref'])
class ApiInstance(object):
"""
AIMS api instance factory
"""
def __init__(self):
try:
self.redis = StrictRedis.from_url(environ.get('REDIS_URI', 'redis://*****:*****@mongo:27017/apidemo'))
)
def get_instance(cls, settings=EVE_CONFIG, debug=DEBUG):
""" Configure and run bot instance.
"""
app = Eve(settings=settings)
app.debug = debug
return app
def run():
DIR = os.path.dirname(__file__)
host = os.environ.get('HOST', '127.0.0.1')
port = int(os.environ.get('PORT', '5000'))
app = Eve(data=SQLAlchemy, auth=TokenAuth, settings='{0}/settings.py'.format(DIR))
db = app.data.driver
Base.metadata.bind = db.engine
db.Model = Base
db.create_all()
app.run(host=host, port=port, use_reloader=False)
def setUpClass(cls):
SETTINGS['DOMAIN'] = {'eve-mongoengine':{}}
app = Eve(settings=SETTINGS)
app.debug = True
ext = EveMongoengine(app)
ext.add_model([SimpleDoc, ComplexDoc, LimitedDoc, FieldsDoc,
NonStructuredDoc, Inherited, HawkeyDoc])
cls.ext = ext
cls.client = app.test_client()
cls.app = app
def main():
app = Eve(auth=None, settings=SETTINGS, validator=ValidatorSQL, data=SQL)
# bind SQLAlchemy
db = app.data.driver
Base.metadata.bind = db.engine
db.Model = Base
db.create_all()
app.run(host='0.0.0.0', debug=True, use_reloader=True)
def get_app(config=None):
"""
App factory.
:param dict config: configuration that can override config
from `settings.py`
:return: a new SuperdeskEve app instance
"""
app_config = flask.Config('.')
# get content api default conf
app_config.from_object('content_api.app.settings')
# set some required fields
app_config.update({'DOMAIN': {}, 'SOURCES': {}})
try:
# override from settings module, but only things defined in default config
import settings as server_settings
for key in dir(server_settings):
if key.isupper() and key in app_config:
app_config[key] = getattr(server_settings, key)
except ImportError:
pass # if exists
if config:
app_config.update(config)
media_storage = SuperdeskGridFSMediaStorage
if app_config.get('AMAZON_CONTAINER_NAME'):
from superdesk.storage.amazon.amazon_media_storage import AmazonMediaStorage
media_storage = AmazonMediaStorage
app = Eve(
auth=SubscriberTokenAuth,
settings=app_config,
data=SuperdeskDataLayer,
media=media_storage,
json_encoder=MongoJSONEncoder,
validator=SuperdeskValidator
)
_set_error_handlers(app)
for module_name in app.config.get('CONTENTAPI_INSTALLED_APPS', []):
app_module = importlib.import_module(module_name)
try:
app_module.init_app(app)
except AttributeError:
pass
app.sentry = SuperdeskSentry(app)
return app
def run_daemon(self):
app = Eve()
app.on_get += general_callback
app.on_post_joke += post_joke_callback
file_handler = FileHandler('/tmp/funny_jokes_eve_server.log')
file_handler.setLevel(logging.INFO)
formatter = Formatter(
'%(asctime)s %(levelname)s: %(message)s '
'[in %(pathname)s:%(lineno)d]')
file_handler.setFormatter(formatter)
app.logger.addHandler(file_handler)
app.run(host='localhost', port=8888)
app.logger.warning("Test Loggin")
def app():
# preapre the mongodb database
connection = MongoClient(MONGO_HOST, MONGO_PORT)
connection.drop_database(MONGO_DBNAME)
# build the Eve App using the settings where the locations
# schema is configured
directory = os.path.dirname(os.path.realpath(__file__))
settings_file = os.path.join(directory, 'settings.py')
app = Eve(settings=settings_file)
# save the url
url = app.config['DOMAIN']['locations']['url']
# save a instance of test_client
app.client = app.test_client()
# treeify the resource
treeify(app, "locations", 'name')
# create a minimal tree node
# World
# + Europe
# + Andorra
world, status_code = post(
app.client, url,
{'name': 'World', 'parent': None})
europe = {
'name': 'Europe',
'parent': world["_id"]
}
response, _ = post(app.client, url, europe)
europe.update(response)
andorra = {
'name': 'Andorra',
'parent': europe["_id"]
}
response, _ = post(app.client, url, andorra)
andorra.update(response)
# return all that we need
Fixture = namedtuple("Fixture", "app client url world europe andorra")
return Fixture(
app=app, client=app.client, url=url,
world=world, europe=europe, andorra=andorra)
class TestBaseMinimal(TestCase):
def setUp(self):
settings_path = os.path.join(os.path.dirname(
os.path.realpath(__file__)), 'testsettings.py')
self.headers = {'Content-Type': 'application/json'}
self.setupDB()
self.apiapp = Eve(settings=settings_path)
self.everh = EveRestHooks(self.apiapp)
self.local_client = self.apiapp.test_client()
def setupDB(self):
self.connection = MongoClient(MONGO_HOST, MONGO_PORT)
self.connection.drop_database(MONGO_DBNAME)
if MONGO_USERNAME:
self.connection[MONGO_DBNAME].add_user(MONGO_USERNAME,
MONGO_PASSWORD)
def bulk_insert(self):
pass
def dropDB(self):
self.connection = MongoClient(MONGO_HOST, MONGO_PORT)
self.connection.drop_database(MONGO_DBNAME)
self.connection.close()
def create_app():
"""
Create an Eve Flask api application
"""
dirname = os.path.dirname(os.path.realpath(__file__))
app = Eve(
auth=RolesAuth,
settings=get_config(),
static_url_path='',
static_folder= dirname + '/static'
)
app.add_url_rule('/', 'index', index)
return app
def setUp(self):
super(TestHMACAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidHMACAuth)
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'admin:secret'),
self.content_type]
self.setUpRoles()
def test_resource_only_auth(self):
# no auth at the API level
self.app = Eve(settings=self.settings_file)
self.test_client = self.app.test_client()
# explicit auth for just one resource
self.app.config['DOMAIN']['contacts']['authentication'] = \
ValidBasicAuth()
self.app.config['DOMAIN']['empty']['authentication'] = ValidTokenAuth()
self.app.set_defaults()
basic_auth = [('Authorization', 'Basic YWRtaW46c2VjcmV0')]
token_auth = [('Authorization', 'Basic dGVzdF90b2tlbjo=')]
# 'contacts' endpoints are protected
r = self.test_client.get(self.known_resource_url)
self.assert401(r.status_code)
r = self.test_client.get(self.item_id_url)
self.assert401(r.status_code)
# both with BasicAuth.
_, status = self.parse_response(
self.test_client.get(self.known_resource_url, headers=basic_auth))
self.assert200(status)
_, status = self.parse_response(
self.test_client.get(self.item_id_url, headers=basic_auth))
self.assert200(status)
# 'empty' resource endpoint is also protected
r = self.test_client.get(self.empty_resource_url)
self.assert401(r.status_code)
# but with TokenAuth
r = self.test_client.get(self.empty_resource_url, headers=token_auth)
self.assert200(r.status_code)
# other resources are not protected
r = self.test_client.get(self.readonly_resource_url)
self.assert200(r.status_code)
def initialize(self, debug=False, subcommand='run'):
self.log.setLevel(debug)
self.get_settings_from_ini()
self.settings['DOMAIN'] = register_models()
self.settings['RESOURCE_METHODS'] = ['GET', 'POST', 'DELETE']
self.settings['ITEM_METHODS'] = ['GET', 'PATCH', 'PUT', 'DELETE']
self.settings['XML'] = False
self.settings['X_DOMAINS'] = '*'
self.settings['X_HEADERS'] = (
'Authorization, If-Match,'
' X-HTTP-Method-Override, Content-Type'
)
self.settings['PAGINATION_LIMIT'] = 200
self.settings['MONGO_HOST'] = 'localhost'
self.settings['MONGO_PORT'] = 27017
# self.settings['MONGO_USERNAME'] = '******'
# self.settings['MONGO_PASSWORD'] = '******'
self.settings['MONGO_DBNAME'] = 'alignak-backend'
self.app = Eve(
settings=self.settings
)
Bootstrap(self.app)
self.app.register_blueprint(eve_docs, url_prefix='/docs')
self.log.debug(pformat(self.app.settings))
self.app.debug = debug
def setUp(self):
super(TestTokenAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidTokenAuth)
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'Basic dGVzdF90b2tlbjo='),
self.content_type]
self.setUpRoles()
def setUp(self):
self.setupDB()
self.settings_file = 'eve/tests/test_settings.py'
self.app = Eve(settings=self.settings_file)
self.test_client = self.app.test_client()
self.domain = self.app.config['DOMAIN']
self.known_resource = 'contacts'
self.known_resource_url = ('/%s/' %
self.domain[self.known_resource]['url'])
self.empty_resource = 'empty'
self.empty_resource_url = '/%s/' % self.empty_resource
self.unknown_resource = 'unknown'
self.unknown_resource_url = '/%s/' % self.unknown_resource
self.unknown_item_id = '4f46445fc88e201858000000'
self.unknown_item_name = 'unknown'
self.unknown_item_id_url = ('/%s/%s/' %
(self.domain[self.known_resource]['url'],
self.unknown_item_id))
self.unknown_item_name_url = ('/%s/%s/' %
(self.domain[self.known_resource]['url'],
self.unknown_item_name))
self.readonly_resource = 'payments'
self.readonly_resource_url = (
'/%s/' % self.domain[self.readonly_resource]['url'])
self.different_resource = 'users'
self.different_resource_url = ('/%s/' %
self.domain[
self.different_resource]['url'])
class TestHMACAuth(TestBasicAuth):
def setUp(self):
super(TestHMACAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidHMACAuth)
self.test_client = self.app.test_client()
self.valid_auth = [("Authorization", "admin:secret"), self.content_type]
self.valid_media_auth = [
("Authorization", "admin:secret"),
("Content-Type", "multipart/form-data"),
]
self.setUpRoles()
def test_custom_auth(self):
self.assertTrue(isinstance(self.app.auth, ValidHMACAuth))
def test_bad_auth_class(self):
self.app = Eve(settings=self.settings_file, auth=BadHMACAuth)
self.test_client = self.app.test_client()
r = self.test_client.get("/", headers=self.valid_auth)
# will fail because check_auth() is not implemented in the custom class
self.assert500(r.status_code)
def test_rfc2617_response(self):
r = self.test_client.get("/")
self.assert401(r.status_code)
def test_post_resource_hmac_auth(self):
# Test that user restricted access works with HMAC auth.
resource_def = self.app.config["DOMAIN"]["restricted"]
resource_def["auth_field"] = "username"
url = resource_def["url"]
data = {"ref": "0123456789123456789012345"}
r = self.app.test_client().post(
url,
data=json.dumps(data),
headers=self.valid_auth,
content_type="application/json",
)
# Verify that we can retrieve the same document
r, status = self.parse_response(
self.app.test_client().get(url, headers=self.valid_auth)
)
self.assert200(status)
self.assertEqual(len(r["_items"]), 1)
self.assertEqual(r["_items"][0]["ref"], data["ref"])
def setUp(self):
""" Prepare the test fixture
"""
self.setupDB()
super(TestMinimal, self).setUp()
self.app = Eve(settings='settings.py', auth=run.Auth)
self.test_client = self.app.test_client()
self.domain = self.app.config['DOMAIN']
def get_app(config=None):
"""
App factory.
:param dict config: configuration that can override config
from `settings.py`
:return: a new SuperdeskEve app instance
"""
if config is None:
config = {}
config.setdefault('SOURCES', {})
config['APP_ABSPATH'] = os.path.dirname(os.path.abspath(os.path.dirname(__file__)))
for key in dir(settings):
if key.isupper():
config.setdefault(key, getattr(settings, key))
media_storage = SuperdeskGridFSMediaStorage
if config.get('AMAZON_CONTAINER_NAME'):
from superdesk.storage.amazon.amazon_media_storage import AmazonMediaStorage
media_storage = AmazonMediaStorage
app = Eve(
auth=BearerAuth,
settings=config,
data=SuperdeskDataLayer,
media=media_storage,
json_encoder=MongoJSONEncoder,
validator=SuperdeskValidator
)
superdesk.app = app
_set_error_handlers(app)
app.mail = Mail(app)
if config.get('REDIS_URL'):
app.redis = StrictRedis.from_url(config['REDIS_URL'], 0)
for module_name in app.config['INSTALLED_APPS']:
app_module = importlib.import_module(module_name)
try:
app_module.init_app(app)
except AttributeError:
pass
for resource in config['DOMAIN']:
app.register_resource(resource, config['DOMAIN'][resource])
for blueprint in superdesk.BLUEPRINTS:
prefix = app.api_prefix or None
app.register_blueprint(blueprint, url_prefix=prefix)
app.sentry = sentry
sentry.init_app(app)
return app
def setUp(self):
super(TestHMACAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidHMACAuth)
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'admin:secret'),
self.content_type]
self.valid_media_auth = [('Authorization', 'admin:secret'),
('Content-Type', 'multipart/form-data')]
self.setUpRoles()
class TestTokenAuth(TestBasicAuth):
def setUp(self):
super(TestTokenAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidTokenAuth)
self.test_client = self.app.test_client()
self.valid_auth = [("Authorization", "Basic dGVzdF90b2tlbjo=")]
def test_custom_auth(self):
self.assertEqual(type(self.app.auth), ValidTokenAuth)
def test_put_resource_auth(self):
# no global auth.
self.app = Eve(settings=self.settings_file)
# set auth at resource level instead.
resource_def = self.app.config['DOMAIN'][self.url]
resource_def['authentication'] = ValidBasicAuth
resource_def['auth_field'] = 'username'
# post
r = self.app.test_client().post(self.url, data=self.data,
headers=self.valid_auth,
content_type='application/json')
data, status = self.parse_response(r)
# retrieve document metadata
url = '%s/%s' % (self.url, data['_id'])
response = self.app.test_client().get(url, headers=self.valid_auth)
etag = response.headers['ETag']
new_ref = "9999999999999999999999999"
changes = json.dumps({"ref": new_ref})
# put
headers = [('If-Match', etag), self.valid_auth[0]]
response, status = self.parse_response(
self.app.test_client().put(url, data=json.dumps(changes),
headers=headers,
content_type='application/json'))
self.assert200(status)
etag = '"%s"' % response['_etag']
# document still accessible with same auth
data, status = self.parse_response(
self.app.test_client().get(url, headers=self.valid_auth))
self.assert200(status)
self.assertEqual(data['ref'], new_ref)
# put on same item with different auth fails
original_auth_val = resource_def['authentication'].request_auth_value
resource_def['authentication'].request_auth_value = 'alt'
alt_auth = ('Authorization', 'Basic YWx0OnNlY3JldA==')
alt_changes = {"ref": "1111111111111111111111111"}
headers = [('If-Match', etag), alt_auth]
response, status = self.parse_response(
self.app.test_client().put(url, data=json.dumps(alt_changes),
headers=headers,
content_type='application/json'))
self.assert403(status)
# document still accessible with original auth
resource_def['authentication'].request_auth_value = original_auth_val
data, status = self.parse_response(
self.app.test_client().get(url, headers=self.valid_auth))
self.assert200(status)
self.assertEqual(data['ref'], new_ref)
def setUp(self):
super(TestBasicAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidBasicAuth)
self.test_client = self.app.test_client()
self.valid_auth = [("Authorization", "Basic YWRtaW46c2VjcmV0")]
self.invalid_auth = [("Authorization", "Basic IDontThinkSo")]
for resource, schema in self.app.config["DOMAIN"].items():
schema["allowed_roles"] = ["admin"]
schema["allowed_item_roles"] = ["admin"]
self.app.set_defaults()
def setUp(self):
super(TestHMACAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidHMACAuth)
self.test_client = self.app.test_client()
self.valid_auth = [("Authorization", "admin:secret"), self.content_type]
self.valid_media_auth = [
("Authorization", "admin:secret"),
("Content-Type", "multipart/form-data"),
]
self.setUpRoles()
def setUp(self):
# set up eve
self.app = Eve(settings=settings)
self.app.config['TESTING'] = True
StatsD(self.app)
self.test_client = self.app.test_client()
# set up statsd mock
self.server = StatsdMockServer()
self.server.start()
def setUp(self):
super(TestUserRestrictedAccess, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidBasicAuth)
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'Basic YWRtaW46c2VjcmV0')]
self.invalid_auth = [('Authorization', 'Basic IDontThinkSo')]
self.field_name = 'auth_username_field'
self.data = {'item1': json.dumps({"ref": "0123456789123456789012345"})}
for resource, schema in self.app.config['DOMAIN'].items():
schema[self.field_name] = 'username'
class TestTokenAuth(TestBasicAuth):
def setUp(self):
super(TestTokenAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidTokenAuth)
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'Basic dGVzdF90b2tlbjo='),
self.content_type]
def test_custom_auth(self):
self.assertTrue(isinstance(self.app.auth, ValidTokenAuth))
def setUp(self):
super(TestBasicAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidBasicAuth)
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'Basic YWRtaW46c2VjcmV0')]
self.invalid_auth = [('Authorization', 'Basic IDontThinkSo')]
for resource, schema in self.app.config['DOMAIN'].items():
schema['allowed_roles'] = ['admin']
schema['allowed_item_roles'] = ['admin']
self.app.set_defaults()
class TestBase(unittest.TestCase):
def setUp(self):
# set up eve
self.app = Eve(settings=settings)
self.app.config['TESTING'] = True
StatsD(self.app)
self.test_client = self.app.test_client()
# set up statsd mock
self.server = StatsdMockServer()
self.server.start()
def tearDown(self):
# Hook
self.server.stop()
del self.server
super(TestBase, self).tearDown()
def test_counter(self):
r = self.test_client.get('/foo')
# let's check statsd mock
self.assertEqual(r.status_code, 200)
self.server.wait('foo.counter.get', 1)
self.server.wait('foo.counter.all', 1)
data = list(self.server.metrics['foo.counter.get'])
self.assertEqual(len(data), 1)
self.assertEqual(data[0]['value'], '1')
self.assertEqual(data[0]['type'], 'counter')
data = list(self.server.metrics['foo.counter.all'])
self.assertEqual(len(data), 1)
self.assertEqual(data[0]['value'], '1')
self.assertEqual(data[0]['type'], 'counter')
self.test_client.get('/foo')
self.server.wait('foo.counter.get', 2)
data = list(self.server.metrics['foo.counter.get'])
self.assertEqual(len(data), 2)
def test_timer(self):
r = self.test_client.get('/foo')
# let's check statsd mock
self.assertEqual(r.status_code, 200)
self.server.wait('foo.timing.get', 1)
data = list(self.server.metrics['foo.timing.get'])
self.assertEqual(len(data), 1)
self.assertEqual(data[0]['type'], 'timer')
class TestHMACAuth(TestBasicAuth):
def setUp(self):
super(TestHMACAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidHMACAuth)
self.test_client = self.app.test_client()
self.valid_auth = [("Authorization", "admin:secret")]
def test_custom_auth(self):
self.assertEqual(type(self.app.auth), ValidHMACAuth)
def test_bad_auth_class(self):
self.app = Eve(settings=self.settings_file, auth=BadHMACAuth)
self.test_client = self.app.test_client()
r = self.test_client.get("/", headers=self.valid_auth)
# will fail because check_auth() is not implemented in the custom class
self.assert500(r.status_code)
def test_rfc2617_response(self):
r = self.test_client.get("/")
self.assert401(r.status_code)
import os
import subprocess
import psutil
import json
from eve import Eve
from eve.auth import BasicAuth
from properties import retrieve_service_auth, retrieve_service_username, retrieve_service_password, \
retrieve_service_host, retrieve_service_port
from flask_cors import CORS, cross_origin
class MyBasicAuth(BasicAuth):
def check_auth(self, username, password, allowed_roles, resource, method):
return username == retrieve_service_username and password == retrieve_service_password
if(retrieve_service_auth):
app = Eve(auth = MyBasicAuth, settings="RetrieveSettings.py")
else:
app = Eve(settings="RetrieveSettings.py")
CORS(app, support_credentials = True)
if __name__ == '__main__':
app.run(host = retrieve_service_host, port = retrieve_service_port)
class TestUserRestrictedAccess(TestBase):
def setUp(self):
super(TestUserRestrictedAccess, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidBasicAuth)
# remove the datasource filter to make the whole collection available
# to a GET request.
resource = self.app.config['DOMAIN'][self.known_resource]
del (resource['datasource']['filter'])
self.app.set_defaults()
self.app._add_url_rules()
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'Basic YWRtaW46c2VjcmV0')]
self.invalid_auth = [('Authorization', 'Basic IDontThinkSo')]
self.field_name = 'auth_username_field'
self.data = {'item1': json.dumps({"ref": "0123456789123456789012345"})}
for resource, settings in self.app.config['DOMAIN'].items():
settings[self.field_name] = 'username'
def test_get(self):
data, status = self.parse_response(
self.test_client.get(self.known_resource_url,
headers=self.valid_auth))
self.assert200(status)
# no data has been saved by user 'admin' yet, so we get an empyy
# resulset back.
self.assertEqual(len(data['_items']), 0)
def test_post(self):
response, status = self.post()
self.assert200(status)
data, status = self.parse_response(
self.test_client.get(self.known_resource_url,
headers=self.valid_auth))
self.assert200(status)
# len of 1 as there are is only 1 doc saved by user
self.assertEqual(len(data['_items']), 1)
def test_patch(self):
changes = {"ref": "9999999999999999999999999"}
data, status = self.post()
url = '%s%s/' % (self.known_resource_url, data['item1']['_id'])
response = self.test_client.get(url, headers=self.valid_auth)
etag = response.headers['ETag']
headers = [('If-Match', etag),
('Content-Type', 'application/x-www-form-urlencoded'),
('Authorization', 'Basic YWRtaW46c2VjcmV0')]
response, status = self.parse_response(
self.test_client.patch(url,
data={'item1': json.dumps(changes)},
headers=headers))
self.assert200(status)
data, status = self.parse_response(
self.test_client.get(url, headers=self.valid_auth))
self.assert200(status)
def test_delete(self):
data, status = self.post()
url = '%s%s/' % (self.known_resource_url, data['item1']['_id'])
response = self.test_client.get(url, headers=self.valid_auth)
etag = response.headers['ETag']
headers = [('If-Match', etag),
('Authorization', 'Basic YWRtaW46c2VjcmV0')]
response, status = self.parse_response(
self.test_client.delete(url, headers=headers))
self.assert200(status)
def post(self):
headers = [('Content-Type', 'application/x-www-form-urlencoded'),
('Authorization', 'Basic YWRtaW46c2VjcmV0')]
r = self.test_client.post(self.known_resource_url,
data=self.data,
headers=headers)
return self.parse_response(r)
# auto fill _created_by and _modified_by user fields
created_by_field = '_created_by'
modified_by_field = '_modified_by'
for resource in settings['DOMAIN']:
settings['DOMAIN'][resource]['schema'][created_by_field] = {
'type': 'string'
}
settings['DOMAIN'][resource]['schema'][modified_by_field] = {
'type': 'string'
}
def before_insert(resource, documents):
user = g.get('user', None)
if user is not None:
for document in documents:
document[created_by_field] = user
document[modified_by_field] = user
def before_replace(resource, document):
user = g.get('user', None)
if user is not None:
document[modified_by_field] = user
# create eve app
from eve import Eve
app = Eve(settings=settings, auth=TokenAuth)
app.on_insert += before_insert
app.on_replace += before_replace
def test_bad_auth_class(self):
self.app = Eve(settings=self.settings_file, auth=BadHMACAuth)
self.test_client = self.app.test_client()
r = self.test_client.get('/', headers=self.valid_auth)
# will fail because check_auth() is not implemented in the custom class
self.assert500(r.status_code)
from os import environ
from flask import send_from_directory
from eve import Eve
from settings import API_NAME
app = Eve(API_NAME)
@app.route('/scripts/<path:filename>')
def scripts(filename):
return send_from_directory(app.root_path + '/dist/scripts/', filename)
@app.route('/styles/<path:filename>')
def styles(filename):
return send_from_directory(app.root_path + '/dist/styles/', filename)
@app.route('/images/<path:filename>')
def images(filename):
return send_from_directory(app.root_path + '/dist/images/', filename)
@app.route('/views/<path:filename>')
def views(filename):
return send_from_directory(app.root_path + '/dist/views/', filename)
@app.route('/fonts/<path:filename>')
return True
elif username == 'admin' and password == 'admin':
return True
else:
# use Eve's own db driver; no additional connections/resources are used
accounts = app.data.driver.db['accounts']
account = accounts.find_one({'username': username})
# set 'auth_field' value to the account's ObjectId
# (instead of _id, you might want to use ID_FIELD)
if account and '_id' in account:
self.set_request_auth_value(account['_id'])
return account and bcrypt.hashpw(password.encode('utf-8'), account['salt']) == account['password']
def create_user(documents):
for document in documents:
document['salt'] = bcrypt.gensalt(4)
password = document['password'].encode('utf-8')
document['password'] = bcrypt.hashpw(password, document['salt'])
app = Flask(__name__)
app = Eve(auth=BCryptAuth, settings = '/home/jenkitay/mysite/deployed_settings.py')
app.on_insert_accounts += create_user
Bootstrap(app)
app.register_blueprint(eve_docs, url_prefix='/docs')
@app.route('/')
def index():
# return 'Hello World'
return app
from functools import wraps
from eve import Eve
from pymongo import MongoClient
from flask import jsonify
import json
import datetime
import dateutil.parser
from bson.objectid import ObjectId
client = MongoClient('localhost', 27017)
db = client.benchmark
template_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'templates')
public_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'public')
app = Eve(template_folder=template_dir, static_folder=public_dir)
app.secret_key = "VPN@dmin2016+!"
def login_required(f):
@wraps(f)
def decorated_function(*args, **kwargs):
#print session['is_logged_in']
if 'is_logged_in' in session:
if session['is_logged_in'] != 'loggedin':
return redirect('/login')
else:
session['is_logged_in'] = 'loggedout'
return f(*args, **kwargs)
return decorated_function
from eve import Eve
from ext.user import before_save_user
from ext.token import parse_token
from eve.auth import TokenAuth
from bson.objectid import ObjectId
class Auth(TokenAuth):
def check_auth(self, token, allowed_roles, resource, method):
claim = parse_token(token)
if claim:
users = app.data.driver.db['user']
user = users.find_one({"_id":ObjectId(claim['uid'])})
return user
app = Eve(auth=Auth)
app.on_insert_user += before_save_user
from eve import Eve
app = Eve(settings="settings.py")
if __name__ == '__main__':
app.run(host="0.0.0.0", port=80)
def create_app():
app = Eve(data=SQL, auth=TokenAuth, validator=ValidatorSQL)
app.auth.app = app
register_routes(app)
return app
import copy
from bson import objectid
from eve import Eve
from flask import request, current_app, abort
app = Eve(settings="settings.py")
mongo = app.data.driver
def update_frames(frames, pins_knocked_down):
"""Add a new roll to a set of frames
Args:
frames (list(list)): A list of frames in the game. Cannot be more than 10.
pins_knocked_down (number): The number of pins knocked down on this roll
Returns:
list: The updated frame
"""
# if no previous frames return new frame
if not frames:
return [[pins_knocked_down]]
if len(frames) > 10:
abort(400, "A game cannot have more than 10 frames.")
if len(frames) == 10 and len(frames[-1]) > 2:
abort(400, "Last frame cannot have more than three rolls.")
if pins_knocked_down > 10:
from eve import Eve from eve_sqlalchemy import SQL from eve_sqlalchemy.validation import ValidatorSQL from many_to_many.domain import Base, Child, Parent app = Eve(validator=ValidatorSQL, data=SQL) db = app.data.driver Base.metadata.bind = db.engine db.Model = Base db.create_all() children = [Child() for _ in range(20)] parents = [Parent(children=children[:n]) for n in range(10)] db.session.add_all(parents) db.session.commit() # using reloader will destroy in-memory sqlite db app.run(debug=True, use_reloader=False)
import os
from eve import Eve
from flask_bootstrap import Bootstrap
from eve_docs import eve_docs
SETTINGS_PATH = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'settings.py')
app = Eve(settings=SETTINGS_PATH)
Bootstrap(app)
app.register_blueprint(eve_docs, url_prefix='/docs')
if __name__ == '__main__':
app.run()
SETTINGS = {
'DEBUG':
True,
'SQLALCHEMY_DATABASE_URI':
'sqlite://',
'SQLALCHEMY_TRACK_MODIFICATIONS':
False,
'DOMAIN':
DomainConfig({
'people': ResourceConfig(People),
'tracks': ResourceConfig(Tracks),
'events': ResourceConfig(Events)
}).render()
}
app = Eve(auth=None, settings=SETTINGS, validator=ValidatorSQL, data=SQL)
# bind SQLAlchemy
db = app.data.driver
Base.metadata.bind = db.engine
db.Model = Base
db.create_all()
# Insert some example data in the db
if not db.session.query(People).count():
db.session.add_all([
People(firstname=u'George',
lastname=u'Washington',
gender=u'Male',
phonenumber=u'123-123-1234',
pace=u'480',
import redis
from bson.objectid import ObjectId
from eve.io.mongo import mongo
from eve import Eve
r = redis.StrictRedis(host='localhost', port=6379, db=0)
app = Eve(settings='settings.py', redis=r)
mongo = app.data.driver
def after_fetching_document(response):
list_id = response['_id']
f = {'list_id': ObjectId(list_id)}
rr = response['items']
print(f'response items = {rr}')
print(f'list = {list(mongo.db.items.find(f))}')
# def before_returning_items(resource_name, response):
# print('About to return items from "%s" ' % resource_name)
# print('About to return items from "%s" ' % response)
# return resource_name
# def before_returning_item(resource_name, response):
# print('About to return an item from "%s" ' % resource_name)
# return resource_name
def pre_document_get_callback(request, lookup):
},
]
def push_systemvthings_locally(request, payload):
itms = json.loads(payload.get_data()).get('_items')
for itm in itms:
itm["id"] = itm["id"].replace("/", ":")
with app.test_request_context():
post_internal('batchentitiesUpdatePOSTendpoint', itms)
# i have to materialize redundantly here because the hook is not fired
# when using the post_internal. And the call to db requires the context
app.data.driver.db.entities.aggregate(latestentities_pipeline)
app = Eve()
app.on_fetched_item += remove_secret_fields
app.on_fetched_resource += remove_secret_fields_in_list
# we now want to trigger the aggegation that creates the "materialized view" named
# latestentities, AFTER each time items are inserted, updated, replaced, deleted into the entities collection
app.on_post_POST_entitiesPOSTDELETEendpoint += materialize_latestentities_via_aggregation
app.on_post_POST_entitiesPOSTattrsendpoint += materialize_latestentities_via_aggregation
# here we push into a local collection whatever we GET from the remote
# system database vthings endpoint. So, whenever we get, we push them locally
app.on_post_GET_systemvthingsendpoint += push_systemvthings_locally
# we can use the following to customize connection to cluster system database
app.config.update({"SYSMONGO_PORT": 30219})
# -*- coding: utf-8 -*-
from eve import Eve
from flask import request
import json
port = 8080
host = '127.0.0.1'
app = Eve()
@app.after_request
def add_correct_headers(response):
path = request.path
if path == '/json':
response.headers['Content-Type'] = 'application/json'
elif path == '/plaintext':
response.headers['Content-Type'] = 'text/plain'
return response
@app.route('/plaintext')
def hello_world():
return 'Hello, World!'
@app.route('/json')
def jsonHello():
hello = {'message': 'Hello, World!'}
return json.dumps(hello)
from eve import Eve app = Eve()
from eve import Eve
app = Eve(settings="eve_settings.py")
if __name__ == "__main__":
app.run()
made explicitly public (by fiddling with some settings you can open one or
more resources and/or methods to public access -see docs).
Checkout Eve at https://github.com/nicolaiarocci/eve
This snippet by Nicola Iarocci can be used freely for anything you like.
Consider it public domain.
"""
from eve import Eve
from eve.auth import TokenAuth
from settings_security import SETTINGS
class TokenAuth(TokenAuth):
def check_auth(self, token, allowed_roles, resource, method):
"""For the purpose of this example the implementation is as simple as
possible. A 'real' token should probably contain a hash of the
username/password combo, which sould then validated against the account
data stored on the DB.
"""
# use Eve's own db driver; no additional connections/resources are used
accounts = app.data.driver.db['accounts']
return accounts.find_one({'token': token})
if __name__ == '__main__':
app = Eve(auth=TokenAuth, settings=SETTINGS)
app.run()
from eve import Eve
from flask import send_from_directory
from werkzeug.routing import BaseConverter
app = Eve(__name__, static_folder = 'build')
class RegexConverter(BaseConverter):
def __init__(self, url_map, *items):
super(RegexConverter, self).__init__(url_map)
self.regex = items[0]
app.url_map.converters['regex'] = RegexConverter
@app.route('/')
def send_index():
return send_from_directory('build', 'index.html')
@app.route('/<regex("(?!api)[a-z0-9-_/.]*"):path>')
def send_static(path):
print(path)
return send_from_directory('build', path)
if __name__ == '__main__':
app.run()
#!flask/bin/python
from eve import Eve
from flask.ext.bootstrap import Bootstrap
if __name__ == '__main__':
app = Eve()
app.run(debug=True)
def setUp(self):
super(TestTokenAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidTokenAuth)
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'Basic dGVzdF90b2tlbjo=')]
app.logger.info('We just answered to a PATCH request!')
def log_every_put(resource, request, payload):
# custom INFO-level message is sent to the log file
app.logger.info('We just answered to a PUT request!')
def log_every_delete(resource, request, payload):
# custom INFO-level message is sent to the log file
app.logger.info('We just answered to a DELETE request!')
#app = Eve(auth=HMACAuth)
app = Eve(__name__,
auth=HMACAuth,
template_folder='templates',
validator=MyValidator)
#app.on_insert_accounts += create_user
#app.on_post_GET += log_every_get
#app.on_post_POST += log_every_post
#app.on_post_PATCH += log_every_patch
#app.on_post_PUT += log_every_put
#app.on_post_DELETE += log_every_delete
@app.route('/index')
def index():
return render_template('index.html')
@app.route('/form')
def setUp(self):
super(TestHMACAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidHMACAuth)
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'admin:secret')]
class TestUserRestrictedAccess(TestBase):
def setUp(self):
super(TestUserRestrictedAccess, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidBasicAuth)
# using this endpoint since it is a copy of 'contacts' with
# no filter on the datasource
self.url = 'restricted'
self.resource = self.app.config['DOMAIN'][self.url]
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'Basic YWRtaW46c2VjcmV0')]
self.invalid_auth = [('Authorization', 'Basic IDontThinkSo')]
self.field_name = 'auth_field'
self.data = json.dumps({"ref": "0123456789123456789012345"})
for _, settings in self.app.config['DOMAIN'].items():
settings[self.field_name] = 'username'
self.resource['public_methods'] = []
def test_get(self):
data, status = self.parse_response(
self.test_client.get(self.url, headers=self.valid_auth))
self.assert200(status)
# no data has been saved by user 'admin' yet,
# so assert we get an empty result set back.
self.assertEqual(len(data['_items']), 0)
# Add a user belonging to `admin`
new_user = self.random_contacts(1)[0]
new_user['username'] = '******'
_db = self.connection[self.app.config['MONGO_DBNAME']]
_db.contacts.insert(new_user)
# Verify that we can retrieve it
data2, status2 = self.parse_response(
self.test_client.get(self.url, headers=self.valid_auth))
self.assert200(status2)
self.assertEqual(len(data2['_items']), 1)
def test_get_by_auth_field_criteria(self):
""" If we attempt to retrieve an object by the same field
that is in `auth_field`, then the request is /unauthorized/,
and should fail and return 401.
This test verifies that the `auth_field` does not overwrite
a `client_filter` or url param.
"""
_, status = self.parse_response(
self.test_client.get(self.user_username_url,
headers=self.valid_auth))
self.assert401(status)
def test_get_by_auth_field_id(self):
""" To test handling of ObjectIds
"""
# set auth_field to `_id`
self.domain['users'][self.field_name] = \
self.domain['users']['id_field']
_, status = self.parse_response(
self.test_client.get(self.user_id_url, headers=self.valid_auth))
self.assert401(status)
def test_filter_by_auth_field_id(self):
""" To test handling of ObjectIds when using a `where` clause
We need to make sure we *match* an object ID when it is the
same
"""
_id = ObjectId('deadbeefdeadbeefdeadbeef')
resource_def = self.app.config['DOMAIN']['users']
resource_def['authentication'].request_auth_value = _id
# set auth_field to `_id`
resource_def[self.field_name] = '_id'
# Retrieving a /different user/ by id returns 401
user_url = '/users/'
filter_by_id = 'where=_id==ObjectId("%s")'
filter_query = filter_by_id % self.user_id
_, status = self.parse_response(
self.test_client.get('%s?%s' % (user_url, filter_query),
headers=self.valid_auth))
self.assert401(status)
# Create a user account belonging to admin
new_user = self.random_contacts(1)[0]
new_user['_id'] = _id
new_user['username'] = '******'
_db = self.connection[self.app.config['MONGO_DBNAME']]
_db.contacts.insert(new_user)
# Retrieving /the same/ user by id returns OK
filter_query_2 = filter_by_id % 'deadbeefdeadbeefdeadbeef'
data2, status2 = self.parse_response(
self.test_client.get('%s?%s' % (user_url, filter_query_2),
headers=self.valid_auth))
self.assert200(status2)
self.assertEqual(len(data2['_items']), 1)
def test_collection_get_public(self):
""" Test that if GET is in `public_methods` the `auth_field`
criteria is overruled
"""
self.resource['public_methods'].append('GET')
data, status = self.parse_response(self.test_client.get(
self.url)) # no auth
self.assert200(status)
# no data has been saved by user 'admin' yet,
# but we should get all the other results back
self.assertEqual(len(data['_items']), 25)
def test_item_get_public(self):
""" Test that if GET is in `public_item_methods` the `auth_field`
criteria is overruled
"""
self.resource['public_item_methods'].append('GET')
data, status = self.parse_response(
self.test_client.get(self.item_id_url, headers=self.valid_auth))
self.assert200(status)
self.assertEqual(data['_id'], self.item_id)
def test_post(self):
_, status = self.post()
self.assert201(status)
data, status = self.parse_response(
self.test_client.get(self.url, headers=self.valid_auth))
self.assert200(status)
# len of 1 as there are is only 1 doc saved by user
def test_unique_to_user_on_post(self):
# make the field unique to user, not globally.
self.resource['schema']['ref']['unique'] = False
self.resource['schema']['ref']['unique_to_user'] = True
# first post as 'admin' is a success.
_, status = self.post()
self.assert201(status)
# second post as 'admin' fails since value is not unique to user.
_, status = self.post()
self.assert422(status)
self.resource['authentication'].request_auth_value = 'alt'
# first post as 'alt' succeeds as value is unique to this user.
alt_auth = [('Authorization', 'Basic YWx0OnNlY3JldA==')]
r = self.test_client.post(self.url,
data=self.data,
headers=alt_auth,
content_type='application/json')
self.assert201(r.status_code)
# second post as 'alt' fails since value is not unique to user anymore.
r = self.test_client.post(self.url,
data=self.data,
headers=alt_auth,
content_type='application/json')
# post succeeds since value is unique to 'alt' user
self.assert422(r.status_code)
def test_post_resource_auth(self):
# Ticket #231.
# Test that user restricted access works fine if there's no global
# level auth, which is set at resource level instead.
# no global auth.
self.app = Eve(settings=self.settings_file)
# set auth at resource level instead.
resource_def = self.app.config['DOMAIN'][self.url]
resource_def['authentication'] = ValidBasicAuth
resource_def['auth_field'] = 'username'
# post with valid auth - must store the document with the correct
# auth_field.
r = self.app.test_client().post(self.url,
data=self.data,
headers=self.valid_auth,
content_type='application/json')
_, status = self.parse_response(r)
# Verify that we can retrieve the same document
data, status = self.parse_response(self.app.test_client().get(
self.url, headers=self.valid_auth))
self.assert200(status)
self.assertEqual(len(data['_items']), 1)
self.assertEqual(data['_items'][0]['ref'],
json.loads(self.data)['ref'])
def test_post_bandwidth_saver_off_resource_auth(self):
""" Test that when BANDWIDTH_SAVER is turned off the auth_field is
not exposed in the response payload
"""
self.app.config['BANDWIDTH_SAVER'] = False
r = self.app.test_client().post(self.url,
data=self.data,
headers=self.valid_auth,
content_type='application/json')
r, status = self.parse_response(r)
self.assertTrue('username' not in r)
def test_put(self):
new_ref = "9999999999999999999999999"
changes = json.dumps({"ref": new_ref})
# post document
data, status = self.post()
# retrieve document metadata
url = '%s/%s' % (self.url, data['_id'])
response = self.test_client.get(url, headers=self.valid_auth)
etag = response.headers['ETag']
# perform put
headers = [('If-Match', etag), self.valid_auth[0]]
response, status = self.parse_response(
self.test_client.put(url,
data=json.dumps(changes),
headers=headers,
content_type='application/json'))
self.assert200(status)
# document still accessible with same auth
data, status = self.parse_response(
self.test_client.get(url, headers=self.valid_auth))
self.assert200(status)
self.assertEqual(data['ref'], new_ref)
def test_put_resource_auth(self):
# no global auth.
self.app = Eve(settings=self.settings_file)
# set auth at resource level instead.
resource_def = self.app.config['DOMAIN'][self.url]
resource_def['authentication'] = ValidBasicAuth
resource_def['auth_field'] = 'username'
# post
r = self.app.test_client().post(self.url,
data=self.data,
headers=self.valid_auth,
content_type='application/json')
data, status = self.parse_response(r)
# retrieve document metadata
url = '%s/%s' % (self.url, data['_id'])
response = self.app.test_client().get(url, headers=self.valid_auth)
etag = response.headers['ETag']
new_ref = "9999999999999999999999999"
changes = json.dumps({"ref": new_ref})
# put
headers = [('If-Match', etag), self.valid_auth[0]]
response, status = self.parse_response(self.app.test_client().put(
url,
data=json.dumps(changes),
headers=headers,
content_type='application/json'))
self.assert200(status)
# document still accessible with same auth
data, status = self.parse_response(self.app.test_client().get(
url, headers=self.valid_auth))
self.assert200(status)
self.assertEqual(data['ref'], new_ref)
def test_put_bandwidth_saver_off_resource_auth(self):
""" Test that when BANDWIDTH_SAVER is turned off the auth_field is
not exposed in the response payload
"""
self.app.config['BANDWIDTH_SAVER'] = False
new_ref = "9999999999999999999999999"
changes = json.dumps({"ref": new_ref})
# post document
data, status = self.post()
url = '%s/%s' % (self.url, data['_id'])
# perform put
headers = [('If-Match', data['_etag']), self.valid_auth[0]]
response, status = self.parse_response(
self.test_client.put(url,
data=json.dumps(changes),
headers=headers,
content_type='application/json'))
self.assertTrue('username' not in response)
def test_patch(self):
new_ref = "9999999999999999999999999"
changes = json.dumps({"ref": new_ref})
data, status = self.post()
url = '%s/%s' % (self.url, data['_id'])
response = self.test_client.get(url, headers=self.valid_auth)
etag = response.headers['ETag']
headers = [('If-Match', etag), self.valid_auth[0]]
response, status = self.parse_response(
self.test_client.patch(url,
data=json.dumps(changes),
headers=headers,
content_type='application/json'))
self.assert200(status)
data, status = self.parse_response(
self.test_client.get(url, headers=self.valid_auth))
self.assert200(status)
self.assertEqual(data['ref'], new_ref)
def test_delete(self):
_db = self.connection[MONGO_DBNAME]
# make sure that other documents in the collections are untouched.
cursor = _db.contacts.find()
docs_num = cursor.count()
_, _ = self.post()
# after the post we only get back 1 document as it's the only one we
# inserted directly (others are filtered out).
response, status = self.parse_response(
self.test_client.get(self.url, headers=self.valid_auth))
self.assert200(status)
self.assertEqual(len(response[self.app.config['ITEMS']]), 1)
# delete the document we just inserted
response, status = self.parse_response(
self.test_client.delete(self.url, headers=self.valid_auth))
self.assert204(status)
# we now get an empty items list (other documents in collection are
# filtered by auth).
response, status = self.parse_response(
self.test_client.get(self.url, headers=self.valid_auth))
self.assert200(status)
# if it's a dict, we only got 1 item back which is expected
self.assertEqual(len(response[self.app.config['ITEMS']]), 0)
# make sure no other document has been deleted.
cursor = _db.contacts.find()
self.assertEqual(cursor.count(), docs_num)
def test_delete_item(self):
_db = self.connection[MONGO_DBNAME]
# make sure that other documents in the collections are untouched.
cursor = _db.contacts.find()
docs_num = cursor.count()
data, _ = self.post()
# get back the document with its new etag
url = '%s/%s' % (self.url, data['_id'])
response = self.test_client.get(url, headers=self.valid_auth)
etag = response.headers['ETag']
headers = [('If-Match', etag),
('Authorization', 'Basic YWRtaW46c2VjcmV0')]
# delete the document
response, status = self.parse_response(
self.test_client.delete(url, headers=headers))
self.assert204(status)
# make sure no other document has been deleted.
cursor = _db.contacts.find()
self.assertEqual(cursor.count(), docs_num)
def post(self):
r = self.test_client.post(self.url,
data=self.data,
headers=self.valid_auth,
content_type='application/json')
return self.parse_response(r)
from eve import Eve
app = Eve()
if __name__ == '__main__':
app.run()
from wtforms import TextField
from wtforms import validators
from settings import GOOGLE_API_KEY
tmpl_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)),
'templates')
static_dir = os.path.join(os.path.dirname(os.path.abspath(__file__)), 'static')
if 'PORT' in os.environ:
port = int(os.environ.get('PORT'))
host = '0.0.0.0'
else:
port = 5000
host = '127.0.0.1'
app = Eve(template_folder=tmpl_dir, static_folder=static_dir)
@app.route('/s', methods=['GET', 'POST'])
def slash():
if request.method == 'GET':
form = NumberAddressForm()
return render_template('slash.html', form=form)
elif request.method == 'POST':
form = NumberAddressForm(request.form)
if form.validate():
phone = ''.join(e for e in form.phone.data if e.isalnum())
headers = {'Content-Type': 'application/json'}
phone_endpoint = 'http://%s:%s/%s/' % (host, port, "phones")
response = requests.get(phone_endpoint + phone, headers=headers)
class TestBasicAuth(TestBase):
def setUp(self):
super(TestBasicAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidBasicAuth)
self.test_client = self.app.test_client()
self.content_type = ('Content-Type', 'application/json')
self.valid_auth = [('Authorization', 'Basic YWRtaW46c2VjcmV0'),
self.content_type]
self.invalid_auth = [('Authorization', 'Basic IDontThinkSo'),
self.content_type]
self.setUpRoles()
self.app.set_defaults()
def setUpRoles(self):
for _, schema in self.app.config['DOMAIN'].items():
schema['allowed_roles'] = ['admin']
schema['allowed_read_roles'] = ['reader']
schema['allowed_item_roles'] = ['admin']
schema['allowed_item_read_roles'] = ['reader']
schema['allowed_item_write_roles'] = ['editor']
def test_custom_auth(self):
self.assertTrue(isinstance(self.app.auth, ValidBasicAuth))
def test_restricted_home_access(self):
r = self.test_client.get('/')
self.assert401(r.status_code)
def test_restricted_resource_access(self):
r = self.test_client.get(self.known_resource_url)
self.assert401(r.status_code)
r = self.test_client.post(self.known_resource_url)
self.assert401(r.status_code)
r = self.test_client.delete(self.known_resource_url)
self.assert401(r.status_code)
def test_restricted_item_access(self):
r = self.test_client.get(self.item_id_url)
self.assert401(r.status_code)
r = self.test_client.patch(self.item_id_url)
self.assert401(r.status_code)
r = self.test_client.delete(self.item_id_url)
self.assert401(r.status_code)
def test_authorized_home_access(self):
r = self.test_client.get('/', headers=self.valid_auth)
self.assert200(r.status_code)
def test_authorized_resource_access(self):
r = self.test_client.get(self.known_resource_url,
headers=self.valid_auth)
self.assert200(r.status_code)
r = self.test_client.post(self.known_resource_url,
data=json.dumps({"k": "value"}),
headers=self.valid_auth)
self.assertValidationErrorStatus(r.status_code)
r = self.test_client.delete(self.known_resource_url,
headers=self.valid_auth)
self.assert204(r.status_code)
def test_authorized_item_access(self):
r = self.test_client.get(self.item_id_url, headers=self.valid_auth)
self.assert200(r.status_code)
r = self.test_client.patch(self.item_id_url,
data=json.dumps({"k": "value"}),
headers=self.valid_auth)
self.assert428(r.status_code)
r = self.test_client.delete(self.item_id_url, headers=self.valid_auth)
self.assert428(r.status_code)
def test_authorized_schema_access(self):
self.app.config['SCHEMA_ENDPOINT'] = 'schema'
self.app._init_schema_endpoint()
r = self.test_client.get('/schema/%s' % self.known_resource,
headers=self.valid_auth)
self.assert200(r.status_code)
def test_unauthorized_home_access(self):
r = self.test_client.get('/', headers=self.invalid_auth)
self.assert401(r.status_code)
def test_unauthorized_resource_access(self):
r = self.test_client.get(self.known_resource_url,
headers=self.invalid_auth)
self.assert401(r.status_code)
r = self.test_client.post(self.known_resource_url,
headers=self.invalid_auth)
self.assert401(r.status_code)
r = self.test_client.delete(self.known_resource_url,
headers=self.invalid_auth)
self.assert401(r.status_code)
def test_unauthorized_item_access(self):
r = self.test_client.get(self.item_id_url, headers=self.invalid_auth)
self.assert401(r.status_code)
r = self.test_client.patch(self.item_id_url, headers=self.invalid_auth)
self.assert401(r.status_code)
r = self.test_client.delete(self.item_id_url,
headers=self.invalid_auth)
self.assert401(r.status_code)
def test_unauthorized_schema_access(self):
self.app.config['SCHEMA_ENDPOINT'] = 'schema'
self.app._init_schema_endpoint()
r = self.test_client.get('/schema/%s' % self.known_resource,
headers=self.invalid_auth)
self.assert401(r.status_code)
def test_home_public_methods(self):
self.app.config['PUBLIC_METHODS'] = ['GET']
r = self.test_client.get('/')
self.assert200(r.status_code)
self.test_restricted_resource_access()
self.test_restricted_item_access()
def test_public_methods_resource(self):
self.app.config['PUBLIC_METHODS'] = ['GET']
domain = self.app.config['DOMAIN']
for resource, settings in domain.items():
del (settings['public_methods'])
self.app.set_defaults()
del (domain['peopleinvoices'])
del (domain['peoplerequiredinvoices'])
del (domain['peoplesearches'])
del (domain['internal_transactions'])
del (domain['child_products'])
for resource in domain:
url = self.app.config['URLS'][resource]
r = self.test_client.get(url)
self.assert200(r.status_code)
r = self.test_client.post(url, data={'key1': 'value1'})
self.assert401or405(r.status_code)
r = self.test_client.delete(url)
self.assert401or405(r.status_code)
self.test_restricted_item_access()
def test_public_methods_but_locked_resource(self):
self.app.config['PUBLIC_METHODS'] = ['GET']
domain = self.app.config['DOMAIN']
for _, settings in domain.items():
del (settings['public_methods'])
self.app.set_defaults()
domain[self.known_resource]['public_methods'] = []
r = self.test_client.get(self.known_resource_url)
self.assert401(r.status_code)
def test_public_methods_but_locked_item(self):
self.app.config['PUBLIC_ITEM_METHODS'] = ['GET']
domain = self.app.config['DOMAIN']
for _, settings in domain.items():
del (settings['public_item_methods'])
self.app.set_defaults()
domain[self.known_resource]['public_item_methods'] = []
r = self.test_client.get(self.item_id_url)
self.assert401(r.status_code)
def test_public_methods_item(self):
self.app.config['PUBLIC_ITEM_METHODS'] = ['GET']
for _, settings in self.app.config['DOMAIN'].items():
del (settings['public_item_methods'])
self.app.set_defaults()
# we're happy with testing just one client endpoint, but for sake of
# completeness we shold probably test item endpoints for every resource
r = self.test_client.get(self.item_id_url)
self.assert200(r.status_code)
r = self.test_client.patch(self.item_id_url)
self.assert401(r.status_code)
r = self.test_client.delete(self.item_id_url)
self.assert401(r.status_code)
def test_bad_auth_class(self):
self.app = Eve(settings=self.settings_file, auth=BadBasicAuth)
self.test_client = self.app.test_client()
r = self.test_client.get('/', headers=self.valid_auth)
# will fail because check_auth() is not implemented in the custom class
self.assert500(r.status_code)
def test_instanced_auth(self):
# tests that the 'auth' argument can also be a class instance. See
# #248.
# current self.app instance has an instanced auth class already, and it
# is consistent with the super class running the test (Token, HMAC or
# Basic), so we are just going to use it (self.app.auth) on a new Eve
# instance.
auth = self.app.auth
self.app = Eve(settings=self.settings_file, auth=auth)
self.test_client = self.app.test_client()
r = self.test_client.get('/', headers=self.valid_auth)
self.assert200(r.status_code)
def test_rfc2617_response(self):
r = self.test_client.get('/')
self.assert401(r.status_code)
self.assertTrue(('WWW-Authenticate', 'Basic realm="%s"' %
eve.__package__) in r.headers.to_wsgi_list())
def test_allowed_roles_does_not_change(self):
self.test_client.get(self.known_resource_url)
resource = self.app.config['DOMAIN'][self.known_resource]
self.assertEqual(resource['allowed_roles'], ['admin'])
def test_allowed_item_roles_does_not_change(self):
self.test_client.get(self.item_id_url)
resource = self.app.config['DOMAIN'][self.known_resource]
self.assertEqual(resource['allowed_item_roles'], ['admin'])
def test_ALLOWED_ROLES_does_not_change(self):
self.app.config['ALLOWED_ROLES'] = ['admin']
self.app.config['ALLOWED_READ_ROLES'] = ['reader']
self.test_client.get('/')
self.assertEqual(self.app.config['ALLOWED_ROLES'], ['admin'])
class TestBasicAuth(TestBase):
def setUp(self):
super(TestBasicAuth, self).setUp()
self.app = Eve(settings=self.settings_file, auth=ValidBasicAuth)
self.test_client = self.app.test_client()
self.valid_auth = [('Authorization', 'Basic YWRtaW46c2VjcmV0')]
self.invalid_auth = [('Authorization', 'Basic IDontThinkSo')]
for resource, schema in self.app.config['DOMAIN'].items():
schema['allowed_roles'] = ['admin']
schema['allowed_item_roles'] = ['admin']
self.app.set_defaults()
def test_custom_auth(self):
self.assertEqual(type(self.app.auth), ValidBasicAuth)
def test_restricted_home_access(self):
r = self.test_client.get('/')
self.assert401(r.status_code)
def test_restricted_resource_access(self):
r = self.test_client.get(self.known_resource_url)
self.assert401(r.status_code)
r = self.test_client.post(self.known_resource_url)
self.assert401(r.status_code)
r = self.test_client.delete(self.known_resource_url)
self.assert401(r.status_code)
def test_restricted_item_access(self):
r = self.test_client.get(self.item_id_url)
self.assert401(r.status_code)
r = self.test_client.patch(self.item_id_url)
self.assert401(r.status_code)
r = self.test_client.delete(self.item_id_url)
self.assert401(r.status_code)
def test_authorized_home_access(self):
r = self.test_client.get('/', headers=self.valid_auth)
self.assert200(r.status_code)
def test_authorized_resource_access(self):
r = self.test_client.get(self.known_resource_url,
headers=self.valid_auth)
self.assert200(r.status_code)
r = self.test_client.post(self.known_resource_url,
data={"item1": json.dumps({"k": "value"})},
headers=self.valid_auth)
self.assert200(r.status_code)
r = self.test_client.delete(self.known_resource_url,
headers=self.valid_auth)
self.assert200(r.status_code)
def test_authorized_item_access(self):
r = self.test_client.get(self.item_id_url, headers=self.valid_auth)
self.assert200(r.status_code)
r = self.test_client.patch(self.item_id_url,
data={'key1': 'value'},
headers=self.valid_auth)
self.assert403(r.status_code)
r = self.test_client.delete(self.item_id_url, headers=self.valid_auth)
self.assert403(r.status_code)
def test_unauthorized_home_access(self):
r = self.test_client.get('/', headers=self.invalid_auth)
self.assert401(r.status_code)
def test_unauthorized_resource_access(self):
r = self.test_client.get(self.known_resource_url,
headers=self.invalid_auth)
self.assert401(r.status_code)
r = self.test_client.post(self.known_resource_url,
headers=self.invalid_auth)
self.assert401(r.status_code)
r = self.test_client.delete(self.known_resource_url,
headers=self.invalid_auth)
self.assert401(r.status_code)
def test_unauthorized_item_access(self):
r = self.test_client.get(self.item_id_url, headers=self.invalid_auth)
self.assert401(r.status_code)
r = self.test_client.patch(self.item_id_url, headers=self.invalid_auth)
self.assert401(r.status_code)
r = self.test_client.delete(self.item_id_url,
headers=self.invalid_auth)
self.assert401(r.status_code)
def test_home_public_methods(self):
self.app.config['PUBLIC_METHODS'] = ['GET']
r = self.test_client.get('/')
self.assert200(r.status_code)
self.test_restricted_resource_access()
self.test_restricted_item_access()
def test_public_methods_resource(self):
self.app.config['PUBLIC_METHODS'] = ['GET']
domain = self.app.config['DOMAIN']
for resource, settings in domain.items():
del (settings['public_methods'])
self.app.set_defaults()
for resource in domain:
url = '/%s/' % self.app.config['URLS'][resource]
r = self.test_client.get(url)
self.assert200(r.status_code)
r = self.test_client.post(url, data={'key1': 'value1'})
self.assert401or405(r.status_code)
r = self.test_client.delete(url)
self.assert401or405(r.status_code)
self.test_restricted_item_access()
def test_public_methods_but_locked_resource(self):
self.app.config['PUBLIC_METHODS'] = ['GET']
domain = self.app.config['DOMAIN']
for resource, settings in domain.items():
del (settings['public_methods'])
self.app.set_defaults()
domain[self.known_resource]['public_methods'] = []
r = self.test_client.get(self.known_resource_url)
self.assert401(r.status_code)
def test_public_methods_but_locked_item(self):
self.app.config['PUBLIC_ITEM_METHODS'] = ['GET']
domain = self.app.config['DOMAIN']
for resource, settings in domain.items():
del (settings['public_item_methods'])
self.app.set_defaults()
domain[self.known_resource]['public_item_methods'] = []
r = self.test_client.get(self.item_id_url)
self.assert401(r.status_code)
def test_public_methods_item(self):
self.app.config['PUBLIC_ITEM_METHODS'] = ['GET']
for resource, settings in self.app.config['DOMAIN'].items():
del (settings['public_item_methods'])
self.app.set_defaults()
# we're happy with testing just one client endpoint, but for sake of
# completeness we shold probably test item endpoints for every resource
r = self.test_client.get(self.item_id_url)
self.assert200(r.status_code)
r = self.test_client.patch(self.item_id_url)
self.assert401(r.status_code)
r = self.test_client.delete(self.item_id_url)
self.assert401(r.status_code)
def test_bad_auth_class(self):
self.app = Eve(settings=self.settings_file, auth=BadBasicAuth)
self.test_client = self.app.test_client()
r = self.test_client.get('/', headers=self.valid_auth)
# will fail because check_auth() is not implemented in the custom class
self.assert500(r.status_code)
def test_rfc2617_response(self):
r = self.test_client.get('/')
self.assert401(r.status_code)
self.assertTrue(('WWW-Authenticate', 'Basic realm:"%s"' %
eve.__package__) in r.headers.to_list())
