def test_delegate_set_delegate_rule(): # delegate cannot set delegate rule req = {"user_email": email, "user_role":'delegate'} r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == False assert r['status_code'] == 403 req1 = {"user_email": email, "user_role":'data ingester', "item_id":resource_id, "item_type":"resourcegroup"} req2 = {"user_email": email, "user_role":'delegate'} r = alt_provider.provider_access([req1, req2], '*****@*****.**') assert r['success'] == False assert r['status_code'] == 403
def test_deleted_delegate(): # provider deletes delegate global consumer_id r = untrusted.delete_rule([{"id": delegate_id}]) assert r['success'] == True assert r['status_code'] == 200 # deleted delegate cannot do anything req = { "user_email": email, "user_role": 'consumer', "item_id": resource_id, "item_type": "resourcegroup" } req["capabilities"] = ['complex'] r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == False assert r['status_code'] == 401 r = alt_provider.get_provider_access('*****@*****.**') assert r['success'] == False assert r['status_code'] == 401 body = {"id": consumer_id} r = alt_provider.delete_rule([body], '*****@*****.**') assert r['success'] == False assert r['status_code'] == 401
def test_delegate_set_delegate_rule(): # delegate cannot set delegate rule req = {"user_email": email, "user_role": 'delegate'} r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == False assert r['status_code'] == 403
def test_set_rule_unassigned_delegate(): # token request should fail body = {"id": resource_id + "/someitem", "apis": ["/ngsi-ld/v1/entities"]} r = consumer.get_token(body) assert r['success'] is False # set temporal consumer rule as delegate req = { "user_email": email, "user_role": 'consumer', "item_id": resource_id, "item_type": "resourcegroup" } req["capabilities"] = ['temporal'] # should fail because unapproved delegate r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == False assert r['status_code'] == 401 # check if unreg'd delegate can use delegate API r = alt_provider.get_delegate_providers() assert r['success'] == False assert r['status_code'] == 404
def test_delegate_invalid_provider_email(): req = {"user_email": email, "user_role":'consumer', "item_id":resource_id, "item_type":"resourcegroup"} req["capabilities"] = ['temporal'] # fail because provider_email missing r = alt_provider.provider_access([req]) assert r['success'] == False assert r['status_code'] == 400 # invalid provider_email r = alt_provider.provider_access([req], 'abc.xyz@rbccps$$.') assert r['success'] == False assert r['status_code'] == 400 # non-existent provider r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == False assert r['status_code'] == 401
def test_multiple_delegates(): # tests with 2 delegates # make consumer a delegate req = {"user_email": email, "user_role": 'delegate'} r = untrusted.provider_access([req]) assert r['success'] == True assert r['status_code'] == 200 resource_group = ''.join( random.choice(string.ascii_lowercase) for _ in range(10)) resource_id = provider_id + '/rs.example.com/' + resource_group req = { "user_email": email, "user_role": 'consumer', "item_id": resource_id, "item_type": "resourcegroup" } req["capabilities"] = ['complex'] r = consumer.provider_access([req], '*****@*****.**') assert r['success'] == True assert r['status_code'] == 200 # cannot update rule set by other provider req["capabilities"] = ['subscription'] r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == True assert r['status_code'] == 200 r = consumer.get_provider_access('*****@*****.**') assert r['success'] == True assert r['status_code'] == 200 rules = r['response'] for r in rules: if r['email'] == email and r[ 'role'] == 'consumer' and resource_id == r['item']['cat_id']: consumer_id = r['id'] # delegate can delete other delegate's rule body = {"id": consumer_id} r = alt_provider.delete_rule([body], '*****@*****.**') assert r['success'] == True assert r['status_code'] == 200 # already deleted body = {"id": consumer_id} r = consumer.delete_rule([body], '*****@*****.**') assert r['success'] == False assert r['status_code'] == 403 # delegate cannot delete delegate rule r = consumer.delete_rule([{"id": delegate_id}], '*****@*****.**') assert r['success'] == False assert r['status_code'] == 403
def test_delegate_set_consumer_rule(): req = {"user_email": email, "user_role":'consumer', "item_id":resource_id, "item_type":"resourcegroup"} req["capabilities"] = ['temporal'] r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == True assert r['status_code'] == 200 body = {"request" : [resource_id + "/someitem"]} r = consumer.get_token(body) assert r['success'] is True
def test_delegate_set_ingester_rule(): # delegate can set ingester rule body = {"request" : [diresource_id + "/someitem"]} # data ingester token request should fail r = consumer.get_token(body) assert r['success'] is False req = {"user_email": email, "user_role":'data ingester', "item_id":diresource_id, "item_type":"resourcegroup"} r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == True assert r['status_code'] == 200 # without adapter API r = consumer.get_token(body) assert r['success'] is True
def test_delegate_set_onboarder_rule(): # delegate can set onboarder rule body = {"id": provider_id + "/catalogue.iudx.io/catalogue/crud"} # onboarder token request should fail r = consumer.get_token(body) assert r['success'] is False req = {"user_email": email, "user_role": 'onboarder'} r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == True assert r['status_code'] == 200 r = consumer.get_token(body) assert r['success'] is True assert None != r['response']['token']
def test_delegate_update_provider_rule(): # delegate can update rule set by provider req = {"user_email": email, "user_role":'consumer', "item_id":pr_resource_id, "item_type":"resourcegroup"} req["capabilities"] = ['complex']; r = untrusted.provider_access([req]) assert r['success'] == True assert r['status_code'] == 200 req = {"user_email": email, "user_role":'consumer', "item_id":pr_resource_id, "item_type":"resourcegroup"} req["capabilities"] = ['temporal']; r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == True assert r['status_code'] == 200 body = {"request" : [pr_resource_id + "/someitem"]} r = consumer.get_token(body) assert r['success'] is True
def test_different_provider_tokens(): resource_id = set_policy() # let alt_provider set a policy resource_id_alt = "iisc.ac.in/2052f450ac2dde345335fb18b82e21da92e3388c/rs.iudx.io/" + rand_rsg( ) access_req = { "user_email": email, "user_role": 'consumer', "item_id": resource_id_alt, "item_type": "resourcegroup", "capabilities": ["complex", "subscription", "temporal"] } r = alt_provider.provider_access([access_req]) assert r['success'] == True assert r['status_code'] == 200 body = {} body['request'] = [resource_id, resource_id_alt] r = consumer.get_token(body) assert r['success'] is True assert r['status_code'] == 200 token = r['response']['token'] s = token.split("/") uuid = s[3] r = consumer.view_tokens() check = False for tokens in r['response']: if uuid == tokens['uuid']: assert len(tokens['request']) == 2 resources = [i['cat_id'] for i in tokens['request']] assert set(resources) == set(body['request']) check = True assert check is True
# token request should fail body = {"id": resource_id + "/someitem", "apis": ["/ngsi-ld/v1/entities"]} r = consumer.get_token(body) assert r['success'] is False # set temporal consumer rule as delegate req = { "user_email": email, "user_role": 'consumer', "item_id": resource_id, "item_type": "resourcegroup" } req["capabilities"] = ['temporal'] # should fail because unapproved delegate r = alt_provider.provider_access([req], '*****@*****.**') assert r['success'] == False assert r['status_code'] == 401 req = {"user_email": delegate_email, "user_role": 'delegate'} r = untrusted.provider_access([req]) assert r['success'] == True assert r['status_code'] == 200 req = { "user_email": email, "user_role": 'consumer', "item_id": resource_id, "item_type": "resourcegroup" } req["capabilities"] = ['temporal']