class XmlrpcAPIBaseTest(test.LiveServerTestCase):
serialized_rollback = True
# NOTE: we setup the required DB data and API objects here
# because this method is executed *AFTER* setUpClass() and the
# serialized rollback is not yet available during setUpClass()
# execution
def _fixture_setup(self):
# restore the serialized data from initial migrations
# this includes default groups and permissions
super(XmlrpcAPIBaseTest, self)._fixture_setup()
self.api_user = UserFactory()
self.api_user.set_password('api-testing')
initiate_user_with_default_setups(self.api_user)
# reset connection to server b/c the address changes for
# every test and the client caches this as a class attribute
tcms_api.TCMS._connection = None
# WARNING: for now we override the config file
# until we can pass the testing configuration
# TODO: change config values instead of overwriting files on disk
conf_path = os.path.expanduser('~/.tcms.conf')
conf_fh = open(conf_path, 'w')
conf_fh.write("""[tcms]
url = %s/xml-rpc/
username = %s
password = %s
""" % (self.live_server_url, self.api_user.username, 'api-testing'))
conf_fh.close()
# this is the XML-RPC ServerProxy with cookies support
self.rpc_client = tcms_api.TCMS()
class APIPermissionsTestCase(PermissionsTestMixin, test.LiveServerTestCase):
http_method_names = ['api']
permission_label = None
serialized_rollback = True
# NOTE: see comment in APITestCase._fixture_setup()
def _fixture_setup(self):
# restore the serialized data from initial migrations
# this includes default groups and permissions
super()._fixture_setup()
self.check_mandatory_attributes()
self.tester = UserFactory()
self.tester.set_password('password')
self.tester.save()
# this is the XML-RPC ServerProxy with cookies support
self.rpc_client = tcms_api.xmlrpc.TCMSXmlrpc(
self.tester.username,
'password',
'%s/xml-rpc/' % self.live_server_url,
).server
def verify_api_with_permission(self):
"""
Call your RPC method under test here and assert the results
"""
self.fail('Not implemented')
def verify_api_without_permission(self):
"""
Call your RPC method under test here and assert the results
"""
self.fail('Not implemented')
def test_remove_tag_without_permissions(self):
unauthorized_user = UserFactory()
unauthorized_user.set_password("api-testing")
unauthorized_user.save()
unauthorized_user.user_permissions.add(*Permission.objects.all())
remove_perm_from_user(unauthorized_user,
"testcases.delete_testcasetag")
rpc_client = xmlrpc.TCMSXmlrpc(
unauthorized_user.username,
"api-testing",
f"{self.live_server_url}/xml-rpc/",
).server
with self.assertRaisesRegex(ProtocolError, "403 Forbidden"):
rpc_client.TestCase.remove_tag(self.testcase.pk, self.tag0.name)
# tags were not modified
tag_exists = TestCase.objects.filter(pk=self.testcase.pk,
tag__pk=self.tag0.pk).exists()
self.assertTrue(tag_exists)
tag_exists = TestCase.objects.filter(pk=self.testcase.pk,
tag__pk=self.tag1.pk).exists()
self.assertFalse(tag_exists)
def create_request_user(username=None, password=None):
if username:
user = UserFactory(username=username)
else:
user = UserFactory()
if password:
user.set_password(password)
else:
user.set_password('password')
user.save()
return user
def test_check_unapplied_migrations(self):
call_command("migrate", "bugs", "zero", verbosity=2, interactive=False)
tester = UserFactory()
tester.set_password("password")
tester.save()
self.client.login( # nosec:B106:hardcoded_password_funcarg
username=tester.username,
password="******",
)
response = self.client.get("/", follow=True)
self.assertContains(response, self.unapplied_migration_message)
def create_request_user(username=None, password=None):
if username:
user = UserFactory(username=username)
else:
user = UserFactory()
if password:
user.set_password(password)
else:
user.set_password('password')
user.save()
return user
def test_add_case_without_permissions(self):
unauthorized_user = UserFactory()
unauthorized_user.set_password('api-testing')
unauthorized_user.save()
unauthorized_user.user_permissions.add(*Permission.objects.all())
remove_perm_from_user(unauthorized_user, 'testruns.add_testcaserun')
rpc_client = TCMSXmlrpc(unauthorized_user.username,
'api-testing',
'%s/xml-rpc/' % self.live_server_url).server
with self.assertRaisesRegex(ProtocolError, '403 Forbidden'):
rpc_client.TestRun.add_case(self.test_run.pk, self.test_case.pk)
exists = TestCaseRun.objects.filter(run=self.test_run.pk, case=self.test_case.pk).exists()
self.assertFalse(exists)
def test_add_tag_without_permissions(self):
unauthorized_user = UserFactory()
unauthorized_user.set_password('api-testing')
unauthorized_user.save()
unauthorized_user.user_permissions.add(*Permission.objects.all())
remove_perm_from_user(unauthorized_user, 'testcases.add_testcasetag')
rpc_client = xmlrpc.TCMSXmlrpc(unauthorized_user.username,
'api-testing',
'%s/xml-rpc/' % self.live_server_url).server
with self.assertRaisesRegex(ProtocolError, '403 Forbidden'):
rpc_client.TestCase.add_tag(self.testcase.pk, self.tag1.name)
# tags were not modified
tag_exists = TestCase.objects.filter(pk=self.testcase.pk, tag__pk=self.tag1.pk).exists()
self.assertFalse(tag_exists)
def test_add_case_without_permissions(self):
unauthorized_user = UserFactory()
unauthorized_user.set_password("api-testing")
unauthorized_user.save()
unauthorized_user.user_permissions.add(*Permission.objects.all())
remove_perm_from_user(unauthorized_user, "testruns.add_testexecution")
rpc_client = xmlrpc.TCMSXmlrpc(
unauthorized_user.username,
"api-testing",
"%s/xml-rpc/" % self.live_server_url,
).server
with self.assertRaisesRegex(ProtocolError, "403 Forbidden"):
rpc_client.TestRun.add_case(self.test_run.pk, self.test_case.pk)
exists = TestExecution.objects.filter(run=self.test_run.pk,
case=self.test_case.pk).exists()
self.assertFalse(exists)
class APITestCase(test.LiveServerTestCase):
serialized_rollback = True
# NOTE: we setup the required DB data and API objects here
# because this method is executed *AFTER* setUpClass() and the
# serialized rollback is not yet available during setUpClass()
# execution
def _fixture_setup(self):
# restore the serialized data from initial migrations
# this includes default groups and permissions
super()._fixture_setup()
self.api_user = UserFactory()
self.api_user.set_password('api-testing')
initiate_user_with_default_setups(self.api_user)
# this is the XML-RPC ServerProxy with cookies support
self.rpc_client = tcms_api.xmlrpc.TCMSXmlrpc(
self.api_user.username,
'api-testing',
'%s/xml-rpc/' % self.live_server_url,
).server
class TestUserUpdate(APITestCase):
"""Test User.update"""
def _fixture_setup(self):
super()._fixture_setup()
self.another_user = UserFactory()
self.another_user.set_password('another-password')
self.another_user.save()
self.user_new_attrs = {
'first_name': 'new first name',
'last_name': 'new last name',
'email': 'new email',
}
def setUp(self):
super().setUp()
# clear permissions b/c we set them inside individual tests
self.api_user.user_permissions.all().delete()
def tearDown(self):
super().tearDown()
self.api_user.set_password('api-testing')
self.api_user.save()
def test_update_myself(self):
data = self.rpc_client.User.update(self.api_user.pk,
self.user_new_attrs)
self.assertEqual(data['first_name'], self.user_new_attrs['first_name'])
self.assertEqual(data['last_name'], self.user_new_attrs['last_name'])
self.assertEqual(data['email'], self.user_new_attrs['email'])
def test_update_myself_without_passing_id(self):
data = self.rpc_client.User.update(None, self.user_new_attrs)
self.assertEqual(data['first_name'], self.user_new_attrs['first_name'])
self.assertEqual(data['last_name'], self.user_new_attrs['last_name'])
self.assertEqual(data['email'], self.user_new_attrs['email'])
def test_update_other_missing_permission(self):
new_values = {'some_attr': 'xxx'}
with self.assertRaisesRegex(XmlRPCFault, "Permission denied"):
self.rpc_client.User.update(self.another_user.pk, new_values)
def test_update_other_with_proper_permission(self):
user_should_have_perm(self.api_user, 'auth.change_user')
data = self.rpc_client.User.update(self.another_user.pk,
self.user_new_attrs)
self.another_user.refresh_from_db()
self.assertEqual(data['first_name'], self.another_user.first_name)
self.assertEqual(data['last_name'], self.another_user.last_name)
self.assertEqual(data['email'], self.another_user.email)
def test_update_own_password(self):
user_new_attrs = self.user_new_attrs.copy()
new_password = '******' # nosec:B105:hardcoded_password_string
user_new_attrs[
'password'] = new_password # nosec:B105:hardcoded_password_string
with self.assertRaisesRegex(XmlRPCFault, 'Old password is required'):
self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
user_new_attrs['old_password'] = '******' # nosec:B105
with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"):
self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
user_new_attrs[
'old_password'] = '******' # nosec:B105:hardcoded_password_string
data = self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
self.assertTrue('password' not in data)
self.assertEqual(data['first_name'], user_new_attrs['first_name'])
self.assertEqual(data['last_name'], user_new_attrs['last_name'])
self.assertEqual(data['email'], user_new_attrs['email'])
self.api_user.refresh_from_db()
self.assertTrue(self.api_user.check_password(new_password))
def test_update_another_user_password(self):
user_should_have_perm(self.api_user, 'auth.change_user')
user_new_attrs = self.user_new_attrs.copy()
user_new_attrs[
'password'] = '******' # nosec:B105:hardcoded_password_string
with self.assertRaisesRegex(
XmlRPCFault,
'Password updates for other users are not allowed via RPC!'):
self.rpc_client.User.update(self.another_user.pk, user_new_attrs)
class TestUserUpdate(XmlrpcAPIBaseTest):
'''Test User.update'''
def _fixture_setup(self):
super(TestUserUpdate, self)._fixture_setup()
self.another_user = UserFactory()
self.another_user.set_password('another-password')
self.another_user.save()
self.user_new_attrs = {
'first_name': 'new first name',
'last_name': 'new last name',
'email': 'new email',
}
def setUp(self):
super(TestUserUpdate, self).setUp()
# clear permissions b/c we set them inside individual tests
self.api_user.user_permissions.all().delete()
def tearDown(self):
super(TestUserUpdate, self).tearDown()
self.api_user.set_password('api-testing')
self.api_user.save()
def test_update_myself(self):
data = self.rpc_client.User.update(self.user_new_attrs,
self.api_user.pk)
self.assertEqual(data['first_name'], self.user_new_attrs['first_name'])
self.assertEqual(data['last_name'], self.user_new_attrs['last_name'])
self.assertEqual(data['email'], self.user_new_attrs['email'])
def test_update_myself_without_passing_id(self):
data = self.rpc_client.User.update(self.user_new_attrs)
self.assertEqual(data['first_name'], self.user_new_attrs['first_name'])
self.assertEqual(data['last_name'], self.user_new_attrs['last_name'])
self.assertEqual(data['email'], self.user_new_attrs['email'])
def test_update_other_missing_permission(self):
new_values = {'some_attr': 'xxx'}
with self.assertRaisesRegex(XmlRPCFault, "Permission denied"):
self.rpc_client.User.update(new_values, self.another_user.pk)
def test_update_other_with_proper_permission(self):
user_should_have_perm(self.api_user, 'auth.change_user')
data = self.rpc_client.User.update(self.user_new_attrs,
self.another_user.pk)
updated_user = User.objects.get(pk=self.another_user.pk)
self.assertEqual(data['first_name'], updated_user.first_name)
self.assertEqual(data['last_name'], updated_user.last_name)
self.assertEqual(data['email'], updated_user.email)
def test_update_own_password(self):
user_new_attrs = self.user_new_attrs.copy()
new_password = '******'
user_new_attrs['password'] = new_password
with self.assertRaisesRegex(XmlRPCFault, 'Old password is required'):
self.rpc_client.User.update(user_new_attrs, self.api_user.pk)
user_new_attrs['old_password'] = '******'
with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"):
self.rpc_client.User.update(user_new_attrs, self.api_user.pk)
user_new_attrs['old_password'] = '******'
data = self.rpc_client.User.update(user_new_attrs, self.api_user.pk)
self.assertTrue('password' not in data)
self.assertEqual(data['first_name'], user_new_attrs['first_name'])
self.assertEqual(data['last_name'], user_new_attrs['last_name'])
self.assertEqual(data['email'], user_new_attrs['email'])
user = User.objects.get(pk=self.api_user.pk)
self.assertTrue(user.check_password(new_password))
def test_update_another_user_password(self):
user_should_have_perm(self.api_user, 'auth.change_user')
user_new_attrs = self.user_new_attrs.copy()
user_new_attrs['password'] = '******'
with self.assertRaisesRegex(
XmlRPCFault,
'Password updates for other users are not allowed via RPC!'):
self.rpc_client.User.update(user_new_attrs, self.another_user.pk)
class TestUserUpdate(APITestCase):
"""Test User.update"""
def _fixture_setup(self):
super()._fixture_setup()
self.another_user = UserFactory()
self.another_user.set_password("another-password")
self.another_user.save()
self.user_new_attrs = {
"first_name": "new first name",
"last_name": "new last name",
"email": "new email",
}
def setUp(self):
super().setUp()
# clear permissions b/c we set them inside individual tests
self.api_user.user_permissions.all().delete()
def tearDown(self):
super().tearDown()
self.api_user.set_password("api-testing")
self.api_user.save()
def test_update_myself(self):
data = self.rpc_client.User.update(self.api_user.pk,
self.user_new_attrs)
self.assertEqual(data["first_name"], self.user_new_attrs["first_name"])
self.assertEqual(data["last_name"], self.user_new_attrs["last_name"])
self.assertEqual(data["email"], self.user_new_attrs["email"])
def test_update_myself_without_passing_id(self):
data = self.rpc_client.User.update(None, self.user_new_attrs)
self.assertEqual(data["first_name"], self.user_new_attrs["first_name"])
self.assertEqual(data["last_name"], self.user_new_attrs["last_name"])
self.assertEqual(data["email"], self.user_new_attrs["email"])
def test_update_other_missing_permission(self):
new_values = {"some_attr": "xxx"}
with self.assertRaisesRegex(XmlRPCFault, "Permission denied"):
self.rpc_client.User.update(self.another_user.pk, new_values)
def test_update_other_with_proper_permission(self):
user_should_have_perm(self.api_user, "auth.change_user")
data = self.rpc_client.User.update(self.another_user.pk,
self.user_new_attrs)
self.another_user.refresh_from_db()
self.assertEqual(data["first_name"], self.another_user.first_name)
self.assertEqual(data["last_name"], self.another_user.last_name)
self.assertEqual(data["email"], self.another_user.email)
def test_update_own_password(self):
user_new_attrs = self.user_new_attrs.copy()
new_password = "******" # nosec:B105:hardcoded_password_string
user_new_attrs["password" # nosec:B105:hardcoded_password_string
] = new_password
with self.assertRaisesRegex(XmlRPCFault, "Old password is required"):
self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
user_new_attrs["old_password"] = "******" # nosec:B105
with self.assertRaisesRegex(XmlRPCFault, "Password is incorrect"):
self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
user_new_attrs["old_password" # nosec:B105:hardcoded_password_string
] = "api-testing"
data = self.rpc_client.User.update(self.api_user.pk, user_new_attrs)
self.assertTrue("password" not in data)
self.assertEqual(data["first_name"], user_new_attrs["first_name"])
self.assertEqual(data["last_name"], user_new_attrs["last_name"])
self.assertEqual(data["email"], user_new_attrs["email"])
self.api_user.refresh_from_db()
self.assertTrue(self.api_user.check_password(new_password))
def test_update_another_user_password(self):
user_should_have_perm(self.api_user, "auth.change_user")
user_new_attrs = self.user_new_attrs.copy()
user_new_attrs["password" # nosec:B105:hardcoded_password_string
] = "new password"
with self.assertRaisesRegex(
XmlRPCFault,
"Password updates for other users are not allowed via RPC!"):
self.rpc_client.User.update(self.another_user.pk, user_new_attrs)
