def test_find_by_x(self, fake_jwks):
    """Look up one user through every indexed field with full read and display scope.

    The first profile returned by ``/v2/users`` is the lookup target. For each
    entry of ``indexed_fields`` the per-field endpoint must return a profile
    that still carries the restricted attributes (``access_provider``,
    ``cost_center``) as well as ``uuid`` and an ``active`` value of ``True``.
    """
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    bearer = FakeBearer()
    fake_jwks.return_value = json_form_of_pk
    full_scope = "read:fullprofile display:all"
    auth = {"Authorization": "Bearer " + bearer.generate_bearer_with_scope(full_scope)}
    listing = self.app.get("/v2/users", headers=auth, follow_redirects=True)
    target = listing.json["Items"][0]
    for field in indexed_fields:
        # data classification: ALL, display scope: ALL, display parameter: -
        # A fresh token is minted for every field, as in the original flow.
        auth = {"Authorization": "Bearer " + bearer.generate_bearer_with_scope(full_scope)}
        lookup = self.app.get(
            "/v2/user/{}/{}".format(field, target[field]["value"]),
            headers=auth,
            follow_redirects=True,
        )
        body = lookup.json
        assert body.get("access_information").get("access_provider") is not None
        assert body.get("staff_information").get("cost_center") is not None
        assert body.get("uuid") is not None
        assert body.get("active").get("value") is True
def test_users_with_dispaly_level_params_and_scopes(self, fake_jwks):
    """Listing users under display:public vs display:staff narrows what each profile exposes.

    With the full data classification (``read:fullprofile``) the display scope
    alone decides visibility: ``access_provider`` stays hidden under both
    scopes, while ``cost_center`` appears only under ``display:staff``.
    ``uuid`` is always present.
    """
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    bearer = FakeBearer()
    fake_jwks.return_value = json_form_of_pk
    # (scope string, whether staff_information.cost_center must be present)
    cases = [
        # data classification: ALL, display scope: PUBLIC
        ("read:fullprofile display:public", False),
        # data classification: ALL, display scope: STAFF
        ("read:fullprofile display:staff", True),
    ]
    for scope, expect_cost_center in cases:
        token = bearer.generate_bearer_with_scope(scope)
        listing = self.app.get("/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True)
        for profile in listing.json["Items"]:
            assert profile.get("access_information").get("access_provider") is None
            cost_center = profile.get("staff_information").get("cost_center")
            if expect_cost_center:
                assert cost_center is not None
            else:
                assert cost_center is None
            assert profile.get("uuid") is not None
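def test_profiles_returns_a_list(self, fake_jwks):
    """Exercise the paginated user listing and the filtered single-user lookups.

    Checks, in order: the first page holds more than 20 items and a non-empty
    ``nextPage``; following the paginator yields at least one more item; a
    ``primaryEmail`` filter returns exactly one item; ``read:profile`` (public
    data classification) hides ``access_information.hris`` both on the listing
    and on a single-user lookup, while ``read:fullprofile`` exposes
    ``access_information`` on the same user.
    """
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    f = FakeBearer()
    fake_jwks.return_value = json_form_of_pk

    token = f.generate_bearer_with_scope("read:fullprofile display:all")
    result = self.app.get("/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True)
    assert result.json is not None
    total_users_retrieved = len(result.json["Items"])
    assert total_users_retrieved > 20
    # Lazy %-formatting: the message is only rendered when INFO is enabled.
    logger.info("Paginated query to all users returned: %s", total_users_retrieved)
    assert result.json["nextPage"] is not None
    assert result.json["nextPage"] != ""
    next_page = result.json["nextPage"]

    # Follow the paginator. The token is JSON-encoded but not percent-encoded;
    # it is passed through exactly as the service handed it out.
    paged_query = self.app.get(
        "/v2/users?nextPage={}".format(json.dumps(next_page)),
        headers={"Authorization": "Bearer " + token},
        follow_redirects=True,
    )
    assert len(paged_query.json["Items"]) >= 1

    first_item = result.json["Items"][0]
    sample_primary_email = first_item["primary_email"]["value"]
    primary_email_query = self.app.get(
        "/v2/users?primaryEmail={}".format(sample_primary_email),
        headers={"Authorization": "Bearer " + token},
        follow_redirects=True,
    )
    assert len(primary_email_query.json["Items"]) == 1

    # Public data classification: hris must be filtered out of every profile.
    public_token = f.generate_bearer_with_scope("read:profile display:all")
    public_data_class_query = self.app.get(
        "/v2/users", headers={"Authorization": "Bearer " + public_token}, follow_redirects=True
    )
    for profile in public_data_class_query.json["Items"]:
        assert profile.get("access_information").get("hris") is None

    first_user_id = first_item["user_id"]["value"]
    single_user_url = "/v2/user/user_id/{}".format(first_user_id)
    single_user_public_data_class_query = self.app.get(
        single_user_url,
        headers={"Authorization": "Bearer " + public_token},
        follow_redirects=True,
    )
    assert single_user_public_data_class_query.json.get("access_information").get("hris") is None

    # Full data classification: access_information is present on the same user.
    token = f.generate_bearer_with_scope("read:fullprofile display:all")
    single_user_all_data_class_query = self.app.get(
        single_user_url,
        headers={"Authorization": "Bearer " + token},
        follow_redirects=True,
    )
    assert single_user_all_data_class_query.json.get("access_information")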
def test_users_with_scopes(self, fake_jwks):
    """Data-classification scopes gate which staff attributes the listing returns.

    Display scope is fixed to ``display:all``; the classification scopes vary:
    no classification scope hides ``cost_center``, ``staff_only`` reveals
    ``cost_center`` but not ``title``, and adding ``mozilla_confidential``
    reveals ``title`` too. ``access_provider`` stays hidden in every case and
    ``uuid`` is always present.
    """
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    bearer = FakeBearer()
    fake_jwks.return_value = json_form_of_pk

    def list_profiles(scope):
        # Mint a token for *scope* and return the listed profiles.
        token = bearer.generate_bearer_with_scope(scope)
        listing = self.app.get("/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True)
        return listing.json["Items"]

    # data classification: PUBLIC, display scope: ALL
    for profile in list_profiles("display:all"):
        assert profile.get("access_information").get("access_provider") is None
        assert profile.get("staff_information").get("cost_center") is None
        assert profile.get("uuid") is not None

    # data classification: STAFF, display scope: ALL
    for profile in list_profiles("classification:workgroup:staff_only display:all"):
        staff_info = profile.get("staff_information")
        assert profile.get("access_information").get("access_provider") is None
        assert staff_info.get("cost_center") is not None
        assert staff_info.get("title") is None
        assert profile.get("uuid") is not None

    # data classification: STAFF + MOZILLA_CONFIDENTIAL, display scope: ALL
    for profile in list_profiles(
        "classification:workgroup:staff_only classification:mozilla_confidential display:all"
    ):
        staff_info = profile.get("staff_information")
        assert profile.get("access_information").get("access_provider") is None
        assert staff_info.get("cost_center") is not None
        assert staff_info.get("title") is not None
        assert profile.get("uuid") is not None
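def test_returning_query_by_any_staff_only_active_true(self, fake_jwks):
    """Query active staff via ``by_attribute_contains`` and follow one extra page if offered.

    Requires ``search:all`` on top of the full read/display scopes. Only the
    presence of the ``users`` list is asserted, on the first page and — when
    the service returns a ``nextPage`` cursor — on the following page.
    """
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    f = FakeBearer()
    fake_jwks.return_value = json_form_of_pk
    token = f.generate_bearer_with_scope("read:fullprofile display:all search:all")
    auth = {"Authorization": "Bearer " + token}
    logger.info("Attempting to query all staff.")
    # Plain string: the first URL has no placeholders (the original carried an
    # unnecessary f-prefix).
    result = self.app.get(
        "/v2/users/id/all/by_attribute_contains?staff_information.staff=True&active=True",
        headers=auth,
        follow_redirects=True,
    )
    logger.info("All staff users returned.")
    assert result.json["users"] is not None
    if result.json["nextPage"]:
        # The cursor is interpolated as-is, without percent-encoding; it is
        # taken straight from the service's own response.
        next_page = result.json["nextPage"]
        result = self.app.get(
            f"/v2/users/id/all/by_attribute_contains?staff_information.staff=True&active=True&nextPage={next_page}",
            headers=auth,
            follow_redirects=True,
        )
        logger.info("An additional page of all staff users returned")
        assert result.json["users"] is not None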
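def test_change_endpoint_fails_with_invalid_token_and_jwt_validation_false(self, fake_jwks):
    """With ``CIS_JWT_VALIDATION=false`` the change service accepts an otherwise invalid bearer.

    The token carries an ``exp`` and ``iat`` in the past and an audience that
    is not the service's own, yet the request returns 200 because the
    environment flag switches claim validation off. NOTE(review): the flag
    therefore removes the service's authentication check entirely — presumably
    intended for local runs only; confirm it cannot be set in deployed
    environments.

    The flag is restored on exit so it does not leak into later tests in the
    same process (the sibling test with the same claims expects 401).
    """
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_ENVIRONMENT"] = "local"
    os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
    os.environ["CIS_REGION_NAME"] = "us-west-2"
    # Imported after the environment is prepared, in the same order as before;
    # presumably the module reads these variables at import time.
    from cis_change_service import api

    previous_validation = os.environ.get("CIS_JWT_VALIDATION")
    os.environ["CIS_JWT_VALIDATION"] = "false"
    try:
        f = FakeBearer()
        # Both timestamps are 3100 s in the past. "%s" (epoch seconds) is a
        # glibc strftime extension and is not portable beyond Linux.
        bad_claims = {
            "iss": "https://auth-dev.mozilla.auth0.com/",
            "sub": "mc1l0G4sJI2eQfdWxqgVNcRAD9EAgHib@clients",
            "aud": "https://hacks",
            "iat": (datetime.utcnow() - timedelta(seconds=3100)).strftime("%s"),
            "exp": (datetime.utcnow() - timedelta(seconds=3100)).strftime("%s"),
            "scope": "read:allthething",
            "gty": "client-credentials",
        }
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_with_scope("read:profile", bad_claims)
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.get(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(self.user_profile),
            content_type="application/json",
            follow_redirects=True,
        )
        assert result.status_code == 200
    finally:
        # Put the validation flag back the way we found it.
        if previous_validation is None:
            os.environ.pop("CIS_JWT_VALIDATION", None)
        else:
            os.environ["CIS_JWT_VALIDATION"] = previous_validation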
def test_change_endpoint_fails_with_invalid_token(self, fake_jwks):
    """The change service rejects a bearer with expired timestamps and a foreign audience.

    ``iat`` and ``exp`` both lie 3100 seconds in the past and ``aud`` is not
    the service's own; the request must come back as 401.
    """
    from cis_change_service import api

    bearer = FakeBearer()
    # "%s" (epoch seconds) is a glibc strftime extension, not portable.
    stale_iat = (datetime.utcnow() - timedelta(seconds=3100)).strftime("%s")
    stale_exp = (datetime.utcnow() - timedelta(seconds=3100)).strftime("%s")
    bad_claims = {
        "iss": "https://auth-dev.mozilla.auth0.com/",
        "sub": "mc1l0G4sJI2eQfdWxqgVNcRAD9EAgHib@clients",
        "aud": "https://hacks",
        "iat": stale_iat,
        "exp": stale_exp,
        "scope": "read:allthething",
        "gty": "client-credentials",
    }
    fake_jwks.return_value = json_form_of_pk
    token = bearer.generate_bearer_with_scope("read:profile", bad_claims)
    api.app.testing = True
    self.app = api.app.test_client()
    response = self.app.get("/v2/user", headers={"Authorization": "Bearer " + token}, follow_redirects=True)
    assert response.status_code == 401
def test_returning_all(self, fake_jwks):
    """``/v2/users/id/all`` filtered by ``connectionMethod=email`` returns a non-empty list of dicts."""
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    bearer = FakeBearer()
    fake_jwks.return_value = json_form_of_pk
    token = bearer.generate_bearer_with_scope("read:fullprofile display:all")
    response = self.app.get(
        "/v2/users/id/all?connectionMethod=email",
        headers={"Authorization": "Bearer " + token},
        follow_redirects=True,
    )
    users = response.json["users"]
    assert isinstance(users, list)
    assert isinstance(users[0], dict)
    assert len(users) > 0
def test_metadata_by_primary_email(self, fake_jwks):
    """The metadata endpoint reports a known user as existing in both CIS and LDAP.

    The primary e-mail of the first listed user is looked up on
    ``/v2/user/metadata/<email>``. NOTE(review): that second request carries no
    Authorization header, so the endpoint is exercised unauthenticated and
    reveals account existence per backend — confirm this is intended.
    """
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    bearer = FakeBearer()
    fake_jwks.return_value = json_form_of_pk
    token = bearer.generate_bearer_with_scope("read:fullprofile display:all")
    listing = self.app.get("/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True)
    primary_email = listing.json["Items"][0]["primary_email"]["value"]
    metadata = self.app.get(
        "/v2/user/metadata/{}".format(primary_email),
        follow_redirects=True,
    )
    exists = metadata.json.get("exists")
    assert exists.get("cis") == True
    assert exists.get("ldap") == True
def test_users_with_all(self, fake_jwks):
    """With full read and display scope every listed profile exposes its restricted attributes."""
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    bearer = FakeBearer()
    fake_jwks.return_value = json_form_of_pk
    # data classification: ALL, display scope: ALL
    token = bearer.generate_bearer_with_scope("read:fullprofile display:all")
    listing = self.app.get("/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True)
    for profile in listing.json["Items"]:
        access_info = profile.get("access_information")
        staff_info = profile.get("staff_information")
        assert access_info.get("access_provider") is not None
        assert staff_info.get("cost_center") is not None
        assert profile.get("uuid") is not None
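def test_returning_query_by_any_find_ldap_members(self, fake_jwks):
    """Find a staff user with LDAP group memberships and query members of each of its groups.

    Requires ``search:all``. The first request fetches active staff with full
    profiles; the first user whose ``access_information.ldap.values`` is not
    empty supplies the group names, and every one of them must match at least
    one user through ``access_information.ldap=<group>``. If no user carries
    LDAP groups the second loop does not run.
    """
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    f = FakeBearer()
    fake_jwks.return_value = json_form_of_pk
    token = f.generate_bearer_with_scope("read:fullprofile display:all search:all")
    auth = {"Authorization": "Bearer " + token}
    logger.info("Attempting to query all staff.")
    # Plain string: no placeholders here (the original carried an unnecessary f-prefix).
    result = self.app.get(
        "/v2/users/id/all/by_attribute_contains?staff_information.staff=True&active=True&fullProfiles=True",
        headers=auth,
        follow_redirects=True,
    )
    logger.info("All staff users returned.")
    assert result.json["users"] is not None

    # Go find a user with an ldap group; fall back to an empty mapping.
    ldap_groups = next(
        (
            user["profile"]["access_information"]["ldap"]["values"]
            for user in result.json["users"]
            if user["profile"]["access_information"]["ldap"]["values"] != {}
        ),
        {},
    )
    for group in ldap_groups:
        logger.info("Attempting to query for: %s", group)
        # The group name is interpolated as-is, without percent-encoding; it
        # comes from the service's own response.
        result = self.app.get(
            f"/v2/users/id/all/by_attribute_contains?access_information.ldap={group}&active=True&fullProfiles=False",
            headers=auth,
            follow_redirects=True,
        )
        assert len(result.json["users"]) > 0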
def test_find_by_x_with_dispaly_level_params_and_scopes(self, fake_jwks):
    """Per-field lookups honour the token's display scope and the ``filterDisplay`` parameter.

    For every indexed field the same target user is fetched four times:
    display:public and display:staff without a parameter, display:staff with
    ``filterDisplay=public``, and display:public with ``filterDisplay=staff``.
    ``access_provider`` is never shown; ``cost_center`` is shown only under
    display:staff with no narrowing parameter. The last case shows that
    ``filterDisplay`` cannot widen visibility beyond what the token's scope
    grants; ``uuid`` is present throughout.
    """
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    bearer = FakeBearer()
    fake_jwks.return_value = json_form_of_pk
    token = bearer.generate_bearer_with_scope("read:fullprofile display:all")
    listing = self.app.get("/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True)
    target = listing.json["Items"][0]

    def lookup(field, scope, query_string=""):
        # Mint a token for *scope* and fetch the target user through *field*.
        tok = bearer.generate_bearer_with_scope(scope)
        response = self.app.get(
            "/v2/user/{}/{}{}".format(field, target[field]["value"], query_string),
            headers={"Authorization": "Bearer " + tok},
            follow_redirects=True,
        )
        return response.json

    for field in indexed_fields:
        # data classification: ALL, display scope: PUBLIC, display parameter: -
        body = lookup(field, "read:fullprofile display:public")
        assert body.get("access_information").get("access_provider") is None
        assert body.get("staff_information").get("cost_center") is None
        assert body.get("uuid") is not None

        # data classification: ALL, display scope: STAFF, display parameter: -
        body = lookup(field, "read:fullprofile display:staff")
        assert body.get("access_information").get("access_provider") is None
        assert body.get("staff_information").get("cost_center") is not None
        assert body.get("uuid") is not None

        # data classification: ALL, display scope: STAFF, display parameter: PUBLIC
        body = lookup(field, "read:fullprofile display:staff", "?filterDisplay=public")
        assert not body.get("access_information").get("access_provider")
        assert not body.get("staff_information").get("cost_center")
        assert body.get("uuid")

        # data classification: ALL, display scope: PUBLIC, display parameter: STAFF
        body = lookup(field, "read:fullprofile display:public", "?filterDisplay=staff")
        assert not body.get("access_information").get("access_provider")
        assert not body.get("staff_information").get("cost_center")
        assert body.get("uuid")