def test_create_scan_with_credential(self):
scan = Scan(self.user.email, self.TEST_PLAN["name"],
{"target": self.target_url})
res = scan.create()
expected_top_keys = (
'success',
'scan',
)
self.assertEqual(res.json()["success"], True)
expected_scan_keys = set(['id', 'state', 'created', 'queued', 'started', \
'finished', 'plan', 'configuration', 'sessions', 'meta'])
self.assertEqual(set(res.json()["scan"].keys()), expected_scan_keys)
meta = res.json()['scan']['meta']
# this scan is not tagged
self.assertEqual(meta['tags'], [])
# bug #106 add owner of the scan
self.assertEqual(meta['user'], self.user.email)
self.assertEqual(res.json()['scan']['configuration']['target'],
self.target_url)
scan = res.json()['scan']
expected_session_keys = ['id', 'state', 'plugin', 'configuration', \
'description', 'artifacts', 'issues', 'created', 'started', \
'queued', 'finished', 'progress']
for session in scan['sessions']:
self.assertEqual(set(session.keys()), set(expected_session_keys))
self.assertEqual(session['configuration']['target'],
self.target_url)
self.assertEqual(session['state'], 'CREATED')
self.assertEqual(session['artifacts'], {})
self.assertEqual(session['issues'], [])
for name in ('queued', 'started', 'finished', 'progress'):
self.assertEqual(session[name], None)
def test_create_scan_with_credential(self):
scan = Scan(self.user.email, self.TEST_PLAN["name"], {"target": self.target_url})
res = scan.create()
expected_top_keys = ('success', 'scan',)
self.assertEqual(res.json()["success"], True)
expected_scan_keys = set(['id', 'state', 'created', 'queued', 'started', \
'finished', 'plan', 'configuration', 'sessions', 'meta'])
self.assertEqual(set(res.json()["scan"].keys()), expected_scan_keys)
meta = res.json()['scan']['meta']
# this scan is not tagged
self.assertEqual(meta['tags'], [])
# bug #106 add owner of the scan
self.assertEqual(meta['user'], self.user.email)
self.assertEqual(res.json()['scan']['configuration']['target'],
self.target_url)
scan = res.json()['scan']
expected_session_keys = ['id', 'state', 'plugin', 'configuration', \
'description', 'artifacts', 'issues', 'created', 'started', \
'queued', 'finished', 'progress']
for session in scan['sessions']:
self.assertEqual(set(session.keys()), set(expected_session_keys))
self.assertEqual(session['configuration']['target'], self.target_url)
self.assertEqual(session['state'], 'CREATED')
self.assertEqual(session['artifacts'], {})
self.assertEqual(session['issues'], [])
for name in ('queued', 'started', 'finished', 'progress'):
self.assertEqual(session[name], None)
def test_get_scan_details_filter_with_nonexistent_user(self):
# If we give a non-existent user in the request argument, it will return user not found
scan = Scan(self.user.email, self.TEST_PLAN["name"], {"target": self.target_url})
res1 = scan.create()
scan_id = res1.json()['scan']['id']
res2 = scan.get_scan_details(scan_id, email="*****@*****.**")
self.assertEqual(res2.json()["success"], False)
self.assertEqual(res2.json()["reason"], "user-does-not-exist")
def test_get_scan_details_filter_with_nonexistent_user(self):
# If we give a non-existent user in the request argument, it will return user not found
scan = Scan(self.user.email, self.TEST_PLAN["name"],
{"target": self.target_url})
res1 = scan.create()
scan_id = res1.json()['scan']['id']
res2 = scan.get_scan_details(scan_id,
email="*****@*****.**")
self.assertEqual(res2.json()["success"], False)
self.assertEqual(res2.json()["reason"], "user-does-not-exist")
def test_get_scan_details(self):
scan = Scan(self.user.email, self.TEST_PLAN["name"], {"target": self.target_url})
res1 = scan.create()
scan_id = res1.json()['scan']['id']
res2 = scan.get_scan_details(scan_id)
# since scan hasn't started, should == res1
self.assertEqual(res2.json(), res1.json())
# bug #140 and bug #146
res3 = scan.get_scan_details(scan_id, email=self.user.email)
self.assertEqual(res3.json(), res2.json())
def test_get_scan_details(self):
scan = Scan(self.user.email, self.TEST_PLAN["name"],
{"target": self.target_url})
res1 = scan.create()
scan_id = res1.json()['scan']['id']
res2 = scan.get_scan_details(scan_id)
# since scan hasn't started, should == res1
self.assertEqual(res2.json(), res1.json())
# bug #140 and bug #146
res3 = scan.get_scan_details(scan_id, email=self.user.email)
self.assertEqual(res3.json(), res2.json())
def test_get_scan_details_filter_with_incorrect_user(self):
# Scan is started by Bob and only Bob's group has access to target_url.
# Alice does not belong to Bob's group so she has no permission to the scan
scan = Scan(self.user.email, self.TEST_PLAN["name"], {"target": self.target_url})
res1 = scan.create()
scan_id = res1.json()['scan']['id']
alice = User("*****@*****.**")
res2 = alice.create()
self.assertEqual(res2.json()["success"], True)
res2 = scan.get_scan_details(scan_id, email=alice.email)
self.assertEqual(res2.json()["success"], False)
self.assertEqual(res2.json()["reason"], "not-found")
def test_get_scan_details_filter_with_incorrect_user(self):
# Scan is started by Bob and only Bob's group has access to target_url.
# Alice does not belong to Bob's group so she has no permission to the scan
scan = Scan(self.user.email, self.TEST_PLAN["name"],
{"target": self.target_url})
res1 = scan.create()
scan_id = res1.json()['scan']['id']
alice = User("*****@*****.**")
res2 = alice.create()
self.assertEqual(res2.json()["success"], True)
res2 = scan.get_scan_details(scan_id, email=alice.email)
self.assertEqual(res2.json()["success"], False)
self.assertEqual(res2.json()["reason"], "not-found")
def test_scan(self):
"""
This is a comprehensive test that runs through the following
endpoints:
1. POST /scans
2. GET /scans/<scan_id>
3. PUT /scans/<scan_id>/control
4. GET /scans/<scan_id>/summary
5. GET /reports/history
6. GET /reports/status
7. GET /reports/issues
"""
# Create user, site, group, plan and site
# This is already handled in setUp call.
# POST /scans
# create a scan on target_url based on our
# test plan (which runs HelloWorldPlugin)
scan = Scan(self.user.email, self.TEST_PLAN["name"], {"target": self.target_url})
res1 = scan.create()
scan_id = res1.json()['scan']['id']
# PUT /scans/<scan_id>/control
# Start the scan now.
res2 = scan.start(scan_id)
self.assertEqual(res2.json()['success'], True)
# GET /scans/<scan_id>
# Check the status. It should be in QUEUED (hopefully it doesn't go too fast)
res3 = scan.get_scan_details(scan_id)
self.assertEqual(res3.json()["scan"]["state"], "QUEUED")
# POST and GET scan details should have the same set of keys at the top-level
# and at the "scan" level
self.assertEqual(set(res3.json().keys()), set(res1.json().keys()))
self.assertEqual(set(res3.json()["scan"].keys()), set(res1.json()["scan"].keys()))
# give scanner a few seconds
time.sleep(6)
# GET /scans/<scan_id>
# now check if the scan has completed or not
res4 = scan.get_scan_details(scan_id)
self.assertEqual(res4.json()['scan']['state'], 'FINISHED')
# GET /scans/<scan_id>/summary
res5 = scan.get_summary(scan_id)
# bug #106 include scan creator in the output
self.assertEqual(res5.json()['summary']['meta'],
{'user': self.email, 'tags': []})
# GET /reports/history
res6 = Reports().get_history()
self.assertEqual(res6.json()["success"], True)
expected_inner_keys = set(['configuration', 'created', 'finished', 'id',
'issues', "meta", 'plan', 'queued', 'sessions', 'state'])
self.assertEqual(set(res6.json()['report'][0].keys()), expected_inner_keys)
self.assertEqual(res6.json()['report'][0]['id'], scan_id)
# GET /reports/status
res7 = Reports().get_status(user=self.user.email)
self.assertEqual(res7.json()["success"], True)
expected_inner_keys = set(['plan', 'scan', 'target'])
self.assertEqual(set(res7.json()['report'][0].keys()), expected_inner_keys)
self.assertEqual(res7.json()['report'][0]['plan'], self.plan.plan["name"])
self.assertEqual(res7.json()['report'][0]['target'], self.target_url)
# GET /reports/issues
res8 = Reports().get_issues(user=self.user.email)
self.assertEqual(res8.json()["success"], True)
expected_inner_keys = ('issues', 'target',)
self.assertEqual(set(res8.json()['report'][0].keys()), set(["issues", "target"]))
issues = res8.json()['report'][0]['issues']
# DelayPlugin emits only one issue
self.assertEqual(len(issues), 1)
self.assertEqual(issues[0]["summary"], "Hello World")
self.assertEqual('Info', issues[0]['severity'])
self.assertEqual(issues[0]["severity"], "Info")
self.assertEqual(res8.json()['report'][0]['target'], self.target_url)
def test_scan(self):
"""
This is a comprehensive test that runs through the following
endpoints:
1. POST /scans
2. GET /scans/<scan_id>
3. PUT /scans/<scan_id>/control
4. GET /scans/<scan_id>/summary
5. GET /reports/history
6. GET /reports/status
7. GET /reports/issues
"""
# Create user, site, group, plan and site
# This is already handled in setUp call.
# POST /scans
# create a scan on target_url based on our
# test plan (which runs HelloWorldPlugin)
scan = Scan(self.user.email, self.TEST_PLAN["name"],
{"target": self.target_url})
res1 = scan.create()
scan_id = res1.json()['scan']['id']
# PUT /scans/<scan_id>/control
# Start the scan now.
res2 = scan.start(scan_id)
self.assertEqual(res2.json()['success'], True)
# GET /scans/<scan_id>
# Check the status. It should be in QUEUED (hopefully it doesn't go too fast)
res3 = scan.get_scan_details(scan_id)
self.assertEqual(res3.json()["scan"]["state"], "QUEUED")
# POST and GET scan details should have the same set of keys at the top-level
# and at the "scan" level
self.assertEqual(set(res3.json().keys()), set(res1.json().keys()))
self.assertEqual(set(res3.json()["scan"].keys()),
set(res1.json()["scan"].keys()))
# give scanner a few seconds
time.sleep(6)
# GET /scans/<scan_id>
# now check if the scan has completed or not
res4 = scan.get_scan_details(scan_id)
self.assertEqual(res4.json()['scan']['state'], 'FINISHED')
# GET /scans/<scan_id>/summary
res5 = scan.get_summary(scan_id)
# bug #106 include scan creator in the output
self.assertEqual(res5.json()['summary']['meta'], {
'user': self.email,
'tags': []
})
# GET /reports/history
res6 = Reports().get_history()
self.assertEqual(res6.json()["success"], True)
expected_inner_keys = set([
'configuration', 'created', 'finished', 'id', 'issues', "meta",
'plan', 'queued', 'sessions', 'state'
])
self.assertEqual(set(res6.json()['report'][0].keys()),
expected_inner_keys)
self.assertEqual(res6.json()['report'][0]['id'], scan_id)
# GET /reports/status
res7 = Reports().get_status(user=self.user.email)
self.assertEqual(res7.json()["success"], True)
expected_inner_keys = set(['plan', 'scan', 'target'])
self.assertEqual(set(res7.json()['report'][0].keys()),
expected_inner_keys)
self.assertEqual(res7.json()['report'][0]['plan'],
self.plan.plan["name"])
self.assertEqual(res7.json()['report'][0]['target'], self.target_url)
# GET /reports/issues
res8 = Reports().get_issues(user=self.user.email)
self.assertEqual(res8.json()["success"], True)
expected_inner_keys = (
'issues',
'target',
)
self.assertEqual(set(res8.json()['report'][0].keys()),
set(["issues", "target"]))
issues = res8.json()['report'][0]['issues']
# DelayPlugin emits only one issue
self.assertEqual(len(issues), 1)
self.assertEqual(issues[0]["summary"], "Hello World")
self.assertEqual('Info', issues[0]['severity'])
self.assertEqual(issues[0]["severity"], "Info")
self.assertEqual(res8.json()['report'][0]['target'], self.target_url)
