def test_find_by_x(self, fake_jwks):
os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
f = FakeBearer()
fake_jwks.return_value = json_form_of_pk
token = f.generate_bearer_with_scope("read:fullprofile display:all")
result = self.app.get("/v2/users",
headers={"Authorization": "Bearer " + token},
follow_redirects=True)
profile = result.json["Items"][0]
for field in indexed_fields:
# data classification: ALL, display scope: ALL, display parameter: -
token = f.generate_bearer_with_scope(
"read:fullprofile display:all")
query = self.app.get(
"/v2/user/{}/{}".format(field, profile[field]["value"]),
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert query.json.get("access_information").get(
"access_provider") is not None
assert query.json.get("staff_information").get(
"cost_center") is not None
assert query.json.get("uuid") is not None
assert query.json.get("active").get("value") is True
def test_users_with_dispaly_level_params_and_scopes(self, fake_jwks):
os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
f = FakeBearer()
fake_jwks.return_value = json_form_of_pk
# data classification: ALL, display scope: PUBLIC
token = f.generate_bearer_with_scope("read:fullprofile display:public")
query = self.app.get("/v2/users",
headers={"Authorization": "Bearer " + token},
follow_redirects=True)
for profile in query.json["Items"]:
assert profile.get("access_information").get(
"access_provider") is None
assert profile.get("staff_information").get("cost_center") is None
assert profile.get("uuid") is not None
# data classification: ALL, display scope: STAFF
token = f.generate_bearer_with_scope("read:fullprofile display:staff")
query = self.app.get("/v2/users",
headers={"Authorization": "Bearer " + token},
follow_redirects=True)
for profile in query.json["Items"]:
assert profile.get("access_information").get(
"access_provider") is None
assert profile.get("staff_information").get(
"cost_center") is not None
assert profile.get("uuid") is not None
def test_profiles_returns_a_list(self, fake_jwks):
os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
f = FakeBearer()
fake_jwks.return_value = json_form_of_pk
token = f.generate_bearer_with_scope("read:fullprofile display:all")
result = self.app.get("/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True)
assert result.json is not None
total_users_retrieved = len(result.json["Items"])
assert total_users_retrieved > 20
logger.info("Paginated query to all users returned: {}".format(len(result.json["Items"])))
assert result.json["nextPage"] is not None
assert result.json["nextPage"] != ""
next_page = result.json["nextPage"]
# Follow the paginator
paged_query = self.app.get(
"/v2/users?nextPage={}".format(json.dumps(next_page)),
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert len(paged_query.json["Items"]) >= 1
sample_primary_email = result.json["Items"][0]["primary_email"]["value"]
primary_email_query = self.app.get(
"/v2/users?primaryEmail={}".format(sample_primary_email),
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert len(primary_email_query.json["Items"]) == 1
token = f.generate_bearer_with_scope("read:profile display:all")
public_data_class_query = self.app.get(
"/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True
)
for profile in public_data_class_query.json["Items"]:
assert profile.get("access_information").get("hris") is None
token = f.generate_bearer_with_scope("read:profile display:all")
single_user_public_data_class_query = self.app.get(
"/v2/user/user_id/{}".format(result.json["Items"][0]["user_id"]["value"]),
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert single_user_public_data_class_query.json.get("access_information").get("hris") is None
token = f.generate_bearer_with_scope("read:fullprofile display:all")
single_user_all_data_class_query = self.app.get(
"/v2/user/user_id/{}".format(result.json["Items"][0]["user_id"]["value"]),
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert single_user_all_data_class_query.json.get("access_information")
def test_users_with_scopes(self, fake_jwks):
os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
f = FakeBearer()
fake_jwks.return_value = json_form_of_pk
# data classification: PUBLIC, display scope: ALL
token = f.generate_bearer_with_scope("display:all")
query = self.app.get("/v2/users",
headers={"Authorization": "Bearer " + token},
follow_redirects=True)
for profile in query.json["Items"]:
assert profile.get("access_information").get(
"access_provider") is None
assert profile.get("staff_information").get("cost_center") is None
assert profile.get("uuid") is not None
# data classification: STAFF, display scope: ALL
token = f.generate_bearer_with_scope(
"classification:workgroup:staff_only display:all")
query = self.app.get("/v2/users",
headers={"Authorization": "Bearer " + token},
follow_redirects=True)
for profile in query.json["Items"]:
assert profile.get("access_information").get(
"access_provider") is None
assert profile.get("staff_information").get(
"cost_center") is not None
assert profile.get("staff_information").get("title") is None
assert profile.get("uuid") is not None
# data classification: STAFF + MOZILLA_CONFIDENTIAL, display scope: ALL
token = f.generate_bearer_with_scope(
"classification:workgroup:staff_only classification:mozilla_confidential display:all"
)
query = self.app.get("/v2/users",
headers={"Authorization": "Bearer " + token},
follow_redirects=True)
for profile in query.json["Items"]:
assert profile.get("access_information").get(
"access_provider") is None
assert profile.get("staff_information").get(
"cost_center") is not None
assert profile.get("staff_information").get("title") is not None
assert profile.get("uuid") is not None
def test_returning_query_by_any_staff_only_active_true(self, fake_jwks):
os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
f = FakeBearer()
fake_jwks.return_value = json_form_of_pk
token = f.generate_bearer_with_scope(
"read:fullprofile display:all search:all")
logger.info("Attempting to query all staff.")
result = self.app.get(
f"/v2/users/id/all/by_attribute_contains?staff_information.staff=True&active=True",
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
logger.info("All staff users returned.")
assert result.json["users"] is not None
if result.json["nextPage"]:
next_page = result.json["nextPage"]
result = self.app.get(
f"/v2/users/id/all/by_attribute_contains?staff_information.staff=True&active=True&nextPage={next_page}",
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
logger.info("An additional page of all staff users returned")
assert result.json["users"] is not None
def test_change_endpoint_fails_with_invalid_token_and_jwt_validation_false(
self, fake_jwks):
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
os.environ["CIS_ENVIRONMENT"] = "local"
os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
os.environ["CIS_REGION_NAME"] = "us-west-2"
from cis_change_service import api
os.environ["CIS_JWT_VALIDATION"] = "false"
f = FakeBearer()
bad_claims = {
"iss": "https://auth-dev.mozilla.auth0.com/",
"sub": "mc1l0G4sJI2eQfdWxqgVNcRAD9EAgHib@clients",
"aud": "https://hacks",
"iat":
(datetime.utcnow() - timedelta(seconds=3100)).strftime("%s"),
"exp":
(datetime.utcnow() - timedelta(seconds=3100)).strftime("%s"),
"scope": "read:allthething",
"gty": "client-credentials",
}
fake_jwks.return_value = json_form_of_pk
token = f.generate_bearer_with_scope("read:profile", bad_claims)
api.app.testing = True
self.app = api.app.test_client()
result = self.app.get(
"/v2/user",
headers={"Authorization": "Bearer " + token},
data=json.dumps(self.user_profile),
content_type="application/json",
follow_redirects=True,
)
assert result.status_code == 200
def test_change_endpoint_fails_with_invalid_token(self, fake_jwks):
from cis_change_service import api
f = FakeBearer()
bad_claims = {
"iss": "https://auth-dev.mozilla.auth0.com/",
"sub": "mc1l0G4sJI2eQfdWxqgVNcRAD9EAgHib@clients",
"aud": "https://hacks",
"iat":
(datetime.utcnow() - timedelta(seconds=3100)).strftime("%s"),
"exp":
(datetime.utcnow() - timedelta(seconds=3100)).strftime("%s"),
"scope": "read:allthething",
"gty": "client-credentials",
}
fake_jwks.return_value = json_form_of_pk
token = f.generate_bearer_with_scope("read:profile", bad_claims)
api.app.testing = True
self.app = api.app.test_client()
result = self.app.get("/v2/user",
headers={"Authorization": "Bearer " + token},
follow_redirects=True)
assert result.status_code == 401
def test_returning_all(self, fake_jwks):
os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
f = FakeBearer()
fake_jwks.return_value = json_form_of_pk
token = f.generate_bearer_with_scope("read:fullprofile display:all")
result = self.app.get(
"/v2/users/id/all?connectionMethod=email",
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert isinstance(result.json["users"], list)
assert isinstance(result.json["users"][0], dict)
assert len(result.json["users"]) > 0
def test_metadata_by_primary_email(self, fake_jwks):
os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
f = FakeBearer()
fake_jwks.return_value = json_form_of_pk
token = f.generate_bearer_with_scope("read:fullprofile display:all")
result = self.app.get("/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True)
query = self.app.get(
"/v2/user/metadata/{}".format(result.json["Items"][0]["primary_email"]["value"]),
follow_redirects=True,
)
assert query.json.get("exists").get("cis") == True
assert query.json.get("exists").get("ldap") == True
def test_users_with_all(self, fake_jwks):
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
f = FakeBearer()
fake_jwks.return_value = json_form_of_pk
# data classification: ALL, display scope: ALL
token = f.generate_bearer_with_scope("read:fullprofile display:all")
query = self.app.get("/v2/users",
headers={"Authorization": "Bearer " + token},
follow_redirects=True)
for profile in query.json["Items"]:
assert profile.get("access_information").get(
"access_provider") is not None
assert profile.get("staff_information").get(
"cost_center") is not None
assert profile.get("uuid") is not None
def test_returning_query_by_any_find_ldap_members(self, fake_jwks):
os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
f = FakeBearer()
fake_jwks.return_value = json_form_of_pk
token = f.generate_bearer_with_scope(
"read:fullprofile display:all search:all")
logger.info("Attempting to query all staff.")
result = self.app.get(
f"/v2/users/id/all/by_attribute_contains?staff_information.staff=True&active=True&fullProfiles=True",
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
logger.info("All staff users returned.")
assert result.json["users"] is not None
ldap_groups = {}
# Go find a user with an ldap group
for user in result.json["users"]:
if user["profile"]["access_information"]["ldap"]["values"] != {}:
ldap_groups = user["profile"]["access_information"]["ldap"][
"values"]
break
else:
continue
for k in ldap_groups:
logger.info("Attempting to query for: {}".format(k))
result = self.app.get(
f"/v2/users/id/all/by_attribute_contains?access_information.ldap={k}&active=True&fullProfiles=False",
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert len(result.json["users"]) > 0
def test_find_by_x_with_dispaly_level_params_and_scopes(self, fake_jwks):
os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
f = FakeBearer()
fake_jwks.return_value = json_form_of_pk
token = f.generate_bearer_with_scope("read:fullprofile display:all")
result = self.app.get("/v2/users",
headers={"Authorization": "Bearer " + token},
follow_redirects=True)
profile = result.json["Items"][0]
for field in indexed_fields:
# data classification: ALL, display scope: PUBLIC, display parameter: -
token = f.generate_bearer_with_scope(
"read:fullprofile display:public")
query = self.app.get(
"/v2/user/{}/{}".format(field, profile[field]["value"]),
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert query.json.get("access_information").get(
"access_provider") is None
assert query.json.get("staff_information").get(
"cost_center") is None
assert query.json.get("uuid") is not None
# data classification: ALL, display scope: STAFF, display parameter: -
token = f.generate_bearer_with_scope(
"read:fullprofile display:staff")
query = self.app.get(
"/v2/user/{}/{}".format(field, profile[field]["value"]),
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert query.json.get("access_information").get(
"access_provider") is None
assert query.json.get("staff_information").get(
"cost_center") is not None
assert query.json.get("uuid") is not None
# data classification: ALL, display scope: STAFF, display parameter: PUBLIC
token = f.generate_bearer_with_scope(
"read:fullprofile display:staff")
query = self.app.get(
"/v2/user/{}/{}?filterDisplay=public".format(
field, profile[field]["value"]),
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert not query.json.get("access_information").get(
"access_provider")
assert not query.json.get("staff_information").get("cost_center")
assert query.json.get("uuid")
# data classification: ALL, display scope: PUBLIC, display parameter: STAFF
token = f.generate_bearer_with_scope(
"read:fullprofile display:public")
query = self.app.get(
"/v2/user/{}/{}?filterDisplay=staff".format(
field, profile[field]["value"]),
headers={"Authorization": "Bearer " + token},
follow_redirects=True,
)
assert not query.json.get("access_information").get(
"access_provider")
assert not query.json.get("staff_information").get("cost_center")
assert query.json.get("uuid")