def test_mask_credentials(self):
body = {
# regular request information shouldn't be modified
"code": 400,
"detail": "Some error with potential password leak.",
"type": "application/json",
"path": "/users/random-test-user",
"url": "http://localhost:2001/magpie/users/random-test-user",
"method": "PATCH",
# flagged password matches should be redacted
"password": "******", # noqa # nosec
"param": {
"password_list": ["a", "b", "c"], # noqa # nosec
"conditions": {
"not_in": False
},
"value": 4,
"name": "password", # noqa # nosec
"password": "******", # noqa # nosec
"compare": "range(0, 12)",
"very": {
"very": {
"deep": {
"passwords": ["x", "y", "z"], # noqa # nosec
"nested": [
{
"password": "******",
"else": "x"
}, # noqa # nosec
{
"password": "******",
"else": "y"
}, # noqa # nosec
{
"password": "******",
"else": "z"
}, # noqa # nosec
]
}
}
}
}
}
redact = "[REDACTED]"
expect = copy.deepcopy(body)
expect["password"] = redact # noqa # nosec
expect["param"]["password"] = redact # noqa # nosec
expect["param"]["password_list"] = [redact, redact,
redact] # noqa # nosec
expect["param"]["very"]["very"]["deep"]["passwords"] = [
redact, redact, redact
] # noqa # nosec
for item in expect["param"]["very"]["very"]["deep"]["nested"]: # noqa
item["password"] = redact # noqa # nosec
masked = mask_credentials(body, redact=redact)
utils.check_val_equal(masked, expect)
def mock_get_post(real_func, *args, **kwargs):
if args[1] != "password":
return real_func(*args, **kwargs)
request, args = args[0], args[1:]
utils.check_val_equal(
request.url, base_url + _paths.pop(0),
"Proxied path should have been auto-resolved [URL: {}].".
format(url))
return real_func(request, *args, **kwargs)
def test_get_header_split(self):
headers = {
"Content-Type": "{}; charset=UTF-8".format(CONTENT_TYPE_JSON)
}
for name in [
"content_type", "content-type", "Content_Type", "Content-Type",
"CONTENT_TYPE", "CONTENT-TYPE"
]:
for split in [";,", ",;", ";", (",", ";"), [";", ","]]:
utils.check_val_equal(get_header(name, headers, split=split),
CONTENT_TYPE_JSON)
def test_magpie_prefix_direct_request(self):
base_url = "http://localhost"
for url in ["http://localhost", "http://localhost/magpie"]:
app = utils.get_test_magpie_app({"magpie.url": url})
path = "/version"
resp = utils.test_request(app, "GET", path)
utils.check_response_basic_info(resp)
utils.check_val_equal(
resp.request.url, base_url + path,
"Proxied path should have been auto-resolved [URL: {}].".
format(url))
def check_ui_resource_permissions(perm_form, resource_id, permissions):
select_res_id = "permission_resource_{}".format(resource_id)
select_options = perm_form.fields[
select_res_id] # contains multiple select, one per applicable permission
utils.check_val_equal(
len(select_options),
2,
msg="Always 2 select combobox expected (read and write).")
select_values = [select.value for select in select_options]
if not permissions:
utils.check_all_equal(
["", ""],
select_values,
msg="When no permission is selected, values are empty")
return
# value must match exactly the *explicit* permission representation
for r_perm in permissions:
utils.check_val_is_in(r_perm, select_values)
def test_register_permissions_existing_group_without_intermediate_entries(
self):
utils.TestSetup.create_TestService(
self,
override_service_name=self.test_perm_svc_name,
override_service_type=ServiceAPI.service_type)
utils.TestSetup.create_TestGroup(
self, override_group_name=self.test_perm_grp_name)
session = get_db_session_from_settings(self.app.app.registry.settings)
res1_name = "test-resource"
res2_name = "sub-test-resource"
res3_name = "sub-sub-test-resource"
res3_perm = Permission.WRITE_MATCH
perm_config = {
"permissions": [
{
"service": self.test_perm_svc_name, # exists
"resource": res1_name + "/" + res2_name + "/" +
res3_name, # none exist, all created for perm
"permission": res3_perm.value, # perm only to lowest child
"action": "create",
"group": self.test_perm_grp_name,
},
]
}
utils.check_no_raise(
lambda: register.magpie_register_permissions_from_config(
perm_config, db_session=session))
# check that all service, resources, group are created correctly
services = utils.TestSetup.get_RegisteredServicesList(self)
utils.check_val_is_in(self.test_perm_svc_name,
[s["service_name"] for s in services])
groups = utils.TestSetup.get_RegisteredGroupsList(self)
utils.check_val_is_in(self.test_perm_grp_name, groups)
resp = utils.test_request(
self.app, "GET",
"/services/{}/resources".format(self.test_perm_svc_name))
body = utils.check_response_basic_info(resp)
svc_res = body[self.test_perm_svc_name]["resources"]
svc_res_id = body[self.test_perm_svc_name]["resource_id"]
utils.check_val_is_in(res1_name,
[svc_res[r]["resource_name"] for r in svc_res])
res1_id = [
svc_res[r]["resource_id"] for r in svc_res
if svc_res[r]["resource_name"] == res1_name
][0]
res1_sub = svc_res[str(res1_id)]["children"]
utils.check_val_is_in(res2_name,
[res1_sub[r]["resource_name"] for r in res1_sub])
res2_id = [
res1_sub[r]["resource_id"] for r in res1_sub
if res1_sub[r]["resource_name"] == res2_name
][0]
res2_sub = res1_sub[str(res2_id)]["children"]
utils.check_val_is_in(res3_name,
[res2_sub[r]["resource_name"] for r in res2_sub])
res3_id = [
res2_sub[r]["resource_id"] for r in res2_sub
if res2_sub[r]["resource_name"] == res3_name
][0]
# check that all permissions are created correctly (only for final item)
path = "/groups/{}/resources/{}/permissions".format(
self.test_perm_grp_name, svc_res_id)
resp = utils.test_request(self.app, "GET", path)
body = utils.check_response_basic_info(resp)
utils.check_val_equal(body["permission_names"], [])
path = "/groups/{}/resources/{}/permissions".format(
self.test_perm_grp_name, res1_id)
resp = utils.test_request(self.app, "GET", path)
body = utils.check_response_basic_info(resp)
utils.check_val_equal(body["permission_names"], [])
path = "/groups/{}/resources/{}/permissions".format(
self.test_perm_grp_name, res2_id)
resp = utils.test_request(self.app, "GET", path)
body = utils.check_response_basic_info(resp)
utils.check_val_equal(body["permission_names"], [])
path = "/groups/{}/resources/{}/permissions".format(
self.test_perm_grp_name, res3_id)
resp = utils.test_request(self.app, "GET", path)
body = utils.check_response_basic_info(resp)
utils.check_all_equal(body["permission_names"], [res3_perm.value])
def test_compare_and_sort_operations(self):
perm_ram = PermissionSet(Permission.READ, Access.ALLOW, Scope.MATCH)
perm_rar = PermissionSet(Permission.READ, Access.ALLOW,
Scope.RECURSIVE)
perm_rdm = PermissionSet(Permission.READ, Access.DENY, Scope.MATCH)
perm_rdr = PermissionSet(Permission.READ, Access.DENY, Scope.RECURSIVE)
perm_wam = PermissionSet(Permission.WRITE, Access.ALLOW, Scope.MATCH)
perm_war = PermissionSet(Permission.WRITE, Access.ALLOW,
Scope.RECURSIVE)
perm_wdm = PermissionSet(Permission.WRITE, Access.DENY, Scope.MATCH)
perm_wdr = PermissionSet(Permission.WRITE, Access.DENY,
Scope.RECURSIVE)
perm_sorted = [
perm_ram, perm_rar, perm_rdm, perm_rdr, perm_wam, perm_war,
perm_wdm, perm_wdr
]
perm_random = [
perm_rdr, perm_wam, perm_wdm, perm_rar, perm_war, perm_ram,
perm_wdr, perm_rdm
]
utils.check_val_equal(
perm_rar,
Permission.READ,
msg="Should be equal because of defaults and name conversion")
utils.check_val_not_equal(perm_rar,
Permission.WRITE,
msg="Not equal because of mismatch name")
utils.check_val_equal(
perm_rar,
perm_rar.json(),
msg="Pre-convert any known representation before equal check")
utils.check_all_equal(list(sorted(perm_random)),
perm_sorted,
any_order=False)
# cannot sort elements with other type representations although 'PermissionSet' can, because they don't know it
# (ie: str.__lt__ and dict.__ls__ could be called with 'other' being 'PermissionSet' depending on random order)
# can still do the individual compares though if the reference object is 'PermissionSet' and other is anything
utils.check_val_equal(perm_sorted[0] < perm_sorted[1], True)
utils.check_val_equal(perm_sorted[0] < perm_sorted[1].json(), True)
utils.check_val_equal(
perm_sorted[0] < perm_sorted[1].implicit_permission, True)
utils.check_val_equal(
perm_sorted[0] < perm_sorted[1].explicit_permission, True)
utils.check_val_equal(perm_sorted[0] > perm_sorted[1], False)
utils.check_val_equal(perm_sorted[0] > perm_sorted[1].json(), False)
utils.check_val_equal(
perm_sorted[0] > perm_sorted[1].implicit_permission, False)
utils.check_val_equal(
perm_sorted[0] > perm_sorted[1].explicit_permission, False)
# validate similarity comparison with inplace conversion at the same time
for perm_1, perm_2 in itertools.product(perm_sorted[0:4],
perm_sorted[0:4]):
utils.check_val_equal(perm_1.like(perm_2.json()),
True,
msg="Expected {!r} ~ {!r}".format(
perm_1, perm_2))
for perm_1, perm_2 in itertools.product(perm_sorted[0:4],
perm_sorted[4:8]):
utils.check_val_equal(perm_1.like(perm_2.json()),
False,
msg="Expected {!r} !~ {!r}".format(
perm_1, perm_2))
def test_permission_convert_from_acl(self):
"""
Conversion from Pyramid ACL definition.
Validate various implicit conversion of permission elements to explicit definition.
"""
utils.warn_version(__meta__.__version__,
"permission set conversion",
"3.0",
skip=True)
perm = PermissionSet((Allow, 1, "write-deny-match"))
utils.check_val_equal(perm.name, Permission.WRITE)
utils.check_val_equal(
perm.access,
Access.DENY,
msg="Explicit permission name prioritized over ACL access")
utils.check_val_equal(perm.scope, Scope.MATCH)
utils.check_val_equal(perm.type,
PermissionType.DIRECT,
msg="Should infer direct from user ID.")
perm = PermissionSet((Deny, "group:1", "read"))
utils.check_val_equal(perm.name, Permission.READ)
utils.check_val_equal(perm.access, Access.DENY)
utils.check_val_equal(perm.scope, Scope.RECURSIVE)
utils.check_val_equal(
perm.type,
PermissionType.INHERITED,
msg="Should infer inherited from group specifier.")
utils.check_raises(
lambda: PermissionSet((Allow, "group:1", ALL_PERMISSIONS)),
TypeError,
msg=
"Don't allow any object that makes the permission name not explicitly defined."
)
def test_permission_convert_from_tuple(self):
"""
Conversion from Ziggurat :class:`PermissionTuple` object.
Validate various implicit conversion of permission elements to explicit definition.
"""
utils.warn_version(__meta__.__version__,
"permission set conversion",
"3.0",
skip=True)
perm = PermissionSet(
PermissionTuple(
"user-name",
"write-deny-match",
"user", # important: perm-name & type
"group_id",
"resource_id",
"owner",
"allowed")) # these doesn't matter
utils.check_val_equal(perm.name, Permission.WRITE)
utils.check_val_equal(perm.access, Access.DENY)
utils.check_val_equal(perm.scope, Scope.MATCH)
utils.check_val_equal(
perm.type,
PermissionType.DIRECT,
msg="PermissionTuple should also help identify type")
perm = PermissionSet(
PermissionTuple(
"user-name",
"write-deny-match",
"group", # important: perm-name & type
"group_id",
"resource_id",
"owner",
"allowed")) # these doesn't matter
utils.check_val_equal(perm.name, Permission.WRITE)
utils.check_val_equal(perm.access, Access.DENY)
utils.check_val_equal(perm.scope, Scope.MATCH)
utils.check_val_equal(
perm.type,
PermissionType.INHERITED,
msg="PermissionTuple should also help identify type")
def test_permission_convert_from_json(self):
"""
Conversion by JSON definition.
Validate various implicit conversion of permission JSON definition.
"""
utils.warn_version(__meta__.__version__,
"permission set conversion",
"3.0",
skip=True)
perm = PermissionSet({
"name": Permission.WRITE,
"access": Access.DENY,
"scope": Scope.MATCH
})
utils.check_val_equal(perm.name, Permission.WRITE)
utils.check_val_equal(perm.access, Access.DENY)
utils.check_val_equal(perm.scope, Scope.MATCH)
perm = PermissionSet({
"name": Permission.WRITE.value,
"access": Access.DENY.value,
"scope": Scope.MATCH.value
})
utils.check_val_equal(perm.name, Permission.WRITE)
utils.check_val_equal(perm.access, Access.DENY)
utils.check_val_equal(perm.scope, Scope.MATCH)
def test_permission_convert_from_enum(self):
"""
Conversion by enum values.
Validate various implicit conversion of permission name string to explicit definition.
"""
utils.warn_version(__meta__.__version__,
"permission set conversion",
"3.0",
skip=True)
perm = PermissionSet(Permission.READ)
utils.check_val_equal(perm.name, Permission.READ)
utils.check_val_equal(perm.access, Access.ALLOW)
utils.check_val_equal(perm.scope, Scope.RECURSIVE)
perm = PermissionSet(Permission.WRITE, access="deny")
utils.check_val_equal(perm.name, Permission.WRITE)
utils.check_val_equal(perm.access, Access.DENY)
utils.check_val_equal(perm.scope, Scope.RECURSIVE)
def test_permission_convert_from_string(self):
"""
Conversion by implicit/explicit name.
Validate various implicit conversion of permission name string to explicit definition.
"""
utils.warn_version(__meta__.__version__,
"permission set conversion",
"3.0",
skip=True)
perm = PermissionSet("read") # old implicit format
utils.check_val_equal(perm.name, Permission.READ)
utils.check_val_equal(perm.access, Access.ALLOW)
utils.check_val_equal(perm.scope, Scope.RECURSIVE)
perm = PermissionSet("read-match") # old format
utils.check_val_equal(perm.name, Permission.READ)
utils.check_val_equal(perm.access, Access.ALLOW)
utils.check_val_equal(perm.scope, Scope.MATCH)
perm = PermissionSet("read-allow-match") # new explicit format
utils.check_val_equal(perm.name, Permission.READ)
utils.check_val_equal(perm.access, Access.ALLOW)
utils.check_val_equal(perm.scope, Scope.MATCH)
perm = PermissionSet("read-allow-recursive")
utils.check_val_equal(perm.name, Permission.READ)
utils.check_val_equal(perm.access, Access.ALLOW)
utils.check_val_equal(perm.scope, Scope.RECURSIVE)
perm = PermissionSet("read-deny-match")
utils.check_val_equal(perm.name, Permission.READ)
utils.check_val_equal(perm.access, Access.DENY)
utils.check_val_equal(perm.scope, Scope.MATCH)
def test_guess_target_format_default(self):
request = utils.mock_request()
content_type, where = ag.guess_target_format(request)
utils.check_val_equal(content_type, CONTENT_TYPE_JSON)
utils.check_val_equal(where, True)
def test_enum_get_by_value(self):
utils.check_val_equal(DummyEnum.get("value-1"), DummyEnum.VALUE1)
utils.check_val_equal(DummyEnum.get("VALUE1"), DummyEnum.VALUE1)
utils.check_val_equal(DummyEnum.get("random"), None)
utils.check_val_equal(DummyEnum.get("random", "something"),
"something")
def test_get_query_param(self):
resp = utils.mock_request("/some/path")
v = ar.get_query_param(resp, "value")
utils.check_val_equal(v, None)
resp = utils.mock_request("/some/path?other=test")
v = ar.get_query_param(resp, "value")
utils.check_val_equal(v, None)
resp = utils.mock_request("/some/path?other=test")
v = ar.get_query_param(resp, "value", True)
utils.check_val_equal(v, True)
resp = utils.mock_request("/some/path?value=test")
v = ar.get_query_param(resp, "value", True)
utils.check_val_equal(v, "test")
resp = utils.mock_request("/some/path?query=value")
v = ar.get_query_param(resp, "query")
utils.check_val_equal(v, "value")
resp = utils.mock_request("/some/path?QUERY=VALUE")
v = ar.get_query_param(resp, "query")
utils.check_val_equal(v, "VALUE")
resp = utils.mock_request("/some/path?QUERY=VALUE")
v = asbool(ar.get_query_param(resp, "query"))
utils.check_val_equal(v, False)
resp = utils.mock_request("/some/path?Query=TRUE")
v = asbool(ar.get_query_param(resp, "query"))
utils.check_val_equal(v, True)
def test_register_permissions_multiple_resource_type_possible(self):
"""
Verify that service that allows multiple resource-types children retrieves ``type`` field for their creation.
"""
svc_type = ServiceTHREDDS.service_type
svc_name = "unittest-service-thredds-register-children-resources"
utils.TestSetup.create_TestService(self,
override_service_name=svc_name,
override_service_type=svc_type)
utils.TestSetup.create_TestGroup(
self, override_group_name=self.test_perm_grp_name)
session = get_db_session_from_settings(self.app.app.registry.settings)
res1_name = "test-resource"
res2_name = "sub-test-resource"
res3_name = "sub-sub-test-resource"
res3_perm = "write-deny-recursive"
res3_path = res1_name + "/" + res2_name + "/" + res3_name # none exist, all created for final permission
perm_config = {
"permissions": [
{
"service": svc_name, # exists
"resource": res3_path,
"permission": res3_perm, # perm only on lowest child
"type": Directory.
resource_type_name, # without this, fails because cannot infer Directory/File
"action": "create",
"group": self.test_perm_grp_name,
},
]
}
utils.check_no_raise(
lambda: register.magpie_register_permissions_from_config(
perm_config, db_session=session))
# check that all service, resources, group are created correctly
services = utils.TestSetup.get_RegisteredServicesList(self)
utils.check_val_is_in(svc_name, [s["service_name"] for s in services])
groups = utils.TestSetup.get_RegisteredGroupsList(self)
utils.check_val_is_in(self.test_perm_grp_name, groups)
resp = utils.test_request(self.app, "GET",
"/services/{}/resources".format(svc_name))
body = utils.check_response_basic_info(resp)
svc_res = body[svc_name]["resources"] # type: JSON
utils.check_val_is_in(res1_name,
[svc_res[r]["resource_name"] for r in svc_res])
res1_id = [
svc_res[r]["resource_id"] for r in svc_res
if svc_res[r]["resource_name"] == res1_name
][0]
res1_sub = svc_res[str(res1_id)]["children"] # type: JSON
utils.check_val_is_in(res2_name,
[res1_sub[r]["resource_name"] for r in res1_sub])
res2_id = [
res1_sub[r]["resource_id"] for r in res1_sub
if res1_sub[r]["resource_name"] == res2_name
][0]
res2_sub = res1_sub[str(res2_id)]["children"] # type: JSON
utils.check_val_is_in(res3_name,
[res2_sub[r]["resource_name"] for r in res2_sub])
res3_id = [
res2_sub[r]["resource_id"] for r in res2_sub
if res2_sub[r]["resource_name"] == res3_name
][0]
path = "/groups/{}/resources/{}/permissions".format(
self.test_perm_grp_name, res3_id)
resp = utils.test_request(self.app, "GET", path)
body = utils.check_response_basic_info(resp)
utils.check_val_is_in(res3_perm, body["permission_names"])
# validate that without the 'type', similar resource would not be created due to missing information
res_missing_type_name = "missing-type"
res_missing_type_path = res3_path.replace("/" + res3_name,
"/" + res_missing_type_name)
missing_type_perm_config = copy.deepcopy(perm_config) # type: JSON
missing_type_perm_config["permissions"][0].pop("type")
missing_type_perm_config["permissions"][0][
"resource"] = res_missing_type_path
utils.check_no_raise(
lambda: register.magpie_register_permissions_from_config(
missing_type_perm_config, db_session=session))
resp = utils.test_request(self.app, "GET",
"/resources/{}".format(res2_id))
body = utils.check_response_basic_info(resp)
res_children = body["resource"]["children"]
res_found = [
res for _, res in res_children.items()
if res["resource_name"] == res_missing_type_name
]
utils.check_val_equal(res_found, [])