def test_accepted_dev_cant_authenticate(self, tenants_users_devices):
dacd = ApiClient(deviceauth.URL_DEVICES)
devauthm = ApiClient(deviceauth_v2.URL_MGMT)
uc = ApiClient(useradm.URL_MGMT)
tc = ApiClient(tenantadm.URL_INTERNAL)
# accept a dev
device = tenants_users_devices[0].devices[0]
user = tenants_users_devices[0].users[0]
r = uc.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
aset = device.authsets[0]
change_authset_status(devauthm, aset.did, aset.id, 'accepted', utoken)
# suspend
r = tc.call('PUT',
tenantadm.URL_INTERNAL_SUSPEND,
tenantadm.req_status('suspended'),
path_params={'tid': tenants_users_devices[0].id})
assert r.status_code == 200
time.sleep(10)
# try requesting auth
body, sighdr = deviceauth.auth_req(
aset.id_data, aset.pubkey, aset.privkey,
tenants_users_devices[0].tenant_token)
r = dacd.call('POST', deviceauth.URL_AUTH_REQS, body, headers=sighdr)
assert r.status_code == 401
assert r.json()['error'] == 'Account suspended'
def check_access_file_transfer(self, auth, devid, forbid=False):
devconn = ApiClient(
host=get_container_manager().get_mender_gateway(),
base_url=deviceconnect.URL_MGMT,
)
res = devconn.call(
"GET",
deviceconnect.URL_MGMT_FDOWNLOAD,
headers=auth.get_auth_token(),
path_params={"id": devid},
qs_params={"path": "/etc/mender/mender.conf"},
)
if forbid:
assert res.status_code == 403
else:
assert res.ok
res = devconn.call(
"PUT",
deviceconnect.URL_MGMT_FUPLOAD,
headers=auth.get_auth_token(),
path_params={"id": devid},
qs_params={"path": "/etc/mender/mender.conf"},
)
if forbid:
assert res.status_code == 403
else:
assert res.status_code != 403
def test_user_cannot_log_in(self, tenants_users):
tc = ApiClient(tenantadm.URL_INTERNAL)
uc = ApiClient(useradm.URL_MGMT)
for u in tenants_users[0].users:
r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd))
assert r.status_code == 200
# tenant's users can log in
for u in tenants_users[0].users:
r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd))
assert r.status_code == 200
assert r.status_code == 200
# suspend tenant
r = tc.call('PUT',
tenantadm.URL_INTERNAL_SUSPEND,
tenantadm.req_status('suspended'),
path_params={'tid': tenants_users[0].id})
assert r.status_code == 200
time.sleep(10)
# none of tenant's users can log in
for u in tenants_users[0].users:
r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd))
assert r.status_code == 401
# but other users still can
for u in tenants_users[1].users:
r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd))
assert r.status_code == 200
def test_authenticated_user_is_rejected(self, tenants):
tc = ApiClient(tenantadm.URL_INTERNAL,
host=tenantadm.HOST,
schema="http://")
uc = ApiClient(useradm.URL_MGMT)
dc = ApiClient(deviceauth.URL_MGMT)
u = tenants[0].users[0]
# log in
r = uc.call("POST", useradm.URL_LOGIN, auth=(u.name, u.pwd))
assert r.status_code == 200
token = r.text
# check can access an api
r = dc.with_auth(token).call("GET", deviceauth.URL_MGMT_DEVICES)
assert r.status_code == 200
# suspend tenant
r = tc.call(
"PUT",
tenantadm.URL_INTERNAL_SUSPEND,
tenantadm.req_status("suspended"),
path_params={"tid": tenants[0].id},
)
assert r.status_code == 200
time.sleep(10)
# check token is rejected
r = dc.with_auth(token).call("GET", deviceauth.URL_MGMT_DEVICES)
assert r.status_code == 401
def test_authenticated_user_is_rejected(self, tenants):
tc = ApiClient(tenantadm.URL_INTERNAL)
uc = ApiClient(useradm.URL_MGMT)
dc = ApiClient(deviceauth_v2.URL_MGMT)
u = tenants[0].users[0]
# log in
r = uc.call('POST',
useradm.URL_LOGIN,
auth=(u.name, u.pwd))
assert r.status_code == 200
token = r.text
# check can access an api
r = dc.with_auth(token).call('GET', deviceauth_v2.URL_DEVICES)
assert r.status_code == 200
# suspend tenant
r = tc.call('PUT',
tenantadm.URL_INTERNAL_SUSPEND,
tenantadm.req_status('suspended'),
path_params={'tid': tenants[0].id})
assert r.status_code == 200
time.sleep(10)
# check token is rejected
r = dc.with_auth(token).call('GET', deviceauth_v2.URL_DEVICES)
assert r.status_code == 401
def initialize_os_setup(env):
""" Seed the OS setup with all operational data - users and devices.
Return {"os_devs": [...], "os_users": [...]}
"""
uadmm = ApiClient(useradm.URL_MGMT, host=env.get_mender_gateway())
dauthd = ApiClient(deviceauth.URL_DEVICES, host=env.get_mender_gateway())
dauthm = ApiClient(deviceauth.URL_MGMT, host=env.get_mender_gateway())
users = [
create_user("*****@*****.**", "correcthorse", containers_namespace=env.name),
create_user("*****@*****.**", "correcthorse", containers_namespace=env.name),
]
r = uadmm.call("POST", useradm.URL_LOGIN, auth=(users[0].name, users[0].pwd))
assert r.status_code == 200
utoken = r.text
# create and accept some devs; save tokens
devs = []
for _ in range(10):
devs.append(make_accepted_device(dauthd, dauthm, utoken))
# get tokens for all
for d in devs:
body, sighdr = deviceauth.auth_req(
d.id_data, d.authsets[0].pubkey, d.authsets[0].privkey
)
r = dauthd.call("POST", deviceauth.URL_AUTH_REQS, body, headers=sighdr)
assert r.status_code == 200
d.token = r.text
return {"os_devs": devs, "os_users": users}
def do_test_delete_device_ok(self, devs_authsets, user, tenant_token=""):
devapim = ApiClient(deviceauth_v2.URL_MGMT)
devapid = ApiClient(deviceauth_v1.URL_DEVICES)
userapi = ApiClient(useradm.URL_MGMT)
depapi = ApiClient(deployments.URL_DEVICES)
# log in user
r = userapi.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# decommission a pending device
dev_pending = filter_and_page_devs(devs_authsets, status="pending")[0]
r = devapim.with_auth(utoken).call(
"DELETE", deviceauth_v2.URL_DEVICE, path_params={"id": dev_pending.id}
)
assert r.status_code == 204
# only verify the device is gone
r = devapim.with_auth(utoken).call(
"GET", deviceauth_v2.URL_DEVICE, path_params={"id": dev_pending.id}
)
assert r.status_code == 404
# log in an accepted device
dev_acc = filter_and_page_devs(devs_authsets, status="accepted")[0]
body, sighdr = deviceauth_v1.auth_req(
dev_acc.id_data,
dev_acc.authsets[0].pubkey,
dev_acc.authsets[0].privkey,
tenant_token,
)
r = devapid.call("POST", deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
assert r.status_code == 200
dtoken = r.text
# decommission the accepted device
r = devapim.with_auth(utoken).call(
"DELETE", deviceauth_v2.URL_DEVICE, path_params={"id": dev_acc.id}
)
assert r.status_code == 204
# verify the device lost access
r = depapi.with_auth(dtoken).call(
"GET",
deployments.URL_NEXT,
qs_params={"device_type": "foo", "artifact_name": "bar"},
)
assert r.status_code == 401
# verify the device is gone
r = devapim.with_auth(utoken).call(
"GET", deviceauth_v2.URL_DEVICE, path_params={"id": dev_acc.id}
)
assert r.status_code == 404
def test_success_with_plan(self, clean_migrated_mongo):
tc = ApiClient(tenantadm.URL_MGMT)
uc = ApiClient(useradm.URL_MGMT)
tenantadmi = ApiClient(tenantadm.URL_INTERNAL)
devauthi = ApiClient(deviceauth_v1.URL_INTERNAL)
logging.info("Starting TestCreateOrganizationEnterprise")
tenant = "tenant{}".format(randstr())
email = "some.user@{}.com".format(tenant)
payload = {
"request_id": "123456",
"organization": tenant,
"email": email,
"password": "******",
"g-recaptcha-response": "foobar",
"plan": "professional",
"token": "tok_visa",
}
r = tc.post(tenantadm.URL_MGMT_TENANTS, data=payload)
assert r.status_code == 202
# Try log in every second for 5 minutes.
# Creating organization is an async job
# and may take some time to complete.
for i in range(5 * 60):
rsp = uc.call(
"POST",
useradm.URL_LOGIN,
auth=(email, "asdfqwer1234"),
)
if rsp.status_code == 200:
break
time.sleep(1)
if rsp.status_code != 200:
raise ValueError(
"User could not log in within five minutes after organization has been created."
)
# get the tenant id (and verify that only one tenant exists)
r = tenantadmi.call("GET", tenantadm.URL_INTERNAL_TENANTS)
assert r.status_code == 200
api_tenants = r.json()
assert len(api_tenants) == 1
# verify the device limit via internal api
# the device limit for professional plan should be 250
r = devauthi.call(
"GET",
deviceauth_v1.URL_LIMITS_MAX_DEVICES,
path_params={"tid": api_tenants[0]["id"]},
)
assert r.status_code == 200
assert r.json()["limit"] == 250
self._cleanup_stripe(email)
def do_test_ok(self, user, tenant_token=""):
useradmm = ApiClient(useradm.URL_MGMT)
devauthm = ApiClient(deviceauth_v2.URL_MGMT)
devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
# log in user
r = useradmm.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# preauth device
priv, pub = testutils.util.crypto.rsa_get_keypair()
id_data = {"mac": "pretenditsamac"}
body = deviceauth_v2.preauth_req(id_data, pub)
r = devauthm.with_auth(utoken).call("POST", deviceauth_v2.URL_DEVICES, body)
assert r.status_code == 201
# device appears in device list
r = devauthm.with_auth(utoken).call("GET", deviceauth_v2.URL_DEVICES)
assert r.status_code == 200
api_devs = r.json()
assert len(api_devs) == 1
api_dev = api_devs[0]
assert api_dev["status"] == "preauthorized"
assert api_dev["identity_data"] == id_data
assert len(api_dev["auth_sets"]) == 1
aset = api_dev["auth_sets"][0]
assert aset["identity_data"] == id_data
assert testutils.util.crypto.rsa_compare_keys(aset["pubkey"], pub)
assert aset["status"] == "preauthorized"
# actual device can obtain auth token
body, sighdr = deviceauth_v1.auth_req(id_data, pub, priv, tenant_token)
r = devauthd.call("POST", deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
assert r.status_code == 200
# device and authset changed status to 'accepted'
r = devauthm.with_auth(utoken).call(
"GET", deviceauth_v2.URL_DEVICES, path_params={"id": api_dev["id"]}
)
api_devs = r.json()
assert len(api_devs) == 1
api_dev = api_devs[0]
assert api_dev["status"] == "accepted"
assert len(api_dev["auth_sets"]) == 1
aset = api_dev["auth_sets"][0]
assert aset["status"] == "accepted"
def test_devs_ok(self, migrated_enterprise_setup):
mender_gateway = migrated_enterprise_setup.get_mender_gateway()
uadmm = ApiClient(
"https://{}/api/management/v1/useradm".format(mender_gateway))
dauthd = ApiClient(
"https://{}/api/devices/v1/authentication".format(mender_gateway))
dauthm = ApiClient(
"https://{}/api/management/v2/devauth".format(mender_gateway))
depld = ApiClient(
"https://{}/api/devices/v1/deployments".format(mender_gateway))
# current dev tokens don't work right off the bat
# the deviceauth db is empty
for d in migrated_enterprise_setup.init_data["os_devs"]:
resp = depld.with_auth(d.token).call(
"GET",
deployments.URL_NEXT,
qs_params={
"artifact_name": "foo",
"device_type": "bar"
},
)
assert resp.status_code == 401
# but even despite the 'dummy' tenant token
# os devices can get into the deviceauth db for acceptance
ent_user = migrated_enterprise_setup.init_data["tenant"].users[0]
r = uadmm.call("POST",
useradm.URL_LOGIN,
auth=(ent_user.name, ent_user.pwd))
assert r.status_code == 200
utoken = r.text
for d in migrated_enterprise_setup.init_data["os_devs"]:
body, sighdr = deviceauth_v1.auth_req(
d.id_data,
d.authsets[0].pubkey,
d.authsets[0].privkey,
tenant_token="dummy",
)
r = dauthd.call("POST",
deviceauth_v1.URL_AUTH_REQS,
body,
headers=sighdr)
assert r.status_code == 401
r = dauthm.with_auth(utoken).call("GET",
deviceauth_v2.URL_DEVICES,
path_params={"id": d.id})
assert r.status_code == 200
assert len(r.json()) == len(
migrated_enterprise_setup.init_data["os_devs"])
def test_authenticated_dev_is_rejected(self, tenants_users_devices):
dacd = ApiClient(deviceauth.URL_DEVICES)
devauthm = ApiClient(deviceauth_v2.URL_MGMT)
uc = ApiClient(useradm.URL_MGMT)
tc = ApiClient(tenantadm.URL_INTERNAL)
dc = ApiClient(deployments.URL_DEVICES)
# accept a dev
user = tenants_users_devices[0].users[0]
r = uc.call('POST',
useradm.URL_LOGIN,
auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
aset = tenants_users_devices[0].devices[0].authsets[0]
change_authset_status(devauthm, aset.did, aset.id, 'accepted', utoken)
# request auth
body, sighdr = deviceauth.auth_req(aset.id_data,
aset.pubkey,
aset.privkey,
tenants_users_devices[0].tenant_token)
r = dacd.call('POST',
deviceauth.URL_AUTH_REQS,
body,
headers=sighdr)
assert r.status_code == 200
dtoken = r.text
# check device can access APIs
r = dc.with_auth(dtoken).call('GET',
deployments.URL_NEXT,
qs_params={'device_type': 'foo',
'artifact_name': 'bar'})
assert r.status_code == 204
# suspend
r = tc.call('PUT',
tenantadm.URL_INTERNAL_SUSPEND,
tenantadm.req_status('suspended'),
path_params={'tid': tenants_users_devices[0].id})
assert r.status_code == 200
time.sleep(10)
# check device is rejected
r = dc.with_auth(dtoken).call('GET',
deployments.URL_NEXT,
qs_params={'device_type': 'foo',
'artifact_name': 'bar'})
assert r.status_code == 401
def test_users_ok(self, migrated_enterprise_setup):
mender_gateway = migrated_enterprise_setup.get_mender_gateway()
uadmm = ApiClient(useradm.URL_MGMT, host=mender_gateway)
# os users can't log in
for u in migrated_enterprise_setup.init_data["os_users"]:
r = uadmm.call("POST", useradm.URL_LOGIN, auth=(u.name, u.pwd))
assert r.status_code == 401
# but enterprise user can
ent_user = migrated_enterprise_setup.init_data["tenant"].users[0]
r = uadmm.call("POST", useradm.URL_LOGIN, auth=(ent_user.name, ent_user.pwd))
assert r.status_code == 200
def test_users_ok(self, migrated_enterprise_setup):
uadmm = ApiClient('https://{}/api/management/v1/useradm'.format(get_mender_gateway()))
# os users can't log in
for u in migrated_enterprise_setup["os_users"]:
r = uadmm.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd))
assert r.status_code == 401
# but enterprise user can
ent_user = migrated_enterprise_setup["tenant"].users[0]
r = uadmm.call('POST',
useradm.URL_LOGIN,
auth=(ent_user.name, ent_user.pwd))
assert r.status_code == 200
def do_test_fail_duplicate(self, user, devices):
useradmm = ApiClient(useradm.URL_MGMT)
devauthm = ApiClient(deviceauth_v2.URL_MGMT)
# log in user
r = useradmm.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# preauth duplicate device
priv, pub = testutils.util.crypto.rsa_get_keypair()
id_data = devices[0].id_data
body = deviceauth_v2.preauth_req(id_data, pub)
r = devauthm.with_auth(utoken).call("POST", deviceauth_v2.URL_DEVICES, body)
assert r.status_code == 409
# device list is unmodified
r = devauthm.with_auth(utoken).call("GET", deviceauth_v2.URL_DEVICES)
assert r.status_code == 200
api_devs = r.json()
assert len(api_devs) == len(devices)
# existing device has no new auth sets
existing = [d for d in api_devs if d["identity_data"] == id_data]
assert len(existing) == 1
existing = existing[0]
assert len(existing["auth_sets"]) == 1
aset = existing["auth_sets"][0]
assert testutils.util.crypto.rsa_compare_keys(aset["pubkey"], devices[0].pubkey)
assert aset["status"] == "pending"
def make_accepted_device(
dauthd1: ApiClient,
dauthm: ApiClient,
utoken: str,
tenant_token: str = "",
test_type: str = "regular",
) -> Device:
"""Create one device with "accepted" status."""
test_types = ["regular", "azure"]
if test_type not in test_types:
raise RuntimeError("Given test type is not allowed")
dev = make_pending_device(dauthd1, dauthm, utoken, tenant_token=tenant_token)
aset_id = dev.authsets[0].id
change_authset_status(dauthm, dev.id, aset_id, "accepted", utoken)
aset = dev.authsets[0]
aset.status = "accepted"
# TODO: very bad workaround for Azure IoT Hub backend test; following part is responsible for creating
# TODO: additonal, unnecessary auth set which causes Azure test to fail
if test_type == "regular":
# obtain auth token
body, sighdr = deviceauth.auth_req(
aset.id_data, aset.pubkey, aset.privkey, tenant_token
)
r = dauthd1.call("POST", deviceauth.URL_AUTH_REQS, body, headers=sighdr)
assert r.status_code == 200
dev.token = r.text
dev.status = "accepted"
return dev
def do_test_get_device(self, devs_authsets, user):
da = ApiClient(deviceauth_v2.URL_MGMT)
ua = ApiClient(useradm.URL_MGMT)
# log in user
r = ua.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# existing devices
for dev in devs_authsets:
r = da.with_auth(utoken).call(
"GET", deviceauth_v2.URL_DEVICE, path_params={"id": dev.id}
)
assert r.status_code == 200
api_dev = r.json()
self._compare_dev(dev, api_dev)
# non-existent devices
for id in ["foo", "bar"]:
r = da.with_auth(utoken).call(
"GET", deviceauth_v2.URL_DEVICE, path_params={"id": id}
)
assert r.status_code == 404
def setup_devices_and_management(nr_devices=100):
"""
Sets up user and tenant and creates authorized devices.
"""
tenant = create_tenant('acme')
user = create_tenant_user('bugs-bunny', tenant)
useradmm = ApiClient(useradm.URL_MGMT)
devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
invm = ApiClient(inventory.URL_MGMT)
api_mgmt_deploy = ApiClient(deployments.URL_MGMT)
# log in user
r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# Upload a dummy artifact to the server
upload_image("/tests/test-artifact.mender", utoken)
# prepare accepted devices
devs = make_accepted_devices(utoken, devauthd, nr_devices,
tenant.tenant_token)
# wait for devices to be provisioned
time.sleep(3)
# Check that the number of devices were created
r = invm.with_auth(utoken).call(
'GET', inventory.URL_DEVICES, qs_params={
'per_page': nr_devices
})
assert r.status_code == 200
api_devs = r.json()
assert len(api_devs) == nr_devices
return user, tenant, utoken, devs
def test_fail_no_attr_value(self, user):
useradmm = ApiClient(useradm.URL_MGMT)
devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
invm = ApiClient(inventory.URL_MGMT)
invd = ApiClient(inventory.URL_DEV)
# log in user
r = useradmm.call('POST',
useradm.URL_LOGIN,
auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# prepare accepted devices
devs = make_accepted_devices(utoken, devauthd, 1)
# wait for devices to be provisioned
time.sleep(3)
for i, d in enumerate(devs):
payload = [{
"name": "mac",
}]
r = invd.with_auth(d.token).call('PATCH',
inventory.URL_DEVICE_ATTRIBUTES,
payload)
assert r.status_code == 400
def verify_devices_unmodified(self, user, in_devices):
devauthm = ApiClient(deviceauth_v2.URL_MGMT)
useradmm = ApiClient(useradm.URL_MGMT)
r = useradmm.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
r = devauthm.with_auth(utoken).call("GET", deviceauth_v2.URL_DEVICES)
assert r.status_code == 200
api_devs = r.json()
assert len(api_devs) == len(in_devices)
for ad in api_devs:
assert ad["status"] == "pending"
orig_device = [d for d in in_devices if d.id_data == ad["identity_data"]]
assert len(orig_device) == 1
orig_device = orig_device[0]
assert len(ad["auth_sets"]) == 1
aset = ad["auth_sets"][0]
assert testutils.util.crypto.rsa_compare_keys(
aset["pubkey"], orig_device.pubkey
)
def do_test_get_devices_ok(self, user, tenant_token=''):
useradmm = ApiClient(useradm.URL_MGMT)
devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
invm = ApiClient(inventory.URL_MGMT)
invd = ApiClient(inventory.URL_DEV)
# log in user
r = useradmm.call('POST',
useradm.URL_LOGIN,
auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# prepare accepted devices
devs = make_accepted_devices(utoken, devauthd, 40, tenant_token)
# wait for devices to be provisioned
time.sleep(3)
r = invm.with_auth(utoken).call('GET',
inventory.URL_DEVICES,
qs_params={'per_page': 100})
assert r.status_code == 200
api_devs = r.json()
assert len(api_devs) == 40
def add_devices_to_user(user, dev_inventories):
try:
user.devices
except AttributeError:
user.devices = []
useradmm = ApiClient(useradm.URL_MGMT)
devauthd = ApiClient(deviceauth.URL_DEVICES)
devauthm = ApiClient(deviceauth.URL_MGMT)
invd = ApiClient(inventory.URL_DEV)
utoken = useradmm.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd)).text
assert utoken != ""
user.api_token = utoken
for inv in dev_inventories:
device = make_accepted_device(devauthd, devauthm, utoken)
user.devices.append(device)
attrs = dict_to_inventoryattrs(inv)
rsp = invd.with_auth(device.token).call(
"PATCH", inventory.URL_DEVICE_ATTRIBUTES, body=attrs
)
assert rsp.status_code == 200
device.inventory = inv
return user
def create_tenant(name, docker_prefix=None):
""" Create a tenant via cli, record its id and token for further use. """
cli = CliTenantadm(docker_prefix)
api = ApiClient(tenantadm.URL_INTERNAL)
id = cli.create_tenant(name)
page = 0
per_page = 20
qs_params = {}
found = None
while True:
page = page + 1
qs_params['page'] = page
qs_params['per_page'] = per_page
r = api.call('GET', tenantadm.URL_INTERNAL_TENANTS, qs_params=qs_params)
assert r.status_code == 200
api_tenants = r.json()
found = [at for at in api_tenants if at['id'] == id]
if len(found) > 0:
break
if len(api_tenants) == 0:
break
assert len(found) == 1
token = found[0]['tenant_token']
return Tenant(name, id, token)
def create_org(name, username, password, plan="os"):
cli = CliTenantadm()
user_id = None
tenant_id = cli.create_org(name, username, password, plan=plan)
tenant_token = json.loads(cli.get_tenant(tenant_id))["tenant_token"]
api = ApiClient(useradm.URL_MGMT)
# Try log in every second for 3 minutes.
# - There usually is a slight delay (in order of ms) for propagating
# the created user to the db.
for i in range(3 * 60):
rsp = api.call("POST", useradm.URL_LOGIN, auth=(username, password))
if rsp.status_code == 200:
break
time.sleep(1)
if rsp.status_code != 200:
raise ValueError(
"User could not log in within three minutes after organization has been created."
)
user_token = rsp.text
rsp = api.with_auth(user_token).call("GET", useradm.URL_USERS)
users = json.loads(rsp.text)
for user in users:
if user["email"] == username:
user_id = user["id"]
break
if user_id == None:
raise ValueError("Error retrieving user id.")
tenant = Tenant(name, tenant_id, tenant_token)
user = User(user_id, username, password)
tenant.users.append(user)
return tenant
def do_test_get_authset_status(self, devs_authsets, user):
devauthm = ApiClient(deviceauth_v2.URL_MGMT)
useradmm = ApiClient(useradm.URL_MGMT)
# log in user
r = useradmm.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# try valid authsets
for d in devs_authsets:
for a in d.authsets:
r = devauthm.with_auth(utoken).call(
"GET",
deviceauth_v2.URL_AUTHSET_STATUS,
path_params={"did": d.id, "aid": a.id},
)
assert r.status_code == 200
assert r.json()["status"] == a.status
# invalid authset or device
for did, aid in [(devs_authsets[0].id, "foo"), ("foo", "bar")]:
r = devauthm.with_auth(utoken).call(
"GET",
deviceauth_v2.URL_AUTHSET_STATUS,
path_params={"did": did, "aid": aid},
)
assert r.status_code == 404
def do_test_device_count(self, devs_authsets, user):
ua = ApiClient(useradm.URL_MGMT)
da = ApiClient(deviceauth_v2.URL_MGMT)
# log in user
r = ua.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# test cases: successful counts
for status in [None, "pending", "accepted", "rejected", "preauthorized"]:
qs_params = {}
if status is not None:
qs_params = {"status": status}
r = da.with_auth(utoken).call(
"GET", deviceauth_v2.URL_DEVICES_COUNT, qs_params=qs_params
)
assert r.status_code == 200
count = r.json()
ref_devs = filter_and_page_devs(devs_authsets, status=status)
ref_count = len(ref_devs)
assert ref_count == count["count"]
# fail: bad request
r = da.with_auth(utoken).call(
"GET", deviceauth_v2.URL_DEVICES_COUNT, qs_params={"status": "foo"}
)
assert r.status_code == 400
def test_ok(self, user):
useradmm = ApiClient(useradm.URL_MGMT)
devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
invm = ApiClient(inventory.URL_MGMT)
invd = ApiClient(inventory.URL_DEV)
# log in user
r = useradmm.call('POST',
useradm.URL_LOGIN,
auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
# prepare accepted devices
devs = make_accepted_devices(utoken, devauthd, 3)
# wait for devices to be provisioned
time.sleep(3)
for i, d in enumerate(devs):
payload = [
{
"name": "mac",
"value": "mac-new-" + str(d.id)
},
{
#empty value for existing
"name": "sn",
"value": "",
},
{
#empty value for new
"name": "new-empty",
"value": "",
}
]
r = invd.with_auth(d.token).call('PATCH',
inventory.URL_DEVICE_ATTRIBUTES,
payload)
assert r.status_code == 200
for d in devs:
r = invm.with_auth(utoken).call('GET',
inventory.URL_DEVICE,
path_params={'id': d.id})
assert r.status_code == 200
api_dev = r.json()
assert len(api_dev['attributes']) == 3
for a in api_dev['attributes']:
if a['name'] == 'mac':
assert a['value'] == 'mac-new-' + str(api_dev['id'])
elif a['name'] == 'sn':
assert a['value'] == ''
elif a['name'] == 'new-empty':
assert a['value'] == ''
else:
assert False, 'unexpected attribute ' + a['name']
def initialize_os_setup():
""" Seed the OS setup with all operational data - users and devices.
Return {"os_devs": [...], "os_users": [...]}
"""
uadmm = ApiClient('https://{}/api/management/v1/useradm'.format(
get_mender_gateway()))
dauthd = ApiClient('https://{}/api/devices/v1/authentication'.format(
get_mender_gateway()))
dauthm = ApiClient('https://{}/api/management/v2/devauth'.format(
get_mender_gateway()))
users = [
create_user("*****@*****.**",
"correcthorse",
docker_prefix=docker_compose_instance),
create_user("*****@*****.**",
"correcthorse",
docker_prefix=docker_compose_instance)
]
r = uadmm.call('POST',
useradm.URL_LOGIN,
auth=(users[0].name, users[0].pwd))
assert r.status_code == 200
utoken = r.text
# create and accept some devs; save tokens
devs = []
for i in range(10):
devs.append(make_accepted_device(dauthd, dauthm, utoken))
# get tokens for all
for d in devs:
body, sighdr = deviceauth_v1.auth_req(d.id_data, d.authsets[0].pubkey,
d.authsets[0].privkey)
r = dauthd.call('POST',
deviceauth_v1.URL_AUTH_REQS,
body,
headers=sighdr)
assert r.status_code == 200
d.token = r.text
return {"os_devs": devs, "os_users": users}
def login_tenant_users(tenant):
useradm_MGMT = ApiClient(useradm.URL_MGMT)
for user in tenant.users:
rsp = useradm_MGMT.call("POST",
useradm.URL_LOGIN,
auth=(user.name, user.pwd))
assert rsp.status_code == 200, "Failed to setup test environment"
user.token = rsp.text
def test_accepted_dev_cant_authenticate(self, tenants_users_devices):
dacd = ApiClient(deviceauth.URL_DEVICES)
devauthm = ApiClient(deviceauth.URL_MGMT)
uc = ApiClient(useradm.URL_MGMT)
tc = ApiClient(tenantadm.URL_INTERNAL,
host=tenantadm.HOST,
schema="http://")
# accept a dev
device = tenants_users_devices[0].devices[0]
user = tenants_users_devices[0].users[0]
r = uc.call("POST", useradm.URL_LOGIN, auth=(user.name, user.pwd))
assert r.status_code == 200
utoken = r.text
aset = device.authsets[0]
change_authset_status(devauthm, aset.did, aset.id, "accepted", utoken)
# suspend
r = tc.call(
"PUT",
tenantadm.URL_INTERNAL_SUSPEND,
tenantadm.req_status("suspended"),
path_params={"tid": tenants_users_devices[0].id},
)
assert r.status_code == 200
time.sleep(10)
# try requesting auth
body, sighdr = deviceauth.auth_req(
aset.id_data,
aset.pubkey,
aset.privkey,
tenants_users_devices[0].tenant_token,
)
r = dacd.call("POST", deviceauth.URL_AUTH_REQS, body, headers=sighdr)
assert r.status_code == 401
assert r.json()["error"] == "Account suspended"
def check_access_rbac(self, auth, forbid=False):
uadm = ApiClient(
host=get_container_manager().get_mender_gateway(),
base_url=useradm.URL_MGMT,
)
res = uadm.call("GET", useradm.URL_ROLES, headers=auth.get_auth_token(),)
if forbid:
assert res.status_code == 403
else:
assert res.ok
