Exemplo n.º 1
 def test_parent_and_bound_data_are_preserved(self):
     """Check that a followed redirect keeps ``parent`` and ``bound_data``.

     ``invoke_subrequest`` is given a two-item side effect, a
     ``HTTPTemporaryRedirect`` followed by ``None``.  The request returned
     by ``follow_subrequest`` must expose the same ``parent`` and
     ``bound_data`` as the subrequest that was passed in.
     """
     outer = DummyRequest()
     outer.invoke_subrequest.side_effect = (
         httpexceptions.HTTPTemporaryRedirect,
         None,
     )

     original = DummyRequest()
     original.parent = mock.sentinel.parent
     original.bound_data = mock.sentinel.bound_data

     _, followed = follow_subrequest(outer, original)

     # Sentinels are unique objects, so equality only holds if the very same
     # object was carried over to the followed request.
     for attribute in ("parent", "bound_data"):
         self.assertEqual(getattr(original, attribute), getattr(followed, attribute))
Exemplo n.º 2
 def _build_request(self):
     """Return a DummyRequest configured for the FxA OAuth tests.

     Settings start from a copy of ``DEFAULT_SETTINGS`` with a cache TTL and
     a required scope added.  The output of ``parse_clients`` is attached to
     the registry and a fixed ``Bearer foo`` Authorization header is set.
     """
     request = DummyRequest()
     request.bound_data = {}
     request.registry.cache = self.backend

     # Work on a copy so the assignments below do not write into DEFAULT_SETTINGS.
     fxa_settings = DEFAULT_SETTINGS.copy()
     fxa_settings['fxa-oauth.cache_ttl_seconds'] = '0.01'
     fxa_settings['fxa-oauth.required_scope'] = 'mandatory profile'
     request.registry.settings = fxa_settings

     oauth_config, routing = parse_clients(fxa_settings)
     request.registry._fxa_oauth_config = oauth_config
     request.registry._fxa_oauth_scope_routing = routing

     # Placeholder bearer token; it is not a real credential.
     request.headers['Authorization'] = 'Bearer foo'
     return request
Exemplo n.º 3
    def test_http_put_unexisting_record_resolves_in_a_create_permission(self):
        """A PUT whose record lookup raises RecordNotFoundError requires ``create``.

        The authorization context must treat a PUT on a missing record as a
        creation, so the permission checked is ``create``.
        """
        with mock.patch("kinto.core.utils.current_service") as current_service:
            # Stand-in resource whose record lookup always fails.
            missing = mock.MagicMock()
            missing.record_id = 1
            missing.model.get_record.side_effect = storage_exceptions.RecordNotFoundError

            current_service().resource.return_value = missing
            current_service().collection_path = "/buckets/{bucket_id}"

            # Request aimed at a record inside bucket "abc".
            put_request = DummyRequest(method="put")
            put_request.upath_info = "/buckets/abc/collections/1"
            put_request.matchdict = {"bucket_id": "abc"}

            route_context = RouteFactory(put_request)
            self.assertEqual(route_context.required_permission, "create")
Exemplo n.º 4
 def test_permits_takes_route_factory_allowed_principals_into_account_for_object_creation(self):
     """``check_permission`` grants creation to principals listed in settings.

     ``_check_permission`` is forced to return ``False``, so the expected
     ``True`` can only come from the ``book_create_principals`` setting
     naming ``fxa:user``.
     """
     context = RouteFactory(DummyRequest())
     context._check_permission.return_value = False
     context.resource_name = "book"
     context.required_permission = "book:create"
     context._settings = {"book_create_principals": "fxa:user"}

     granted = context.check_permission(["fxa:user"], None)

     self.assertTrue(granted)
Exemplo n.º 5
    def test_ping_logs_error_if_unavailable(self):
        """With the error patcher started, the heartbeat is false and logs an exception."""
        request = DummyRequest()
        # NOTE(review): the patcher is started but not stopped in this method;
        # presumably tearDown stops it -- confirm.
        self.client_error_patcher.start()
        check = heartbeat(self.storage)

        with mock.patch('kinto.core.storage.logger.exception') as log_exception:
            healthy = check(request)
            self.assertFalse(healthy)

        self.assertTrue(log_exception.called)
Exemplo n.º 6
 def test_fetch_shared_records_sets_shared_ids_from_results(self):
     """``shared_ids`` holds the last path segment of each accessible object."""
     request = DummyRequest()
     context = RouteFactory(request)

     # Object URIs mapped to the permissions held on them.
     accessible = {
         "/obj/1": ["read", "write"],
         "/obj/3": ["obj:create"],
     }
     request.registry.permission.get_accessible_objects.return_value = accessible

     context.fetch_shared_records("read", ["userid"], None)

     found = sorted(context.shared_ids)
     self.assertEqual(found, ["1", "3"])
Exemplo n.º 7
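    def test_route_factory_adds_allowed_principals_from_settings(self):
        """RouteFactory exposes ``bucket_create_principals`` as ``allowed_principals``.

        A POST on ``/buckets`` is built with a registry whose settings list
        ``fxa:user`` as a bucket-creation principal; the resulting context
        must report exactly that principal.
        """
        with mock.patch('kinto.core.utils.current_service') as current_service:
            # Patch current service.
            resource = mock.MagicMock()
            current_service().resource.return_value = resource
            current_service().collection_path = '/buckets'
            # Do the actual call.
            request = DummyRequest(method='post')
            request.current_resource_name = 'bucket'
            request.upath_info = '/buckets'
            request.matchdict = {}
            # The registry is replaced by a plain Mock so that only the
            # settings assigned below are in play.
            request.registry = mock.Mock()
            request.registry.settings = {
                'bucket_create_principals': 'fxa:user'
            }
            context = RouteFactory(request)

            # assertEqual replaces the deprecated assertEquals alias, which
            # was removed from unittest in Python 3.12.
            self.assertEqual(context.allowed_principals, ['fxa:user'])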
Exemplo n.º 8
 def test_send_alert_code_can_be_specified(self):
     """An explicit ``code`` passed to ``send_alert`` appears in the alert header."""
     request = DummyRequest()
     request.registry.settings['project_docs'] = 'docs_url'

     send_alert(request, 'Message', code='hard-eol')

     # The url is expected to come from the ``project_docs`` setting.
     expected_alert = {'code': 'hard-eol', 'message': 'Message', 'url': 'docs_url'}
     self.verify_alert_header(request, expected_alert)
Exemplo n.º 9
 def test_fetch_shared_records_sets_shared_ids_from_results(self):
     """``shared_ids`` holds the last path segment of each accessible object."""
     request = DummyRequest()
     context = RouteFactory(request)

     # Object URIs mapped to the permissions held on them.
     accessible = {
         '/obj/1': ['read', 'write'],
         '/obj/3': ['obj:create'],
     }
     request.registry.permission.get_accessible_objects.return_value = accessible

     context.fetch_shared_records('read', ['userid'], None)

     found = sorted(context.shared_ids)
     self.assertEqual(found, ['1', '3'])
Exemplo n.º 10
 def test_send_alert_code_can_be_specified(self):
     """An explicit ``code`` passed to ``send_alert`` appears in the alert header."""
     request = DummyRequest()
     request.registry.settings["project_docs"] = "docs_url"

     send_alert(request, "Message", code="hard-eol")

     # The url is expected to come from the ``project_docs`` setting.
     expected_alert = {"code": "hard-eol", "message": "Message", "url": "docs_url"}
     self.verify_alert_header(request, expected_alert)
Exemplo n.º 11
 def test_send_alert_default_to_project_url(self):
     """Without extra arguments the alert uses ``soft-eol`` and the project docs URL."""
     request = DummyRequest()
     request.registry.settings["project_docs"] = "docs_url"

     send_alert(request, "Message")

     expected_alert = {"code": "soft-eol", "message": "Message", "url": "docs_url"}
     self.verify_alert_header(request, expected_alert)
Exemplo n.º 12
 def test_send_alert_default_to_project_url(self):
     """Without extra arguments the alert uses ``soft-eol`` and the project docs URL."""
     request = DummyRequest()
     request.registry.settings['project_docs'] = 'docs_url'

     send_alert(request, 'Message')

     expected_alert = {'code': 'soft-eol', 'message': 'Message', 'url': 'docs_url'}
     self.verify_alert_header(request, expected_alert)
Exemplo n.º 13
    def _build_request(self):
        """Return a DummyRequest configured with two FxA OAuth clients.

        Settings start from a copy of ``DEFAULT_SETTINGS``; an OAuth URI, a
        cache TTL and per-client ``client_id`` / ``required_scope`` entries
        for ``notes`` and ``lockbox`` are added.  The output of
        ``parse_clients`` is attached to the registry and a fixed
        ``Bearer foo`` Authorization header is set.
        """
        request = DummyRequest()
        request.bound_data = {}
        request.registry.cache = self.backend

        # Work on a copy so the assignments below do not write into DEFAULT_SETTINGS.
        fxa_settings = DEFAULT_SETTINGS.copy()
        fxa_settings['fxa-oauth.oauth_uri'] = 'https://oauth.accounts.firefox.com/v1'
        fxa_settings['fxa-oauth.cache_ttl_seconds'] = '0.01'

        # Each client has its own id and its own space-separated required scope.
        fxa_settings['fxa-oauth.clients.notes.client_id'] = 'c73e46074a948932'
        fxa_settings['fxa-oauth.clients.notes.required_scope'] = (
            'profile https://identity.mozilla.org/apps/notes')
        fxa_settings['fxa-oauth.clients.lockbox.client_id'] = '299062f8b3838932'
        fxa_settings['fxa-oauth.clients.lockbox.required_scope'] = (
            'profile https://identity.mozilla.org/apps/lockbox')
        request.registry.settings = fxa_settings

        oauth_config, routing = parse_clients(fxa_settings)
        request.registry._fxa_oauth_config = oauth_config
        request.registry._fxa_oauth_scope_routing = routing

        # Placeholder bearer token; it is not a real credential.
        request.headers['Authorization'] = 'Bearer foo'
        return request
Exemplo n.º 14
 def test_http_put_sets_current_object_attribute(self):
     """On PUT, ``current_object`` is whatever the resource model's ``get_object`` returns."""
     with mock.patch("kinto.core.utils.current_service") as current_service:
         stored = mock.sentinel.object

         # Stand-in resource whose model returns the sentinel.
         fake_resource = mock.MagicMock()
         fake_resource.object_id = 1
         fake_resource.model.get_object.return_value = stored
         current_service().resource.return_value = fake_resource

         route_context = RouteFactory(DummyRequest(method="put"))

         self.assertEqual(route_context.current_object, stored)
Exemplo n.º 15
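 def test_http_put_sets_current_record_attribute(self):
     """On PUT, ``current_record`` is whatever the resource model's ``get_record`` returns."""
     with mock.patch('kinto.core.utils.current_service') as current_service:
         # Patch current service.
         resource = mock.MagicMock()
         resource.record_id = 1
         resource.model.get_record.return_value = mock.sentinel.record
         current_service().resource.return_value = resource
         # Do the actual call.
         request = DummyRequest(method='put')
         context = RouteFactory(request)
         # assertEqual replaces the deprecated assertEquals alias, which was
         # removed from unittest in Python 3.12.
         self.assertEqual(context.current_record, mock.sentinel.record)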
Exemplo n.º 16
    def assert_request_resolves_to(self, method, permission, uri=None, record_not_found=False):
        """Assert that RouteFactory requires ``permission`` for ``method`` on ``uri``.

        Args:
            method: HTTP method passed to ``DummyRequest``.
            permission: Expected value of ``context.required_permission``.
            uri: Request path; ``self.record_uri`` is used when ``None``.
            record_not_found: When true, the mocked ``get_record`` raises
                ``RecordNotFoundError``; otherwise it returns ``1``.
        """
        target_uri = self.record_uri if uri is None else uri

        with mock.patch("kinto.core.utils.current_service") as current_service:
            # Stand-in resource; its record lookup either succeeds or fails.
            fake_resource = mock.MagicMock()
            fake_resource.record_id = 1
            lookup = fake_resource.model.get_record
            if not record_not_found:
                lookup.return_value = 1
            else:
                lookup.side_effect = storage_exceptions.RecordNotFoundError
            current_service().resource.return_value = fake_resource

            request = DummyRequest(method=method)
            request.upath_info = target_uri
            route_context = RouteFactory(request)

            self.assertEqual(route_context.required_permission, permission)
Exemplo n.º 17
    def assert_request_resolves_to(self, method, permission, uri=None, object_not_found=False):
        """Assert that RouteFactory requires ``permission`` for ``method`` on ``uri``.

        Args:
            method: HTTP method passed to ``DummyRequest``.
            permission: Expected value of ``context.required_permission``.
            uri: Request path; ``self.object_uri`` is used when ``None``.
            object_not_found: When true, the mocked ``get_object`` raises
                ``ObjectNotFoundError``; otherwise it returns ``1``.
        """
        target_uri = self.object_uri if uri is None else uri

        with mock.patch("kinto.core.utils.current_service") as current_service:
            # Stand-in resource; its object lookup either succeeds or fails.
            fake_resource = mock.MagicMock()
            fake_resource.object_id = 1
            lookup = fake_resource.model.get_object
            if not object_not_found:
                lookup.return_value = 1
            else:
                lookup.side_effect = storage_exceptions.ObjectNotFoundError
            current_service().resource.return_value = fake_resource

            request = DummyRequest(method=method)
            request.upath_info = target_uri
            route_context = RouteFactory(request)

            self.assertEqual(route_context.required_permission, permission)
Exemplo n.º 18
def test_kcl_ignores_missing_new(match_buckets_a_resource):
    """A change entry carrying only an ``old`` record does not trigger ``send_version``."""
    push_client = mock.Mock()
    kcl = KintoChangesListener(push_client, 'broadcaster', [], [], match_buckets_a_resource)

    # The impacted entry has no 'new' key.
    impacted = [{'old': changes_record('a', 'c')}]
    event = events.ResourceChanged(PAYLOAD, impacted, DummyRequest())

    kcl(event)

    assert not push_client.send_version.called
Exemplo n.º 19
def test_kcl_drops_events_with_no_matching_records(match_buckets_a_resource):
    """A record built with ``changes_record('b', 'c')`` does not trigger ``send_version``."""
    push_client = mock.Mock()
    kcl = KintoChangesListener(push_client, 'broadcaster', [], [], match_buckets_a_resource)

    impacted = [{'new': changes_record('b', 'c')}]
    event = events.ResourceChanged(PAYLOAD, impacted, DummyRequest())

    kcl(event)

    assert not push_client.send_version.called
Exemplo n.º 20
def test_kcl_posts_on_matching_records(match_buckets_a_resource):
    """A record built with ``changes_record('a', 'c')`` makes the listener call ``send_version``."""
    push_client = mock.Mock()
    kcl = KintoChangesListener(
        push_client, 'broadcaster', [], [], match_buckets_a_resource)

    impacted = [{'new': changes_record('a', 'c')}]
    event = events.ResourceChanged(PAYLOAD, impacted, DummyRequest())

    kcl(event)

    push_client.send_version.assert_called_with('broadcaster', 'monitor_changes', '"123"')
Exemplo n.º 21
    def _build_request(self):
        """Return a DummyRequest configured with two FxA OAuth clients.

        Settings start from a copy of ``DEFAULT_SETTINGS``; an OAuth URI, a
        cache TTL and per-client ``client_id`` / ``required_scope`` entries
        for ``notes`` and ``lockbox`` are added.  The output of
        ``parse_clients`` is attached to the registry and a fixed
        ``Bearer foo`` Authorization header is set.
        """
        request = DummyRequest()
        request.bound_data = {}
        request.registry.cache = self.backend

        # Work on a copy so the assignments below do not write into DEFAULT_SETTINGS.
        fxa_settings = DEFAULT_SETTINGS.copy()
        fxa_settings['fxa-oauth.oauth_uri'] = 'https://oauth.accounts.firefox.com/v1'
        fxa_settings['fxa-oauth.cache_ttl_seconds'] = '0.01'

        # Each client has its own id and its own space-separated required scope.
        fxa_settings['fxa-oauth.clients.notes.client_id'] = 'c73e46074a948932'
        fxa_settings['fxa-oauth.clients.notes.required_scope'] = (
            'profile https://identity.mozilla.org/apps/notes')
        fxa_settings['fxa-oauth.clients.lockbox.client_id'] = '299062f8b3838932'
        fxa_settings['fxa-oauth.clients.lockbox.required_scope'] = (
            'profile https://identity.mozilla.org/apps/lockbox')
        request.registry.settings = fxa_settings

        oauth_config, routing = parse_clients(fxa_settings)
        request.registry._fxa_oauth_config = oauth_config
        request.registry._fxa_oauth_scope_routing = routing

        # Placeholder bearer token; it is not a real credential.
        request.headers['Authorization'] = 'Bearer foo'
        return request
Exemplo n.º 22
def test_kcl_can_fail_to_match_in_collections(match_collection_z1_resource):
    """A record built with ``changes_record('z', 'z2')`` does not trigger ``send_version``."""
    push_client = mock.Mock()
    kcl = KintoChangesListener(
        push_client, 'broadcaster', [], [], match_collection_z1_resource)

    impacted = [{'new': changes_record('z', 'z2')}]
    event = events.ResourceChanged(PAYLOAD, impacted, DummyRequest())

    kcl(event)

    assert not push_client.send_version.called
Exemplo n.º 23
 def test_user_validation_listener(self):
     """Check in which cases ``on_account_activated`` sends an email.

     ``Emailer.send_mail`` is patched for the whole test.  Four update
     events are fed to the listener in sequence; only the last one, where
     the record goes from ``validated: False`` to ``validated: True`` with
     ``account_validation`` enabled, is expected to send a mail.
     """
     request = DummyRequest()
     # The old/new fixtures differ only in ``validated``; id and password are
     # the same in all four.
     old_inactive = {"id": "alice", "password": "******", "validated": False}
     old_active = {"id": "alice", "password": "******", "validated": True}
     new_inactive = {"id": "alice", "password": "******", "validated": False}
     new_active = {"id": "alice", "password": "******", "validated": True}
     with mock.patch("kinto.plugins.accounts.mails.Emailer.send_mail"
                     ) as mocked_send_mail:
         # No email sent if account validation is not enabled
         # (the ``account_validation`` setting is only set further down).
         event = ResourceChanged(
             {"action": ACTIONS.UPDATE.value},
             [{
                 "old": old_inactive,
                 "new": new_inactive
             }],
             request,
         )
         on_account_activated(event)
         mocked_send_mail.assert_not_called()
         # No email sent if the old account was already active.
         request.registry.settings["account_validation"] = True
         event = ResourceChanged({"action": ACTIONS.UPDATE.value},
                                 [{
                                     "old": old_active,
                                     "new": new_active
                                 }], request)
         request.registry.cache.get = mock.MagicMock(return_value=None)
         on_account_activated(event)
         mocked_send_mail.assert_not_called()
         # No email sent if the new account is still inactive.
         event = ResourceChanged(
             {"action": ACTIONS.UPDATE.value},
             [{
                 "old": old_inactive,
                 "new": new_inactive
             }],
             request,
         )
         request.registry.cache.get = mock.MagicMock(return_value=None)
         on_account_activated(event)
         mocked_send_mail.assert_not_called()
         # Email sent when the account goes from not validated to validated.
         # NOTE(review): cache.get still returns None at this point (set just
         # above), so this step does not place an activation key in the
         # cache -- confirm the intended precondition.
         event = ResourceChanged(
             {"action": ACTIONS.UPDATE.value},
             [{
                 "old": old_inactive,
                 "new": new_active
             }],
             request,
         )
         on_account_activated(event)
         mocked_send_mail.assert_called_once()
Exemplo n.º 24
def test_kcl_can_match_in_collections(match_collection_z1_resource):
    """A record built with ``changes_record('z', 'z1')`` makes the listener call ``send_version``."""
    push_client = mock.Mock()
    kcl = KintoChangesListener(
        push_client, 'broadcaster', [], [], match_collection_z1_resource)

    impacted = [{'new': changes_record('z', 'z1')}]

    request = DummyRequest()
    request.route_path.return_value = "/buckets/z/collections/z1"
    event = events.ResourceChanged(PAYLOAD, impacted, request)

    kcl(event)

    push_client.send_version.assert_called_with('broadcaster', 'monitor_changes', '"123"')
Exemplo n.º 25
    def setUp(self):
        """Create an OpenIDConnectPolicy with HTTP and token verification mocked.

        ``kinto.plugins.openid.requests.get`` and the policy's
        ``_verify_token`` are both patched.  Tests built on this fixture
        therefore do not exercise real token verification: ``_verify_token``
        returns ``{"sub": "userid"}`` unless a test reconfigures
        ``self.verify``.
        """
        get_patcher = mock.patch("kinto.plugins.openid.requests.get")
        self.mocked_get = get_patcher.start()
        self.addCleanup(get_patcher.stop)

        self.policy = OpenIDConnectPolicy(issuer="https://idp", client_id="abc")

        self.request = DummyRequest()
        # Cache lookups return None by default.
        self.request.registry.cache.get.return_value = None

        verify_patcher = mock.patch.object(self.policy, "_verify_token")
        self.verify = verify_patcher.start()
        self.addCleanup(verify_patcher.stop)
        self.verify.return_value = {"sub": "userid"}
Exemplo n.º 26
    def test_fetch_shared_objects_uses_pattern_if_on_plural_endpoint(self):
        """On a plural endpoint, shared objects are looked up with a ``*`` pattern."""
        request = DummyRequest()
        request.route_path.return_value = "/v1/buckets/%2A"

        plural_service = mock.MagicMock()
        plural_service.type = "plural"
        with mock.patch("kinto.core.authorization.utils.current_service") as patched:
            patched.return_value = plural_service
            context = RouteFactory(request)
        self.assertTrue(context.on_plural_endpoint)

        context.fetch_shared_objects("read", ["userid"], None)

        # route_path returned "/v1/buckets/%2A"; the permission backend is
        # expected to be queried with "/buckets/*".
        lookup = request.registry.permission.get_accessible_objects
        lookup.assert_called_with(
            ["userid"], [("/buckets/*", "read")], with_children=False)
Exemplo n.º 27
    def test_fetch_shared_records_uses_pattern_if_on_collection(self):
        """On a collection endpoint, shared records are looked up with a ``*`` pattern."""
        request = DummyRequest()
        request.route_path.return_value = '/v1/buckets/%2A'

        collection_service = mock.MagicMock()
        collection_service.type = 'collection'
        with mock.patch('kinto.core.authorization.utils.current_service') as patched:
            patched.return_value = collection_service
            context = RouteFactory(request)
        self.assertTrue(context.on_collection)

        context.fetch_shared_records('read', ['userid'], None)

        # route_path returned '/v1/buckets/%2A'; the permission backend is
        # expected to be queried with '/buckets/*'.
        lookup = request.registry.permission.get_accessible_objects
        lookup.assert_called_with(
            ['userid'], [('/buckets/*', 'read')], with_children=False)
Exemplo n.º 28
    def setUp(self):
        """Create an OpenIDConnectPolicy with HTTP and token verification mocked.

        ``kinto.plugins.openid.requests.get`` and the policy's
        ``_verify_token`` are both patched.  Tests built on this fixture
        therefore do not exercise real token verification: ``_verify_token``
        returns ``{'sub': 'userid'}`` unless a test reconfigures
        ``self.verify``.
        """
        get_patcher = mock.patch('kinto.plugins.openid.requests.get')
        self.mocked_get = get_patcher.start()
        self.addCleanup(get_patcher.stop)

        self.policy = OpenIDConnectPolicy(issuer='https://idp', client_id='abc')

        self.request = DummyRequest()
        # Cache lookups return None by default.
        self.request.registry.cache.get.return_value = None

        verify_patcher = mock.patch.object(self.policy, '_verify_token')
        self.verify = verify_patcher.start()
        self.addCleanup(verify_patcher.stop)
        self.verify.return_value = {'sub': 'userid'}
Exemplo n.º 29
def test_kcl_ignores_writes_not_on_records(match_buckets_a_resource):
    """An event whose ``resource_name`` is ``collection`` does not trigger ``send_version``."""
    push_client = mock.Mock()
    kcl = KintoChangesListener(push_client, 'broadcaster', [], [], match_buckets_a_resource)

    # Same payload as PAYLOAD, except for the resource name.
    collection_payload = dict(PAYLOAD, resource_name='collection')
    impacted = [{'new': changes_record('a', 'c')}]
    event = events.ResourceChanged(collection_payload, impacted, DummyRequest())

    kcl(event)

    assert not push_client.send_version.called
Exemplo n.º 30
def test_kinto_changes_ignores_not_monitor_changes(match_buckets_a_resource):
    """An event for bucket ``food`` / collection ``french`` does not trigger ``send_version``."""
    push_client = mock.Mock()
    kcl = KintoChangesListener(push_client, 'broadcaster', [], [], match_buckets_a_resource)

    # Same payload as PAYLOAD, redirected to another bucket and collection.
    other_payload = dict(PAYLOAD, bucket_id='food', collection_id='french')
    impacted = [{'new': {'id': 'abcd'}}]
    event = events.ResourceChanged(other_payload, impacted, DummyRequest())

    kcl(event)

    assert not push_client.send_version.called
Exemplo n.º 31
    def test_fetch_shared_records_uses_get_bound_permission_callback(self):
        """The bound-permissions callback decides which permissions are queried.

        The callback expands the requested permission into both ``write``
        and ``read`` on the same object, and the permission backend must be
        queried with exactly that expanded list.
        """
        request = DummyRequest()
        collection_service = mock.MagicMock()
        request.route_path.return_value = '/v1/buckets/%2A'
        collection_service.type = 'collection'
        with mock.patch('kinto.core.authorization.utils.current_service') as patched:
            patched.return_value = collection_service
            context = RouteFactory(request)
        self.assertTrue(context.on_collection)

        def get_bound_perms(obj_id, perm):
            """Return ``write`` and ``read`` for ``obj_id``, whatever ``perm`` is."""
            return [(obj_id, 'write'), (obj_id, 'read')]

        context.fetch_shared_records('read', ['userid'], get_bound_perms)

        lookup = request.registry.permission.get_accessible_objects
        lookup.assert_called_with(
            ['userid'], [('/buckets/*', 'write'), ('/buckets/*', 'read')])
Exemplo n.º 32
 def test_user_creation_listener(self):
     """Check in which cases ``on_account_created`` sends an email.

     ``Emailer.send_mail`` is patched for the whole test.  A mail is only
     expected once ``account_validation`` is enabled and the cache lookup
     returns an activation key.
     """
     request = DummyRequest()
     changed = {"new": {"id": "alice", "password": "******"}}

     with mock.patch("kinto.plugins.accounts.mails.Emailer.send_mail") as send_mail:
         # Account validation not enabled yet: nothing is sent.
         event = ResourceChanged({"action": ACTIONS.UPDATE.value}, [changed], request)
         on_account_created(event)
         send_mail.assert_not_called()

         # Validation enabled, but the cache lookup returns None: still nothing.
         request.registry.settings["account_validation"] = True
         event = ResourceChanged({"action": ACTIONS.UPDATE.value}, [changed], request)
         request.registry.cache.get = mock.MagicMock(return_value=None)
         on_account_created(event)
         send_mail.assert_not_called()

         # The cache lookup now returns a key: exactly one mail goes out.
         request.registry.cache.get = mock.MagicMock(return_value="some activation key")
         on_account_created(event)
         send_mail.assert_called_once()
Exemplo n.º 33
def test_excluding_resources(kinto_changes_settings):
    """Check how included and excluded resources combine in KintoChangesListener.

    The listener's ``included_resources`` and ``excluded_resources`` are set
    directly, then one event per case is dispatched and the test checks
    whether ``send_version`` was called.
    """
    client = mock.Mock()
    listener = KintoChangesListener(client, 'broadcaster', [], [])
    listener.included_resources = [
        ('bucket', {'id': 'a'}),
        ('collection', {'bucket_id': 'b', 'id': 'd'}),
        ('collection', {'bucket_id': 'z', 'id': 'z1'}),
    ]
    listener.excluded_resources = [
        ('bucket', {'id': 'b'}),
        ('collection', {'bucket_id': 'a', 'id': 'c'}),
        ('collection', {'bucket_id': 'z', 'id': 'z2'}),
    ]
    request = DummyRequest()

    # (first arg, second arg of changes_record, whether send_version is expected).
    # Presumably the two arguments are bucket id and collection id -- confirm.
    cases = [
        ('a', 'c', False),
        ('b', 'x', False),
        ('a', 'd', True),
        ('z', 'z1', True),
        ('a', 'z2', True),
        ('x', 'z1', False),
    ]
    for bucket, collection, should_send in cases:
        # Start every case from a clean call history.
        client.reset_mock()
        impacted = [{'new': changes_record(bucket, collection)}]
        event = events.ResourceChanged(PAYLOAD, impacted, request)
        listener(event)
        assert client.send_version.called == should_send
Exemplo n.º 34
    def test_fetch_shared_objects_uses_get_bound_permission_callback(self):
        """The bound-permissions callback decides which permissions are queried.

        The callback expands the requested permission into both ``write``
        and ``read`` on the same object, and the permission backend must be
        queried with exactly that expanded list.
        """
        request = DummyRequest()
        plural_service = mock.MagicMock()
        request.route_path.return_value = "/v1/buckets/%2A"
        plural_service.type = "plural"
        with mock.patch("kinto.core.authorization.utils.current_service") as patched:
            patched.return_value = plural_service
            context = RouteFactory(request)
        self.assertTrue(context.on_plural_endpoint)

        def get_bound_perms(obj_id, perm):
            """Return ``write`` and ``read`` for ``obj_id``, whatever ``perm`` is."""
            return [(obj_id, "write"), (obj_id, "read")]

        context.fetch_shared_objects("read", ["userid"], get_bound_perms)

        lookup = request.registry.permission.get_accessible_objects
        lookup.assert_called_with(
            ["userid"],
            [("/buckets/*", "write"), ("/buckets/*", "read")],
            with_children=False,
        )
Exemplo n.º 35
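    def test_route_factory_adds_allowed_principals_from_settings(self):
        """RouteFactory exposes ``bucket_create_principals`` as ``allowed_principals``.

        A POST on ``/buckets`` is built with a registry whose settings list
        ``fxa:user`` as a bucket-creation principal; the resulting context
        must report exactly that principal.
        """
        with mock.patch('kinto.core.utils.current_service') as current_service:
            # Patch current service.
            resource = mock.MagicMock()
            current_service().resource.return_value = resource
            current_service().collection_path = '/buckets'
            # Do the actual call.
            request = DummyRequest(method='post')
            request.current_resource_name = 'bucket'
            request.upath_info = '/buckets'
            request.matchdict = {}
            # The registry is replaced by a plain Mock so that only the
            # settings assigned below are in play.
            request.registry = mock.Mock()
            request.registry.settings = {
                'bucket_create_principals': 'fxa:user'
            }
            context = RouteFactory(request)

            # assertEqual replaces the deprecated assertEquals alias, which
            # was removed from unittest in Python 3.12.
            self.assertEqual(context.allowed_principals, ['fxa:user'])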
Exemplo n.º 36
 def setUp(self):
     """Load the permission backend from config, create its schema and reset fixtures."""
     super(BaseTestPermission, self).setUp()

     backend_config = self._get_config()
     self.permission = self.backend.load_from_config(backend_config)
     self.permission.initialize_schema()

     self.request = DummyRequest()
     # Starts out as an empty list.
     self.client_error_patcher = []
Exemplo n.º 37
 def get_request(self, resource_name=''):
     """Return a GET DummyRequest bound to this test's cache and storage.

     Args:
         resource_name: Value stored as ``current_resource_name``.
     """
     dummy = DummyRequest(method='GET')
     dummy.current_resource_name = resource_name

     # Point the registry at the backends held by the test case.
     dummy.registry.cache = self.cache
     dummy.registry.storage = self.storage
     return dummy
Exemplo n.º 38
 def test_removes_unprefixed_from_principals(self):
     """The bare user id ``foo`` is replaced by the prefixed ``basic:foo``."""
     request = DummyRequest()
     request.effective_principals = ["foo", "system.Authenticated"]
     request.prefixed_userid = "basic:foo"

     principals = prefixed_principals(request)

     self.assertEqual(principals, ["basic:foo", "system.Authenticated"])
Exemplo n.º 39
 def test_removes_unprefixed_from_principals(self):
     """The bare user id ``foo`` is replaced by the prefixed ``basic:foo``."""
     request = DummyRequest()
     request.effective_principals = ['foo', 'system.Authenticated']
     request.prefixed_userid = 'basic:foo'

     principals = prefixed_principals(request)

     self.assertEqual(principals, ['basic:foo', 'system.Authenticated'])
Exemplo n.º 40
 def test_works_if_userid_is_not_in_principals(self):
     """Principals that already hold only the prefixed id come back unchanged."""
     request = DummyRequest()
     # No bare 'foo' entry here, only the prefixed form.
     request.effective_principals = ['basic:foo', 'system.Authenticated']
     request.prefixed_userid = 'basic:foo'

     principals = prefixed_principals(request)

     self.assertEqual(principals, ['basic:foo', 'system.Authenticated'])