Exemplo n.º 1
def create_app(config_name):
    """Build and return the application for the configuration ``config_name``.

    The settings object is obtained by subscripting the module-level
    ``config`` object and is passed to ``create_woodbox``. The v1 API
    blueprint is then mounted under ``/api/v1`` and the session-management
    URLs are registered before the app is returned.
    """
    app = create_woodbox(config[config_name])

    # Imported inside the function, after the app exists
    # (presumably to avoid a circular import -- confirm).
    from .api_v1 import blueprint as api_v1_blueprint
    app.register_blueprint(api_v1_blueprint, url_prefix='/api/v1')

    # This call receives the app, not the blueprint, so the '/api/v1' prefix
    # given above is not passed along to the session-management URLs.
    add_session_management_urls(app)
    return app
Exemplo n.º 2
    def setUp(self):
        """Register the session URLs and store one user for the tests.

        Runs the base-class set-up, adds the session-management URLs to
        ``self.app``, initialises the database inside a test request context
        and commits a single user with an empty role list. ``self.u1`` ends
        up holding that user's id, not the model instance.
        """
        super(SessionTestCase, self).setUp()
        add_session_management_urls(self.app)

        request_ctx = self.app.test_request_context('/')
        with request_ctx:
            db.initialize()

            # Fixture account without roles; the credentials appear masked
            # ('******') in this listing.
            user = WBUserModel(username='******', password='******', roles=[])
            db.session.add(user)
            db.session.commit()

            # The id is read after the commit and is all the tests keep.
            self.u1 = user.id
Exemplo n.º 3
    def setUp(self):
        """Prepare the app and a single stored user for the session tests.

        The session-management URLs are attached to ``self.app`` after the
        base-class set-up. Inside a test request context the database is
        initialised and one user with no roles is committed; only the id of
        that user is kept in ``self.u1``.
        """
        super(SessionTestCase, self).setUp()
        add_session_management_urls(self.app)

        with self.app.test_request_context('/'):
            db.initialize()

            # The only account these tests rely on: no roles, credentials
            # masked ('******') in this listing.
            account = WBUserModel(
                username='******',
                password='******',
                roles=[],
            )
            db.session.add(account)
            db.session.commit()

            # Read the id once the row is committed.
            self.u1 = account.id
Exemplo n.º 4
    def setUp(self):
        """Register the session URLs, a protected route and one user.

        Besides the session-management URLs, a GET-only ``/test`` rule is
        added whose view is ``needs_authenticated_user_function``. The
        database is then initialised inside a test request context and one
        user with no roles is committed; ``self.u1`` keeps that user's id.
        """
        super(AuthenticatorTestCase, self).setUp()
        add_session_management_urls(self.app)

        # Route the authenticator tests call; judging by its name the view
        # requires an authenticated user (its body is not shown here).
        self.app.add_url_rule(
            '/test',
            'test',
            needs_authenticated_user_function,
            methods=['GET'],
        )

        request_ctx = self.app.test_request_context('/')
        with request_ctx:
            db.initialize()

            # Fixture account without roles; credentials are masked
            # ('******') in this listing.
            user = WBUserModel(username='******', password='******', roles=[])
            db.session.add(user)
            db.session.commit()

            # Only the id, read after the commit, is kept.
            self.u1 = user.id
Exemplo n.º 5
    def setUp(self):
        """Set up the app, a GET-only ``/test`` route and one stored user.

        After the base-class set-up the session-management URLs are added
        and ``/test`` is bound to ``needs_authenticated_user_function``.
        One role-less user is committed inside a test request context and
        its id is stored in ``self.u1``.
        """
        super(AuthenticatorTestCase, self).setUp()
        add_session_management_urls(self.app)

        # Extra route for the authenticator tests; only GET is allowed on it.
        allowed_methods = ['GET']
        self.app.add_url_rule('/test', 'test', needs_authenticated_user_function, methods=allowed_methods)

        with self.app.test_request_context('/'):
            db.initialize()

            # Single fixture account, no roles; the credentials are masked
            # ('******') in this listing.
            account = WBUserModel(
                username='******',
                password='******',
                roles=[],
            )
            db.session.add(account)
            db.session.commit()

            # Keep the id that is available once the row is committed.
            self.u1 = account.id
Exemplo n.º 6
    def test_record_api_with_acl_user_2(self):
        # Drives the "Test" API as the second fixture user: reading the
        # user's own record succeeds, while PATCH, DELETE and POST are each
        # answered with 405.
        json_api = "application/vnd.api+json"

        add_session_management_urls(self.app)
        make_api(
            self.api,
            "Test",
            MyTestModel,
            MyTestSchema,
            record_authorizer=IsOwner(),
            api_authorizers=[my_test_acl.authorize],
        )

        with self.app.test_client() as client:
            login = client.post("/authenticate", data={"username": "******", "password": "******"})
            session = json.loads(login.data)
            session_id = session["session_id"]
            secret = session["session_secret"]

            def sign(path, **request_parts):
                # Fresh authorization headers for one request. The path and,
                # when given, the method, content type and body are handed to
                # the authenticator (presumably so the signature covers them
                # -- confirm in HMACAuthenticator).
                return HMACAuthenticator.get_authorization_headers(session_id, secret, path, **request_parts)

            # Listing: only Bob's record comes back.
            listing = client.get("/my-tests", headers=sign("/my-tests"))
            self.assertEqual(listing.status_code, 200)
            self.assertEqual(
                listing.data,
                '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}]}\n',
            )

            # Reading the user's own record is allowed.
            record_url = "/my-tests/{}".format(self.d2)
            single = client.get(record_url, headers=sign(record_url))
            self.assertEqual(single.status_code, 200)
            self.assertEqual(
                single.data,
                '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}}\n',
            )

            # PATCH on the user's own record: 405, not 403 (presumably the
            # ACL gives this user no write methods -- confirm in my_test_acl).
            patch_data = json.dumps({"data": {"attributes": {"title": "SpongeBob SquarePants"}, "type": "my-tests"}})
            headers = sign(record_url, method="PATCH", content_type=json_api, body=patch_data)
            headers["Content-Type"] = json_api
            patched = client.patch(record_url, data=patch_data, headers=headers)
            self.assertEqual(patched.status_code, 405)

            # DELETE on the user's own record is refused the same way.
            deleted = client.delete(record_url, headers=sign(record_url, method="DELETE"))
            self.assertEqual(deleted.status_code, 405)

            # POST of a new record is refused as well.
            post_data = json.dumps(
                {
                    "data": {
                        "attributes": {"title": "Dennis the Menace", "author": "Hank Ketcham", "owner_id": "2"},
                        "type": "my-tests",
                    }
                }
            )
            headers = sign("/my-tests", method="POST", content_type=json_api, body=post_data)
            headers["Content-Type"] = json_api
            created = client.post("/my-tests", data=post_data, headers=headers)
            self.assertEqual(created.status_code, 405)
Exemplo n.º 7
    def test_record_api_with_acl_user_1(self):
        # Drives the "Test" API as the first fixture user: the user's own
        # record can be read, patched and deleted and a new record can be
        # posted, while reading, patching or deleting the other user's
        # record is answered with 403.
        json_api = "application/vnd.api+json"

        add_session_management_urls(self.app)
        make_api(
            self.api,
            "Test",
            MyTestModel,
            MyTestSchema,
            record_authorizer=IsOwner(),
            api_authorizers=[my_test_acl.authorize],
        )

        with self.app.test_client() as client:
            login = client.post("/authenticate", data={"username": "******", "password": "******"})
            session = json.loads(login.data)
            session_id = session["session_id"]
            secret = session["session_secret"]

            def sign(path, **request_parts):
                # Fresh authorization headers for one request. The path and,
                # when given, the method, content type and body are handed to
                # the authenticator (presumably so the signature covers them
                # -- confirm in HMACAuthenticator).
                return HMACAuthenticator.get_authorization_headers(session_id, secret, path, **request_parts)

            # Listing: only Alice's record comes back.
            listing = client.get("/my-tests", headers=sign("/my-tests"))
            self.assertEqual(listing.status_code, 200)
            self.assertEqual(
                listing.data,
                '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}]}\n',
            )

            # Reading the user's own record is allowed.
            own_url = "/my-tests/{}".format(self.d1)
            single = client.get(own_url, headers=sign(own_url))
            self.assertEqual(single.status_code, 200)
            self.assertEqual(
                single.data,
                '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}}\n',
            )

            # Reading the other user's record is forbidden.
            foreign_url = "/my-tests/{}".format(self.d2)
            foreign = client.get(foreign_url, headers=sign(foreign_url))
            self.assertEqual(foreign.status_code, 403)

            # PATCH on the user's own record succeeds with no body returned.
            patch_data = json.dumps(
                {"data": {"attributes": {"title": "Alice's Adventures in Wonderland"}, "type": "my-tests"}}
            )
            headers = sign(own_url, method="PATCH", content_type=json_api, body=patch_data)
            headers["Content-Type"] = json_api
            patched = client.patch(own_url, data=patch_data, headers=headers)
            self.assertEqual(patched.status_code, 204)
            self.assertEqual(patched.headers["Content-Location"], own_url)

            # PATCH on the other user's record: a correctly signed request is
            # still forbidden because the caller is not the owner.
            patch_data = json.dumps({"data": {"attributes": {"title": "SpongeBob SquarePants"}, "type": "my-tests"}})
            headers = sign(foreign_url, method="PATCH", content_type=json_api, body=patch_data)
            headers["Content-Type"] = json_api
            rejected = client.patch(foreign_url, data=patch_data, headers=headers)
            self.assertEqual(rejected.status_code, 403, rejected.data)

            # DELETE on the user's own record succeeds with an empty body.
            removed = client.delete(own_url, headers=sign(own_url, method="DELETE"))
            self.assertEqual(removed.status_code, 204)
            self.assertEqual(removed.data, "")

            # DELETE on the other user's record is forbidden.
            refused = client.delete(foreign_url, headers=sign(foreign_url, method="DELETE"))
            self.assertEqual(refused.status_code, 403)

            # POST of a new record.
            # NOTE(review): the body names owner_id "2" although this session
            # reads back records with owner id 1; only the status code and
            # Content-Location are asserted, so the owner stored for the new
            # record is not checked here.
            post_data = json.dumps(
                {
                    "data": {
                        "attributes": {"title": "Dennis the Menace", "author": "Hank Ketcham", "owner_id": "2"},
                        "type": "my-tests",
                    }
                }
            )
            headers = sign("/my-tests", method="POST", content_type=json_api, body=post_data)
            headers["Content-Type"] = json_api
            created = client.post("/my-tests", data=post_data, headers=headers)
            self.assertEqual(created.status_code, 200)
            # The expected id 4 depends on how many records the fixtures
            # created (presumably three -- confirm in setUp).
            self.assertEqual(created.headers["Content-Location"], "/my-tests/4")
Exemplo n.º 8
    def test_record_api_with_acl_user_2(self):
        # Second fixture user against the 'Test' API: both reads of the
        # user's own record return 200, every write method returns 405.
        media_type = 'application/vnd.api+json'
        collection_url = '/my-tests'

        add_session_management_urls(self.app)
        make_api(
            self.api, 'Test', MyTestModel, MyTestSchema,
            record_authorizer=IsOwner(),
            api_authorizers=[my_test_acl.authorize],
        )

        with self.app.test_client() as http:
            credentials = {'username': '******', 'password': '******'}
            auth_reply = json.loads(http.post('/authenticate', data=credentials).data)
            session_id = auth_reply['session_id']
            secret = auth_reply['session_secret']

            def auth_headers(url, **extra):
                # Headers are computed per request from the session id, the
                # session secret, the URL and whatever method / content type
                # / body the request carries.
                return HMACAuthenticator.get_authorization_headers(session_id, secret, url, **extra)

            # get all Bob's records
            reply = http.get(collection_url, headers=auth_headers(collection_url))
            self.assertEqual(reply.status_code, 200)
            expected_listing = '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}]}\n'
            self.assertEqual(reply.data, expected_listing)

            # get one allowed record
            item_url = '/my-tests/{}'.format(self.d2)
            reply = http.get(item_url, headers=auth_headers(item_url))
            self.assertEqual(reply.status_code, 200)
            expected_item = '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "2"}}, "owner-id": 2, "author": "Stephen Hillenburg", "title": "SpongeBob"}, "type": "my-tests", "id": "2"}}\n'
            self.assertEqual(reply.data, expected_item)

            # patch the user's own record: answered with 405 rather than 403
            # (presumably the ACL lists no write methods for this user --
            # confirm in my_test_acl)
            patch_data = json.dumps({
                "data": {
                    "attributes": {"title": "SpongeBob SquarePants"},
                    "type": "my-tests",
                }
            })
            headers = auth_headers(item_url, method='PATCH', content_type=media_type, body=patch_data)
            headers['Content-Type'] = media_type
            reply = http.patch(item_url, data=patch_data, headers=headers)
            self.assertEqual(reply.status_code, 405)

            # delete the user's own record: also 405
            headers = auth_headers(item_url, method='DELETE')
            reply = http.delete(item_url, headers=headers)
            self.assertEqual(reply.status_code, 405)

            # post a new record: also 405
            post_data = json.dumps({
                "data": {
                    "attributes": {
                        "title": "Dennis the Menace",
                        "author": "Hank Ketcham",
                        "owner_id": "2",
                    },
                    "type": "my-tests",
                }
            })
            headers = auth_headers(collection_url, method='POST', content_type=media_type, body=post_data)
            headers['Content-Type'] = media_type
            reply = http.post(collection_url, data=post_data, headers=headers)
            self.assertEqual(reply.status_code, 405)
Exemplo n.º 9
    def test_record_api_with_acl_user_1(self):
        # First fixture user against the 'Test' API: own record readable,
        # patchable and deletable, a new record can be posted, and every
        # access to the other user's record returns 403.
        media_type = 'application/vnd.api+json'
        collection_url = '/my-tests'

        add_session_management_urls(self.app)
        make_api(
            self.api, 'Test', MyTestModel, MyTestSchema,
            record_authorizer=IsOwner(),
            api_authorizers=[my_test_acl.authorize],
        )

        with self.app.test_client() as http:
            credentials = {'username': '******', 'password': '******'}
            auth_reply = json.loads(http.post('/authenticate', data=credentials).data)
            session_id = auth_reply['session_id']
            secret = auth_reply['session_secret']

            def auth_headers(url, **extra):
                # Headers are computed per request from the session id, the
                # session secret, the URL and whatever method / content type
                # / body the request carries.
                return HMACAuthenticator.get_authorization_headers(session_id, secret, url, **extra)

            # get all Alice's records
            reply = http.get(collection_url, headers=auth_headers(collection_url))
            self.assertEqual(reply.status_code, 200)
            expected_listing = '{"data": [{"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}]}\n'
            self.assertEqual(reply.data, expected_listing)

            # get one allowed record
            mine = '/my-tests/{}'.format(self.d1)
            reply = http.get(mine, headers=auth_headers(mine))
            self.assertEqual(reply.status_code, 200)
            expected_item = '{"data": {"attributes": {"owner": {"data": {"attributes": {"username": "******"}, "type": "users", "id": "1"}}, "owner-id": 1, "author": "Lewis Caroll", "title": "Alice in Wonderland"}, "type": "my-tests", "id": "1"}}\n'
            self.assertEqual(reply.data, expected_item)

            # get a forbidden record
            theirs = '/my-tests/{}'.format(self.d2)
            reply = http.get(theirs, headers=auth_headers(theirs))
            self.assertEqual(reply.status_code, 403)

            # patch Alice's records
            patch_data = json.dumps({
                "data": {
                    "attributes": {"title": "Alice's Adventures in Wonderland"},
                    "type": "my-tests",
                }
            })
            headers = auth_headers(mine, method='PATCH', content_type=media_type, body=patch_data)
            headers['Content-Type'] = media_type
            reply = http.patch(mine, data=patch_data, headers=headers)
            self.assertEqual(reply.status_code, 204)
            self.assertEqual(reply.headers['Content-Location'], mine)

            # patch someone else's record: forbidden because the caller is
            # not the owner, even though the request is signed for this URL
            patch_data = json.dumps({
                "data": {
                    "attributes": {"title": "SpongeBob SquarePants"},
                    "type": "my-tests",
                }
            })
            headers = auth_headers(theirs, method='PATCH', content_type=media_type, body=patch_data)
            headers['Content-Type'] = media_type
            reply = http.patch(theirs, data=patch_data, headers=headers)
            self.assertEqual(reply.status_code, 403, reply.data)

            # delete own record: 204 with an empty body
            headers = auth_headers(mine, method='DELETE')
            reply = http.delete(mine, headers=headers)
            self.assertEqual(reply.status_code, 204)
            self.assertEqual(reply.data, '')

            # delete someone else's record: forbidden
            headers = auth_headers(theirs, method='DELETE')
            reply = http.delete(theirs, headers=headers)
            self.assertEqual(reply.status_code, 403)

            # post a new record
            # NOTE(review): the body names owner_id "2" although this session
            # reads back records with owner id 1; only the status code and
            # Content-Location are asserted, so the owner stored for the new
            # record is not checked here.
            post_data = json.dumps({
                "data": {
                    "attributes": {
                        "title": "Dennis the Menace",
                        "author": "Hank Ketcham",
                        "owner_id": "2",
                    },
                    "type": "my-tests",
                }
            })
            headers = auth_headers(collection_url, method='POST', content_type=media_type, body=post_data)
            headers['Content-Type'] = media_type
            reply = http.post(collection_url, data=post_data, headers=headers)
            self.assertEqual(reply.status_code, 200)
            # The expected id 4 depends on how many records the fixtures
            # created (presumably three -- confirm in setUp).
            self.assertEqual(reply.headers['Content-Location'], '/my-tests/4')