def test_accepted_dev_cant_authenticate(self, tenants_users_devices):
    """Check that a suspended tenant's accepted device is refused a token.

    The first tenant's first device has its auth set accepted, the tenant is
    then suspended through the internal tenantadm API, and a freshly signed
    auth request must come back as 401 with the error 'Account suspended'.
    """
    tenant = tenants_users_devices[0]
    device = tenant.devices[0]
    user = tenant.users[0]

    devauth_api = ApiClient(deviceauth.URL_DEVICES)
    user_api = ApiClient(useradm.URL_MGMT)
    tenant_api = ApiClient(tenantadm.URL_INTERNAL)

    # accept a dev
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    aset = device.authsets[0]
    change_authset_status(aset.did, aset.id, 'accepted', utoken)

    # suspend
    suspend = tenant_api.call('PUT', tenantadm.URL_INTERNAL_SUSPEND,
                              tenantadm.req_status('suspended'),
                              path_params={'tid': tenant.id})
    assert suspend.status_code == 200

    # fixed delay before probing; presumably lets the suspension take
    # effect across services - confirm
    time.sleep(10)

    # try requesting auth
    body, sighdr = deviceauth.auth_req(aset.id_data,
                                       aset.pubkey,
                                       aset.privkey,
                                       tenant.tenant_token)
    resp = devauth_api.call('POST', deviceauth.URL_AUTH_REQS, body,
                            headers=sighdr)

    assert resp.status_code == 401
    assert resp.json()['error'] == 'Account suspended'
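def test_user_cannot_log_in(self, tenants_users):
    """Check that suspending a tenant blocks its users' logins only.

    Every user of the first tenant must be able to log in before the
    suspension and must get 401 afterwards, while users of the second
    tenant must still log in with 200.
    """
    tc = ApiClient(tenantadm.URL_INTERNAL)
    uc = ApiClient(useradm.URL_MGMT)

    suspended, other = tenants_users[0], tenants_users[1]

    # With an empty user list the loops below would pass without checking
    # anything, so require both tenants to have users.
    assert suspended.users, 'suspended tenant has no users to test'
    assert other.users, 'control tenant has no users to test'

    # tenant's users can log in
    for u in suspended.users:
        r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd))
        assert r.status_code == 200

    # suspend tenant
    r = tc.call('PUT', tenantadm.URL_INTERNAL_SUSPEND,
                tenantadm.req_status('suspended'),
                path_params={'tid': suspended.id})
    assert r.status_code == 200

    # fixed delay before re-checking; presumably lets the suspension take
    # effect - confirm
    time.sleep(10)

    # none of tenant's users can log in
    for u in suspended.users:
        r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd))
        assert r.status_code == 401

    # but other users still can
    for u in other.users:
        r = uc.call('POST', useradm.URL_LOGIN, auth=(u.name, u.pwd))
        assert r.status_code == 200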
def test_authenticated_user_is_rejected(self, tenants_users):
    """Check that a user token issued before suspension stops working.

    The first tenant's first user logs in and lists devices successfully;
    after the tenant is suspended the same token must be answered with 401
    on the same deviceauth v2 management call.
    """
    tenant = tenants_users[0]
    user = tenant.users[0]

    tenant_api = ApiClient(tenantadm.URL_INTERNAL)
    user_api = ApiClient(useradm.URL_MGMT)
    devauth_api = ApiClient(deviceauth_v2.URL_MGMT)

    # log in
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    token = login.text

    # check can access an api
    before = devauth_api.with_auth(token).call('GET',
                                               deviceauth_v2.URL_DEVICES)
    assert before.status_code == 200

    # suspend tenant
    suspend = tenant_api.call('PUT', tenantadm.URL_INTERNAL_SUSPEND,
                              tenantadm.req_status('suspended'),
                              path_params={'tid': tenant.id})
    assert suspend.status_code == 200

    # fixed delay before re-checking; presumably lets the suspension take
    # effect - confirm
    time.sleep(10)

    # check token is rejected
    after = devauth_api.with_auth(token).call('GET',
                                              deviceauth_v2.URL_DEVICES)
    assert after.status_code == 401
def test_authenticated_dev_is_rejected(self, tenants_users_devices):
    """Check that a device token issued before suspension stops working.

    The first tenant's first device is accepted, obtains a token and polls
    the deployments API (204). After the tenant is suspended the same token
    must be answered with 401.
    """
    tenant = tenants_users_devices[0]
    device = tenant.devices[0]
    user = tenant.users[0]

    devadm_api = ApiClient(deviceadm.URL_MGMT)
    user_api = ApiClient(useradm.URL_MGMT)
    devauth_api = ApiClient(deviceauth.URL_DEVICES)
    tenant_api = ApiClient(tenantadm.URL_INTERNAL)
    deployments_api = ApiClient(deployments.URL_DEVICES)

    # the same deployments request is sent before and after the suspension
    next_deployment_qs = {'device_type': 'foo', 'artifact_name': 'bar'}

    # accept a dev
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    accept = devadm_api.with_auth(utoken).call(
        'PUT',
        deviceadm.URL_AUTHSET_STATUS,
        deviceadm.req_status('accepted'),
        path_params={'id': get_authset_id(device.pubkey, utoken)})
    assert accept.status_code == 200

    # request auth
    body, sighdr = deviceauth.auth_req(device.id_data,
                                       device.pubkey,
                                       device.privkey,
                                       device.tenant_token)
    auth = devauth_api.call('POST', deviceauth.URL_AUTH_REQS, body,
                            headers=sighdr)
    assert auth.status_code == 200
    dtoken = auth.text

    # check device can access APIs
    before = deployments_api.with_auth(dtoken).call(
        'GET', deployments.URL_NEXT, qs_params=next_deployment_qs)
    assert before.status_code == 204

    # suspend
    suspend = tenant_api.call('PUT', tenantadm.URL_INTERNAL_SUSPEND,
                              tenantadm.req_status('suspended'),
                              path_params={'tid': tenant.id})
    assert suspend.status_code == 200

    # fixed delay before re-checking; presumably lets the suspension take
    # effect - confirm
    time.sleep(10)

    # check device is rejected
    after = deployments_api.with_auth(dtoken).call(
        'GET', deployments.URL_NEXT, qs_params=next_deployment_qs)
    assert after.status_code == 401
def do_test_delete_device_ok(self, devs_authsets, user, tenant_token=''):
    """Decommission a pending and an accepted device and verify the effects.

    For the pending device only its disappearance (404) is checked. The
    accepted device first obtains a token; after decommissioning, that token
    must be refused by the deployments API (401) and the device must be
    gone from the management API (404).
    """
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)
    dev_api = ApiClient(deviceauth_v1.URL_DEVICES)
    user_api = ApiClient(useradm.URL_MGMT)
    deployments_api = ApiClient(deployments.URL_DEVICES)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    # decommission a pending device
    dev_pending = filter_and_page_devs(devs_authsets, status='pending')[0]
    pending_path = {'id': dev_pending.id}
    r = mgmt_api.with_auth(utoken).call('DELETE',
                                        deviceauth_v2.URL_DEVICE,
                                        path_params=pending_path)
    assert r.status_code == 204

    # only verify the device is gone
    r = mgmt_api.with_auth(utoken).call('GET',
                                        deviceauth_v2.URL_DEVICE,
                                        path_params=pending_path)
    assert r.status_code == 404

    # log in an accepted device
    dev_acc = filter_and_page_devs(devs_authsets, status='accepted')[0]
    acc_aset = dev_acc.authsets[0]
    body, sighdr = deviceauth_v1.auth_req(dev_acc.id_data,
                                          acc_aset.pubkey,
                                          acc_aset.privkey,
                                          tenant_token)
    r = dev_api.call('POST', deviceauth_v1.URL_AUTH_REQS, body,
                     headers=sighdr)
    assert r.status_code == 200
    dtoken = r.text

    # decommission the accepted device
    accepted_path = {'id': dev_acc.id}
    r = mgmt_api.with_auth(utoken).call('DELETE',
                                        deviceauth_v2.URL_DEVICE,
                                        path_params=accepted_path)
    assert r.status_code == 204

    # verify the device lost access
    r = deployments_api.with_auth(dtoken).call(
        'GET',
        deployments.URL_NEXT,
        qs_params={'device_type': 'foo', 'artifact_name': 'bar'})
    assert r.status_code == 401

    # verify the device is gone
    r = mgmt_api.with_auth(utoken).call('GET',
                                        deviceauth_v2.URL_DEVICE,
                                        path_params=accepted_path)
    assert r.status_code == 404
def create_tenant(name):
    """Create a tenant via cli and return it with its id and tenant token.

    The tenant id comes from the CLI; the token is looked up by paging
    through the internal tenant listing (20 entries per page) until the id
    is found or an empty page is returned. Exactly one match is required.
    """
    cli = CliTenantadm()
    api = ApiClient(tenantadm.URL_INTERNAL)

    tenant_id = cli.create_tenant(name)

    per_page = 20
    page = 0
    matches = None

    while True:
        page += 1
        r = api.call('GET', tenantadm.URL_INTERNAL_TENANTS,
                     qs_params={'page': page, 'per_page': per_page})
        assert r.status_code == 200

        listed = r.json()
        matches = [entry for entry in listed if entry['id'] == tenant_id]

        # stop on a hit, or when the listing is exhausted
        if matches or not listed:
            break

    assert len(matches) == 1

    return Tenant(name, tenant_id, matches[0]['tenant_token'])
def create_authset(id_data, pubkey, privkey, utoken, tenant_token=''):
    """Submit a device auth request and return the resulting pending Authset.

    The auth request is expected to be answered with 401. The device is then
    looked up by its identity data and must carry exactly one auth set with
    the given public key, matching identity data and status 'pending'.
    """
    api = ApiClient(deviceauth_v1.URL_DEVICES)

    body, sighdr = deviceauth_v1.auth_req(id_data, pubkey, privkey,
                                          tenant_token)

    # submit auth req
    r = api.call('POST', deviceauth_v1.URL_AUTH_REQS, body, headers=sighdr)
    assert r.status_code == 401

    # dev must exist and have *this* aset
    api_dev = get_device_by_id_data(id_data, utoken)
    assert api_dev is not None

    matching = [
        a for a in api_dev['auth_sets']
        if util.crypto.rsa_compare_keys(a['pubkey'], pubkey)
    ]
    assert len(matching) == 1

    api_aset = matching[0]
    assert api_aset['identity_data'] == id_data
    assert api_aset['status'] == 'pending'

    return Authset(api_aset['id'], api_dev['id'], id_data, pubkey, privkey,
                   'pending')
def do_test_delete_status_failed(self, devs_authsets, user):
    """Check that deleting an unknown auth set or device returns 404."""
    user_api = ApiClient(useradm.URL_MGMT)
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)

    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    not_found_cases = [
        # not found: valid device, bogus authset
        (devs_authsets[0].id, "foo"),
        # not found: bogus device
        ("foo", "bar"),
    ]

    for did, aid in not_found_cases:
        r = mgmt_api.with_auth(utoken).call('DELETE',
                                            deviceauth_v2.URL_AUTHSET,
                                            path_params={'did': did,
                                                         'aid': aid})
        assert r.status_code == 404
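def test_fail_no_attr_value(self, user):
    """Check that an inventory attribute without a value is rejected.

    An accepted device PATCHes its attributes with an entry that has a
    'name' but no 'value'; the inventory device API must answer 400.
    """
    useradmm = ApiClient(useradm.URL_MGMT)
    devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
    invd = ApiClient(inventory.URL_DEV)

    # log in user
    r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
    assert r.status_code == 200
    utoken = r.text

    # prepare accepted devices
    devs = make_accepted_devices(utoken, devauthd, 1)

    # wait for devices to be provisioned
    time.sleep(3)

    # attribute entry deliberately lacks the "value" key
    payload = [{
        "name": "mac",
    }]

    for d in devs:
        r = invd.with_auth(d.token).call('PATCH',
                                         inventory.URL_DEVICE_ATTRIBUTES,
                                         payload)
        assert r.status_code == 400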
def do_test_get_authset_status(self, devs_authsets, user):
    """Check the auth set status endpoint for known and unknown ids.

    Every auth set of every given device must report the status recorded
    locally; an unknown auth set or an unknown device must return 404.
    """
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)
    user_api = ApiClient(useradm.URL_MGMT)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    def get_status(did, aid):
        return mgmt_api.with_auth(utoken).call(
            'GET',
            deviceauth_v2.URL_AUTHSET_STATUS,
            path_params={'did': did, 'aid': aid})

    # try valid authsets
    for dev in devs_authsets:
        for aset in dev.authsets:
            r = get_status(dev.id, aset.id)
            assert r.status_code == 200
            assert r.json()['status'] == aset.status

    # invalid authset or device
    for did, aid in [(devs_authsets[0].id, "foo"), ("foo", "bar")]:
        r = get_status(did, aid)
        assert r.status_code == 404
def do_test_delete_device_not_found(self, devs_authsets, user):
    """Check that deleting an unknown device is a 404 with no side effects.

    After the failed DELETE the device listing is fetched again and compared
    against the expected devices.
    """
    user_api = ApiClient(useradm.URL_MGMT)
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    authed = mgmt_api.with_auth(utoken)

    # try delete
    deleted = authed.call('DELETE', deviceauth_v2.URL_DEVICE,
                          path_params={'id': 'foo'})
    assert deleted.status_code == 404

    # check device list unmodified
    listing = mgmt_api.with_auth(utoken).call('GET',
                                              deviceauth_v2.URL_DEVICES)
    assert listing.status_code == 200

    self._compare_devs(devs_authsets, listing.json())
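def do_test_get_devices_ok(self, user, tenant_token=''):
    """Check that all accepted devices show up in the inventory listing.

    Forty devices are accepted for the user (optionally under tenant_token)
    and, after a fixed wait, the inventory management listing with
    per_page=100 must return exactly forty devices.
    """
    useradmm = ApiClient(useradm.URL_MGMT)
    devauthd = ApiClient(deviceauth_v1.URL_DEVICES)
    invm = ApiClient(inventory.URL_MGMT)

    # log in user
    r = useradmm.call('POST', useradm.URL_LOGIN, auth=(user.name, user.pwd))
    assert r.status_code == 200
    utoken = r.text

    # prepare accepted devices
    devs = make_accepted_devices(utoken, devauthd, 40, tenant_token)

    # wait for devices to be provisioned
    time.sleep(3)

    r = invm.with_auth(utoken).call('GET',
                                    inventory.URL_DEVICES,
                                    qs_params={'per_page': 100})
    assert r.status_code == 200
    api_devs = r.json()
    assert len(api_devs) == 40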
def verify_devices_unmodified(self, user, in_devices):
    """Check that the device listing still matches the given devices.

    Every listed device must be 'pending', correspond to exactly one input
    device by identity data, and hold a single auth set whose public key
    equals that input device's key.
    """
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)
    user_api = ApiClient(useradm.URL_MGMT)

    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    listing = mgmt_api.with_auth(utoken).call('GET',
                                              deviceauth_v2.URL_DEVICES)
    assert listing.status_code == 200
    api_devs = listing.json()

    assert len(api_devs) == len(in_devices)

    for api_dev in api_devs:
        assert api_dev['status'] == 'pending'

        candidates = [d for d in in_devices
                      if d.id_data == api_dev['identity_data']]
        assert len(candidates) == 1
        expected = candidates[0]

        assert len(api_dev['auth_sets']) == 1
        only_aset = api_dev['auth_sets'][0]
        assert util.crypto.rsa_compare_keys(only_aset['pubkey'],
                                            expected.pubkey)
def do_test_get_device(self, devs_authsets, user):
    """Check single-device lookup for existing and unknown device ids.

    Each given device must be returned with 200 and compare equal to the
    local record; the ids 'foo' and 'bar' must return 404.
    """
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)
    user_api = ApiClient(useradm.URL_MGMT)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    def get_device(device_id):
        return mgmt_api.with_auth(utoken).call(
            'GET',
            deviceauth_v2.URL_DEVICE,
            path_params={'id': device_id})

    # existing devices
    for dev in devs_authsets:
        r = get_device(dev.id)
        assert r.status_code == 200
        self._compare_dev(dev, r.json())

    # non-existent devices
    for bogus_id in ['foo', 'bar']:
        r = get_device(bogus_id)
        assert r.status_code == 404
def test_fail_bad_request(self, user):
    """Check that malformed preauthorization requests are rejected with 400.

    Two cases are sent to the deviceauth v2 management API: identity data
    given as a string instead of a dict, and a public key that is not a key.
    """
    user_api = ApiClient(useradm.URL_MGMT)
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    def preauth(id_data, pubkey):
        body = deviceauth_v2.preauth_req(id_data, pubkey)
        return mgmt_api.with_auth(utoken).call('POST',
                                               deviceauth_v2.URL_DEVICES,
                                               body)

    # id data not json
    _priv, pub = util.crypto.rsa_get_keypair()
    r = preauth('{\"mac\": \"foo\"}', pub)
    assert r.status_code == 400

    # not a valid key
    r = preauth({'mac': 'foo'}, 'not a public key')
    assert r.status_code == 400
def test_ok(self, user):
    """Check that devices can update inventory attributes, empty ones too.

    Three accepted devices each PATCH three attributes ('mac', 'sn' with an
    empty value, 'new-empty' with an empty value). Each device is then read
    back through the management API and must hold exactly those attributes
    with the submitted values.
    """
    user_api = ApiClient(useradm.URL_MGMT)
    devauth_api = ApiClient(deviceauth_v1.URL_DEVICES)
    inv_mgmt = ApiClient(inventory.URL_MGMT)
    inv_dev = ApiClient(inventory.URL_DEV)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    # prepare accepted devices
    devs = make_accepted_devices(utoken, devauth_api, 3)

    # wait for devices to be provisioned
    time.sleep(3)

    for dev in devs:
        payload = [
            {
                "name": "mac",
                "value": "mac-new-" + str(dev.id)
            },
            {
                # empty value for existing
                "name": "sn",
                "value": "",
            },
            {
                # empty value for new
                "name": "new-empty",
                "value": "",
            }
        ]
        r = inv_dev.with_auth(dev.token).call(
            'PATCH', inventory.URL_DEVICE_ATTRIBUTES, payload)
        assert r.status_code == 200

    for dev in devs:
        r = inv_mgmt.with_auth(utoken).call('GET',
                                            inventory.URL_DEVICE,
                                            path_params={'id': dev.id})
        assert r.status_code == 200

        api_dev = r.json()
        assert len(api_dev['attributes']) == 3

        expected = {
            'mac': 'mac-new-' + str(api_dev['id']),
            'sn': '',
            'new-empty': '',
        }
        for attr in api_dev['attributes']:
            assert attr['name'] in expected, \
                'unexpected attribute ' + attr['name']
            assert attr['value'] == expected[attr['name']]
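def tenants_users_devices(tenants_users, mongo):
    """Give every tenant two devices with a submitted auth request.

    For each device a key pair and a random MAC are generated, an auth
    request is submitted (expected to be answered with 401) and the id of
    the matching deviceadm auth set is stored on the device as authset_id.
    Yields the tenants, then calls mongo_cleanup(mongo). The yield suggests
    use as a pytest fixture; the decorator is not visible here.
    """
    devauthd = ApiClient(deviceauth.URL_DEVICES)
    devadmm = ApiClient(deviceadm.URL_MGMT)
    useradmm = ApiClient(useradm.URL_MGMT)

    for t in tenants_users:
        # One login per tenant is enough: every auth set lookup below is
        # done as the tenant's first user.
        r = useradmm.call('POST', useradm.URL_LOGIN,
                          auth=(t.users[0].name, t.users[0].pwd))
        assert r.status_code == 200
        utoken = r.text

        for _ in range(2):
            priv, pub = deviceauth.get_keypair()
            # random MAC is only a unique-looking identity for test data
            mac = ":".join("{:02x}".format(random.randint(0x00, 0xFF))
                           for _ in range(6))
            d = Device({'mac': mac}, pub, priv, t.tenant_token)

            body, sighdr = deviceauth.auth_req(d.id_data,
                                               d.pubkey,
                                               d.privkey,
                                               d.tenant_token)

            # submit auth req
            r = devauthd.call('POST', deviceauth.URL_AUTH_REQS, body,
                              headers=sighdr)
            assert r.status_code == 401

            # get the authset id for future acceptance
            r = devadmm.with_auth(utoken).call('GET',
                                               deviceadm.URL_AUTHSETS)
            assert r.status_code == 200

            matches = [x for x in r.json()
                       if compare_keys(x['key'], d.pubkey)]
            # fail with a readable message rather than an IndexError
            assert matches, 'no auth set found for the submitted device key'

            d.authset_id = matches[0]['id']
            t.devices.append(d)

    yield tenants_users

    mongo_cleanup(mongo)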
def test_accepted_dev_cant_authenticate(self, tenants_users_devices):
    """Check that a suspended tenant's accepted device is refused a token.

    The first tenant's first device is accepted through deviceadm, the
    tenant is suspended, and a freshly signed auth request must come back
    as 401 with the error 'Account suspended'.
    """
    tenant = tenants_users_devices[0]
    device = tenant.devices[0]
    user = tenant.users[0]

    devadm_api = ApiClient(deviceadm.URL_MGMT)
    user_api = ApiClient(useradm.URL_MGMT)
    devauth_api = ApiClient(deviceauth.URL_DEVICES)
    tenant_api = ApiClient(tenantadm.URL_INTERNAL)

    # accept a dev
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    accept = devadm_api.with_auth(utoken).call(
        'PUT',
        deviceadm.URL_AUTHSET_STATUS,
        deviceadm.req_status('accepted'),
        path_params={'id': get_authset_id(device.pubkey, utoken)})
    assert accept.status_code == 200

    # suspend
    suspend = tenant_api.call('PUT', tenantadm.URL_INTERNAL_SUSPEND,
                              tenantadm.req_status('suspended'),
                              path_params={'tid': tenant.id})
    assert suspend.status_code == 200

    # fixed delay before probing; presumably lets the suspension take
    # effect - confirm
    time.sleep(10)

    # try requesting auth
    body, sighdr = deviceauth.auth_req(device.id_data,
                                       device.pubkey,
                                       device.privkey,
                                       device.tenant_token)
    resp = devauth_api.call('POST', deviceauth.URL_AUTH_REQS, body,
                            headers=sighdr)

    assert resp.status_code == 401
    assert resp.json()['error'] == 'Account suspended'
def do_test_put_status_failed(self, devs_authsets, user):
    """Check the error responses of the auth set status update endpoint.

    Unknown auth set or device ids must return 404; an unknown status value
    or a payload of the wrong shape on an existing auth set must return 400.
    """
    user_api = ApiClient(useradm.URL_MGMT)
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)

    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    def put_status(payload, did, aid):
        return mgmt_api.with_auth(utoken).call(
            'PUT',
            deviceauth_v2.URL_AUTHSET_STATUS,
            payload,
            path_params={'did': did, 'aid': aid})

    # not found: valid device, bogus authset
    r = put_status(deviceauth_v2.req_status('accepted'),
                   devs_authsets[0].id, "foo")
    assert r.status_code == 404

    # not found: bogus device
    r = put_status(deviceauth_v2.req_status('accepted'), "foo", "bar")
    assert r.status_code == 404

    # bad request - invalid status
    r = put_status(deviceauth_v2.req_status('invalid'),
                   devs_authsets[0].id,
                   devs_authsets[0].authsets[0].id)
    assert r.status_code == 400

    # bad request - invalid payload
    r = put_status('{"foo": "bar"}',
                   devs_authsets[0].id,
                   devs_authsets[0].authsets[0].id)
    assert r.status_code == 400
def create_device(id_data, pubkey, privkey, tenant_token=''):
    """Submit an auth request for a new device and return a Device record.

    The request is expected to be answered with 401; per the original note
    this leaves the device and its auth set in the 'pending' state.
    """
    devauth_api = ApiClient(deviceauth_v1.URL_DEVICES)

    body, sighdr = deviceauth_v1.auth_req(id_data, pubkey, privkey,
                                          tenant_token)

    # submit auth req
    resp = devauth_api.call('POST', deviceauth_v1.URL_AUTH_REQS, body,
                            headers=sighdr)
    assert resp.status_code == 401

    return Device(id_data, pubkey, privkey, tenant_token)
def make_devs_with_authsets(user, tenant_token=''):
    """Create a mixed set of devices and return them as a list.

    Logs the user in and creates, in this order: pending devices (single
    and multiple auth sets), accepted devices (single and multiple auth
    sets), rejected devices, preauthorized devices, and preauthorized
    devices with extra pending auth sets. The original docstring says the
    results are DevWithAuthsets objects.
    """
    user_api = ApiClient(useradm.URL_MGMT)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    devices = []

    # some vanilla 'pending' devices, single authset
    devices += [make_pending_device(utoken, 1, tenant_token=tenant_token)
                for _ in range(5)]

    # some pending devices with > 1 authsets
    devices += [make_pending_device(utoken, 3, tenant_token=tenant_token)
                for _ in range(2)]

    # some 'accepted' devices, single authset
    devices += [make_accepted_device(utoken, 1, tenant_token=tenant_token)
                for _ in range(3)]

    # some 'accepted' devices with >1 authsets
    devices += [make_accepted_device(utoken, 3, tenant_token=tenant_token)
                for _ in range(2)]

    # some rejected devices
    devices += [make_rejected_device(utoken, 3, tenant_token=tenant_token)
                for _ in range(2)]

    # preauth'd devices
    devices += [make_preauthd_device(utoken) for _ in range(2)]

    # preauth'd devices with extra 'pending' sets
    devices += [
        make_preauthd_device_with_pending(utoken,
                                          num_pending=2,
                                          tenant_token=tenant_token)
        for _ in range(2)
    ]

    return devices
def devices(clean_migrated_mongo, user):
    """Yield five devices, each built from a freshly created random auth set.

    Logs the user in first and uses that token to create the auth sets.
    clean_migrated_mongo is not referenced in the body; presumably it is
    requested only for its setup effect - confirm.
    """
    user_api = ApiClient(useradm.URL_MGMT)

    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    created = []
    for _ in range(5):
        authset = create_random_authset(utoken)
        created.append(Device(authset.did, authset.id_data, authset.pubkey))

    yield created
def tenants_users_devices(tenants_users, mongo):
    """Give every tenant two devices, each with one random auth set.

    Logs in as each tenant's first user, creates the auth sets under the
    tenant's token and appends the resulting devices to the tenant. Yields
    the tenants. No teardown runs here and mongo is not referenced in the
    body; cleanup is presumably left to the fixtures this depends on -
    confirm.
    """
    user_api = ApiClient(useradm.URL_MGMT)

    for tenant in tenants_users:
        first_user = tenant.users[0]

        login = user_api.call('POST', useradm.URL_LOGIN,
                              auth=(first_user.name, first_user.pwd))
        assert login.status_code == 200
        utoken = login.text

        for _ in range(2):
            authset = create_random_authset(utoken, tenant.tenant_token)

            device = Device(authset.did, authset.id_data, authset.pubkey,
                            tenant.tenant_token)
            device.authsets.append(authset)

            tenant.devices.append(device)

    yield tenants_users
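def create_tenant(name):
    """Create a tenant via cli and return it with its id and tenant token.

    The tenant id comes from the CLI; the token is read from the internal
    tenant listing, which must contain exactly one entry with that id.
    """
    cli = CliTenantadm()
    api = ApiClient(tenantadm.URL_INTERNAL)

    tenant_id = cli.create_tenant(name)

    r = api.call('GET', tenantadm.URL_INTERNAL_TENANTS)
    assert r.status_code == 200

    matches = [at for at in r.json() if at['id'] == tenant_id]

    # Fail with a readable message instead of an IndexError when the new
    # tenant is missing from the response (for instance if the listing
    # turns out to be paginated - confirm).
    assert len(matches) == 1, \
        'expected exactly one listed tenant with id %s, got %d' % (
            tenant_id, len(matches))

    return Tenant(name, tenant_id, matches[0]['tenant_token'])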
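def tenants(mongo):
    """Create two tenants, yield them with id and token, then clean up.

    Tenants 'tenant1' and 'tenant2' are created via the CLI; their tokens
    are read from the internal tenant listing. After the yield,
    mongo_cleanup(mongo) is called.
    """
    cli = CliTenantadm()
    api = ApiClient(tenantadm.URL_INTERNAL)

    tenants = [Tenant('tenant1'), Tenant('tenant2')]

    for t in tenants:
        t.id = cli.create_tenant(t.name)

    r = api.call('GET', tenantadm.URL_INTERNAL_TENANTS)
    # A failed listing would otherwise surface later as a confusing
    # KeyError/IndexError while looking up the tokens.
    assert r.status_code == 200
    api_tenants = r.json()

    for t in tenants:
        matches = [at for at in api_tenants if at['id'] == t.id]
        assert matches, 'tenant %s not found in tenant listing' % t.id
        t.tenant_token = matches[0]['tenant_token']

    yield tenants

    mongo_cleanup(mongo)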
def do_test_filter_devices_ok(self, user, tenant_token=''):
    """Check that the inventory listing can be filtered by an attribute.

    Forty accepted devices each upload a distinct 'mac' attribute; listing
    with mac='de:ad:be:ef:06:7' must then return exactly one device.
    """
    user_api = ApiClient(useradm.URL_MGMT)
    devauth_api = ApiClient(deviceauth_v1.URL_DEVICES)
    inv_mgmt = ApiClient(inventory.URL_MGMT)
    inv_dev = ApiClient(inventory.URL_DEV)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    # prepare accepted devices
    devs = make_accepted_devices(utoken, devauth_api, 40, tenant_token)

    # wait for devices to be provisioned
    time.sleep(3)

    listing = inv_mgmt.with_auth(utoken).call('GET',
                                              inventory.URL_DEVICES,
                                              qs_params={'per_page': 100})
    assert listing.status_code == 200
    assert len(listing.json()) == 40

    # upload inventory attributes
    for index, dev in enumerate(devs):
        attrs = [{"name": "mac", "value": "de:ad:be:ef:06:" + str(index)}]
        r = inv_dev.with_auth(dev.token).call(
            'PATCH', inventory.URL_DEVICE_ATTRIBUTES, attrs)
        assert r.status_code == 200

    # get device with exact mac value
    filtered = inv_mgmt.with_auth(utoken).call(
        'GET',
        inventory.URL_DEVICES,
        qs_params={'per_page': 100, 'mac': 'de:ad:be:ef:06:7'})
    assert filtered.status_code == 200
    assert len(filtered.json()) == 1
def do_test_ok_get_devices(self, devs_authsets, user):
    """Check the device listing across status filters and paging options.

    For each (status, page, per_page) case only the non-None values are
    sent as query parameters, and the response is compared with the result
    of filter_and_page_devs on the local devices.
    """
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)
    user_api = ApiClient(useradm.URL_MGMT)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    # test cases
    cases = [
        (None, None, None),
        ('pending', None, None),
        ('accepted', None, None),
        ('rejected', None, None),
        ('preauthorized', None, None),
        (None, 1, 10),
        (None, 3, 10),
        (None, 2, 5),
        ('accepted', 1, 4),
        ('accepted', 2, 4),
        ('accepted', 5, 2),
        ('pending', 2, 2),
    ]

    for status, page, per_page in cases:
        candidates = (('status', status),
                      ('page', page),
                      ('per_page', per_page))
        qs_params = {key: value for key, value in candidates
                     if value is not None}

        r = mgmt_api.with_auth(utoken).call('GET',
                                            deviceauth_v2.URL_DEVICES,
                                            qs_params=qs_params)
        assert r.status_code == 200
        api_devs = r.json()

        ref_devs = filter_and_page_devs(devs_authsets,
                                        page=page,
                                        per_page=per_page,
                                        status=status)

        self._compare_devs(ref_devs, api_devs)
def do_test_fail_duplicate(self, user, devices):
    """Check that preauthorizing an already known identity is refused.

    A preauth request reusing the first device's identity data with a new
    key must return 409, the listing must keep its size, and the existing
    device must still have its single original auth set in 'pending'.
    """
    user_api = ApiClient(useradm.URL_MGMT)
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    # preauth duplicate device
    _priv, new_pub = util.crypto.rsa_get_keypair()
    id_data = devices[0].id_data
    body = deviceauth_v2.preauth_req(id_data, new_pub)
    r = mgmt_api.with_auth(utoken).call('POST',
                                        deviceauth_v2.URL_DEVICES,
                                        body)
    assert r.status_code == 409

    # device list is unmodified
    r = mgmt_api.with_auth(utoken).call('GET', deviceauth_v2.URL_DEVICES)
    assert r.status_code == 200
    api_devs = r.json()

    assert len(api_devs) == len(devices)

    # existing device has no new auth sets
    same_identity = [d for d in api_devs if d['identity_data'] == id_data]
    assert len(same_identity) == 1
    existing = same_identity[0]

    assert len(existing['auth_sets']) == 1
    only_aset = existing['auth_sets'][0]
    assert util.crypto.rsa_compare_keys(only_aset['pubkey'],
                                        devices[0].pubkey)
    assert only_aset['status'] == 'pending'
def do_test_device_count(self, devs_authsets, user):
    """Check the device count endpoint for each status and a bad status.

    The count for no filter and for every known status must equal the
    number of matching local devices; the status 'foo' must return 400.
    """
    user_api = ApiClient(useradm.URL_MGMT)
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    # test cases: successful counts
    statuses = [None, 'pending', 'accepted', 'rejected', 'preauthorized']
    for status in statuses:
        qs_params = {} if status is None else {'status': status}

        r = mgmt_api.with_auth(utoken).call('GET',
                                            deviceauth_v2.URL_DEVICES_COUNT,
                                            qs_params=qs_params)
        assert r.status_code == 200
        count = r.json()

        ref_count = len(filter_and_page_devs(devs_authsets, status=status))

        assert ref_count == count['count']

    # fail: bad request
    r = mgmt_api.with_auth(utoken).call('GET',
                                        deviceauth_v2.URL_DEVICES_COUNT,
                                        qs_params={'status': 'foo'})
    assert r.status_code == 400
def do_test_put_status_reject(self, devs_authsets, user, tenant_token=''):
    """Reject an auth set on each eligible device and verify the result.

    Covers devices that are pending, accepted or preauthorized. For an
    accepted device a token is obtained first, and after the rejection that
    token must be refused by the deployments API (401). The local device
    and auth set statuses are updated to the expected values and checked
    against the API via verify_dev_after_status_update.
    """
    mgmt_api = ApiClient(deviceauth_v2.URL_MGMT)
    dev_api = ApiClient(deviceauth_v1.URL_DEVICES)
    user_api = ApiClient(useradm.URL_MGMT)
    deployments_api = ApiClient(deployments.URL_DEVICES)

    # log in user
    login = user_api.call('POST', useradm.URL_LOGIN,
                          auth=(user.name, user.pwd))
    assert login.status_code == 200
    utoken = login.text

    targets = []
    for wanted in ['pending', 'accepted', 'preauthorized']:
        targets.extend(filter_and_page_devs(devs_authsets, status=wanted))

    for dev in targets:
        dtoken = None

        # for accepted or preauthd devs, reject the accepted/preauthd set
        # otherwise just select something
        if dev.status in ['accepted', 'preauthorized']:
            same_status = [a for a in dev.authsets
                           if a.status == dev.status]
            assert len(same_status) == 1
            aset = same_status[0]
        else:
            aset = dev.authsets[0]

        # for accepted devs, also have an active device and check it loses
        # api access
        if dev.status == 'accepted':
            body, sighdr = deviceauth_v1.auth_req(aset.id_data,
                                                  aset.pubkey,
                                                  aset.privkey,
                                                  tenant_token)
            r = dev_api.call('POST', deviceauth_v1.URL_AUTH_REQS, body,
                             headers=sighdr)
            assert r.status_code == 200
            dtoken = r.text

        # reject the authset
        change_authset_status(dev.id, aset.id, 'rejected', utoken)

        # the given authset always changes to 'rejected'
        aset.status = 'rejected'

        # if all other asets are also rejected, the device becomes too
        # otherwise it's 'pending'
        other_rejected = [a for a in dev.authsets
                          if a.id != aset.id and a.status == 'rejected']
        all_others_rejected = len(other_rejected) == len(dev.authsets) - 1
        dev.status = 'rejected' if all_others_rejected else 'pending'

        # check if the api device is consistent
        self.verify_dev_after_status_update(dev, utoken)

        # if we rejected an accepted, active device, check that it lost
        # access
        if dtoken is not None:
            r = deployments_api.with_auth(dtoken).call(
                'GET',
                deployments.URL_NEXT,
                qs_params={'device_type': 'foo', 'artifact_name': 'bar'})
            assert r.status_code == 401