def test_get_asset_nonadmin_access(client): """Without being an admin, test correct responses when accessing one asset.""" with UserContext("*****@*****.**") as prosumer1: prosumer1_assets = prosumer1.assets with UserContext("*****@*****.**") as prosumer2: prosumer2_assets = prosumer2.assets headers = { "content-type": "application/json", "Authorization": get_auth_token(client, "*****@*****.**", "testtest"), } # okay to look at own asset asset_response = client.get( url_for("flexmeasures_api_v2_0.get_asset", id=prosumer2_assets[0].id), headers=headers, follow_redirects=True, ) assert asset_response.status_code == 200 # not okay to see assets owned by others asset_response = client.get( url_for("flexmeasures_api_v2_0.get_asset", id=prosumer1_assets[0].id), headers=headers, follow_redirects=True, ) assert asset_response.status_code == 403 # proper 404 for non-existing asset asset_response = client.get( url_for("flexmeasures_api_v2_0.get_asset", id=8171766575), headers=headers, follow_redirects=True, ) assert asset_response.status_code == 404 assert "not found" in asset_response.json["message"]
def test_get_asset_nonaccount_access(client, setup_api_test_data): """Without being on the same account, test correct responses when accessing one asset.""" with UserContext("*****@*****.**") as prosumer1: prosumer1_assets = prosumer1.account.generic_assets with UserContext("*****@*****.**") as supplieruser4: supplieruser4_assets = supplieruser4.account.generic_assets headers = { "content-type": "application/json", "Authorization": get_auth_token( client, "*****@*****.**", "testtest" ), } # okay to look at assets in own account asset_response = client.get( url_for("AssetAPI:fetch_one", id=supplieruser4_assets[0].id), headers=headers, follow_redirects=True, ) assert asset_response.status_code == 200 # not okay to see assets owned by other accounts asset_response = client.get( url_for("AssetAPI:fetch_one", id=prosumer1_assets[0].id), headers=headers, follow_redirects=True, ) assert asset_response.status_code == 403 # proper 404 for non-existing asset asset_response = client.get( url_for("AssetAPI:fetch_one", id=8171766575), headers=headers, follow_redirects=True, ) assert asset_response.status_code == 404 assert "not found" in asset_response.json["message"]
def test_edit_user(client): with UserContext("*****@*****.**") as supplier: supplier_auth_token = supplier.get_auth_token() # supplier is no admin supplier_id = supplier.id with UserContext("*****@*****.**") as prosumer: prosumer_auth_token = prosumer.get_auth_token() # prosumer is an admin prosumer_id = prosumer.id # without being the user themselves or an admin, the user cannot be edited user_edit_response = client.patch( url_for("flexmeasures_api_v2_0.patch_user", id=prosumer_id), headers={ "content-type": "application/json", "Authorization": supplier_auth_token, }, json={}, ) assert user_edit_response.status_code == 403 user_edit_response = client.patch( url_for("flexmeasures_api_v2_0.patch_user", id=supplier_id), headers={"content-type": "application/json"}, json={}, ) assert user_edit_response.status_code == 401 # admin can deactivate supplier, other changes will be ignored # (id is in the Userschema of the API, but we ignore it) headers = { "content-type": "application/json", "Authorization": prosumer_auth_token } user_edit_response = client.patch( url_for("flexmeasures_api_v2_0.patch_user", id=supplier_id), headers=headers, json={ "active": False, "id": 888 }, ) print("Server responded with:\n%s" % user_edit_response.json) assert user_edit_response.status_code == 200 assert user_edit_response.json["active"] is False supplier = find_user_by_email("*****@*****.**") assert supplier.active is False assert supplier.id == supplier_id # admin can edit themselves but not sensitive fields headers = { "content-type": "application/json", "Authorization": prosumer_auth_token } user_edit_response = client.patch( url_for("flexmeasures_api_v2_0.patch_user", id=prosumer_id), headers=headers, json={"active": False}, ) print("Server responded with:\n%s" % user_edit_response.json) assert user_edit_response.status_code == 403
def test_alter_an_asset(client, setup_api_test_data, setup_accounts): # without being an account-admin, no asset can be created ... with UserContext("*****@*****.**") as prosumer1: auth_token = prosumer1.get_auth_token() # not an account admin with AccountContext("Test Prosumer Account") as prosumer: prosumer_asset = prosumer.generic_assets[0] asset_creation_response = client.post( url_for("AssetAPI:post"), headers={"content-type": "application/json", "Authorization": auth_token}, json={}, ) print(f"Creation Response: {asset_creation_response.json}") assert asset_creation_response.status_code == 403 # ... or deleted ... asset_delete_response = client.delete( url_for("AssetAPI:delete", id=prosumer_asset.id), headers={"content-type": "application/json", "Authorization": auth_token}, json={}, ) print(f"Deletion Response: {asset_delete_response.json}") assert asset_delete_response.status_code == 403 # ... but editing is allowed. asset_edit_response = client.patch( url_for("AssetAPI:patch", id=prosumer_asset.id), headers={"content-type": "application/json", "Authorization": auth_token}, json={ "latitude": prosumer_asset.latitude }, # we're not changing values to keep other tests clean here ) print(f"Editing Response: {asset_edit_response.json}") assert asset_edit_response.status_code == 200
def test_alter_an_asset_wrongauth(client): # without admin and owner rights, no asset can be created ... with UserContext("*****@*****.**") as prosumer1: prosumer1_asset = prosumer1.assets[0] with UserContext("*****@*****.**") as prosumer2: auth_token = prosumer2.get_auth_token() prosumer2_asset = prosumer2.assets[0] asset_creation_response = client.post( url_for("flexmeasures_api_v2_0.post_assets"), headers={ "content-type": "application/json", "Authorization": auth_token }, json={}, ) print(f"Response: {asset_creation_response.json}") assert asset_creation_response.status_code == 403 # ... or edited ... asset_edit_response = client.patch( url_for("flexmeasures_api_v2_0.patch_asset", id=prosumer1_asset.id), headers={ "content-type": "application/json", "Authorization": auth_token }, json={}, ) assert asset_edit_response.status_code == 403 # ... or deleted ... asset_delete_response = client.delete( url_for("flexmeasures_api_v2_0.delete_asset", id=prosumer1_asset.id), headers={ "content-type": "application/json", "Authorization": auth_token }, json={}, ) assert asset_delete_response.status_code == 403 # ... which is impossible even if you're the owner asset_delete_response = client.delete( url_for("flexmeasures_api_v2_0.delete_asset", id=prosumer2_asset.id), headers={ "content-type": "application/json", "Authorization": auth_token }, json={}, ) assert asset_delete_response.status_code == 403
def test_edit_user(client): with UserContext("*****@*****.**") as user2: user2_auth_token = user2.get_auth_token() # user2 is no admin user2_id = user2.id with UserContext("*****@*****.**") as admin: admin_auth_token = admin.get_auth_token() admin_id = admin.id # without being the user themselves or an admin, the user cannot be edited user_edit_response = client.patch( url_for("UserAPI:patch", id=admin_id), headers={ "content-type": "application/json", "Authorization": user2_auth_token, }, json={}, ) assert user_edit_response.status_code == 403 user_edit_response = client.patch( url_for("UserAPI:patch", id=user2_id), headers={"content-type": "application/json"}, json={}, ) assert user_edit_response.status_code == 401 # admin can deactivate user2 admin_headers = { "content-type": "application/json", "Authorization": admin_auth_token, } user_edit_response = client.patch( url_for("UserAPI:patch", id=user2_id), headers=admin_headers, json={"active": False}, ) print("Server responded with:\n%s" % user_edit_response.json) assert user_edit_response.status_code == 200 assert user_edit_response.json["active"] is False user2 = find_user_by_email("*****@*****.**") assert user2.active is False assert user2.id == user2_id # admin can edit themselves but not sensitive fields user_edit_response = client.patch( url_for("UserAPI:patch", id=admin_id), headers=admin_headers, json={"active": False}, ) print("Server responded with:\n%s" % user_edit_response.json) assert user_edit_response.status_code == 403
def test_edit_user_with_unexpected_fields(client): """Sending unexpected fields (not in Schema) is an Unprocessible Entity error.""" with UserContext("*****@*****.**") as supplier: supplier_id = supplier.id with UserContext("*****@*****.**") as prosumer: prosumer_auth_token = prosumer.get_auth_token() # prosumer is an admin user_edit_response = client.patch( url_for("flexmeasures_api_v2_0.patch_user", id=supplier_id), headers={ "content-type": "application/json", "Authorization": prosumer_auth_token, }, json={ "active": False, "password": "******" }, ) print("Server responded with:\n%s" % user_edit_response.json) assert user_edit_response.status_code == 422
def test_edit_user_with_unexpected_fields(client, unexpected_fields: dict): """Sending unexpected fields (not in Schema) is an Unprocessable Entity error.""" with UserContext("*****@*****.**") as user2: user2_id = user2.id with UserContext("*****@*****.**") as admin: admin_auth_token = admin.get_auth_token() user_edit_response = client.patch( url_for("UserAPI:patch", id=user2_id), headers={ "content-type": "application/json", "Authorization": admin_auth_token, }, json={ **{ "active": False }, **unexpected_fields }, ) print("Server responded with:\n%s" % user_edit_response.json) assert user_edit_response.status_code == 422
def test_post_an_asset_with_existing_name(client): """Catch DB error (Unique key violated) correctly""" with UserContext("*****@*****.**") as prosumer: auth_token = prosumer.get_auth_token() with UserContext("*****@*****.**") as prosumer: test_prosumer_id = prosumer.id existing_asset = prosumer.assets[0] post_data = get_asset_post_data() post_data["name"] = existing_asset.name post_data["owner_id"] = test_prosumer_id asset_creation = client.post( url_for("flexmeasures_api_v2_0.post_assets"), json=post_data, headers={ "content-type": "application/json", "Authorization": auth_token }, ) assert asset_creation.status_code == 422 assert "already exists" in asset_creation.json["message"]["json"]["name"][ 0]
def test_post_an_asset_with_nonexisting_field(client, setup_api_test_data): """Posting a field that is unexpected leads to a 422""" with UserContext("*****@*****.**") as prosumer: auth_token = prosumer.get_auth_token() post_data = get_asset_post_data() post_data["nnname"] = "This field does not exist" asset_creation = client.post( url_for("AssetAPI:post"), json=post_data, headers={"content-type": "application/json", "Authorization": auth_token}, ) assert asset_creation.status_code == 422 assert asset_creation.json["message"]["json"]["nnname"][0] == "Unknown field."
def test_posting_multiple_assets(client, setup_api_test_data): """We can only send one at a time""" with UserContext("*****@*****.**") as prosumer: auth_token = prosumer.get_auth_token() post_data1 = get_asset_post_data() post_data2 = get_asset_post_data() post_data2["name"] = "Test battery 3" asset_creation = client.post( url_for("AssetAPI:post"), json=[post_data1, post_data2], headers={"content-type": "application/json", "Authorization": auth_token}, ) print(f"Response: {asset_creation.json}") assert asset_creation.status_code == 422 assert asset_creation.json["message"]["json"]["_schema"][0] == "Invalid input type."
def test_delete_an_asset(client, db): with UserContext("*****@*****.**") as prosumer: existing_asset_id = prosumer.assets[0].id auth_token = get_auth_token(client, "*****@*****.**", "testtest") delete_asset_response = client.delete( url_for("flexmeasures_api_v2_0.delete_asset", id=existing_asset_id), headers={ "content-type": "application/json", "Authorization": auth_token }, ) assert delete_asset_response.status_code == 204 deleted_asset = Asset.query.filter_by(id=existing_asset_id).one_or_none() assert deleted_asset is None
def test_post_an_asset_with_existing_name(client, setup_api_test_data): """Catch DB error (Unique key violated) correctly""" with UserContext("*****@*****.**") as admin_user: auth_token = admin_user.get_auth_token() with AccountContext("Test Prosumer Account") as prosumer: prosumer_id = prosumer.id existing_asset = prosumer.generic_assets[0] post_data = get_asset_post_data() post_data["name"] = existing_asset.name post_data["account_id"] = prosumer_id asset_creation_response = client.post( url_for("AssetAPI:post"), json=post_data, headers={"content-type": "application/json", "Authorization": auth_token}, ) print(f"Creation Response: {asset_creation_response.json}") assert asset_creation_response.status_code == 422 assert ( "already exists" in asset_creation_response.json["message"]["json"]["name"][0] )
def test_edit_an_asset(client, db): with UserContext("*****@*****.**") as prosumer: existing_asset = prosumer.assets[1] post_data = dict(latitude=10, id=999) # id will be ignored auth_token = get_auth_token(client, "*****@*****.**", "testtest") edit_asset_response = client.patch( url_for("flexmeasures_api_v2_0.patch_asset", id=existing_asset.id), json=post_data, headers={ "content-type": "application/json", "Authorization": auth_token }, ) assert edit_asset_response.status_code == 200 updated_asset = Asset.query.filter_by(id=existing_asset.id).one_or_none() assert updated_asset.latitude == 10 # changed value assert updated_asset.longitude == existing_asset.longitude assert updated_asset.capacity_in_mw == existing_asset.capacity_in_mw assert updated_asset.name == existing_asset.name
def test_post_an_asset_with_invalid_data(client, db): """ Add an asset with some fields having invalid data and one field missing. The right error messages should be in the response and the number of assets has not increased. """ with UserContext("*****@*****.**") as prosumer: num_assets_before = len(prosumer.assets) auth_token = get_auth_token(client, "*****@*****.**", "testtest") post_data = get_asset_post_data() post_data["latitude"] = 70.4 post_data["longitude"] = 300.9 post_data["capacity_in_mw"] = -100 post_data["min_soc_in_mwh"] = 10 post_data["max_soc_in_mwh"] = 5 del post_data["unit"] post_asset_response = client.post( url_for("flexmeasures_api_v2_0.post_assets"), json=post_data, headers={ "content-type": "application/json", "Authorization": auth_token }, ) print("Server responded with:\n%s" % post_asset_response.json) assert post_asset_response.status_code == 422 assert ( "Must be greater than or equal to 0" in post_asset_response.json["message"]["json"]["capacity_in_mw"][0]) assert ("greater than or equal to -180 and less than or equal to 180" in post_asset_response.json["message"]["json"]["longitude"][0]) assert "required field" in post_asset_response.json["message"]["json"][ "unit"][0] assert ("must be equal or higher than the minimum soc" in post_asset_response.json["message"]["json"]["max_soc_in_mwh"]) assert Asset.query.filter_by( owner_id=prosumer.id).count() == num_assets_before
def test_user_reset_password(app, client, sender): """ Reset the password of supplier. Only the prosumer is allowed to do that (as admin). """ with UserContext("*****@*****.**") as supplier: supplier_id = supplier.id old_password = supplier.password headers = {"content-type": "application/json"} if sender != "": headers["Authorization"] = (get_auth_token(client, sender, "testtest"), ) with app.mail.record_messages() as outbox: pwd_reset_response = client.patch( url_for("flexmeasures_api_v2_0.reset_user_password", id=supplier_id), query_string={}, headers=headers, ) print("Server responded with:\n%s" % pwd_reset_response.json) if sender == "": assert pwd_reset_response.status_code == 401 return if sender == "*****@*****.**": assert pwd_reset_response.status_code == 403 return assert pwd_reset_response.status_code == 200 supplier = find_user_by_email("*****@*****.**") assert len(outbox) == 2 assert "has been reset" in outbox[0].subject pwd_reset_instructions = outbox[1] assert old_password != supplier.password assert "reset instructions" in pwd_reset_instructions.subject assert ("reset your password:\n\n%sreset/" % request.host_url in pwd_reset_instructions.body)
def test_user_reset_password(app, client, setup_inactive_user, sender): """ Reset the password of User 2. Only the admin user and User 2 themselves are allowed to do that. """ with UserContext("*****@*****.**") as user2: user2_id = user2.id old_password = user2.password headers = {"content-type": "application/json"} if sender != "": headers["Authorization"] = (get_auth_token(client, sender, "testtest"),) with app.mail.record_messages() as outbox: pwd_reset_response = client.patch( url_for("UserAPI:reset_user_password", id=user2_id), query_string={}, headers=headers, ) print("Server responded with:\n%s" % pwd_reset_response.json) if sender in ("", "*****@*****.**"): assert pwd_reset_response.status_code == 401 return if sender == "*****@*****.**": assert pwd_reset_response.status_code == 403 return assert pwd_reset_response.status_code == 200 user2 = find_user_by_email("*****@*****.**") assert len(outbox) == 2 assert "has been reset" in outbox[0].subject pwd_reset_instructions = outbox[1] assert old_password != user2.password assert "reset instructions" in pwd_reset_instructions.subject assert ( "reset your password:\n\n%sreset/" % request.host_url in pwd_reset_instructions.body )
def test_post_an_asset_with_invalid_data(client, setup_api_test_data): """ Add an asset with some fields having invalid data and one field missing. The right error messages should be in the response and the number of assets has not increased. """ with UserContext("*****@*****.**") as prosumer: num_assets_before = len(prosumer.assets) auth_token = get_auth_token(client, "*****@*****.**", "testtest") post_data = get_asset_post_data() post_data["name"] = "Something new" post_data["longitude"] = 300.9 del post_data["generic_asset_type_id"] post_asset_response = client.post( url_for("AssetAPI:post"), json=post_data, headers={"content-type": "application/json", "Authorization": auth_token}, ) print("Server responded with:\n%s" % post_asset_response.json) assert post_asset_response.status_code == 422 assert ( "exceeds the maximum longitude" in post_asset_response.json["message"]["json"]["longitude"][0] ) assert ( "required field" in post_asset_response.json["message"]["json"]["generic_asset_type_id"][0] ) assert ( GenericAsset.query.filter_by(account_id=prosumer.id).count() == num_assets_before )