def test_list_is_denied_if_not_allowed_to_create(self):
    """Listing is refused (403) to users without create rights on the parent.

    ``jean:paul`` may not list the collections of ``/buckets/beer`` and
    ``mahmud:hatim`` may not list the records of ``barley``: both requests
    are expected to be rejected outright rather than answered with an
    empty list.
    """
    forbidden = 403
    attempts = (
        ('/buckets/beer/collections', 'jean:paul'),
        ('/buckets/beer/collections/barley/records', 'mahmud:hatim'),
    )
    for url, user in attempts:
        self.app.get(url, headers=get_user_headers(user), status=forbidden)
def setUp(self):
    """Build the bucket/collection/record layout used by the permission tests.

    Fixtures created with the default ``self.headers``:

    * ``/buckets/author-only`` (no extra permissions) and ``/buckets/test``
      readable by alice;
    * an empty ``admins`` group in ``test``;
    * collection ``alice-julia`` readable by julia, and ``author-only``;
    * one record writable by bob and alice, and one readable by any
      authenticated user.

    The principals are the ``basicauth:`` ids the server derives for the
    three users.

    NOTE(review): unlike the sibling fixtures this does not call
    ``super().setUp()`` — presumably intended, confirm.
    """
    self.alice_headers = get_user_headers("alice")
    self.bob_headers = get_user_headers("bob")
    self.julia_headers = get_user_headers("julia")
    self.alice_principal = (
        "basicauth:d5b0026601f1b251974e09548d44155e16812e3c64ff7ae053fe3542e2ca1570"
    )
    self.bob_principal = (
        "basicauth:c031ced27503f788b102ca54269a062ec73794bb075154c74a0d4311e74ca8b6"
    )
    self.julia_principal = (
        "basicauth:d8bab8d9fe0510fcaf9b5ad5942c027fc2fdf80b6dc59cc3c48d12a2fcb18f1c"
    )

    as_admin = self.headers
    test_bucket = "/buckets/test"
    shared_collection = test_bucket + "/collections/alice-julia"

    # Buckets.
    self.app.put("/buckets/author-only", headers=as_admin)
    self.app.put_json(
        test_bucket, {"permissions": {"read": [self.alice_principal]}}, headers=as_admin
    )
    # Group and collections.
    self.app.put_json(
        test_bucket + "/groups/admins", {"data": {"members": []}}, headers=as_admin
    )
    self.app.put_json(
        shared_collection,
        {"permissions": {"read": [self.julia_principal]}},
        headers=as_admin,
    )
    self.app.put_json(test_bucket + "/collections/author-only", headers=as_admin)
    # Records.
    self.app.post_json(
        shared_collection + "/records",
        {"permissions": {"write": [self.bob_principal, self.alice_principal]}},
        headers=as_admin,
    )
    self.app.post_json(
        shared_collection + "/records",
        {"permissions": {"read": ["system.Authenticated"]}},
        headers=as_admin,
    )
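def test_adding_a_task_for_bob_doesnt_add_it_for_alice(self):
    """A record created by ``bob`` is not visible to ``alice`` (404).

    The record is posted under ``self.collection_url`` with bob's
    credentials; alice's GET of that same record must return 404, so the
    record's existence is not disclosed to another user.
    """
    record = {**MINIMALIST_RECORD}
    resp = self.app.post_json(
        self.collection_url + "/records", record, headers=get_user_headers("bob")
    )
    record_url = "{}/records/{}".format(self.collection_url, resp.json["data"]["id"])
    # The status check is the assertion; the response body is not needed
    # (the previous `resp = ...` rebinding was unused).
    self.app.get(record_url, headers=get_user_headers("alice"), status=404)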
def test_parent_metadata_cannot_be_read_if_not_allowed_to_create_child(self):
    """Parent objects are hidden (403) from users who may not create children.

    ``jean:paul`` cannot read bucket ``beer`` and ``mahmud:hatim`` cannot
    read collection ``barley``; neither is granted creation rights below
    those objects.
    """
    cases = [
        ("/buckets/beer", "jean:paul"),
        ("/buckets/beer/collections/barley", "mahmud:hatim"),
    ]
    for url, user in cases:
        self.app.get(url, headers=get_user_headers(user), status=403)
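def test_adding_a_task_for_bob_doesnt_add_it_for_alice(self):
    """A record created by ``bob`` is not visible to ``alice`` (404).

    The record is posted under ``self.collection_url`` with bob's
    credentials; alice's GET of that same record must return 404, so the
    record's existence is not disclosed to another user.
    """
    record = {**MINIMALIST_RECORD}
    resp = self.app.post_json(self.collection_url + '/records', record,
                              headers=get_user_headers('bob'))
    record_url = '{}/records/{}'.format(self.collection_url, resp.json['data']['id'])
    # The status check is the assertion; the response body is not needed
    # (the previous `resp = ...` rebinding was unused).
    self.app.get(record_url, headers=get_user_headers('alice'), status=404)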
def test_authentication_with_new_password_is_accepted_after_change(self):
    """After alice changes her password, the new credentials authenticate.

    NOTE(review): the password written by the PUT is redacted ("******")
    in this listing; it presumably equals the "bouh" used for the final
    GET — confirm against the original file.
    """
    current_credentials = get_user_headers("alice", "123456")
    new_password = {"data": {"password": "******"}}
    self.app.put_json("/accounts/alice", new_password, headers=current_credentials, status=200)
    rotated_credentials = get_user_headers("alice", "bouh")
    self.app.get("/accounts/alice", headers=rotated_credentials)
def test_fallsback_on_basicauth(self):
    """A wrong password yields a ``basicauth:`` principal instead of a rejection.

    Once account ``me`` exists, a request whose password does not match is
    still answered by ``GET /`` but with a user id from the generic
    Basic-Auth policy (``basicauth`` prefix); matching credentials resolve
    to the ``account`` prefix. The test pins that the mismatch changes the
    resolved identity rather than failing authentication.

    NOTE(review): the password stored at creation is redacted ("******")
    here; it presumably equals "bleh" — confirm.
    """
    self.app.post_json("/accounts", {"data": {"id": "me", "password": "******"}})

    def resolved_user_id(password):
        resp = self.app.get("/", headers=get_user_headers("me", password))
        return resp.json["user"]["id"]

    assert "basicauth" in resolved_user_id("wrong")
    assert "account" in resolved_user_id("bleh")
def test_fallsback_on_basicauth(self):
    """A wrong password yields a ``basicauth:`` principal instead of a rejection.

    With account ``me`` in place, ``GET /`` with a non-matching password
    reports a user id carrying the ``basicauth`` prefix, while the matching
    password reports the ``account`` prefix.

    NOTE(review): the password stored at creation is redacted ('******')
    here; it presumably equals 'bleh' — confirm.
    """
    self.app.post_json('/accounts', {'data': {'id': 'me', 'password': '******'}})
    expectations = [('wrong', 'basicauth'), ('bleh', 'account')]
    for password, expected_prefix in expectations:
        resp = self.app.get('/', headers=get_user_headers('me', password))
        assert expected_prefix in resp.json['user']['id']
def setUpClass(cls):
    """Prepare alice's and bob's request headers and their expected principals.

    Each ``*_headers`` dict is the class defaults merged with that user's
    Basic-Auth header; the principals are the ``basicauth:`` ids expected
    for those credentials.

    NOTE(review): presumably decorated with ``@classmethod`` in the original
    file (the decorator is not visible in this listing).
    """
    super().setUpClass()
    for user in ('alice', 'bob'):
        setattr(cls, user + '_headers', {**cls.headers, **get_user_headers(user)})
    cls.alice_principal = (
        'basicauth:d5b0026601f1b251974e09548d44155e16812e3c64ff7ae053fe3542e2ca1570'
    )
    cls.bob_principal = (
        'basicauth:c031ced27503f788b102ca54269a062ec73794bb075154c74a0d4311e74ca8b6'
    )
def test_authentication_does_not_call_bcrypt_twice(self):
    """Two requests with the same credentials trigger a single ``checkpw``.

    Password hashing is deliberately slow, so the second identical request
    must not verify the password again: after both ``GET /`` calls resolve
    to ``account:me``, the patched bcrypt has seen exactly one call.
    """
    self.app.post_json("/accounts", {"data": {"id": "me", "password": "******"}}, status=201)
    credentials = get_user_headers("me", "bouh")
    with mock.patch("kinto.plugins.accounts.authentication.bcrypt") as mocked_bcrypt:
        for _ in range(2):
            resp = self.app.get("/", headers=credentials)
            assert resp.json["user"]["id"] == "account:me"
        assert mocked_bcrypt.checkpw.call_count == 1
def __init__(self, *args, **kwargs):
    """Derive per-user headers (alice, bob) from the base headers and record their principals.

    The base ``self.headers`` is copied before each user's Basic-Auth
    header is merged in, so the shared dict is left untouched.
    """
    super(PermissionsTest, self).__init__(*args, **kwargs)
    for user in ('alice', 'bob'):
        merged = self.headers.copy()
        merged.update(**get_user_headers(user))
        setattr(self, user + '_headers', merged)
    self.alice_principal = (
        'basicauth:d5b0026601f1b251974e09548d44155e16812e3c64ff7ae053fe3542e2ca1570'
    )
    self.bob_principal = (
        'basicauth:c031ced27503f788b102ca54269a062ec73794bb075154c74a0d4311e74ca8b6'
    )
def test_authentication_does_not_call_bcrypt_twice(self):
    """Two requests with the same credentials trigger a single ``checkpw``.

    Both ``GET /`` calls must resolve to ``account:me`` while the patched
    bcrypt verifies the password only once.
    """
    self.app.post_json('/accounts', {'data': {'id': 'me', 'password': '******'}}, status=201)
    credentials = get_user_headers('me', 'bouh')
    with mock.patch('kinto.plugins.accounts.authentication.bcrypt') as mocked_bcrypt:
        first = self.app.get('/', headers=credentials)
        assert first.json['user']['id'] == 'account:me'
        second = self.app.get('/', headers=credentials)
        assert second.json['user']['id'] == 'account:me'
        mocked_bcrypt.checkpw.assert_called_once()
def test_authentication_checks_bcrypt_again_if_password_changes(self):
    """A password change forces bcrypt to verify the next request again.

    Whatever reuse of verification results exists must not survive a
    password change: after the PATCH, a request with the new password
    still goes through ``checkpw`` (two calls in total, one per password).
    """
    self.app.post_json('/accounts', {'data': {'id': 'me', 'password': '******'}}, status=201)
    with mock.patch('kinto.plugins.accounts.authentication.bcrypt') as mocked_bcrypt:
        before_change = get_user_headers('me', 'bouh')
        resp = self.app.get('/', headers=before_change)
        assert resp.json['user']['id'] == 'account:me'

        self.app.patch_json('/accounts/me', {'data': {'password': '******'}},
                            status=200, headers=get_user_headers('me', 'bouh'))

        after_change = get_user_headers('me', 'blah')
        resp = self.app.get('/', headers=after_change)
        assert resp.json['user']['id'] == 'account:me'
        assert mocked_bcrypt.checkpw.call_count == 2
def test_cannot_create_other_account_if_authenticated(self):
    """An authenticated user cannot POST an account with a different id.

    ``me`` creates its own account, then tries to create ``you`` while
    authenticated as ``me``; the server answers 400 with a message
    containing "do not match".
    """
    self.app.post_json('/accounts', {'data': {'id': 'me', 'password': '******'}}, status=201)
    someone_else = {'data': {'id': 'you', 'password': '******'}}
    resp = self.app.post_json('/accounts', someone_else,
                              headers=get_user_headers('me', 'bouh'), status=400)
    assert 'do not match' in resp.json['message']
def test_user_created_by_admin_with_post_can_see_her_record(self):
    """An account created by the admin is readable by its owner, who gets ``write`` on it.

    NOTE(review): the password set by the admin is redacted ('******') in
    this listing; it presumably equals the 'bouh' used for the GET.
    """
    alice = {'data': {'id': 'alice', 'password': '******'}}
    self.app.post_json('/accounts', alice, headers=self.admin_headers)
    resp = self.app.get('/accounts/alice', headers=get_user_headers('alice', 'bouh'))
    expected_permissions = {'write': ['account:alice']}
    assert resp.json['permissions'] == expected_permissions
def test_object_get_403(self):
    """The 403 body returned for an unauthorised bucket GET matches the API spec.

    User ``aaa`` is denied ``/buckets/b1``; the response is validated
    against the ``403`` schema of the ``get_bucket`` operation.
    """
    unauthorised = {**self.headers, **testing.get_user_headers("aaa")}
    raw = self.app.get("/buckets/b1", headers=unauthorised, status=403)
    response = self.cast_bravado_response(raw)
    operation = self.resources["Buckets"].get_bucket
    forbidden_schema = self.spec.deref(operation.op_spec["responses"]["403"])
    validate_response(forbidden_schema, operation, response)
def setUp(self):
    """Create the shared ``beers`` bucket, its ``barley`` collection and one record per user.

    ``alice`` is granted ``write`` on the bucket through the principal that
    ``GET /`` reports for her headers; one record is then posted with the
    default headers and one with alice's.
    """
    super().setUp()
    # Cleared in place rather than rebound — presumably the list object is
    # referenced elsewhere; keep it that way.
    del self.events[:]

    self.alice_headers = {**self.headers, **get_user_headers("alice")}
    alice_principal = self.app.get("/", headers=self.alice_headers).json["user"]["id"]
    shared_bucket = {**MINIMALIST_BUCKET, "permissions": {"write": [alice_principal]}}

    self.app.put_json("/buckets/beers", shared_bucket, headers=self.headers)
    self.app.put_json(
        "/buckets/beers/collections/barley", MINIMALIST_COLLECTION, headers=self.headers
    )
    for author_headers in (self.headers, self.alice_headers):
        self.app.post_json(
            self.collection_url, MINIMALIST_RECORD, headers=author_headers, status=201
        )
def setUp(self):
    """Create two buckets whose permissions reference the ``beers/admins`` group.

    ``beers`` is writable by the group, which contains the admin principal
    reported by ``GET /``; ``sodas/sprite`` is readable by that same group.

    NOTE(review): the admins group is PUT twice with identical data; the
    second write looks redundant but is kept so the request sequence is
    unchanged — confirm no test depends on it before removing.
    """
    super().setUp()
    self.admin_headers = get_user_headers('admin')
    whoami = self.app.get('/', headers=self.admin_headers).json
    self.admin_principal = whoami['user']['id']

    admins_group = '/buckets/beers/groups/admins'
    self.app.put_json('/buckets/beers', {'permissions': {'write': [admins_group]}},
                      headers=self.headers)
    self.app.put_json(admins_group, {'data': {'members': [self.admin_principal]}},
                      headers=self.headers)
    self.app.put_json('/buckets/beers/collections/barley', MINIMALIST_COLLECTION,
                      headers=self.headers)
    self.app.put_json('/buckets/sodas', MINIMALIST_BUCKET, headers=self.headers)
    self.app.put_json(admins_group, {'data': {'members': [self.admin_principal]}},
                      headers=self.headers)
    self.app.put_json('/buckets/sodas/collections/sprite',
                      {'permissions': {'read': [admins_group]}},
                      headers=self.headers)
def test_cannot_patch_unknown_account(self):
    """Patching an account that does not exist is refused with 403 (not 404)."""
    as_alice = get_user_headers("alice", "123456")
    new_password = {"data": {"password": "******"}}
    self.app.patch_json("/accounts/bob", new_password, headers=as_alice, status=403)
def test_user_created_by_admin_with_post_can_see_her_record(self):
    """An account created by the admin is readable by its owner, who gets ``write`` on it.

    NOTE(review): the password set by the admin is redacted ("******") in
    this listing; it presumably equals the "bouh" used for the GET.
    """
    self.app.post_json(
        "/accounts",
        {"data": {"id": "alice", "password": "******"}},
        headers=self.admin_headers,
    )
    as_alice = get_user_headers("alice", "bouh")
    resp = self.app.get("/accounts/alice", headers=as_alice)
    assert resp.json["permissions"] == {"write": ["account:alice"]}
def test_metadata_can_be_changed(self):
    """The account owner can PATCH arbitrary metadata (``age``) onto her record."""
    as_alice = get_user_headers("alice", "123456")
    patch = {"data": {"age": "captain"}}
    resp = self.app.patch_json("/accounts/alice", patch, headers=as_alice)
    assert resp.json["data"]["age"] == "captain"
def setUp(self):
    """Create two buckets whose permissions reference the ``beers/admins`` group.

    ``beers`` is writable by the group, which contains the admin principal
    reported by ``GET /``; ``sodas/sprite`` is readable by that same group.

    NOTE(review): the admins group is PUT twice with identical data; the
    second write looks redundant but is kept so the request sequence is
    unchanged — confirm no test depends on it before removing.
    """
    super().setUp()
    self.admin_headers = get_user_headers("admin")
    whoami = self.app.get("/", headers=self.admin_headers).json
    self.admin_principal = whoami["user"]["id"]

    admins_group = "/buckets/beers/groups/admins"
    as_admin = self.headers

    self.app.put_json("/buckets/beers", {"permissions": {"write": [admins_group]}}, headers=as_admin)
    self.app.put_json(admins_group, {"data": {"members": [self.admin_principal]}}, headers=as_admin)
    self.app.put_json("/buckets/beers/collections/barley", MINIMALIST_COLLECTION, headers=as_admin)
    self.app.put_json("/buckets/sodas", MINIMALIST_BUCKET, headers=as_admin)
    self.app.put_json(admins_group, {"data": {"members": [self.admin_principal]}}, headers=as_admin)
    self.app.put_json(
        "/buckets/sodas/collections/sprite",
        {"permissions": {"read": [admins_group]}},
        headers=as_admin,
    )
def test_read_permission_can_be_given_to_anybody_via_settings(self):
    """With ``history_read_principals`` set to everyone, any user sees the full history.

    The setting is patched on the live registry for the duration of the
    request; ``tartan:pion`` then receives all six history entries.
    """
    open_history = [('history_read_principals', 'system.Everyone')]
    with mock.patch.dict(self.app.app.registry.settings, open_history):
        resp = self.app.get('/buckets/test/history', headers=get_user_headers('tartan:pion'))
    entries = resp.json['data']
    assert len(entries) == 6  # everything.
def setUp(self):
    """Create the shared ``beers`` bucket, its ``barley`` collection and one record per user.

    ``alice`` is granted ``write`` on the bucket through the principal that
    ``GET /`` reports for her headers; one record is then posted with the
    default headers and one with alice's. ``self.events`` starts empty.
    """
    super(FlushViewTest, self).setUp()
    self.events = []

    self.alice_headers = self.headers.copy()
    self.alice_headers.update(**get_user_headers('alice'))
    whoami = self.app.get('/', headers=self.alice_headers).json
    alice_principal = whoami['user']['id']

    shared_bucket = MINIMALIST_BUCKET.copy()
    shared_bucket['permissions'] = {'write': [alice_principal]}
    self.app.put_json('/buckets/beers', shared_bucket, headers=self.headers)
    self.app.put_json('/buckets/beers/collections/barley', MINIMALIST_COLLECTION,
                      headers=self.headers)
    for author_headers in (self.headers, self.alice_headers):
        self.app.post_json(self.collection_url, MINIMALIST_RECORD,
                           headers=author_headers, status=201)
def test_creation_is_forbidden_is_no_write_on_bucket_nor_collection(self):
    """A user with no ``write`` on the bucket or collection cannot create records (403)."""
    as_jean_louis = self.headers.copy()
    as_jean_louis.update(**get_user_headers('jean-louis'))
    self.app.post_json('/buckets/beer/collections/barley/records', MINIMALIST_RECORD,
                       headers=as_jean_louis, status=403)
def test_read_permission_can_be_given_to_anybody_via_settings(self):
    """With ``history_read_principals`` set to everyone, any user sees the full history.

    The setting is patched on the live registry for the duration of the
    request; ``tartan:pion`` then receives all six history entries.
    """
    open_history = [("history_read_principals", "system.Everyone")]
    with mock.patch.dict(self.app.app.registry.settings, open_history):
        resp = self.app.get("/buckets/test/history", headers=get_user_headers("tartan:pion"))
    entries = resp.json["data"]
    assert len(entries) == 6  # everything.
def test_password_can_be_changed(self):
    """The owner can replace her password with a PUT on her account (200)."""
    as_alice = get_user_headers("alice", "123456")
    new_password = {"data": {"password": "******"}}
    self.app.put_json("/accounts/alice", new_password, headers=as_alice, status=200)
def test_lidt_delete_403(self):
    """The 403 body for an unauthorised collection-list DELETE matches the API spec.

    User ``aaa`` is denied ``DELETE /buckets/b1/collections``; the response
    is validated against the ``403`` schema of ``delete_collections``.
    (The method name looks like a typo of ``list``; left as is.)
    """
    unauthorised = {**self.headers, **testing.get_user_headers("aaa")}
    raw = self.app.delete("/buckets/b1/collections", headers=unauthorised, status=403)
    response = self.cast_bravado_response(raw)
    operation = self.resources["Collections"].delete_collections
    forbidden_schema = self.spec.deref(operation.op_spec["responses"]["403"])
    validate_response(forbidden_schema, operation, response)
def test_creation_is_forbidden_is_no_write_on_bucket_nor_collection(self):
    """A user with no ``write`` on the bucket or collection cannot create records (403)."""
    as_jean_louis = {**self.headers, **get_user_headers("jean-louis")}
    records_url = "/buckets/beer/collections/barley/records"
    self.app.post_json(records_url, MINIMALIST_RECORD, headers=as_jean_louis, status=403)
def test_object_get_403(self):
    """The 403 body returned for an unauthorised bucket GET matches the API spec.

    User ``aaa`` is denied ``/buckets/b1``; the response is validated
    against the ``403`` schema of the ``get_bucket`` operation.
    """
    unauthorised = {**self.headers, **testing.get_user_headers('aaa')}
    raw = self.app.get('/buckets/b1', headers=unauthorised, status=403)
    response = self.cast_bravado_response(raw)
    operation = self.resources['Buckets'].get_bucket
    forbidden_schema = self.spec.deref(operation.op_spec['responses']['403'])
    validate_response(forbidden_schema, operation, response)
def test_collection_write_taken_into_account(self):
    """``/permissions`` lists ``write`` on collection ``barley`` for an arbitrary user."""
    resp = self.app.get("/permissions", headers=get_user_headers("any"))
    collections = [
        entry for entry in resp.json["data"] if entry["resource_name"] == "collection"
    ]
    first = collections[0]
    self.assertEqual(first["id"], "barley")
    self.assertIn("write", first["permissions"])
def test_admin_can_delete_all_accounts(self):
    """After the admin deletes every account, bob's credentials no longer authenticate (401)."""
    self.app.delete_json("/accounts", headers=self.admin_headers)
    as_bob = get_user_headers("bob", "987654")
    self.app.get("/accounts/bob", headers=as_bob, status=401)
def setUp(self):
    """Create account ``bob`` (201) and keep his Basic-Auth headers for the tests.

    NOTE(review): the stored password is redacted ("******") in this
    listing; the headers presumably use the original value "123456".
    """
    bob = {"data": {"password": "******"}}
    self.app.put_json("/accounts/bob", bob, status=201)
    self.bob_headers = get_user_headers("bob", "123456")
class SettingsPermissionsTest(PermissionsViewTest):
    """``/permissions`` must reflect grants configured in settings, not only stored ones.

    The class settings give ``write`` on buckets and collections to any
    authenticated user, ``group:create`` to the admin principal and
    ``record:create`` to the ``admins`` group of bucket ``beers``. The tests
    check that these appear in the listing, merged with permissions stored
    in the permission backend.
    """

    admin_headers = get_user_headers("admin")
    admin_principal = (
        "basicauth:bb7fe7b98e759578ef0de85b546dd57d21fe1e399390ad8dafc9886043a00e5c"
    )  # NOQA

    @classmethod
    def get_app_settings(cls, extras=None):
        """Extend the base settings with the four principal-based grants under test."""
        settings = super().get_app_settings(extras)
        settings.update(
            {
                "bucket_write_principals": "system.Authenticated",
                "group_create_principals": cls.admin_principal,
                "collection_write_principals": "system.Authenticated",
                "record_create_principals": "/buckets/beers/groups/admins",
            }
        )
        return settings

    def setUp(self):
        """Create bucket ``beers``, its ``admins`` group (admin as member) and ``barley``."""
        super().setUp()
        beers = "/buckets/beers"
        as_admin = self.headers
        self.app.put_json(beers, MINIMALIST_BUCKET, headers=as_admin)
        self.app.put_json(
            beers + "/groups/admins",
            {"data": {"members": [self.admin_principal]}},
            headers=as_admin,
        )
        self.app.put_json(beers + "/collections/barley", MINIMALIST_COLLECTION, headers=as_admin)

    @staticmethod
    def _of_kind(resp, resource_name):
        """Filter a ``/permissions`` response down to the entries of *resource_name*."""
        return [entry for entry in resp.json["data"] if entry["resource_name"] == resource_name]

    def test_bucket_write_taken_into_account(self):
        """``bucket_write_principals`` shows as ``write`` on ``beers`` for any user."""
        resp = self.app.get("/permissions", headers=get_user_headers("any"))
        buckets = self._of_kind(resp, "bucket")
        self.assertEqual(buckets[0]["id"], "beers")
        self.assertIn("write", buckets[0]["permissions"])

    def test_collection_create_taken_into_account(self):
        """``group_create_principals`` shows as ``group:create`` on ``beers`` for the admin."""
        resp = self.app.get("/permissions", headers=self.admin_headers)
        buckets = self._of_kind(resp, "bucket")
        self.assertEqual(buckets[0]["id"], "beers")
        self.assertIn("group:create", buckets[0]["permissions"])

    def test_collection_write_taken_into_account(self):
        """``collection_write_principals`` shows as ``write`` on ``barley`` for any user."""
        resp = self.app.get("/permissions", headers=get_user_headers("any"))
        collections = self._of_kind(resp, "collection")
        self.assertEqual(collections[0]["id"], "barley")
        self.assertIn("write", collections[0]["permissions"])

    def test_record_create_taken_into_account(self):
        """``record_create_principals`` (via the admins group) shows as ``record:create`` on ``barley``."""
        resp = self.app.get("/permissions", headers=self.admin_headers)
        collections = self._of_kind(resp, "collection")
        self.assertEqual(collections[0]["id"], "barley")
        self.assertIn("record:create", collections[0]["permissions"])

    def test_settings_permissions_are_merged_with_perms_backend(self):
        """Permissions stored on the objects are listed next to the settings-derived ones.

        ``collection:create`` is stored on the bucket and ``read`` on the
        collection; the single ``/permissions`` response must carry both of
        those and the settings-based ``group:create`` / ``record:create``.
        """
        self.app.patch_json(
            "/buckets/beers",
            {"permissions": {"collection:create": [self.admin_principal]}},
            headers=self.headers,
        )
        self.app.patch_json(
            "/buckets/beers/collections/barley",
            {"permissions": {"read": [self.admin_principal]}},
            headers=self.headers,
        )
        resp = self.app.get("/permissions", headers=self.admin_headers)

        buckets = self._of_kind(resp, "bucket")
        self.assertEqual(buckets[0]["id"], "beers")
        for perm in ("group:create", "collection:create"):
            self.assertIn(perm, buckets[0]["permissions"])

        collections = self._of_kind(resp, "collection")
        self.assertEqual(collections[0]["id"], "barley")
        for perm in ("record:create", "read"):
            self.assertIn(perm, collections[0]["permissions"])
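class SettingsPermissionsTest(PermissionsViewTest):
    """``/permissions`` must reflect grants configured in settings, not only stored ones.

    The settings give ``write`` on buckets and collections to any
    authenticated user, ``group:create`` to the admin principal and
    ``record:create`` to the ``admins`` group of bucket ``beers``; the
    tests check that each of these appears in the listing.

    The former ``__init__`` only forwarded its arguments to the parent
    class, which is what happens anyway without it, so it was dropped.
    """

    admin_headers = get_user_headers('admin')
    admin_principal = 'basicauth:bb7fe7b98e759578ef0de85b546dd57d21fe1e399390ad8dafc9886043a00e5c'  # NOQA

    def get_app_settings(self, extras=None):
        """Extend the base settings with the four principal-based grants under test."""
        settings = super(SettingsPermissionsTest, self).get_app_settings(extras)
        settings['bucket_write_principals'] = 'system.Authenticated'
        settings['group_create_principals'] = self.admin_principal
        settings['collection_write_principals'] = 'system.Authenticated'
        settings['record_create_principals'] = '/buckets/beers/groups/admins'
        return settings

    def setUp(self):
        """Create bucket ``beers``, its ``admins`` group (admin as member) and ``barley``."""
        super(SettingsPermissionsTest, self).setUp()
        self.app.put_json('/buckets/beers', MINIMALIST_BUCKET, headers=self.headers)
        self.app.put_json('/buckets/beers/groups/admins',
                          {'data': {'members': [self.admin_principal]}},
                          headers=self.headers)
        self.app.put_json('/buckets/beers/collections/barley', MINIMALIST_COLLECTION,
                          headers=self.headers)

    def test_bucket_write_taken_into_account(self):
        """``bucket_write_principals`` shows as ``write`` on ``beers`` for any user."""
        resp = self.app.get('/permissions', headers=get_user_headers("any"))
        buckets = [e for e in resp.json['data'] if e['resource_name'] == 'bucket']
        self.assertEqual(buckets[0]['id'], 'beers')
        self.assertIn('write', buckets[0]['permissions'])

    def test_collection_create_taken_into_account(self):
        """``group_create_principals`` shows as ``group:create`` on ``beers`` for the admin."""
        resp = self.app.get('/permissions', headers=self.admin_headers)
        buckets = [e for e in resp.json['data'] if e['resource_name'] == 'bucket']
        self.assertEqual(buckets[0]['id'], 'beers')
        self.assertIn('group:create', buckets[0]['permissions'])

    def test_collection_write_taken_into_account(self):
        """``collection_write_principals`` shows as ``write`` on ``barley`` for any user."""
        resp = self.app.get('/permissions', headers=get_user_headers("any"))
        collections = [e for e in resp.json['data'] if e['resource_name'] == 'collection']
        self.assertEqual(collections[0]['id'], 'barley')
        self.assertIn('write', collections[0]['permissions'])

    def test_record_create_taken_into_account(self):
        """``record_create_principals`` (via the admins group) shows as ``record:create`` on ``barley``."""
        resp = self.app.get('/permissions', headers=self.admin_headers)
        collections = [e for e in resp.json['data'] if e['resource_name'] == 'collection']
        self.assertEqual(collections[0]['id'], 'barley')
        self.assertIn('record:create', collections[0]['permissions'])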
def test_account_record_can_be_obtained_if_authenticated(self):
    """Alice can read her own account record with her credentials (default 2xx check)."""
    as_alice = get_user_headers('alice', '123456')
    self.app.get('/accounts/alice', headers=as_alice)
def test_account_record_can_be_obtained_if_authenticated(self):
    """Alice can read her own account record with her credentials (default 2xx check)."""
    as_alice = get_user_headers("alice", "123456")
    self.app.get("/accounts/alice", headers=as_alice)
def test_authentication_is_denied_after_delete(self):
    """Once alice deletes her account, the same credentials are rejected with 401."""
    as_alice = get_user_headers('alice', '123456')
    self.app.delete('/accounts/alice', headers=as_alice)
    self.app.get('/accounts/alice', headers=as_alice, status=401)
def test_accounts_list_contains_only_one_record(self):
    """Listing ``/accounts`` as alice returns a single record (her own)."""
    as_alice = get_user_headers('alice', '123456')
    listed = self.app.get('/accounts', headers=as_alice).json['data']
    assert len(listed) == 1
def test_account_can_be_deleted(self):
    """The owner can delete her own account (default 2xx check)."""
    as_alice = get_user_headers('alice', '123456')
    self.app.delete('/accounts/alice', headers=as_alice)
def test_metadata_can_be_changed(self):
    """The account owner can PATCH arbitrary metadata (``age``) onto her record."""
    as_alice = get_user_headers('alice', '123456')
    patch = {'data': {'age': 'captain'}}
    resp = self.app.patch_json('/accounts/alice', patch, headers=as_alice)
    assert resp.json['data']['age'] == 'captain'
def test_cannot_patch_someone_else_account(self):
    """Alice cannot change bob's password: the PATCH on his account is refused (403)."""
    new_password = {'data': {'password': '******'}}
    self.app.put_json('/accounts/bob', new_password, status=201)
    as_alice = get_user_headers('alice', '123456')
    self.app.patch_json('/accounts/bob', new_password, headers=as_alice, status=403)
def test_bucket_write_taken_into_account(self):
    """``/permissions`` lists ``write`` on bucket ``beers`` for an arbitrary user."""
    resp = self.app.get("/permissions", headers=get_user_headers("any"))
    buckets = [entry for entry in resp.json["data"] if entry["resource_name"] == "bucket"]
    first = buckets[0]
    self.assertEqual(first["id"], "beers")
    self.assertIn("write", first["permissions"])
def test_cannot_read_if_not_allowed(self):
    """A user without read rights cannot fetch the ``moderators`` group (403)."""
    as_jean_louis = {**self.headers, **get_user_headers("jean-louis")}
    self.app.get("/buckets/beer/groups/moderators", headers=as_jean_louis, status=403)
def test_cannot_obtain_someone_else_account(self):
    """Alice is refused (403) when reading bob's account record."""
    as_alice = get_user_headers("alice", "123456")
    self.app.get("/accounts/bob", headers=as_alice, status=403)
def setUpClass(cls):
    """Prepare alice's request headers and the ``basicauth:`` principal expected for them.

    NOTE(review): presumably decorated with ``@classmethod`` in the original
    file (the decorator is not visible in this listing).
    """
    super().setUpClass()
    alice_auth = get_user_headers("alice")
    cls.alice_headers = {**cls.headers, **alice_auth}
    cls.alice_principal = (
        "basicauth:d5b0026601f1b251974e09548d44155e16812e3c64ff7ae053fe3542e2ca1570"
    )
def test_accounts_list_contains_only_one_record(self):
    """Listing ``/accounts`` as alice returns a single record (her own)."""
    as_alice = get_user_headers("alice", "123456")
    listed = self.app.get("/accounts", headers=as_alice).json["data"]
    assert len(listed) == 1
def setUp(self):
    """Keep headers built from an empty user name.

    Presumably these stand for the "everyone" / unauthenticated case in
    the tests that use them — confirm against ``get_user_headers``.
    """
    empty_user = ""
    self.everyone_headers = get_user_headers(empty_user)
def test_authentication_is_denied_after_delete(self):
    """Once alice deletes her account, the same credentials are rejected with 401."""
    as_alice = get_user_headers("alice", "123456")
    self.app.delete("/accounts/alice", headers=as_alice)
    self.app.get("/accounts/alice", headers=as_alice, status=401)
def test_authentication_with_new_password_is_accepted_after_change(self):
    """After alice changes her password, the new credentials authenticate.

    NOTE(review): the password written by the PUT is redacted ('******')
    in this listing; it presumably equals the 'bouh' used for the GET.
    """
    current_credentials = get_user_headers('alice', '123456')
    new_password = {'data': {'password': '******'}}
    self.app.put_json('/accounts/alice', new_password, headers=current_credentials, status=200)
    rotated_credentials = get_user_headers('alice', 'bouh')
    self.app.get('/accounts/alice', headers=rotated_credentials)
def test_account_can_be_deleted(self):
    """The owner can delete her own account (default 2xx check)."""
    as_alice = get_user_headers("alice", "123456")
    self.app.delete("/accounts/alice", headers=as_alice)
def test_cannot_obtain_unknown_account(self):
    """Reading a non-existent account is refused with 403, not 404.

    The same status as for another user's account, so the response does
    not reveal whether ``jeanine`` exists.
    """
    as_alice = get_user_headers("alice", "123456")
    self.app.get("/accounts/jeanine", headers=as_alice, status=403)
def setUpClass(cls):
    """Authenticate every request of this class as user ``mat``.

    NOTE(review): ``cls.headers`` is updated in place; if that dict is
    inherited from a base class it is shared with it — confirm intended.
    Presumably decorated with ``@classmethod`` in the original file.
    """
    super().setUpClass()
    mat_auth = testing.get_user_headers("mat")
    cls.headers.update(mat_auth)
def test_default_bucket_can_be_created_with_simple_put(self):
    """A body-less PUT by ``bob`` on ``self.bucket_url`` creates the bucket (201)."""
    as_bob = get_user_headers("bob")
    created = 201
    self.app.put(self.bucket_url, headers=as_bob, status=created)
def setUpClass(cls):
    """Authenticate every request as ``mat`` and expose the registry's indexer.

    NOTE(review): ``cls.headers`` is updated in place; if that dict is
    inherited from a base class it is shared with it — confirm intended.
    Presumably decorated with ``@classmethod`` in the original file.
    """
    super().setUpClass()
    mat_auth = get_user_headers('mat')
    cls.headers.update(mat_auth)
    registry = cls.app.app.registry
    cls.indexer = registry.indexer
def test_username_and_account_id_must_match(self):
    """A PATCH that renames the account id to another user is rejected with 400.

    Alice attempts to set ``id`` to ``bob`` on her own record; the server
    answers 400 with a message containing "does not match".
    """
    as_alice = get_user_headers('alice', '123456')
    impersonation = {'data': {'id': 'bob', 'password': '******'}}
    resp = self.app.patch_json('/accounts/alice', impersonation, headers=as_alice, status=400)
    assert 'does not match' in resp.json['message']
def test_cannot_obtain_someone_else_account(self):
    """Alice is refused (403) when reading bob's account record."""
    as_alice = get_user_headers('alice', '123456')
    self.app.get('/accounts/bob', headers=as_alice, status=403)
def test_publicly_readable_record_allows_any_authenticated(self):
    """An authenticated user sees only the history entry of the record readable by everyone.

    ``jack:`` (user name with an empty password part) gets exactly one
    history entry for ``/buckets/test``: a ``record`` whose ``read``
    permission includes ``system.Authenticated``.
    """
    as_jack = get_user_headers("jack:")
    entries = self.app.get("/buckets/test/history", headers=as_jack).json["data"]
    assert len(entries) == 1
    only_entry = entries[0]
    readers = only_entry["target"]["permissions"]["read"]
    assert "system.Authenticated" in readers
    assert only_entry["resource_name"] == "record"
def test_cannot_patch_unknown_account(self):
    """Patching an account that does not exist is refused with 403 (not 404)."""
    as_alice = get_user_headers('alice', '123456')
    new_password = {'data': {'password': '******'}}
    self.app.patch_json('/accounts/bob', new_password, headers=as_alice, status=403)
def __init__(self, *args, **kwargs):
    """Authenticate the test's requests as user ``mat``.

    NOTE(review): ``self.headers`` is updated in place; if it resolves to a
    class-level dict this mutation is shared across instances — confirm.
    """
    super(BaseWebTest, self).__init__(*args, **kwargs)
    mat_auth = get_user_headers('mat')
    self.headers.update(mat_auth)