def test_delegate_set_delegate_rule():
# delegate cannot set delegate rule
req = {"user_email": email, "user_role":'delegate'}
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 403
req1 = {"user_email": email, "user_role":'data ingester', "item_id":resource_id, "item_type":"resourcegroup"}
req2 = {"user_email": email, "user_role":'delegate'}
r = alt_provider.provider_access([req1, req2], '*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 403
def test_deleted_delegate():
# provider deletes delegate
global consumer_id
r = untrusted.delete_rule([{"id": delegate_id}])
assert r['success'] == True
assert r['status_code'] == 200
# deleted delegate cannot do anything
req = {
"user_email": email,
"user_role": 'consumer',
"item_id": resource_id,
"item_type": "resourcegroup"
}
req["capabilities"] = ['complex']
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 401
r = alt_provider.get_provider_access('*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 401
body = {"id": consumer_id}
r = alt_provider.delete_rule([body], '*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 401
def test_delegate_set_delegate_rule():
# delegate cannot set delegate rule
req = {"user_email": email, "user_role": 'delegate'}
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 403
def test_set_rule_unassigned_delegate():
# token request should fail
body = {"id": resource_id + "/someitem", "apis": ["/ngsi-ld/v1/entities"]}
r = consumer.get_token(body)
assert r['success'] is False
# set temporal consumer rule as delegate
req = {
"user_email": email,
"user_role": 'consumer',
"item_id": resource_id,
"item_type": "resourcegroup"
}
req["capabilities"] = ['temporal']
# should fail because unapproved delegate
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 401
# check if unreg'd delegate can use delegate API
r = alt_provider.get_delegate_providers()
assert r['success'] == False
assert r['status_code'] == 404
def test_delegate_invalid_provider_email():
req = {"user_email": email, "user_role":'consumer', "item_id":resource_id, "item_type":"resourcegroup"}
req["capabilities"] = ['temporal']
# fail because provider_email missing
r = alt_provider.provider_access([req])
assert r['success'] == False
assert r['status_code'] == 400
# invalid provider_email
r = alt_provider.provider_access([req], 'abc.xyz@rbccps$$.')
assert r['success'] == False
assert r['status_code'] == 400
# non-existent provider
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 401
def test_multiple_delegates():
# tests with 2 delegates
# make consumer a delegate
req = {"user_email": email, "user_role": 'delegate'}
r = untrusted.provider_access([req])
assert r['success'] == True
assert r['status_code'] == 200
resource_group = ''.join(
random.choice(string.ascii_lowercase) for _ in range(10))
resource_id = provider_id + '/rs.example.com/' + resource_group
req = {
"user_email": email,
"user_role": 'consumer',
"item_id": resource_id,
"item_type": "resourcegroup"
}
req["capabilities"] = ['complex']
r = consumer.provider_access([req], '*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200
# cannot update rule set by other provider
req["capabilities"] = ['subscription']
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200
r = consumer.get_provider_access('*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200
rules = r['response']
for r in rules:
if r['email'] == email and r[
'role'] == 'consumer' and resource_id == r['item']['cat_id']:
consumer_id = r['id']
# delegate can delete other delegate's rule
body = {"id": consumer_id}
r = alt_provider.delete_rule([body], '*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200
# already deleted
body = {"id": consumer_id}
r = consumer.delete_rule([body], '*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 403
# delegate cannot delete delegate rule
r = consumer.delete_rule([{"id": delegate_id}], '*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 403
def test_delegate_set_consumer_rule():
req = {"user_email": email, "user_role":'consumer', "item_id":resource_id, "item_type":"resourcegroup"}
req["capabilities"] = ['temporal']
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200
body = {"request" : [resource_id + "/someitem"]}
r = consumer.get_token(body)
assert r['success'] is True
def test_delegate_set_ingester_rule():
# delegate can set ingester rule
body = {"request" : [diresource_id + "/someitem"]}
# data ingester token request should fail
r = consumer.get_token(body)
assert r['success'] is False
req = {"user_email": email, "user_role":'data ingester', "item_id":diresource_id, "item_type":"resourcegroup"}
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200
# without adapter API
r = consumer.get_token(body)
assert r['success'] is True
def test_delegate_set_onboarder_rule():
# delegate can set onboarder rule
body = {"id": provider_id + "/catalogue.iudx.io/catalogue/crud"}
# onboarder token request should fail
r = consumer.get_token(body)
assert r['success'] is False
req = {"user_email": email, "user_role": 'onboarder'}
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200
r = consumer.get_token(body)
assert r['success'] is True
assert None != r['response']['token']
def test_delegate_update_provider_rule():
# delegate can update rule set by provider
req = {"user_email": email, "user_role":'consumer', "item_id":pr_resource_id, "item_type":"resourcegroup"}
req["capabilities"] = ['complex'];
r = untrusted.provider_access([req])
assert r['success'] == True
assert r['status_code'] == 200
req = {"user_email": email, "user_role":'consumer', "item_id":pr_resource_id, "item_type":"resourcegroup"}
req["capabilities"] = ['temporal'];
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200
body = {"request" : [pr_resource_id + "/someitem"]}
r = consumer.get_token(body)
assert r['success'] is True
def test_different_provider_tokens():
resource_id = set_policy()
# let alt_provider set a policy
resource_id_alt = "iisc.ac.in/2052f450ac2dde345335fb18b82e21da92e3388c/rs.iudx.io/" + rand_rsg(
)
access_req = {
"user_email": email,
"user_role": 'consumer',
"item_id": resource_id_alt,
"item_type": "resourcegroup",
"capabilities": ["complex", "subscription", "temporal"]
}
r = alt_provider.provider_access([access_req])
assert r['success'] == True
assert r['status_code'] == 200
body = {}
body['request'] = [resource_id, resource_id_alt]
r = consumer.get_token(body)
assert r['success'] is True
assert r['status_code'] == 200
token = r['response']['token']
s = token.split("/")
uuid = s[3]
r = consumer.view_tokens()
check = False
for tokens in r['response']:
if uuid == tokens['uuid']:
assert len(tokens['request']) == 2
resources = [i['cat_id'] for i in tokens['request']]
assert set(resources) == set(body['request'])
check = True
assert check is True
# token request should fail
body = {"id": resource_id + "/someitem", "apis": ["/ngsi-ld/v1/entities"]}
r = consumer.get_token(body)
assert r['success'] is False
# set temporal consumer rule as delegate
req = {
"user_email": email,
"user_role": 'consumer',
"item_id": resource_id,
"item_type": "resourcegroup"
}
req["capabilities"] = ['temporal']
# should fail because unapproved delegate
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == False
assert r['status_code'] == 401
req = {"user_email": delegate_email, "user_role": 'delegate'}
r = untrusted.provider_access([req])
assert r['success'] == True
assert r['status_code'] == 200
req = {
"user_email": email,
"user_role": 'consumer',
"item_id": resource_id,
"item_type": "resourcegroup"
}
req["capabilities"] = ['temporal']
