示例#1
async def test_login_inactive(core4api):
    """A deactivated account must be refused when it tries to log in.

    Flow: the admin creates "user", the user logs in once while still
    active, the admin sets ``is_active=False`` on the role, and a fresh,
    token-less login attempt is then expected to return 401.
    """
    await core4api.login()
    new_user = {
        "name": "user",
        "realname": "test user",
        "passwd": "password",
        "email": "*****@*****.**",
        "perm": ["api://core4.api.v1"],
    }
    rv = await core4api.post("/core4/api/v1/roles", json=new_user)
    assert rv.code == 200
    created = rv.json()["data"]
    user_id, etag = created["_id"], created["etag"]

    # Log in as the new user while the account is still active.
    await core4api.login("user", "password")

    # Back to the admin identity to switch the account off.
    core4api.set_admin()
    deactivate = {"is_active": False, "etag": etag}
    rv = await core4api.put("/core4/api/v1/roles/" + user_id, json=deactivate)
    assert rv.code == 200

    # Clear the client token so the next request carries no earlier session.
    # NOTE(review): only a *fresh* login is asserted to fail; the session the
    # user opened before deactivation is never re-checked here.
    core4api.token = None
    # NOTE(review): this sends the credentials in the query string, where
    # they tend to be recorded in server and proxy logs; a request body is
    # preferable if the login endpoint accepts one -- confirm.
    login_url = "/core4/api/v1/login?username=user&password=password"
    rv = await core4api.get(login_url)
    assert rv.code == 401
示例#2
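async def test_restricted_user(core4api):
    """A user whose permissions are emptied loses access to the API.

    The admin creates "user" with ``api://core4.api.v1``, confirms the role
    can be fetched by id and by filter, and the user reads its own profile.
    The admin then replaces the permission list with ``[]``; after the user
    logs in again, the profile request is expected to return 403.
    """
    await core4api.login()
    rv = await core4api.get("/core4/api/v1/roles")
    assert rv.code == 200
    rv = await core4api.post("/core4/api/v1/roles",
                             json=dict(name="user",
                                       realname="test user",
                                       passwd="password",
                                       email="*****@*****.**",
                                       perm=["api://core4.api.v1"]))
    # Check the status before reading the body, so a refused request shows
    # up as a status mismatch instead of a KeyError on the error payload.
    assert rv.code == 200
    user_id = rv.json()["data"]["_id"]
    etag = rv.json()["data"]["etag"]

    rv = await core4api.get("/core4/api/v1/roles/" + user_id)
    assert rv.code == 200
    assert rv.json()["data"]["name"] == "user"

    # Exactly one role is expected to match the name filter.
    js = json.dumps({"name": "user"})
    rv = await core4api.get("/core4/api/v1/roles?filter=" + js)
    assert rv.code == 200
    assert rv.json()["total_count"] == 1

    # With the permission in place the user can read its own profile.
    await core4api.login("user", "password")
    rv = await core4api.get("/core4/api/v1/profile")
    assert rv.code == 200
    assert rv.json()["data"]["name"] == "user"

    # The admin strips every permission from the role.
    core4api.set_admin()
    rv = await core4api.put("/core4/api/v1/roles/" + user_id,
                            json=dict(perm=[], etag=etag))
    assert rv.code == 200

    # The user logs in again, but the profile request is now forbidden.
    await core4api.login("user", "password")
    rv = await core4api.get("/core4/api/v1/profile")
    assert rv.code == 403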
示例#3
async def test_method_permission(core4api):
    """Check that method suffixes on an api:// permission gate HTTP verbs.

    Each stage calls ``add_user_method_perms`` with a different suffix and
    then probes the roles endpoint. As asserted below: ``/r`` allows GET,
    ``/c`` allows POST, ``/u`` allows PUT and ``/d`` allows DELETE, while a
    verb not named in the suffix is answered with 403. Creating a role whose
    suffix contains an unknown letter (``/x``, ``/rxc``) is rejected with 400.

    NOTE(review): ``add_user_method_perms`` is defined outside this listing;
    it presumably creates the named user with the given suffix and switches
    the client to that user -- confirm against the helper.
    """
    roles_url = "/core4/api/v1/roles"
    profile_url = "/core4/api/v1/profile"

    def _role_doc(name, suffix):
        # Role document used throughout: e-mail and password derive from name.
        return {
            "name": name,
            "role": ["standard_user"],
            "email": name + "@mail.com",
            "passwd": name,
            "perm": ["api://core4.api.v1.request.role" + suffix],
        }

    async def _put_self(profile, name):
        # Update the role the current profile belongs to, using its etag.
        url = roles_url + "/" + profile.json()["data"]["_id"]
        body = _role_doc(name, "/d")
        body["etag"] = profile.json()["data"]["etag"]
        return await core4api.put(url, json=body)

    async def _delete_self(profile):
        # Delete the role the current profile belongs to, using its etag.
        data = profile.json()["data"]
        return await core4api.delete(
            roles_url + "/" + data["_id"] + "?etag=" + data["etag"])

    await core4api.login()
    rv = await core4api.get(profile_url)
    assert rv.code == 200

    # "/r": GET is allowed, POST is refused.
    await add_user_method_perms(core4api, "test_reg_user1", "/r")
    rv = await core4api.get(roles_url)
    assert rv.code == 200
    rv = await core4api.post(roles_url)
    assert rv.code == 403

    # "/c": POST is allowed, GET is refused.
    await add_user_method_perms(core4api, "test_reg_user2", "/c")
    rv = await core4api.post(roles_url, json=_role_doc("mkr", "/d"))
    assert rv.code == 200
    rv = await core4api.get(roles_url)
    assert rv.code == 403

    # "/u": PUT is allowed, GET is refused.
    await add_user_method_perms(core4api, "test_reg_user3", "/u")
    profile = await core4api.get(profile_url)
    assert profile.code == 200
    rv = await core4api.get(roles_url)
    assert rv.code == 403
    rv = await _put_self(profile, "mkr2")
    assert rv.code == 200

    # "/d": DELETE is allowed, GET is refused.
    await add_user_method_perms(core4api, "test_perm_user4", "/d")
    rv = await core4api.get(roles_url)
    assert rv.code == 403
    profile = await core4api.get(profile_url)
    rv = await _delete_self(profile)
    assert rv.code == 200

    # "/rd": GET and DELETE are allowed, PUT is refused.
    await add_user_method_perms(core4api, "test_perm_user4", "/rd")
    rv = await core4api.get(roles_url)
    assert rv.code == 200
    profile = await core4api.get(profile_url)

    rv = await _put_self(profile, "mkr2")
    assert rv.code == 403

    rv = await _delete_self(profile)
    assert rv.code == 200

    # "/rcd": GET, POST and DELETE are allowed, PUT is still refused.
    await add_user_method_perms(core4api, "test_perm_user4", "/rcd")
    rv = await core4api.get(roles_url)
    assert rv.code == 200

    profile = await core4api.get(profile_url)

    rv = await core4api.post(roles_url, json=_role_doc("mkr4", "/d"))
    assert rv.code == 200

    rv = await _put_self(profile, "mkr2")
    assert rv.code == 403

    rv = await _delete_self(profile)
    assert rv.code == 200

    # Malformed suffixes: even the admin cannot create a role whose
    # permission carries an unknown method letter.
    core4api.set_admin()
    for bad_suffix in ("/x", "/rxc"):
        rv = await core4api.post(roles_url, json=_role_doc("error", bad_suffix))
        assert rv.code == 400
示例#4
async def test_job_listing(core4api):
    """Check that job:// permissions limit which jobs a user can list.

    The admin enqueues ten ``DummyJob`` and six ``MyJob`` entries and sees
    all 16. Users created through ``add_job_user`` are then expected to see
    only the jobs matching their ``job://`` pattern (10 or 6). As asserted
    below, a ``/r`` suffix on ``job://tests.+`` lets the user list but not
    enqueue (403), while ``/x`` lets the user list, enqueue and fetch the
    new job.

    NOTE(review): ``add_job_user`` is defined outside this listing; it
    presumably creates the user and switches the client to it -- confirm.
    """
    jobs_url = "/core4/api/v1/jobs"
    enqueue_url = "/core4/api/v1/jobs/enqueue"
    json_header = {"Content-Type": "application/json"}
    api_perm = "api://core4.api.v1.request.queue.job.*"
    my_job = "tests.api.test_grant.MyJob"

    async def _visible_jobs():
        # Number of jobs the current identity is shown by the listing.
        listing = await core4api.get(jobs_url)
        return listing.json()["total_count"]

    await core4api.login()
    batches = (
        ("core4.queue.helper.job.example.DummyJob", 10),
        (my_job, 6),
    )
    for qual_name, copies in batches:
        for job_no in range(1, copies + 1):
            rv = await core4api.post(enqueue_url,
                                     json={"name": qual_name, "id": job_no},
                                     headers=dict(json_header))
            assert rv.code == 200
    assert await _visible_jobs() == 16

    # Read access to the helper jobs only: the ten DummyJob entries.
    await add_job_user(core4api,
                       "test_reg_user1",
                       perm=[api_perm, "job://core4.queue.helper.job.*/r"])
    assert await _visible_jobs() == 10

    # An execute suffix on a wider pattern shows the same ten jobs.
    core4api.set_admin()
    await add_job_user(core4api,
                       "test_reg_user2",
                       perm=[api_perm, "job://core4.queue.helper.*/x"])
    assert await _visible_jobs() == 10

    # Read access to tests.*: six jobs are listed, enqueueing is refused.
    core4api.set_admin()
    await add_job_user(core4api, "user3", perm=[api_perm, "job://tests.+/r"])
    assert await _visible_jobs() == 6

    rv = await core4api.post(enqueue_url,
                             json={"name": my_job},
                             headers=dict(json_header))
    assert rv.code == 403

    # Execute access to tests.*: listing and enqueueing both work.
    core4api.set_admin()
    await add_job_user(core4api,
                       "test_reg_user4",
                       perm=[api_perm, "job://tests.+/x"])
    assert await _visible_jobs() == 6

    rv = await core4api.post(enqueue_url, json={"name": my_job})
    assert rv.code == 200
    job_id = rv.json()["data"]["_id"]

    # The job just enqueued is listed and can be fetched by id.
    assert await _visible_jobs() == 7

    rv = await core4api.get(jobs_url + "/" + job_id)
    assert rv.code == 200
示例#5
async def test_grant(core4api):
    """Check that MongoDB access follows the role's ``mongodb://`` permissions.

    A role is created without database permissions, then the admin grants,
    widens, narrows and restores ``mongodb://core4test`` while the test
    probes the database after each step. Access is expected to work only
    while the role holds ``mongodb://core4test``, and to stop once the
    permission is removed or the role is deleted. The last step expects the
    deleted user's login to be answered with 401.

    NOTE(review): the credentials in every connection URL below are masked
    in this listing, and the ``access`` argument of the helpers is not
    referenced in the visible code; it presumably supplied those credentials
    in the original -- confirm against the repository.
    """
    async def _access(access):
        """
        Assert that the database can be reached and ``sys.role`` is readable.

        Connecting and listing collections is retried up to five times on
        OperationFailure; the original author notes that without the
        try/except the tests failed randomly because of async timing.

        :param access: value returned by the access endpoint (not referenced
            in the visible body, see the note on ``test_grant``)
        :return: None
        """
        counter = 0

        while True:
            try:
                counter += 1
                mongo = motor.MotorClient("mongodb://*****:*****@testmongo:27017")
                _ = await mongo.server_info()
                _ = await mongo["core4test"].list_collection_names()
                # NOTE(review): time.sleep() blocks the event loop inside a
                # coroutine; asyncio.sleep() would let other tasks run --
                # confirm the blocking wait is intended.
                time.sleep(1)
                break
            except pymongo.errors.OperationFailure as ops_fail:
                print(ops_fail.details['codeName'])
                time.sleep(1)
                # Give up after the fifth failed attempt.
                if counter == 5:
                    break
                continue

            except Exception as E:
                # NOTE(review): a generic Exception has no ``details``
                # attribute, so this print would raise AttributeError and
                # hide the error that was actually caught.
                print("something really strange happen: ",
                      E.details['codeName'])
                break

        # Final check: the role collection must be readable and non-empty.
        assert await mongo.core4test.sys.role.count_documents({}) > 0

    async def _no_access(access):
        # Assert that database access is refused: after the retry loop around
        # server_info(), listing the collections of core4test is expected to
        # raise OperationFailure, which pytest.raises captures.
        counter = 0
        with pytest.raises(pymongo.errors.OperationFailure):
            while True:
                try:
                    counter += 1
                    mongo = motor.MotorClient(
                        "mongodb://*****:*****@testmongo:27017")
                    _ = await mongo.server_info()

                    # NOTE(review): blocking sleep inside a coroutine, as in
                    # _access above.
                    time.sleep(1)
                    break
                except pymongo.errors.OperationFailure as ops_fail:
                    # Failures raised here are swallowed by the loop, so only
                    # the call after the loop can satisfy pytest.raises.
                    print(ops_fail.details['codeName'])
                    time.sleep(1)
                    if counter == 5:
                        break
                    continue
                except Exception as E:
                    # NOTE(review): ``E.details`` does not exist on a generic
                    # Exception; this line would raise AttributeError.
                    print("something really strange happen: ",
                          E.details['codeName'])
                    break
            _ = await mongo["core4test"].list_collection_names()

    await core4api.login()
    # The role starts with the standard_user role and no extra permissions.
    data = {
        "name": "test_reg_test_role1",
        "realname": "test role1",
        "passwd": "123456",
        "email": "*****@*****.**",
        "role": ["standard_user"],
        "perm": []
    }
    rv = await core4api.post("/core4/api/v1/roles", json=data)
    assert rv.code == 200
    # NOTE(review): ``id`` shadows the builtin of the same name.
    id = rv.json()["data"]["_id"]
    etag = rv.json()["data"]["etag"]

    await core4api.login("test_reg_test_role1", "123456")
    rv = await core4api.get("/core4/api/v1/profile")
    assert rv.code == 200

    # Request database access as the new user.
    rv = await core4api.post("/core4/api/v1/access")
    assert rv.code == 200
    access = rv.json()["data"]["mongodb"]
    # 1: no mongodb:// permission yet, so access must be refused
    await _no_access(access)

    # The admin grants access to the core4test database.
    core4api.set_admin()
    data = {"etag": etag, "perm": ["mongodb://core4test"]}

    rv = await core4api.put("/core4/api/v1/roles/" + id, json=data)
    assert rv.code == 200
    etag = rv.json()["data"]["etag"]
    # 2: access is expected to work after the grant
    await _access(access)

    await core4api.login("test_reg_test_role1", "123456")
    rv = await core4api.post("/core4/api/v1/access")
    assert rv.code == 200
    access = rv.json()["data"]["mongodb"]
    # 3: access with the newly requested value
    await _access(access)

    # A change that does not touch the permissions.
    data = {"etag": etag, "realname": "no change"}

    core4api.set_admin()
    rv = await core4api.put("/core4/api/v1/roles/" + id, json=data)
    assert rv.code == 200
    etag = rv.json()["data"]["etag"]
    # 4: access is expected to survive the unrelated update
    await _access(access)

    # Widen the grant with a second database.
    data = {"etag": etag, "perm": ["mongodb://core4test", "mongodb://other"]}

    rv = await core4api.put("/core4/api/v1/roles/" + id, json=data)
    assert rv.code == 200
    etag = rv.json()["data"]["etag"]
    # 5: core4test is still granted
    await _access(access)

    await core4api.login("test_reg_test_role1", "123456")
    rv = await core4api.post("/core4/api/v1/access/mongodb")
    assert rv.code == 200
    access = rv.json()["data"]
    # 6: access requested through the mongodb-specific endpoint
    await _access(access)

    # Narrow the grant so that core4test is no longer included.
    data = {"etag": etag, "perm": ["mongodb://other"]}

    core4api.set_admin()
    rv = await core4api.put("/core4/api/v1/roles/" + id, json=data)
    assert rv.code == 200

    # 7: core4test was removed from the grant, so access must be refused
    await _no_access(access)

    await core4api.login("test_reg_test_role1", "123456")
    rv = await core4api.post("/core4/api/v1/access/mongodb")
    assert rv.code == 200
    access = rv.json()["data"]

    # 8: a newly requested access value must not reach core4test either
    await _no_access(access)

    core4api.set_admin()
    rv = await core4api.get("/core4/api/v1/roles/" + id)
    # 9: re-read the role to obtain its current etag
    assert rv.code == 200
    etag = rv.json()["data"]["etag"]

    data = {"etag": etag, "perm": ["mongodb://core4test"]}

    rv = await core4api.put("/core4/api/v1/roles/" + id, json=data)
    # 10: restore the core4test grant
    assert rv.code == 200
    etag = rv.json()["data"]["etag"]

    await _access(access)

    rv = await core4api.delete("/core4/api/v1/roles/" + id + "/" + etag)
    # 11: the role is deleted
    assert rv.code == 200

    # After the deletion every one of five connection attempts is expected
    # to fail with OperationFailure; a single success leaves counter below 5.
    counter = 0
    while True:
        try:
            mongo = motor.MotorClient("mongodb://*****:*****@testmongo:27017")
            _ = await mongo.server_info()

            time.sleep(1)
            break
        except pymongo.errors.OperationFailure as aha:
            print(aha.details['codeName'])
            time.sleep(1)
            counter += 1
            if counter == 5:
                break

    assert counter == 5
    # 12: database access stays refused once the role is gone
    await _no_access(access)

    # The third argument is presumably the status the login helper expects;
    # the deleted user must no longer be able to authenticate -- confirm.
    await core4api.login("test_reg_test_role1", "123456", 401)
    rv = await core4api.get("/core4/api/v1/profile")

    assert rv.code == 401
示例#6
async def test_grant(core4api):
    # Checks that MongoDB access follows the role's mongodb:// permissions.
    # As asserted below, an access value obtained before a permission change
    # is expected to stop working after the change, until the user requests
    # a new one; an update that leaves the permissions alone keeps it valid.
    #
    # NOTE(review): the credentials in the connection URL are masked in this
    # listing, and the ``access`` argument of the helpers is not referenced
    # in the visible code; it presumably supplied those credentials in the
    # original -- confirm against the repository.
    async def _access(access):
        # Connect, list the collections of core4test and require that the
        # sys.role collection holds at least one document.
        mongo = motor.MotorClient("mongodb://*****:*****@testmongo:27017")
        _ = await mongo.server_info()
        _ = await mongo["core4test"].list_collection_names()
        assert await mongo.core4test.sys.role.count_documents({}) > 0

    async def _no_access(access):
        # The same probe must fail with OperationFailure.
        with pytest.raises(pymongo.errors.OperationFailure):
            await _access(access)

    await core4api.login()
    # The role starts with the standard_user role and no extra permissions.
    data = {
        "name": "test_reg_test_role1",
        "realname": "test role1",
        "passwd": "123456",
        "email": "*****@*****.**",
        "role": ["standard_user"],
        "perm": []
    }
    rv = await core4api.post("/core4/api/v1/roles", json=data)
    assert rv.code == 200
    # NOTE(review): ``id`` shadows the builtin of the same name.
    id = rv.json()["data"]["_id"]
    etag = rv.json()["data"]["etag"]

    await core4api.login("test_reg_test_role1", "123456")
    rv = await core4api.get("/core4/api/v1/profile")
    assert rv.code == 200

    # Request database access as the new user.
    rv = await core4api.post("/core4/api/v1/access")
    assert rv.code == 200
    access = rv.json()["data"]["mongodb"]

    # No mongodb:// permission yet, so access must be refused.
    await _no_access(access)

    # The admin grants access to the core4test database.
    core4api.set_admin()
    data = {"etag": etag, "perm": ["mongodb://core4test"]}
    rv = await core4api.put("/core4/api/v1/roles/" + id, json=data)
    assert rv.code == 200
    etag = rv.json()["data"]["etag"]

    # The access value obtained before the grant is still expected to fail.
    await _no_access(access)

    # A newly requested access value is expected to work.
    await core4api.login("test_reg_test_role1", "123456")
    rv = await core4api.post("/core4/api/v1/access")
    assert rv.code == 200
    access = rv.json()["data"]["mongodb"]

    await _access(access)

    # A change that does not touch the permissions.
    data = {"etag": etag, "realname": "no change"}

    core4api.set_admin()
    rv = await core4api.put("/core4/api/v1/roles/" + id, json=data)
    assert rv.code == 200
    etag = rv.json()["data"]["etag"]

    # Access is expected to survive the unrelated update.
    await _access(access)

    # Widen the grant with a second database.
    data = {"etag": etag, "perm": ["mongodb://core4test", "mongodb://other"]}

    rv = await core4api.put("/core4/api/v1/roles/" + id, json=data)
    assert rv.code == 200
    etag = rv.json()["data"]["etag"]

    # The permission list changed, so the earlier access value must fail.
    await _no_access(access)

    # Requesting access again through the mongodb-specific endpoint works.
    await core4api.login("test_reg_test_role1", "123456")
    rv = await core4api.post("/core4/api/v1/access/mongodb")
    assert rv.code == 200
    access = rv.json()["data"]

    await _access(access)

    # Narrow the grant so that core4test is no longer included.
    data = {"etag": etag, "perm": ["mongodb://other"]}

    core4api.set_admin()
    rv = await core4api.put("/core4/api/v1/roles/" + id, json=data)
    assert rv.code == 200

    await _no_access(access)

    # A newly requested access value must not reach core4test either.
    await core4api.login("test_reg_test_role1", "123456")
    rv = await core4api.post("/core4/api/v1/access/mongodb")
    assert rv.code == 200
    access = rv.json()["data"]

    await _no_access(access)