示例#1
def test_authenticated_users_get_redirected_to_home(client_without_db):
    """Requesting the login page from an ``as_user`` session redirects home.

    ``as_user`` is defined outside this snippet; presumably it establishes a
    signed-in session on the test client -- confirm against its definition.
    """
    as_user(client_without_db)

    response = client_without_db.get('/auth/login')

    # Expect a redirect whose target is the site root.
    assert response.status_code == 302
    assert response.headers.get('Location') == 'http://localhost/'
示例#2
def test_save_editor_data_as_user(client, query, data, expected_code,
                                  expected_response):
    """Saving editor data from an ``as_user`` session must be rejected.

    ``expected_code`` and ``expected_response`` are accepted but never read:
    whatever payload is supplied, the assertions below demand a 401 answer.

    NOTE(review): 401 conventionally signals "not authenticated". If
    ``as_user`` yields an authenticated but unprivileged user, 403 would
    describe the outcome more precisely -- confirm the intended semantics.
    """
    as_user(client)
    response = client.post(
        '/api/save_editor_data',
        query_string=query,
        json=data,
    )

    assert response.status_code == 401
    # Exact match: a charset suffix on the header would fail this check.
    assert response.headers['Content-Type'] == 'text/html'
    assert b'Unauthorized' in response.data
示例#3
def test_create_new_vulnerabilty_failure_as_user(client, db_engine, data,
                                                 expected_status,
                                                 expected_response):
    """Posting to ``/create`` from an ``as_user`` session is answered with 401.

    NOTE(review): the auto-increment value read below is never consulted, so
    this test checks only the HTTP response and not that no row was written.
    ``expected_status`` and ``expected_response`` are likewise unread.
    """
    # use execute+scalar as db_engine is mocked by pytest_flask_sqlalchemy
    auto_increment_sql = (
        "SELECT Auto_increment FROM information_schema.tables WHERE table_name='vulnerability'"
    )
    next_id = db_engine.execute(auto_increment_sql).scalar()

    as_user(client)
    response = client.post('/create', data=data)

    assert response.status_code == 401
    assert b'Unauthorized' in response.data
示例#4
def test_logout_clears_the_session(client_without_db):
    """Logging out redirects home and leaves no earlier session data behind.

    An unrelated key is planted first so the test shows that logout discards
    more than the ``user_info`` entry.
    """
    as_user(client_without_db)

    with client_without_db.session_transaction() as before_logout:
        before_logout['something_else'] = True

    response = client_without_db.get('/auth/logout')
    assert response.status_code == 302
    assert response.headers.get('Location') == 'http://localhost/'

    # NOTE(review): 'user_info' is not asserted to exist before logout, so its
    # absence afterwards could hold trivially -- confirm that as_user sets it.
    with client_without_db.session_transaction() as after_logout:
        assert 'user_info' not in after_logout
        assert 'something_else' not in after_logout
示例#5
def test_create_new_vulnerabilty_as_user(client, db_engine, db_session, data,
                                         expected_status):
    """A rejected ``/create`` POST from an ``as_user`` session writes no row.

    The id the next insert would receive is captured before the request; after
    the 401 response that id must still be unused. ``expected_status`` is
    accepted but never read.
    """
    # use execute+scalar as db_engine is mocked by pytest_flask_sqlalchemy
    auto_increment_sql = (
        "SELECT Auto_increment FROM information_schema.tables WHERE table_name='vulnerability'"
    )
    next_id = db_engine.execute(auto_increment_sql).scalar()

    as_user(client)
    response = client.post('/create', data=data)
    assert response.status_code == 401

    # Checking the response alone is not enough: confirm nothing was stored.
    created = db_session.query(Vulnerability).get(next_id)
    assert created is None
示例#6
def test_delete_vulnerability_entry_as_user(client):
    """A delete request from an ``as_user`` session gets 401 and removes nothing.

    The entry is looked up before and after the request so the test verifies
    the stored state, not only the status code.
    """
    cve_id = 'CVE-1970-1000'
    existing = Vulnerability.get_by_cve_id(cve_id)
    assert existing is not None

    as_user(client)
    payload = {'delete_entry': existing.id}
    response = client.post('/CVE-1970-1000/create', data=payload)
    assert response.status_code == 401

    # The entry must still be present after the rejected request.
    still_there = Vulnerability.get_by_cve_id(cve_id)
    assert still_there is not None
示例#7
def test_authenticated_users_get_redirected_to_home(app, client_without_db):
    """Requesting the login page while a user is set redirects to the root.

    ``set_user`` and ``as_user`` are defined outside this snippet; presumably
    they install the user for the duration of the ``with`` block -- confirm.
    """
    user = as_user(client_without_db)
    with set_user(app, user), app.app_context():
        response = client_without_db.get("/auth/login")
        assert response.status_code == 302
        assert response.headers.get("Location") == "http://localhost/"
示例#8
def test_save_editor_data_as_user(
    app, client, query, data, expected_code, expected_response
):
    """Saving editor data while the ``as_user`` user is set yields 403.

    ``expected_code`` and ``expected_response`` are accepted but never read:
    every payload must produce a JSON "Forbidden" response.
    """
    user = as_user(client)
    with set_user(app, user):
        response = client.post(
            "/api/save_editor_data",
            query_string=query,
            json=data,
        )

        assert response.status_code == 403
        # Substring match, so a charset suffix on the header is tolerated.
        assert "application/json" in response.headers["Content-Type"]
        assert b"Forbidden" in response.data
示例#9
def test_update_vulnerabilty_as_user(client, db_session):
    """A rejected update from an ``as_user`` session leaves the record as is.

    After the 401 response the stored comment and commit details must still
    hold their earlier values, not the ones submitted in the form.
    ``db_session`` is not referenced in the body; presumably it is requested
    for its fixture side effects -- confirm.
    """
    form = {
        'cve_id': 'CVE-1970-1000',
        'comment': 'This is the new comment',
        'commits-0-commit_link':
        'https://github.com/OWNER/REPO/commit/12345678',
        'commits-0-repo_name': 'REPO',
        'commits-0-repo_url': 'https://github.com/OWNER/REPO',
        'commits-0-commit_hash': '12345678',
    }

    as_user(client)
    response = client.post('/CVE-1970-1000/create', data=form)
    assert response.status_code == 401

    # Compare against the values expected to be stored already, which differ
    # from the submitted form everywhere except the CVE id.
    stored = Vulnerability.get_by_id(1)
    assert stored.comment == 'Vulnerability 1 comment'
    assert stored.cve_id == form['cve_id']
    assert len(stored.commits) == 1

    commit = stored.commits[0]
    assert commit.commit_link == 'https://github.com/OWNER/REPO1/commit/1234568'
    assert commit.repo_name == 'REPO1'
    assert commit.repo_url == 'https://github.com/OWNER/REPO1'
    assert commit.commit_hash == '1234568'
示例#10
def test_logout_clears_the_session(app, client_without_db):
    """Logout redirects home and removes both user and unrelated session keys.

    The session is inspected before logout as well, so the "not in session"
    checks afterwards cannot pass merely because the keys were never set.
    """
    user = as_user(client_without_db)

    with set_user(app, user), app.app_context():
        with client_without_db.session_transaction() as seeded:
            seeded["something_else"] = True

        # request /maintenance as it doesn't use the database
        response = client_without_db.get("/maintenance")
        assert response.status_code == 200
        with client_without_db.session_transaction() as before_logout:
            assert "user_info" in before_logout
            assert "something_else" in before_logout

        response = client_without_db.get("/auth/logout")
        assert response.status_code == 302
        assert response.headers.get("Location") == "http://localhost/"
        with client_without_db.session_transaction() as after_logout:
            assert "user_info" not in after_logout
            assert "something_else" not in after_logout
示例#11
def test_logout_clears_the_session(app, client_without_db):
    """Logout redirects home and removes both user and unrelated session keys.

    The session is inspected before logout as well, so the "not in session"
    checks afterwards cannot pass merely because the keys were never set.
    """
    user = as_user(client_without_db)

    with set_user(app, user), app.app_context():
        with client_without_db.session_transaction() as seeded:
            seeded['something_else'] = True

        # request /maintenance as it doesn't use the database
        response = client_without_db.get('/maintenance')
        assert response.status_code == 200
        with client_without_db.session_transaction() as before_logout:
            assert 'user_info' in before_logout
            assert 'something_else' in before_logout

        response = client_without_db.get('/auth/logout')
        assert response.status_code == 302
        assert response.headers.get('Location') == 'http://localhost/'
        with client_without_db.session_transaction() as after_logout:
            assert 'user_info' not in after_logout
            assert 'something_else' not in after_logout
示例#12
def test_create_vuln_page_if_invalid_as_user(client):
    """The create page for an invalid id answers 401 to an ``as_user`` session.

    The expected response is the same 401 "Unauthorized" that the sibling
    tests expect for existing and non-existing ids.
    """
    as_user(client)

    response = client.get('/INVALID_ID/create')

    assert response.status_code == 401
    assert b'Unauthorized' in response.data
示例#13
def test_create_vuln_page_if_nonexisting_as_user(client):
    """The create page for CVE-1970-9000 answers 401 to an ``as_user`` session.

    Going by the test name, that CVE id is absent from the fixture data; the
    expected answer is still 401 "Unauthorized".
    """
    as_user(client)

    response = client.get('/CVE-1970-9000/create')

    assert response.status_code == 401
    assert b'Unauthorized' in response.data
示例#14
def test_get_update_vuln_page_as_user(client):
    """The update page of CVE-1970-1000 answers 401 to an ``as_user`` session."""
    as_user(client)

    response = client.get('/CVE-1970-1000/create')

    # Read access to the edit form is denied, not only the POST that saves it.
    assert response.status_code == 401
    assert b'Unauthorized' in response.data
示例#15
def test_get_new_vuln_page_as_user(client):
    """The new-vulnerability page answers 401 to an ``as_user`` session."""
    as_user(client)

    response = client.get('/create')

    assert response.status_code == 401
    assert b'Unauthorized' in response.data