示例#1
0
    def test_change_endpoint_fails_with_invalid_token(self, fake_jwks):
        from cis_change_service import api

        f = FakeBearer()
        bad_claims = {
            "iss": "https://auth-dev.mozilla.auth0.com/",
            "sub": "mc1l0G4sJI2eQfdWxqgVNcRAD9EAgHib@clients",
            "aud": "https://hacks",
            "iat":
            (datetime.utcnow() - timedelta(seconds=3100)).strftime("%s"),
            "exp":
            (datetime.utcnow() - timedelta(seconds=3100)).strftime("%s"),
            "scope": "read:allthething",
            "gty": "client-credentials",
        }

        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_with_scope("read:profile", bad_claims)
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.get("/v2/user",
                              headers={"Authorization": "Bearer " + token},
                              follow_redirects=True)

        assert result.status_code == 401
    def test_post_profiles_it_should_fail(self, fake_jwks):
        os.environ["CIS_ENVIRONMENT"] = "local"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis-verify.ini"
        os.environ["CIS_STREAM_BYPASS"] = "******"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
        from cis_change_service import api

        f = FakeBearer()
        user_profile = FakeUser(config=FakeProfileConfig().minimal())
        user_profile.first_name.signature.publisher.name = "cis"
        user_profile.first_name.value = "Something"
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(user_profile.as_dict()),
            content_type="application/json",
            follow_redirects=True,
        )

        results = json.loads(result.get_data())
        expected_result = {
            "code":
            "invalid_publisher",
            "description":
            "[create] cis is NOT allowed to publish field first_name",
        }

        assert result.status_code == 403
        assert results == expected_result
示例#3
0
    def test_returning_query_by_any_staff_only_active_true(self, fake_jwks):
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk

        token = f.generate_bearer_with_scope(
            "read:fullprofile display:all search:all")
        logger.info("Attempting to query all staff.")
        result = self.app.get(
            f"/v2/users/id/all/by_attribute_contains?staff_information.staff=True&active=True",
            headers={"Authorization": "Bearer " + token},
            follow_redirects=True,
        )

        logger.info("All staff users returned.")
        assert result.json["users"] is not None

        if result.json["nextPage"]:
            next_page = result.json["nextPage"]
            result = self.app.get(
                f"/v2/users/id/all/by_attribute_contains?staff_information.staff=True&active=True&nextPage={next_page}",
                headers={"Authorization": "Bearer " + token},
                follow_redirects=True,
            )
            logger.info("An additional page of all staff users returned")
            assert result.json["users"] is not None
示例#4
0
    def test_find_by_x(self, fake_jwks):
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk

        token = f.generate_bearer_with_scope("read:fullprofile display:all")

        result = self.app.get("/v2/users",
                              headers={"Authorization": "Bearer " + token},
                              follow_redirects=True)

        profile = result.json["Items"][0]
        for field in indexed_fields:

            # data classification: ALL, display scope: ALL, display parameter: -
            token = f.generate_bearer_with_scope(
                "read:fullprofile display:all")
            query = self.app.get(
                "/v2/user/{}/{}".format(field, profile[field]["value"]),
                headers={"Authorization": "Bearer " + token},
                follow_redirects=True,
            )

            assert query.json.get("access_information").get(
                "access_provider") is not None
            assert query.json.get("staff_information").get(
                "cost_center") is not None
            assert query.json.get("uuid") is not None
            assert query.json.get("active").get("value") is True
    def test_post_profiles_and_retrieving_status_it_should_succeed(
            self, fake_jwks):
        os.environ["CIS_ENVIRONMENT"] = "local"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
        from cis_change_service import api

        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        profiles = []
        for x in range(0, 10):
            profiles.append(FakeUser().as_json())
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.post(
            "/v2/users",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(profiles),
            content_type="application/json",
            follow_redirects=True,
        )

        results = json.loads(result.get_data())
        assert results is not None
    def test_post_new_profile_with_uuid_should_fail(self, fake_jwks):
        os.environ["CIS_ENVIRONMENT"] = "local"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis-verify.ini"
        os.environ["CIS_STREAM_BYPASS"] = "******"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
        from cis_change_service import api

        f = FakeBearer()
        user_profile = FakeUser(config=FakeProfileConfig().minimal())
        user_profile.uuid.value = "something"
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(user_profile.as_dict()),
            content_type="application/json",
            follow_redirects=True,
        )

        results = json.loads(result.get_data())
        expected_result = {
            "code":
            "uuid_or_primary_username_set",
            "description":
            "The fields primary_username or uuid have been set in a new profile.",
        }

        assert result.status_code == 403
        assert results == expected_result
示例#7
0
    def test_profiles_returns_a_list(self, fake_jwks):
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_with_scope("read:fullprofile display:all")

        result = self.app.get("/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True)
        assert result.json is not None
        total_users_retrieved = len(result.json["Items"])
        assert total_users_retrieved > 20
        logger.info("Paginated query to all users returned: {}".format(len(result.json["Items"])))

        assert result.json["nextPage"] is not None
        assert result.json["nextPage"] != ""

        next_page = result.json["nextPage"]
        # Follow the paginator
        paged_query = self.app.get(
            "/v2/users?nextPage={}".format(json.dumps(next_page)),
            headers={"Authorization": "Bearer " + token},
            follow_redirects=True,
        )

        assert len(paged_query.json["Items"]) >= 1

        sample_primary_email = result.json["Items"][0]["primary_email"]["value"]
        primary_email_query = self.app.get(
            "/v2/users?primaryEmail={}".format(sample_primary_email),
            headers={"Authorization": "Bearer " + token},
            follow_redirects=True,
        )

        assert len(primary_email_query.json["Items"]) == 1

        token = f.generate_bearer_with_scope("read:profile display:all")
        public_data_class_query = self.app.get(
            "/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True
        )

        for profile in public_data_class_query.json["Items"]:
            assert profile.get("access_information").get("hris") is None

        token = f.generate_bearer_with_scope("read:profile display:all")
        single_user_public_data_class_query = self.app.get(
            "/v2/user/user_id/{}".format(result.json["Items"][0]["user_id"]["value"]),
            headers={"Authorization": "Bearer " + token},
            follow_redirects=True,
        )

        assert single_user_public_data_class_query.json.get("access_information").get("hris") is None

        token = f.generate_bearer_with_scope("read:fullprofile display:all")
        single_user_all_data_class_query = self.app.get(
            "/v2/user/user_id/{}".format(result.json["Items"][0]["user_id"]["value"]),
            headers={"Authorization": "Bearer " + token},
            follow_redirects=True,
        )

        assert single_user_all_data_class_query.json.get("access_information")
示例#8
0
    def test_users_with_dispaly_level_params_and_scopes(self, fake_jwks):
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk

        # data classification: ALL, display scope: PUBLIC
        token = f.generate_bearer_with_scope("read:fullprofile display:public")
        query = self.app.get("/v2/users",
                             headers={"Authorization": "Bearer " + token},
                             follow_redirects=True)

        for profile in query.json["Items"]:
            assert profile.get("access_information").get(
                "access_provider") is None
            assert profile.get("staff_information").get("cost_center") is None
            assert profile.get("uuid") is not None

        # data classification: ALL, display scope: STAFF
        token = f.generate_bearer_with_scope("read:fullprofile display:staff")
        query = self.app.get("/v2/users",
                             headers={"Authorization": "Bearer " + token},
                             follow_redirects=True)

        for profile in query.json["Items"]:
            assert profile.get("access_information").get(
                "access_provider") is None
            assert profile.get("staff_information").get(
                "cost_center") is not None
            assert profile.get("uuid") is not None
示例#9
0
    def test_change_endpoint_fails_with_invalid_token_and_jwt_validation_false(
            self, fake_jwks):
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_ENVIRONMENT"] = "local"
        os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
        os.environ["CIS_REGION_NAME"] = "us-west-2"
        from cis_change_service import api

        os.environ["CIS_JWT_VALIDATION"] = "false"
        f = FakeBearer()
        bad_claims = {
            "iss": "https://auth-dev.mozilla.auth0.com/",
            "sub": "mc1l0G4sJI2eQfdWxqgVNcRAD9EAgHib@clients",
            "aud": "https://hacks",
            "iat":
            (datetime.utcnow() - timedelta(seconds=3100)).strftime("%s"),
            "exp":
            (datetime.utcnow() - timedelta(seconds=3100)).strftime("%s"),
            "scope": "read:allthething",
            "gty": "client-credentials",
        }

        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_with_scope("read:profile", bad_claims)
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.get(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(self.user_profile),
            content_type="application/json",
            follow_redirects=True,
        )
        assert result.status_code == 200
示例#10
0
    def test_partial_update_it_should_fail(self, fake_jwks):
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_ENVIRONMENT"] = "local"
        os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
        os.environ["CIS_REGION_NAME"] = "us-east-1"
        os.environ["AWS_ACCESS_KEY_ID"] = "foo"
        os.environ["AWS_SECRET_ACCESS_KEY"] = "bar"
        os.environ["DEFAULT_AWS_REGION"] = "us-east-1"
        from cis_change_service import api

        fake_new_user = FakeUser(config=FakeProfileConfig().minimal())
        # Create a brand new user
        patched_user_profile = ensure_appropriate_publishers_and_sign(
            fake_new_user.as_dict(), self.publisher_rules, "create")

        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(patched_user_profile.as_json()),
            content_type="application/json",
            follow_redirects=True,
        )

        response = json.loads(result.get_data())
        assert result.status_code == 200
        assert response["condition"] == "create"

        logger.info("A stub user has been created and verified to exist.")

        logger.info("Attempting failing partial update.")
        null_profile = profile.User(user_structure_json=None)
        null_profile.alternative_name.value = "iamanewpreferredlastname"
        null_profile.sign_attribute("alternative_name", "mozilliansorg")
        null_profile.user_id.value = "ad|wrong|LDAP"
        null_profile.active.value = True
        null_profile.sign_attribute("active", "access_provider")

        result = self.app.post(
            "/v2/user?user_id={}".format("mismatching_user_id"),
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(null_profile.as_json()),
            content_type="application/json",
            follow_redirects=True,
        )
        response = json.loads(result.get_data())
        assert result.status_code == 400
示例#11
0
    def test_partial_update_it_should_succeed(self, fake_jwks):
        os.environ["CIS_STREAM_BYPASS"] = "******"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_VERIFY_PUBLISHERS"] = "true"
        from cis_change_service import api

        fake_new_user = FakeUser(config=FakeProfileConfig().minimal())
        # Create a brand new user
        patched_user_profile = ensure_appropriate_publishers_and_sign(
            fake_new_user.as_dict(), self.publisher_rules, "create")

        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(patched_user_profile.as_json()),
            content_type="application/json",
            follow_redirects=True,
        )

        response = json.loads(result.get_data())
        assert result.status_code == 200
        assert response["condition"] == "create"

        logger.info("A stub user has been created and verified to exist.")
        logger.info("Attempting partial update.")

        # Now let's try a partial update :)
        null_profile = profile.User(user_structure_json=None)
        null_profile.active.value = True
        null_profile.sign_attribute("active", "access_provider")
        null_profile.last_name.value = "iamanewpreferredlastname"
        null_profile.sign_attribute("last_name", "mozilliansorg")

        result = self.app.post(
            "/v2/user?user_id={}".format(patched_user_profile.user_id.value),
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(null_profile.as_json()),
            content_type="application/json",
            follow_redirects=True,
        )
        logger.info(result.get_data())
        response = json.loads(result.get_data())
        assert result.status_code == 200
        assert response["condition"] == "update"
示例#12
0
    def test_returning_all(self, fake_jwks):
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk

        token = f.generate_bearer_with_scope("read:fullprofile display:all")
        result = self.app.get(
            "/v2/users/id/all?connectionMethod=email",
            headers={"Authorization": "Bearer " + token},
            follow_redirects=True,
        )
        assert isinstance(result.json["users"], list)
        assert isinstance(result.json["users"][0], dict)
        assert len(result.json["users"]) > 0
示例#13
0
    def test_users_with_scopes(self, fake_jwks):
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk

        # data classification: PUBLIC, display scope: ALL
        token = f.generate_bearer_with_scope("display:all")
        query = self.app.get("/v2/users",
                             headers={"Authorization": "Bearer " + token},
                             follow_redirects=True)

        for profile in query.json["Items"]:
            assert profile.get("access_information").get(
                "access_provider") is None
            assert profile.get("staff_information").get("cost_center") is None
            assert profile.get("uuid") is not None

        # data classification: STAFF, display scope: ALL
        token = f.generate_bearer_with_scope(
            "classification:workgroup:staff_only display:all")
        query = self.app.get("/v2/users",
                             headers={"Authorization": "Bearer " + token},
                             follow_redirects=True)

        for profile in query.json["Items"]:
            assert profile.get("access_information").get(
                "access_provider") is None
            assert profile.get("staff_information").get(
                "cost_center") is not None
            assert profile.get("staff_information").get("title") is None
            assert profile.get("uuid") is not None

        # data classification: STAFF + MOZILLA_CONFIDENTIAL, display scope: ALL
        token = f.generate_bearer_with_scope(
            "classification:workgroup:staff_only classification:mozilla_confidential display:all"
        )
        query = self.app.get("/v2/users",
                             headers={"Authorization": "Bearer " + token},
                             follow_redirects=True)

        for profile in query.json["Items"]:
            assert profile.get("access_information").get(
                "access_provider") is None
            assert profile.get("staff_information").get(
                "cost_center") is not None
            assert profile.get("staff_information").get("title") is not None
            assert profile.get("uuid") is not None
示例#14
0
    def test_users_with_all(self, fake_jwks):
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk

        # data classification: ALL, display scope: ALL
        token = f.generate_bearer_with_scope("read:fullprofile display:all")
        query = self.app.get("/v2/users",
                             headers={"Authorization": "Bearer " + token},
                             follow_redirects=True)

        for profile in query.json["Items"]:
            assert profile.get("access_information").get(
                "access_provider") is not None
            assert profile.get("staff_information").get(
                "cost_center") is not None
            assert profile.get("uuid") is not None
示例#15
0
    def test_metadata_by_primary_email(self, fake_jwks):
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk

        token = f.generate_bearer_with_scope("read:fullprofile display:all")

        result = self.app.get("/v2/users", headers={"Authorization": "Bearer " + token}, follow_redirects=True)

        query = self.app.get(
            "/v2/user/metadata/{}".format(result.json["Items"][0]["primary_email"]["value"]),
            follow_redirects=True,
        )

        assert query.json.get("exists").get("cis")  == True
        assert query.json.get("exists").get("ldap") == True
示例#16
0
    def test_change_endpoint_returns(self, fake_jwks):
        from cis_change_service import api

        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(self.user_profile),
            content_type="application/json",
            follow_redirects=True,
        )

        json.loads(result.get_data())
        assert result.status_code == 200
示例#17
0
    def test_stream_bypass_publishing_mode_it_should_succeed(self, fake_jwks):
        from cis_change_service import api

        os.environ["CIS_STREAM_BYPASS"] = "******"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(self.user_profile),
            content_type="application/json",
            follow_redirects=True,
        )

        json.loads(result.get_data())
        assert result.status_code == 200
    def test_post_a_profile_and_retreiving_status_it_should_succeed(
            self, fake_jwks):
        os.environ["CIS_ENVIRONMENT"] = "local"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
        from cis_change_service import api

        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(self.user_profile),
            content_type="application/json",
            follow_redirects=True,
        )

        response = json.loads(result.get_data())

        logger.info(response)

        dynamodb = boto3.resource(
            "dynamodb",
            region_name="us-west-2",
            aws_access_key_id="ak",
            aws_secret_access_key="sk",
            endpoint_url="http://localhost:{}".format(self.dynalite_port),
        )

        table = dynamodb.Table("local-identity-vault")
        resp = table.query(KeyConditionExpression=Key("id").eq(
            json.loads(self.user_profile)["user_id"]["value"]))
        user_from_vault = json.loads(resp["Items"][0]["profile"])
        assert user_from_vault["last_modified"]["value"] is not None
        assert user_from_vault["last_modified"]["signature"]["publisher"][
            "value"] is not None
        assert response is not None
示例#19
0
    def test_post_profiles_and_update_it_and_retrieving_status_it_should_succeed(
            self, fake_jwks):
        os.environ["CIS_ENVIRONMENT"] = "local"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
        from cis_change_service import api

        # Post a new user
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        my_fake_user = User(user_id="userA")
        my_fake_user.active.value = True
        my_fake_user.primary_email.value = "*****@*****.**"
        my_fake_user.uuid.value = None
        my_fake_user.primary_username.value = None
        result = self.app.post(
            "/v2/user?user_id={}".format(my_fake_user.user_id.value),
            headers={"Authorization": "Bearer " + token},
            json=my_fake_user.as_dict(),
            content_type="application/json",
            follow_redirects=True,
        )
        results = json.loads(result.get_data())
        # Post it again
        result = self.app.post(
            "/v2/user?user_id={}".format(my_fake_user.user_id.value),
            headers={"Authorization": "Bearer " + token},
            json=my_fake_user.as_dict(),
            content_type="application/json",
            follow_redirects=True,
        )
        results = json.loads(result.get_data())
        assert results is not None
        assert results.get("status_code") == 202 or results.get(
            "status_code") == 200
示例#20
0
    def test_stream_bypass_publishing_mode_it_should_succeed(self, fake_jwks):
        os.environ["CIS_STREAM_BYPASS"] = "******"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_ENVIRONMENT"] = "local"
        os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
        os.environ["CIS_REGION_NAME"] = "us-west-2"
        from cis_change_service import api

        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(self.user_profile),
            content_type="application/json",
            follow_redirects=True,
        )
        json.loads(result.get_data())
        assert result.status_code == 200
示例#21
0
    def test_returning_query_by_any_find_ldap_members(self, fake_jwks):
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk

        token = f.generate_bearer_with_scope(
            "read:fullprofile display:all search:all")
        logger.info("Attempting to query all staff.")
        result = self.app.get(
            f"/v2/users/id/all/by_attribute_contains?staff_information.staff=True&active=True&fullProfiles=True",
            headers={"Authorization": "Bearer " + token},
            follow_redirects=True,
        )

        logger.info("All staff users returned.")
        assert result.json["users"] is not None

        ldap_groups = {}

        # Go find a user with an ldap group
        for user in result.json["users"]:
            if user["profile"]["access_information"]["ldap"]["values"] != {}:
                ldap_groups = user["profile"]["access_information"]["ldap"][
                    "values"]
                break
            else:
                continue

        for k in ldap_groups:
            logger.info("Attempting to query for: {}".format(k))
            result = self.app.get(
                f"/v2/users/id/all/by_attribute_contains?access_information.ldap={k}&active=True&fullProfiles=False",
                headers={"Authorization": "Bearer " + token},
                follow_redirects=True,
            )

            assert len(result.json["users"]) > 0
    def test_delete_profile(self, fake_jwks):
        os.environ["CIS_ENVIRONMENT"] = "local"
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
        from cis_change_service import api

        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.delete(
            "/v2/user?user_id={}".format(
                json.loads(self.user_profile)["user_id"]["value"]),
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(self.user_profile),
            content_type="application/json",
            follow_redirects=True,
        )

        results = json.loads(result.get_data())
        assert results is not None
        assert result.status_code == 200
示例#23
0
    def test_wrong_publisher(self, fake_jwks):
        """
        This verifies a wrong-publisher can't update
        it creates a valid user, then wrongly modify an attribute its not allowed to
        """
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis-verify.ini"
        os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
        os.environ["CIS_ENVIRONMENT"] = "local"
        os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
        os.environ["CIS_REGION_NAME"] = "us-east-1"
        os.environ["AWS_ACCESS_KEY_ID"] = "foo"
        os.environ["AWS_SECRET_ACCESS_KEY"] = "bar"
        os.environ["DEFAULT_AWS_REGION"] = "us-east-1"
        os.environ["CIS_VERIFY_SIGNATURES"] = "true"
        os.environ["CIS_VERIFY_PUBLISHERS"] = "true"
        from cis_change_service import api

        fake_new_user = FakeUser(
            config=FakeProfileConfig().minimal().no_display())
        # Create a brand new user
        patched_user_profile = ensure_appropriate_publishers_and_sign(
            fake_new_user.as_dict(), self.publisher_rules, "create")
        # Ensure a first_name is set as we'll use that for testing
        patched_user_profile.first_name.value = "test"
        patched_user_profile.first_name.signature.publisher.name = "ldap"
        patched_user_profile.first_name.metadata.display = "public"
        patched_user_profile.sign_attribute("first_name", "ldap")

        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk
        token = f.generate_bearer_without_scope()
        api.app.testing = True
        self.app = api.app.test_client()
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(patched_user_profile.as_json()),
            content_type="application/json",
            follow_redirects=True,
        )

        response = json.loads(result.get_data())
        assert result.status_code == 200
        assert response["condition"] == "create"

        # sign first_name again but with wrong publisher (but same value as before)
        new_user = cis_profile.User(user_id=patched_user_profile.user_id.value)
        new_user.first_name = patched_user_profile.first_name
        new_user.sign_attribute("first_name", "access_provider")
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(new_user.as_json()),
            content_type="application/json",
            follow_redirects=True,
        )
        response = json.loads(result.get_data())
        assert response["status_code"] == 202

        # sign first_name again but with wrong publisher and different display (but same value as before)
        new_user = cis_profile.User(user_id=patched_user_profile.user_id.value)
        new_user.first_name = patched_user_profile.first_name
        new_user.first_name.metadata.display = "staff"
        new_user.sign_attribute("first_name", "access_provider")
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(new_user.as_json()),
            content_type="application/json",
            follow_redirects=True,
        )
        response = json.loads(result.get_data())
        assert response["code"] == "invalid_publisher"

        # sign first_name again but with wrong publisher and wrong value (it should fail)
        new_user.first_name.value = "new-test"
        new_user.sign_attribute("first_name", "access_provider")
        result = self.app.post(
            "/v2/user",
            headers={"Authorization": "Bearer " + token},
            data=json.dumps(new_user.as_json()),
            content_type="application/json",
            follow_redirects=True,
        )
        response = json.loads(result.get_data())
        assert result.status_code != 200
示例#24
0
    def test_find_by_x_with_dispaly_level_params_and_scopes(self, fake_jwks):
        os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
        f = FakeBearer()
        fake_jwks.return_value = json_form_of_pk

        token = f.generate_bearer_with_scope("read:fullprofile display:all")

        result = self.app.get("/v2/users",
                              headers={"Authorization": "Bearer " + token},
                              follow_redirects=True)

        profile = result.json["Items"][0]
        for field in indexed_fields:

            # data classification: ALL, display scope: PUBLIC, display parameter: -
            token = f.generate_bearer_with_scope(
                "read:fullprofile display:public")
            query = self.app.get(
                "/v2/user/{}/{}".format(field, profile[field]["value"]),
                headers={"Authorization": "Bearer " + token},
                follow_redirects=True,
            )

            assert query.json.get("access_information").get(
                "access_provider") is None
            assert query.json.get("staff_information").get(
                "cost_center") is None
            assert query.json.get("uuid") is not None

            # data classification: ALL, display scope: STAFF, display parameter: -
            token = f.generate_bearer_with_scope(
                "read:fullprofile display:staff")
            query = self.app.get(
                "/v2/user/{}/{}".format(field, profile[field]["value"]),
                headers={"Authorization": "Bearer " + token},
                follow_redirects=True,
            )

            assert query.json.get("access_information").get(
                "access_provider") is None
            assert query.json.get("staff_information").get(
                "cost_center") is not None
            assert query.json.get("uuid") is not None

            # data classification: ALL, display scope: STAFF, display parameter: PUBLIC
            token = f.generate_bearer_with_scope(
                "read:fullprofile display:staff")
            query = self.app.get(
                "/v2/user/{}/{}?filterDisplay=public".format(
                    field, profile[field]["value"]),
                headers={"Authorization": "Bearer " + token},
                follow_redirects=True,
            )

            assert not query.json.get("access_information").get(
                "access_provider")
            assert not query.json.get("staff_information").get("cost_center")
            assert query.json.get("uuid")

            # data classification: ALL, display scope: PUBLIC, display parameter: STAFF
            token = f.generate_bearer_with_scope(
                "read:fullprofile display:public")
            query = self.app.get(
                "/v2/user/{}/{}?filterDisplay=staff".format(
                    field, profile[field]["value"]),
                headers={"Authorization": "Bearer " + token},
                follow_redirects=True,
            )

            assert not query.json.get("access_information").get(
                "access_provider")
            assert not query.json.get("staff_information").get("cost_center")
            assert query.json.get("uuid")