def test_post_profiles_it_should_fail(self, fake_jwks):
    """Reject a create whose ``first_name`` is signed by a publisher that may not publish it.

    The profile claims ``cis`` as the publisher of ``first_name``; with the
    verify config loaded the change service must answer 403 with the
    ``invalid_publisher`` error body instead of storing the field.
    """
    os.environ.update({
        "CIS_ENVIRONMENT": "local",
        "CIS_CONFIG_INI": "tests/mozilla-cis-verify.ini",
        "CIS_STREAM_BYPASS": "******",
        "AWS_XRAY_SDK_ENABLED": "false",
        "CIS_DYNALITE_PORT": self.dynalite_port,
    })
    # Imported only after the environment is populated; presumably the service
    # reads its config at import time — confirm if env changes seem ignored.
    from cis_change_service import api

    fake_jwks.return_value = json_form_of_pk
    bearer = FakeBearer()
    token = bearer.generate_bearer_without_scope()

    profile_under_test = FakeUser(config=FakeProfileConfig().minimal())
    profile_under_test.first_name.value = "Something"
    # Deliberately wrong publisher for this field.
    profile_under_test.first_name.signature.publisher.name = "cis"

    api.app.testing = True
    self.app = api.app.test_client()
    response = self.app.post(
        "/v2/user",
        headers={"Authorization": "Bearer {}".format(token)},
        data=json.dumps(profile_under_test.as_dict()),
        content_type="application/json",
        follow_redirects=True,
    )
    body = json.loads(response.get_data())

    assert response.status_code == 403
    assert body == {
        "code": "invalid_publisher",
        "description": "[create] cis is NOT allowed to publish field first_name",
    }
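def test_post_profiles_and_retrieving_status_it_should_succeed(
        self, fake_jwks):
    """Post a batch of ten fake profiles to ``/v2/users`` and check a JSON body comes back.

    Only the presence of a parsable response body is asserted; the status
    code is not checked here.
    """
    os.environ["CIS_ENVIRONMENT"] = "local"
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
    from cis_change_service import api

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()

    # Ten independently generated fake users; a comprehension replaces the
    # manual append loop.
    profiles = [FakeUser().as_json() for _ in range(10)]

    api.app.testing = True
    self.app = api.app.test_client()
    result = self.app.post(
        "/v2/users",
        headers={"Authorization": "Bearer " + token},
        data=json.dumps(profiles),
        content_type="application/json",
        follow_redirects=True,
    )
    results = json.loads(result.get_data())
    assert results is not None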
def test_post_new_profile_with_uuid_should_fail(self, fake_jwks):
    """Reject a brand-new profile that already carries a ``uuid``.

    A client must not be able to pick its own ``uuid`` (or
    ``primary_username``) on create; the service answers 403 with the
    ``uuid_or_primary_username_set`` error body.
    """
    os.environ.update({
        "CIS_ENVIRONMENT": "local",
        "CIS_CONFIG_INI": "tests/mozilla-cis-verify.ini",
        "CIS_STREAM_BYPASS": "******",
        "AWS_XRAY_SDK_ENABLED": "false",
        "CIS_DYNALITE_PORT": self.dynalite_port,
    })
    from cis_change_service import api

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()

    new_profile = FakeUser(config=FakeProfileConfig().minimal())
    # Client-chosen identifier on a create — the thing the service must refuse.
    new_profile.uuid.value = "something"

    api.app.testing = True
    self.app = api.app.test_client()
    response = self.app.post(
        "/v2/user",
        headers={"Authorization": "Bearer {}".format(token)},
        data=json.dumps(new_profile.as_dict()),
        content_type="application/json",
        follow_redirects=True,
    )
    body = json.loads(response.get_data())

    assert response.status_code == 403
    assert body == {
        "code": "uuid_or_primary_username_set",
        "description": "The fields primary_username or uuid have been set in a new profile.",
    }
def test_partial_update_it_should_fail(self, fake_jwks):
    """Create a user, then send a partial update whose ``user_id`` does not match the query string.

    The body carries ``user_id`` ``ad|wrong|LDAP`` while the URL names
    ``mismatching_user_id``; the service must answer 400 rather than apply
    the change to either identity.
    """
    os.environ.update({
        "CIS_CONFIG_INI": "tests/mozilla-cis.ini",
        "AWS_XRAY_SDK_ENABLED": "false",
        "CIS_ENVIRONMENT": "local",
        "CIS_DYNALITE_PORT": self.dynalite_port,
        "CIS_REGION_NAME": "us-east-1",
        # Dummy credentials for the local dynalite endpoint only.
        "AWS_ACCESS_KEY_ID": "foo",
        "AWS_SECRET_ACCESS_KEY": "bar",
        "DEFAULT_AWS_REGION": "us-east-1",
    })
    from cis_change_service import api

    # Step 1: create a valid, correctly signed stub user.
    stub_user = FakeUser(config=FakeProfileConfig().minimal())
    signed_profile = ensure_appropriate_publishers_and_sign(
        stub_user.as_dict(), self.publisher_rules, "create")

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()
    auth_header = {"Authorization": "Bearer " + token}

    api.app.testing = True
    self.app = api.app.test_client()
    create_resp = self.app.post(
        "/v2/user",
        headers=auth_header,
        data=json.dumps(signed_profile.as_json()),
        content_type="application/json",
        follow_redirects=True,
    )
    create_body = json.loads(create_resp.get_data())
    assert create_resp.status_code == 200
    assert create_body["condition"] == "create"
    logger.info("A stub user has been created and verified to exist.")

    # Step 2: partial update with a user_id that matches neither the URL nor the stub.
    logger.info("Attempting failing partial update.")
    partial = profile.User(user_structure_json=None)
    partial.alternative_name.value = "iamanewpreferredlastname"
    partial.sign_attribute("alternative_name", "mozilliansorg")
    partial.user_id.value = "ad|wrong|LDAP"
    partial.active.value = True
    partial.sign_attribute("active", "access_provider")

    update_resp = self.app.post(
        "/v2/user?user_id=mismatching_user_id",
        headers=auth_header,
        data=json.dumps(partial.as_json()),
        content_type="application/json",
        follow_redirects=True,
    )
    # Parsed only to confirm the error body is JSON; its contents are not checked.
    json.loads(update_resp.get_data())
    assert update_resp.status_code == 400
def test_partial_update_it_should_succeed(self, fake_jwks):
    """Create a user, then apply a partial update carrying only two signed fields.

    The update names the created user in the query string and signs
    ``active`` as ``access_provider`` and ``last_name`` as ``mozilliansorg``;
    the service must answer 200 with condition ``update``.
    """
    # NOTE(review): unlike the sibling tests this one sets neither
    # CIS_ENVIRONMENT, CIS_CONFIG_INI nor CIS_DYNALITE_PORT, so it relies on
    # whatever an earlier test or fixture left in os.environ; and
    # CIS_VERIFY_PUBLISHERS="true" is never reset, so it leaks into later
    # tests in the same process — confirm this ordering dependency is intended.
    os.environ["CIS_STREAM_BYPASS"] = "******"
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_VERIFY_PUBLISHERS"] = "true"
    from cis_change_service import api

    stub_user = FakeUser(config=FakeProfileConfig().minimal())
    signed_profile = ensure_appropriate_publishers_and_sign(
        stub_user.as_dict(), self.publisher_rules, "create")

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()
    auth_header = {"Authorization": "Bearer " + token}

    api.app.testing = True
    self.app = api.app.test_client()
    create_resp = self.app.post(
        "/v2/user",
        headers=auth_header,
        data=json.dumps(signed_profile.as_json()),
        content_type="application/json",
        follow_redirects=True,
    )
    create_body = json.loads(create_resp.get_data())
    assert create_resp.status_code == 200
    assert create_body["condition"] == "create"
    logger.info("A stub user has been created and verified to exist.")
    logger.info("Attempting partial update.")

    # A profile built from None carries only the fields set below.
    partial = profile.User(user_structure_json=None)
    partial.active.value = True
    partial.sign_attribute("active", "access_provider")
    partial.last_name.value = "iamanewpreferredlastname"
    partial.sign_attribute("last_name", "mozilliansorg")

    update_resp = self.app.post(
        "/v2/user?user_id={}".format(signed_profile.user_id.value),
        headers=auth_header,
        data=json.dumps(partial.as_json()),
        content_type="application/json",
        follow_redirects=True,
    )
    logger.info(update_resp.get_data())
    update_body = json.loads(update_resp.get_data())
    assert update_resp.status_code == 200
    assert update_body["condition"] == "update"
def test_change_endpoint_returns(self, fake_jwks):
    """Post the fixture profile to ``/v2/user`` and expect a 200 with a JSON body.

    No environment is set here; the test uses whatever configuration the
    fixture or earlier tests established.
    """
    from cis_change_service import api

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()

    api.app.testing = True
    self.app = api.app.test_client()
    response = self.app.post(
        "/v2/user",
        headers={"Authorization": "Bearer {}".format(token)},
        data=json.dumps(self.user_profile),
        content_type="application/json",
        follow_redirects=True,
    )
    # Parsing guards against a non-JSON body; the contents are not asserted.
    json.loads(response.get_data())
    assert response.status_code == 200
def test_stream_bypass_publishing_mode_it_should_succeed(self, fake_jwks):
    """Post the fixture profile with ``CIS_STREAM_BYPASS`` set and expect a 200.

    The bypass variable is set after the service module is imported, so it
    only takes effect if the service reads it per request — not verifiable
    from this test alone.
    """
    # NOTE(review): a method with this exact name appears again later in the
    # file; if both are in the same class the later definition shadows this
    # one and it never runs — confirm.
    from cis_change_service import api
    os.environ["CIS_STREAM_BYPASS"] = "******"

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()

    api.app.testing = True
    self.app = api.app.test_client()
    response = self.app.post(
        "/v2/user",
        headers={"Authorization": "Bearer {}".format(token)},
        data=json.dumps(self.user_profile),
        content_type="application/json",
        follow_redirects=True,
    )
    json.loads(response.get_data())
    assert response.status_code == 200
def test_post_a_profile_and_retreiving_status_it_should_succeed(
        self, fake_jwks):
    """Post the fixture profile, then read it straight back from the local vault table.

    The DynamoDB read bypasses the API to check that the stored profile has
    a server-stamped ``last_modified`` value and a signature publisher on it.
    """
    # NOTE(review): the HTTP status code is not asserted; only the vault
    # contents and a non-None body are — consider adding one.
    os.environ.update({
        "CIS_ENVIRONMENT": "local",
        "AWS_XRAY_SDK_ENABLED": "false",
        "CIS_CONFIG_INI": "tests/mozilla-cis.ini",
        "CIS_DYNALITE_PORT": self.dynalite_port,
    })
    from cis_change_service import api

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()

    api.app.testing = True
    self.app = api.app.test_client()
    post_resp = self.app.post(
        "/v2/user",
        headers={"Authorization": "Bearer " + token},
        data=json.dumps(self.user_profile),
        content_type="application/json",
        follow_redirects=True,
    )
    post_body = json.loads(post_resp.get_data())
    logger.info(post_body)

    # Direct read from the local dynalite instance; the credentials are
    # placeholders that only the local endpoint accepts.
    vault_endpoint = "http://localhost:{}".format(self.dynalite_port)
    dynamodb = boto3.resource(
        "dynamodb",
        region_name="us-west-2",
        aws_access_key_id="ak",
        aws_secret_access_key="sk",
        endpoint_url=vault_endpoint,
    )
    table = dynamodb.Table("local-identity-vault")
    posted_user_id = json.loads(self.user_profile)["user_id"]["value"]
    query_result = table.query(KeyConditionExpression=Key("id").eq(posted_user_id))
    stored_profile = json.loads(query_result["Items"][0]["profile"])

    last_modified = stored_profile["last_modified"]
    assert last_modified["value"] is not None
    assert last_modified["signature"]["publisher"]["value"] is not None
    assert post_body is not None
def test_stream_bypass_publishing_mode_it_should_succeed(self, fake_jwks):
    """Post the fixture profile with stream bypass enabled in a local environment and expect a 200."""
    # NOTE(review): a method with this exact name appears earlier in the
    # file; if both are in the same class this definition shadows the earlier
    # one — confirm that is intended.
    os.environ.update({
        "CIS_STREAM_BYPASS": "******",
        "AWS_XRAY_SDK_ENABLED": "false",
        "CIS_ENVIRONMENT": "local",
        "CIS_DYNALITE_PORT": self.dynalite_port,
        "CIS_REGION_NAME": "us-west-2",
    })
    from cis_change_service import api

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()

    api.app.testing = True
    self.app = api.app.test_client()
    response = self.app.post(
        "/v2/user",
        headers={"Authorization": "Bearer {}".format(token)},
        data=json.dumps(self.user_profile),
        content_type="application/json",
        follow_redirects=True,
    )
    json.loads(response.get_data())
    assert response.status_code == 200
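def test_post_profiles_and_update_it_and_retrieving_status_it_should_succeed(
        self, fake_jwks):
    """Create a user via the API, then post the identical profile a second time.

    Only the second response body is inspected: re-posting an existing
    profile must still succeed, with a ``status_code`` of 200 or 202 in the
    returned JSON.
    """
    os.environ["CIS_ENVIRONMENT"] = "local"
    os.environ["CIS_CONFIG_INI"] = "tests/mozilla-cis.ini"
    os.environ["AWS_XRAY_SDK_ENABLED"] = "false"
    os.environ["CIS_DYNALITE_PORT"] = self.dynalite_port
    from cis_change_service import api

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()
    api.app.testing = True
    self.app = api.app.test_client()

    my_fake_user = User(user_id="userA")
    my_fake_user.active.value = True
    my_fake_user.primary_email.value = "*****@*****.**"
    # Left unset on purpose: a new profile carrying uuid/primary_username is
    # rejected by the service (see the uuid test in this file).
    my_fake_user.uuid.value = None
    my_fake_user.primary_username.value = None

    url = "/v2/user?user_id={}".format(my_fake_user.user_id.value)
    headers = {"Authorization": "Bearer " + token}

    # First post creates the user. The body is parsed only to fail fast on a
    # non-JSON response; the previous unused assignment is gone.
    first = self.app.post(
        url,
        headers=headers,
        json=my_fake_user.as_dict(),
        content_type="application/json",
        follow_redirects=True,
    )
    json.loads(first.get_data())

    # Second post of the same profile must be accepted as an update.
    result = self.app.post(
        url,
        headers=headers,
        json=my_fake_user.as_dict(),
        content_type="application/json",
        follow_redirects=True,
    )
    results = json.loads(result.get_data())
    assert results is not None
    assert results.get("status_code") in (200, 202)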
def test_delete_profile(self, fake_jwks):
    """Delete the fixture user through ``/v2/user`` and expect a 200 with a JSON body."""
    os.environ.update({
        "CIS_ENVIRONMENT": "local",
        "CIS_CONFIG_INI": "tests/mozilla-cis.ini",
        "AWS_XRAY_SDK_ENABLED": "false",
        "CIS_DYNALITE_PORT": self.dynalite_port,
    })
    from cis_change_service import api

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()

    # The user_id in the query string is taken from the same fixture profile
    # that is sent as the request body.
    target_user_id = json.loads(self.user_profile)["user_id"]["value"]

    api.app.testing = True
    self.app = api.app.test_client()
    response = self.app.delete(
        "/v2/user?user_id={}".format(target_user_id),
        headers={"Authorization": "Bearer {}".format(token)},
        data=json.dumps(self.user_profile),
        content_type="application/json",
        follow_redirects=True,
    )
    body = json.loads(response.get_data())
    assert body is not None
    assert response.status_code == 200
def test_wrong_publisher(self, fake_jwks):
    """Verify that a publisher cannot re-sign a field it is not allowed to publish.

    A valid user is created with ``first_name`` signed by ``ldap``. The same
    field is then re-signed by ``access_provider`` three times: with an
    unchanged value and display (accepted, body ``status_code`` 202), with a
    changed display (refused with ``invalid_publisher``), and with a changed
    value (refused, non-200 HTTP status).
    """
    os.environ.update({
        "CIS_CONFIG_INI": "tests/mozilla-cis-verify.ini",
        "AWS_XRAY_SDK_ENABLED": "false",
        "CIS_ENVIRONMENT": "local",
        "CIS_DYNALITE_PORT": self.dynalite_port,
        "CIS_REGION_NAME": "us-east-1",
        # Dummy credentials for the local dynalite endpoint only.
        "AWS_ACCESS_KEY_ID": "foo",
        "AWS_SECRET_ACCESS_KEY": "bar",
        "DEFAULT_AWS_REGION": "us-east-1",
        # Both enforcement switches on; this test is about the publisher check.
        "CIS_VERIFY_SIGNATURES": "true",
        "CIS_VERIFY_PUBLISHERS": "true",
    })
    from cis_change_service import api

    # Step 1: a correctly signed new user whose first_name is published by ldap.
    stub_user = FakeUser(config=FakeProfileConfig().minimal().no_display())
    signed_profile = ensure_appropriate_publishers_and_sign(
        stub_user.as_dict(), self.publisher_rules, "create")
    signed_profile.first_name.value = "test"
    signed_profile.first_name.signature.publisher.name = "ldap"
    signed_profile.first_name.metadata.display = "public"
    signed_profile.sign_attribute("first_name", "ldap")

    fake_jwks.return_value = json_form_of_pk
    token = FakeBearer().generate_bearer_without_scope()
    auth_header = {"Authorization": "Bearer " + token}

    api.app.testing = True
    self.app = api.app.test_client()

    def post_user(user):
        # Every request in this test targets the same endpoint with the same token.
        return self.app.post(
            "/v2/user",
            headers=auth_header,
            data=json.dumps(user.as_json()),
            content_type="application/json",
            follow_redirects=True,
        )

    create_resp = post_user(signed_profile)
    create_body = json.loads(create_resp.get_data())
    assert create_resp.status_code == 200
    assert create_body["condition"] == "create"

    # Step 2: same value and display, re-signed by access_provider.
    # Note: `resigned.first_name` is the very same attribute object as
    # `signed_profile.first_name`, so the edits below also mutate the original
    # profile. That is harmless here because signed_profile is not posted again.
    resigned = cis_profile.User(user_id=signed_profile.user_id.value)
    resigned.first_name = signed_profile.first_name
    resigned.sign_attribute("first_name", "access_provider")
    same_value_body = json.loads(post_user(resigned).get_data())
    assert same_value_body["status_code"] == 202

    # Step 3: same value, but the display level changed — must be refused.
    resigned = cis_profile.User(user_id=signed_profile.user_id.value)
    resigned.first_name = signed_profile.first_name
    resigned.first_name.metadata.display = "staff"
    resigned.sign_attribute("first_name", "access_provider")
    changed_display_body = json.loads(post_user(resigned).get_data())
    assert changed_display_body["code"] == "invalid_publisher"

    # Step 4: the value itself changed — must be refused.
    resigned.first_name.value = "new-test"
    resigned.sign_attribute("first_name", "access_provider")
    changed_value_resp = post_user(resigned)
    json.loads(changed_value_resp.get_data())
    assert changed_value_resp.status_code != 200