2017-08-17 18:24:10 +02:00
|
|
|
import json
|
|
|
|
|
2016-05-10 23:19:24 +02:00
|
|
|
import pytest
|
|
|
|
|
2017-08-17 18:24:10 +02:00
|
|
|
from lemur.tests.factories import UserFactory, RoleFactory
|
2016-05-10 23:19:24 +02:00
|
|
|
from lemur.users.views import * # noqa
|
2019-05-16 16:57:02 +02:00
|
|
|
from .vectors import (
|
|
|
|
VALID_ADMIN_API_TOKEN,
|
|
|
|
VALID_ADMIN_HEADER_TOKEN,
|
|
|
|
VALID_USER_HEADER_TOKEN,
|
|
|
|
)
|
2016-05-10 23:19:24 +02:00
|
|
|
|
|
|
|
|
|
|
|
def test_user_input_schema(client):
|
|
|
|
from lemur.users.schemas import UserInputSchema
|
|
|
|
|
|
|
|
input_data = {
|
2019-05-16 16:57:02 +02:00
|
|
|
"username": "example",
|
|
|
|
"password": "1233432",
|
|
|
|
"email": "example@example.com",
|
2016-05-10 23:19:24 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
data, errors = UserInputSchema().load(input_data)
|
|
|
|
|
|
|
|
assert not errors
|
|
|
|
|
|
|
|
|
2019-05-16 16:57:02 +02:00
|
|
|
@pytest.mark.parametrize(
|
|
|
|
"token,status",
|
|
|
|
[
|
|
|
|
(VALID_USER_HEADER_TOKEN, 200),
|
|
|
|
(VALID_ADMIN_HEADER_TOKEN, 200),
|
|
|
|
(VALID_ADMIN_API_TOKEN, 200),
|
|
|
|
("", 401),
|
|
|
|
],
|
|
|
|
)
|
2016-05-10 23:19:24 +02:00
|
|
|
def test_user_get(client, token, status):
|
2019-05-16 16:57:02 +02:00
|
|
|
assert (
|
|
|
|
client.get(api.url_for(Users, user_id=1), headers=token).status_code == status
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
|
|
"token,status",
|
|
|
|
[
|
|
|
|
(VALID_USER_HEADER_TOKEN, 405),
|
|
|
|
(VALID_ADMIN_HEADER_TOKEN, 405),
|
|
|
|
(VALID_ADMIN_API_TOKEN, 405),
|
|
|
|
("", 405),
|
|
|
|
],
|
|
|
|
)
|
2016-05-10 23:19:24 +02:00
|
|
|
def test_user_post_(client, token, status):
|
2019-05-16 16:57:02 +02:00
|
|
|
assert (
|
|
|
|
client.post(api.url_for(Users, user_id=1), data={}, headers=token).status_code
|
|
|
|
== status
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
|
|
"token,status",
|
|
|
|
[
|
|
|
|
(VALID_USER_HEADER_TOKEN, 403),
|
|
|
|
(VALID_ADMIN_HEADER_TOKEN, 400),
|
|
|
|
(VALID_ADMIN_API_TOKEN, 400),
|
|
|
|
("", 401),
|
|
|
|
],
|
|
|
|
)
|
2016-05-10 23:19:24 +02:00
|
|
|
def test_user_put(client, token, status):
|
2019-05-16 16:57:02 +02:00
|
|
|
assert (
|
|
|
|
client.put(api.url_for(Users, user_id=1), data={}, headers=token).status_code
|
|
|
|
== status
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
|
|
"token,status",
|
|
|
|
[
|
|
|
|
(VALID_USER_HEADER_TOKEN, 405),
|
|
|
|
(VALID_ADMIN_HEADER_TOKEN, 405),
|
|
|
|
(VALID_ADMIN_API_TOKEN, 405),
|
|
|
|
("", 405),
|
|
|
|
],
|
|
|
|
)
|
2016-05-10 23:19:24 +02:00
|
|
|
def test_user_delete(client, token, status):
|
2019-05-16 16:57:02 +02:00
|
|
|
assert (
|
|
|
|
client.delete(api.url_for(Users, user_id=1), headers=token).status_code
|
|
|
|
== status
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
|
|
"token,status",
|
|
|
|
[
|
|
|
|
(VALID_USER_HEADER_TOKEN, 405),
|
|
|
|
(VALID_ADMIN_HEADER_TOKEN, 405),
|
|
|
|
(VALID_ADMIN_API_TOKEN, 405),
|
|
|
|
("", 405),
|
|
|
|
],
|
|
|
|
)
|
2016-05-10 23:19:24 +02:00
|
|
|
def test_user_patch(client, token, status):
|
2019-05-16 16:57:02 +02:00
|
|
|
assert (
|
|
|
|
client.patch(api.url_for(Users, user_id=1), data={}, headers=token).status_code
|
|
|
|
== status
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
|
|
"token,status",
|
|
|
|
[
|
|
|
|
(VALID_USER_HEADER_TOKEN, 403),
|
|
|
|
(VALID_ADMIN_HEADER_TOKEN, 400),
|
|
|
|
(VALID_ADMIN_API_TOKEN, 400),
|
|
|
|
("", 401),
|
|
|
|
],
|
|
|
|
)
|
2016-05-10 23:19:24 +02:00
|
|
|
def test_user_list_post_(client, token, status):
|
2019-05-16 16:57:02 +02:00
|
|
|
assert (
|
|
|
|
client.post(api.url_for(UsersList), data={}, headers=token).status_code
|
|
|
|
== status
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
|
|
"token,status",
|
|
|
|
[
|
|
|
|
(VALID_USER_HEADER_TOKEN, 200),
|
|
|
|
(VALID_ADMIN_HEADER_TOKEN, 200),
|
|
|
|
(VALID_ADMIN_API_TOKEN, 200),
|
|
|
|
("", 401),
|
|
|
|
],
|
|
|
|
)
|
2016-05-10 23:19:24 +02:00
|
|
|
def test_user_list_get(client, token, status):
|
|
|
|
assert client.get(api.url_for(UsersList), headers=token).status_code == status
|
|
|
|
|
|
|
|
|
2019-05-16 16:57:02 +02:00
|
|
|
@pytest.mark.parametrize(
|
|
|
|
"token,status",
|
|
|
|
[
|
|
|
|
(VALID_USER_HEADER_TOKEN, 405),
|
|
|
|
(VALID_ADMIN_HEADER_TOKEN, 405),
|
|
|
|
(VALID_ADMIN_API_TOKEN, 405),
|
|
|
|
("", 405),
|
|
|
|
],
|
|
|
|
)
|
2016-05-10 23:19:24 +02:00
|
|
|
def test_user_list_delete(client, token, status):
|
|
|
|
assert client.delete(api.url_for(UsersList), headers=token).status_code == status
|
|
|
|
|
|
|
|
|
2019-05-16 16:57:02 +02:00
|
|
|
@pytest.mark.parametrize(
|
|
|
|
"token,status",
|
|
|
|
[
|
|
|
|
(VALID_USER_HEADER_TOKEN, 405),
|
|
|
|
(VALID_ADMIN_HEADER_TOKEN, 405),
|
|
|
|
(VALID_ADMIN_API_TOKEN, 405),
|
|
|
|
("", 405),
|
|
|
|
],
|
|
|
|
)
|
2016-05-10 23:19:24 +02:00
|
|
|
def test_user_list_patch(client, token, status):
|
2019-05-16 16:57:02 +02:00
|
|
|
assert (
|
|
|
|
client.patch(api.url_for(UsersList), data={}, headers=token).status_code
|
|
|
|
== status
|
|
|
|
)
|
2017-08-16 18:38:42 +02:00
|
|
|
|
|
|
|
|
|
|
|
def test_sensitive_filter(client):
|
2019-05-16 16:57:02 +02:00
|
|
|
resp = client.get(
|
|
|
|
api.url_for(UsersList) + "?filter=password;a", headers=VALID_ADMIN_HEADER_TOKEN
|
|
|
|
)
|
|
|
|
assert "'password' is not sortable or filterable" in resp.json["message"]
|
2017-08-16 18:38:42 +02:00
|
|
|
|
|
|
|
|
|
|
|
def test_sensitive_sort(client):
|
2019-05-16 16:57:02 +02:00
|
|
|
resp = client.get(
|
|
|
|
api.url_for(UsersList) + "?sortBy=password&sortDir=asc",
|
|
|
|
headers=VALID_ADMIN_HEADER_TOKEN,
|
|
|
|
)
|
|
|
|
assert "'password' is not sortable or filterable" in resp.json["message"]
|
2017-08-17 18:24:10 +02:00
|
|
|
|
|
|
|
|
|
|
|
def test_user_role_changes(client, session):
|
|
|
|
user = UserFactory()
|
|
|
|
role1 = RoleFactory()
|
|
|
|
role2 = RoleFactory()
|
|
|
|
session.flush()
|
|
|
|
|
|
|
|
data = {
|
2019-05-16 16:57:02 +02:00
|
|
|
"active": True,
|
|
|
|
"id": user.id,
|
|
|
|
"username": user.username,
|
|
|
|
"email": user.email,
|
|
|
|
"roles": [{"id": role1.id}, {"id": role2.id}],
|
2017-08-17 18:24:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
# PUT two roles
|
2019-05-16 16:57:02 +02:00
|
|
|
resp = client.put(
|
|
|
|
api.url_for(Users, user_id=user.id),
|
|
|
|
data=json.dumps(data),
|
|
|
|
headers=VALID_ADMIN_HEADER_TOKEN,
|
|
|
|
)
|
2017-08-17 18:24:10 +02:00
|
|
|
assert resp.status_code == 200
|
2019-05-16 16:57:02 +02:00
|
|
|
assert len(resp.json["roles"]) == 2
|
2017-08-17 18:24:10 +02:00
|
|
|
assert set(user.roles) == {role1, role2}
|
|
|
|
|
|
|
|
# Remove one role and PUT again
|
2019-05-16 16:57:02 +02:00
|
|
|
del data["roles"][1]
|
|
|
|
resp = client.put(
|
|
|
|
api.url_for(Users, user_id=user.id),
|
|
|
|
data=json.dumps(data),
|
|
|
|
headers=VALID_ADMIN_HEADER_TOKEN,
|
|
|
|
)
|
2017-08-17 18:24:10 +02:00
|
|
|
assert resp.status_code == 200
|
2019-05-16 16:57:02 +02:00
|
|
|
assert len(resp.json["roles"]) == 1
|
2017-08-17 18:24:10 +02:00
|
|
|
assert set(user.roles) == {role1}
|