From 65998166efd38741ebac6ad0fe2a8812f8be16e6 Mon Sep 17 00:00:00 2001
From: Scott Baker
Date: Thu, 9 Oct 2014 10:59:58 -0700
Subject: [PATCH] user permission REST test, WIP
---
 planetstack/tests/useraccesstest.py | 96 ++++++++++++++++++++++++++++-
 1 file changed, 95 insertions(+), 1 deletion(-)
diff --git a/planetstack/tests/useraccesstest.py b/planetstack/tests/useraccesstest.py
index 6a17b16..290d7cf 100644
--- a/planetstack/tests/useraccesstest.py
+++ b/planetstack/tests/useraccesstest.py
@@ -1,3 +1,13 @@
+""" useraccesstest.py
+
+ This is a basic REST API permission test. Call it with a username and a
+ password, and it will try to read and update some user and slice object,
+ and report if something is broken.
+
+ This is not an exhaustive test.
+"""
+
+
 import inspect
 import json
 import os
@@ -13,12 +23,15 @@ SITES_API = REST_API + "sites/"
 SITEPRIV_API = REST_API + "site_privileges/"
 SLICEPRIV_API = REST_API + "slice_memberships/"
 SITEROLE_API = REST_API + "site_roles/"
+SLICEROLE_API = REST_API + "slice_roles/"
+
+TEST_USER_EMAIL = "test1234@test.com"
 username = sys.argv[1]
 password = sys.argv[2]
 opencloud_auth=(username, password)
-admin_auth=("scott@onlab.us", "letmein")
+admin_auth=("scott@onlab.us", "letmein") # admin creds, used to get full set of objects
 def fail_unless(x, msg):
 if not x:
@@ -39,6 +52,8 @@ r = requests.get(SLICEPRIV_API + "?no_hyperlinks=1", auth=admin_auth)
 allSlicePriv = r.json()
 r = requests.get(SITEROLE_API + "?no_hyperlinks=1", auth=admin_auth)
 allSiteRole = r.json()
+r = requests.get(SLICEROLE_API + "?no_hyperlinks=1", auth=admin_auth)
+allSliceRole = r.json()
 def should_see_user(myself, otherUser):
 if myself["is_admin"]:
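Review bot: `admin_auth` still carries an admin e-mail and password as literals, and the only change to that line is the trailing comment, so the credential stays readable to anyone with access to the repository or its history. Read it from the environment instead, for example `admin_auth=(os.environ["TEST_ADMIN_USER"], os.environ["TEST_ADMIN_PASSWORD"])` (the variable names are placeholders; `os` is already imported at the top of the file), and change the password on any deployment where it was in use. The unprivileged account's password arrives as `sys.argv[2]`, which is visible in the process list and shell history while the test runs; `getpass.getpass()` would avoid that.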
@@ -52,12 +67,42 @@ def should_see_user(myself, otherUser):
 return True
 return False
+def should_see_slice(myself, slice):
+ if myself["is_admin"]:
+ return True
+ for sitePriv in allSitePriv:
+ if (sitePriv["user"] == myself["id"]) and (sitePriv["site"] == slice["site"]):
+ for role in allSiteRole:
+ if role["role"]=="pi" and role["id"] == sitePriv["role"]:
+ return True
+ for slicePriv in allSlicePriv:
+ if (slicePriv["user"] == myself["id"]) and (sitePriv["slice"] == slice["id"]):
+ for role in allSliceRole:
+ if role["role"]=="pi" and role["id"] == slicePriv["role"]:
+ return True
+ return False
+
 def flip_phone(user):
 if user["phone"] == "123":
 user["phone"] = "456"
 else:
 user["phone"] = "123"
+def flip_desc(slice):
+ if slice["description"] == "some_description":
+ slice["description"] = "some_other_description"
+ else:
+ slice["description"] = "some_description"
+
+def delete_user_if_exists(email):
+ r = requests.get(USERS_API +"?email=%s" % email, auth=admin_auth)
+ if r.status_code==200:
+ user = r.json()
+ if len(user)>0:
+ user=user[0]
+ r = requests.delete(USERS_API + str(user["id"]) + "/", auth=admin_auth)
+ fail_unless(r.status_code==200, "failed to delete the test user")
+
 print " loaded user:%d slice:%d, site:%d, site_priv:%d slice_priv:%d" % (len(allUsers), len(allSlices), len(allSites), len(allSitePriv), len(allSlicePriv))
 # get our own user record
@@ -81,6 +126,7 @@ for user in allUsers:
 # toggle the phone number on the users we should be able to
+"""
 for user in allUsers:
 user = requests.get(USERS_API + str(user["id"]) + "/", auth=admin_auth).json()
 flip_phone(user)
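Review bot: In `should_see_slice` the second loop iterates `slicePriv` but compares `sitePriv["slice"]`, the variable left over from the first loop, so the slice-membership branch either raises (`UnboundLocalError` when `allSitePriv` is empty, or `KeyError` if site-privilege records have no `slice` key) or tests the wrong record; it should read `if (slicePriv["user"] == myself["id"]) and (slicePriv["slice"] == slice["id"]):`. This function is the oracle that the slice permission checks are judged against, so a wrong answer here hides or invents access-control failures. The same branch accepts only the role `"pi"`, copied from the site check; whether slice roles use that name is not visible in this patch and should be confirmed. In `delete_user_if_exists`, pass the address as `params={"email": email}` rather than formatting it into the URL, so it is URL-encoded.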
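Review bot: The `"""` added before the phone-number loop turns the existing user-update checks into a string literal (it is closed by the `"""` in the last hunk), so the negative tests — that a non-privileged user cannot change another user's phone or `is_staff` — silently stop running. If they have to stay off while this is WIP, put them behind a flag or a function and print that they were skipped, so a clean run is not read as those permissions having been verified.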
@@ -91,6 +137,9 @@ for user in allUsers:
 # XXX: this is failing, but for the wrong reason
 fail_unless(r.status_code!=200, "was able to change phone number on %s but shouldn't have" % user["email"])
+# try changing is_staff. We should be able to do it if we're an admin, but not
+# otherwise.
+
 for user in allUsers:
 user = requests.get(USERS_API + str(user["id"]) + "/", auth=admin_auth).json()
 user["is_staff"] = not user["is_staff"]
@@ -104,8 +153,53 @@ for user in allUsers: # put it back to false, in case we successfully changed it... user["is_staff"] = False r = requests.put(USERS_API + str(user["id"]) +"/", data=user, auth=opencloud_auth) +""" + +# delete the TEST_USER_EMAIL if it exists +delete_user_if_exists(TEST_USER_EMAIL) + +newUser = {"firstname": "test", "lastname": "1234", "email": TEST_USER_EMAIL, "password": "letmein"} +r = requests.post(USERS_API, data=newUser, auth=opencloud_auth) +if myself["is_admin"]: + fail_unless(r.status_code==200, "failed to create %s" % TEST_USER_EMAIL) +else: + fail_unless(r.status_code!=200, "created %s but we shouldn't have been able to" % TEST_USER_EMAIL) +delete_user_if_exists(TEST_USER_EMAIL) +sys.exit(-1) +# now create it as admin +r = requests.post(USERS_API, data=newUser, auth=admin_auth) +fail_unless(r.status_code==201, "failed to create %s as admin" % TEST_USER_EMAIL) + +user = requests.get(USERS_API +"?email=%s" % TEST_USER_EMAIL, auth=admin_auth).json()[0] +r = requests.delete(USERS_API + str(user["id"]) + "/", auth=opencloud_auth) +if myself["is_admin"]: + fail_unless(r.status_code==200, "failed to delete %s" % TEST_USER_EMAIL) +else: + fail_unless(r.status_code!=200, "deleted %s but we shouldn't have been able to" % TEST_USER_EMAIL) + +# slice tests + +r = requests.get(SLICES_API, auth=opencloud_auth) +mySlices = r.json() + +for slice in mySlices: + fail_unless(should_see_slice(myself, slice), "saw slice %s but we shouldn't have" % slice["name"]) +mySlicesIds = [r["id"] for r in mySlices] +for slice in allSlices: + if should_see_slice(myself, slice): + fail_unless(slice["id"] in mySliceIds, "should have seen slice %s but didnt" % slice["name"]) + +for slice in allSlices: + slice = requests.get(SLICES_API + str(slice["id"]) + "/", auth=admin_auth).json() + flip_desc(slice) + r = requests.put(SLICES_API + str(slice["id"]) +"/", data=slice, auth=opencloud_auth) + if should_see_slice(myself, slice): + fail_unless(r.status_code==200, "failed to 
change desc on %s" % slice["name"]) + else: + fail_unless(r.status_code!=200, "was able to change desc on %s but shouldn't have" % slice["name"]) +print "Done." -- 2.43.0
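Review bot: `sys.exit(-1)` after the second `delete_user_if_exists(TEST_USER_EMAIL)` looks like a debugging leftover: the script always stops there with a failure status, so the delete-user check and every slice permission check below it never run. Once it is removed, `mySlicesIds` is assigned but `mySliceIds` is read in the following loop, which raises `NameError`; use one spelling. The create check for the calling user expects 200 while the admin create right after it expects 201, so one of the two will fail against the same endpoint; confirm which status the API returns on create. The "shouldn't have" branches assert only `r.status_code!=200`, which also passes on a server error or a malformed request; asserting the denial status the API actually uses, e.g. `r.status_code in (401, 403)`, would tell a real refusal from a broken call.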