2022-05-04 23:12:03 +02:00
|
|
|
# -*- coding: utf-8 -*-
|
|
|
|
|
|
|
|
"""Test permissions
|
|
|
|
|
2023-11-15 00:17:47 +01:00
|
|
|
On a deux utilisateurs dans la base test API:
|
|
|
|
- "test", avec le rôle LecteurAPI qui a la permission ScoView,
|
2022-05-04 23:12:03 +02:00
|
|
|
- et "other", qui n'a aucune permission.
|
|
|
|
|
|
|
|
|
|
|
|
Lancer :
|
|
|
|
pytest tests/api/test_api_permissions.py
|
|
|
|
"""
|
|
|
|
|
|
|
|
import requests
|
|
|
|
|
|
|
|
from tests.api.setup_test_api import API_URL, SCODOC_URL, CHECK_CERTIFICATE, api_headers
|
|
|
|
|
|
|
|
from app import create_app
|
2023-04-06 10:38:31 +02:00
|
|
|
from app.scodoc import sco_utils as scu
|
2022-05-04 23:12:03 +02:00
|
|
|
from config import RunningConfig
|
|
|
|
|
|
|
|
|
|
|
|
def test_permissions(api_headers):
|
|
|
|
"""
|
2022-07-27 16:03:14 +02:00
|
|
|
vérification de la permissions ScoView et du non accès sans role
|
2022-05-04 23:12:03 +02:00
|
|
|
de toutes les routes de l'API
|
|
|
|
"""
|
|
|
|
# Ce test va récupérer toutes les routes de l'API
|
|
|
|
app = create_app(RunningConfig)
|
|
|
|
assert app
|
2022-05-06 16:05:34 +02:00
|
|
|
# Les routes de l'API avec GET, excluant les logos pour le moment XXX
|
2022-05-04 23:12:03 +02:00
|
|
|
api_rules = [
|
|
|
|
r
|
|
|
|
for r in app.url_map.iter_rules()
|
|
|
|
if str(r).startswith("/ScoDoc/api")
|
2022-11-27 23:31:48 +01:00
|
|
|
and "logo" not in str(r) # ignore logos
|
|
|
|
and "absence" not in str(r) # ignore absences
|
2022-05-04 23:12:03 +02:00
|
|
|
and "GET" in r.methods
|
|
|
|
]
|
|
|
|
assert len(api_rules) > 0
|
2023-08-11 23:15:17 +02:00
|
|
|
all_args = {
|
2022-08-08 10:06:42 +02:00
|
|
|
"acronym": "TAPI",
|
2022-11-27 23:31:48 +01:00
|
|
|
"code_type": "etudid",
|
|
|
|
"code": 1,
|
2024-10-29 16:40:42 +01:00
|
|
|
"date_iso": "2024-10-29",
|
2022-05-09 16:26:23 +02:00
|
|
|
"dept_id": 1,
|
2022-08-08 10:06:42 +02:00
|
|
|
"dept_ident": "TAPI",
|
|
|
|
"dept": "TAPI",
|
2022-05-04 23:12:03 +02:00
|
|
|
"etape_apo": "???",
|
|
|
|
"etat": "I",
|
2022-08-08 10:06:42 +02:00
|
|
|
"etudid": 1,
|
2022-05-04 23:12:03 +02:00
|
|
|
"evaluation_id": 1,
|
2023-12-06 20:57:24 +01:00
|
|
|
"filename": "toto",
|
2022-05-04 23:12:03 +02:00
|
|
|
"formation_id": 1,
|
|
|
|
"formsemestre_id": 1,
|
|
|
|
"group_id": 1,
|
2022-07-29 16:19:40 +02:00
|
|
|
"ine": "INE1",
|
2022-05-04 23:12:03 +02:00
|
|
|
"module_id": 1,
|
|
|
|
"moduleimpl_id": 1,
|
|
|
|
"nip": 1,
|
|
|
|
"partition_id": 1,
|
2022-08-08 10:06:42 +02:00
|
|
|
"role_name": "Ens",
|
2023-06-03 22:43:04 +02:00
|
|
|
"start": "abc",
|
2022-08-08 10:06:42 +02:00
|
|
|
"uid": 1,
|
2023-06-20 07:51:40 +02:00
|
|
|
"validation_id": 1,
|
2022-11-27 23:31:48 +01:00
|
|
|
"version": "long",
|
2023-04-17 15:39:32 +02:00
|
|
|
"assiduite_id": 1,
|
|
|
|
"justif_id": 1,
|
|
|
|
"etudids": "1",
|
2024-06-23 21:13:40 +02:00
|
|
|
"ue_id": 1,
|
2022-05-04 23:12:03 +02:00
|
|
|
}
|
2023-08-11 23:15:17 +02:00
|
|
|
# Arguments spécifiques pour certaines routes
|
|
|
|
# par défaut, on passe tous les arguments de all_args
|
|
|
|
endpoint_args = {
|
|
|
|
"api.formsemestres_query": {},
|
2023-11-15 00:17:47 +01:00
|
|
|
"api.formsemestre_edt": {
|
|
|
|
"formsemestre_id": 1,
|
|
|
|
},
|
2024-11-04 22:34:33 +01:00
|
|
|
"api.operations_user_notes": {
|
|
|
|
"start": 0,
|
|
|
|
"uid": 1,
|
|
|
|
},
|
2023-08-11 23:15:17 +02:00
|
|
|
}
|
2022-05-04 23:12:03 +02:00
|
|
|
for rule in api_rules:
|
2023-08-11 23:15:17 +02:00
|
|
|
args = endpoint_args.get(rule.endpoint, all_args)
|
2022-05-04 23:12:03 +02:00
|
|
|
path = rule.build(args)[1]
|
|
|
|
if not "GET" in rule.methods:
|
|
|
|
# skip all POST routes
|
|
|
|
continue
|
2023-07-04 15:04:58 +02:00
|
|
|
|
|
|
|
if any(
|
|
|
|
path.startswith(p)
|
|
|
|
for p in [
|
2023-12-06 20:57:24 +01:00
|
|
|
"/ScoDoc/api/justificatif/1/list", # demande AbsJustifView
|
|
|
|
"/ScoDoc/api/justificatif/1/justifies", # demande ScoJustifChange
|
|
|
|
"/ScoDoc/api/justificatif/1/export", # demande AbsChange
|
2024-11-08 00:15:39 +01:00
|
|
|
"/ScoDoc/api/operations/user/", # demande superamin ou user lui même
|
2023-07-04 15:04:58 +02:00
|
|
|
]
|
|
|
|
):
|
2023-12-06 20:57:24 +01:00
|
|
|
# On passe ces routes spéciales
|
2023-07-04 15:04:58 +02:00
|
|
|
continue
|
|
|
|
|
2022-05-04 23:12:03 +02:00
|
|
|
r = requests.get(
|
|
|
|
SCODOC_URL + path,
|
|
|
|
headers=api_headers,
|
|
|
|
verify=CHECK_CERTIFICATE,
|
2023-04-06 10:38:31 +02:00
|
|
|
timeout=scu.SCO_TEST_API_TIMEOUT,
|
2022-05-04 23:12:03 +02:00
|
|
|
)
|
2024-08-14 10:28:26 +02:00
|
|
|
assert r.status_code // 100 == 2 # 2xx success
|
2022-05-04 23:12:03 +02:00
|
|
|
|
|
|
|
# Même chose sans le jeton:
|
|
|
|
for rule in api_rules:
|
|
|
|
path = rule.build(args)[1]
|
|
|
|
if not "GET" in rule.methods:
|
|
|
|
# skip all POST routes
|
|
|
|
continue
|
|
|
|
r = requests.get(
|
|
|
|
SCODOC_URL + path,
|
|
|
|
verify=CHECK_CERTIFICATE,
|
2023-04-06 10:38:31 +02:00
|
|
|
timeout=scu.SCO_TEST_API_TIMEOUT,
|
2022-05-04 23:12:03 +02:00
|
|
|
)
|
|
|
|
assert r.status_code == 401
|
|
|
|
|
|
|
|
# Demande un jeton pour "other"
|
2023-04-06 16:10:32 +02:00
|
|
|
r = requests.post(
|
|
|
|
API_URL + "/tokens", auth=("other", "other"), timeout=scu.SCO_TEST_API_TIMEOUT
|
|
|
|
)
|
2022-05-04 23:12:03 +02:00
|
|
|
assert r.status_code == 200
|
|
|
|
token = r.json()["token"]
|
|
|
|
headers = {"Authorization": f"Bearer {token}"}
|
|
|
|
# Vérifie que tout est interdit
|
|
|
|
for rule in api_rules:
|
|
|
|
path = rule.build(args)[1]
|
|
|
|
if not "GET" in rule.methods:
|
|
|
|
# skip all POST routes
|
|
|
|
continue
|
|
|
|
r = requests.get(
|
|
|
|
SCODOC_URL + path,
|
|
|
|
headers=headers,
|
|
|
|
verify=CHECK_CERTIFICATE,
|
2023-04-06 10:38:31 +02:00
|
|
|
timeout=scu.SCO_TEST_API_TIMEOUT,
|
2022-05-04 23:12:03 +02:00
|
|
|
)
|
2022-08-08 10:06:42 +02:00
|
|
|
assert r.status_code == 401
|