forked from ScoDoc/ScoDoc
API: test des permissions de toutes les routes GET (sauf logos)
This commit is contained in:
parent
95becc172b
commit
443eb72687
98
tests/api/test_api_permissions.py
Normal file
98
tests/api/test_api_permissions.py
Normal file
@ -0,0 +1,98 @@
|
||||
# -*- coding: utf-8 -*-
|
||||
|
||||
"""Test permissions
|
||||
|
||||
On a deux utilisateurs dans la base test API:
|
||||
- "test", avec le rôle LecteurAPI qui a APIView,
|
||||
- et "other", qui n'a aucune permission.
|
||||
|
||||
|
||||
Lancer :
|
||||
pytest tests/api/test_api_permissions.py
|
||||
"""
|
||||
|
||||
import requests
|
||||
|
||||
import flask
|
||||
from tests.api.setup_test_api import API_URL, SCODOC_URL, CHECK_CERTIFICATE, api_headers
|
||||
from tests.api.tools_test_api import verify_fields
|
||||
|
||||
from app import create_app
|
||||
from config import RunningConfig
|
||||
|
||||
|
||||
def test_permissions(api_headers):
|
||||
"""
|
||||
vérification de la permissions APIView et du non accès sans role
|
||||
de toutes les routes de l'API
|
||||
"""
|
||||
# Ce test va récupérer toutes les routes de l'API
|
||||
app = create_app(RunningConfig)
|
||||
assert app
|
||||
# Les routes de l'API avec GET, excluant les logos pour le momeent XXX
|
||||
api_rules = [
|
||||
r
|
||||
for r in app.url_map.iter_rules()
|
||||
if str(r).startswith("/ScoDoc/api")
|
||||
and not "logo" in str(r) # ignore logos
|
||||
and "GET" in r.methods
|
||||
]
|
||||
assert len(api_rules) > 0
|
||||
args = {
|
||||
"etudid": 1,
|
||||
# "date_debut":
|
||||
# "date_fin":
|
||||
"dept": "TAPI",
|
||||
"etape_apo": "???",
|
||||
"etat": "I",
|
||||
"evaluation_id": 1,
|
||||
"formation_id": 1,
|
||||
"formsemestre_id": 1,
|
||||
"group_id": 1,
|
||||
"ine": "1",
|
||||
"module_id": 1,
|
||||
"moduleimpl_id": 1,
|
||||
"nip": 1,
|
||||
"partition_id": 1,
|
||||
}
|
||||
for rule in api_rules:
|
||||
path = rule.build(args)[1]
|
||||
if not "GET" in rule.methods:
|
||||
# skip all POST routes
|
||||
continue
|
||||
r = requests.get(
|
||||
SCODOC_URL + path,
|
||||
headers=api_headers,
|
||||
verify=CHECK_CERTIFICATE,
|
||||
)
|
||||
assert r.status_code == 200
|
||||
|
||||
# Même chose sans le jeton:
|
||||
for rule in api_rules:
|
||||
path = rule.build(args)[1]
|
||||
if not "GET" in rule.methods:
|
||||
# skip all POST routes
|
||||
continue
|
||||
r = requests.get(
|
||||
SCODOC_URL + path,
|
||||
verify=CHECK_CERTIFICATE,
|
||||
)
|
||||
assert r.status_code == 401
|
||||
|
||||
# Demande un jeton pour "other"
|
||||
r = requests.post(API_URL + "/tokens", auth=("other", "other"))
|
||||
assert r.status_code == 200
|
||||
token = r.json()["token"]
|
||||
headers = {"Authorization": f"Bearer {token}"}
|
||||
# Vérifie que tout est interdit
|
||||
for rule in api_rules:
|
||||
path = rule.build(args)[1]
|
||||
if not "GET" in rule.methods:
|
||||
# skip all POST routes
|
||||
continue
|
||||
r = requests.get(
|
||||
SCODOC_URL + path,
|
||||
headers=headers,
|
||||
verify=CHECK_CERTIFICATE,
|
||||
)
|
||||
assert r.status_code == 403
|
Loading…
x
Reference in New Issue
Block a user