diff --git a/tests/api/test_api_permissions.py b/tests/api/test_api_permissions.py
new file mode 100644
index 000000000..aa80f36fb
--- /dev/null
+++ b/tests/api/test_api_permissions.py
@@ -0,0 +1,98 @@
+# -*- coding: utf-8 -*-
+
+"""Test permissions
+
+ On a deux utilisateurs dans la base test API:
+ - "test", avec le rôle LecteurAPI qui a APIView,
+ - et "other", qui n'a aucune permission.
+
+
+ Lancer :
+ pytest tests/api/test_api_permissions.py
+"""
+
+import requests
+
+import flask
+from tests.api.setup_test_api import API_URL, SCODOC_URL, CHECK_CERTIFICATE, api_headers
+from tests.api.tools_test_api import verify_fields
+
+from app import create_app
+from config import RunningConfig
+
+
+def test_permissions(api_headers):
+ """
+ vérification de la permissions APIView et du non accès sans role
+ de toutes les routes de l'API
+ """
+ # Ce test va récupérer toutes les routes de l'API
+ app = create_app(RunningConfig)
+ assert app
+ # Les routes de l'API avec GET, excluant les logos pour le momeent XXX
+ api_rules = [
+ r
+ for r in app.url_map.iter_rules()
+ if str(r).startswith("/ScoDoc/api")
+ and not "logo" in str(r) # ignore logos
+ and "GET" in r.methods
+ ]
+ assert len(api_rules) > 0
+ args = {
+ "etudid": 1,
+ # "date_debut":
+ # "date_fin":
+ "dept": "TAPI",
+ "etape_apo": "???",
+ "etat": "I",
+ "evaluation_id": 1,
+ "formation_id": 1,
+ "formsemestre_id": 1,
+ "group_id": 1,
+ "ine": "1",
+ "module_id": 1,
+ "moduleimpl_id": 1,
+ "nip": 1,
+ "partition_id": 1,
+ }
+ for rule in api_rules:
+ path = rule.build(args)[1]
+ if not "GET" in rule.methods:
+ # skip all POST routes
+ continue
+ r = requests.get(
+ SCODOC_URL + path,
+ headers=api_headers,
+ verify=CHECK_CERTIFICATE,
+ )
+ assert r.status_code == 200
+
+ # Même chose sans le jeton:
+ for rule in api_rules:
+ path = rule.build(args)[1]
+ if not "GET" in rule.methods:
+ # skip all POST routes
+ continue
+ r = requests.get(
+ SCODOC_URL + path,
+ verify=CHECK_CERTIFICATE,
+ )
+ assert r.status_code == 401
+
+ # Demande un jeton pour "other"
+ r = requests.post(API_URL + "/tokens", auth=("other", "other"))
+ assert r.status_code == 200
+ token = r.json()["token"]
+ headers = {"Authorization": f"Bearer {token}"}
+ # Vérifie que tout est interdit
+ for rule in api_rules:
+ path = rule.build(args)[1]
+ if not "GET" in rule.methods:
+ # skip all POST routes
+ continue
+ r = requests.get(
+ SCODOC_URL + path,
+ headers=headers,
+ verify=CHECK_CERTIFICATE,
+ )
+ assert r.status_code == 403
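Review bot: The `not "logo" in str(r)` filter in the `api_rules` comprehension drops the logo routes from all three loops, so those endpoints get no "no token → 401" and no "unprivileged user → 403" coverage at all, although the `XXX` comment suggests they were only set aside (presumably because they do not answer 200 with these arguments) for the first loop. Keeping them in the rule list and skipping them only in the 200 loop preserves the authorization checks: `api_rules = [r for r in app.url_map.iter_rules() if str(r).startswith("/ScoDoc/api") and "GET" in r.methods]` together with `if "logo" in str(rule): continue` at the top of the first loop. The same `"GET" in r.methods` filter means no write route is ever checked for 401/403, which is worth a comment or a follow-up since those are the routes where a missing permission check matters most; the per-loop `if not "GET" in rule.methods` guards are then dead code and could go. The token request `requests.post(API_URL + "/tokens", auth=("other", "other"))` is also the only HTTP call without `verify=CHECK_CERTIFICATE`, which looks like an oversight if the test instance runs with a self-signed certificate.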