pillar/tests/test_api/test_subscriptions.py

import typing
from unittest import mock

import responses

from pillar.tests import AbstractPillarTest, TEST_EMAIL_ADDRESS


# The OAuth lib doesn't use requests, so we can't use responses to mock it.
# Instead, we use unittest.mock for that.


class RoleUpdatingTest(AbstractPillarTest):
    def setUp(self):
        super().setUp()

        with self.app.test_request_context():
            self.create_standard_groups()

        from pillar.api.blender_cloud import subscription as sub
        self.user_subs_signal_calls = []
        sub.user_subscription_updated.connect(self._user_subs_signal)

    def _user_subs_signal(self, sender, **kwargs):
        self.user_subs_signal_calls.append((sender, kwargs))

    def _setup_testcase(self, mocked_fetch_blenderid_user, *,
                        bid_roles: typing.Set[str]):
        import urllib.parse

        # The Store API endpoint should not be called upon any more.
        url = '%s?blenderid=%s' % (self.app.config['EXTERNAL_SUBSCRIPTIONS_MANAGEMENT_SERVER'],
                                   urllib.parse.quote(TEST_EMAIL_ADDRESS))
        responses.add('GET', url,
                      status=500,
                      match_querystring=True)

        self.mock_blenderid_validate_happy()
        mocked_fetch_blenderid_user.return_value = {
            'email': TEST_EMAIL_ADDRESS,
            'full_name': 'dr. Sybren A. St\u00fcvel',
            'id': 5555,
            'roles': {
                'admin': True,
                'bfct_trainer': False,
                'conference_speaker': True,
                'network_member': True
            }
        }
        for role in bid_roles:
            mocked_fetch_blenderid_user.return_value['roles'][role] = True

    @responses.activate
    @mock.patch('pillar.api.blender_id.fetch_blenderid_user')
    def test_store_api_role_grant_subscriber(self, mocked_fetch_blenderid_user):
        self._setup_testcase(mocked_fetch_blenderid_user,
                             bid_roles={'cloud_subscriber', 'cloud_has_subscription'})

        self.get('/api/bcloud/update-subscription', auth_token='my-happy-token',
                 expected_status=204)
        user_info = self.get('/api/users/me', auth_token='my-happy-token').json()
        self.assertEqual({'subscriber', 'has_subscription'}, set(user_info['roles']))

        # Check the signals
        self.assertEqual(1, len(self.user_subs_signal_calls))
        sender, kwargs = self.user_subs_signal_calls[0]
        self.assertEqual({'revoke_roles': set(), 'grant_roles': {'subscriber', 'has_subscription'}},
                         kwargs)

    @responses.activate
    @mock.patch('pillar.api.blender_id.fetch_blenderid_user')
    def test_store_api_role_revoke_subscriber(self, mocked_fetch_blenderid_user):
        self._setup_testcase(mocked_fetch_blenderid_user,
                             bid_roles={'conference_speaker'})

        # Make sure this user is currently known as a subcriber.
        self.create_user(roles={'subscriber', 'has_subscription'}, token='my-happy-token')
        user_info = self.get('/api/users/me', auth_token='my-happy-token').json()
        self.assertEqual({'subscriber', 'has_subscription'}, set(user_info['roles']))

        # And after updating, it shouldn't be.
        self.get('/api/bcloud/update-subscription', auth_token='my-happy-token',
                 expected_status=204)
        user_info = self.get('/api/users/me', auth_token='my-happy-token').json()
        self.assertEqual([], user_info['roles'])

        self.assertEqual(1, len(self.user_subs_signal_calls))
        sender, kwargs = self.user_subs_signal_calls[0]
        self.assertEqual({'revoke_roles': {'subscriber', 'has_subscription'}, 'grant_roles': set()},
                         kwargs)

    @responses.activate
    @mock.patch('pillar.api.blender_id.fetch_blenderid_user')
    def test_bid_api_grant_demo(self, mocked_fetch_blenderid_user):
        self._setup_testcase(mocked_fetch_blenderid_user,
                             bid_roles={'cloud_demo'})

        self.get('/api/bcloud/update-subscription', auth_token='my-happy-token',
                 expected_status=204)

        user_info = self.get('/api/users/me', auth_token='my-happy-token').json()
        self.assertEqual(['demo'], user_info['roles'])

        self.assertEqual(1, len(self.user_subs_signal_calls))
        sender, kwargs = self.user_subs_signal_calls[0]
        self.assertEqual({'revoke_roles': set(), 'grant_roles': {'demo'}}, kwargs)

    @responses.activate
    @mock.patch('pillar.api.blender_id.fetch_blenderid_user')
    def test_bid_api_role_revoke_demo(self, mocked_fetch_blenderid_user):
        self._setup_testcase(mocked_fetch_blenderid_user,
                             bid_roles={'conference_speaker'})

        # Make sure this user is currently known as demo user.
        self.create_user(roles={'demo'}, token='my-happy-token')
        user_info = self.get('/api/users/me', auth_token='my-happy-token').json()
        self.assertEqual(['demo'], user_info['roles'])

        # And after updating, it shouldn't be.
        self.get('/api/bcloud/update-subscription', auth_token='my-happy-token',
                 expected_status=204)
        user_info = self.get('/api/users/me', auth_token='my-happy-token').json()
        self.assertEqual([], user_info['roles'])

        self.assertEqual(1, len(self.user_subs_signal_calls))
        sender, kwargs = self.user_subs_signal_calls[0]
        self.assertEqual({'revoke_roles': {'demo'}, 'grant_roles': set()}, kwargs)
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00			`import typing`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`from unittest import mock`

			`import responses`

			`from pillar.tests import AbstractPillarTest, TEST_EMAIL_ADDRESS`


			`# The OAuth lib doesn't use requests, so we can't use responses to mock it.`
			`# Instead, we use unittest.mock for that.`


			`class RoleUpdatingTest(AbstractPillarTest):`
			`def setUp(self):`
			`super().setUp()`

			`with self.app.test_request_context():`
			`self.create_standard_groups()`

Send a Blinker signal when someone's subscription status changes This is very close to the 'roles changed' signal, with the difference that it is sent only once for multiple role changes. 2017-12-21 12:59:32 +01:00			`from pillar.api.blender_cloud import subscription as sub`
			`self.user_subs_signal_calls = []`
			`sub.user_subscription_updated.connect(self._user_subs_signal)`

			`def _user_subs_signal(self, sender, **kwargs):`
			`self.user_subs_signal_calls.append((sender, kwargs))`

Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`def _setup_testcase(self, mocked_fetch_blenderid_user, *,`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00			`bid_roles: typing.Set[str]):`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`import urllib.parse`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00
			`# The Store API endpoint should not be called upon any more.`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`url = '%s?blenderid=%s' % (self.app.config['EXTERNAL_SUBSCRIPTIONS_MANAGEMENT_SERVER'],`
			`urllib.parse.quote(TEST_EMAIL_ADDRESS))`
			`responses.add('GET', url,`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00			`status=500,`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`match_querystring=True)`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`self.mock_blenderid_validate_happy()`
			`mocked_fetch_blenderid_user.return_value = {`
			`'email': TEST_EMAIL_ADDRESS,`
			`'full_name': 'dr. Sybren A. St\u00fcvel',`
			`'id': 5555,`
			`'roles': {`
			`'admin': True,`
			`'bfct_trainer': False,`
			`'conference_speaker': True,`
			`'network_member': True`
			`}`
			`}`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00			`for role in bid_roles:`
			`mocked_fetch_blenderid_user.return_value['roles'][role] = True`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00
			`@responses.activate`
			`@mock.patch('pillar.api.blender_id.fetch_blenderid_user')`
			`def test_store_api_role_grant_subscriber(self, mocked_fetch_blenderid_user):`
			`self._setup_testcase(mocked_fetch_blenderid_user,`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00			`bid_roles={'cloud_subscriber', 'cloud_has_subscription'})`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00
			`self.get('/api/bcloud/update-subscription', auth_token='my-happy-token',`
			`expected_status=204)`
			`user_info = self.get('/api/users/me', auth_token='my-happy-token').json()`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00			`self.assertEqual({'subscriber', 'has_subscription'}, set(user_info['roles']))`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00
Send a Blinker signal when someone's subscription status changes This is very close to the 'roles changed' signal, with the difference that it is sent only once for multiple role changes. 2017-12-21 12:59:32 +01:00			`# Check the signals`
			`self.assertEqual(1, len(self.user_subs_signal_calls))`
			`sender, kwargs = self.user_subs_signal_calls[0]`
			`self.assertEqual({'revoke_roles': set(), 'grant_roles': {'subscriber', 'has_subscription'}},`
			`kwargs)`

Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`@responses.activate`
			`@mock.patch('pillar.api.blender_id.fetch_blenderid_user')`
			`def test_store_api_role_revoke_subscriber(self, mocked_fetch_blenderid_user):`
			`self._setup_testcase(mocked_fetch_blenderid_user,`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00			`bid_roles={'conference_speaker'})`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00
			`# Make sure this user is currently known as a subcriber.`
Send a Blinker signal when someone's subscription status changes This is very close to the 'roles changed' signal, with the difference that it is sent only once for multiple role changes. 2017-12-21 12:59:32 +01:00			`self.create_user(roles={'subscriber', 'has_subscription'}, token='my-happy-token')`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`user_info = self.get('/api/users/me', auth_token='my-happy-token').json()`
Send a Blinker signal when someone's subscription status changes This is very close to the 'roles changed' signal, with the difference that it is sent only once for multiple role changes. 2017-12-21 12:59:32 +01:00			`self.assertEqual({'subscriber', 'has_subscription'}, set(user_info['roles']))`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00
			`# And after updating, it shouldn't be.`
			`self.get('/api/bcloud/update-subscription', auth_token='my-happy-token',`
			`expected_status=204)`
			`user_info = self.get('/api/users/me', auth_token='my-happy-token').json()`
			`self.assertEqual([], user_info['roles'])`

Send a Blinker signal when someone's subscription status changes This is very close to the 'roles changed' signal, with the difference that it is sent only once for multiple role changes. 2017-12-21 12:59:32 +01:00			`self.assertEqual(1, len(self.user_subs_signal_calls))`
			`sender, kwargs = self.user_subs_signal_calls[0]`
			`self.assertEqual({'revoke_roles': {'subscriber', 'has_subscription'}, 'grant_roles': set()},`
			`kwargs)`

Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`@responses.activate`
			`@mock.patch('pillar.api.blender_id.fetch_blenderid_user')`
			`def test_bid_api_grant_demo(self, mocked_fetch_blenderid_user):`
			`self._setup_testcase(mocked_fetch_blenderid_user,`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00			`bid_roles={'cloud_demo'})`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00
			`self.get('/api/bcloud/update-subscription', auth_token='my-happy-token',`
			`expected_status=204)`

			`user_info = self.get('/api/users/me', auth_token='my-happy-token').json()`
			`self.assertEqual(['demo'], user_info['roles'])`

Send a Blinker signal when someone's subscription status changes This is very close to the 'roles changed' signal, with the difference that it is sent only once for multiple role changes. 2017-12-21 12:59:32 +01:00			`self.assertEqual(1, len(self.user_subs_signal_calls))`
			`sender, kwargs = self.user_subs_signal_calls[0]`
			`self.assertEqual({'revoke_roles': set(), 'grant_roles': {'demo'}}, kwargs)`

Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`@responses.activate`
			`@mock.patch('pillar.api.blender_id.fetch_blenderid_user')`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00			`def test_bid_api_role_revoke_demo(self, mocked_fetch_blenderid_user):`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00			`self._setup_testcase(mocked_fetch_blenderid_user,`
Use Blender ID to obtain subscription status. Instead of performing a call to the Blender Store, call to Blender ID to get the user's subscription status. Currently this is performed as a second HTTP call after logging in; in the future we may want to include the roles in the login response from Blender ID, so that we can do this in one call instead of two. 2017-11-30 15:28:35 +01:00			`bid_roles={'conference_speaker'})`
Reworked subscription/demo role management from web to API level. In the old situation, users had to be able to change their own roles. This is inherently insecure. 2017-05-04 17:49:18 +02:00
			`# Make sure this user is currently known as demo user.`
			`self.create_user(roles={'demo'}, token='my-happy-token')`
			`user_info = self.get('/api/users/me', auth_token='my-happy-token').json()`
			`self.assertEqual(['demo'], user_info['roles'])`

			`# And after updating, it shouldn't be.`
			`self.get('/api/bcloud/update-subscription', auth_token='my-happy-token',`
			`expected_status=204)`
			`user_info = self.get('/api/users/me', auth_token='my-happy-token').json()`
			`self.assertEqual([], user_info['roles'])`
Send a Blinker signal when someone's subscription status changes This is very close to the 'roles changed' signal, with the difference that it is sent only once for multiple role changes. 2017-12-21 12:59:32 +01:00
			`self.assertEqual(1, len(self.user_subs_signal_calls))`
			`sender, kwargs = self.user_subs_signal_calls[0]`
			`self.assertEqual({'revoke_roles': {'demo'}, 'grant_roles': set()}, kwargs)`