Implemented badger service endpoint

Also added manage.py command to create badger service accounts.
2016-05-30 15:42:57 +02:00
parent 4aa44c42c8
commit 222d9efc89
7 changed files with 287 additions and 4 deletions
--- a/tests/test_auth.py
+++ b/tests/test_auth.py
@@ -497,3 +497,79 @@ class PermissionComputationTest(AbstractPillarTest):
                              u'methods': [u'GET']}],
                 u'world': [u'GET']},
                self.sort(compute_aggr_permissions('nodes', node, None)))
+
+
+class RequireRolesTest(AbstractPillarTest):
+    def test_no_roles_required(self):
+        from flask import g
+        from application.utils.authorization import require_login
+
+        called = [False]
+
+        @require_login()
+        def call_me():
+            called[0] = True
+
+        with self.app.test_request_context():
+            g.current_user = {'user_id': ObjectId(24*'a'),
+                              'roles': [u'succubus']}
+            call_me()
+
+        self.assertTrue(called[0])
+
+    def test_some_roles_required(self):
+        from flask import g
+        from application.utils.authorization import require_login
+
+        called = [False]
+
+        @require_login(require_roles={u'admin'})
+        def call_me():
+            called[0] = True
+
+        with self.app.test_request_context():
+            g.current_user = {'user_id': ObjectId(24*'a'),
+                              'roles': [u'succubus']}
+            self.assertRaises(Forbidden, call_me)
+        self.assertFalse(called[0])
+
+        with self.app.test_request_context():
+            g.current_user = {'user_id': ObjectId(24*'a'),
+                              'roles': [u'admin']}
+            call_me()
+        self.assertTrue(called[0])
+
+    def test_all_roles_required(self):
+        from flask import g
+        from application.utils.authorization import require_login
+
+        called = [False]
+
+        @require_login(require_roles={u'service', u'badger'},
+                       require_all=True)
+        def call_me():
+            called[0] = True
+
+        with self.app.test_request_context():
+            g.current_user = {'user_id': ObjectId(24*'a'),
+                              'roles': [u'admin']}
+            self.assertRaises(Forbidden, call_me)
+        self.assertFalse(called[0])
+
+        with self.app.test_request_context():
+            g.current_user = {'user_id': ObjectId(24*'a'),
+                              'roles': [u'service']}
+            self.assertRaises(Forbidden, call_me)
+        self.assertFalse(called[0])
+
+        with self.app.test_request_context():
+            g.current_user = {'user_id': ObjectId(24*'a'),
+                              'roles': [u'badger']}
+            self.assertRaises(Forbidden, call_me)
+        self.assertFalse(called[0])
+
+        with self.app.test_request_context():
+            g.current_user = {'user_id': ObjectId(24*'a'),
+                              'roles': [u'service', u'badger']}
+            call_me()
+        self.assertTrue(called[0])
--- a/tests/test_service_badger.py
+++ b/tests/test_service_badger.py
@@ -0,0 +1,51 @@
+"""Test badger service."""
+
+from common_test_class import AbstractPillarTest, TEST_EMAIL_ADDRESS
+
+
+class BadgerServiceTest(AbstractPillarTest):
+    def setUp(self, **kwargs):
+        AbstractPillarTest.setUp(self, **kwargs)
+
+        from application.modules import service
+
+        with self.app.test_request_context():
+            self.badger, token_doc = service.create_service_account(
+                'serviceaccount@example.com', [u'badger'], {u'badger': [u'succubus']}
+            )
+            self.badger_token = token_doc['token']
+
+            self.user_id = self.create_user()
+            self.user_email = TEST_EMAIL_ADDRESS
+
+    def _post(self, data):
+        from application.utils import dumps
+        return self.client.post('/service/badger',
+                                data=dumps(data),
+                                headers={'Authorization': self.make_header(self.badger_token),
+                                         'Content-Type': 'application/json'})
+
+    def test_grant_revoke_badge(self):
+        # Grant the badge
+        resp = self._post({'action': 'grant', 'user_email': self.user_email, 'role': 'succubus'})
+        self.assertEqual(204, resp.status_code)
+
+        with self.app.test_request_context():
+            user = self.app.data.driver.db['users'].find_one(self.user_id)
+            self.assertIn(u'succubus', user['roles'])
+
+        # Aaaahhhw it's gone again
+        resp = self._post({'action': 'revoke', 'user_email': self.user_email, 'role': 'succubus'})
+        self.assertEqual(204, resp.status_code)
+
+        with self.app.test_request_context():
+            user = self.app.data.driver.db['users'].find_one(self.user_id)
+            self.assertNotIn(u'succubus', user['roles'])
+
+    def test_grant_not_allowed_badge(self):
+        resp = self._post({'action': 'grant', 'user_email': self.user_email, 'role': 'admin'})
+        self.assertEqual(403, resp.status_code)
+
+        with self.app.test_request_context():
+            user = self.app.data.driver.db['users'].find_one(self.user_id)
+            self.assertNotIn(u'admin', user['roles'])