Updated Eve, Flask, and Werkzeug. Adjusted code to make Pillar work again.
Eve: 0.6.3 → 0.7.3; Flask: 0.10.1 → 0.12.2; Werkzeug: 0.11.10 → 0.11.15. Also updated some secondary requirements.
@@ -127,54 +127,40 @@ class AuthenticationTests(AbstractPillarTest):
|
||||
from pillar.api.utils import authentication as auth
|
||||
from pillar.api.utils import PillarJSONEncoder, remove_private_keys
|
||||
|
||||
user_id = self.create_user(roles=['subscriber'])
|
||||
user_id = self.create_user(roles=['subscriber'], token='token')
|
||||
|
||||
now = datetime.datetime.now(tz_util.utc)
|
||||
future = now + datetime.timedelta(days=1)
|
||||
|
||||
with self.app.test_request_context():
|
||||
auth.store_token(user_id, 'nonexpired-main', future, None)
|
||||
|
||||
with self.app.test_request_context(
|
||||
headers={'Authorization': self.make_header('nonexpired-main')}):
|
||||
self.assertTrue(auth.validate_token())
|
||||
|
||||
users = self.app.data.driver.db['users']
|
||||
db_user = users.find_one(user_id)
|
||||
def fetch_user():
|
||||
with self.app.test_request_context():
|
||||
users_coll = self.app.db('users')
|
||||
return users_coll.find_one(user_id)
|
||||
|
||||
db_user = fetch_user()
|
||||
updated_fields = remove_private_keys(db_user)
|
||||
updated_fields['roles'] = ['admin', 'subscriber', 'demo'] # Try to elevate our roles.
|
||||
|
||||
# POSTing updated info to a specific user URL is not allowed by Eve.
|
||||
resp = self.client.post('/api/users/%s' % user_id,
|
||||
data=json.dumps(updated_fields, cls=PillarJSONEncoder),
|
||||
headers={'Authorization': self.make_header('nonexpired-main'),
|
||||
'Content-Type': 'application/json'})
|
||||
self.assertEqual(405, resp.status_code)
|
||||
self.post('/api/users/%s' % user_id,
|
||||
json=updated_fields,
|
||||
auth_token='token',
|
||||
expected_status=405)
|
||||
|
||||
# PUT and PATCH should not be allowed.
|
||||
resp = self.client.put('/api/users/%s' % user_id,
|
||||
data=json.dumps(updated_fields, cls=PillarJSONEncoder),
|
||||
headers={'Authorization': self.make_header('nonexpired-main'),
|
||||
'Content-Type': 'application/json'})
|
||||
self.assertEqual(403, resp.status_code)
|
||||
# PUT is allowed, but shouldn't change roles.
|
||||
self.put('/api/users/%s' % user_id,
|
||||
json=updated_fields,
|
||||
auth_token='token',
|
||||
etag=db_user['_etag'])
|
||||
db_user = fetch_user()
|
||||
self.assertEqual(['subscriber'], db_user['roles'])
|
||||
|
||||
# PATCH should not be allowed.
|
||||
updated_fields = {'roles': ['admin', 'subscriber', 'demo']}
|
||||
resp = self.client.patch('/api/users/%s' % user_id,
|
||||
data=json.dumps(updated_fields, cls=PillarJSONEncoder),
|
||||
headers={'Authorization': self.make_header('nonexpired-main'),
|
||||
'Content-Type': 'application/json'})
|
||||
self.assertEqual(403, resp.status_code)
|
||||
|
||||
# After all of this, the roles should be the same.
|
||||
with self.app.test_request_context(
|
||||
headers={'Authorization': self.make_header('nonexpired-main')}):
|
||||
self.assertTrue(auth.validate_token())
|
||||
|
||||
users = self.app.data.driver.db['users']
|
||||
db_user = users.find_one(user_id)
|
||||
|
||||
self.assertEqual(['subscriber'], db_user['roles'])
|
||||
self.patch('/api/users/%s' % user_id,
|
||||
json=updated_fields,
|
||||
auth_token='token',
|
||||
etag=db_user['_etag'],
|
||||
expected_status=405)
|
||||
db_user = fetch_user()
|
||||
self.assertEqual(['subscriber'], db_user['roles'])
|
||||
|
||||
def test_token_expiry(self):
|
||||
"""Expired tokens should be deleted from the database."""
|
||||
|
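Review bot: The PUT at `self.put('/api/users/%s' % user_id, json=updated_fields, auth_token='token', etag=db_user['_etag'])` passes no `expected_status`, so the test no longer pins whether a subscriber's PUT on their own user document is accepted or rejected — it only checks the resulting `roles`; since the change moves from asserting 403 to the comment "PUT is allowed, but shouldn't change roles", make that explicit with `expected_status=200` (the helper's default status is not visible here, so this is hedged). Because `updated_fields` comes from `remove_private_keys(db_user)` and the request now succeeds, the role check alone does not show that the PUT did not silently overwrite other server-managed fields; asserting the re-fetched document equals the original apart from `_etag`/`_updated` would catch that. The enclosing test method starts outside the hunk, so its setup is not visible here.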
@@ -2,8 +2,6 @@ import json
|
||||
|
||||
import pillar.tests.common_test_data as ctd
|
||||
from bson import ObjectId
|
||||
from eve.methods.post import post_internal
|
||||
from eve.methods.put import put_internal
|
||||
from flask import g
|
||||
from mock import mock
|
||||
from pillar.tests import AbstractPillarTest
|
||||
@@ -47,7 +45,7 @@ class NodeContentTypeTest(AbstractPillarTest):
|
||||
nodes = self.app.data.driver.db['nodes']
|
||||
|
||||
# Create the node.
|
||||
r, _, _, status = post_internal('nodes', node_doc)
|
||||
r, _, _, status = self.app.post_internal('nodes', node_doc)
|
||||
self.assertEqual(status, 201, r)
|
||||
node_id = r['_id']
|
||||
|
||||
@@ -56,12 +54,12 @@ class NodeContentTypeTest(AbstractPillarTest):
|
||||
self.assertNotIn('content_type', db_node['properties'])
|
||||
|
||||
# PUT it again, without a file -- should be blocked.
|
||||
self.assertRaises(UnprocessableEntity, put_internal, 'nodes', node_doc,
|
||||
self.assertRaises(UnprocessableEntity, self.app.put_internal, 'nodes', node_doc,
|
||||
_id=node_id)
|
||||
|
||||
# PUT it with a file.
|
||||
node_doc['properties']['file'] = str(file_id)
|
||||
r, _, _, status = put_internal('nodes', node_doc, _id=node_id)
|
||||
r, _, _, status = self.app.put_internal('nodes', node_doc, _id=node_id)
|
||||
self.assertEqual(status, 200, r)
|
||||
|
||||
# Get from database to test the final node.
|
||||
|
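Review bot: The `self.assertRaises(UnprocessableEntity, self.app.put_internal, 'nodes', node_doc, _id=node_id)` call only checks the exception type; it does not verify that the rejected PUT left the stored node untouched before the second, file-bearing PUT overwrites it, so a regression that wrote the document and then raised would pass. Re-reading the node after the blocked PUT and asserting `content_type` is still absent (and the document otherwise equals the post-create state) would pin that, e.g. `db_node = nodes.find_one(node_id)` followed by `self.assertNotIn('content_type', db_node['properties'])`. The test method starts and ends outside the hunks shown, so the final-node check at the bottom may cover part of this.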
@@ -164,19 +164,17 @@ class ProjectEditTest(AbstractProjectTest):
|
||||
project_info = self._create_user_and_project(['subscriber'])
|
||||
project_url = '/api/projects/%(_id)s' % project_info
|
||||
|
||||
resp = self.client.get(project_url,
|
||||
headers={'Authorization': self.make_header('token')})
|
||||
project = json.loads(resp.data.decode('utf-8'))
|
||||
project = self.get(project_url, auth_token='token').json()
|
||||
|
||||
# Create another user we can try and assign the project to.
|
||||
other_user_id = 'f00dd00df00dd00df00dd00d'
|
||||
self._create_user_with_token(['subscriber'], 'other-token', user_id=other_user_id)
|
||||
|
||||
# Unauthenticated should be forbidden
|
||||
resp = self.client.put('/api/projects/%s' % project['_id'],
|
||||
data=dumps(remove_private_keys(project)),
|
||||
headers={'Content-Type': 'application/json'})
|
||||
self.assertEqual(403, resp.status_code)
|
||||
self.put('/api/projects/%s' % project['_id'],
|
||||
json=remove_private_keys(project),
|
||||
etag=project['_etag'],
|
||||
expected_status=403)
|
||||
|
||||
# Regular user should be able to PUT, but only be able to edit certain fields.
|
||||
put_project = remove_private_keys(project)
|
||||
@@ -191,20 +189,15 @@ class ProjectEditTest(AbstractProjectTest):
|
||||
|
||||
# Try making the project public. This should update is_private as well.
|
||||
put_project['permissions']['world'] = ['GET']
|
||||
|
||||
resp = self.client.put(project_url,
|
||||
data=dumps(put_project),
|
||||
headers={'Authorization': self.make_header('token'),
|
||||
'Content-Type': 'application/json',
|
||||
'If-Match': project['_etag']})
|
||||
self.assertEqual(200, resp.status_code, resp.data)
|
||||
self.put(project_url,
|
||||
json=put_project,
|
||||
auth_token='token',
|
||||
etag=project['_etag'])
|
||||
|
||||
# Re-fetch from database to see which fields actually made it there.
|
||||
# equal to put_project -> changed in DB
|
||||
# equal to project -> not changed in DB
|
||||
resp = self.client.get(project_url,
|
||||
headers={'Authorization': self.make_header('token')})
|
||||
db_proj = json.loads(resp.data)
|
||||
db_proj = self.get(project_url, auth_token='token').json()
|
||||
self.assertEqual(project['url'], db_proj['url'])
|
||||
self.assertEqual(put_project['description'], db_proj['description'])
|
||||
self.assertEqual(put_project['name'], db_proj['name'])
|
||||
|
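Review bot: The regular-user PUT `self.put(project_url, json=put_project, auth_token='token', etag=project['_etag'])` passes no `expected_status`, so unlike the unauthenticated case just above it the accepted status is not pinned; add `expected_status=200` so a future authorization change that rejects the owner's edit fails at the request rather than through a later field comparison (the helper's default status is not visible here). The comment `# Try making the project public. This should update is_private as well.` is not backed by any visible assertion on `is_private` or `permissions['world']` in this hunk; `self.assertEqual(['GET'], db_proj['permissions']['world'])` plus the corresponding `is_private` check would make the stated contract testable. The test method continues outside the hunk, so if those assertions live there this does not apply.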