    # -*- coding: utf-8 -*-
    
    """Test permissions
    
        On a deux utilisateurs dans la base test API: 
         - "test", avec le rôle LecteurAPI qui a APIView, 
         - et "other", qui n'a aucune permission.
    
    
        Lancer :
            pytest tests/api/test_api_permissions.py
    """
    
    import requests
    
    import flask
    from tests.api.setup_test_api import API_URL, SCODOC_URL, CHECK_CERTIFICATE, api_headers
    from tests.api.tools_test_api import verify_fields
    
    from app import create_app
    from config import RunningConfig
    
    
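    def _check_get_routes(api_rules, args, headers, expected_status):
        """Request every GET route in *api_rules* and check its HTTP status.

        Args:
            api_rules: werkzeug ``Rule`` objects to exercise (already filtered
                on GET by the caller).
            args: values handed to ``Rule.build`` to fill the URL parameters;
                keys a rule does not use are appended by werkzeug as a query string.
            headers: HTTP headers to send; ``None`` sends the request with no
                Authorization header at all.
            expected_status: HTTP status code every route must answer with.

        Raises:
            AssertionError: if a URL cannot be built, or a route answers with a
                different status. The message names the offending path so the
                route that leaks (or wrongly blocks) is visible in the report.
        """
        for rule in api_rules:
            built = rule.build(args)
            # Rule.build() returns None when a required URL parameter is missing
            # from args: fail naming the rule instead of a bare TypeError on [1].
            assert built is not None, f"cannot build URL for {rule}"
            path = built[1]
            r = requests.get(
                SCODOC_URL + path,
                headers=headers,
                verify=CHECK_CERTIFICATE,
            )
            assert (
                r.status_code == expected_status
            ), f"{path}: expected {expected_status}, got {r.status_code}"


    def test_permissions(api_headers):
        """Check the APIView permission and the denial without role on every API route.

        The same set of GET routes is requested three times:
        - with the ``api_headers`` fixture (user "test", role LecteurAPI): 200;
        - without any token: 401 (authentication required);
        - with a token for "other", who has no permission: 403 (authenticated
          but not authorized).

        Args:
            api_headers: pytest fixture holding the headers of an authenticated
                user that has the APIView permission.
        """
        # Collect every route of the API from the application's URL map.
        app = create_app(RunningConfig)
        assert app
        # GET routes of the API, excluding logos for the moment XXX
        api_rules = [
            r
            for r in app.url_map.iter_rules()
            if str(r).startswith("/ScoDoc/api")
            and "logo" not in str(r)  # ignore logos
            and "GET" in r.methods
        ]
        assert len(api_rules) > 0
        # Placeholder values used to fill the URL parameters of the routes.
        args = {
            "etudid": 1,
            # "date_debut":
            # "date_fin":
            "dept": "TAPI",
            "dept_ident": "TAPI",
            "dept_id": 1,
            "etape_apo": "???",
            "etat": "I",
            "evaluation_id": 1,
            "formation_id": 1,
            "formsemestre_id": 1,
            "group_id": 1,
            "ine": "1",
            "module_id": 1,
            "moduleimpl_id": 1,
            "nip": 1,
            "partition_id": 1,
        }
        # Authenticated with the APIView role: every route must be reachable.
        _check_get_routes(api_rules, args, api_headers, 200)

        # Same thing without the token: every route must require authentication.
        _check_get_routes(api_rules, args, None, 401)

        # Request a token for "other"
        r = requests.post(API_URL + "/tokens", auth=("other", "other"))
        assert r.status_code == 200
        token = r.json()["token"]
        headers = {"Authorization": f"Bearer {token}"}
        # Valid token but no permission: every route must be forbidden
        # (403, not 401 — the caller is identified, just not authorized).
        _check_get_routes(api_rules, args, headers, 403)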