user permission REST test, WIP
diff --git a/planetstack/tests/useraccesstest.py b/planetstack/tests/useraccesstest.py
index 6a17b16..290d7cf 100644
--- a/planetstack/tests/useraccesstest.py
+++ b/planetstack/tests/useraccesstest.py
@@ -1,3 +1,13 @@
+""" useraccesstest.py
+
+ This is a basic REST API permission test. Call it with a username and a
+ password, and it will try to read and update some user and slice object,
+ and report if something is broken.
+
+ This is not an exhaustive test.
+"""
+
+
import inspect
import json
import os
@@ -13,12 +23,15 @@
SITEPRIV_API = REST_API + "site_privileges/"
SLICEPRIV_API = REST_API + "slice_memberships/"
SITEROLE_API = REST_API + "site_roles/"
+SLICEROLE_API = REST_API + "slice_roles/"
+
+TEST_USER_EMAIL = "test1234@test.com"
username = sys.argv[1]
password = sys.argv[2]
opencloud_auth=(username, password)
-admin_auth=("scott@onlab.us", "letmein")
+admin_auth=("scott@onlab.us", "letmein") # admin creds, used to get full set of objects
def fail_unless(x, msg):
if not x:
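Review bot: The admin account and password stay hard-coded in `admin_auth`, and the added comment documents them rather than removing them, so anyone who can read the repository has admin credentials for whatever deployment `REST_API` points at, if they are live. Read them from the environment instead, e.g. `admin_auth=(os.environ["ADMIN_USER"], os.environ["ADMIN_PASSWORD"])` (variable names are examples; `os` is already imported), and rotate the committed password. `username` and `password` are read from `sys.argv` with no length check, so a missing argument ends in an IndexError rather than a usage message. The body of `fail_unless` continues outside the hunk.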
@@ -39,6 +52,8 @@
allSlicePriv = r.json()
r = requests.get(SITEROLE_API + "?no_hyperlinks=1", auth=admin_auth)
allSiteRole = r.json()
+r = requests.get(SLICEROLE_API + "?no_hyperlinks=1", auth=admin_auth)
+allSliceRole = r.json()
def should_see_user(myself, otherUser):
if myself["is_admin"]:
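Review bot: The new `SLICEROLE_API` fetch is parsed with `r.json()` without checking `r.status_code`, the same as the context lines above it. If the admin request fails, `allSliceRole` holds an error body instead of a list of roles, and the later role comparisons run against that, so a setup problem shows up as a confusing test failure or exception. Adding `fail_unless(r.status_code==200, "failed to load slice roles")` directly after the `requests.get` would surface it at the source. `should_see_user` continues outside the hunk.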
@@ -52,12 +67,42 @@
return True
return False
+def should_see_slice(myself, slice):
+ if myself["is_admin"]:
+ return True
+ for sitePriv in allSitePriv:
+ if (sitePriv["user"] == myself["id"]) and (sitePriv["site"] == slice["site"]):
+ for role in allSiteRole:
+ if role["role"]=="pi" and role["id"] == sitePriv["role"]:
+ return True
+ for slicePriv in allSlicePriv:
+ if (slicePriv["user"] == myself["id"]) and (sitePriv["slice"] == slice["id"]):
+ for role in allSliceRole:
+ if role["role"]=="pi" and role["id"] == slicePriv["role"]:
+ return True
+ return False
+
def flip_phone(user):
if user["phone"] == "123":
user["phone"] = "456"
else:
user["phone"] = "123"
+def flip_desc(slice):
+ if slice["description"] == "some_description":
+ slice["description"] = "some_other_description"
+ else:
+ slice["description"] = "some_description"
+
+def delete_user_if_exists(email):
+ r = requests.get(USERS_API +"?email=%s" % email, auth=admin_auth)
+ if r.status_code==200:
+ user = r.json()
+ if len(user)>0:
+ user=user[0]
+ r = requests.delete(USERS_API + str(user["id"]) + "/", auth=admin_auth)
+ fail_unless(r.status_code==200, "failed to delete the test user")
+
print " loaded user:%d slice:%d, site:%d, site_priv:%d slice_priv:%d" % (len(allUsers), len(allSlices), len(allSites), len(allSitePriv), len(allSlicePriv))
# get our own user record
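Review bot: In `should_see_slice`, the second loop tests `sitePriv["slice"] == slice["id"]`, but `sitePriv` is the leftover variable from the first loop; it should be `slicePriv["slice"] == slice["id"]`. As written, the slice-membership branch compares the wrong record or raises (NameError when `allSitePriv` is empty, presumably KeyError otherwise), so the expected-visibility oracle for the slice tests is unreliable. It also looks for the role name `"pi"` in `allSliceRole`; confirm that slice roles actually use that name. In `delete_user_if_exists`, pass the address as `params={"email": email}` instead of formatting it into the URL, so it is encoded properly. The code before `should_see_slice` and after the `print` lies outside the hunk.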
@@ -81,6 +126,7 @@
# toggle the phone number on the users we should be able to
+"""
for user in allUsers:
user = requests.get(USERS_API + str(user["id"]) + "/", auth=admin_auth).json()
flip_phone(user)
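Review bot: The added `"""` opens a string literal that is only closed by the `"""` added in the last hunk, so the phone-number and `is_staff` permission checks between them no longer run. A permission test that silently skips its user-update checks can report success while those controls are broken. If they must stay off while this is WIP, gate them behind a flag (for example `if RUN_USER_TESTS:`, a constructed name) and print that they were skipped, or delete them. The loop body continues outside the hunk.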
@@ -91,6 +137,9 @@
# XXX: this is failing, but for the wrong reason
fail_unless(r.status_code!=200, "was able to change phone number on %s but shouldn't have" % user["email"])
+# try changing is_staff. We should be able to do it if we're an admin, but not
+# otherwise.
+
for user in allUsers:
user = requests.get(USERS_API + str(user["id"]) + "/", auth=admin_auth).json()
user["is_staff"] = not user["is_staff"]
@@ -104,8 +153,53 @@
# put it back to false, in case we successfully changed it...
user["is_staff"] = False
r = requests.put(USERS_API + str(user["id"]) +"/", data=user, auth=opencloud_auth)
+"""
+
+# delete the TEST_USER_EMAIL if it exists
+delete_user_if_exists(TEST_USER_EMAIL)
+
+newUser = {"firstname": "test", "lastname": "1234", "email": TEST_USER_EMAIL, "password": "letmein"}
+r = requests.post(USERS_API, data=newUser, auth=opencloud_auth)
+if myself["is_admin"]:
+ fail_unless(r.status_code==200, "failed to create %s" % TEST_USER_EMAIL)
+else:
+ fail_unless(r.status_code!=200, "created %s but we shouldn't have been able to" % TEST_USER_EMAIL)
+
+delete_user_if_exists(TEST_USER_EMAIL)
+
+sys.exit(-1)
+# now create it as admin
+r = requests.post(USERS_API, data=newUser, auth=admin_auth)
+fail_unless(r.status_code==201, "failed to create %s as admin" % TEST_USER_EMAIL)
+user = requests.get(USERS_API +"?email=%s" % TEST_USER_EMAIL, auth=admin_auth).json()[0]
+r = requests.delete(USERS_API + str(user["id"]) + "/", auth=opencloud_auth)
+if myself["is_admin"]:
+ fail_unless(r.status_code==200, "failed to delete %s" % TEST_USER_EMAIL)
+else:
+ fail_unless(r.status_code!=200, "deleted %s but we shouldn't have been able to" % TEST_USER_EMAIL)
+# slice tests
+r = requests.get(SLICES_API, auth=opencloud_auth)
+mySlices = r.json()
+
+for slice in mySlices:
+ fail_unless(should_see_slice(myself, slice), "saw slice %s but we shouldn't have" % slice["name"])
+mySlicesIds = [r["id"] for r in mySlices]
+for slice in allSlices:
+ if should_see_slice(myself, slice):
+ fail_unless(slice["id"] in mySliceIds, "should have seen slice %s but didnt" % slice["name"])
+
+for slice in allSlices:
+ slice = requests.get(SLICES_API + str(slice["id"]) + "/", auth=admin_auth).json()
+ flip_desc(slice)
+ r = requests.put(SLICES_API + str(slice["id"]) +"/", data=slice, auth=opencloud_auth)
+ if should_see_slice(myself, slice):
+ fail_unless(r.status_code==200, "failed to change desc on %s" % slice["name"])
+ else:
+ fail_unless(r.status_code!=200, "was able to change desc on %s but shouldn't have" % slice["name"])
+
+print "Done."
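Review bot: The unconditional `sys.exit(-1)` after the second `delete_user_if_exists` call stops the script before the admin create/delete check and all of the slice tests, and makes every run exit non-zero, so none of the slice permission checks added here execute. Once it is removed, `mySlicesIds = [...]` is read back as `mySliceIds` and will raise NameError; use one spelling. The admin branch of the first create expects `r.status_code==200` while the later admin create expects `201`, so one of the two is presumably wrong. The test account is also created with the fixed password `"letmein"`, and if a run aborts before cleanup it stays behind with a known password; a per-run random value such as `os.urandom(16).encode("hex")` would avoid that.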