Scott Baker | e30ce6d | 2014-10-09 10:59:58 -0700 | [diff] [blame] | 1 | """ useraccesstest.py |
| 2 | |
| 3 | This is a basic REST API permission test. Call it with a username and a |
| 4 | password, and it will try to read and update some user and slice objects, |
| 5 | and report if something is broken. |
| 6 | |
| 7 | This is not an exhaustive test. |
| 8 | """ |
| 9 | |
| 10 | |
Scott Baker | 134fff7 | 2014-10-07 12:54:51 -0700 | [diff] [blame] | 11 | import inspect |
| 12 | import json |
| 13 | import os |
| 14 | import requests |
| 15 | import sys |
Scott Baker | 3495c5a | 2015-02-18 09:56:21 -0800 | [diff] [blame] | 16 | import time |
| 17 | from urllib import urlencode |
Scott Baker | 134fff7 | 2014-10-07 12:54:51 -0700 | [diff] [blame] | 18 | |
| 19 | from operator import itemgetter, attrgetter |
| 20 | |
# Usage: exactly five positional arguments, in this order:
#   <hostname> <username> <password> <admin_username> <admin_password>
# NOTE(review): both passwords arrive on the command line, so they can end up
# in shell history and in the process list of the machine running the test.
if len(sys.argv) != 6:
    print "syntax: usertest <hostname> <username> <password> <admin_username> <admin_password>"
    sys.exit(-1)

hostname, username, password = sys.argv[1:4]

# (user, password) tuples; requests sends a tuple given as auth= using HTTP
# Basic authentication.
opencloud_auth = (username, password)   # the account whose permissions are under test
admin_auth = tuple(sys.argv[4:6])       # admin account used for reference data and cleanup

# NOTE(review): the base URL is plain http://, so the Basic credentials above
# (the admin password included) cross the network unencrypted. Run this only
# against a test deployment on a trusted network, or put the API behind TLS.
REST_API = "http://%s:8000/xos/" % hostname

# One endpoint per object type read by the checks below.
USERS_API = REST_API + "users/"
SLICES_API = REST_API + "slices/"
SITES_API = REST_API + "sites/"
SITEPRIV_API = REST_API + "siteprivileges/"
SLICEPRIV_API = REST_API + "slice_privileges/"
SITEROLE_API = REST_API + "site_roles/"
SLICEROLE_API = REST_API + "slice_roles/"

# in case observer not running, objects won't be purged, so use unique email
TEST_USER_EMAIL = "".join(["test", str(time.time()), "@test.com"])
Scott Baker | 134fff7 | 2014-10-07 12:54:51 -0700 | [diff] [blame] | 42 | |
def fail_unless(x, msg):
    """Print a FAIL line naming the caller when *x* is falsy.

    The caller's function name and line number are read from the call stack.
    Nothing is raised and nothing is returned, so a failed check does not stop
    the script; failures are visible only in the printed output.
    """
    if x:
        return
    # Entry 0 is this function's own frame; entry 1 is whoever called us.
    # Each entry is (frame, filename, line_number, function_name, lines, index).
    caller = inspect.stack()[1]
    print "FAIL (%s:%d)" % (caller[3], caller[2]), msg
| 47 | |
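# Reference data: fetch every object type with the admin account. These lists
# are what should_see_user() / should_see_slice() compute the expected answers
# from, so each download is checked; an error response here would otherwise
# turn into misleading results further down.
print "downloading objects using admin"
r = requests.get(USERS_API + "?no_hyperlinks=1", auth=admin_auth)
fail_unless(r.status_code==200, "failed to get users")
allUsers = r.json()
r = requests.get(SLICES_API + "?no_hyperlinks=1", auth=admin_auth)
fail_unless(r.status_code==200, "failed to get slices")
allSlices = r.json()
r = requests.get(SITES_API + "?no_hyperlinks=1", auth=admin_auth)
fail_unless(r.status_code==200, "failed to get sites")
allSites = r.json()
r = requests.get(SITEPRIV_API + "?no_hyperlinks=1", auth=admin_auth)
fail_unless(r.status_code==200, "failed to get site privileges")
allSitePriv = r.json()
r = requests.get(SLICEPRIV_API + "?no_hyperlinks=1", auth=admin_auth)
fail_unless(r.status_code==200, "failed to get slice privileges")
allSlicePriv = r.json()
r = requests.get(SITEROLE_API + "?no_hyperlinks=1", auth=admin_auth)
fail_unless(r.status_code==200, "failed to get site roles")
allSiteRole = r.json()
r = requests.get(SLICEROLE_API + "?no_hyperlinks=1", auth=admin_auth)
fail_unless(r.status_code==200, "failed to get slice roles")
allSliceRole = r.json()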
Scott Baker | 134fff7 | 2014-10-07 12:54:51 -0700 | [diff] [blame] | 65 | |
def should_see_user(myself, otherUser):
    """Return True if *myself* is expected to be able to see *otherUser*.

    Expected visibility, as computed from the admin-fetched module-level lists
    allSitePriv and allSiteRole:
      * an admin sees every user;
      * every user sees their own record;
      * a user holding a site privilege whose role is named "pi" sees the
        users of that site.
    Both arguments are user records (dicts) as returned by the users API.
    """
    if myself["is_admin"] or myself["id"] == otherUser["id"]:
        return True
    for priv in allSitePriv:
        # Skip privileges of other users or on other sites.
        if priv["user"] != myself["id"] or priv["site"] != otherUser["site"]:
            continue
        # The privilege only counts when its role record is named "pi".
        if any(r["role"] == "pi" and r["id"] == priv["role"] for r in allSiteRole):
            return True
    return False
| 77 | |
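def should_see_slice(myself, slice):
    """Return True if *myself* is expected to be able to see *slice*.

    Expected visibility, as computed from the admin-fetched module-level lists
    allSitePriv, allSiteRole, allSlicePriv and allSliceRole:
      * an admin sees every slice;
      * a user holding a site privilege with the "pi" role sees the slices of
        that site;
      * a user holding a privilege on the slice itself, with a slice role
        named "pi", sees that slice.
    *myself* is a user record and *slice* a slice record, both dicts as
    returned by the REST API.
    """
    if myself["is_admin"]:
        return True
    for sitePriv in allSitePriv:
        if (sitePriv["user"] == myself["id"]) and (sitePriv["site"] == slice["site"]):
            for role in allSiteRole:
                if role["role"]=="pi" and role["id"] == sitePriv["role"]:
                    return True
    for slicePriv in allSlicePriv:
        # The slice id must be read from the slice privilege being examined.
        # Reading it from the leftover sitePriv loop variable, as this
        # condition did before, compares against an unrelated record and
        # raises when that record has no "slice" key or the site-privilege
        # list is empty, so the permission oracle itself was unreliable.
        if (slicePriv["user"] == myself["id"]) and (slicePriv["slice"] == slice["id"]):
            for role in allSliceRole:
                # NOTE(review): only a slice role named "pi" counts here;
                # confirm no other slice role should grant visibility.
                if role["role"]=="pi" and role["id"] == slicePriv["role"]:
                    return True
    return False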
| 92 | |
def flip_phone(user):
    """Toggle user["phone"] in place: "123" becomes "456", anything else "123".

    Gives a field value that is guaranteed to differ from the current one, so
    an update request built from *user* really changes the record.
    """
    user["phone"] = "456" if user["phone"] == "123" else "123"
| 98 | |
def flip_desc(slice):
    """Toggle slice["description"] in place between two fixed test strings.

    "some_description" becomes "some_other_description"; any other value
    (including a real description) is overwritten with "some_description".
    """
    current = slice["description"]
    if current == "some_description":
        replacement = "some_other_description"
    else:
        replacement = "some_description"
    slice["description"] = replacement
| 104 | |
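def delete_user_if_exists(email):
    """Delete, using the admin account, the user whose email is *email*.

    Does nothing when no such user is returned. Problems are reported through
    fail_unless(), which prints and carries on.
    """
    # Build the query with urlencode, like the other lookups in this file, so
    # characters such as "+" or "&" in the address cannot change the query.
    r = requests.get(USERS_API + "?" + urlencode({"email": email}), auth=admin_auth)
    fail_unless(r.status_code==200, "failed to look up user %s" % email)
    if r.status_code!=200:
        return
    for user in r.json():
        # This runs with admin credentials: only ever delete a record whose
        # email matches exactly. If the server ignored the filter and returned
        # other users, deleting the first result would remove a real account.
        if user.get("email") != email:
            continue
        r = requests.delete(USERS_API + str(user["id"]) + "/", auth=admin_auth)
        fail_unless(r.status_code==200, "failed to delete the test user")
        break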
| 113 | |
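print " loaded user:%d slice:%d, site:%d, site_priv:%d slice_priv:%d" % (len(allUsers), len(allSlices), len(allSites), len(allSitePriv), len(allSlicePriv))

# get our own user record

r = requests.get(USERS_API + "?" + urlencode({"email": username, "no_hyperlinks": "1"}), auth=opencloud_auth)
fail_unless(r.status_code==200, "failed to get user %s" % username)
myself = r.json()
fail_unless(len(myself)==1, "wrong number of results when getting user %s" % username)
myself = myself[0]

# check to see that we see the users we should be able to

# NOTE(review): this listing is requested without no_hyperlinks=1, unlike the
# admin listings it is compared against; confirm that "site" in these records
# has the same form as the "site" field of the site privileges.
r = requests.get(USERS_API, auth=opencloud_auth)
# An error response must not be mistaken for an empty (or odd) user list.
fail_unless(r.status_code==200, "failed to get the user list as %s" % username)
myUsers = r.json()
# Over-exposure: every user returned to us must be one we are allowed to see.
for user in myUsers:
    fail_unless(should_see_user(myself, user), "saw user %s but we shouldn't have" % user["email"])
# A separate loop name keeps the comprehension from overwriting the response
# object r (list-comprehension variables leak into the enclosing scope here).
myUsersIds = [u["id"] for u in myUsers]
# Under-exposure: every user we are allowed to see must have been returned.
for user in allUsers:
    if should_see_user(myself, user):
        fail_unless(user["id"] in myUsersIds, "should have seen user %s but didnt" % user["email"])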
| 134 | |
# toggle the phone number on the users we should be able to
#
# NOTE(review): everything between the triple quotes below is a bare string
# literal, so none of it runs. The user-update checks (phone number) and the
# is_staff checks are therefore not exercised by this script; the XXX remarks
# inside record that the negative cases were failing for the wrong reason.

"""
for user in allUsers:
    user = requests.get(USERS_API + str(user["id"]) + "/", auth=admin_auth).json()
    flip_phone(user)
    r = requests.put(USERS_API + str(user["id"]) +"/", data=user, auth=opencloud_auth)
    if should_see_user(myself, user):
        fail_unless(r.status_code==200, "failed to change phone number on %s" % user["email"])
    else:
        # XXX: this is failing, but for the wrong reason
        fail_unless(r.status_code!=200, "was able to change phone number on %s but shouldn't have" % user["email"])

# try changing is_staff. We should be able to do it if we're an admin, but not
# otherwise.

for user in allUsers:
    user = requests.get(USERS_API + str(user["id"]) + "/", auth=admin_auth).json()
    user["is_staff"] = not user["is_staff"]
    r = requests.put(USERS_API + str(user["id"]) +"/", data=user, auth=opencloud_auth)
    if myself["is_admin"]:
        fail_unless(r.status_code==200, "failed to change is_staff on %s" % user["email"])
    else:
        # XXX: this is failing, but for the wrong reason
        fail_unless(r.status_code!=200, "was able to change is_staff on %s but shouldn't have" % user["email"])

    # put it back to false, in case we successfully changed it...
    user["is_staff"] = False
    r = requests.put(USERS_API + str(user["id"]) +"/", data=user, auth=opencloud_auth)
"""
| 165 | |
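# delete the TEST_USER_EMAIL if it exists
delete_user_if_exists(TEST_USER_EMAIL)

# XXX - enacted and policed should not be required

# NOTE(review): the test account is created with a fixed, guessable password.
# Any run that leaves the account behind leaves a login with a known password
# on the target, hence the unconditional admin cleanup at the end of this
# section.
newUser = {"firstname": "test", "lastname": "1234", "email": TEST_USER_EMAIL, "password": "letmein", "site": allSites[0]["id"], "enacted": "2015-01-01T00:00", "policed": "2015-01-01T00:00"}
r = requests.post(USERS_API + "?no_hyperlinks=1", data=newUser, auth=opencloud_auth)
if myself["is_admin"]:
    # The admin creation below expects 201 from this same endpoint, so a
    # successful create is accepted as either 200 or 201 here.
    fail_unless(r.status_code in (200, 201), "failed to create %s" % TEST_USER_EMAIL)
else:
    # Any 2xx means the account was created. Testing only for "not 200" would
    # let a 201 Created from an unprivileged account pass unnoticed.
    fail_unless(not (200 <= r.status_code < 300), "created %s but we shouldn't have been able to" % TEST_USER_EMAIL)

delete_user_if_exists(TEST_USER_EMAIL)

# now create it as admin
r = requests.post(USERS_API + "?no_hyperlinks=1", data=newUser, auth=admin_auth)
if (r.status_code!=201):
    print r.text
fail_unless(r.status_code==201, "failed to create %s as admin" % TEST_USER_EMAIL)

r = requests.get(USERS_API +"?" + urlencode({"email": TEST_USER_EMAIL}), auth=admin_auth)
fail_unless(r.status_code==200, "failed to get user %s" % TEST_USER_EMAIL)
# Keep only exact matches: the delete below must never be aimed at some other
# account because the lookup failed or returned unrelated records.
if r.status_code==200:
    matches = [u for u in r.json() if u.get("email") == TEST_USER_EMAIL]
else:
    matches = []
fail_unless(len(matches)==1, "wrong number of results when getting user %s" % TEST_USER_EMAIL)
if matches:
    user = matches[0]
    r = requests.delete(USERS_API + str(user["id"]) + "/", auth=opencloud_auth)
    if myself["is_admin"]:
        fail_unless(r.status_code==200, "failed to delete %s" % TEST_USER_EMAIL)
    else:
        # Any 2xx (for example 204) means the delete went through.
        fail_unless(not (200 <= r.status_code < 300), "deleted %s but we shouldn't have been able to" % TEST_USER_EMAIL)

# Cleanup as admin: when the account under test is not an admin, the delete
# above is expected to be refused and the test user would otherwise remain.
delete_user_if_exists(TEST_USER_EMAIL)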
Scott Baker | 134fff7 | 2014-10-07 12:54:51 -0700 | [diff] [blame] | 194 | |
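# slice tests

r = requests.get(SLICES_API, auth=opencloud_auth)
# An error response must not be mistaken for a slice list.
fail_unless(r.status_code==200, "failed to get the slice list as %s" % username)
mySlices = r.json()

# NOTE(review): this listing and the per-slice GET below are requested without
# no_hyperlinks=1, unlike the admin listings; confirm that "site" in these
# records has the same form as the "site" field of the site privileges.

# Over-exposure: every slice returned to us must be one we are allowed to see.
for slice in mySlices:
    fail_unless(should_see_slice(myself, slice), "saw slice %s but we shouldn't have" % slice["name"])
mySlicesIds = [s["id"] for s in mySlices]
# Under-exposure: every slice we are allowed to see must have been returned.
# (The lookup uses mySlicesIds, the name assigned above; the misspelt
# mySliceIds raised NameError on the first visible slice.)
for slice in allSlices:
    if should_see_slice(myself, slice):
        fail_unless(slice["id"] in mySlicesIds, "should have seen slice %s but didnt" % slice["name"])

# Write access: try to change the description of every slice as the account
# under test. This really modifies each slice the account may write and the
# previous description is not restored, so use a test deployment only.
# NOTE(review): should_see_slice() doubles as the write-permission oracle
# here; confirm that visibility and write access are meant to coincide.
for slice in allSlices:
    slice = requests.get(SLICES_API + str(slice["id"]) + "/", auth=admin_auth).json()
    flip_desc(slice)
    r = requests.put(SLICES_API + str(slice["id"]) +"/", data=slice, auth=opencloud_auth)
    if should_see_slice(myself, slice):
        fail_unless(r.status_code==200, "failed to change desc on %s" % slice["name"])
    else:
        # Any 2xx means the update was accepted, not just a plain 200.
        fail_unless(not (200 <= r.status_code < 300), "was able to change desc on %s but shouldn't have" % slice["name"])

# fail_unless() only prints, so "Done." appears whether or not checks failed;
# look for FAIL lines in the output above.
print "Done."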