90 lines
2.9 KiB
Python
90 lines
2.9 KiB
Python
import pytest
|
|
|
|
import atst
|
|
from atst.app import make_app, make_config
|
|
from atst.domain.auth import UNPROTECTED_ROUTES as _NO_LOGIN_REQUIRED
|
|
import atst.domain.authz as authz
|
|
|
|
from tests.factories import UserFactory
|
|
|
|
_NO_ACCESS_CHECK_REQUIRED = _NO_LOGIN_REQUIRED + [
|
|
"task_orders.get_started", # all users can start a new TO
|
|
"atst.csp_environment_access", # internal redirect
|
|
"atst.jedi_csp_calculator", # internal redirect
|
|
"atst.styleguide", # dev reference
|
|
"dev.test_email", # dev tool
|
|
"dev.messages", # dev tool
|
|
"atst.home", # available to all users
|
|
"users.user", # available to all users
|
|
"users.update_user", # available to all users
|
|
"portfolios.accept_invitation", # available to all users; access control is built into invitation logic
|
|
"atst.catch_all", # available to all users
|
|
"portfolios.portfolios", # the portfolios list is scoped to the user separately
|
|
]
|
|
|
|
|
|
def protected_routes(app):
|
|
_protected_routes = []
|
|
|
|
for rule in app.url_map.iter_rules():
|
|
args = [1] * len(rule.arguments)
|
|
mock_args = dict(zip(rule.arguments, args))
|
|
_n, route = rule.build(mock_args)
|
|
if rule.endpoint in _NO_ACCESS_CHECK_REQUIRED or "/static" in route:
|
|
continue
|
|
|
|
_protected_routes.append((rule, route))
|
|
|
|
return _protected_routes
|
|
|
|
|
|
sample_config = make_config()
|
|
sample_app = make_app(sample_config)
|
|
_PROTECTED_ROUTES = protected_routes(sample_app)
|
|
|
|
|
|
class Null:
|
|
"""
|
|
Very simple null object. Will return itself for all attribute
|
|
calls:
|
|
> foo = Null()
|
|
> foo.bar.baz == foo
|
|
"""
|
|
|
|
def __init__(self, *args, **kwargs):
|
|
pass
|
|
|
|
def __getattr__(self, name):
|
|
return self
|
|
|
|
|
|
@pytest.mark.parametrize("rule,route", _PROTECTED_ROUTES)
|
|
def test_all_protected_routes_have_access_control(
|
|
rule, route, mocker, client, user_session, monkeypatch
|
|
):
|
|
"""
|
|
This tests that all routes, except the ones in
|
|
_NO_ACCESS_CHECK_REQUIRED, are protected by the access
|
|
decorator.
|
|
"""
|
|
# monkeypatch any object lookups that might happen in the access decorator
|
|
monkeypatch.setattr("atst.domain.portfolios.Portfolios.for_user", lambda *a: [])
|
|
monkeypatch.setattr("atst.domain.portfolios.Portfolios.get", lambda *a: None)
|
|
monkeypatch.setattr("atst.domain.task_orders.TaskOrders.get", lambda *a: Null())
|
|
|
|
# patch the two internal functions the access decorator uses so
|
|
# that we can check that one or the other was called
|
|
mocker.patch("atst.domain.authz.decorator.user_can_access")
|
|
mocker.patch("atst.domain.authz.decorator.evaluate_exceptions")
|
|
|
|
user = UserFactory.create()
|
|
user_session(user)
|
|
|
|
method = "get" if "GET" in rule.methods else "post"
|
|
getattr(client, method)(route)
|
|
|
|
assert (
|
|
atst.domain.authz.decorator.user_can_access.call_count == 1
|
|
or atst.domain.authz.decorator.evaluate_exceptions.call_count == 1
|
|
), "no access control for {}".format(rule.endpoint)
|