TMSS-876: rename test so it can be run independently, add tests for...

TMSS-876: rename test so it can be run independently, add tests for Access-Control-Allow-methods header

TMSS-876: rename test so it can be run independently, add tests for...
018433a3 · Jörn Künsemöller · 2eda3ff1 · 018433a3 · 2eda3ff1 · 018433a3
Commit 018433a3 authored 3 years ago by Jörn Künsemöller
--- a/SAS/TMSS/backend/test/CMakeLists.txt
+++ b/SAS/TMSS/backend/test/CMakeLists.txt
@@ -35,7 +35,7 @@ if(BUILD_TESTING)
    lofar_add_test(t_scheduling_units)
    lofar_add_test(t_scheduling)
    lofar_add_test(t_conversions)
-    lofar_add_test(t_permissions)
+    lofar_add_test(t_permissions_project_roles)
    lofar_add_test(t_permissions_system_roles)
    lofar_add_test(t_complex_serializers)
    lofar_add_test(t_observation_strategies_specification_and_scheduling_test)

--- a/SAS/TMSS/backend/test/t_permissions.sh
+++ b/SAS/TMSS/backend/test/t_permissions.sh
-#!/bin/sh
-
-./runctest.sh t_permissions
\ No newline at end of file
--- a/SAS/TMSS/backend/test/t_permissions.py
+++ b/SAS/TMSS/backend/test/t_permissions.py
@@ -93,7 +93,7 @@ class ProjectPermissionTestCase(TestCase):
        # create the required permission entries to control what endpoint action requires which project role
        shared_support_role_url = BASE_URL + '/project_role/shared_support/'
        cls.test_data_creator.post_data_and_get_url(cls.test_data_creator.ProjectPermission(name='taskdraft', GET=[shared_support_role_url], POST=[shared_support_role_url]), '/project_permission/')
-        cls.test_data_creator.post_data_and_get_url(cls.test_data_creator.ProjectPermission(name='taskdraft-create_task_blueprint', GET=[shared_support_role_url]), '/project_permission/')
+        cls.test_data_creator.post_data_and_get_url(cls.test_data_creator.ProjectPermission(name='taskdraft-create_task_blueprint', POST=[shared_support_role_url]), '/project_permission/')

        cls.task_template_url = cls.test_data_creator.post_data_and_get_url(cls.test_data_creator.TaskTemplate(), '/task_template/')

@@ -166,7 +166,6 @@ class ProjectPermissionTestCase(TestCase):
        # make sure we cannot create a blueprint from it
        POST_and_assert_expected_response(self, taskdraft_url + '/create_task_blueprint/', {}, 403, {}, auth=self.auth)

-    @unittest.skip("TODO: fix test, there are issues with permissions since we changed the method from GET to POST")
    def test_task_draft_create_task_blueprint_GET_works_if_user_has_permission_for_related_project(self):
        # create task draft connected to project where we have 'shared_support' role
        taskdraft_test_data = self.test_data_creator.TaskDraft(scheduling_unit_draft_url=self.scheduling_unit_draft_shared_support_url, template_url=self.task_template_url)
@@ -175,11 +174,65 @@ class ProjectPermissionTestCase(TestCase):
        # make sure we cannot create a blueprint from it
        POST_and_assert_expected_response(self, taskdraft_url + '/create_task_blueprint/', {}, 201, {}, auth=self.auth)

+    def test_access_control_allow_header_return_all_methods_for_superuser(self):
+        with requests.Session() as session:
+            session.verify = False
+            session.auth = (AUTH.username, AUTH.password)
+
+            r = session.get(BASE_URL + '/task_draft/')
+            self.assertEqual(r.status_code, 200)
+            allowed_methods = r.headers['Access-Control-Allow-Methods'].split(', ')
+            for method in ['GET', 'POST', 'PUT', 'PATCH', 'DELETE']:
+                self.assertIn(method, allowed_methods)
+
+    def test_access_control_allow_header_reflects_user_permissions_in_list_view(self):
+        with requests.Session() as session:
+            session.verify = False
+            session.auth = self.auth
+
+            r = session.get(BASE_URL + '/task_draft/')
+            self.assertEqual(r.status_code, 200)
+            allowed_methods = r.headers['Access-Control-Allow-Methods'].split(', ')
+            for method in ['GET']:  # user has no general POST permission on the model (via system role)
+                self.assertIn(method, allowed_methods)
+            for method in ['POST', 'PUT', 'PATCH', 'DELETE']:
+                self.assertNotIn(method, allowed_methods)
+
+    def test_access_control_allow_header_reflects_user_permissions_in_detail_view(self):
+        # create task draft connected to project where we have 'shared_support' role
+        taskdraft_test_data = self.test_data_creator.TaskDraft(scheduling_unit_draft_url=self.scheduling_unit_draft_shared_support_url, template_url=self.task_template_url)
+        taskdraft_url = POST_and_assert_expected_response(self, BASE_URL + '/task_draft/', taskdraft_test_data, 201, taskdraft_test_data)['url']
+
+        with requests.Session() as session:
+            session.verify = False
+            session.auth = self.auth
+
+            r = session.get(taskdraft_url)
+            self.assertEqual(r.status_code, 200)
+            allowed_methods = r.headers['Access-Control-Allow-Methods'].split(', ')
+            for method in ['GET', 'POST']:  # user has POST permission on this particular object (via project role, see setUpClass)
+                self.assertIn(method, allowed_methods)
+            for method in ['PUT', 'PATCH', 'DELETE']:
+                self.assertNotIn(method, allowed_methods)
+
+    def test_access_control_allow_header_not_in_response_when_no_permission(self):
+
+        # create task draft connected to project where we have no role
+        taskdraft_test_data = self.test_data_creator.TaskDraft(scheduling_unit_draft_url=self.scheduling_unit_draft_forbidden_url, template_url=self.task_template_url)
+        taskdraft_url = POST_and_assert_expected_response(self, BASE_URL + '/task_draft/', taskdraft_test_data, 201, taskdraft_test_data)['url']
+
+        with requests.Session() as session:
+            session.verify = False
+            session.auth = self.auth
+            r = session.get(taskdraft_url)
+            self.assertEqual(r.status_code, 403)
+            self.assertNotIn('Access-Control-Allow-Methods', r.headers)
+
    # todo: add tests for other models with project permissions


 if __name__ == "__main__":
    logging.basicConfig(format='%(asctime)s %(levelname)s %(message)s',
                        level=logging.INFO)
-    unittest.main(defaultTest='ProjectPermissionTestCase.test_task_draft_create_task_blueprint_GET_works_if_user_has_permission_for_related_project')
+    unittest.main()

--- a/SAS/TMSS/backend/test/t_permissions.run
+++ b/SAS/TMSS/backend/test/t_permissions.run
@@ -2,5 +2,5 @@

 # Run the unit test
 source python-coverage.sh
-python_coverage_test "*tmss*" t_permissions.py
+python_coverage_test "*tmss*" t_permissions_project_roles.py

--- a/SAS/TMSS/backend/test/t_permissions_project_roles.sh
+++ b/SAS/TMSS/backend/test/t_permissions_project_roles.sh
+#!/bin/sh
+
+./runctest.sh t_permissions_project_roles
\ No newline at end of file