From 443eb72687e99edd6bf9ef7941005909beaf0054 Mon Sep 17 00:00:00 2001
From: Emmanuel Viennet <emmanuel.viennet@gmail.com>
Date: Wed, 4 May 2022 23:12:03 +0200
Subject: [PATCH] API: test des permissions de toutes les routes GET (sauf
 logos)

---
 tests/api/test_api_permissions.py | 98 +++++++++++++++++++++++++++++++
 1 file changed, 98 insertions(+)
 create mode 100644 tests/api/test_api_permissions.py

diff --git a/tests/api/test_api_permissions.py b/tests/api/test_api_permissions.py
new file mode 100644
index 00000000..aa80f36f
--- /dev/null
+++ b/tests/api/test_api_permissions.py
@@ -0,0 +1,98 @@
+# -*- coding: utf-8 -*-
+
+"""Test permissions
+
+    On a deux utilisateurs dans la base test API: 
+     - "test", avec le rôle LecteurAPI qui a APIView, 
+     - et "other", qui n'a aucune permission.
+
+
+    Lancer :
+        pytest tests/api/test_api_permissions.py
+"""
+
+import requests
+
+import flask
+from tests.api.setup_test_api import API_URL, SCODOC_URL, CHECK_CERTIFICATE, api_headers
+from tests.api.tools_test_api import verify_fields
+
+from app import create_app
+from config import RunningConfig
+
+
+def test_permissions(api_headers):
+    """
+    vérification de la permissions APIView et du non accès sans role
+    de toutes les routes de l'API
+    """
+    # Ce test va récupérer toutes les routes de l'API
+    app = create_app(RunningConfig)
+    assert app
+    # Les routes de l'API avec GET, excluant les logos pour le momeent XXX
+    api_rules = [
+        r
+        for r in app.url_map.iter_rules()
+        if str(r).startswith("/ScoDoc/api")
+        and not "logo" in str(r)  # ignore logos
+        and "GET" in r.methods
+    ]
+    assert len(api_rules) > 0
+    args = {
+        "etudid": 1,
+        # "date_debut":
+        # "date_fin":
+        "dept": "TAPI",
+        "etape_apo": "???",
+        "etat": "I",
+        "evaluation_id": 1,
+        "formation_id": 1,
+        "formsemestre_id": 1,
+        "group_id": 1,
+        "ine": "1",
+        "module_id": 1,
+        "moduleimpl_id": 1,
+        "nip": 1,
+        "partition_id": 1,
+    }
+    for rule in api_rules:
+        path = rule.build(args)[1]
+        if not "GET" in rule.methods:
+            # skip all POST routes
+            continue
+        r = requests.get(
+            SCODOC_URL + path,
+            headers=api_headers,
+            verify=CHECK_CERTIFICATE,
+        )
+        assert r.status_code == 200
+
+    # Même chose sans le jeton:
+    for rule in api_rules:
+        path = rule.build(args)[1]
+        if not "GET" in rule.methods:
+            # skip all POST routes
+            continue
+        r = requests.get(
+            SCODOC_URL + path,
+            verify=CHECK_CERTIFICATE,
+        )
+        assert r.status_code == 401
+
+    # Demande un jeton pour "other"
+    r = requests.post(API_URL + "/tokens", auth=("other", "other"))
+    assert r.status_code == 200
+    token = r.json()["token"]
+    headers = {"Authorization": f"Bearer {token}"}
+    # Vérifie que tout est interdit
+    for rule in api_rules:
+        path = rule.build(args)[1]
+        if not "GET" in rule.methods:
+            # skip all POST routes
+            continue
+        r = requests.get(
+            SCODOC_URL + path,
+            headers=headers,
+            verify=CHECK_CERTIFICATE,
+        )
+        assert r.status_code == 403