ScoDoc/tests/api/test_api_permissions.py

# -*- coding: utf-8 -*-

"""Test permissions

    On a deux utilisateurs dans la base test API: 
     - "test", avec le rôle LecteurAPI qui a la permission ScoView, 
     - et "other", qui n'a aucune permission.


    Lancer :
        pytest tests/api/test_api_permissions.py
"""

import requests

from tests.api.setup_test_api import API_URL, SCODOC_URL, CHECK_CERTIFICATE, api_headers
from tests.api.tools_test_api import verify_fields

from app import create_app
from config import RunningConfig


def test_permissions(api_headers):
    """
    vérification de la permissions ScoView et du non accès sans role
    de toutes les routes de l'API
    """
    # Ce test va récupérer toutes les routes de l'API
    app = create_app(RunningConfig)
    assert app
    # Les routes de l'API avec GET, excluant les logos pour le moment XXX
    api_rules = [
        r
        for r in app.url_map.iter_rules()
        if str(r).startswith("/ScoDoc/api")
        and not "logo" in str(r)  # ignore logos
        and not "absence" in str(r)  # ignore absences
        and "GET" in r.methods
    ]
    assert len(api_rules) > 0
    args = {
        "acronym": "TAPI",
        "dept_id": 1,
        "dept_ident": "TAPI",
        "dept": "TAPI",
        "etape_apo": "???",
        "etat": "I",
        "etudid": 1,
        "evaluation_id": 1,
        "formation_id": 1,
        "formsemestre_id": 1,
        "group_id": 1,
        "ine": "INE1",
        "module_id": 1,
        "moduleimpl_id": 1,
        "nip": 1,
        "partition_id": 1,
        "role_name": "Ens",
        "uid": 1,
    }
    for rule in api_rules:
        path = rule.build(args)[1]
        if not "GET" in rule.methods:
            # skip all POST routes
            continue
        r = requests.get(
            SCODOC_URL + path,
            headers=api_headers,
            verify=CHECK_CERTIFICATE,
        )
        assert r.status_code == 200

    # Même chose sans le jeton:
    for rule in api_rules:
        path = rule.build(args)[1]
        if not "GET" in rule.methods:
            # skip all POST routes
            continue
        r = requests.get(
            SCODOC_URL + path,
            verify=CHECK_CERTIFICATE,
        )
        assert r.status_code == 401

    # Demande un jeton pour "other"
    r = requests.post(API_URL + "/tokens", auth=("other", "other"))
    assert r.status_code == 200
    token = r.json()["token"]
    headers = {"Authorization": f"Bearer {token}"}
    # Vérifie que tout est interdit
    for rule in api_rules:
        path = rule.build(args)[1]
        if not "GET" in rule.methods:
            # skip all POST routes
            continue
        r = requests.get(
            SCODOC_URL + path,
            headers=headers,
            verify=CHECK_CERTIFICATE,
        )
        assert r.status_code == 401