From 5410727d88587663f0ef28e0fe399f7073e6cd7d Mon Sep 17 00:00:00 2001 From: thuva4 Date: Sun, 18 Mar 2018 16:14:43 +0530 Subject: Add submitter check for testcase prevent user(Non submitter) from create, update, delete a testcase tests are added Change-Id: I0c63dea7a6e0d3438802dd8c84e8a752ef7fe3f6 Signed-off-by: thuva4 --- testapi/opnfv_testapi/common/check.py | 12 ++++++--- testapi/opnfv_testapi/tests/unit/executor.py | 2 +- .../opnfv_testapi/tests/unit/handlers/test_base.py | 4 +-- .../tests/unit/handlers/test_testcase.py | 31 +++++++++++++++++----- 4 files changed, 36 insertions(+), 13 deletions(-) diff --git a/testapi/opnfv_testapi/common/check.py b/testapi/opnfv_testapi/common/check.py index 18dc67d..09a9270 100644 --- a/testapi/opnfv_testapi/common/check.py +++ b/testapi/opnfv_testapi/common/check.py @@ -31,16 +31,22 @@ def is_authorized(method): raises.Unauthorized(message.not_lfid()) if method.__name__ == "_create": kwargs['creator'] = testapi_id - if self.table in ['projects']: + if self.table in ['projects', 'testcases']: + map_name = { + 'projects': 'name', + 'testcases': 'project_name' + } + group = "opnfv-gerrit-{}-submitters" query = kwargs.get('query') if type(query) is not dict: query_data = query() else: - if self.json_args is None or 'name' not in self.json_args: + if (self.json_args is None or + map_name[self.table] not in self.json_args): query_data = query else: query_data = self.json_args - group = "opnfv-gerrit-" + query_data['name'] + "-submitters" + group = group.format(query_data[map_name[self.table]]) if group not in user_info['groups']: raises.Unauthorized(message.no_permission()) ret = yield gen.coroutine(method)(self, *args, **kwargs) diff --git a/testapi/opnfv_testapi/tests/unit/executor.py b/testapi/opnfv_testapi/tests/unit/executor.py index d08782c..5a8d688 100644 --- a/testapi/opnfv_testapi/tests/unit/executor.py +++ b/testapi/opnfv_testapi/tests/unit/executor.py 
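Review bot: In the `else` branch the group name is built from `self.json_args` whenever the body carries `project_name`, so for `testcases` the permission check is bound to a client-supplied field rather than to the record selected by `query`. The `test_unauthorized` case added to `TestCaseUpdate` later in this patch confirms that the body value drives the decision; if `query` is the URL-derived filter, as it appears to be, the check would pass for a testcase in a project the caller has no rights on as long as the body names a project they do submit to. I would resolve the target from `query` first and also require membership for any `project_name` given in the body, so that moving a testcase between projects needs rights on both. `query_data[map_name[self.table]]` also raises `KeyError` when the key is absent, which should end in the same `raises.Unauthorized` rather than an unhandled exception. The body of `is_authorized` starts and ends outside the hunk.

```python
# … unchanged: map_name, group template, query = kwargs.get('query') …
key = map_name[self.table]
target = query if type(query) is dict else query()
required = set()
for source in (target, self.json_args):
    # the record selected by the query, plus any project named in the body
    if source and key in source:
        required.add(group.format(source[key]))
if not required or not required.issubset(user_info['groups']):
    raises.Unauthorized(message.no_permission())
# … unchanged: ret = yield gen.coroutine(method)(self, *args, **kwargs) …
```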
@@ -91,7 +91,7 @@ def delete(excepted_status, excepted_response): def wrap(self): request = delete_request(self) if isinstance(request, tuple): - status, body = self.delete(request[0], *(request[1])) + status, body = self.delete(*request) else: status, body = self.delete(request) if excepted_status == httplib.OK: diff --git a/testapi/opnfv_testapi/tests/unit/handlers/test_base.py b/testapi/opnfv_testapi/tests/unit/handlers/test_base.py index 9a7bc5c..1fd3324 100644 --- a/testapi/opnfv_testapi/tests/unit/handlers/test_base.py +++ b/testapi/opnfv_testapi/tests/unit/handlers/test_base.py @@ -63,7 +63,8 @@ class TestBase(testing.AsyncHTTPTestCase): 'opnfv-gerrit-functest-submitters', 'opnfv-gerrit-qtip-submitters', 'opnfv-gerrit-qtip-contributors', - 'opnfv-gerrit-apex-submitters'] + 'opnfv-gerrit-apex-submitters', + 'opnfv-gerrit-noProject-submitters'] }) def tearDown(self): @@ -158,7 +159,6 @@ class TestBase(testing.AsyncHTTPTestCase): res = self.fetch(url, method='DELETE', headers=self.headers) - return res.code, res.body def delete(self, *args): diff --git a/testapi/opnfv_testapi/tests/unit/handlers/test_testcase.py b/testapi/opnfv_testapi/tests/unit/handlers/test_testcase.py index 97325e2..e0ce381 100644 --- a/testapi/opnfv_testapi/tests/unit/handlers/test_testcase.py +++ b/testapi/opnfv_testapi/tests/unit/handlers/test_testcase.py @@ -32,7 +32,6 @@ class TestCaseBase(base.TestBase): self.update_res = tcm.Testcase self.basePath = '/api/v1/projects/%s/cases' fake_pymongo.projects.insert(self.project_e.format()) - print self.req_d.format() self.results_d = rm.ResultCreateRequest.from_dict( self.load_json('test_result')) 
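Review bot: `self.delete(*request)` in `executor.delete` changes what a tuple returned by a decorated test means: it used to be `(first, iterable_of_rest)` and is now a flat argument list, and nothing in `wrap` documents or checks that. Test classes outside this patch that still return the old shape would pass a list as the second positional argument without any error at the call site; they are not visible here, so the other users of `@executor.delete` should be checked before merge. A one-line comment above the call, such as `# request is a flat tuple of positional args for self.delete`, would make the new contract explicit. The body of `wrap` continues outside the hunk.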
@@ -72,8 +71,8 @@ class TestCaseBase(base.TestBase): return super(TestCaseBase, self).update(new, self.project, case) @executor.mock_valid_lfid() - def delete(self, case): - return super(TestCaseBase, self).delete(self.project, case) + def delete(self, case=None, project=None): + return super(TestCaseBase, self).delete(project, case) class TestCaseCreate(TestCaseBase): @@ -81,6 +80,11 @@ class TestCaseCreate(TestCaseBase): def test_noBody(self): return None + @executor.create(httplib.FORBIDDEN, message.no_permission()) + def test_unauthorized(self): + self.project = 'newProject' + return self.req_d + @executor.create(httplib.FORBIDDEN, message.not_found_base) def test_noProject(self): self.project = 'noProject' @@ -154,6 +158,12 @@ class TestCaseUpdate(TestCaseBase): self.create_e() return self.update_req, self.req_d.name + @executor.update(httplib.FORBIDDEN, message.no_permission()) + def test_unauthorized(self): + update_req_e = tcm.TestcaseUpdateRequest(project_name="newProject", + **self.req_e.format()) + return update_req_e, self.req_d.name + @executor.update(httplib.FORBIDDEN, message.no_update()) def test_noUpdate(self): update = tcm.TestcaseUpdateRequest(project_name=self.project, 
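Review bot: `test_unauthorized` in `TestCaseUpdate` only exercises a denial driven by the request body (`project_name="newProject"`), while the URL still points at `self.project`. There is no case where the URL targets a project the mocked user does not submit to and the body names one they do, or omits `project_name`; that is the case which shows whether the permission check is bound to the stored record. I would add a sibling test that sets `self.project = 'newProject'`, sends an allowed `project_name` in the body, and expects `httplib.FORBIDDEN` with `message.no_permission()`. It needs a testcase fixture under `newProject`, which this patch inserts only in the `TestCaseDelete` setup.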
@@ -184,19 +194,26 @@ class TestCaseDelete(TestCaseBase): fake_pymongo.testcases.insert({ 'name': self.results_d.case_name, 'project_name': self.results_d.project_name}) + fake_pymongo.testcases.insert({ + 'name': 'newCase', + 'project_name': 'newProject'}) @executor.delete(httplib.NOT_FOUND, message.not_found_base) def test_notFound(self): - return 'notFound' + return 'notFound', self.project + + @executor.delete(httplib.FORBIDDEN, message.no_permission()) + def test_unauthorized(self): + return 'newCase', 'newProject' @executor.delete(httplib.UNAUTHORIZED, message.tied_with_resource()) def test_deleteNotAllowed(self): - print self.create_help('/api/v1/results', self.results_d) - return self.results_d.case_name + self.create_help('/api/v1/results', self.results_d) + return self.results_d.case_name, self.project @executor.delete(httplib.OK, '_delete_success') def test_success(self): - return self.req_d.name + return self.req_d.name, self.project def _delete_success(self, body): self.assertEqual(body, '') -- cgit 1.2.3-korg