0001-api-add-basic-auth-support-to-formdefs-56690.patch

Lauréline Guérin, 13 septembre 2021 16:27


Subject: [PATCH] api: add basic auth support to formdefs (#56690)

 tests/api/test_formdef.py | 70 ++++++++++++++++++++++++++++++++++-----
 wcs/api.py                |  7 ++--
 2 files changed, 67 insertions(+), 10 deletions(-)
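--- a/tests/api/test_formdef.py
+++ b/tests/api/test_formdef.py
@@ -12,6 +12,7 @@
 from quixote import get_publisher
 
 from wcs import fields, qommon
+from wcs.api_access import ApiAccess
 from wcs.api_utils import sign_url
 from wcs.categories import Category
 from wcs.data_sources import NamedDataSource
@@ -187,7 +188,8 @@
     assert len(resp.json['data']) == 2
 
 
-def test_limited_formdef_list(pub, local_user):
+@pytest.mark.parametrize('auth', ['signature', 'http-basic'])
+def test_limited_formdef_list(pub, local_user, auth):
     pub.role_class.wipe()
     role = pub.role_class(name='Foo bar')
     role.id = '14'
@@ -201,6 +203,28 @@
     formdef.fields = []
     formdef.store()
 
+    ApiAccess.wipe()
+    access = ApiAccess()
+    access.name = 'test'
+    access.access_identifier = 'test'
+    access.access_key = '12345'
+    access.store()
+
+    app = get_app(pub)
+
+    if auth == 'http-basic':
+
+        def get_url(url, **kwargs):
+            app.set_authorization(('Basic', ('test', '12345')))
+            return app.get(url, **kwargs)
+
+    else:
+
+        def get_url(url, **kwargs):
+            return app.get(
+                sign_uri(url, user=local_user, orig=access.access_identifier, key=access.access_key), **kwargs
+            )
+
     resp = get_app(pub).get(sign_uri('/api/formdefs/'))
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 1
@@ -216,7 +240,7 @@
     resp = get_app(pub).get(sign_uri('/api/formdefs/'))
     resp2 = get_app(pub).get(sign_uri('/api/formdefs/?NameID='))
     resp3 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=XXX'))
-    resp4 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]))
+    resp4 = get_url('/api/formdefs/')
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 1  # advertised in naked calls (as done from combo)
     assert len(resp2.json['data']) == 0  # not advertised otherwise
@@ -229,12 +253,18 @@
     # unless user has correct roles
     local_user.roles = [role.id]
     local_user.store()
-    resp = get_app(pub).get(sign_uri('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]))
+    if auth == 'http-basic':
+        access.roles = [role]
+        access.store()
+    resp = get_url('/api/formdefs/')
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 1
 
     local_user.roles = []
     local_user.store()
+    if auth == 'http-basic':
+        access.roles = []
+        access.store()
 
     # check it's also included in anonymous/signed calls, but marked for
     # authentication
@@ -248,7 +278,7 @@
     resp = get_app(pub).get(sign_uri('/api/formdefs/'))
     resp2 = get_app(pub).get(sign_uri('/api/formdefs/?NameID='))
     resp3 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=XXX'))
-    resp4 = get_app(pub).get(sign_uri('/api/formdefs/?NameID=%s' % local_user.name_identifiers[0]))
+    resp4 = get_url('/api/formdefs/')
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 1
     assert resp.json['data'][0]['authentication_required']
@@ -277,7 +307,8 @@
     assert 'count' not in resp1.json['data'][0]
 
 
-def test_backoffice_submission_formdef_list(pub, local_user):
+@pytest.mark.parametrize('auth', ['signature', 'http-basic'])
+def test_backoffice_submission_formdef_list(pub, local_user, auth):
     pub.role_class.wipe()
     role = pub.role_class(name='Foo bar')
     role.id = '14'
@@ -296,6 +327,28 @@
     formdef2.fields = []
     formdef2.store()
 
+    ApiAccess.wipe()
+    access = ApiAccess()
+    access.name = 'test'
+    access.access_identifier = 'test'
+    access.access_key = '12345'
+    access.store()
+
+    app = get_app(pub)
+
+    if auth == 'http-basic':
+
+        def get_url(url, **kwargs):
+            app.set_authorization(('Basic', ('test', '12345')))
+            return app.get(url, **kwargs)
+
+    else:
+
+        def get_url(url, **kwargs):
+            return app.get(
+                sign_uri(url, user=local_user, orig=access.access_identifier, key=access.access_key), **kwargs
+            )
+
     resp = get_app(pub).get(sign_uri('/api/formdefs/?backoffice-submission=on'))
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 0
@@ -328,9 +381,10 @@
     # ... unless user has correct roles
     local_user.roles = [role.id]
     local_user.store()
-    resp = get_app(pub).get(
-        sign_uri('/api/formdefs/?backoffice-submission=on&NameID=%s' % local_user.name_identifiers[0])
-    )
+    if auth == 'http-basic':
+        access.roles = [role]
+        access.store()
+    resp = get_url('/api/formdefs/?backoffice-submission=on')
     assert resp.json['err'] == 0
     assert len(resp.json['data']) == 1
     assert 'backoffice_submission_url' in resp.json['data'][0]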
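Review bot: The http-basic branch of `get_url` (hunk at old line 201, repeated at old line 296) only ever sends the valid pair `('test', '12345')`, so neither parametrized test shows that a wrong key or an unknown identifier is refused rather than quietly handled as an anonymous call, which is the property that distinguishes a credential check from a no-op. One negative request per test would pin that down, e.g. `app.set_authorization(('Basic', ('test', 'wrong')))` followed by `app.get('/api/formdefs/', status=403)` (substituting whatever status the application returns for rejected credentials). As a minor point of style, `set_authorization` is re-applied on every `get_url` call although a single call right after `app = get_app(pub)` would do. Both test bodies continue past the end of their hunks.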
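--- a/wcs/api.py
+++ b/wcs/api.py
@@ -758,12 +758,15 @@
             # signed URL with a None user is considered like an appropriate
             # webservice call.
             user = False
-        if not is_url_signed():
+        url_signed = is_url_signed()
+        if user and user.is_api_user:
+            pass  # API users are ok
+        elif not url_signed:
             if not (get_request().user and get_request().user.is_admin):
                 raise AccessForbiddenError('user not authenticated')
             user = get_request().user
 
-        list_all_forms = (user and user.is_admin) or (is_url_signed() and user is None)
+        list_all_forms = (user and user.is_admin) or (url_signed and user is None)
         backoffice_submission = get_request().form.get('backoffice-submission') == 'on'
 
         list_forms = self.get_list_forms(user, list_all_forms, backoffice_submission=backoffice_submission)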
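Review bot: The new `if user and user.is_api_user: pass` branch waives the signed-URL requirement for any request whose `user` carries `is_api_user`, and the one-word comment does not record why that is acceptable or what still bounds such a caller; a later reader has to rediscover that the HTTP basic credentials were presumably already verified wherever `user` is assigned (above the hunk) and that `get_list_forms` still filters by the access's roles, as the accompanying tests rely on. Suggest replacing the comment with `# API user authenticated via HTTP basic auth: credentials were already checked, and get_list_forms() still restricts the listing to the access's roles`. Note that `user` may be `False` at this point (line 760), so the `user and ...` guard is what keeps this branch from evaluating `False.is_api_user`; worth a word in the same comment. The enclosing method begins before the hunk.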
770
-