From 7425b6502931c4d1702cc26eaff37b7b8ea820b6 Mon Sep 17 00:00:00 2001
From: Serghei Mihai
Date: Wed, 29 Jul 2015 14:53:15 +0200
Subject: [PATCH] tests: additional api access cases (#7959)

---
 tests/test_api_access.py | 83 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 83 insertions(+)

diff --git a/tests/test_api_access.py b/tests/test_api_access.py
index f845149..47c8bc8 100644
--- a/tests/test_api_access.py
+++ b/tests/test_api_access.py
@@ -49,3 +49,86 @@ def test_access_with_good_signature(setup):
 # {"err_desc": "missing \"message\" in JSON payload"}
 resp = app.post_json(url, {}, status=500)
 assert resp.json['err_desc'] == 'missing "message" in JSON payload'
+
+def test_access_http_auth(setup):
+ app, oxyd = setup
+ username = 'apiuser'
+ password = '12345'
+ api = ApiUser.objects.create(username=username,
+ fullname='Api User',
+ description='api',
+ keytype='SIGN',
+ key=password)
+ obj_type = ContentType.objects.get_for_model(OxydSMSGateway)
+
+ AccessRight.objects.create(codename='can_send_messages',
+ apiuser=api,
+ resource_type=obj_type,
+ resource_pk=oxyd.pk,
+ )
+ app.authorization = ('Basic', (username, password))
+ resp = app.post_json(reverse('oxyd-send', kwargs={'slug': oxyd.slug}), {},
+ status=500)
+ assert resp.json['err_desc'] == 'missing "message" in JSON payload'
+
+def test_access_apikey(setup):
+ app, oxyd = setup
+ password = 'apiuser_12345'
+ api = ApiUser.objects.create(username='apiuser',
+ fullname='Api User',
+ description='api',
+ keytype='API',
+ key=password)
+ obj_type = ContentType.objects.get_for_model(OxydSMSGateway)
+
+ AccessRight.objects.create(codename='can_send_messages',
+ apiuser=api,
+ resource_type=obj_type,
+ resource_pk=oxyd.pk,
+ )
+ params = {'message': 'test'}
+ url = (reverse('oxyd-send', kwargs={'slug': oxyd.slug}))
+ resp = app.post_json(url + '?apikey=' + password , params, status=500)
+ assert resp.json['err_desc'] == 'missing "from" in JSON payload'
+ resp = app.post_json(url + '?raise=1&apikey=' + password[:3] , params, status=403)
+
+def test_access_apiuser_with_no_key(setup):
+ app, oxyd = setup
+ api = ApiUser.objects.create(username='apiuser',
+ fullname='Api User',
+ description='api')
+ obj_type = ContentType.objects.get_for_model(OxydSMSGateway)
+
+ AccessRight.objects.create(codename='can_send_messages',
+ apiuser=api,
+ resource_type=obj_type,
+ resource_pk=oxyd.pk,
+ )
+ params = {'message': 'test', 'from': 'test api'}
+ resp = app.post_json(reverse('oxyd-send', kwargs={'slug': oxyd.slug}),
+ params, status=500)
+ assert resp.json['err_desc'] == 'missing "to" in JSON payload'
+
+def test_access_apiuser_with_ip_restriction(setup):
+ app, oxyd = setup
+ authorized_ip = '176.31.123.109'
+ api = ApiUser.objects.create(username='apiuser',
+ fullname='Api User',
+ description='api',
+ ipsource=authorized_ip
+ )
+ obj_type = ContentType.objects.get_for_model(OxydSMSGateway)
+
+ AccessRight.objects.create(codename='can_send_messages',
+ apiuser=api,
+ resource_type=obj_type,
+ resource_pk=oxyd.pk,
+ )
+ resp = app.post_json(reverse('oxyd-send', kwargs={'slug': oxyd.slug}) + '?raise=1',
+ {}, extra_environ=[('REMOTE_ADDR', '127.0.0.1')],
+ status=403)
+
+ resp = app.post_json(reverse('oxyd-send', kwargs={'slug': oxyd.slug}),
+ {}, extra_environ=[('REMOTE_ADDR', authorized_ip)],
+ status=500)
+ assert resp.json['err_desc'] == 'missing "message" in JSON payload'
--
2.5.0
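Review bot: `test_access_http_auth` only exercises the accepting path, so a regression that let any Basic password through for `apiuser` would still pass. The apikey test already has a rejecting case (`password[:3]` expecting 403), and this test should mirror it with `app.authorization = ('Basic', (username, 'wrong'))` followed by `app.post_json(reverse('oxyd-send', kwargs={'slug': oxyd.slug}) + '?raise=1', {}, status=403)`; the 403 is assumed from the apikey case. `test_access_apiuser_with_no_key` sends no credentials at all and still expects the request to reach payload validation, which pins down that an `ApiUser` with neither a key nor `ipsource` admits anonymous callers. If that is intended, state it in the test with a comment such as `# an ApiUser without key or ipsource matches any caller; open access is deliberate`, because the test name alone does not convey it. The rejecting requests carry `?raise=1` while the accepting ones do not, so a one-line comment on what `raise=1` changes would help readers judge the 403 assertions.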