From 48cd35e67c23f57c44f8190311bc024468407cce Mon Sep 17 00:00:00 2001
From: Christian Boettcher <c.boettcher@fz-juelich.de>
Date: Tue, 9 Nov 2021 08:59:26 +0100
Subject: [PATCH] test acess denied for users without access rights

---
 tests/apiserver_tests/test_secretswithauth.py | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)

diff --git a/tests/apiserver_tests/test_secretswithauth.py b/tests/apiserver_tests/test_secretswithauth.py
index efa4159..37fa56f 100644
--- a/tests/apiserver_tests/test_secretswithauth.py
+++ b/tests/apiserver_tests/test_secretswithauth.py
@@ -11,6 +11,9 @@ proper_uuid = "3a33262e-276e-4de8-87bc-f2d5a0195faf"
 def myfunc():
     return User(username='secret_foo', email='secret_bar', has_secrets_access=True)
 
+def non_access_user():
+    return User(username='secret_foo', email='secret_bar', has_secrets_access=False)
+
 class UserTests(TestCase):
 
     def setUp(self):
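Review bot: `non_access_user` duplicates `myfunc` line for line except for the `has_secrets_access` flag, so the two fixtures will drift apart the next time the `User` constructor changes. A single factory such as `def make_user(has_secrets_access): return User(username='secret_foo', email='secret_bar', has_secrets_access=has_secrets_access)` with `myfunc` and `non_access_user` as one-line wrappers keeps them in step, and a docstring on the new helper (`"""Authenticated user who holds no secrets access; used to test denial paths."""`) would say why it exists. The name `myfunc` for the privileged fixture is also unhelpful next to the descriptive `non_access_user`, though renaming it touches callers outside this hunk.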
@@ -98,4 +101,25 @@ class UserTests(TestCase):
             key = element['key']
             rsp = self.client.delete(f'/dataset/{self.dummy_oid}/secrets/{key}')
 
+
+
+    
+    def test_secrets_without_access(self): 
+        # override with non_access user
+        apiserver.app.dependency_overrides[apiserver.main.my_auth] = non_access_user
+        apiserver.app.dependency_overrides[apiserver.main.my_user] = non_access_user
+        # check if access for all secrets endpoints failed with 401 Auth required
+        # list secrets, add secret, get secret, delete secret
+        rsp = self.client.get(f'/dataset/{proper_uuid}/secrets')
+        self.assertEqual(403, rsp.status_code)
+        
+        rsp = self.client.get(f'/dataset/{proper_uuid}/secrets/somespecificsecret')
+        self.assertEqual(403, rsp.status_code)
+        
+        rsp = self.client.post(f'/dataset/{proper_uuid}/secrets', json={'key' : "somekey", "secret" : "somesecret"})
+        self.assertEqual(403, rsp.status_code)
+        
+        rsp = self.client.delete(f'/dataset/{proper_uuid}/secrets/somespecificsecret')
+        self.assertEqual(403, rsp.status_code)
+
     # TODO test delete object, DO secrets disappear too? (currently they don't)
\ No newline at end of file
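Review bot: The comment on the new test says the secrets endpoints should fail with `401 Auth required`, but every assertion checks 403, which is the right code here since the overridden user is authenticated but lacks rights; the comment should read `# every secrets endpoint must reject an authenticated user without secrets access with 403`. The two `dependency_overrides` assignments are never undone inside the test, so unless `setUp` (outside the hunk) reinstalls `myfunc` for both keys, every test that runs after this one in `UserTests` executes as the non-access user; registering the restore with `self.addCleanup(...)` or wrapping the body in `try/finally` makes the test self-contained regardless of ordering. The POST case asserts only the status code; following it with a read as the access-holding user and asserting that no secret named `somekey` exists would confirm the 403 is enforced before the write rather than after it. Lines 28-30, the `def` line and the blank lines between requests carry trailing whitespace that should be stripped.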
-- 
GitLab