diff --git a/server/advisories/tests/test_advisory_comment.py b/server/advisories/tests/test_advisory_comment.py index 35d2e049..333ac2a7 100644 --- a/server/advisories/tests/test_advisory_comment.py +++ b/server/advisories/tests/test_advisory_comment.py @@ -1,4 +1,5 @@ from rest_framework.test import APITestCase + from advisories.models import AdvisoryComment from pecoret.core.test import PeCoReTTestCaseMixin @@ -10,17 +11,10 @@ def setUp(self): self.url = self.get_url( "advisories:comment-list", advisory=self.advisory1.pk ) - - def test_allowed(self): - users = [self.advisory_manager1, self.pentester1, self.vendor1] - for user in users: - self.client.force_login(user) - self.basic_status_code_check( - self.url, self.client.post, 201, data=self.data - ) - - def test_forbidden(self): - users = [ + self.allowed_users = [ + self.advisory_manager1, self.pentester1, self.vendor1 + ] + self.forbidden_users = [ self.pentester2, self.management1, self.management2, @@ -29,12 +23,31 @@ def test_forbidden(self): self.read_only1, self.user1, ] - for user in users: + + def test_allowed(self): + for user in self.allowed_users: + self.client.force_login(user) + self.basic_status_code_check( + self.url, self.client.post, 201, data=self.data + ) + + def test_forbidden(self): + + for user in self.forbidden_users: self.client.force_login(user) self.basic_status_code_check( self.url, self.client.post, 403, data=self.data ) + def test_api_token_allowed(self): + for user in self.allowed_users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.post, + 403, 201, 403, data=self.data) + + def test_api_token_forbidden(self): + for user in self.forbidden_users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.post, 403, 403, 403) + class AdvisoryCommentUpdateView(APITestCase, PeCoReTTestCaseMixin): def setUp(self): 
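Review bot: `test_api_token_forbidden` in the last hunk drops the `data=self.data` that every other POST check in this file passes, so the write-token case for a forbidden user is sent with an empty body; DRF evaluates permissions before the serializer runs, so the 403 still holds, but the call should mirror the allowed test: `self.api_token_check(user, 'scope_advisories', self.url, self.client.post, 403, 403, 403, data=self.data)`. The new `forbidden_users` list also omits `customer1`/`customer2`, which the comment update test in this same commit includes; adding them keeps the negative coverage of the two views aligned.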
@@ -42,12 +55,26 @@ def setUp(self): self.comment1 = self.create_instance( AdvisoryComment, advisory=self.advisory1, user=self.pentester1 ) + self.comment2 = self.create_instance( + AdvisoryComment, advisory=self.advisory2, user=self.pentester2 + ) self.url = self.get_url( "advisories:comment-detail", advisory=self.advisory1.pk, pk=self.comment1.pk, ) + self.url2 = self.get_url( + 'advisories:comment-detail', advisory=self.advisory2.pk, pk=self.comment1.pk + ) self.data = {"comment": "new123"} + self.forbidden_users = [ + self.pentester2, + self.vendor2, + self.management1, + self.management2, + self.user1, + self.read_only1, self.customer2, self.customer1, self.read_only_vendor + ] def test_allowed(self): self.client.force_login(self.pentester1) @@ -57,16 +84,7 @@ def test_allowed(self): self.assertEqual(response.json()["comment"], self.data["comment"]) def test_forbidden(self): - users = [ - self.pentester2, - self.vendor2, - self.management1, - self.management2, - self.user1, - self.read_only1, - self.read_only_vendor - ] - for user in users: + for user in self.forbidden_users: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.patch, 403) 
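Review bot: `self.comment2` is created in setUp but nothing in the visible hunks references it, while `self.url2` deliberately pairs `advisory2` with `comment1.pk`, which is the cross-parent case worth testing. If comment2 is unused elsewhere it should be dropped; otherwise it is the natural positive control for that check: `self.client.force_login(self.pentester2)` followed by a 200 on `self.get_url('advisories:comment-detail', advisory=self.advisory2.pk, pk=self.comment2.pk)` shows the 404 on url2 comes from queryset scoping and not from pentester2 lacking write access to advisory2 altogether (pentester2 is presumably a member of advisory2, per the draft tests elsewhere in this commit).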
@@ -76,51 +94,25 @@ def test_not_found(self): self.client.force_login(user) self.basic_status_code_check(self.url, self.client.patch, 404) + def test_api_token_allowed(self): + self.api_token_check(self.pentester1, 'scope_advisories', self.url, self.client.patch, 403, 200, 403, + data=self.data) -class APITokenReadTestCase(APITestCase, PeCoReTTestCaseMixin): - def setUp(self) -> None: - self.init_mixin() - self.token1, self.key1 = self.create_api_token(self.pentester1, scope_advisories=self.api_access_choices.READ, - date_expire=None) - self.token2, self.key2 = self.create_api_token(self.pentester1, - scope_advisories=self.api_access_choices.NO_ACCESS, - date_expire=None) - self.token3, self.key3 = self.create_api_token(self.pentester2, - scope_advisories=self.api_access_choices.READ, - date_expire=None) - self.comment1 = self.create_instance( - AdvisoryComment, advisory=self.advisory1, user=self.pentester1 - ) - self.url = self.get_url( - "advisories:comment-detail", - advisory=self.advisory1.pk, - pk=self.comment1.pk, - ) - - def test_valid(self): - self.set_token_header(self.key1) - self.basic_status_code_check(self.url, self.client.get, 200) - - def test_invalid(self): - self.set_token_header(self.key2) - self.basic_status_code_check(self.url, self.client.get, 403) + def test_api_token_forbidden(self): + for user in self.forbidden_users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.patch, 403, 403, 403, data=self.data) + # test IDOR + self.api_token_check(self.pentester2, 'scope_advisories', self.url2, self.client.patch, 403, 404, 403, + data=self.data) - def test_forbidden(self): - self.set_token_header(self.key3) - self.basic_status_code_check(self.url, self.client.get, 403) + def test_api_token_not_found(self): + for user in [self.advisory_manager1, self.vendor1]: + self.api_token_check(user, 'scope_advisories', self.url, self.client.patch, 403, 404, 403, data=self.data) -class APITokenWriteTestCase(APITestCase, 
PeCoReTTestCaseMixin): - def setUp(self) -> None: +class AdvisoryCommentRetrieveView(APITestCase, PeCoReTTestCaseMixin): + def setUp(self): self.init_mixin() - self.token1, self.key1 = self.create_api_token(self.pentester1, scope_advisories=self.api_access_choices.READ, - date_expire=None) - self.token2, self.key2 = self.create_api_token(self.pentester1, - scope_advisories=self.api_access_choices.NO_ACCESS, - date_expire=None) - self.token3, self.key3 = self.create_api_token(self.pentester2, - scope_advisories=self.api_access_choices.READ, - date_expire=None) self.comment1 = self.create_instance( AdvisoryComment, advisory=self.advisory1, user=self.pentester1 ) 
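Review bot: The `# test IDOR` case in `test_api_token_forbidden` is driven only through API tokens; the same mismatched URL is never requested with a session login, so a regression in the session permission path for cross-advisory comment access would not be caught. A two-line companion in `test_forbidden` covers it: `self.client.force_login(self.pentester2)` then `self.basic_status_code_check(self.url2, self.client.patch, 404, data=self.data)`. `test_api_token_not_found` expects a write-token 404 for `advisory_manager1` and `vendor1` although the retrieve tests treat both as readers of the same comment; if that asymmetry is intended (update presumably restricted to the comment author), a one-line comment such as `# non-authors can read comment1 but the update queryset hides it` would spare the next reader the guess. The replacement class `AdvisoryCommentRetrieveView` begins at the end of this hunk and its setUp continues past it.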
@@ -129,22 +121,18 @@ def setUp(self) -> None: advisory=self.advisory1.pk, pk=self.comment1.pk, ) - self.data = {"comment": "test123"} - - def test_valid(self): - self.set_token_header(self.key1) - self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data) - - def test_read_write(self): - self.token1.scope_advisories = self.api_access_choices.READ_WRITE - self.token1.save() - self.set_token_header(self.key1) - self.basic_status_code_check(self.url, self.client.patch, 200, data=self.data) + self.allowed_users = [ + self.vendor1, self.advisory_manager1, self.pentester1, self.read_only_vendor + ] + self.forbidden_users = [ + self.customer2, self.customer1, self.management2, self.management1, + self.read_only1, self.pentester2, self.vendor2, self.user1 + ] - def test_invalid(self): - self.set_token_header(self.key2) - self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data) + def test_api_token_allowed(self): + for user in self.allowed_users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 200, 200, 403) - def test_forbidden(self): - self.set_token_header(self.key3) - self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data) + def test_api_token_forbidden(self): + for user in self.forbidden_users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 403, 403, 403) diff --git a/server/advisories/tests/test_advisory_export.py b/server/advisories/tests/test_advisory_export.py index 4a26dc09..f7eb9ff1 100644 --- a/server/advisories/tests/test_advisory_export.py +++ b/server/advisories/tests/test_advisory_export.py 
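Review bot: `AdvisoryCommentRetrieveView` carries only token-based checks; the removed `APITokenReadTestCase` was token-only too, but now that the class defines `allowed_users`/`forbidden_users` the session-login GET is the obvious missing half, unless `api_token_check` also performs a force_login pass (its implementation is not visible here). Adding `test_allowed`/`test_forbidden` in the same shape as the other classes in this file, looping `self.client.force_login(user)` and `self.basic_status_code_check(self.url, self.client.get, 200)` (403 for the forbidden list), would cover the retrieve permission on both auth paths.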
@@ -1,7 +1,8 @@ from rest_framework.test import APITestCase -from pecoret.core.test import PeCoReTTestCaseMixin -from backend.models.report_templates import ReportTemplate + from advisories.models.advisory import VisibilityChoices +from backend.models.report_templates import ReportTemplate +from pecoret.core.test import PeCoReTTestCaseMixin class AdvisoryExportViewTestCase(APITestCase, PeCoReTTestCaseMixin): 
@@ -9,33 +10,42 @@ def setUp(self) -> None: self.init_mixin() self.report_template = ReportTemplate.objects.get(name="default_template") self.url = self.get_url("advisories:advisory-export-pdf", pk=self.advisory1.pk) - - def test_allowed(self): - users = [ + self.users_allowed = [ self.pentester1, self.vendor1, self.advisory_manager1, self.read_only_vendor, ] - for user in users: + self.users_forbidden = [self.management1, + self.management2, + self.user1, + self.customer1, self.customer2, + self.management1, self.management2, + self.vendor2, + self.read_only1, + self.pentester2, ] + + def test_allowed(self): + for user in self.users_allowed: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 200) def test_forbidden(self): - users = [ - self.management1, - self.management2, - self.user1, - self.vendor2, - self.read_only1, - self.pentester2, - ] - for user in users: + for user in self.users_forbidden: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 403) + def test_api_token_allowed(self): + for user in self.users_allowed: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 200, 200, 403) + + def test_api_token_forbidden(self): + for user in self.users_forbidden: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 403, 403, 403) + def test_management_draft(self): self.advisory1.visibility = VisibilityChoices.MEMBERS self.advisory1.save() self.client.force_login(self.advisory_manager1) self.basic_status_code_check(self.url, self.client.get, 403) + self.api_token_check(self.advisory_manager1, 'scope_advisories', self.url, self.client.get, 403, 403, 403) diff --git a/server/advisories/tests/test_advisory_membership_viewset.py b/server/advisories/tests/test_advisory_membership_viewset.py index ca3197f7..a32ab40c 100644 --- a/server/advisories/tests/test_advisory_membership_viewset.py +++ b/server/advisories/tests/test_advisory_membership_viewset.py 
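Review bot: `users_forbidden` lists `self.management1` and `self.management2` twice, so those two accounts are exercised twice per test for no gain; drop the second `self.management1, self.management2,` entry. The token check added to `test_management_draft` is the right shape, asserting 403 for all three token scopes once visibility is `MEMBERS`, and it is the one draft-visibility token case in this file.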
@@ -1,7 +1,8 @@ from django.core import mail from rest_framework.test import APITestCase -from pecoret.core.test import PeCoReTTestCaseMixin + from advisories.models.advisory_membership import Roles +from pecoret.core.test import PeCoReTTestCaseMixin class AdvisoryMembershipCreateView(APITestCase, PeCoReTTestCaseMixin): @@ -15,12 +16,27 @@ def setUp(self) -> None: "role": Roles.READ_ONLY.label, "active_until": "2099-10-10", } + self.forbidden_users = [ + self.pentester2, + self.pentester1, + self.read_only1, + self.management1, + self.management2, + self.user1, + self.vendor1, + self.vendor2, + self.read_only_vendor, + ] def test_allowed(self): self.client.force_login(self.advisory_manager1) self.basic_status_code_check(self.url, self.client.post, 201, data=self.data) self.assertEqual(len(mail.outbox), 1) + def test_api_token_allowed(self): + self.api_token_check(self.advisory_manager1, 'scope_advisories', self.url, self.client.post, 403, 201, 403, + data=self.data) + def test_allowed_new_user(self): self.client.force_login(self.advisory_manager1) self.data["email"] = "mynewrandommail@local.host" @@ -28,23 +44,16 @@ def test_allowed_new_user(self): self.assertEqual(len(mail.outbox), 2) def test_forbidden(self): - users = [ - self.pentester2, - self.pentester1, - self.read_only1, - self.management1, - self.management2, - self.user1, - self.vendor1, - self.vendor2, - self.read_only_vendor, - ] - for user in users: + for user in self.forbidden_users: self.client.force_login(user) self.basic_status_code_check( self.url, self.client.post, 403, data=self.data ) + def test_api_token_forbidden(self): + for user in self.forbidden_users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.post, 403, 403, 403, data=self.data) + def test_draft_forbidden(self): self.url = self.get_url( "advisories:membership-list", advisory=self.advisory2.pk 
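Review bot: `forbidden_users` for membership creation omits `customer1`/`customer2`, while the advisory export and comment update tests in this commit include the customer accounts in their forbidden lists. Membership creation is the most sensitive endpoint touched here (it grants advisory access and sends mail), so adding `self.customer1, self.customer2,` to the list keeps the negative coverage at least as broad as the read-only endpoints'. The `test_draft_forbidden` method that starts at the end of the hunk is cut off.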
@@ -77,6 +86,17 @@ def setUp(self) -> None: self.url = self.get_url( "advisories:membership-list", advisory=self.advisory1.pk ) + self.users_allowed = [ + self.pentester1, self.vendor1, self.read_only_vendor + ] + self.forbidden_users = [ + self.vendor2, + self.management1, + self.management2, + self.pentester2, + self.user1, + self.read_only1, + ] def test_advisory_management(self): self.client.force_login(self.advisory_manager1) @@ -84,24 +104,23 @@ def test_advisory_management(self): self.assertEqual(response.json()["count"], 3) def test_allowed(self): - users = [self.pentester1, self.vendor1, self.read_only_vendor] - for user in users: + for user in self.users_allowed: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 200) + def test_api_allowed(self): + for user in self.users_allowed: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 200, 200, 403) + def test_forbidden(self): - users = [ - self.vendor2, - self.management1, - self.management2, - self.pentester2, - self.user1, - self.read_only1, - ] - for user in users: + for user in self.forbidden_users: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 403) + def test_api_forbidden(self): + for user in self.forbidden_users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 403, 403, 403) + def test_draft_allowed(self): self.url = self.get_url( "advisories:membership-list", advisory=self.advisory2.pk 
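Review bot: The new methods are named `test_api_allowed`/`test_api_forbidden`, whereas every other test class in this commit uses `test_api_token_allowed`/`test_api_token_forbidden`; renaming them keeps `-k api_token` selections and grep results consistent. `forbidden_users` here also leaves out `customer1`/`customer2`, which the other advisory tests include.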
@@ -111,6 +130,12 @@ def test_draft_allowed(self): self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 200) + def test_api_draft_allowed(self): + self.url = self.get_url("advisories:membership-list", advisory=self.advisory2.pk) + users = [self.pentester2, self.vendor2] + for user in users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 200, 200, 403) + def test_draft_forbidden(self): self.url = self.get_url( "advisories:membership-list", advisory=self.advisory2.pk @@ -129,6 +154,23 @@ def test_draft_forbidden(self): self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 403) + def test_api_token_draft_forbidden(self): + self.url = self.get_url( + "advisories:membership-list", advisory=self.advisory2.pk + ) + users = [ + self.vendor1, + self.management2, + self.management1, + self.pentester1, + self.user1, + self.read_only1, + self.advisory_manager1, + self.read_only_vendor, + ] + for user in users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 403, 403, 403) + class AdvisoryMembershipUpdateView(APITestCase, PeCoReTTestCaseMixin): def setUp(self) -> None: diff --git a/server/advisories/tests/test_advisory_timeline.py b/server/advisories/tests/test_advisory_timeline.py index 2065dbbc..8b64c9d3 100644 --- a/server/advisories/tests/test_advisory_timeline.py +++ b/server/advisories/tests/test_advisory_timeline.py 
@@ -10,32 +10,39 @@ def setUp(self) -> None: "advisories:timeline-list", advisory=self.advisory1.pk ) self.data = {"text": "test", "date": "2022-01-01"} + self.users_allowed = [self.advisory_manager1, self.pentester1] + self.users_forbidden = [ + self.pentester2, + self.management2, + self.management1, + self.read_only1, + self.user1, + self.vendor1, + self.vendor2, self.read_only_vendor, + ] def test_allowed(self): - users = [self.advisory_manager1, self.pentester1] - for user in users: + for user in self.users_allowed: self.client.force_login(user) self.basic_status_code_check( self.url, self.client.post, 201, data=self.data ) + def test_api_token_allowed(self): + for user in self.users_allowed: + self.api_token_check(user, 'scope_advisories', self.url, self.client.post, 403, 201, 403, data=self.data) + def test_forbidden(self): - users = [ - self.pentester2, - self.management2, - self.management1, - self.read_only1, - self.user1, - self.vendor1, - self.vendor2, - self.read_only_vendor, - ] - for user in users: + for user in self.users_forbidden: self.client.force_login(user) self.basic_status_code_check( self.url, self.client.post, 403, data=self.data ) + def test_api_token_forbidden(self): + for user in self.users_forbidden: + self.api_token_check(user, 'scope_advisories', self.url, self.client.post, 403, 403, 403, data=self.data) + def test_draft_forbidden(self): users = [ self.management1, 
@@ -232,15 +239,23 @@ def setUp(self) -> None: self.url = self.get_url( "advisories:timeline-list", advisory=self.advisory1.pk ) - - def test_allowed(self): - users = [ + self.allowed_users = [ self.pentester1, self.vendor1, self.advisory_manager1, self.read_only_vendor, ] - for user in users: + self.forbidden_users = [ + self.pentester2, + self.management2, + self.management1, + self.read_only1, + self.user1, + self.vendor2, + ] + + def test_allowed(self): + for user in self.allowed_users: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 200) @@ -254,18 +269,14 @@ def test_draft_allowed(self): self.basic_status_code_check(self.url, self.client.get, 200) def test_forbidden(self): - users = [ - self.pentester2, - self.management2, - self.management1, - self.read_only1, - self.user1, - self.vendor2, - ] - for user in users: + for user in self.forbidden_users: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 403) + def test_api_token_forbidden(self): + for user in self.forbidden_users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 403, 403, 403) + def test_draft_forbidden(self): self.url = self.get_url( "advisories:timeline-list", advisory=self.advisory2.pk diff --git a/server/advisories/tests/test_advisory_viewset.py b/server/advisories/tests/test_advisory_viewset.py index 2bbd3e48..81d15bbb 100644 --- a/server/advisories/tests/test_advisory_viewset.py +++ b/server/advisories/tests/test_advisory_viewset.py 
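Review bot: The timeline list class gains `test_api_token_forbidden` but no `test_api_token_allowed`, so a viewset that rejects every token (for example one missing the `api_scope` attribute this commit has to add to `LabelViewSet`) would pass these tests unnoticed. Add the positive counterpart over the existing `allowed_users` list: `def test_api_token_allowed(self):` / `for user in self.allowed_users:` / `self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 200, 200, 403)`.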
@@ -9,29 +9,34 @@ class AdvisoryListViewTestCase(APITestCase, PeCoReTTestCaseMixin): def setUp(self) -> None: self.init_mixin() self.url = self.get_url("advisories:advisory-list") - - def test_status_allowed(self): - users = [ - self.pentester1, - self.pentester2, - self.advisory_manager1, - self.read_only1, - self.vendor1, - self.vendor2, + self.allowed_users = [ + self.pentester1, self.pentester2, + self.advisory_manager1, self.read_only1, + self.vendor1, self.vendor2, self.read_only_vendor, - self.management1, - self.management2, + self.management1, self.management2, ] - for user in users: + + def test_status_allowed(self): + for user in self.allowed_users: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 200) + def test_api_token_allowed(self): + for user in self.allowed_users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 200, 200, 403) + def test_forbidden(self): users = [self.user1] for user in users: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 403) + def test_api_token_forbidden(self): + users = [self.user1] + for user in users: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 403, 403, 403) + def test_response_length(self): self.client.force_login(self.pentester1) response = self.basic_status_code_check(self.url, self.client.get, 200) @@ -68,22 +73,13 @@ def setUp(self) -> None: "internal_name": "test", "labels": [] } - - def test_forbidden(self): - users = [ + self.users_forbidden = [ self.user1, self.vendor1, self.vendor2, self.read_only_vendor, ] - for user in users: - self.client.force_login(user) - self.basic_status_code_check( - self.url, self.client.post, 403, data=self.data - ) - - def test_allowed(self): - users = [ + self.users_allowed = [ self.pentester1, self.read_only1, self.pentester2, 
@@ -91,12 +87,29 @@ def test_allowed(self): self.management1, self.management2, ] - for user in users: + + def test_forbidden(self): + for user in self.users_forbidden: + self.client.force_login(user) + self.basic_status_code_check( + self.url, self.client.post, 403, data=self.data + ) + + def test_api_token_forbidden(self): + for user in self.users_forbidden: + self.api_token_check(user, 'scope_advisories', self.url, self.client.post, 403, 403, 403, data=self.data) + + def test_allowed(self): + for user in self.users_allowed: self.client.force_login(user) self.basic_status_code_check( self.url, self.client.post, 201, data=self.data ) + def test_api_token_allowed(self): + for user in self.users_allowed: + self.api_token_check(user, 'scope_advisories', self.url, self.client.post, 403, 201, 403, data=self.data) + class AdvisoryUpdateViewTestCase(APITestCase, PeCoReTTestCaseMixin): def setUp(self) -> None: diff --git a/server/advisories/tests/test_label_viewset.py b/server/advisories/tests/test_label_viewset.py index d3856d55..78cce2a3 100644 --- a/server/advisories/tests/test_label_viewset.py +++ b/server/advisories/tests/test_label_viewset.py 
@@ -6,27 +6,31 @@ class LabelListView(APITestCase, PeCoReTTestCaseMixin): def setUp(self) -> None: self.init_mixin() self.url = self.get_url("advisories:label-list") + self.users_allowed = [ + self.advisory_manager1, self.pentester1, self.pentester2, self.read_only1 + ] + self.users_forbidden = [ + self.management1, self.management2, self.vendor1, self.vendor2, self.user1, self.read_only_vendor + ] def test_allowed(self): - users = [ - self.advisory_manager1, - self.pentester1, self.pentester2, - self.read_only1 - ] - for user in users: + for user in self.users_allowed: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 200) def test_forbidden(self): - users = [ - self.management1, self.management2, - self.vendor1, self.vendor2, - self.read_only_vendor, self.user1 - ] - for user in users: + for user in self.users_forbidden: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 403) + def test_api_token_allowed(self): + for user in self.users_allowed: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 200, 200, 403) + + def test_api_token_forbidden(self): + for user in self.users_forbidden: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 403, 403, 403) + class LabelCreateView(APITestCase, PeCoReTTestCaseMixin): def setUp(self) -> None: diff --git a/server/advisories/tests/test_management_inbox_viewset.py b/server/advisories/tests/test_management_inbox_viewset.py index d1088dbb..d20f49ec 100644 --- a/server/advisories/tests/test_management_inbox_viewset.py +++ b/server/advisories/tests/test_management_inbox_viewset.py 
@@ -6,15 +6,7 @@ class AdvisoryInboxListViewTestCase(APITestCase, PeCoReTTestCaseMixin): def setUp(self) -> None: self.init_mixin() self.url = self.get_url("advisories:inbox-list") - - def test_allowed(self): - self.client.force_login(self.advisory_manager1) - response = self.basic_status_code_check(self.url, self.client.get, 200) - self.assertEqual(response.json()["count"], 1) - self.assertEqual(response.json()["results"][0]["pk"], self.advisory1.pk) - - def test_forbidden(self): - users = [ + self.users_forbidden = [ self.pentester1, self.pentester2, self.user1, @@ -23,8 +15,20 @@ def test_forbidden(self): self.management2, self.vendor1, self.vendor2, - self.read_only_vendor, + self.read_only_vendor ] - for user in users: + + def test_allowed(self): + self.client.force_login(self.advisory_manager1) + response = self.basic_status_code_check(self.url, self.client.get, 200) + self.assertEqual(response.json()["count"], 1) + self.assertEqual(response.json()["results"][0]["pk"], self.advisory1.pk) + + def test_forbidden(self): + for user in self.users_forbidden: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 403) + + def test_api_token_forbidden(self): + for user in self.users_forbidden: + self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 403, 403, 403) diff --git a/server/advisories/viewsets/label.py b/server/advisories/viewsets/label.py index dbd60d2f..d73168f0 100644 --- a/server/advisories/viewsets/label.py +++ b/server/advisories/viewsets/label.py @@ -13,6 +13,7 @@ class LabelViewSet(ModelViewSet): search_fields = ["name", "description"] ordering_fields = [] serializer_class = LabelSerializer + api_scope = 'scope_advisories' def get_queryset(self): return Label.objects.all() diff --git a/server/asmonitor/tests/test_finding_viewset.py b/server/asmonitor/tests/test_finding_viewset.py index 182b4d98..82f8ffbe 100644 --- a/server/asmonitor/tests/test_finding_viewset.py 
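Review bot: `AdvisoryInboxListViewTestCase` only asserts that tokens are refused for `users_forbidden`; there is no token check for `advisory_manager1`, so the test cannot distinguish a correctly scoped inbox from one that denies every token. If token access is intended, add `self.api_token_check(self.advisory_manager1, 'scope_advisories', self.url, self.client.get, 200, 200, 403)` to `test_allowed`; if the inbox is deliberately session-only, a short comment on the class saying so would make the omission intentional rather than accidental.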
+++ b/server/asmonitor/tests/test_finding_viewset.py @@ -36,7 +36,7 @@ def test_api_token_allowed(self): def test_api_token_forbidden(self): for user in self.forbidden_users: - self.api_token_check(user, 'scope_asmonitor', self.url, self.client.post, 403, 403, 403) + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.get, 403, 403, 403) class FindingCreateView(APITestCase, PeCoReTTestCaseMixin): diff --git a/server/asmonitor/tests/test_program_viewset.py b/server/asmonitor/tests/test_program_viewset.py index 59921ce8..b78a86aa 100644 --- a/server/asmonitor/tests/test_program_viewset.py +++ b/server/asmonitor/tests/test_program_viewset.py @@ -30,13 +30,7 @@ def test_api_token_allowed(self): self.pentester2, self.pentester1, self.read_only1 ] for user in users: - token_w, token_r, token_n = self.create_api_tokens_scope(user, scope='scope_asmonitor') - self.set_token_header(token_r) - self.basic_status_code_check(self.url, self.client.get, 200) - self.set_token_header(token_w) - self.basic_status_code_check(self.url, self.client.get, 200) - self.set_token_header(token_n) - self.basic_status_code_check(self.url, self.client.get, 403) + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.get, 200, 200, 403) def test_api_token_forbidden(self): users = [ @@ -44,13 +38,7 @@ def test_api_token_forbidden(self): self.vendor1, self.vendor2, self.customer1, self.customer2, self.user1 ] for user in users: - token_w, token_r, token_n = self.create_api_tokens_scope(user, scope='scope_asmonitor') - self.set_token_header(token_n) - self.basic_status_code_check(self.url, self.client.get, 403) - self.set_token_header(token_r) - self.basic_status_code_check(self.url, self.client.get, 403) - self.set_token_header(token_w) - self.basic_status_code_check(self.url, self.client.get, 403) + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.get, 403, 403, 403) class ProgramCreateView(APITestCase, PeCoReTTestCaseMixin): 
@@ -82,10 +70,8 @@ def test_forbidden(self): def test_api_token_allowed(self): for user in self.allowed_users: self.data['name'] = self.data['name'] + user.username - token_w, token_r, token_n = self.create_api_tokens_scope(user, scope='scope_asmonitor') - self.set_token_header(token_w) - self.basic_status_code_check(self.url, self.client.post, 201, data=self.data) - self.set_token_header(token_r) - self.basic_status_code_check(self.url, self.client.post, 403, data=self.data) - self.set_token_header(token_n) - self.basic_status_code_check(self.url, self.client.post, 403, data=self.data) + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.post, 403, 201, 403, data=self.data) + + def test_api_token_forbidden(self): + for user in self.forbidden_users: + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.post, 403, 403, 403, data=self.data) diff --git a/server/asmonitor/tests/test_tag_viewset.py b/server/asmonitor/tests/test_tag_viewset.py index b4cd4f67..0935f566 100644 --- a/server/asmonitor/tests/test_tag_viewset.py +++ b/server/asmonitor/tests/test_tag_viewset.py 
@@ -7,25 +7,33 @@ class TagListViewSet(APITestCase, PeCoReTTestCaseMixin): def setUp(self): self.init_mixin() self.url = self.get_url("asmonitor:tag-list") - - def test_allowed(self): - users = [ + self.users_allowed = [ self.pentester2, self.pentester1, self.read_only1 ] - for user in users: - self.client.force_login(user) - self.basic_status_code_check(self.url, self.client.get, 200) - - def test_forbidden(self): - users = [ + self.users_forbidden = [ self.vendor2, self.vendor1, self.customer1, self.customer2, self.management2, self.management1, self.advisory_manager1, self.user1 ] - for user in users: + + def test_allowed(self): + for user in self.users_allowed: + self.client.force_login(user) + self.basic_status_code_check(self.url, self.client.get, 200) + + def test_forbidden(self): + for user in self.users_forbidden: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 403) + def test_api_token_allowed(self): + for user in self.users_allowed: + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.get, 200, 200, 403) + + def test_api_token_forbidden(self): + for user in self.users_forbidden: + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.get, 403, 403, 403) + class TagCreateViewSet(APITestCase, PeCoReTTestCaseMixin): def setUp(self): 
@@ -58,21 +66,8 @@ def test_forbidden(self): def test_api_token_allowed(self): for user in self.allowed_users: self.data['name'] = self.data['name'] + user.username - token_w, token_r, token_n = self.create_api_tokens_scope(user, scope='scope_asmonitor') - self.set_token_header(token_w) - self.basic_status_code_check(self.url, self.client.post, 201, data=self.data) - self.set_token_header(token_r) - self.basic_status_code_check(self.url, self.client.post, 403, data=self.data) - self.set_token_header(token_n) - self.basic_status_code_check(self.url, self.client.post, 403, data=self.data) + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.post, 403, 201, 403, data=self.data) def test_api_token_forbidden(self): for user in self.forbidden_users: - self.client.force_login(user) - token_w, token_r, token_n = self.create_api_tokens_scope(user, scope='scope_asmonitor') - self.set_token_header(token_n) - self.basic_status_code_check(self.url, self.client.get, 403) - self.set_token_header(token_r) - self.basic_status_code_check(self.url, self.client.get, 403) - self.set_token_header(token_w) - self.basic_status_code_check(self.url, self.client.get, 403) + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.post, 403, 403, 403, data=self.data) diff --git a/server/asmonitor/tests/test_target_viewset.py b/server/asmonitor/tests/test_target_viewset.py index 19de6401..39261977 100644 --- a/server/asmonitor/tests/test_target_viewset.py +++ b/server/asmonitor/tests/test_target_viewset.py 
@@ -9,15 +9,32 @@ def setUp(self) -> None: self.init_mixin() self.target = self.create_instance(Target) self.url = self.get_url('asmonitor:programs:target-list', program=self.target.program.pk) + self.users_forbidden = [ + self.customer2, self.customer1, self.management1, self.management2, self.vendor2, self.vendor1, + self.advisory_manager1, self.user1, self.read_only_vendor + ] + self.users_allowed = [ + self.read_only1, self.pentester2, self.pentester1 + ] def test_allowed(self): - users = [ - self.pentester1, self.pentester2 - ] - for user in users: + for user in self.users_allowed: self.client.force_login(user) self.basic_status_code_check(self.url, self.client.get, 200) + def test_forbidden(self): + for user in self.users_forbidden: + self.client.force_login(user) + self.basic_status_code_check(self.url, self.client.get, 403) + + def test_api_token_allowed(self): + for user in self.users_allowed: + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.get, 200, 200, 403) + + def test_api_token_forbidden(self): + for user in self.users_forbidden: + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.get, 403, 403, 403) + class TargetCreateView(APITestCase, PeCoReTTestCaseMixin): def setUp(self) -> None: 
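Review bot: `users_allowed` now includes `read_only1`, which the previous `test_allowed` did not assert, and the target viewset's permission class is not part of this diff, so this hunk widens the expected access rather than merely refactoring. That matches the program list test in this commit, which also treats `read_only1` as a reader, but it is worth confirming against the viewset before merging; a comment such as `# read_only1 may list targets, mirroring the program list permission` would record the intent next to the list.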
@@ -50,24 +67,11 @@ def test_forbidden(self): def test_api_token_allowed(self): for user in self.allowed_users: self.data['name'] = self.data['name'] + user.username - token_w, token_r, token_n = self.create_api_tokens_scope(user, scope='scope_asmonitor') - self.set_token_header(token_w) - self.basic_status_code_check(self.url, self.client.post, 201, data=self.data) - self.set_token_header(token_r) - self.basic_status_code_check(self.url, self.client.post, 403, data=self.data) - self.set_token_header(token_n) - self.basic_status_code_check(self.url, self.client.post, 403, data=self.data) + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.post, 403, 201, 403, data=self.data) def test_api_token_forbidden(self): for user in self.forbidden_users: - self.client.force_login(user) - token_w, token_r, token_n = self.create_api_tokens_scope(user, scope='scope_asmonitor') - self.set_token_header(token_n) - self.basic_status_code_check(self.url, self.client.post, 403) - self.set_token_header(token_r) - self.basic_status_code_check(self.url, self.client.post, 403) - self.set_token_header(token_w) - self.basic_status_code_check(self.url, self.client.post, 403) + self.api_token_check(user, 'scope_asmonitor', self.url, self.client.post, 403, 403, 403, data=self.data) class GlobalTargetViewSet(APITestCase, PeCoReTTestCaseMixin): 
@@ -96,21 +100,8 @@ def test_forbidden(self):
 def test_api_token_allowed(self):
 for user in self.allowed_users:
- token_w, token_r, token_n = self.create_api_tokens_scope(user, scope='scope_asmonitor')
- self.set_token_header(token_w)
- self.basic_status_code_check(self.url, self.client.get, 200)
- self.set_token_header(token_r)
- self.basic_status_code_check(self.url, self.client.get, 200)
- self.set_token_header(token_n)
- self.basic_status_code_check(self.url, self.client.get, 403)
+ self.api_token_check(user, 'scope_asmonitor', self.url, self.client.get, 200, 200, 403)
 def test_api_token_forbidden(self):
 for user in self.forbidden_users:
- self.client.force_login(user)
- token_w, token_r, token_n = self.create_api_tokens_scope(user, scope='scope_asmonitor')
- self.set_token_header(token_n)
- self.basic_status_code_check(self.url, self.client.get, 403)
- self.set_token_header(token_r)
- self.basic_status_code_check(self.url, self.client.get, 403)
- self.set_token_header(token_w)
- self.basic_status_code_check(self.url, self.client.get, 403)
+ self.api_token_check(user, 'scope_asmonitor', self.url, self.client.get, 403, 403, 403)
diff --git a/server/backend/tests/test_account_viewset.py b/server/backend/tests/test_account_viewset.py
index bd28c3a4..5ae014a1 100644
--- a/server/backend/tests/test_account_viewset.py
+++ b/server/backend/tests/test_account_viewset.py
@@ -1,4 +1,5 @@
 from rest_framework.test import APITestCase
+
 from pecoret.core.test import PeCoReTTestCaseMixin
@@ -6,14 +7,29 @@ class AccountListViewSet(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
 self.init_mixin()
 self.url = self.get_url("backend:account-list", project=self.project1.pk)
+ self.users_allowed = [
+ self.read_only1, self.pentester1, self.management1
+ ]
+ self.users_forbidden = [
+ self.pentester2, self.management2, self.user1, self.customer1, self.customer2, self.vendor1, self.vendor2,
+ self.advisory_manager1
+ ]
 def test_allowed_status(self):
- for user in [self.read_only1, self.pentester1, self.management1]:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 200, 200, 403)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 403, 403, 403)
+
 def test_forbidden_status(self):
- for user in [self.pentester2, self.user1]:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
@@ -30,16 +46,31 @@ def setUp(self) -> None:
 "password": "",
 "description": "just a user account."
 }
+ self.users_allowed = [
+ self.pentester1, self.management1
+ ]
+ self.users_forbidden = [
+ self.read_only1, self.user1, self.pentester2, self.management2, self.customer1, self.customer2,
+ self.vendor1, self.vendor2, self.user1
+ ]
 def test_allowed_status(self):
- for user in [self.pentester1, self.management1]:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(
 self.url, self.client.post, 201, data=self.data
 )
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.post, 403, 201, 403, data=self.data)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.post, 403, 403, 403, data=self.data)
+
 def test_forbidden_status(self):
- for user in [self.read_only1, self.user1, self.pentester2]:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(
 self.url, self.client.post, 403, data=self.data
diff --git a/server/backend/tests/test_api_token_viewset.py b/server/backend/tests/test_api_token_viewset.py
index 0015cc3a..922a8162 100644
--- a/server/backend/tests/test_api_token_viewset.py
+++ b/server/backend/tests/test_api_token_viewset.py
@@ -1,6 +1,5 @@
 from rest_framework.test import APITestCase
 from pecoret.core.test import PeCoReTTestCaseMixin
-from backend.models.api_token import APIToken
 class APITokenCreateView(APITestCase, PeCoReTTestCaseMixin):
diff --git a/server/backend/tests/test_company_contact_viewset.py b/server/backend/tests/test_company_contact_viewset.py
index aa2ecdab..15fa725a 100644
--- a/server/backend/tests/test_company_contact_viewset.py
+++ b/server/backend/tests/test_company_contact_viewset.py
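Review bot: `self.user1` appears twice in `users_forbidden` (second and last element), so one forbidden user is checked twice and, going by the account list class above, `self.advisory_manager1` is probably the entry that was meant; change the trailing `self.vendor1, self.vendor2, self.user1` to `self.vendor1, self.vendor2, self.advisory_manager1`. Neither list names `read_only_vendor`, which other classes in this commit put in `users_forbidden`, so that role's access to account creation stays unasserted.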
@@ -1,6 +1,7 @@
 from rest_framework.test import APITestCase
-from pecoret.core.test import PeCoReTTestCaseMixin
+
 from backend.models.company_contact import CompanyContact
+from pecoret.core.test import PeCoReTTestCaseMixin
 class CompanyContactListViewTestCase(APITestCase, PeCoReTTestCaseMixin):
@@ -8,24 +9,31 @@ def setUp(self) -> None:
 self.init_mixin()
 self.company = self.project1.company
 self.url = self.get_url("backend:companies:contact-list", company=self.company.pk)
-
- def test_allowed(self):
- users = [
+ self.users_allowed = [
 self.management1, self.management2, self.pentester1, self.read_only1, self.customer1
 ]
- for user in users:
+ self.users_forbidden = [
+ self.pentester2, self.user1, self.vendor2, self.vendor1, self.advisory_manager1, self.customer2
+ ]
+
+ def test_allowed(self):
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.get, 200, 200, 403)
+
 def test_forbidden(self):
- users = [
- self.pentester2, self.user1, self.vendor1, self.vendor2,
- self.advisory_manager1, self.customer2
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.get, 403, 403, 403)
+
 class CompanyContactDeleteViewTestCase(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
@@ -33,23 +41,30 @@ def setUp(self) -> None:
 self.company_contact = self.create_instance(CompanyContact)
 self.url = self.get_url("backend:companies:contact-detail", company=self.company_contact.company.pk, pk=self.company_contact.pk)
+ self.users_forbidden = [
+ self.read_only1, self.pentester2, self.pentester1, self.user1, self.customer2, self.customer1
+ ]
 def test_management2(self):
 self.client.force_login(self.management2)
 self.basic_status_code_check(self.url, self.client.delete, 204)
+ def test_api_token_management1(self):
+ self.api_token_check(self.management1, 'scope_companies', self.url, self.client.delete, 403, 204, 403)
+
 def test_management1(self):
 self.client.force_login(self.management1)
 self.basic_status_code_check(self.url, self.client.delete, 204)
 def test_forbidden(self):
- users = [
- self.read_only1, self.pentester1, self.pentester2, self.user1, self.customer2
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.delete, 403)
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.delete, 403, 403, 403)
+
 class CompanyContactUpdateViewTestCase(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
@@ -81,3 +96,10 @@ def test_forbidden(self):
 for user in users:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)
+
+ def test_idor(self):
+ company_contact2 = self.create_instance(CompanyContact, company=self.project2.company)
+ self.url = self.get_url('backend:companies:contact-detail', company=self.project1.company.pk,
+ pk=company_contact2.pk)
+ self.client.force_login(self.pentester1)
+ self.basic_status_code_check(self.url, self.client.patch, 404, data=self.data)
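Review bot: `test_idor` only exercises PATCH through the update view; `CompanyContactDeleteViewTestCase` earlier in this file gets no equivalent cross-company check, although a mismatched `company`/`pk` pair matters just as much for DELETE (and GET). A copy of this test there, asserting 404 for `self.client.delete` against a contact created with `company=self.project2.company` but addressed via `company=self.project1.company.pk`, would close that gap. Minor: the test overwrites `self.url`; a local `url = self.get_url(...)` leaves the setUp value untouched and matches the `url = ...` form the attachment `test_idor` in this commit uses.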
diff --git a/server/backend/tests/test_company_information_viewset.py b/server/backend/tests/test_company_information_viewset.py
index 3d453218..1d2bfe01 100644
--- a/server/backend/tests/test_company_information_viewset.py
+++ b/server/backend/tests/test_company_information_viewset.py
@@ -8,21 +8,28 @@ def setUp(self) -> None:
 self.init_mixin()
 self.url = self.get_url("backend:companies:information-list", company=self.project1.company.pk)
 self.data = {"text": "test123"}
-
- def test_allowed(self):
- users = [
+ self.users_allowed = [
 self.pentester1, self.management1, self.read_only1, self.management2, self.customer1
 ]
- for user in users:
+ self.users_forbidden = [
+ self.vendor1, self.vendor2, self.user1, self.advisory_manager1, self.pentester2, self.customer2
+ ]
+
+ def test_allowed(self):
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.post, 201, data=self.data)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.post, 403, 201, 403, data=self.data)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.post, 403, 403, 403, data=self.data)
+
 def test_forbidden(self):
- users = [
- self.vendor1, self.vendor2, self.user1, self.advisory_manager1, self.pentester2,
- self.customer2
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.post, 403, data=self.data)
@@ -67,25 +74,32 @@ class CompanyInformationListView(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
 self.init_mixin()
 self.url = self.get_url("backend:companies:information-list", company=self.project1.company.pk)
+ self.users_allowed = [
+ self.pentester1, self.read_only1, self.management2, self.management1, self.customer1
+ ]
+ self.users_forbidden = [
+ self.user1, self.advisory_manager1, self.vendor1, self.vendor2, self.pentester2,
+ self.customer2
+ ]
 def test_allowed(self):
- users = [
- self.pentester1, self.read_only1, self.management2, self.management1,
- self.customer1
- ]
- for user in users:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
 def test_forbidden(self):
- users = [
- self.user1, self.advisory_manager1, self.vendor1, self.vendor2, self.pentester2,
- self.customer2
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.get, 200, 200, 403)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.get, 403, 403, 403)
+
 class CompanyInformationUpdateView(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
diff --git a/server/backend/tests/test_company_viewset.py b/server/backend/tests/test_company_viewset.py
index c7e1bbee..a52ef95b 100644
--- a/server/backend/tests/test_company_viewset.py
+++ b/server/backend/tests/test_company_viewset.py
@@ -1,22 +1,30 @@
 from rest_framework.test import APITestCase
-from pecoret.core.test import PeCoReTTestCaseMixin
+
 from backend.models import Company, ReportTemplate
+from pecoret.core.test import PeCoReTTestCaseMixin
 class CompanyListViewTestCase(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
 self.init_mixin()
 self.url = self.get_url("backend:company-list")
-
- def test_status_allowed(self):
- users = [
+ self.user_allowed = [
 self.management2, self.management1, self.read_only1, self.pentester2, self.pentester1, self.customer1, self.customer2
 ]
- for user in users:
+ self.user_forbidden = [
+ self.user1, self.vendor1, self.vendor2, self.advisory_manager1
+ ]
+
+ def test_status_allowed(self):
+ for user in self.user_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
+ def test_api_token_allowed(self):
+ for user in self.user_allowed:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.get, 200, 200, 403)
+
 def test_customer(self):
 self.client.force_login(self.customer1)
 response = self.basic_status_code_check(self.url, self.client.get, 200)
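Review bot: The new fixtures are named `self.user_allowed` / `self.user_forbidden` (singular) here, while `CompanyUpdateViewTestCase` further down in this same file and every other test class in this commit use `users_allowed` / `users_forbidden`; the finding-list class in test_finding_viewset.py has the same singular spelling. Renaming to `self.users_allowed = [` and `self.users_forbidden = [` (and the two loops that read them, including `test_api_token_forbidden` in the next hunk) keeps the fixture vocabulary uniform and greppable across the suite.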
@@ -24,37 +32,45 @@ def test_customer(self):
 self.assertEqual(response.json()['results'][0]['pk'], self.project1.company.pk)
 def test_status_forbidden(self):
- users = [
- self.user1, self.vendor1, self.vendor2, self.advisory_manager1
- ]
- for user in users:
+ for user in self.user_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_forbidden(self):
+ for user in self.user_forbidden:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.get, 403, 403, 403)
+
 class CompanyUpdateViewTestCase(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
 self.init_mixin()
 self.url = self.get_url("backend:company-detail", pk=self.project1.company.pk)
 self.data = {"street": "randomstreet 1"}
-
- def test_status_allowed(self):
- users = [
+ self.users_allowed = [
 self.management2, self.management1, self.customer1, self.pentester1, self.read_only1
 ]
- for user in users:
+ self.users_forbidden = [
+ self.user1, self.pentester2, self.vendor2, self.vendor1, self.advisory_manager1, self.customer2
+ ]
+
+ def test_status_allowed(self):
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.patch, 200, data=self.data)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.patch, 403, 200, 403, data=self.data)
+
 def test_status_forbidden(self):
- users = [
- self.user1, self.pentester2, self.vendor2, self.vendor1,
- self.advisory_manager1, self.customer2
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_companies', self.url, self.client.patch, 403, 403, 403, data=self.data)
+
 def test_customer_forbidden_fields(self):
 self.client.force_login(self.customer1)
 self.report_template = self.create_instance(ReportTemplate)
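Review bot: For `customer1` the token path only checks status codes (`self.api_token_check(user, 'scope_companies', self.url, self.client.patch, 403, 200, 403, data=self.data)`), whereas the session-based `test_customer_forbidden_fields`, whose body continues past the end of this hunk, is what asserts which company fields a customer may change. If that restriction lives in the serializer it covers both paths, but nothing in the commit demonstrates it for a read/write token; a token variant of that test (customer's read/write token, PATCH of a restricted field, assert it is rejected) would pin the behaviour and guard against the field check being tied to session authentication.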
@@ -129,63 +145,3 @@ def test_status_forbidden(self):
 for user in users:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
-
-
-class APITokenReadTestCase(APITestCase, PeCoReTTestCaseMixin):
- def setUp(self) -> None:
- self.init_mixin()
- self.token1, self.key1 = self.create_api_token(self.pentester1, scope_companies=self.api_access_choices.READ,
- date_expire=None)
- self.token2, self.key2 = self.create_api_token(self.pentester1,
- scope_companies=self.api_access_choices.NO_ACCESS,
- date_expire=None)
- self.token3, self.key3 = self.create_api_token(self.advisory_manager1,
- scope_companies=self.api_access_choices.READ,
- date_expire=None)
- self.url = self.get_url("backend:company-detail", pk=self.project1.company.pk)
-
- def test_valid(self):
- self.set_token_header(self.key1)
- self.basic_status_code_check(self.url, self.client.get, 200)
-
- def test_no_access_token(self):
- self.set_token_header(self.key2)
- self.basic_status_code_check(self.url, self.client.get, 403)
-
- def test_forbidden_user(self):
- self.set_token_header(self.key3)
- self.basic_status_code_check(self.url, self.client.get, 403)
-
-
-class APITokenWriteTestCase(APITestCase, PeCoReTTestCaseMixin):
- def setUp(self) -> None:
- self.init_mixin()
- self.token1, self.key1 = self.create_api_token(self.pentester1, scope_companies=self.api_access_choices.READ,
- date_expire=None)
- self.token2, self.key2 = self.create_api_token(self.pentester1,
- scope_companies=self.api_access_choices.NO_ACCESS,
- date_expire=None)
- self.token3, self.key3 = self.create_api_token(self.advisory_manager1,
- scope_companies=self.api_access_choices.READ,
- date_expire=None)
- self.url = self.get_url("backend:company-detail",
- pk=self.project1.company.pk)
- self.data = {"name": "test123"}
-
- def test_valid(self):
- self.set_token_header(self.key1)
- self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)
-
- def test_read_write(self):
-
self.token1.scope_companies = self.api_access_choices.READ_WRITE
- self.token1.save()
- self.set_token_header(self.key1)
- self.basic_status_code_check(self.url, self.client.patch, 200, data=self.data)
-
- def test_invalid(self):
- self.set_token_header(self.key2)
- self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)
-
- def test_forbidden(self):
- self.set_token_header(self.key3)
- self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)
diff --git a/server/backend/tests/test_cwe_viewset.py b/server/backend/tests/test_cwe_viewset.py
index e59e6f9e..97d242dd 100644
--- a/server/backend/tests/test_cwe_viewset.py
+++ b/server/backend/tests/test_cwe_viewset.py
@@ -1,30 +1,38 @@
 from rest_framework.test import APITestCase
-from pecoret.core.test import PeCoReTTestCaseMixin
+
 from backend.models import CWE
+from pecoret.core.test import PeCoReTTestCaseMixin
 class CWEListViewTestCase(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
 self.init_mixin()
 self.url = self.get_url("backend:cwe-list")
+ self.users_allowed = [
+ self.pentester1, self.pentester2, self.management1, self.management2, self.read_only1
+ ]
+ self.users_forbidden = [
+ self.user1, self.customer2, self.customer1, self.advisory_manager1
+ ]
 def test_allowed_status(self):
- users = [
- self.pentester1, self.pentester2,
- self.management1, self.management2, self.read_only1
- ]
- for user in users:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
 def test_forbidden_status(self):
- users = [
- self.user1
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.get, 200, 200, 403)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.get, 403, 403, 403)
+
 class CWECreateViewTestCase(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
diff --git a/server/backend/tests/test_finding_attachment_viewset.py b/server/backend/tests/test_finding_attachment_viewset.py
index 6063811e..a9301194 100644
--- a/server/backend/tests/test_finding_attachment_viewset.py
+++ b/server/backend/tests/test_finding_attachment_viewset.py
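Review bot: Neither `users_allowed` nor `users_forbidden` mentions `vendor1`, `vendor2` or `read_only_vendor`, so the vendor roles' access to the CWE list under `scope_knowledgebase` is asserted nowhere, while the company-list class in this commit lists the vendors explicitly as forbidden. Whichever side they belong on, adding them makes the permission matrix for this endpoint complete; the finding-comment, finding-timeline and finding-list classes later in this commit have the same gap for the customer and vendor roles.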
@@ -1,6 +1,8 @@
 import base64
+
 from django.core.files.uploadedfile import SimpleUploadedFile
 from rest_framework.test import APITestCase
+
 from backend.models import FindingImageAttachment
 from pecoret.core.test import PeCoReTTestCaseMixin
@@ -27,17 +29,32 @@ def setUp(self) -> None:
 project=self.project1.pk,
 finding=self.finding1.pk,
 )
+ self.users_allowed = [
+ self.pentester1, self.management1, self.read_only1
+ ]
+ self.users_forbidden = [
+ self.user1, self.pentester2, self.customer1, self.customer2, self.vendor1, self.vendor2,
+ self.advisory_manager1
+ ]
 def test_allowed_status(self):
- for user in [self.pentester1, self.management1, self.read_only1]:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
 def test_forbidden_status(self):
- for user in [self.pentester2, self.user1]:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 200, 200, 403)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 403, 403, 403)
+
 def test_idor(self):
 self.client.force_login(self.pentester1)
 url = self.get_url(
@@ -80,9 +97,16 @@ def setUp(self) -> None:
 self.data = {
 "caption": "proof1",
 }
+ self.users_allowed = [
+ self.pentester1, self.management1
+ ]
+ self.users_forbidden = [
+ self.pentester2, self.read_only1, self.user1, self.advisory_manager1, self.management2,
+ self.customer1, self.customer2, self.read_only_vendor, self.vendor2, self.vendor1
+ ]
 def test_allowed(self):
- for user in [self.pentester1, self.management1]:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.data["image"] = SimpleUploadedFile("file.png", base64.b64decode(self.image64), content_type="image/png")
@@ -90,7 +114,7 @@ def test_allowed(self):
 format="multipart")
 def test_forbidden(self):
- for user in [self.pentester2, self.read_only1, self.user1]:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(
 self.url, self.client.post, 403, data=self.data, format="multipart"
diff --git a/server/backend/tests/test_finding_comments_viewset.py b/server/backend/tests/test_finding_comments_viewset.py
index 486a541d..020cd746 100644
--- a/server/backend/tests/test_finding_comments_viewset.py
+++ b/server/backend/tests/test_finding_comments_viewset.py
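Review bot: `users_allowed` and `users_forbidden` are introduced for the attachment create view, but unlike every other create view in this commit no `test_api_token_allowed` / `test_api_token_forbidden` follow, so the token write path for the multipart upload stays untested. If `api_token_check` forwards extra keyword arguments the way it forwards `data=`, a call such as `self.api_token_check(user, 'scope_all_projects', self.url, self.client.post, 403, 201, 403, data=self.data, format="multipart")` per allowed user (with a fresh `SimpleUploadedFile` assigned each iteration, as `test_allowed` does) and the all-403 variant for forbidden users would cover it. `test_allowed` continues past the end of the first hunk.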
@@ -32,19 +32,31 @@ def setUp(self) -> None:
 project=self.project1.pk,
 finding=self.comment1.finding.pk,
 )
+ self.users_allowed = [
+ self.read_only1, self.pentester1, self.management1
+ ]
+ self.users_forbidden = [
+ self.advisory_manager1, self.user1, self.management2, self.pentester2
+ ]
 def test_allowed(self):
- users = [self.read_only1, self.pentester1, self.management1]
- for user in users:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 200, 200, 403)
+
 def test_forbidden(self):
- users = [self.advisory_manager1, self.user1, self.management2, self.pentester2]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 403, 403, 403)
+
 class FindingCommentCreateView(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
@@ -178,86 +190,3 @@ def test_forbidden(self):
 self.basic_status_code_check(
 self.url, self.client.patch, 403, data=self.data
 )
-
-
-class APITokenReadTestCase(APITestCase, PeCoReTTestCaseMixin):
- def setUp(self) -> None:
- self.init_mixin()
- self.token1, self.key1 = self.create_api_token(self.pentester1, scope_all_projects=self.api_access_choices.READ,
- date_expire=None)
- self.token2, self.key2 = self.create_api_token(self.pentester1,
- scope_all_projects=self.api_access_choices.NO_ACCESS,
- date_expire=None)
- self.token3, self.key3 = self.create_api_token(self.pentester2,
- scope_all_projects=self.api_access_choices.READ,
- date_expire=None)
- self.finding1 = self.create_finding(
- component=self.asset1,
- vulnerability__project=self.project1,
- project=self.project1,
- user=self.pentester1,
- )
- self.comment1 = self.create_instance(FindingComment, finding=self.finding1)
- self.url = self.get_url(
- "backend:findings:comment-detail",
- project=self.project1.pk,
- finding=self.finding1.pk,
- pk=self.comment1.pk,
- )
-
- def test_valid(self):
- self.set_token_header(self.key1)
- self.basic_status_code_check(self.url, self.client.get, 200)
-
- def test_invalid(self):
- self.set_token_header(self.key2)
- self.basic_status_code_check(self.url, self.client.get, 403)
-
- def test_forbidden(self):
- self.set_token_header(self.key3)
- self.basic_status_code_check(self.url, self.client.get, 403)
-
-
-class APITokenWriteTestCase(APITestCase, PeCoReTTestCaseMixin):
- def setUp(self) -> None:
- self.init_mixin()
- self.token1, self.key1 = self.create_api_token(self.pentester1, scope_all_projects=self.api_access_choices.READ,
- date_expire=None)
- self.token2, self.key2 = self.create_api_token(self.pentester1,
- scope_all_projects=self.api_access_choices.NO_ACCESS,
- date_expire=None)
- self.token3, self.key3 = self.create_api_token(self.pentester2,
- scope_all_projects=self.api_access_choices.READ,
- date_expire=None)
- self.finding1 = self.create_finding(
-
component=self.asset1,
- vulnerability__project=self.project1,
- project=self.project1,
- user=self.pentester1,
- )
- self.comment1 = self.create_instance(FindingComment, finding=self.finding1)
- self.url = self.get_url(
- "backend:findings:comment-detail",
- project=self.project1.pk,
- finding=self.finding1.pk,
- pk=self.comment1.pk,
- )
- self.data = {"text": "test123"}
-
- def test_valid(self):
- self.set_token_header(self.key1)
- self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)
-
- def test_read_write(self):
- self.token1.scope_all_projects = self.api_access_choices.READ_WRITE
- self.token1.save()
- self.set_token_header(self.key1)
- self.basic_status_code_check(self.url, self.client.patch, 200, data=self.data)
-
- def test_invalid(self):
- self.set_token_header(self.key2)
- self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)
-
- def test_forbidden(self):
- self.set_token_header(self.key3)
- self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)
diff --git a/server/backend/tests/test_finding_timeline_viewset.py b/server/backend/tests/test_finding_timeline_viewset.py
index 1e9645f5..0d8157ff 100644
--- a/server/backend/tests/test_finding_timeline_viewset.py
+++ b/server/backend/tests/test_finding_timeline_viewset.py
@@ -29,19 +29,31 @@ def setUp(self):
 project=self.project1.pk,
 finding=self.timeline1.finding.pk,
 )
+ self.users_allowed = [
+ self.read_only1, self.pentester1, self.management1
+ ]
+ self.users_forbidden = [
+ self.management2, self.advisory_manager1, self.pentester2, self.user1
+ ]
 def test_allowed(self):
- users = [self.read_only1, self.pentester1, self.management1]
- for user in users:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
 def test_forbidden(self):
- users = [self.management2, self.advisory_manager1, self.pentester2, self.user1]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 200, 200, 403)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 403, 403, 403)
+
 def test_broken_access(self):
 self.url = self.get_url(
 "backend:findings:timeline-list",
diff --git a/server/backend/tests/test_finding_viewset.py b/server/backend/tests/test_finding_viewset.py
index 1d8cdbbf..229bd3d7 100644
--- a/server/backend/tests/test_finding_viewset.py
+++ b/server/backend/tests/test_finding_viewset.py
@@ -28,19 +28,31 @@ def setUp(self) -> None:
 user=self.pentester2,
 )
 self.url = self.get_url("backend:finding-list", project=self.project1.pk)
+ self.user_allowed = [
+ self.read_only1, self.pentester1, self.management1
+ ]
+ self.user_forbidden = [
+ self.user1, self.management2, self.pentester2
+ ]
 def test_status_allowed(self):
- users = [self.read_only1, self.pentester1, self.management1]
- for user in users:
+ for user in self.user_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
 def test_status_forbidden(self):
- users = [self.user1, self.management2, self.pentester2]
- for user in users:
+ for user in self.user_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_allowed(self):
+ for user in self.user_allowed:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 200, 200, 403)
+
+ def test_api_token_forbidden(self):
+ for user in self.user_forbidden:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 403, 403, 403)
+
 def test_project(self):
 self.client.force_login(self.pentester1)
 response = self.client.get(self.url)
diff --git a/server/backend/tests/test_generic_asset_viewset.py b/server/backend/tests/test_generic_asset_viewset.py
index 015f1e91..023d4d38 100644
--- a/server/backend/tests/test_generic_asset_viewset.py
+++ b/server/backend/tests/test_generic_asset_viewset.py
@@ -10,6 +10,12 @@ def setUp(self) -> None:
 self.url = self.get_url("backend:generic-asset-list", project=self.project1.pk)
 self.data = {"name": 'test', "environment": Environment.UNKNOWN.label, "accessible": AssetAccessibility.UNKNOWN.label}
+ self.users_allowed = [
+ self.pentester1, self.management1
+ ]
+ self.users_forbidden = [
+ self.read_only_vendor, self.read_only1, self.pentester2, self.user1, self.management2
+ ]
 def test_pentester1(self):
 self.client.force_login(self.pentester1)
@@ -20,13 +26,19 @@ def test_management1(self):
 self.basic_status_code_check(self.url, self.client.post, 201, data=self.data)
 def test_forbidden(self):
- users = [
- self.read_only1, self.management2, self.pentester2, self.user1
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.post, 403, data=self.data)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.data['name'] = user.username
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.post, 403, 201, 403, data=self.data)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.post, 403, 403, 403, data=self.data)
+
 class HostUpdateView(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
diff --git a/server/backend/tests/test_host_viewset.py b/server/backend/tests/test_host_viewset.py
index 87ab3947..e599ed53 100644
--- a/server/backend/tests/test_host_viewset.py
+++ b/server/backend/tests/test_host_viewset.py
@@ -10,6 +10,12 @@ def setUp(self) -> None:
 self.url = self.get_url("backend:host-list", project=self.project1.pk)
 self.data = {"ip": "10.10.10.10", "dns": "intern.test.,com", "environment": Environment.UNKNOWN.label, "accessible": AssetAccessibility.UNKNOWN.label}
+ self.users_allowed = [
+ self.pentester1, self.management1
+ ]
+ self.users_forbidden = [
+ self.read_only1, self.management2, self.pentester2, self.user1
+ ]
 def test_pentester1(self):
 self.client.force_login(self.pentester1)
@@ -19,11 +25,18 @@ def test_management1(self):
 self.client.force_login(self.management1)
 self.basic_status_code_check(self.url, self.client.post, 201, data=self.data)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ old_ip = int(self.data['ip'].split('.')[-1])
+ self.data['ip'] = '.'.join(self.data['ip'].split('.')[:-1]) + f'.{old_ip + 1}'
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.post, 403, 201, 403, data=self.data)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.post, 403, 403, 403, data=self.data)
+
 def test_forbidden(self):
- users = [
- self.read_only1, self.management2, self.pentester2, self.user1
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.post, 403, data=self.data)
diff --git a/server/backend/tests/test_membership_viewset.py b/server/backend/tests/test_membership_viewset.py
index 58cc9703..5be41f93 100644
--- a/server/backend/tests/test_membership_viewset.py
+++ b/server/backend/tests/test_membership_viewset.py
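Review bot: The IP bump in `test_api_token_allowed` re-implements address arithmetic by splitting on dots, gives no reason for doing so (presumably the host view rejects a duplicate IP within the project, so each user needs a fresh one), and would produce an invalid octet once the last byte passes 255. `self.data['ip'] = str(ipaddress.ip_address(self.data['ip']) + 1)` preceded by `# each token user needs an unused IP in the project` does the same in one line and stays a valid address; it needs `import ipaddress` at the top of the file, which is outside the hunk. The forbidden variant reuses the unchanged `self.data`, which is fine as long as the 403 is decided before validation.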
@@ -8,20 +8,27 @@ class MembershipListViewTestCase(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
 self.init_mixin()
 self.url = self.get_url("backend:membership-list", project=self.project1.pk)
+ self.users_allowed = [
+ self.management1, self.pentester1, self.read_only1
+ ]
+ self.users_forbidden = [
+ self.user1, self.pentester2, self.management2
+ ]
 def test_status_code_allowed(self):
- users = [
- self.management1, self.pentester1, self.read_only1,
- ]
- for user in users:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
 def test_status_code_forbidden(self):
- for user in [self.user1, self.pentester2, self.management2]:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_all_projects', self.url, self.client.get, 403, 403, 403)
+
 class MembershipCreateViewTestCase(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self) -> None:
diff --git a/server/backend/viewsets/api_token.py b/server/backend/viewsets/api_token.py
index c74758f0..d9b26aae 100644
--- a/server/backend/viewsets/api_token.py
+++ b/server/backend/viewsets/api_token.py
@@ -8,7 +8,7 @@ class APITokenViewSet(PeCoReTNoUpdateViewSet):
 queryset = APIToken.objects.none()
 search_fields = ["name"]
 serializer_class = APITokenSerializer
- api_scope = None
+ api_scope = None # do not allow api tokens to configure api tokens
 permission_classes = [
 permissions.GroupPermission(
 read_write_groups=[
diff --git a/server/backend/viewsets/membership.py b/server/backend/viewsets/membership.py
index 6844896f..64de2573 100644
--- a/server/backend/viewsets/membership.py
+++ b/server/backend/viewsets/membership.py
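Review bot: `test_api_token_forbidden` loops only over `users_forbidden`, who are rejected by group membership regardless of how they authenticate, so it never asserts the property that `api_scope = None` on MembershipViewSet (next hunk) is meant to enforce: that a token belonging to `management1`, `pentester1` or `read_only1` is refused too. A second loop over `self.users_allowed` expecting `403, 403, 403` is the assertion that would catch a regression letting tokens read memberships; it is the positive case for the "no token access" rule. The same gap applies to GroupViewSet, which newly gets `api_scope = None` further down, and to APITokenViewSet, neither of which gains a token test in this commit as far as the diff shows.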
@@ -12,7 +12,7 @@ class MembershipViewSet(PeCoReTModelViewSet):
 queryset = Membership.objects.none()
 filterset_class = None
 search_fields = []
- api_scope = None
+ api_scope = None # disable changing memberships through api tokens
 permission_classes = [permissions.PRESET_OWNER_OR_READ_ONLY]
 serializer_class = MembershipSerializer
diff --git a/server/backend/viewsets/users.py b/server/backend/viewsets/users.py
index 4785ffc1..1d65fc36 100644
--- a/server/backend/viewsets/users.py
+++ b/server/backend/viewsets/users.py
@@ -144,6 +144,7 @@ def change_password(self, request, *args, **kwargs):
 class GroupViewSet(PeCoReTReadOnlyModelViewSet):
 queryset = Group.objects.all()
 filterset_class = None
+ api_scope = None # do not allow api access
 search_fields = ["name"]
 permission_classes = [
 permissions.GroupPermission(read_write_groups=[permissions.Groups.SUPERUSER], read_only_groups=[])
diff --git a/server/backend/viewsets/vulnerability.py b/server/backend/viewsets/vulnerability.py
index f4ceb6f2..626f4d2e 100644
--- a/server/backend/viewsets/vulnerability.py
+++ b/server/backend/viewsets/vulnerability.py
@@ -89,6 +89,7 @@ class ProjectVulnerabilityViewSet(PeCoReTModelViewSet):
 filterset_class = None
 serializer_class = ProjectVulnerabilitySerializer
 permission_classes = [permissions.PRESET_PENTESTER_OR_READONLY]
+ api_scope = 'scope_all_projects'
 def get_queryset(self):
 return models.ProjectVulnerability.objects.for_project(self.request.project)
diff --git a/server/checklists/tests/test_category_viewset.py b/server/checklists/tests/test_category_viewset.py
index 748e9e7e..9703053a 100644
--- a/server/checklists/tests/test_category_viewset.py
+++ b/server/checklists/tests/test_category_viewset.py
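Review bot: `api_scope = 'scope_all_projects'` on ProjectVulnerabilityViewSet is a bare string literal, repeated verbatim in the checklists viewsets further down (`'scope_all_projects'`, `'scope_knowledgebase'`) and in every test's `api_token_check` call, with nothing tying the spelling to whatever the token permission check resolves it against. A typo in one of them would not fail at import time, and whether it would fail open or closed depends on how the scope is looked up, which is not visible in this diff. Declaring the scope names once, next to the code that interprets `api_scope`, and referencing that constant from both viewsets and tests turns a mismatch into a NameError instead of a silent change in who may call the endpoint.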
@@ -8,24 +8,31 @@ def setUp(self):
 self.init_mixin()
 self.url = self.get_url('checklists:category-list')
 self.category = self.create_instance(Category)
+ self.users_allowed = [
+ self.pentester2, self.pentester1, self.read_only1, self.management2, self.management1
+ ]
+ self.users_forbidden = [
+ self.vendor2, self.vendor1, self.user1, self.customer1, self.customer2, self.advisory_manager1
+ ]
 def test_allowed(self):
- users = [
- self.pentester1, self.pentester2,
- self.management1, self.management2
- ]
- for user in users:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
 def test_forbidden(self):
- users = [
- self.advisory_manager1, self.vendor1, self.vendor2, self.user1,
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.get, 403, 403, 403)
+
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.get, 200, 200, 403)
+
 class CategoryCreateView(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self):
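Review bot: `self.users_forbidden` for the category list view omits `self.read_only_vendor`, which the create view in the next hunk and ItemListView do include, so nothing here asserts that a read-only vendor cannot list categories by session or by token; ChecklistListView's forbidden list has the same omission. Adding `self.read_only_vendor` to the list closes that for both the session and the token test at once. Separately, `self.users_allowed` now contains `self.read_only1`, which the removed list did not; that is a widening of what the test asserts rather than a pure refactor, and deserves a word in the commit message if it reflects the viewset's read-only groups.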
@@ -36,21 +43,30 @@ def setUp(self):
 'name': 'test',
 'summary': 'asdf'
 }
+ self.users_allowed = [
+ self.pentester2, self.pentester1, self.read_only1
+ ]
+ self.users_forbidden = [
+ self.management1, self.management2, self.customer2, self.customer1, self.user1,
+ self.vendor2, self.vendor1, self.advisory_manager1, self.read_only_vendor
+ ]
 def test_allowed(self):
- users = [
- self.pentester1, self.pentester2
- ]
- for user in users:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.data['category_id'] = self.data['category_id'] + user.username
 self.basic_status_code_check(self.url, self.client.post, 201, data=self.data)
 def test_forbidden(self):
- users = [
- self.management1, self.management2, self.read_only_vendor, self.vendor1,
- self.vendor2, self.advisory_manager1, self.user1
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.post, 403, data=self.data)
+
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.data['category_id'] = user.username
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.post, 403, 201, 403, data=self.data)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.post, 403, 403, 403, data=self.data)
diff --git a/server/checklists/tests/test_checklist_viewset.py b/server/checklists/tests/test_checklist_viewset.py
index f4975458..cb93faaf 100644
--- a/server/checklists/tests/test_checklist_viewset.py
+++ b/server/checklists/tests/test_checklist_viewset.py
@@ -1,6 +1,7 @@
 from rest_framework.test import APITestCase
-from pecoret.core.test import PeCoReTTestCaseMixin
+
 from checklists.models import Checklist, Category
+from pecoret.core.test import PeCoReTTestCaseMixin
 class ChecklistListView(APITestCase, PeCoReTTestCaseMixin):
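Review bot: `self.users_allowed` for CategoryCreateView now includes `self.read_only1`, so the test asserts that a read-only user may create categories both by session (`201`) and by token (`403, 201, 403`), where the removed list had only the two pentesters; ItemCreateView further down makes the same change while ChecklistCreateView keeps read-only users out of its allowed list. If CategoryViewSet's `read_write_groups` really grants the read-only group write access to the knowledge base, say so in a comment on the list (`# read-only users may author knowledge-base entries`); if not, these tests now lock in a privilege the group's name argues against, and the permission definition, of which this diff shows only the tail, should be checked before merging. Minor: `test_allowed` still appends `user.username` to the previous `category_id` while `test_api_token_allowed` assigns it outright; using the assignment in both keeps the two tests symmetrical.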
@@ -8,24 +9,33 @@ def setUp(self):
 self.init_mixin()
 self.checklist1 = self.create_instance(Checklist)
 self.url = self.get_url('checklists:checklist-list')
-
- def test_allowed(self):
- users = [
+ self.users_allowed = [
 self.pentester1, self.pentester2, self.read_only1, self.management1, self.management2
 ]
- for user in users:
+ self.users_forbidden = [
+ self.advisory_manager1, self.user1, self.vendor1, self.vendor2,
+ self.customer1, self.customer2
+ ]
+
+ def test_allowed(self):
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
 def test_forbidden(self):
- users = [
- self.advisory_manager1, self.user1, self.vendor1, self.vendor2
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.get, 200, 200, 403)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.get, 403, 403, 403)
+
 class ChecklistCreateView(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self):
@@ -35,21 +45,30 @@ def setUp(self):
 self.data = { 'checklist_id': 'test-123', 'name': 'test123', 'categories': [category.pk] }
-
- def test_allowed(self):
- users = [
+ self.users_allowed = [
 self.pentester1, self.pentester2
 ]
- for user in users:
- self.data['checklist_id'] = self.data['checklist_id'] + user.username
+ self.users_forbidden = [
+ self.management2, self.management1, self.advisory_manager1, self.user1,
+ self.vendor1, self.vendor2, self.read_only_vendor, self.customer2, self.customer1
+ ]
+
+ def test_allowed(self):
+ for user in self.users_allowed:
+ self.data['checklist_id'] = user.username
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.post, 201, data=self.data)
 def test_forbidden(self):
- users = [
- self.management2, self.management1, self.advisory_manager1, self.user1,
- self.vendor1, self.vendor2, self.read_only_vendor
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.post, 403, data=self.data)
+
+ def test_api_allowed(self):
+ for user in self.users_allowed:
+ self.data['checklist_id'] = user.username
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.post, 403, 201, 403, data=self.data)
+
+ def test_api_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.post, 403, 403, 403, data=self.data)
diff --git a/server/checklists/tests/test_item_viewset.py b/server/checklists/tests/test_item_viewset.py
index fdb70d19..ef5baa11 100644
--- a/server/checklists/tests/test_item_viewset.py
+++ b/server/checklists/tests/test_item_viewset.py
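Review bot: The new methods are named `test_api_allowed` and `test_api_forbidden`, while every other class touched by this commit uses `test_api_token_allowed` / `test_api_token_forbidden`; the odd ones out will be missed by any `-k api_token` selection or grep over the token tests. Renaming them to `def test_api_token_allowed(self):` and `def test_api_token_forbidden(self):` keeps the suite consistent at no cost.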
@@ -7,24 +7,32 @@ class ItemListView(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self):
 self.init_mixin()
 self.url = self.get_url('checklists:item-list')
- item = self.create_instance(Item)
+ self.users_allowed = [
+ self.pentester2, self.pentester1, self.management1, self.management2, self.read_only1
+ ]
+ self.users_forbidden = [
+ self.user1, self.customer1, self.customer2, self.advisory_manager1,
+ self.vendor1, self.vendor2, self.read_only_vendor
+ ]
 def test_allowed(self):
- users = [
- self.pentester2, self.pentester1, self.management2, self.management1
- ]
- for user in users:
+ for user in self.users_allowed:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 200)
 def test_forbidden(self):
- users = [
- self.advisory_manager1, self.user1, self.vendor2, self.vendor1, self.read_only_vendor
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.get, 403)
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.get, 200, 200 ,403)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.get, 403, 403, 403)
+
 class ItemCreateView(APITestCase, PeCoReTTestCaseMixin):
 def setUp(self):
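Review bot: Removing `item = self.create_instance(Item)` from `setUp` means every list request in ItemListView is now made against an empty table, so the `200` assertions no longer exercise item serialization or any per-object visibility rule on this endpoint. If the local was only unused, keep the call without the binding, `self.create_instance(Item)`, so the response still carries a row. If nothing else in the file references `Item` any more, the import at the top is now dead as well (not visible in this hunk). Minor: `200, 200 ,403` in `test_api_token_allowed` has a stray space before the comma.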
@@ -37,21 +45,30 @@ def setUp(self):
 'description': 'asdf',
 'category': category.pk
 }
+ self.users_allowed = [
+ self.pentester2, self.pentester1, self.read_only1
+ ]
+ self.users_forbidden = [
+ self.customer2, self.customer1, self.vendor1, self.vendor2, self.user1,
+ self.management1, self.management2, self.advisory_manager1
+ ]
 def test_allowed(self):
- users = [
- self.pentester2, self.pentester1
- ]
- for user in users:
- self.data['item_id'] = self.data['item_id'] + user.username
+ for user in self.users_allowed:
+ self.data['item_id'] = user.username
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.post, 201, data=self.data)
 def test_forbidden(self):
- users = [
- self.management1, self.management2, self.advisory_manager1, self.vendor1,
- self.vendor2, self.user1
- ]
- for user in users:
+ for user in self.users_forbidden:
 self.client.force_login(user)
 self.basic_status_code_check(self.url, self.client.post, 403, data=self.data)
+
+ def test_api_token_allowed(self):
+ for user in self.users_allowed:
+ self.data['item_id'] = user.username
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.post, 403, 201, 403, data=self.data)
+
+ def test_api_token_forbidden(self):
+ for user in self.users_forbidden:
+ self.api_token_check(user, 'scope_knowledgebase', self.url, self.client.post, 403, 403, 403, data=self.data)
diff --git a/server/checklists/viewsets/category.py b/server/checklists/viewsets/category.py
index 12925a59..2ecd1967 100644
--- a/server/checklists/viewsets/category.py
+++ b/server/checklists/viewsets/category.py
@@ -1,6 +1,3 @@
-from rest_framework.decorators import action
-from rest_framework.response import Response
-from rest_framework import status
 from pecoret.core.viewsets import PeCoReTReadOnlyModelViewSet, PeCoReTModelViewSet
 from pecoret.core import permissions
 from checklists.models import AssetCategory, Category
@@ -16,6 +13,7 @@ class AssetCategoryViewSet(PeCoReTReadOnlyModelViewSet):
 serializer_class = AssetCategorySerializer
 filterset_class = AssetCategoryFilter
 search_fields = ["name", "assetitem__name"]
+ api_scope = 'scope_all_projects'
 def get_queryset(self):
 return AssetCategory.objects.for_project(self.request.project)
@@ -33,5 +31,6 @@ class CategoryViewSet(PeCoReTModelViewSet):
 ]
 )
 ]
+ api_scope = 'scope_knowledgebase'
 search_fields = ['name', 'category_id']
 serializer_class = CategorySerializer
diff --git a/server/checklists/viewsets/checklist.py b/server/checklists/viewsets/checklist.py
index 0be1d0a3..9b818c7a 100644
--- a/server/checklists/viewsets/checklist.py
+++ b/server/checklists/viewsets/checklist.py
@@ -11,6 +11,7 @@ class ChecklistViewSet(PeCoReTModelViewSet):
 queryset = Checklist.objects.none()
+ api_scope = 'scope_knowledgebase'
 permission_classes = [
 permissions.GroupPermission(
 read_write_groups=[
@@ -34,6 +35,7 @@ class AssetChecklistViewSet(PeCoReTNoUpdateViewSet):
 search_fields = ["name"]
 permission_classes = [permissions.PRESET_PENTESTER_OR_READONLY]
 serializer_class = AssetChecklistSerializer
+ api_scope = 'scope_all_projects'
 def get_queryset(self):
 return AssetChecklist.objects.for_project(self.request.project)
diff --git a/server/checklists/viewsets/item.py b/server/checklists/viewsets/item.py
index c2119ac1..201d7789 100644
--- a/server/checklists/viewsets/item.py
+++ b/server/checklists/viewsets/item.py
@@ -28,6 +28,7 @@ class ItemViewSet(PeCoReTModelViewSet):
 queryset = Item.objects.all()
 serializer_class = ItemSerializer
 search_fields = ['name', 'item_id']
+ api_scope = 'scope_knowledgebase'
 permission_classes = [
 permissions.GroupPermission(
 read_only_groups=[
diff --git a/server/pecoret/core/permissions/company.py b/server/pecoret/core/permissions/company.py
index 781b138d..fbe9e9fe 100644
--- a/server/pecoret/core/permissions/company.py
+++ b/server/pecoret/core/permissions/company.py
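Review bot: The project-scoped viewsets that receive `api_scope = 'scope_all_projects'` here, AssetCategoryViewSet and AssetChecklistViewSet, and ProjectVulnerabilityViewSet in the hunk above, get no `api_token_check` test in this commit, unlike the knowledge-base viewsets, so nothing asserts that a token carrying that scope is accepted on these endpoints or that one without it is refused. A `test_api_token_allowed` / `test_api_token_forbidden` pair per viewset, mirroring the ones added to test_host_viewset.py, would close that. As a point of style, `api_scope` lands in a different position in each class (before `permission_classes` in ChecklistViewSet, after `serializer_class` in AssetChecklistViewSet, after `search_fields` in ItemViewSet); keeping it adjacent to `permission_classes` in every viewset makes the access-control declaration easy to find in review.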
@@ -64,6 +64,10 @@ def has_permission(self, request, view):
 request.company = company
 return True
 if user.is_customer and user.company.pk == company.pk:
+ # customers should not have api tokens at the moment, but check permissions to prevent future errors
+ if isinstance(request.auth, APIToken):
+ if not self.has_token_permission(request, view, None):
+ return False
 request.company = company
 return True
 if request.method not in SAFE_METHODS:
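Review bot: The new token check is applied only inside the `is_customer` branch, so if the branch immediately above it (its condition lies outside the hunk) and the `request.method not in SAFE_METHODS` path below grant access without going through `has_token_permission`, a token-authenticated request by those users still reaches `request.company = company; return True` with no scope check; worth confirming that each early `return True` in this method is routed through the same check. The literal `None` passed as the third argument of `has_token_permission(request, view, None)` carries no meaning for a reader; if it is the object for object-level checks, annotate it, e.g. `# obj=None: only the view-level scope is checked here`. The comment should also state the fail-closed intent rather than the current wording, for instance `# customers are not expected to hold API tokens today; if one ever authenticates here, apply the same scope check instead of trusting it implicitly`. `APIToken` must be imported in this module for the `isinstance` to work, which this hunk does not show.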