add missing api scope and test cases #224

Merged
merged 2 commits into from
Apr 16, 2024
146 changes: 67 additions & 79 deletions server/advisories/tests/test_advisory_comment.py
@@ -1,4 +1,5 @@
from rest_framework.test import APITestCase

from advisories.models import AdvisoryComment
from pecoret.core.test import PeCoReTTestCaseMixin

Expand All @@ -10,17 +11,10 @@ def setUp(self):
self.url = self.get_url(
"advisories:comment-list", advisory=self.advisory1.pk
)

def test_allowed(self):
users = [self.advisory_manager1, self.pentester1, self.vendor1]
for user in users:
self.client.force_login(user)
self.basic_status_code_check(
self.url, self.client.post, 201, data=self.data
)

def test_forbidden(self):
users = [
self.allowed_users = [
self.advisory_manager1, self.pentester1, self.vendor1
]
self.forbidden_users = [
self.pentester2,
self.management1,
self.management2,
Expand All @@ -29,25 +23,58 @@ def test_forbidden(self):
self.read_only1,
self.user1,
]
for user in users:

def test_allowed(self):
for user in self.allowed_users:
self.client.force_login(user)
self.basic_status_code_check(
self.url, self.client.post, 201, data=self.data
)

def test_forbidden(self):

for user in self.forbidden_users:
self.client.force_login(user)
self.basic_status_code_check(
self.url, self.client.post, 403, data=self.data
)

def test_api_token_allowed(self):
for user in self.allowed_users:
self.api_token_check(user, 'scope_advisories', self.url, self.client.post,
403, 201, 403, data=self.data)

def test_api_token_forbidden(self):
for user in self.forbidden_users:
self.api_token_check(user, 'scope_advisories', self.url, self.client.post, 403, 403, 403)


class AdvisoryCommentUpdateView(APITestCase, PeCoReTTestCaseMixin):
def setUp(self):
self.init_mixin()
self.comment1 = self.create_instance(
AdvisoryComment, advisory=self.advisory1, user=self.pentester1
)
self.comment2 = self.create_instance(
AdvisoryComment, advisory=self.advisory2, user=self.pentester2
)
self.url = self.get_url(
"advisories:comment-detail",
advisory=self.advisory1.pk,
pk=self.comment1.pk,
)
self.url2 = self.get_url(
'advisories:comment-detail', advisory=self.advisory2.pk, pk=self.comment1.pk
)
self.data = {"comment": "new123"}
self.forbidden_users = [
self.pentester2,
self.vendor2,
self.management1,
self.management2,
self.user1,
self.read_only1, self.customer2, self.customer1, self.read_only_vendor
]

def test_allowed(self):
self.client.force_login(self.pentester1)
Expand All @@ -57,16 +84,7 @@ def test_allowed(self):
self.assertEqual(response.json()["comment"], self.data["comment"])

def test_forbidden(self):
users = [
self.pentester2,
self.vendor2,
self.management1,
self.management2,
self.user1,
self.read_only1,
self.read_only_vendor
]
for user in users:
for user in self.forbidden_users:
self.client.force_login(user)
self.basic_status_code_check(self.url, self.client.patch, 403)

Expand All @@ -76,51 +94,25 @@ def test_not_found(self):
self.client.force_login(user)
self.basic_status_code_check(self.url, self.client.patch, 404)

def test_api_token_allowed(self):
self.api_token_check(self.pentester1, 'scope_advisories', self.url, self.client.patch, 403, 200, 403,
data=self.data)

class APITokenReadTestCase(APITestCase, PeCoReTTestCaseMixin):
def setUp(self) -> None:
self.init_mixin()
self.token1, self.key1 = self.create_api_token(self.pentester1, scope_advisories=self.api_access_choices.READ,
date_expire=None)
self.token2, self.key2 = self.create_api_token(self.pentester1,
scope_advisories=self.api_access_choices.NO_ACCESS,
date_expire=None)
self.token3, self.key3 = self.create_api_token(self.pentester2,
scope_advisories=self.api_access_choices.READ,
date_expire=None)
self.comment1 = self.create_instance(
AdvisoryComment, advisory=self.advisory1, user=self.pentester1
)
self.url = self.get_url(
"advisories:comment-detail",
advisory=self.advisory1.pk,
pk=self.comment1.pk,
)

def test_valid(self):
self.set_token_header(self.key1)
self.basic_status_code_check(self.url, self.client.get, 200)

def test_invalid(self):
self.set_token_header(self.key2)
self.basic_status_code_check(self.url, self.client.get, 403)
def test_api_token_forbidden(self):
for user in self.forbidden_users:
self.api_token_check(user, 'scope_advisories', self.url, self.client.patch, 403, 403, 403, data=self.data)
# test IDOR
self.api_token_check(self.pentester2, 'scope_advisories', self.url2, self.client.patch, 403, 404, 403,
data=self.data)

def test_forbidden(self):
self.set_token_header(self.key3)
self.basic_status_code_check(self.url, self.client.get, 403)
def test_api_token_not_found(self):
for user in [self.advisory_manager1, self.vendor1]:
self.api_token_check(user, 'scope_advisories', self.url, self.client.patch, 403, 404, 403, data=self.data)


class APITokenWriteTestCase(APITestCase, PeCoReTTestCaseMixin):
def setUp(self) -> None:
class AdvisoryCommentRetrieveView(APITestCase, PeCoReTTestCaseMixin):
def setUp(self):
self.init_mixin()
self.token1, self.key1 = self.create_api_token(self.pentester1, scope_advisories=self.api_access_choices.READ,
date_expire=None)
self.token2, self.key2 = self.create_api_token(self.pentester1,
scope_advisories=self.api_access_choices.NO_ACCESS,
date_expire=None)
self.token3, self.key3 = self.create_api_token(self.pentester2,
scope_advisories=self.api_access_choices.READ,
date_expire=None)
self.comment1 = self.create_instance(
AdvisoryComment, advisory=self.advisory1, user=self.pentester1
)
Expand All @@ -129,22 +121,18 @@ def setUp(self) -> None:
advisory=self.advisory1.pk,
pk=self.comment1.pk,
)
self.data = {"comment": "test123"}

def test_valid(self):
self.set_token_header(self.key1)
self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)

def test_read_write(self):
self.token1.scope_advisories = self.api_access_choices.READ_WRITE
self.token1.save()
self.set_token_header(self.key1)
self.basic_status_code_check(self.url, self.client.patch, 200, data=self.data)
self.allowed_users = [
self.vendor1, self.advisory_manager1, self.pentester1, self.read_only_vendor
]
self.forbidden_users = [
self.customer2, self.customer1, self.management2, self.management1,
self.read_only1, self.pentester2, self.vendor2, self.user1
]

def test_invalid(self):
self.set_token_header(self.key2)
self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)
def test_api_token_allowed(self):
for user in self.allowed_users:
self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 200, 200, 403)

def test_forbidden(self):
self.set_token_header(self.key3)
self.basic_status_code_check(self.url, self.client.patch, 403, data=self.data)
def test_api_token_forbidden(self):
for user in self.forbidden_users:
self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 403, 403, 403)
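Review bot: `test_api_token_forbidden` in the comment-create class calls `api_token_check` without `data=self.data`, unlike `test_api_token_allowed` directly above it and the update-view counterpart further down, so the forbidden POSTs carry no body; make it `self.api_token_check(user, 'scope_advisories', self.url, self.client.post, 403, 403, 403, data=self.data)` so the rejection is exercised on the same request the allowed case sends. The three positional status codes (`403, 201, 403`, `403, 404, 403`, `200, 200, 403`) read as magic numbers — their scope order (presumably READ, READ_WRITE, NO_ACCESS, judging by GET passing in the first slot and PATCH only in the second) is fixed by `api_token_check` in the mixin, which is not part of this PR, so a one-line comment such as `# statuses are for READ, READ_WRITE, NO_ACCESS tokens` at the first call site would save the next reader a trip. The IDOR case on `self.url2` is the right check (comment1 requested under advisory2 must 404 rather than be reachable), whereas `AdvisoryCommentRetrieveView` now covers tokens only — if session-login GET on the detail URL is not asserted elsewhere, a `test_allowed`/`test_forbidden` pair mirroring the other classes would close that gap. The hunks cut through `setUp` of the create class and `test_allowed`/`test_not_found` of the update class, so those bodies are only partly visible here.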
40 changes: 25 additions & 15 deletions server/advisories/tests/test_advisory_export.py
@@ -1,41 +1,51 @@
from rest_framework.test import APITestCase
from pecoret.core.test import PeCoReTTestCaseMixin
from backend.models.report_templates import ReportTemplate

from advisories.models.advisory import VisibilityChoices
from backend.models.report_templates import ReportTemplate
from pecoret.core.test import PeCoReTTestCaseMixin


class AdvisoryExportViewTestCase(APITestCase, PeCoReTTestCaseMixin):
def setUp(self) -> None:
self.init_mixin()
self.report_template = ReportTemplate.objects.get(name="default_template")
self.url = self.get_url("advisories:advisory-export-pdf", pk=self.advisory1.pk)

def test_allowed(self):
users = [
self.users_allowed = [
self.pentester1,
self.vendor1,
self.advisory_manager1,
self.read_only_vendor,
]
for user in users:
self.users_forbidden = [self.management1,
self.management2,
self.user1,
self.customer1, self.customer2,
self.management1, self.management2,
self.vendor2,
self.read_only1,
self.pentester2, ]

def test_allowed(self):
for user in self.users_allowed:
self.client.force_login(user)
self.basic_status_code_check(self.url, self.client.get, 200)

def test_forbidden(self):
users = [
self.management1,
self.management2,
self.user1,
self.vendor2,
self.read_only1,
self.pentester2,
]
for user in users:
for user in self.users_forbidden:
self.client.force_login(user)
self.basic_status_code_check(self.url, self.client.get, 403)

def test_api_token_allowed(self):
for user in self.users_allowed:
self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 200, 200, 403)

def test_api_token_forbidden(self):
for user in self.users_forbidden:
self.api_token_check(user, 'scope_advisories', self.url, self.client.get, 403, 403, 403)

def test_management_draft(self):
self.advisory1.visibility = VisibilityChoices.MEMBERS
self.advisory1.save()
self.client.force_login(self.advisory_manager1)
self.basic_status_code_check(self.url, self.client.get, 403)
self.api_token_check(self.advisory_manager1, 'scope_advisories', self.url, self.client.get, 403, 403, 403)
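Review bot: `users_forbidden` in `setUp` lists `self.management1` and `self.management2` twice (at the top of the literal and again after the customers), so `test_forbidden` and `test_api_token_forbidden` issue duplicate requests for those users; delete the second `self.management1, self.management2,` line. `test_management_draft` only checks `advisory_manager1` against an advisory set to `VisibilityChoices.MEMBERS`; if members-only drafts are also meant to be withheld from `vendor1` and `read_only_vendor` (I can't tell from the test alone), looping the same session and token checks over those users would pin the rule down, and a short docstring stating what MEMBERS visibility is expected to hide would make the intent explicit. As a naming point, this class uses `users_allowed`/`users_forbidden` while the comment tests in the same PR use `allowed_users`/`forbidden_users`; aligning on one convention would make a shared helper easier later.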