1099.1.16
by William Grant
ivle.webapp.base.test: |
1 |
import urllib |
2 |
||
1099.1.112
by William Grant
Implement authorization in JSON REST views. Add security declarations to |
3 |
from ivle.webapp.base.rest import (JSONRESTView, named_operation, |
4 |
require_permission) |
|
5 |
from ivle.webapp.errors import BadRequest, MethodNotAllowed, Unauthorized |
|
1099.1.8
by William Grant
ivle.webapp.testing: Add, with fake request and user. |
6 |
from ivle.webapp.testing import FakeUser, FakeRequest |
7 |
||
1099.1.26
by William Grant
ivle.webapp.base.views#JSONRESTView: Check that methods are available before |
8 |
class JSONRESTViewTestWithoutPUT(JSONRESTView): |
9 |
'''A small JSON REST view for testing purposes, without a PUT method.'''
|
|
1099.1.112
by William Grant
Implement authorization in JSON REST views. Add security declarations to |
10 |
def get_permissions(self, user): |
11 |
if user.login == u'fakeuser': |
|
12 |
return set(['view', 'edit']) |
|
13 |
if user.login == u'otheruser': |
|
14 |
return set(['view']) |
|
15 |
return set() |
|
16 |
||
17 |
@require_permission('view') |
|
1099.1.8
by William Grant
ivle.webapp.testing: Add, with fake request and user. |
18 |
def GET(self, req): |
19 |
return {'method': 'get'} |
|
20 |
||
1099.1.112
by William Grant
Implement authorization in JSON REST views. Add security declarations to |
21 |
@require_permission('edit') |
1099.1.8
by William Grant
ivle.webapp.testing: Add, with fake request and user. |
22 |
def PATCH(self, req, data): |
23 |
return {'method': 'patch', |
|
24 |
'result': data['result'], 'test': data['test']} |
|
25 |
||
1099.1.112
by William Grant
Implement authorization in JSON REST views. Add security declarations to |
26 |
@named_operation('view') |
1099.1.28
by William Grant
ivle.webapp.base.views#JSONRESTView: Named operations now take the request. |
27 |
def do_stuff(self, req, what): |
1099.1.16
by William Grant
ivle.webapp.base.test: |
28 |
return {'result': 'Did %s!' % what} |
29 |
||
1099.1.112
by William Grant
Implement authorization in JSON REST views. Add security declarations to |
30 |
@named_operation('edit') |
1099.1.28
by William Grant
ivle.webapp.base.views#JSONRESTView: Named operations now take the request. |
31 |
def say_something(self, req, thing='nothing'): |
1099.1.27
by William Grant
ivle.webapp.base.views#JSONRESTView: Add support for argument defaults in |
32 |
return {'result': 'Said %s!' % thing} |
33 |
||
1099.1.112
by William Grant
Implement authorization in JSON REST views. Add security declarations to |
34 |
@named_operation('edit') |
1099.1.52
by William Grant
ivle.webapp.base.rest#RESTView: Remove broken old render() - it should be |
35 |
def do_say_something(self, req, what, thing='nothing'): |
36 |
return {'result': 'Said %s and %s!' % (what, thing)} |
|
37 |
||
1099.1.112
by William Grant
Implement authorization in JSON REST views. Add security declarations to |
38 |
@named_operation('view') |
1099.1.28
by William Grant
ivle.webapp.base.views#JSONRESTView: Named operations now take the request. |
39 |
def get_req_method(self, req): |
40 |
return {'method': req.method} |
|
41 |
||
1099.1.26
by William Grant
ivle.webapp.base.views#JSONRESTView: Check that methods are available before |
42 |
class JSONRESTViewTest(JSONRESTViewTestWithoutPUT): |
43 |
'''A small JSON REST view for testing purposes.'''
|
|
1099.1.112
by William Grant
Implement authorization in JSON REST views. Add security declarations to |
44 |
@require_permission('edit') |
1099.1.26
by William Grant
ivle.webapp.base.views#JSONRESTView: Check that methods are available before |
45 |
def PUT(self, req, data): |
46 |
return {'method': 'put', |
|
47 |
'result': data['result'], 'test': data['test']} |
|
48 |
||
1099.1.8
by William Grant
ivle.webapp.testing: Add, with fake request and user. |
49 |
class TestJSONRESTView: |
50 |
def testGET(self): |
|
51 |
req = FakeRequest() |
|
52 |
view = JSONRESTViewTest(req) |
|
53 |
view.render(req) |
|
54 |
assert req.content_type == 'application/json' |
|
55 |
assert req.response_body == '{"method": "get"}\n' |
|
56 |
||
57 |
def testPUT(self): |
|
58 |
req = FakeRequest() |
|
59 |
req.method = 'PUT' |
|
60 |
req.request_body = '{"test": "FAI\\uA746ED", "result": 1}' |
|
61 |
view = JSONRESTViewTest(req) |
|
62 |
view.render(req) |
|
63 |
assert req.content_type == 'application/json' |
|
64 |
assert req.response_body == \ |
|
65 |
'{"test": "FAI\\ua746ED", "method": "put", "result": 1}\n' |
|
66 |
||
67 |
def testPATCH(self): |
|
68 |
req = FakeRequest() |
|
69 |
req.method = 'PATCH' |
|
70 |
req.request_body = '{"test": "FAI\\uA746ED", "result": 1}' |
|
71 |
view = JSONRESTViewTest(req) |
|
72 |
view.render(req) |
|
73 |
assert req.content_type == 'application/json' |
|
74 |
assert req.response_body == \ |
|
75 |
'{"test": "FAI\\ua746ED", "method": "patch", "result": 1}\n' |
|
76 |
||
77 |
def testEmulatedPATCH(self): |
|
78 |
req = FakeRequest() |
|
79 |
req.method = 'PUT' |
|
80 |
req.headers_in['X-IVLE-Patch-Semantics'] = 'yes' |
|
81 |
req.request_body = '{"test": "FAI\\uA746ED", "result": 1}' |
|
82 |
view = JSONRESTViewTest(req) |
|
83 |
view.render(req) |
|
84 |
assert req.content_type == 'application/json' |
|
85 |
assert req.response_body == \ |
|
86 |
'{"test": "FAI\\ua746ED", "method": "patch", "result": 1}\n' |
|
87 |
||
88 |
def testInvalidMethod(self): |
|
89 |
req = FakeRequest() |
|
90 |
req.method = 'FAKEANDBOGUS' |
|
91 |
view = JSONRESTViewTest(req) |
|
92 |
try: |
|
93 |
view.render(req) |
|
1099.1.26
by William Grant
ivle.webapp.base.views#JSONRESTView: Check that methods are available before |
94 |
except MethodNotAllowed, e: |
95 |
assert e.allowed == ['GET', 'PUT', 'PATCH', 'POST'] |
|
96 |
else: |
|
97 |
raise AssertionError("did not raise MethodNotAllowed") |
|
98 |
||
99 |
def testNoPUTMethod(self): |
|
100 |
req = FakeRequest() |
|
101 |
req.method = 'PUT' |
|
102 |
view = JSONRESTViewTestWithoutPUT(req) |
|
103 |
try: |
|
104 |
view.render(req) |
|
105 |
except MethodNotAllowed, e: |
|
106 |
assert e.allowed == ['GET', 'PATCH', 'POST'] |
|
1099.1.8
by William Grant
ivle.webapp.testing: Add, with fake request and user. |
107 |
else: |
1099.1.16
by William Grant
ivle.webapp.base.test: |
108 |
raise AssertionError("did not raise MethodNotAllowed") |
1099.1.8
by William Grant
ivle.webapp.testing: Add, with fake request and user. |
109 |
|
110 |
def testInvalidMethodWithPATCHEmulation(self): |
|
111 |
req = FakeRequest() |
|
112 |
req.method = 'FAKEANDBOGUS' |
|
113 |
req.headers_in['X-IVLE-Patch-Semantics'] = 'yes' |
|
114 |
view = JSONRESTViewTest(req) |
|
115 |
try: |
|
116 |
view.render(req) |
|
1099.1.16
by William Grant
ivle.webapp.base.test: |
117 |
except MethodNotAllowed: |
1099.1.8
by William Grant
ivle.webapp.testing: Add, with fake request and user. |
118 |
pass
|
119 |
else: |
|
1099.1.16
by William Grant
ivle.webapp.base.test: |
120 |
raise AssertionError("did not raise MethodNotAllowed") |
121 |
||
122 |
def testNamedOperation(self): |
|
123 |
req = FakeRequest() |
|
124 |
req.method = 'POST' |
|
125 |
req.request_body = urllib.urlencode({'ivle.op': 'do_stuff', |
|
126 |
'what': 'blah'}) |
|
127 |
view = JSONRESTViewTest(req) |
|
128 |
view.render(req) |
|
129 |
assert req.content_type == 'application/json' |
|
130 |
assert req.response_body == '{"result": "Did blah!"}\n' |
|
131 |
||
132 |
def testPOSTWithoutName(self): |
|
133 |
req = FakeRequest() |
|
134 |
req.method = 'POST' |
|
135 |
req.request_body = urllib.urlencode({'what': 'blah'}) |
|
136 |
view = JSONRESTViewTest(req) |
|
137 |
try: |
|
138 |
view.render(req) |
|
139 |
except BadRequest, e: |
|
140 |
assert e.message == 'No named operation specified.' |
|
141 |
else: |
|
142 |
raise AssertionError("did not raise BadRequest") |
|
143 |
||
144 |
def testNonexistentNamedOperation(self): |
|
145 |
req = FakeRequest() |
|
146 |
req.method = 'POST' |
|
147 |
req.request_body = urllib.urlencode({'ivle.op': 'enoent'}) |
|
148 |
view = JSONRESTViewTest(req) |
|
149 |
try: |
|
150 |
view.render(req) |
|
151 |
except BadRequest, e: |
|
152 |
assert e.message == 'Invalid named operation.' |
|
153 |
else: |
|
154 |
raise AssertionError("did not raise BadRequest") |
|
155 |
||
156 |
def testDisallowedNamedOperation(self): |
|
157 |
req = FakeRequest() |
|
158 |
req.method = 'POST' |
|
159 |
req.request_body = urllib.urlencode({'ivle.op': 'GET'}) |
|
160 |
view = JSONRESTViewTest(req) |
|
161 |
try: |
|
162 |
view.render(req) |
|
163 |
except BadRequest, e: |
|
164 |
assert e.message == 'Invalid named operation.' |
|
165 |
else: |
|
166 |
raise AssertionError("did not raise BadRequest") |
|
167 |
||
168 |
def testNamedOperationWithMissingArgs(self): |
|
169 |
req = FakeRequest() |
|
170 |
req.method = 'POST' |
|
171 |
req.request_body = urllib.urlencode({'ivle.op': 'do_stuff', |
|
172 |
'nothing': 'wrong'}) |
|
173 |
view = JSONRESTViewTest(req) |
|
174 |
try: |
|
175 |
view.render(req) |
|
176 |
except BadRequest, e: |
|
177 |
assert e.message == 'Missing arguments: what' |
|
178 |
else: |
|
1099.1.8
by William Grant
ivle.webapp.testing: Add, with fake request and user. |
179 |
raise AssertionError("did not raise BadRequest") |
1099.1.27
by William Grant
ivle.webapp.base.views#JSONRESTView: Add support for argument defaults in |
180 |
|
181 |
def testNamedOperationWithExtraArgs(self): |
|
182 |
req = FakeRequest() |
|
183 |
req.method = 'POST' |
|
184 |
req.request_body = urllib.urlencode({'ivle.op': 'do_stuff', |
|
185 |
'what': 'blah', |
|
186 |
'toomany': 'args'}) |
|
187 |
view = JSONRESTViewTest(req) |
|
188 |
try: |
|
189 |
view.render(req) |
|
190 |
except BadRequest, e: |
|
191 |
assert e.message == 'Extra arguments: toomany' |
|
192 |
else: |
|
193 |
raise AssertionError("did not raise BadRequest") |
|
194 |
||
195 |
def testNamedOperationWithDefaultArgs(self): |
|
196 |
req = FakeRequest() |
|
197 |
req.method = 'POST' |
|
198 |
req.request_body = urllib.urlencode({'ivle.op': 'say_something'}) |
|
199 |
view = JSONRESTViewTest(req) |
|
200 |
view.render(req) |
|
201 |
assert req.content_type == 'application/json' |
|
202 |
assert req.response_body == '{"result": "Said nothing!"}\n' |
|
203 |
||
204 |
def testNamedOperationWithOverriddenDefaultArgs(self): |
|
205 |
req = FakeRequest() |
|
206 |
req.method = 'POST' |
|
207 |
req.request_body = urllib.urlencode({'ivle.op': 'say_something', |
|
208 |
'thing': 'something'}) |
|
209 |
view = JSONRESTViewTest(req) |
|
210 |
view.render(req) |
|
211 |
assert req.content_type == 'application/json' |
|
212 |
assert req.response_body == '{"result": "Said something!"}\n' |
|
1099.1.28
by William Grant
ivle.webapp.base.views#JSONRESTView: Named operations now take the request. |
213 |
|
1099.1.52
by William Grant
ivle.webapp.base.rest#RESTView: Remove broken old render() - it should be |
214 |
def testNamedOperationWithDefaultAndMissingArgs(self): |
215 |
req = FakeRequest() |
|
216 |
req.method = 'POST' |
|
217 |
req.request_body = urllib.urlencode({'ivle.op': 'do_say_something', |
|
218 |
'thing': 'something'}) |
|
219 |
view = JSONRESTViewTest(req) |
|
220 |
try: |
|
221 |
view.render(req) |
|
222 |
except BadRequest, e: |
|
223 |
assert e.message == 'Missing arguments: what' |
|
224 |
else: |
|
225 |
raise AssertionError("did not raise BadRequest") |
|
226 |
||
1099.1.28
by William Grant
ivle.webapp.base.views#JSONRESTView: Named operations now take the request. |
227 |
def testNamedOperationUsingRequest(self): |
228 |
req = FakeRequest() |
|
229 |
req.method = 'POST' |
|
230 |
req.request_body = urllib.urlencode({'ivle.op': 'get_req_method'}) |
|
231 |
view = JSONRESTViewTest(req) |
|
232 |
view.render(req) |
|
233 |
assert req.content_type == 'application/json' |
|
234 |
assert req.response_body == '{"method": "POST"}\n' |
|
1099.1.53
by William Grant
ivle.webapp.base.rest#JSONRESTView: Check for bad JSON input, rather than |
235 |
|
236 |
def testInvalidPOSTData(self): |
|
237 |
req = FakeRequest() |
|
238 |
req.method = 'POST' |
|
239 |
req.request_body = 'I am invalid&&&&' |
|
240 |
view = JSONRESTViewTest(req) |
|
241 |
try: |
|
242 |
view.render(req) |
|
243 |
except BadRequest, e: |
|
244 |
print e.message |
|
245 |
assert e.message == 'No named operation specified.' |
|
246 |
else: |
|
247 |
raise AssertionError("did not raise BadRequest") |
|
248 |
||
249 |
def testInvalidPATCHData(self): |
|
250 |
req = FakeRequest() |
|
251 |
req.method = 'PATCH' |
|
252 |
req.request_body = 'I am invalid' |
|
253 |
view = JSONRESTViewTest(req) |
|
254 |
try: |
|
255 |
view.render(req) |
|
256 |
except BadRequest, e: |
|
257 |
assert e.message == 'Invalid JSON data' |
|
258 |
else: |
|
259 |
raise AssertionError("did not raise BadRequest") |
|
260 |
||
261 |
def testInvalidPUTData(self): |
|
262 |
req = FakeRequest() |
|
263 |
req.method = 'PUT' |
|
264 |
req.request_body = 'I am invalid' |
|
265 |
view = JSONRESTViewTest(req) |
|
266 |
try: |
|
267 |
view.render(req) |
|
268 |
except BadRequest, e: |
|
269 |
assert e.message == 'Invalid JSON data' |
|
270 |
else: |
|
271 |
raise AssertionError("did not raise BadRequest") |
|
1099.1.112
by William Grant
Implement authorization in JSON REST views. Add security declarations to |
272 |
|
273 |
class TestJSONRESTSecurity: |
|
274 |
def testGoodMethod(self): |
|
275 |
req = FakeRequest() |
|
276 |
req.user.login = u'otheruser' |
|
277 |
req.method = 'GET' |
|
278 |
view = JSONRESTViewTest(req) |
|
279 |
view.render(req) |
|
280 |
assert req.content_type == 'application/json' |
|
281 |
assert req.response_body == '{"method": "get"}\n' |
|
282 |
||
283 |
def testBadMethod(self): |
|
284 |
req = FakeRequest() |
|
285 |
req.user.login = u'otheruser' |
|
286 |
req.method = 'PUT' |
|
287 |
view = JSONRESTViewTest(req) |
|
288 |
try: |
|
289 |
view.render(req) |
|
290 |
except Unauthorized, e: |
|
291 |
pass
|
|
292 |
else: |
|
293 |
raise AssertionError("did not raise Unauthorized") |
|
294 |
||
295 |
def testGoodNamedOperation(self): |
|
296 |
req = FakeRequest() |
|
297 |
req.user.login = u'otheruser' |
|
298 |
req.method = 'POST' |
|
299 |
req.request_body = urllib.urlencode({'ivle.op': 'do_stuff', |
|
300 |
'what': 'blah'}) |
|
301 |
view = JSONRESTViewTest(req) |
|
302 |
view.render(req) |
|
303 |
assert req.content_type == 'application/json' |
|
304 |
assert req.response_body == '{"result": "Did blah!"}\n' |
|
305 |
||
306 |
def testBadNamedOperation(self): |
|
307 |
req = FakeRequest() |
|
308 |
req.user.login = u'otheruser' |
|
309 |
req.method = 'POST' |
|
310 |
req.request_body = urllib.urlencode({'ivle.op': 'say_something'}) |
|
311 |
view = JSONRESTViewTest(req) |
|
312 |
try: |
|
313 |
view.render(req) |
|
314 |
except Unauthorized, e: |
|
315 |
pass
|
|
316 |
else: |
|
317 |
raise AssertionError("did not raise Unauthorized") |
|
318 |