Adjust tests for authorization

Signed-off-by: Georg Pfuetzenreuter <mail@georg-pfuetzenreuter.net>
2024-09-28 18:08:37 +02:00 · 2024-09-28 18:08:37 +02:00 · 353ca0f44a
commit 353ca0f44a
parent a47ee638f1
3 changed files with 54 additions and 3 deletions
--- a/scripts/test.sh
+++ b/scripts/test.sh
@ -8,5 +8,5 @@ podman run                \
 	-it                     \
 	-v .:"$wd"              \
 	registry.opensuse.org/home/crameleon/containers/containers/crameleon/pytest-nftables:latest \
-	env PYTHONPATH="$wd" pytest --pdb --pdbcls=IPython.terminal.debugger:Pdb -rA -s -v -x "$wd"/tests
+	env NFT-API-CONFIG="$wd"/tests/config.yaml PYTHONPATH="$wd" pytest --pdb --pdbcls=IPython.terminal.debugger:Pdb -rA -s -v -x "$wd"/tests

--- a/tests/config.yaml
+++ b/tests/config.yaml
@ -0,0 +1,12 @@
+nft-api:
+  tokens:
+    $2y$05$1g7dRvcw2Jkml7WHIWa1Q.O9qg5shbHA8VHxZhwkmCTVmnkl4GDjW:  # == ICanOnlyGet
+      /set/inet/filter/testset4:
+        - GET
+    $2y$05$7e4Slhr6/SWvaQXGRQywdua0jpm6HxOCiC8tYowpR2ioW2.ZKFdHe:  # == foo
+      /set/inet/filter/testset4:
+        - GET
+        - POST
+      /set/inet/filter/testset6:
+        - GET
+        - POST
--- a/tests/test_api_set.py
+++ b/tests/test_api_set.py
@ -10,22 +10,60 @@ You may obtain copies of the Licence in any of the official languages at https:/

 from json import dumps, loads

-from falcon import HTTP_CREATED, HTTP_OK
+from falcon import HTTP_CREATED, HTTP_OK, HTTP_UNAUTHORIZED
 from pytest import mark

 vs = [4, 6]

+
+def test_get_set_unauthorized_no_token(client):
+  response = client.simulate_get('/set/inet/filter/testset4')
+  have_out = loads(response.content)
+  assert response.status == HTTP_UNAUTHORIZED
+  assert 'title' in have_out
+  assert have_out['title'] == 'Authentication required'
+
+
+def test_get_set_unauthorized_wrong_token(client):
+  response = client.simulate_get(
+    '/set/inet/filter/testset4',
+    headers={'X-NFT-API-Token': 'pwned'},
+  )
+  have_out = loads(response.content)
+  assert response.status == HTTP_UNAUTHORIZED
+  assert 'title' in have_out
+  assert have_out['title'] == 'Unauthorized'
+
+
+def test_post_set_unauthorized_wrong_token_for_method(client):
+  response = client.simulate_post(
+    '/set/inet/filter/testset4',
+    headers={
+      'content-type': 'application/json',
+      'X-NFT-API-Token': 'ICanOnlyGet',
+    },
+  )
+  have_out = loads(response.content)
+  assert response.status == HTTP_UNAUTHORIZED
+  assert 'title' in have_out
+  assert have_out['title'] == 'Unauthorized method for path'
+
+
@mark.parametrize('v', vs)
 def test_get_set(client, nft_ruleset_populated_sets, v):  # noqa ARG001, nft is not needed here
  want_out = {
    4: ["192.168.0.0/24", "127.0.0.1"],
    6: ["fd80::/64", "fe80::1"],
  }
-  response = client.simulate_get(f'/set/inet/filter/testset{v}')
+  response = client.simulate_get(
+    f'/set/inet/filter/testset{v}',
+    headers={'X-NFT-API-Token': 'foo'},
+  )
  have_out = loads(response.content)
  assert sorted(have_out) == sorted(want_out[v])
  assert response.status == HTTP_OK

+
@mark.parametrize('v', vs)
@mark.parametrize('plvariant', ['address', 'network'])
@mark.parametrize('plformat', ['string', 'list'])
@ -65,6 +103,7 @@ def test_append_to_set(client, nft_ruleset_populated_sets, v, plvariant, plforma
    }),
    headers={
      'content-type': 'application/json',
+      'X-NFT-API-Token': 'foo',
    },
  )
  have_out = loads(response.content)