# retoor import time import requests from tests.conftest import BASE_URL from devplacepy.database import ( get_table, get_primary_admin_uid, invalidate_admins_cache, refresh_snapshot, ) from devplacepy.utils import clear_user_cache JSON = {"Accept": "application/json"} _counter = [0] def _signup(): _counter[0] += 1 name = f"acm{int(time.time() * 1000)}{_counter[0]}" requests.post( f"{BASE_URL}/auth/signup", data={ "username": name, "email": f"{name}@t.dev", "password": "secret123", "confirm_password": "secret123", }, allow_redirects=True, ) row = get_table("users").find_one(username=name) return row["uid"], row["api_key"] def _make_admin(): uid, key = _signup() get_table("users").update({"uid": uid, "role": "Admin"}, ["uid"]) clear_user_cache(uid) invalidate_admins_cache() return uid, key def _primary_admin_key(): refresh_snapshot() uid = get_primary_admin_uid() return get_table("users").find_one(uid=uid)["api_key"] def _headers(key): return {**JSON, "X-API-KEY": key} def _create_project(key, title, is_private=False): data = { "title": title, "description": "admin container manage isolation test", "project_type": "software", "status": "In Development", } if is_private: data["is_private"] = "on" r = requests.post(f"{BASE_URL}/projects/create", headers=_headers(key), data=data) assert r.status_code == 200, r.text return r.json()["data"] def _insert_instance(project_uid, created_by): uid = f"acm-{int(time.time() * 1000000)}" get_table("instances").insert( { "uid": uid, "slug": uid, "name": "manage-test", "project_uid": project_uid, "created_by": created_by, "owner_uid": "", "status": "created", "container_id": "", "workspace_dir": "", "restart_policy": "never", "deleted_at": None, "deleted_by": None, } ) refresh_snapshot() return uid def _cleanup(inst_uid): get_table("instances").delete(uid=inst_uid) refresh_snapshot() def test_data_flags_can_manage_for_owner_and_hides_for_other_on_public_project(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Manage Data Public", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: owner_rows = requests.get( f"{BASE_URL}/admin/containers/data", headers=_headers(owner_key) ).json()["instances"] other_rows = requests.get( f"{BASE_URL}/admin/containers/data", headers=_headers(other_key) ).json()["instances"] owner_row = next(r for r in owner_rows if r["uid"] == inst_uid) other_row = next(r for r in other_rows if r["uid"] == inst_uid) assert owner_row["can_manage"] is True assert other_row["can_manage"] is False finally: _cleanup(inst_uid) def test_data_excludes_others_private_project_instance(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Manage Data Private", is_private=True) inst_uid = _insert_instance(project["uid"], owner_uid) try: other_rows = requests.get( f"{BASE_URL}/admin/containers/data", headers=_headers(other_key) ).json()["instances"] assert all(r["uid"] != inst_uid for r in other_rows) owner_rows = requests.get( f"{BASE_URL}/admin/containers/data", headers=_headers(owner_key) ).json()["instances"] assert any(r["uid"] == inst_uid for r in owner_rows) finally: _cleanup(inst_uid) def test_primary_admin_sees_and_can_manage_others_private_instance(app_server): owner_uid, owner_key = _make_admin() primary_key = _primary_admin_key() project = _create_project(owner_key, "Manage Data Primary", is_private=True) inst_uid = _insert_instance(project["uid"], owner_uid) try: rows = requests.get( f"{BASE_URL}/admin/containers/data", headers=_headers(primary_key) ).json()["instances"] row = next(r for r in rows if r["uid"] == inst_uid) assert row["can_manage"] is True finally: _cleanup(inst_uid) def test_instance_detail_404_for_non_viewer_on_private_project(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Manage Detail Private", is_private=True) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.get( f"{BASE_URL}/admin/containers/{inst_uid}", headers=_headers(other_key) ) assert r.status_code == 404 r = requests.get( f"{BASE_URL}/admin/containers/{inst_uid}", headers=_headers(owner_key) ) assert r.status_code == 200 finally: _cleanup(inst_uid) def test_instance_detail_view_only_for_non_owner_on_public_project(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Manage Detail Public", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.get( f"{BASE_URL}/admin/containers/{inst_uid}", headers=_headers(other_key) ) assert r.status_code == 200 assert r.json()["can_manage"] is False r = requests.get( f"{BASE_URL}/admin/containers/{inst_uid}", headers=_headers(owner_key) ) assert r.json()["can_manage"] is True finally: _cleanup(inst_uid) def test_lifecycle_actions_denied_for_non_owner_admin(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Manage Lifecycle Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: for action in ("start", "stop", "pause", "resume", "restart"): r = requests.post( f"{BASE_URL}/admin/containers/{inst_uid}/{action}", headers=_headers(other_key), ) assert r.status_code == 403, action finally: _cleanup(inst_uid) def test_lifecycle_actions_allowed_for_owner(app_server): owner_uid, owner_key = _make_admin() project = _create_project(owner_key, "Manage Lifecycle Owner", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: for action in ("start", "stop", "pause", "resume", "restart"): r = requests.post( f"{BASE_URL}/admin/containers/{inst_uid}/{action}", headers=_headers(owner_key), ) assert r.status_code == 200, action finally: _cleanup(inst_uid) def test_delete_denied_for_non_owner_admin(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Manage Delete Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post( f"{BASE_URL}/admin/containers/{inst_uid}/delete", headers=_headers(other_key) ) assert r.status_code == 403 assert get_table("instances").find_one(uid=inst_uid) is not None finally: _cleanup(inst_uid) def test_delete_allowed_for_owner(app_server): owner_uid, owner_key = _make_admin() project = _create_project(owner_key, "Manage Delete Owner", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post( f"{BASE_URL}/admin/containers/{inst_uid}/delete", headers=_headers(owner_key) ) assert r.status_code == 200 finally: _cleanup(inst_uid) def test_sync_denied_for_non_owner_admin(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Manage Sync Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post( f"{BASE_URL}/admin/containers/{inst_uid}/sync", headers=_headers(other_key) ) assert r.status_code == 403 finally: _cleanup(inst_uid) def test_sync_allowed_for_owner_reaches_workspace_check(app_server): owner_uid, owner_key = _make_admin() project = _create_project(owner_key, "Manage Sync Owner", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post( f"{BASE_URL}/admin/containers/{inst_uid}/sync", headers=_headers(owner_key) ) assert r.status_code == 400 assert "workspace" in r.json()["error"]["message"] finally: _cleanup(inst_uid) def test_configure_denied_for_non_owner_admin(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Manage Configure Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post( f"{BASE_URL}/admin/containers/{inst_uid}/edit", headers=_headers(other_key), data={"restart_policy": "always"}, ) assert r.status_code == 403 finally: _cleanup(inst_uid) def test_configure_allowed_for_owner(app_server): owner_uid, owner_key = _make_admin() project = _create_project(owner_key, "Manage Configure Owner", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post( f"{BASE_URL}/admin/containers/{inst_uid}/edit", headers=_headers(owner_key), data={"restart_policy": "always"}, ) assert r.status_code == 200 finally: _cleanup(inst_uid) def test_edit_page_redirects_non_owner_admin(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Manage Edit Page Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.get( f"{BASE_URL}/admin/containers/{inst_uid}/edit", headers=_headers(other_key), allow_redirects=False, ) assert r.status_code == 302 assert r.headers["location"] == f"/admin/containers/{inst_uid}" finally: _cleanup(inst_uid) def test_edit_page_allowed_for_owner(app_server): owner_uid, owner_key = _make_admin() project = _create_project(owner_key, "Manage Edit Page Owner", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.get( f"{BASE_URL}/admin/containers/{inst_uid}/edit", headers=_headers(owner_key) ) assert r.status_code == 200 finally: _cleanup(inst_uid) def test_create_rejects_others_private_project(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Manage Create Denied", is_private=True) r = requests.post( f"{BASE_URL}/admin/containers/create", headers=_headers(other_key), data={"project_slug": project["slug"], "name": "denied-instance"}, ) assert r.status_code == 404 assert get_table("instances").find_one(name="denied-instance") is None def test_projects_search_excludes_others_private_project(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() title = f"Manage Search Unique {int(time.time() * 1000)}" project = _create_project(owner_key, title, is_private=True) r = requests.get( f"{BASE_URL}/admin/containers/projects/search", headers=_headers(other_key), params={"q": title}, ) assert all(res["slug"] != project["slug"] for res in r.json()["results"]) r = requests.get( f"{BASE_URL}/admin/containers/projects/search", headers=_headers(owner_key), params={"q": title}, ) assert any(res["slug"] == project["slug"] for res in r.json()["results"])