# retoor import time import requests from tests.conftest import BASE_URL from devplacepy.database import ( get_table, get_primary_admin_uid, invalidate_admins_cache, refresh_snapshot, ) from devplacepy.utils import clear_user_cache JSON = {"Accept": "application/json"} _counter = [0] def _signup(): _counter[0] += 1 name = f"pcm{int(time.time() * 1000)}{_counter[0]}" requests.post( f"{BASE_URL}/auth/signup", data={ "username": name, "email": f"{name}@t.dev", "password": "secret123", "confirm_password": "secret123", }, allow_redirects=True, ) row = get_table("users").find_one(username=name) return row["uid"], row["api_key"] def _make_admin(): uid, key = _signup() get_table("users").update({"uid": uid, "role": "Admin"}, ["uid"]) clear_user_cache(uid) invalidate_admins_cache() return uid, key def _primary_admin_key(): refresh_snapshot() uid = get_primary_admin_uid() return get_table("users").find_one(uid=uid)["api_key"] def _headers(key): return {**JSON, "X-API-KEY": key} def _create_project(key, title, is_private=False): data = { "title": title, "description": "project container manage isolation test", "project_type": "software", "status": "In Development", } if is_private: data["is_private"] = "on" r = requests.post(f"{BASE_URL}/projects/create", headers=_headers(key), data=data) assert r.status_code == 200, r.text return r.json()["data"] def _insert_instance(project_uid, created_by): uid = f"pcm-{int(time.time() * 1000000)}" get_table("instances").insert( { "uid": uid, "slug": uid, "name": "manage-test", "project_uid": project_uid, "created_by": created_by, "owner_uid": "", "status": "created", "container_id": "", "workspace_dir": "", "restart_policy": "never", "deleted_at": None, "deleted_by": None, } ) refresh_snapshot() return uid def _cleanup(inst_uid): get_table("instances").delete(uid=inst_uid) get_table("instance_schedules").delete(instance_uid=inst_uid) refresh_snapshot() def _url(slug, inst_uid, tail=""): base = f"{BASE_URL}/projects/{slug}/containers/instances/{inst_uid}" return f"{base}{tail}" if tail else base def test_delete_denied_for_non_owner_admin_on_public_project(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Project Manage Delete Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post(_url(project["slug"], inst_uid, "/delete"), headers=_headers(other_key)) assert r.status_code == 403 assert get_table("instances").find_one(uid=inst_uid) is not None finally: _cleanup(inst_uid) def test_delete_allowed_for_owner(app_server): owner_uid, owner_key = _make_admin() project = _create_project(owner_key, "Project Manage Delete Owner", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post(_url(project["slug"], inst_uid, "/delete"), headers=_headers(owner_key)) assert r.status_code == 200 finally: _cleanup(inst_uid) def test_lifecycle_actions_denied_for_non_owner_admin(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Project Manage Lifecycle Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: for action in ("start", "stop", "pause", "resume", "restart"): r = requests.post(_url(project["slug"], inst_uid, f"/{action}"), headers=_headers(other_key)) assert r.status_code == 403, action finally: _cleanup(inst_uid) def test_lifecycle_actions_allowed_for_owner(app_server): owner_uid, owner_key = _make_admin() project = _create_project(owner_key, "Project Manage Lifecycle Owner", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: for action in ("start", "stop", "pause", "resume", "restart"): r = requests.post(_url(project["slug"], inst_uid, f"/{action}"), headers=_headers(owner_key)) assert r.status_code == 200, action finally: _cleanup(inst_uid) def test_exec_denied_for_non_owner_admin(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Project Manage Exec Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post( _url(project["slug"], inst_uid, "/exec"), headers=_headers(other_key), data={"command": "ls"}, ) assert r.status_code == 403 finally: _cleanup(inst_uid) def test_exec_allowed_for_owner_reaches_running_check(app_server): owner_uid, owner_key = _make_admin() project = _create_project(owner_key, "Project Manage Exec Owner", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post( _url(project["slug"], inst_uid, "/exec"), headers=_headers(owner_key), data={"command": "ls"}, ) assert r.status_code == 400 assert "not running" in r.json()["error"]["message"] finally: _cleanup(inst_uid) def test_sync_denied_for_non_owner_admin(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Project Manage Sync Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post(_url(project["slug"], inst_uid, "/sync"), headers=_headers(other_key)) assert r.status_code == 403 finally: _cleanup(inst_uid) def test_sync_allowed_for_owner_reaches_workspace_check(app_server): owner_uid, owner_key = _make_admin() project = _create_project(owner_key, "Project Manage Sync Owner", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post(_url(project["slug"], inst_uid, "/sync"), headers=_headers(owner_key)) assert r.status_code == 400 assert "workspace" in r.json()["error"]["message"] finally: _cleanup(inst_uid) def test_schedule_create_denied_for_non_owner_admin(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Project Manage Schedule Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post( _url(project["slug"], inst_uid, "/schedules"), headers=_headers(other_key), data={"action": "start", "kind": "cron", "cron": "0 3 * * *"}, ) assert r.status_code == 403 assert get_table("instance_schedules").find_one(instance_uid=inst_uid) is None finally: _cleanup(inst_uid) def test_schedule_create_allowed_for_owner(app_server): owner_uid, owner_key = _make_admin() project = _create_project(owner_key, "Project Manage Schedule Owner", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post( _url(project["slug"], inst_uid, "/schedules"), headers=_headers(owner_key), data={"action": "start", "kind": "cron", "cron": "0 3 * * *"}, ) assert r.status_code == 200 assert get_table("instance_schedules").find_one(instance_uid=inst_uid) is not None finally: _cleanup(inst_uid) def test_schedule_delete_denied_for_non_owner_admin(app_server): owner_uid, owner_key = _make_admin() _, other_key = _make_admin() project = _create_project(owner_key, "Project Manage Schedule Delete Denied", is_private=False) inst_uid = _insert_instance(project["uid"], owner_uid) try: created = requests.post( _url(project["slug"], inst_uid, "/schedules"), headers=_headers(owner_key), data={"action": "start", "kind": "cron", "cron": "0 3 * * *"}, ) sched_uid = created.json()["data"]["schedule"]["uid"] r = requests.post( _url(project["slug"], inst_uid, f"/schedules/{sched_uid}/delete"), headers=_headers(other_key), ) assert r.status_code == 403 assert get_table("instance_schedules").find_one(uid=sched_uid) is not None finally: _cleanup(inst_uid) def test_primary_admin_can_manage_others_private_instance(app_server): owner_uid, owner_key = _make_admin() primary_key = _primary_admin_key() project = _create_project(owner_key, "Project Manage Primary Private", is_private=True) inst_uid = _insert_instance(project["uid"], owner_uid) try: r = requests.post(_url(project["slug"], inst_uid, "/stop"), headers=_headers(primary_key)) assert r.status_code == 200 finally: _cleanup(inst_uid)