# retoor <retoor@molodetz.nl>
import time
import requests
from tests.conftest import BASE_URL
from devplacepy.database import (
get_table,
get_primary_admin_uid,
invalidate_admins_cache,
refresh_snapshot,
)
from devplacepy.utils import clear_user_cache
JSON = {"Accept": "application/json"}
_counter = [0]
def _signup():
_counter[0] += 1
name = f"acm{int(time.time() * 1000)}{_counter[0]}"
requests.post(
f"{BASE_URL}/auth/signup",
data={
"username": name,
"email": f"{name}@t.dev",
"password": "secret123",
"confirm_password": "secret123",
},
allow_redirects=True,
)
row = get_table("users").find_one(username=name)
return row["uid"], row["api_key"]
def _make_admin():
uid, key = _signup()
get_table("users").update({"uid": uid, "role": "Admin"}, ["uid"])
clear_user_cache(uid)
invalidate_admins_cache()
return uid, key
def _primary_admin_key():
refresh_snapshot()
uid = get_primary_admin_uid()
return get_table("users").find_one(uid=uid)["api_key"]
def _headers(key):
return {**JSON, "X-API-KEY": key}
def _create_project(key, title, is_private=False):
data = {
"title": title,
"description": "admin container manage isolation test",
"project_type": "software",
"status": "In Development",
}
if is_private:
data["is_private"] = "on"
r = requests.post(f"{BASE_URL}/projects/create", headers=_headers(key), data=data)
assert r.status_code == 200, r.text
return r.json()["data"]
def _insert_instance(project_uid, created_by):
uid = f"acm-{int(time.time() * 1000000)}"
get_table("instances").insert(
{
"uid": uid,
"slug": uid,
"name": "manage-test",
"project_uid": project_uid,
"created_by": created_by,
"owner_uid": "",
"status": "created",
"container_id": "",
"workspace_dir": "",
"restart_policy": "never",
"deleted_at": None,
"deleted_by": None,
}
)
refresh_snapshot()
return uid
def _cleanup(inst_uid):
get_table("instances").delete(uid=inst_uid)
refresh_snapshot()
def test_data_flags_can_manage_for_owner_and_hides_for_other_on_public_project(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
project = _create_project(owner_key, "Manage Data Public", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
owner_rows = requests.get(
f"{BASE_URL}/admin/containers/data", headers=_headers(owner_key)
).json()["instances"]
other_rows = requests.get(
f"{BASE_URL}/admin/containers/data", headers=_headers(other_key)
).json()["instances"]
owner_row = next(r for r in owner_rows if r["uid"] == inst_uid)
other_row = next(r for r in other_rows if r["uid"] == inst_uid)
assert owner_row["can_manage"] is True
assert other_row["can_manage"] is False
finally:
_cleanup(inst_uid)
def test_data_excludes_others_private_project_instance(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
project = _create_project(owner_key, "Manage Data Private", is_private=True)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
other_rows = requests.get(
f"{BASE_URL}/admin/containers/data", headers=_headers(other_key)
).json()["instances"]
assert all(r["uid"] != inst_uid for r in other_rows)
owner_rows = requests.get(
f"{BASE_URL}/admin/containers/data", headers=_headers(owner_key)
).json()["instances"]
assert any(r["uid"] == inst_uid for r in owner_rows)
finally:
_cleanup(inst_uid)
def test_primary_admin_sees_and_can_manage_others_private_instance(app_server):
owner_uid, owner_key = _make_admin()
primary_key = _primary_admin_key()
project = _create_project(owner_key, "Manage Data Primary", is_private=True)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
rows = requests.get(
f"{BASE_URL}/admin/containers/data", headers=_headers(primary_key)
).json()["instances"]
row = next(r for r in rows if r["uid"] == inst_uid)
assert row["can_manage"] is True
finally:
_cleanup(inst_uid)
def test_instance_detail_404_for_non_viewer_on_private_project(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
project = _create_project(owner_key, "Manage Detail Private", is_private=True)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
r = requests.get(
f"{BASE_URL}/admin/containers/{inst_uid}", headers=_headers(other_key)
)
assert r.status_code == 404
r = requests.get(
f"{BASE_URL}/admin/containers/{inst_uid}", headers=_headers(owner_key)
)
assert r.status_code == 200
finally:
_cleanup(inst_uid)
def test_instance_detail_view_only_for_non_owner_on_public_project(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
project = _create_project(owner_key, "Manage Detail Public", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
r = requests.get(
f"{BASE_URL}/admin/containers/{inst_uid}", headers=_headers(other_key)
)
assert r.status_code == 200
assert r.json()["can_manage"] is False
r = requests.get(
f"{BASE_URL}/admin/containers/{inst_uid}", headers=_headers(owner_key)
)
assert r.json()["can_manage"] is True
finally:
_cleanup(inst_uid)
def test_lifecycle_actions_denied_for_non_owner_admin(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
project = _create_project(owner_key, "Manage Lifecycle Denied", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
for action in ("start", "stop", "pause", "resume", "restart"):
r = requests.post(
f"{BASE_URL}/admin/containers/{inst_uid}/{action}",
headers=_headers(other_key),
)
assert r.status_code == 403, action
finally:
_cleanup(inst_uid)
def test_lifecycle_actions_allowed_for_owner(app_server):
owner_uid, owner_key = _make_admin()
project = _create_project(owner_key, "Manage Lifecycle Owner", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
for action in ("start", "stop", "pause", "resume", "restart"):
r = requests.post(
f"{BASE_URL}/admin/containers/{inst_uid}/{action}",
headers=_headers(owner_key),
)
assert r.status_code == 200, action
finally:
_cleanup(inst_uid)
def test_delete_denied_for_non_owner_admin(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
project = _create_project(owner_key, "Manage Delete Denied", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
r = requests.post(
f"{BASE_URL}/admin/containers/{inst_uid}/delete", headers=_headers(other_key)
)
assert r.status_code == 403
assert get_table("instances").find_one(uid=inst_uid) is not None
finally:
_cleanup(inst_uid)
def test_delete_allowed_for_owner(app_server):
owner_uid, owner_key = _make_admin()
project = _create_project(owner_key, "Manage Delete Owner", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
r = requests.post(
f"{BASE_URL}/admin/containers/{inst_uid}/delete", headers=_headers(owner_key)
)
assert r.status_code == 200
finally:
_cleanup(inst_uid)
def test_sync_denied_for_non_owner_admin(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
project = _create_project(owner_key, "Manage Sync Denied", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
r = requests.post(
f"{BASE_URL}/admin/containers/{inst_uid}/sync", headers=_headers(other_key)
)
assert r.status_code == 403
finally:
_cleanup(inst_uid)
def test_sync_allowed_for_owner_reaches_workspace_check(app_server):
owner_uid, owner_key = _make_admin()
project = _create_project(owner_key, "Manage Sync Owner", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
r = requests.post(
f"{BASE_URL}/admin/containers/{inst_uid}/sync", headers=_headers(owner_key)
)
assert r.status_code == 400
assert "workspace" in r.json()["error"]["message"]
finally:
_cleanup(inst_uid)
def test_configure_denied_for_non_owner_admin(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
project = _create_project(owner_key, "Manage Configure Denied", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
r = requests.post(
f"{BASE_URL}/admin/containers/{inst_uid}/edit",
headers=_headers(other_key),
data={"restart_policy": "always"},
)
assert r.status_code == 403
finally:
_cleanup(inst_uid)
def test_configure_allowed_for_owner(app_server):
owner_uid, owner_key = _make_admin()
project = _create_project(owner_key, "Manage Configure Owner", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
r = requests.post(
f"{BASE_URL}/admin/containers/{inst_uid}/edit",
headers=_headers(owner_key),
data={"restart_policy": "always"},
)
assert r.status_code == 200
finally:
_cleanup(inst_uid)
def test_edit_page_redirects_non_owner_admin(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
project = _create_project(owner_key, "Manage Edit Page Denied", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
r = requests.get(
f"{BASE_URL}/admin/containers/{inst_uid}/edit",
headers=_headers(other_key),
allow_redirects=False,
)
assert r.status_code == 302
assert r.headers["location"] == f"/admin/containers/{inst_uid}"
finally:
_cleanup(inst_uid)
def test_edit_page_allowed_for_owner(app_server):
owner_uid, owner_key = _make_admin()
project = _create_project(owner_key, "Manage Edit Page Owner", is_private=False)
inst_uid = _insert_instance(project["uid"], owner_uid)
try:
r = requests.get(
f"{BASE_URL}/admin/containers/{inst_uid}/edit", headers=_headers(owner_key)
)
assert r.status_code == 200
finally:
_cleanup(inst_uid)
def test_create_rejects_others_private_project(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
project = _create_project(owner_key, "Manage Create Denied", is_private=True)
r = requests.post(
f"{BASE_URL}/admin/containers/create",
headers=_headers(other_key),
data={"project_slug": project["slug"], "name": "denied-instance"},
)
assert r.status_code == 404
assert get_table("instances").find_one(name="denied-instance") is None
def test_projects_search_excludes_others_private_project(app_server):
owner_uid, owner_key = _make_admin()
_, other_key = _make_admin()
title = f"Manage Search Unique {int(time.time() * 1000)}"
project = _create_project(owner_key, title, is_private=True)
r = requests.get(
f"{BASE_URL}/admin/containers/projects/search",
headers=_headers(other_key),
params={"q": title},
)
assert all(res["slug"] != project["slug"] for res in r.json()["results"])
r = requests.get(
f"{BASE_URL}/admin/containers/projects/search",
headers=_headers(owner_key),
params={"q": title},
)
assert any(res["slug"] == project["slug"] for res in r.json()["results"])