
fossilrepo / tests / test_api_tokens.py
c588255… ragelink 1 import pytest
c588255… ragelink 2 from django.contrib.auth.models import User
c588255… ragelink 3 from django.test import Client
c588255… ragelink 4
c588255… ragelink 5 from fossil.api_tokens import APIToken, authenticate_api_token
c588255… ragelink 6 from fossil.models import FossilRepository
c588255… ragelink 7 from organization.models import Team
c588255… ragelink 8 from projects.models import ProjectTeam
c588255… ragelink 9
c588255… ragelink 10
@pytest.fixture
def fossil_repo_obj(sample_project):
    """Fetch the live FossilRepository row that belongs to sample_project.

    Soft-deleted rows are excluded; ``.get()`` raises if zero or several
    rows match, so the fixture fails loudly when the repository is missing.
    """
    live_repos = FossilRepository.objects.filter(deleted_at__isnull=True)
    return live_repos.get(project=sample_project)
c588255… ragelink 15
c588255… ragelink 16
@pytest.fixture
def api_token(fossil_repo_obj, admin_user):
    """Persist a ``status:write`` token and return ``(APIToken, raw_token)``.

    Only the hash and prefix produced by ``APIToken.generate()`` are written
    to the row; the raw secret is handed back separately so tests can present
    it as a Bearer credential.
    """
    raw_secret, digest, short_prefix = APIToken.generate()
    fields = {
        "repository": fossil_repo_obj,
        "name": "Test Token",
        "token_hash": digest,
        "token_prefix": short_prefix,
        "permissions": "status:write",
        "created_by": admin_user,
    }
    return APIToken.objects.create(**fields), raw_secret
c588255… ragelink 30
c588255… ragelink 31
@pytest.fixture
def writer_user(db, admin_user, sample_project):
    """Create a non-admin user whose team holds the "write" role on sample_project."""
    account = User.objects.create_user(username="writer_tok", password="testpass123")
    writers = Team.objects.create(
        name="Token Writers",
        organization=sample_project.organization,
        created_by=admin_user,
    )
    writers.members.add(account)
    # The role is attached to the team, not to the user directly.
    ProjectTeam.objects.create(
        project=sample_project,
        team=writers,
        role="write",
        created_by=admin_user,
    )
    return account
c588255… ragelink 40
c588255… ragelink 41
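@pytest.fixture
def writer_client(writer_user):
    """Return a test Client logged in as the write-role user from ``writer_user``.

    ``Client.login`` signals failure by returning False instead of raising.
    The result is asserted so a broken login fails here, in the fixture,
    rather than letting the authorization tests run as an anonymous client.
    """
    client = Client()
    logged_in = client.login(username="writer_tok", password="testpass123")
    assert logged_in, "login as writer_tok failed; client would be anonymous"
    return client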
c588255… ragelink 47
c588255… ragelink 48
c588255… ragelink 49 # --- APIToken Model Tests ---
c588255… ragelink 50
c588255… ragelink 51
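@pytest.mark.django_db
class TestAPITokenModel:
    """Model-level checks for APIToken: generation, hashing, permissions, soft delete."""

    def test_generate_token(self):
        """generate() returns (raw, hash, prefix) in the expected shapes."""
        raw, token_hash, prefix = APIToken.generate()
        assert raw.startswith("frp_")
        assert len(token_hash) == 64  # SHA-256 hex digest
        assert prefix == raw[:12]

        # A second call must not hand out the same secret or the same hash;
        # a repeating generator would make tokens predictable and would also
        # collide with the unique constraint on token_hash.
        other_raw, other_hash, _ = APIToken.generate()
        assert other_raw != raw
        assert other_hash != token_hash

    def test_hash_token(self):
        """hash_token(raw) reproduces the hash that generate() returned."""
        raw, token_hash, _ = APIToken.generate()
        assert APIToken.hash_token(raw) == token_hash

    def test_create_token(self, api_token):
        """A saved token has a primary key and a string form showing name and prefix."""
        token, raw = api_token
        assert token.pk is not None
        assert "Test Token" in str(token)
        assert token.token_prefix in str(token)
        # str(token) ends up in logs and admin listings; it may carry the
        # short prefix but must never carry the full secret.
        assert raw not in str(token)

    def test_soft_delete(self, api_token, admin_user):
        """soft_delete() hides the row from the default manager but keeps it in all_objects."""
        token, _ = api_token
        token.soft_delete(user=admin_user)
        assert token.is_deleted
        assert APIToken.objects.filter(pk=token.pk).count() == 0
        assert APIToken.all_objects.filter(pk=token.pk).count() == 1

    def test_has_permission(self, api_token):
        """A token grants exactly the permission it lists, not a sibling permission."""
        token, _ = api_token
        assert token.has_permission("status:write") is True
        assert token.has_permission("status:read") is False

    def test_has_permission_wildcard(self, fossil_repo_obj, admin_user):
        """A token whose permissions field is "*" passes every permission check."""
        _, token_hash, prefix = APIToken.generate()
        token = APIToken.objects.create(
            repository=fossil_repo_obj,
            name="Wildcard",
            token_hash=token_hash,
            token_prefix=prefix,
            permissions="*",
            created_by=admin_user,
        )
        assert token.has_permission("status:write") is True
        assert token.has_permission("anything") is True

    def test_unique_token_hash(self, fossil_repo_obj, admin_user, api_token):
        """Token hashes must be unique across all tokens."""
        from django.db import IntegrityError

        token, _ = api_token

        # Re-using an existing hash must be rejected by the database itself.
        with pytest.raises(IntegrityError):
            APIToken.objects.create(
                repository=fossil_repo_obj,
                name="Duplicate Hash",
                token_hash=token.token_hash,
                token_prefix="dup_",
                created_by=admin_user,
            )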
c588255… ragelink 108
c588255… ragelink 109
c588255… ragelink 110 # --- authenticate_api_token Tests ---
c588255… ragelink 111
c588255… ragelink 112
@pytest.mark.django_db
class TestAuthenticateAPIToken:
    """authenticate_api_token() against a stand-in request carrying only ``META``.

    NOTE(review): every case here presents the token to the repository it was
    issued for. Nothing checks that a valid token is refused for a different
    repository, and nothing covers a token whose expires_at lies in the future.
    Both are worth adding once a second-repository fixture is available.
    """

    @staticmethod
    def _request(authorization=None):
        """Build a minimal request object; ``META`` is empty when no header is given."""
        meta = {} if authorization is None else {"HTTP_AUTHORIZATION": authorization}
        return type("FakeRequest", (), {"META": meta})()

    def test_valid_token(self, api_token, fossil_repo_obj):
        """A correct Bearer token resolves to its APIToken row."""
        token, raw = api_token
        request = self._request(f"Bearer {raw}")

        result = authenticate_api_token(request, fossil_repo_obj)

        assert result is not None
        assert result.pk == token.pk

    def test_invalid_token(self, fossil_repo_obj):
        """An unknown Bearer value is rejected."""
        request = self._request("Bearer invalid_token_xyz")
        assert authenticate_api_token(request, fossil_repo_obj) is None

    def test_no_auth_header(self, fossil_repo_obj):
        """A request without an Authorization header is rejected."""
        request = self._request()
        assert authenticate_api_token(request, fossil_repo_obj) is None

    def test_non_bearer_auth(self, fossil_repo_obj):
        """An Authorization header using the Basic scheme is rejected."""
        request = self._request("Basic dXNlcjpwYXNz")
        assert authenticate_api_token(request, fossil_repo_obj) is None

    def test_expired_token(self, fossil_repo_obj, admin_user):
        """A token whose expires_at is one day in the past is rejected."""
        from datetime import timedelta

        from django.utils import timezone

        raw, token_hash, prefix = APIToken.generate()
        yesterday = timezone.now() - timedelta(days=1)
        APIToken.objects.create(
            repository=fossil_repo_obj,
            name="Expired",
            token_hash=token_hash,
            token_prefix=prefix,
            expires_at=yesterday,
            created_by=admin_user,
        )

        request = self._request(f"Bearer {raw}")
        assert authenticate_api_token(request, fossil_repo_obj) is None

    def test_updates_last_used_at(self, api_token, fossil_repo_obj):
        """A successful authentication stamps last_used_at on the stored row."""
        token, raw = api_token
        assert token.last_used_at is None

        authenticate_api_token(self._request(f"Bearer {raw}"), fossil_repo_obj)

        # Reload: the fixture's in-memory instance is not the one that was updated.
        token.refresh_from_db()
        assert token.last_used_at is not None

    def test_deleted_token_not_found(self, api_token, fossil_repo_obj, admin_user):
        """A soft-deleted token no longer authenticates."""
        token, raw = api_token
        token.soft_delete(user=admin_user)

        request = self._request(f"Bearer {raw}")
        assert authenticate_api_token(request, fossil_repo_obj) is None
c588255… ragelink 187
c588255… ragelink 188
c588255… ragelink 189 # --- API Token List View Tests ---
c588255… ragelink 190
c588255… ragelink 191
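@pytest.mark.django_db
class TestAPITokenListView:
    """Access control and content of the per-project token list page."""

    @staticmethod
    def _list_url(project):
        """Return the token list URL for ``project``."""
        return f"/projects/{project.slug}/fossil/tokens/"

    def test_list_tokens(self, admin_client, sample_project, api_token):
        """An admin sees the token's name and permissions, but never its secret."""
        _, raw = api_token
        response = admin_client.get(self._list_url(sample_project))
        assert response.status_code == 200
        content = response.content.decode()
        assert "Test Token" in content
        assert "status:write" in content
        # The raw secret is shown once at creation time; the list page must
        # not be able to reproduce it later.
        assert raw not in content

    def test_list_empty(self, admin_client, sample_project, fossil_repo_obj):
        """With no tokens, the page renders its empty-state message."""
        response = admin_client.get(self._list_url(sample_project))
        assert response.status_code == 200
        assert "No API tokens generated yet" in response.content.decode()

    def test_list_denied_for_writer(self, writer_client, sample_project, api_token):
        """Token management requires admin, not just write."""
        response = writer_client.get(self._list_url(sample_project))
        assert response.status_code == 403

    def test_list_denied_for_no_perm(self, no_perm_client, sample_project):
        """A logged-in user without project permissions gets 403."""
        response = no_perm_client.get(self._list_url(sample_project))
        assert response.status_code == 403

    def test_list_denied_for_anon(self, client, sample_project):
        """An anonymous client is redirected rather than served the list."""
        response = client.get(self._list_url(sample_project))
        assert response.status_code == 302  # redirect to login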
c588255… ragelink 218
c588255… ragelink 219
c588255… ragelink 220 # --- API Token Create View Tests ---
c588255… ragelink 221
c588255… ragelink 222
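@pytest.mark.django_db
class TestAPITokenCreateView:
    """Form rendering, creation, validation and access control of the token create view."""

    @staticmethod
    def _create_url(project):
        """Return the token creation URL for ``project``."""
        return f"/projects/{project.slug}/fossil/tokens/create/"

    def test_get_form(self, admin_client, sample_project, fossil_repo_obj):
        """GET renders the creation form for an admin."""
        response = admin_client.get(self._create_url(sample_project))
        assert response.status_code == 200
        assert "Generate API Token" in response.content.decode()

    def test_create_token(self, admin_client, sample_project, fossil_repo_obj):
        """A valid POST stores the token and shows the raw value on the response page."""
        response = admin_client.post(
            self._create_url(sample_project),
            {"name": "New CI Token", "permissions": "status:write"},
        )
        assert response.status_code == 200  # Shows the token on the same page
        content = response.content.decode()
        assert "frp_" in content  # Raw token is displayed
        assert "Token Generated" in content

        # Verify token was created in DB
        token = APIToken.objects.get(name="New CI Token")
        assert token.permissions == "status:write"

    def test_create_token_without_name_fails(self, admin_client, sample_project, fossil_repo_obj):
        """An empty name re-renders the form with an error and stores nothing."""
        response = admin_client.post(
            self._create_url(sample_project),
            {"name": "", "permissions": "status:write"},
        )
        assert response.status_code == 200
        assert "Token name is required" in response.content.decode()
        assert APIToken.objects.filter(repository__project=sample_project).count() == 0

    def test_create_denied_for_writer(self, writer_client, sample_project):
        """A write-role user gets 403 and no token row is created."""
        response = writer_client.post(
            self._create_url(sample_project),
            {"name": "Evil Token"},
        )
        assert response.status_code == 403
        # The status code alone does not prove the request had no effect:
        # a view that writes first and checks permissions afterwards would
        # still answer 403. Confirm that nothing was persisted.
        assert not APIToken.objects.filter(name="Evil Token").exists()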
c588255… ragelink 259
c588255… ragelink 260
c588255… ragelink 261 # --- API Token Delete View Tests ---
c588255… ragelink 262
c588255… ragelink 263
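@pytest.mark.django_db
class TestAPITokenDeleteView:
    """Soft deletion through the delete view, including method and role restrictions."""

    @staticmethod
    def _delete_url(project, token_pk):
        """Return the delete URL for the token ``token_pk`` under ``project``."""
        return f"/projects/{project.slug}/fossil/tokens/{token_pk}/delete/"

    def test_delete_token(self, admin_client, sample_project, api_token):
        """An admin POST soft-deletes the token and redirects."""
        token, _ = api_token
        response = admin_client.post(self._delete_url(sample_project, token.pk))
        assert response.status_code == 302
        token.refresh_from_db()
        assert token.is_deleted

    def test_delete_get_redirects(self, admin_client, sample_project, api_token):
        """GET redirects to the list and leaves the token in place."""
        token, _ = api_token
        response = admin_client.get(self._delete_url(sample_project, token.pk))
        assert response.status_code == 302  # GET redirects to list
        # A successful POST also answers 302, so the status cannot tell the
        # two apart. Check the row: a state-changing GET would let any link
        # or image tag revoke a token on the admin's behalf.
        token.refresh_from_db()
        assert not token.is_deleted

    def test_delete_denied_for_writer(self, writer_client, sample_project, api_token):
        """A write-role user gets 403 and the token stays active."""
        token, _ = api_token
        response = writer_client.post(self._delete_url(sample_project, token.pk))
        assert response.status_code == 403
        # Confirm the refusal had no side effect on the row.
        token.refresh_from_db()
        assert not token.is_deleted

    def test_delete_nonexistent_token(self, admin_client, sample_project, fossil_repo_obj):
        """Deleting an unknown primary key yields 404."""
        response = admin_client.post(self._delete_url(sample_project, 99999))
        assert response.status_code == 404

    def test_deleted_token_cannot_be_deleted_again(self, admin_client, sample_project, api_token, admin_user):
        """A token that is already soft-deleted is treated as not found."""
        token, _ = api_token
        token.soft_delete(user=admin_user)
        response = admin_client.post(self._delete_url(sample_project, token.pk))
        assert response.status_code == 404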
