#37 bump friboo, tests

zalando-stups · Nov 13, 2015 · c47101a · c47101a
1 parent accda9f
commit c47101a
Show file tree

Hide file tree

Showing 2 changed files with 170 additions and 71 deletions.
diff --git a/project.clj b/project.clj
@@ -8,7 +8,7 @@
   :min-lein-version "2.0.0"
 
   :dependencies [[org.clojure/clojure "1.7.0"]
-                 [org.zalando.stups/friboo "1.4.1"]
+                 [org.zalando.stups/friboo "1.5.0"]
                  [clj-time "0.11.0"]
                  [yesql "0.5.0"]]
 

diff --git a/test/org/zalando/stups/kio/api_test.clj b/test/org/zalando/stups/kio/api_test.clj
@@ -2,7 +2,8 @@
   (:require [clojure.test :refer :all]
             [org.zalando.stups.kio.sql :as sql]
             [org.zalando.stups.kio.api :as api]
-            [org.zalando.stups.friboo.user :as fuser]))
+            [org.zalando.stups.friboo.user :as fuser]
+            [clojure.java.jdbc :as jdbc]))
 
 (deftest test-the-tester
   "I succeed"
@@ -67,75 +68,173 @@
                                       (get :http-code)
                                       (= 403))))))))
 
-(deftest test-write-auth-service-no-realm-not-ok
-  "If the realm is missing it should not get access."
-  (let [request {:tokeninfo {"uid" "stups_robot"
-                             "scope" ["uid" "application.write_all"]}
-                 :configuration {:allowed-uids "stups_robot,foo"}}]
-    (try (do
-           (api/require-write-authorization request "stups")
-           (is false))
-      (catch Exception e))))
-
-(deftest test-write-auth-service-no-uid-not-ok
-  "If the uid is missing it should not get access."
-  (let [request {:tokeninfo {"realm" "/services"
-                             "scope" ["uid" "application.write_all"]}
-                 :configuration {:allowed-uids "stups_robot,foo"}}]
-    (try (do
-           (api/require-write-authorization request "stups")
-           (is false))
-      (catch Exception e))))
-
-(deftest test-write-auth-service-ok
-  "If a service has necessary scope and uid it should get access."
-  (let [request {:tokeninfo {"uid" "stups_robot"
-                             "realm" "/services"
-                             "scope" ["uid" "application.write_all"]}
-                 :configuration {:allowed-uids "stups_robot,foo"}}]
-    (api/require-write-authorization request "stups")))
-
-(deftest test-write-auth-service-not-ok1
-  "If a service doesn't have the scope it should not get access."
-  (let [request {:tokeninfo {"uid" "stups_robot"
-                             "realm" "/services"
-                             "scope" ["uid"]}
-                 :configuration {:allowed-uids "stups_robot,foo"}}]
-    (try (do
-           (api/require-write-authorization request "stups")
-           (is false))
-      (catch Exception e))))
-
-(deftest test-write-auth-service-not-ok2
-  "If a service doesn't have the correct uid it should not get access."
-  (let [request {:tokeninfo {"uid" "stups_robot"
-                             "realm" "/services"
-                             "scope" ["uid" "application.write_all"]}
-                 :configuration {:allowed-uids "bar,foo"}}]
-    (try (do
-           (api/require-write-authorization request "stups")
-           (is false))
-      (catch Exception e))))
-
-(deftest test-write-auth-employee-specific-team-ok
-  "A user has to be in the correct team"
-  (let [request {:tokeninfo {"uid" "npiccolotto"
-                             "realm" "/employees"
-                             "scope" ["uid"]}
-                 :configuration {:team-service-url "http://example.com"}}]
-    (with-redefs [fuser/get-teams (constantly [{:name "stups"} {:name "asa"}])
-                  fuser/require-internal-user (constantly nil)]
-      (api/require-write-authorization request "stups"))))
-
-(deftest test-write-auth-employee-specific-team-not-ok
-  "A user has to be in the correct team"
-  (let [request {:tokeninfo {"uid" "npiccolotto"
-                             "realm" "/employees"
-                             "scope" ["uid"]}
-                 :configuration {:team-service-url "http://example.com"}}]
-    (with-redefs [fuser/get-teams (constantly [{:name "test"} {:name "asa"}])
-                  fuser/require-internal-user (constantly nil)]
+(deftest test-require-write-access
+
+  (testing "a robot should not get access if realm is missing"
+    (let [request {:tokeninfo {"uid" "stups_robot"
+                               "scope" ["uid" "application.write_all"]}
+                   :configuration {:allowed-uids "stups_robot,foo"}}]
+      (try (do
+             (api/require-write-authorization request "stups")
+             (is false))
+        (catch Exception e
+          (is (= 403 (:http-code (ex-data e))))))))
+
+  (testing "a robot should not get access if the uid is missing"
+    (let [request {:tokeninfo {"realm" "/services"
+                               "scope" ["uid" "application.write_all"]}
+                   :configuration {:allowed-uids "stups_robot,foo"}}]
+      (try (do
+             (api/require-write-authorization request "stups")
+             (is false))
+        (catch Exception e
+          (is (= 403 (:http-code (ex-data e))))))))
+
+  (testing "a robot should get access if it has write_all scope and required uid"
+    (let [request {:tokeninfo {"uid" "stups_robot"
+                               "realm" "/services"
+                               "scope" ["uid" "application.write_all"]}
+                   :configuration {:allowed-uids "stups_robot,foo"}}]
+      (api/require-write-authorization request "stups")))
+
+  (testing "a robot should not get access if it doesn't have required uid but write_all scope"
+    (let [request {:tokeninfo {"uid" "stups_robot"
+                               "realm" "/services"
+                               "scope" ["uid" "application.write_all"]}
+                   :configuration {:allowed-uids "bar,foo"}}]
       (try (do
              (api/require-write-authorization request "stups")
              (is false))
-        (catch Exception e)))))
+        (catch Exception e
+          (is (= 403 (:http-code (ex-data e))))))))
+
+  (testing "a human should get access if it is in the required team"
+    (let [request {:tokeninfo {"uid" "npiccolotto"
+                               "realm" "/employees"
+                               "scope" ["uid"]}
+                   :configuration {:team-service-url "http://example.com"}}]
+      (with-redefs [fuser/get-teams (constantly [{:name "stups"} {:name "asa"}])
+                    fuser/require-internal-user (constantly nil)]
+        (api/require-write-authorization request "stups"))))
+
+  (testing "a human should not get access if it is not in the required team"
+    (let [request {:tokeninfo {"uid" "npiccolotto"
+                               "realm" "/employees"
+                               "scope" ["uid"]}
+                   :configuration {:team-service-url "http://example.com"}}]
+      (with-redefs [fuser/get-teams (constantly [{:name "test"} {:name "asa"}])
+                    fuser/require-internal-user (constantly nil)]
+        (try (do
+               (api/require-write-authorization request "stups")
+               (is false))
+          (catch Exception e
+            (is (= 403 (:http-code (ex-data e)))))))))
+
+  (testing "a robot should not write without write scope"
+    (let [request {:tokeninfo {"uid" "robobro"
+                               "realm" "/services"
+                               "scope" ["uid"]}
+                   :configuration {:service-user-url "http://robot.com"}}]
+      (with-redefs [fuser/require-service-team (constantly "stups")
+                    fuser/require-internal-user (constantly nil)]
+        (try
+          (api/require-write-authorization request "stups")
+          (is false)
+          (catch Exception e
+            (is (= 403 (:http-code (ex-data e)))))))))
+
+  (testing "a robot should write with write scope and correct team"
+    (let [request {:tokeninfo {"uid" "robobro"
+                               "realm" "/services"
+                               "scope" ["uid" "application.write"]}
+                   :configuration {:service-user-url "http://robot.com"}}]
+      (with-redefs [fuser/require-service-team (constantly "stups")
+                    fuser/require-internal-user (constantly nil)]
+        (api/require-write-authorization request "stups"))))
+
+  (testing "a robot should not write with write scope to another team"
+    (let [request {:tokeninfo {"uid" "robobro"
+                               "realm" "/services"
+                               "scope" ["uid"]}
+                   :configuration {:service-user-url "http://robot.com"}}]
+      (with-redefs [fuser/require-service-team (constantly "stups")
+                    fuser/require-internal-user (constantly nil)]
+        (try
+          (api/require-write-authorization request "team-britney")
+          (is false)
+          (catch Exception e
+            (is (= 403 (:http-code (ex-data e)))))))))
+
+  (testing "a robot should write applications"
+    (let [request {:tokeninfo {"uid" "robobro"
+                               "realm" "/services"
+                               "scope" ["uid" "application.write"]}
+                   :configuration {:service-user-url "http://robot.com"}}
+          application {:team_id "stups"
+                       :id "foo"}]
+      (with-redefs [fuser/require-service-team (constantly "stups")
+                    fuser/require-internal-user (constantly nil)
+                    sql/cmd-create-or-update-application! (constantly nil)]
+        (api/create-or-update-application! {:application application
+                                            :application_id "foo"}
+                                           request
+                                           nil))))
+
+  (testing "a robot should write versions"
+    (let [request {:tokeninfo {"uid" "robobro"
+                               "realm" "/services"
+                               "scope" ["uid" "application.write"]}
+                   :configuration {:service-user-url "http://robot.com"}}
+          application {:team_id "stups"
+                       :id "foo"}
+          version {:id "bar"}]
+      (with-redefs [fuser/require-service-team (constantly "stups")
+                    fuser/require-internal-user (constantly nil)
+                    ; does not matter, is used by with-db-transaction macro
+                    jdbc/db-transaction* #(list %1 %2)
+                    sql/cmd-create-or-update-version! (constantly nil)
+                    sql/cmd-delete-approvals! (constantly nil)
+                    api/load-application (constantly application)]
+        (api/create-or-update-version! {:version version
+                                        :version_id "bar"
+                                        :application_id "foo"}
+                                       request
+                                       nil))))
+
+  (testing "a robot should not write approvals"
+    (let [request {:tokeninfo {"uid" "robobro"
+                               "realm" "/services"
+                               "scope" ["uid" "application.write"]}
+                   :configuration {:service-user-url "http://robot.com"}}
+          application {:team_id "stups"
+                       :id "foo"}]
+      (with-redefs [fuser/require-service-team (constantly "stups")
+                    fuser/require-internal-user (constantly nil)
+                    api/load-application (constantly application)
+                    sql/cmd-approve-version! (constantly nil)]
+        (try
+          (api/approve-version! {:version_id "bar"
+                                 :application_id "foo"
+                                 :notes "test"}
+                                request
+                                nil)
+          (is false)
+          (catch Exception e
+            (is (= 403 (:http-code (ex-data e)))))))))
+
+  (testing "a human should write approvals"
+    (let [request {:tokeninfo {"uid" "nikolaus"
+                               "realm" "/employees"
+                               "scope" ["uid"]}
+                   :configuration {:team-service-url "http://employee.com"}}
+          application {:team_id "stups"
+                       :id "foo"}]
+      (with-redefs [fuser/get-teams (constantly [{:name "stups"} {:name "asa"}])
+                    fuser/require-internal-user (constantly nil)
+                    api/load-application (constantly application)
+                    sql/cmd-approve-version! (constantly nil)]
+        (api/approve-version! {:version_id "bar"
+                               :application_id "foo"
+                               :notes "test"}
+                              request
+                              nil)))))