From 13e9b2ea3ebe64fee7c1ffb7deb89cfa0318f04f Mon Sep 17 00:00:00 2001 From: Jarne Clauw <67628242+JarneClauw@users.noreply.github.com> Date: Sun, 28 Apr 2024 11:33:10 +0200 Subject: [PATCH 1/2] Cleanup of authentication tests --- backend/tests/endpoints/conftest.py | 11 ++++++----- backend/tests/endpoints/course/courses_test.py | 13 +++++-------- backend/tests/endpoints/endpoint.py | 16 ++++++++-------- 3 files changed, 19 insertions(+), 21 deletions(-) diff --git a/backend/tests/endpoints/conftest.py b/backend/tests/endpoints/conftest.py index bcdddc7c..45dbcfef 100644 --- a/backend/tests/endpoints/conftest.py +++ b/backend/tests/endpoints/conftest.py @@ -26,15 +26,16 @@ def data_map(course: Course) -> dict[str, Any]: } @fixture -def auth_test(request: FixtureRequest, client: FlaskClient, data_map: dict[str, Any]) -> tuple: +def auth_test( + request: FixtureRequest, client: FlaskClient, data_map: dict[str, Any] + ) -> tuple[str, Any, str, bool]: """Add concrete test data to auth""" - # endpoint, method, token, allowed - endpoint, method, token, *other = request.param + endpoint, method, token, allowed = request.param for k, v in data_map.items(): endpoint = endpoint.replace(k, str(v)) - csrf = get_csrf_from_login(client, token) - return endpoint, getattr(client, method), csrf, *other + + return endpoint, getattr(client, method), get_csrf_from_login(client, token), allowed diff --git a/backend/tests/endpoints/course/courses_test.py b/backend/tests/endpoints/course/courses_test.py index ca3599c5..123e89a9 100644 --- a/backend/tests/endpoints/course/courses_test.py +++ b/backend/tests/endpoints/course/courses_test.py 
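Review bot: The docstring `"""Add concrete test data to auth"""` says nothing about what the fixture returns, and the only hint — the `# endpoint, method, token, allowed` comment — is deleted in this hunk, so a reader now has to reverse-engineer the four-tuple from `request.param`. I would replace it with a docstring along the lines of `"""Resolve one auth test case: substitute the ids from data_map into the endpoint path, obtain the CSRF token for `token` via get_csrf_from_login and return (endpoint, client method, csrf, allowed)."""`. Whether get_csrf_from_login also establishes the session on `client` is not visible here, so the docstring should only claim what the call returns. Note that the second patch in this series changes the csrf line so that `token` may be None, which the docstring should mention once that lands.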
@@ -21,16 +21,13 @@ class TestCourseEndpoint(TestEndpoint): ### AUTHENTICATION ### # Where is login required authentication_tests = \ - authentication_tests("/courses", ["get", "post"], ["login"], ["0123456789", ""]) + \ - authentication_tests("/courses/@course_id", ["get", "patch", "delete"], - ["login"], ["0123456789", ""]) + \ - authentication_tests("/courses/@course_id/students", ["get", "post", "delete"], - ["login"], ["0123456789", ""]) + \ - authentication_tests("/courses/@course_id/admins", ["get", "post", "delete"], - ["login"], ["0123456789", ""]) + authentication_tests("/courses", ["get", "post"]) + \ + authentication_tests("/courses/@course_id", ["get", "patch", "delete"]) + \ + authentication_tests("/courses/@course_id/students", ["get", "post", "delete"]) + \ + authentication_tests("/courses/@course_id/admins", ["get", "post", "delete"]) @mark.parametrize("auth_test", authentication_tests, indirect=True) - def test_authentication(self, auth_test: tuple[str, Any]): + def test_authentication(self, auth_test: tuple[str, Any, str, bool]): """Test the authentication""" super().authentication(auth_test) diff --git a/backend/tests/endpoints/endpoint.py b/backend/tests/endpoints/endpoint.py index c2b2c796..caf06ac4 100644 --- a/backend/tests/endpoints/endpoint.py +++ b/backend/tests/endpoints/endpoint.py 
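Review bot: The class attribute `authentication_tests` has the same name as the helper it calls on its right-hand side, so the expression reads like a recursive call and only works because the name is resolved against the module global before the class-local binding exists. Renaming the attribute, e.g. `auth_cases = \` and `@mark.parametrize("auth_test", auth_cases, indirect=True)`, removes the shadowing without changing what is collected. The docstring `"""Test the authentication"""` could also say what is actually asserted, i.e. that every listed endpoint/method rejects requests without a valid login. The enclosing class TestCourseEndpoint starts outside the hunk.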
@@ -3,17 +3,17 @@ from typing import Any from pytest import param -def authentication_tests(endpoint: str, methods: list[str], - allowed_tokens: list[str], disallowed_tokens: list[str]) -> list[Any]: +def authentication_tests(endpoint: str, methods: list[str]) -> list[Any]: """Transform the format to single authentication tests""" tests = [] - for token in (allowed_tokens + disallowed_tokens): - allowed: bool = token in allowed_tokens - for method in methods: + for method in methods: + for token in ["0123456789", "login"]: + allowed = token == "login" tests.append(param( - (endpoint, method, token, allowed), - id = f"{endpoint} {method.upper()} ({token} {'allowed' if allowed else 'disallowed'})" + (endpoint, method, token, allowed), + id = f"{endpoint} {method.upper()} " \ + f"({token} {'allowed' if allowed else 'disallowed'})" )) return tests @@ -84,7 +84,7 @@ def query_parameter_tests( class TestEndpoint: """Base class for endpoint tests""" - def authentication(self, auth_test: tuple[str, Any]): + def authentication(self, auth_test: tuple[str, Any, str, bool]): """Test if the authentication for the given endpoint works""" endpoint, method, csrf, allowed = auth_test From d53a31c8a2c5b0cd0dbebc4aa41105a790da33c2 Mon Sep 17 00:00:00 2001 From: Jarne Clauw <67628242+JarneClauw@users.noreply.github.com> Date: Sun, 28 Apr 2024 11:52:35 +0200 Subject: [PATCH 2/2] Adding tests where no csrf token is given --- backend/tests/endpoints/conftest.py | 3 ++- backend/tests/endpoints/endpoint.py | 7 +++++-- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/backend/tests/endpoints/conftest.py b/backend/tests/endpoints/conftest.py index 45dbcfef..de82cf72 100644 --- a/backend/tests/endpoints/conftest.py +++ b/backend/tests/endpoints/conftest.py 
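Review bot: Hard-coding `["0123456789", "login"]` silently drops the empty-string token that the previous call sites passed as a disallowed credential, and it also removes any way for a caller to declare an endpoint that is legitimately reachable without login, since `allowed` is now always `token == "login"`; if both are intended, the commit message should say so. A light way to keep the flexibility is to make the token set an optional parameter, e.g. `def authentication_tests(endpoint: str, methods: list[str], disallowed_tokens: tuple[str, ...] = ("0123456789",)) -> list[Any]:`. Separately, the `\` after `id = f"{endpoint} {method.upper()} "` is redundant inside the `param(...)` parentheses — implicit line joining already applies, and PEP 8 prefers it. The second hunk of this file only changes an annotation and needs no comment.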
@@ -34,8 +34,9 @@ def auth_test( for k, v in data_map.items(): endpoint = endpoint.replace(k, str(v)) + csrf = get_csrf_from_login(client, token) if token else None - return endpoint, getattr(client, method), get_csrf_from_login(client, token), allowed + return endpoint, getattr(client, method), csrf, allowed diff --git a/backend/tests/endpoints/endpoint.py b/backend/tests/endpoints/endpoint.py index caf06ac4..1be6b3be 100644 --- a/backend/tests/endpoints/endpoint.py +++ b/backend/tests/endpoints/endpoint.py @@ -8,7 +8,7 @@ def authentication_tests(endpoint: str, methods: list[str]) -> list[Any]: tests = [] for method in methods: - for token in ["0123456789", "login"]: + for token in [None, "0123456789", "login"]: allowed = token == "login" tests.append(param( (endpoint, method, token, allowed), @@ -89,7 +89,10 @@ def authentication(self, auth_test: tuple[str, Any, str, bool]): endpoint, method, csrf, allowed = auth_test - response = method(endpoint, headers = {"X-CSRF-TOKEN":csrf}) + if csrf: + response = method(endpoint, headers = {"X-CSRF-TOKEN":csrf}) + else: + response = method(endpoint) assert allowed == (response.status_code != 401) def authorization(self, auth_test: tuple[str, Any, str, bool]):
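Review bot: With `csrf = get_csrf_from_login(client, token) if token else None` the None case never calls get_csrf_from_login at all, so — assuming that helper is what establishes the login session on `client`, which its name suggests but this hunk does not show — the "no csrf token" requests carry neither a session nor the header and are indistinguishable from plain unauthenticated requests, which the existing invalid-token case already covers. The interesting regression (CSRF enforcement switched off while the session cookie is still honoured) stays untested. To exercise it, log in as the valid user and withhold only the header: `csrf = get_csrf_from_login(client, token or "login")` followed by `if token is None:` / `    csrf = None  # logged in, X-CSRF-TOKEN deliberately omitted`. The function auth_test starts outside the hunk and its return annotation should then become `tuple[str, Any, str | None, bool]` (or `Optional[str]` if the project still targets 3.9).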
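Review bot: `None` in `for token in [None, "0123456789", "login"]:` is an opaque sentinel whose meaning lives in another file, and the generated id will read "(None disallowed)", so a comment above the loop is warranted: `# None: no X-CSRF-TOKEN header is sent at all; "0123456789": invalid credential; "login": valid user`. The three cases also leave out the one that actually distinguishes a double-submit CSRF check from plain authentication — a valid login combined with a wrong header value — which could be added as a fourth token handled in the fixture. The enclosing function authentication_tests starts outside the hunk.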
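Review bot: `if csrf:` treats an empty-string CSRF value the same as None, so a fixture that ever yields `""` would silently send no header instead of an invalid one; `if csrf is not None:` matches the intent stated in the commit title. The context line `def authentication(self, auth_test: tuple[str, Any, str, bool]):` is now inaccurate too, since `csrf` can be None, and should read `tuple[str, Any, str | None, bool]` (or `Optional[str]` on 3.9). Worth documenting in the docstring that `assert allowed == (response.status_code != 401)` only pins the exact status for the rejected case — for the allowed case any non-401 answer, including 403 from the separate authorization check, passes by design.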