authorErnst Widerberg <ernst@sunet.se>2022-01-18 11:30:16 +0100
committerErnst Widerberg <ernst@sunet.se>2022-01-21 16:46:26 +0100
commit583762aee1f46a853bb728cabd55756d31abc7aa (patch)
tree26ed79f85ba308bc963ab6cc9f0263cb0b96c69a
parent396e8fddd2e5485d32bfadbe89890dfa85ce4f30 (diff)
Add testing for some unauthorized API calls
-rw-r--r--src/test/test_api.py47
1 files changed, 47 insertions, 0 deletions
diff --git a/src/test/test_api.py b/src/test/test_api.py
index 9d76e5e..371fcf2 100644
--- a/src/test/test_api.py
+++ b/src/test/test_api.py
@@ -183,3 +183,50 @@ def test_005():
response = client.delete("/sc/v0/delete/unittest")
assert(response.status_code == 400)
assert(response.json()['status'] == 'error')
+
+def test_006():
+ print("*** Add doc for unauthorized domain (this is allowed, currently)")
+
+ doc_port = random.randint(1, 65536)
+ doc_ip = str(ipaddress.IPv4Address(random.randint(1, 0xffffffff)))
+ doc_asn = str(doc_ip) + '_' + str(doc_port)
+
+ json_data = {
+ 'ip': doc_ip,
+ 'port': doc_port,
+ 'whois_description': 'unittest',
+ 'asn': doc_asn,
+ 'asn_country_code': 'SE',
+ 'ptr': 'unittest.example.com',
+ 'abuse_mail': 'unittest@example.com',
+ 'domain': 'sunet.se',
+ 'timestamp_in_utc': '2021-06-21T14:06UTC',
+ 'producer_unique_keys': {
+ 'subject_cn': 'unittest',
+ 'subject_o': 'unittest',
+ 'full_name': 'unittest',
+ 'end_of_general_support': False,
+ 'cve_2021_21972': 'unittest',
+ 'cve_2021_21974': 'unittest',
+ 'cve_2021_21985': 'unittest'
+ }
+ }
+
+ response = client.post(
+ "/sc/v0/add", headers=JWT_HEADER, json=dict(json_data, domain="example.com")
+ )
+ assert(response.status_code == 200)
+ assert(response.json()['status'] == 'success')
+
+ print("*** Get doc for unauthorized domain (not allowed)")
+ doc_id = response.json()['docs']['_id']
+ response = client.get(f"/sc/v0/get/{doc_id}", headers=JWT_HEADER)
+ assert(response.status_code == 400)
+ assert(response.json()['status'] == 'error')
+ assert(response.json()['message'] == 'User not authorized to view this object')
+
+ print("*** Delete doc for unauthorized domain (not allowed)")
+ response = client.delete(f"/sc/v0/delete/{doc_id}", headers=JWT_HEADER)
+ assert(response.status_code == 400)
+ assert(response.json()['status'] == 'error')
+ assert(response.json()['message'] == 'User not authorized to delete this object')
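Review bot: `doc_port = random.randint(1, 65536)` can yield 65536, which is outside the 16-bit port range, so the add in test_006 can intermittently fail if the API validates `port`; use `doc_port = random.randint(1, 65535)`. The first `client.post` deliberately asserts that a caller may add a document for a domain it is not authorized for, and a later change that enforces authorization on add would break this test with nothing marking the failure as expected — a comment such as `# NOTE: add is not authorization-checked yet; update the expected status once it is` beside that assert would make the intent explicit. Because the same user is then denied the delete, the document created here is never removed and accumulates in the backing store across runs; consider removing it with credentials authorized for example.com if the suite has any, or documenting that the test database is reset. The `'domain': 'sunet.se'` entry in `json_data` is dead since `dict(json_data, domain="example.com")` overrides it, and `str(doc_ip)` re-wraps a value that is already a str.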