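# from django.conf import settings
import unittest

import pytest
import requests
from django.contrib.auth import get_user_model
from django.contrib.auth.models import AnonymousUser, User
from django.contrib.contenttypes.models import ContentType
from django.shortcuts import reverse
from django.test import Client, TestCase

from access.models import Organization, Permission, Team, TeamUsers
from itam.models.software import Software


class SoftwarePermissions(TestCase):
    """Authorization tests for the Software views.

    Each action (view, add, change, delete) is exercised as an anonymous
    client, as a user holding no permissions, as a user from a *different*
    organization who holds every permission, as users holding only a weaker
    permission, and finally as the user holding the required permission.
    """

    model = Software

    model_name = 'software'

    app_label = 'itam'

    # Anonymous requests may either be redirected to the login page (302)
    # or refused outright (403); both count as "denied".
    ANON_DENIED = (302, 403)

    @classmethod
    def _permission(cls, action):
        """Return the ``Permission`` for *action* on this test's model.

        *action* is one of Django's default codename prefixes
        (``view``, ``add``, ``change``, ``delete``).
        """
        return Permission.objects.get(
            codename=f'{action}_{cls.model_name}',
            content_type=ContentType.objects.get(
                app_label=cls.app_label,
                model=cls.model_name,
            ),
        )

    @classmethod
    def _team_with(cls, team_name, organization, permissions):
        """Create a team in *organization* holding exactly *permissions*."""
        team = Team.objects.create(
            team_name=team_name,
            organization=organization,
        )
        team.permissions.set(permissions)
        return team

    @classmethod
    def _user_in(cls, username, team):
        """Create a user (fixed test password) and add them to *team*."""
        user = User.objects.create_user(username=username, password="password")
        TeamUsers.objects.create(team=team, user=user)
        return user

    @classmethod
    def setUpTestData(cls):
        """Build the fixtures shared by every test in this class.

        1. Create the organization that owns the item, plus a second,
           unrelated organization.
        2. Create one Software item in the first organization.
        3. Create one team per permission (view, add, change, delete) in the
           first organization, and one team in the other organization that
           holds all four permissions.
        4. Create one user per team, plus a user who belongs to no team.
        """
        organization = Organization.objects.create(name='test_org')
        cls.organization = organization

        different_organization = Organization.objects.create(
            name='test_different_organization'
        )

        cls.item = cls.model.objects.create(
            organization=organization,
            name='softwareone',
        )

        view_permissions = cls._permission('view')
        add_permissions = cls._permission('add')
        change_permissions = cls._permission('change')
        delete_permissions = cls._permission('delete')

        view_team = cls._team_with('view_team', organization, [view_permissions])
        add_team = cls._team_with('add_team', organization, [add_permissions])
        change_team = cls._team_with(
            'change_team', organization, [change_permissions]
        )
        delete_team = cls._team_with(
            'delete_team', organization, [delete_permissions]
        )

        # Member of no team at all: the baseline "authenticated but unprivileged" user.
        cls.no_permissions_user = User.objects.create_user(
            username="test_no_permissions", password="password"
        )

        cls.view_user = cls._user_in("test_user_view", view_team)
        cls.add_user = cls._user_in("test_user_add", add_team)
        cls.change_user = cls._user_in("test_user_change", change_team)
        cls.delete_user = cls._user_in("test_user_delete", delete_team)

        # This user holds every permission, so a 403 from the views proves
        # the check is scoped by organization and not only by permission.
        different_organization_team = cls._team_with(
            'different_organization_team',
            different_organization,
            [
                view_permissions,
                add_permissions,
                change_permissions,
                delete_permissions,
            ],
        )
        cls.different_organization_user = cls._user_in(
            "test_different_organization_user", different_organization_team
        )

    def _client(self, user=None):
        """Return a test client, logged in as *user* when one is given."""
        client = Client()
        if user is not None:
            client.force_login(user)
        return client

    def _view_url(self):
        """URL of the item's view page (also the target of change requests)."""
        return reverse('ITAM:_software_view', kwargs={'pk': self.item.id})

    def _add_url(self):
        """URL of the add form."""
        return reverse('ITAM:_software_add')

    def _delete_url(self):
        """URL of the item's delete endpoint."""
        return reverse('ITAM:_software_delete', kwargs={'pk': self.item.id})

    # ------------------------------------------------------------------ view

    def test_software_auth_view_user_anon_denied(self):
        """Check correct permission for view.

        Attempt to view as anon user.
        """
        response = self._client().get(self._view_url())

        assert response.status_code == 403

    def test_software_auth_view_no_permission_denied(self):
        """Check correct permission for view.

        Attempt to view with user missing permission.
        """
        client = self._client(self.no_permissions_user)

        response = client.get(self._view_url())

        assert response.status_code == 403

    def test_software_auth_view_different_organizaiton_denied(self):
        """Check correct permission for view.

        Attempt to view with user from different organization.
        """
        client = self._client(self.different_organization_user)

        response = client.get(self._view_url())

        assert response.status_code == 403

    def test_software_auth_view_has_permission(self):
        """Check correct permission for view.

        Attempt to view as user with view permission.
        """
        client = self._client(self.view_user)

        response = client.get(self._view_url())

        assert response.status_code == 200

    # ------------------------------------------------------------------- add

    def test_software_auth_add_user_anon_denied(self):
        """Check correct permission for add.

        Attempt to add as anon user.
        """
        # NOTE(review): the other add tests POST; PUT is kept here as
        # originally written. Either way an anonymous request must be
        # refused before the view acts on it.
        response = self._client().put(self._add_url(), data={'software': 'software'})

        assert response.status_code in self.ANON_DENIED

    # @pytest.mark.skip(reason="ToDO: figure out why fails")
    def test_software_auth_add_no_permission_denied(self):
        """Check correct permission for add.

        Attempt to add as user with no permissions.
        """
        client = self._client(self.no_permissions_user)

        response = client.post(self._add_url(), data={'software': 'software'})

        assert response.status_code == 403

    # @pytest.mark.skip(reason="ToDO: figure out why fails")
    def test_software_auth_add_different_organization_denied(self):
        """Check correct permission for add.

        Attempt to add, into the item's organization, as a user who only
        holds permissions in a different organization.
        """
        client = self._client(self.different_organization_user)

        response = client.post(
            self._add_url(),
            data={'name': 'software', 'organization': self.organization.id},
        )

        assert response.status_code == 403

    def test_software_auth_add_permission_view_denied(self):
        """Check correct permission for add.

        Attempt to add as a user with only view permission.
        """
        client = self._client(self.view_user)

        response = client.post(self._add_url(), data={'software': 'software'})

        assert response.status_code == 403

    def test_software_auth_add_has_permission(self):
        """Check correct permission for add.

        Attempt to add as user with add permission.
        """
        client = self._client(self.add_user)

        response = client.post(
            self._add_url(),
            data={'software': 'software', 'organization': self.organization.id},
        )

        assert response.status_code == 200

    # ---------------------------------------------------------------- change

    def test_software_auth_change_user_anon_denied(self):
        """Check correct permission for change.

        Attempt to change as anon.
        """
        response = self._client().patch(self._view_url(), data={'software': 'software'})

        assert response.status_code in self.ANON_DENIED

    def test_software_auth_change_no_permission_denied(self):
        """Ensure a user without permissions cannot make a change.

        Attempt to make change as user without permissions.
        """
        client = self._client(self.no_permissions_user)

        response = client.post(self._view_url(), data={'software': 'software'})

        assert response.status_code == 403

    def test_software_auth_change_different_organization_denied(self):
        """Ensure a user from a different organization cannot make a change.

        Attempt to make change as user from different organization.
        """
        # NOTE(review): the payload omits ``organization``; submitting the
        # other organization's id as the new value is not covered here and
        # is worth a separate case.
        client = self._client(self.different_organization_user)

        response = client.post(self._view_url(), data={'software': 'software'})

        assert response.status_code == 403

    def test_software_auth_change_permission_view_denied(self):
        """Ensure permission view cant make change.

        Attempt to make change as user with view permission.
        """
        client = self._client(self.view_user)

        response = client.post(self._view_url(), data={'software': 'software'})

        assert response.status_code == 403

    def test_software_auth_change_permission_add_denied(self):
        """Ensure permission add cant make change.

        Attempt to make change as user with add permission.
        """
        client = self._client(self.add_user)

        response = client.post(self._view_url(), data={'software': 'software'})

        assert response.status_code == 403

    def test_software_auth_change_has_permission(self):
        """Check correct permission for change.

        Make change with user who has change permission.
        """
        client = self._client(self.change_user)

        response = client.post(self._view_url(), data={'software': 'software'})

        assert response.status_code == 200

    # ---------------------------------------------------------------- delete

    def test_software_auth_delete_user_anon_denied(self):
        """Check correct permission for delete.

        Attempt to delete item as anon user.
        """
        response = self._client().delete(self._delete_url(), data={'software': 'software'})

        assert response.status_code in self.ANON_DENIED

    def test_software_auth_delete_no_permission_denied(self):
        """Check correct permission for delete.

        Attempt to delete as user with no permissions.
        """
        client = self._client(self.no_permissions_user)

        response = client.delete(self._delete_url(), data={'software': 'software'})

        assert response.status_code == 403

    def test_software_auth_delete_different_organization_denied(self):
        """Check correct permission for delete.

        Attempt to delete as user from different organization.
        """
        client = self._client(self.different_organization_user)

        response = client.delete(self._delete_url(), data={'software': 'software'})

        assert response.status_code == 403

    def test_software_auth_delete_permission_view_denied(self):
        """Check correct permission for delete.

        Attempt to delete as user with view permission only.
        """
        client = self._client(self.view_user)

        response = client.delete(self._delete_url(), data={'software': 'software'})

        assert response.status_code == 403

    def test_software_auth_delete_permission_add_denied(self):
        """Check correct permission for delete.

        Attempt to delete as user with add permission only.
        """
        client = self._client(self.add_user)

        response = client.delete(self._delete_url(), data={'software': 'software'})

        assert response.status_code == 403

    def test_software_auth_delete_permission_change_denied(self):
        """Check correct permission for delete.

        Attempt to delete as user with change permission only.
        """
        client = self._client(self.change_user)

        response = client.delete(self._delete_url(), data={'software': 'software'})

        assert response.status_code == 403

    def test_software_auth_delete_has_permission(self):
        """Check correct permission for delete.

        Delete item as user with delete permission; a successful delete
        redirects back to the software list.
        """
        client = self._client(self.delete_user)

        response = client.delete(self._delete_url(), data={'software': 'software'})

        assert response.status_code == 302 and response.url == reverse('ITAM:Software')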