nk20/apps/api/tests.py

# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay
# SPDX-License-Identifier: GPL-3.0-or-later

import json
from datetime import datetime, date
from decimal import Decimal
from urllib.parse import quote_plus
from warnings import warn

from django.contrib.auth.models import User
from django.contrib.contenttypes.models import ContentType
from django.db.models.fields.files import ImageFieldFile
from django.test import TestCase
from django_filters.rest_framework import DjangoFilterBackend
from member.models import Membership, Club
from note.models import NoteClub, NoteUser, Alias, Note
from permission.models import PermissionMask, Permission, Role
from phonenumbers import PhoneNumber
from rest_framework.filters import SearchFilter, OrderingFilter

from .viewsets import ContentTypeViewSet, UserViewSet


class TestAPI(TestCase):
    """
    Load API pages and check that filters are working.
    """
    fixtures = ('initial', )

    def setUp(self) -> None:
        self.user = User.objects.create_superuser(
            username="adminapi",
            password="adminapi",
            email="adminapi@example.com",
            last_name="Admin",
            first_name="Admin",
        )
        self.client.force_login(self.user)

        sess = self.client.session
        sess["permission_mask"] = 42
        sess.save()

    def check_viewset(self, viewset, url):
        """
        This function should be called inside a unit test.
        This loads the viewset and for each filter entry, it checks that the filter is running good.
        """
        resp = self.client.get(url + "?format=json")
        self.assertEqual(resp.status_code, 200)

        model = viewset.serializer_class.Meta.model

        if not model.objects.exists():  # pragma: no cover
            warn(f"Warning: unable to test API filters for the model {model._meta.verbose_name} "
                 "since there is no instance of it.")
            return

        if hasattr(viewset, "filter_backends"):
            backends = viewset.filter_backends
            obj = model.objects.last()

            if DjangoFilterBackend in backends:
                # Specific search
                for field in viewset.filterset_fields:
                    obj = self.fix_note_object(obj, field)

                    value = self.get_value(obj, field)
                    if value is None:  # pragma: no cover
                        warn(f"Warning: the filter {field} for the model {model._meta.verbose_name} "
                             "has not been tested.")
                        continue
                    resp = self.client.get(url + f"?format=json&{field}={quote_plus(str(value))}")
                    self.assertEqual(resp.status_code, 200, f"The filter {field} for the model "
                                                            f"{model._meta.verbose_name} does not work. "
                                                            f"Given parameter: {value}")
                    content = json.loads(resp.content)
                    self.assertGreater(content["count"], 0, f"The filter {field} for the model "
                                                            f"{model._meta.verbose_name} does not work. "
                                                            f"Given parameter: {value}")

            if OrderingFilter in backends:
                # Ensure that ordering is working well
                for field in viewset.ordering_fields:
                    resp = self.client.get(url + f"?ordering={field}")
                    self.assertEqual(resp.status_code, 200)
                    resp = self.client.get(url + f"?ordering=-{field}")
                    self.assertEqual(resp.status_code, 200)

            if SearchFilter in backends:
                # Basic search
                for field in viewset.search_fields:
                    obj = self.fix_note_object(obj, field)

                    if field[0] == '$' or field[0] == '=':
                        field = field[1:]
                    value = self.get_value(obj, field)
                    if value is None:  # pragma: no cover
                        warn(f"Warning: the filter {field} for the model {model._meta.verbose_name} "
                             "has not been tested.")
                        continue
                    resp = self.client.get(url + f"?format=json&search={quote_plus(str(value))}")
                    self.assertEqual(resp.status_code, 200, f"The filter {field} for the model "
                                                            f"{model._meta.verbose_name} does not work. "
                                                            f"Given parameter: {value}")
                    content = json.loads(resp.content)
                    self.assertGreater(content["count"], 0, f"The filter {field} for the model "
                                                            f"{model._meta.verbose_name} does not work. "
                                                            f"Given parameter: {value}")

            self.check_permissions(url, obj)

    def check_permissions(self, url, obj):
        """
        Check that permissions are working
        """
        # Drop rights
        self.user.is_superuser = False
        self.user.save()
        sess = self.client.session
        sess["permission_mask"] = 0
        sess.save()

        # Delete user permissions
        for m in Membership.objects.filter(user=self.user).all():
            m.roles.clear()
            m.save()

        # Create a new role, which will have the checking permission
        role = Role.objects.get_or_create(name="β-tester")[0]
        role.permissions.clear()
        role.save()
        membership = Membership.objects.get_or_create(user=self.user, club=Club.objects.get(name="BDE"))[0]
        membership.roles.set([role])
        membership.save()

        # Ensure that the access to the object is forbidden without permission
        resp = self.client.get(url + f"{obj.pk}/")
        self.assertEqual(resp.status_code, 404, f"Mysterious access to {url}{obj.pk}/ for {obj}")

        obj.refresh_from_db()

        # There are problems with polymorphism
        if isinstance(obj, Note) and hasattr(obj, "note_ptr"):
            obj = obj.note_ptr

        mask = PermissionMask.objects.get(rank=0)

        for field in obj._meta.fields:
            # Build permission query
            value = self.get_value(obj, field.name)
            if isinstance(value, date) or isinstance(value, datetime):
                value = value.isoformat()
            elif isinstance(value, ImageFieldFile):
                value = value.name
            elif isinstance(value, Decimal):
                value = str(value)
            query = json.dumps({field.name: value})

            # Create sample permission
            permission = Permission.objects.get_or_create(
                model=ContentType.objects.get_for_model(obj._meta.model),
                query=query,
                mask=mask,
                type="view",
                permanent=False,
                description=f"Can view {obj._meta.verbose_name}",
            )[0]
            role.permissions.set([permission])
            role.save()

            # Check that the access is possible
            resp = self.client.get(url + f"{obj.pk}/")
            self.assertEqual(resp.status_code, 200, f"Permission {permission.query} is not working "
                                                    f"for the model {obj._meta.verbose_name}")

        # Restore rights
        self.user.is_superuser = True
        self.user.save()
        sess = self.client.session
        sess["permission_mask"] = 42
        sess.save()

    @staticmethod
    def get_value(obj, key: str):
        """
        Resolve the queryset filter to get the Python value of an object.
        """
        if hasattr(obj, "all"):
            # obj is a RelatedManager
            obj = obj.last()

        if obj is None:  # pragma: no cover
            return None

        if '__' not in key:
            obj = getattr(obj, key)
            if hasattr(obj, "pk"):
                return obj.pk
            elif hasattr(obj, "all"):
                if not obj.exists():  # pragma: no cover
                    return None
                return obj.last().pk
            elif isinstance(obj, bool):
                return int(obj)
            elif isinstance(obj, datetime):
                return obj.isoformat()
            elif isinstance(obj, PhoneNumber):
                return obj.raw_input
            return obj

        key, remaining = key.split('__', 1)
        return TestAPI.get_value(getattr(obj, key), remaining)

    @staticmethod
    def fix_note_object(obj, field):
        """
        When querying an object that has a noteclub or a noteuser field,
        ensure that the object has a good value.
        """
        if isinstance(obj, Alias):
            if "noteuser" in field:
                return NoteUser.objects.last().alias.last()
            elif "noteclub" in field:
                return NoteClub.objects.last().alias.last()
        elif isinstance(obj, Note):
            if "noteuser" in field:
                return NoteUser.objects.last()
            elif "noteclub" in field:
                return NoteClub.objects.last()
        return obj


class TestBasicAPI(TestAPI):
    def test_user_api(self):
        """
        Load the user page.
        """
        self.check_viewset(ContentTypeViewSet, "/api/models/")
        self.check_viewset(UserViewSet, "/api/user/")
Update copyright for 2021 Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-06-14 19:45:36 +00:00			`# Copyright (C) 2018-2021 by BDE ENS Paris-Saclay`
Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00			`# SPDX-License-Identifier: GPL-3.0-or-later`

			`import json`
Check that permissions are working when accessing to API pages Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 17:21:59 +00:00			`from datetime import datetime, date`
Decimal value is serialized as a str value Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-03-21 09:59:58 +00:00			`from decimal import Decimal`
Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00			`from urllib.parse import quote_plus`
Use python Warnings instead of printing messages during tests Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 14:11:33 +00:00			`from warnings import warn`
Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00
			`from django.contrib.auth.models import User`
Check that permissions are working when accessing to API pages Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 17:21:59 +00:00			`from django.contrib.contenttypes.models import ContentType`
			`from django.db.models.fields.files import ImageFieldFile`
Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00			`from django.test import TestCase`
Ordering filters are now properly tested Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 17:25:54 +00:00			`from django_filters.rest_framework import DjangoFilterBackend`
Check that permissions are working when accessing to API pages Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 17:21:59 +00:00			`from member.models import Membership, Club`
Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00			`from note.models import NoteClub, NoteUser, Alias, Note`
Check that permissions are working when accessing to API pages Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 17:21:59 +00:00			`from permission.models import PermissionMask, Permission, Role`
Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00			`from phonenumbers import PhoneNumber`
Ordering filters are now properly tested Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 17:25:54 +00:00			`from rest_framework.filters import SearchFilter, OrderingFilter`
Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00
			`from .viewsets import ContentTypeViewSet, UserViewSet`


			`class TestAPI(TestCase):`
			`"""`
			`Load API pages and check that filters are working.`
			`"""`
			`fixtures = ('initial', )`

			`def setUp(self) -> None:`
			`self.user = User.objects.create_superuser(`
			`username="adminapi",`
			`password="adminapi",`
			`email="adminapi@example.com",`
			`last_name="Admin",`
			`first_name="Admin",`
			`)`
			`self.client.force_login(self.user)`

			`sess = self.client.session`
			`sess["permission_mask"] = 42`
			`sess.save()`

			`def check_viewset(self, viewset, url):`
			`"""`
			`This function should be called inside a unit test.`
			`This loads the viewset and for each filter entry, it checks that the filter is running good.`
			`"""`
			`resp = self.client.get(url + "?format=json")`
			`self.assertEqual(resp.status_code, 200)`

			`model = viewset.serializer_class.Meta.model`

			`if not model.objects.exists(): # pragma: no cover`
Use python Warnings instead of printing messages during tests Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 14:11:33 +00:00			`warn(f"Warning: unable to test API filters for the model {model._meta.verbose_name} "`
			`"since there is no instance of it.")`
Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00			`return`

			`if hasattr(viewset, "filter_backends"):`
			`backends = viewset.filter_backends`
			`obj = model.objects.last()`

			`if DjangoFilterBackend in backends:`
			`# Specific search`
			`for field in viewset.filterset_fields:`
			`obj = self.fix_note_object(obj, field)`

			`value = self.get_value(obj, field)`
			`if value is None: # pragma: no cover`
Use python Warnings instead of printing messages during tests Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 14:11:33 +00:00			`warn(f"Warning: the filter {field} for the model {model._meta.verbose_name} "`
			`"has not been tested.")`
Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00			`continue`
			`resp = self.client.get(url + f"?format=json&{field}={quote_plus(str(value))}")`
			`self.assertEqual(resp.status_code, 200, f"The filter {field} for the model "`
			`f"{model._meta.verbose_name} does not work. "`
			`f"Given parameter: {value}")`
			`content = json.loads(resp.content)`
			`self.assertGreater(content["count"], 0, f"The filter {field} for the model "`
			`f"{model._meta.verbose_name} does not work. "`
			`f"Given parameter: {value}")`

			`if OrderingFilter in backends:`
			`# Ensure that ordering is working well`
			`for field in viewset.ordering_fields:`
			`resp = self.client.get(url + f"?ordering={field}")`
			`self.assertEqual(resp.status_code, 200)`
			`resp = self.client.get(url + f"?ordering=-{field}")`
			`self.assertEqual(resp.status_code, 200)`

			`if SearchFilter in backends:`
			`# Basic search`
			`for field in viewset.search_fields:`
			`obj = self.fix_note_object(obj, field)`

			`if field[0] == '$' or field[0] == '=':`
			`field = field[1:]`
			`value = self.get_value(obj, field)`
			`if value is None: # pragma: no cover`
Use python Warnings instead of printing messages during tests Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 14:11:33 +00:00			`warn(f"Warning: the filter {field} for the model {model._meta.verbose_name} "`
			`"has not been tested.")`
Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00			`continue`
			`resp = self.client.get(url + f"?format=json&search={quote_plus(str(value))}")`
			`self.assertEqual(resp.status_code, 200, f"The filter {field} for the model "`
			`f"{model._meta.verbose_name} does not work. "`
			`f"Given parameter: {value}")`
			`content = json.loads(resp.content)`
			`self.assertGreater(content["count"], 0, f"The filter {field} for the model "`
			`f"{model._meta.verbose_name} does not work. "`
			`f"Given parameter: {value}")`

Check that permissions are working when accessing to API pages Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 17:21:59 +00:00			`self.check_permissions(url, obj)`

			`def check_permissions(self, url, obj):`
			`"""`
			`Check that permissions are working`
			`"""`
			`# Drop rights`
			`self.user.is_superuser = False`
			`self.user.save()`
			`sess = self.client.session`
			`sess["permission_mask"] = 0`
			`sess.save()`

			`# Delete user permissions`
			`for m in Membership.objects.filter(user=self.user).all():`
			`m.roles.clear()`
			`m.save()`

			`# Create a new role, which will have the checking permission`
			`role = Role.objects.get_or_create(name="β-tester")[0]`
			`role.permissions.clear()`
			`role.save()`
			`membership = Membership.objects.get_or_create(user=self.user, club=Club.objects.get(name="BDE"))[0]`
			`membership.roles.set([role])`
			`membership.save()`

			`# Ensure that the access to the object is forbidden without permission`
			`resp = self.client.get(url + f"{obj.pk}/")`
			`self.assertEqual(resp.status_code, 404, f"Mysterious access to {url}{obj.pk}/ for {obj}")`

			`obj.refresh_from_db()`

			`# There are problems with polymorphism`
			`if isinstance(obj, Note) and hasattr(obj, "note_ptr"):`
			`obj = obj.note_ptr`

			`mask = PermissionMask.objects.get(rank=0)`

			`for field in obj._meta.fields:`
			`# Build permission query`
			`value = self.get_value(obj, field.name)`
			`if isinstance(value, date) or isinstance(value, datetime):`
			`value = value.isoformat()`
			`elif isinstance(value, ImageFieldFile):`
			`value = value.name`
Decimal value is serialized as a str value Signed-off-by: Yohann D'ANELLO <ynerant@crans.org> 2021-03-21 09:59:58 +00:00			`elif isinstance(value, Decimal):`
			`value = str(value)`
Check that permissions are working when accessing to API pages Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 17:21:59 +00:00			`query = json.dumps({field.name: value})`

			`# Create sample permission`
			`permission = Permission.objects.get_or_create(`
			`model=ContentType.objects.get_for_model(obj._meta.model),`
			`query=query,`
			`mask=mask,`
			`type="view",`
			`permanent=False,`
			`description=f"Can view {obj._meta.verbose_name}",`
			`)[0]`
			`role.permissions.set([permission])`
			`role.save()`

			`# Check that the access is possible`
			`resp = self.client.get(url + f"{obj.pk}/")`
			`self.assertEqual(resp.status_code, 200, f"Permission {permission.query} is not working "`
			`f"for the model {obj._meta.verbose_name}")`

			`# Restore rights`
			`self.user.is_superuser = True`
			`self.user.save()`
			`sess = self.client.session`
			`sess["permission_mask"] = 42`
			`sess.save()`

Unit tests for API pages, closes #83 Signed-off-by: Yohann D'ANELLO <yohann.danello@gmail.com> 2020-12-23 13:54:21 +00:00			`@staticmethod`
			`def get_value(obj, key: str):`
			`"""`
			`Resolve the queryset filter to get the Python value of an object.`
			`"""`
			`if hasattr(obj, "all"):`
			`# obj is a RelatedManager`
			`obj = obj.last()`

			`if obj is None: # pragma: no cover`
			`return None`

			`if '__' not in key:`
			`obj = getattr(obj, key)`
			`if hasattr(obj, "pk"):`
			`return obj.pk`
			`elif hasattr(obj, "all"):`
			`if not obj.exists(): # pragma: no cover`
			`return None`
			`return obj.last().pk`
			`elif isinstance(obj, bool):`
			`return int(obj)`
			`elif isinstance(obj, datetime):`
			`return obj.isoformat()`
			`elif isinstance(obj, PhoneNumber):`
			`return obj.raw_input`
			`return obj`

			`key, remaining = key.split('__', 1)`
			`return TestAPI.get_value(getattr(obj, key), remaining)`

			`@staticmethod`
			`def fix_note_object(obj, field):`
			`"""`
			`When querying an object that has a noteclub or a noteuser field,`
			`ensure that the object has a good value.`
			`"""`
			`if isinstance(obj, Alias):`
			`if "noteuser" in field:`
			`return NoteUser.objects.last().alias.last()`
			`elif "noteclub" in field:`
			`return NoteClub.objects.last().alias.last()`
			`elif isinstance(obj, Note):`
			`if "noteuser" in field:`
			`return NoteUser.objects.last()`
			`elif "noteclub" in field:`
			`return NoteClub.objects.last()`
			`return obj`


			`class TestBasicAPI(TestAPI):`
			`def test_user_api(self):`
			`"""`
			`Load the user page.`
			`"""`
			`self.check_viewset(ContentTypeViewSet, "/api/models/")`
			`self.check_viewset(UserViewSet, "/api/user/")`