mgr/dashboard: fix REST API test cases
authorTatjana Dehler <tdehler@suse.com>
Tue, 17 Dec 2019 15:12:25 +0000 (16:12 +0100)
committerVolker Theile <vtheile@suse.com>
Thu, 2 Jan 2020 09:49:37 +0000 (10:49 +0100)
1. Fix the test cases by using the 'assertJsonBody'
   method. The '_post' method doesn't return anything.
   That's why we need to use the 'assertJsonBody'
   method here instead of checking the fields directly.

2. Add the missing scope and permission definition of the
   'validate_password' resource. Otherwise the resource
   is not restricted and 'test_validate_password_invalid_permissions'
   will fail.

3. Re-word error messages. Change 'cannot' to 'must not'.

Signed-off-by: Tatjana Dehler <tdehler@suse.com>
qa/tasks/mgr/dashboard/test_user.py
src/pybind/mgr/dashboard/controllers/user.py
src/pybind/mgr/dashboard/services/access_control.py

index f1dd9f15c8f6fe51a4abad639366d5baba31083c..f3ee8863a6730037b3b7e7469019d104248fdf93 100644 (file)
@@ -196,7 +196,7 @@ class UserTest(DashboardTestCase):
         })
         self.assertStatus(400)
         self.assertError('password_policy_validation_failed', 'user',
-                         'Password cannot be the same as the previous one.')
+                         'Password must not be the same as the previous one.')
         self._reset_login_to_admin('test1')
 
     def test_change_password_contains_username(self):
@@ -208,7 +208,7 @@ class UserTest(DashboardTestCase):
         })
         self.assertStatus(400)
         self.assertError('password_policy_validation_failed', 'user',
-                         'Password cannot contain username.')
+                         'Password must not contain username.')
         self._reset_login_to_admin('test1')
 
     def test_change_password_contains_forbidden_words(self):
@@ -220,7 +220,7 @@ class UserTest(DashboardTestCase):
         })
         self.assertStatus(400)
         self.assertError('password_policy_validation_failed', 'user',
-                         'Password cannot contain keywords.')
+                         'Password must not contain keywords.')
         self._reset_login_to_admin('test1')
 
     def test_change_password_contains_sequential_characters(self):
@@ -232,7 +232,7 @@ class UserTest(DashboardTestCase):
         })
         self.assertStatus(400)
         self.assertError('password_policy_validation_failed', 'user',
-                         'Password cannot contain sequential characters.')
+                         'Password must not contain sequential characters.')
         self._reset_login_to_admin('test1')
 
     def test_change_password_contains_repetetive_characters(self):
@@ -244,7 +244,7 @@ class UserTest(DashboardTestCase):
         })
         self.assertStatus(400)
         self.assertError('password_policy_validation_failed', 'user',
-                         'Password cannot contain repetitive characters.')
+                         'Password must not contain repetitive characters.')
         self._reset_login_to_admin('test1')
 
     def test_change_password(self):
@@ -400,65 +400,79 @@ class UserTest(DashboardTestCase):
             'credits': JLeaf(int),
             'valuation': JLeaf(str)
         }))
-        self.assertTrue(data['valid'])
-        self.assertEqual(data['credits'], 11)
-        self.assertEqual(data['valuation'], 'Weak')
+        self.assertJsonBody({
+            'valid': True,
+            'credits': 11,
+            'valuation': 'Weak'
+        })
 
     def test_validate_password_ok(self):
-        data = self._post('/api/user/validate_password', {
+        self._post('/api/user/validate_password', {
             'password': 'mypassword1!@'
         })
         self.assertStatus(200)
-        self.assertTrue(data['valid'])
-        self.assertEqual(data['credits'], 17)
-        self.assertEqual(data['valuation'], 'OK')
+        self.assertJsonBody({
+            'valid': True,
+            'credits': 17,
+            'valuation': 'OK'
+        })
 
     def test_validate_password_strong(self):
-        data = self._post('/api/user/validate_password', {
+        self._post('/api/user/validate_password', {
             'password': 'testpassword0047!@'
         })
         self.assertStatus(200)
-        self.assertTrue(data['valid'])
-        self.assertEqual(data['credits'], 22)
-        self.assertEqual(data['valuation'], 'Strong')
+        self.assertJsonBody({
+            'valid': True,
+            'credits': 22,
+            'valuation': 'Strong'
+        })
 
     def test_validate_password_very_strong(self):
-        data = self._post('/api/user/validate_password', {
+        self._post('/api/user/validate_password', {
             'password': 'testpassword#!$!@$'
         })
         self.assertStatus(200)
-        self.assertTrue(data['valid'])
-        self.assertEqual(data['credits'], 30)
-        self.assertEqual(data['valuation'], 'Very strong')
+        self.assertJsonBody({
+            'valid': True,
+            'credits': 30,
+            'valuation': 'Very strong'
+        })
 
     def test_validate_password_fail(self):
-        data = self._post('/api/user/validate_password', {
+        self._post('/api/user/validate_password', {
             'password': 'foo'
         })
         self.assertStatus(200)
-        self.assertFalse(data['valid'])
-        self.assertEqual(data['credits'], 0)
-        self.assertEqual(data['valuation'], 'Password is too weak.')
+        self.assertJsonBody({
+            'valid': False,
+            'credits': 0,
+            'valuation': 'Password is too weak.'
+        })
 
     def test_validate_password_fail_name(self):
-        data = self._post('/api/user/validate_password', {
+        self._post('/api/user/validate_password', {
             'password': 'x1zhugo_10',
             'username': 'hugo'
         })
         self.assertStatus(200)
-        self.assertFalse(data['valid'])
-        self.assertEqual(data['credits'], 0)
-        self.assertEqual(data['valuation'], 'Password cannot contain username.')
+        self.assertJsonBody({
+            'valid': False,
+            'credits': 0,
+            'valuation': 'Password must not contain username.'
+        })
 
     def test_validate_password_fail_oldpwd(self):
-        data = self._post('/api/user/validate_password', {
+        self._post('/api/user/validate_password', {
             'password': 'x1zt-st10',
             'old_password': 'x1zt-st10'
         })
         self.assertStatus(200)
-        self.assertFalse(data['valid'])
-        self.assertEqual(data['credits'], 0)
-        self.assertEqual(data['valuation'], 'Password cannot be the same as the previous one.')
+        self.assertJsonBody({
+            'valid': False,
+            'credits': 0,
+            'valuation': 'Password must not be the same as the previous one.'
+        })
 
     @DashboardTestCase.RunAs('test', 'test', [{'user': ['read', 'delete']}])
     def test_validate_password_invalid_permissions(self):
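Review bot: The six rewritten `test_validate_password_*` cases from `_ok` to `_fail_oldpwd` repeat the same three steps (`_post`, `assertStatus(200)`, `assertJsonBody`) and differ only in the payload and the expected body. A small private helper on `UserTest` would keep each case to one call, so a future change to the response contract is made in one place. The first case in this hunk starts above the hunk, so whether it fits the helper depends on how its schema check is fed. The fence below shows the helper and one converted case.

```python
    def _validate_password(self, payload, expected_body):
        self._post('/api/user/validate_password', payload)
        self.assertStatus(200)
        self.assertJsonBody(expected_body)

    def test_validate_password_ok(self):
        self._validate_password(
            {'password': 'mypassword1!@'},
            {'valid': True, 'credits': 17, 'valuation': 'OK'})

    # … unchanged pattern: strong, very_strong, fail, fail_name and fail_oldpwd call the helper the same way …
```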
@@ -466,4 +480,4 @@ class UserTest(DashboardTestCase):
             'password': 'foo'
         })
         self.assertStatus(403)
-        self.assertError(code='invalid_credentials', component='auth')
+        self.assertError(detail='You don\'t have permissions to access that resource')
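Review bot: Only the denied direction of the new access rule is pinned here: a user holding `read` and `delete` on `user` gets 403. Nothing visible checks that `create` alone is sufficient. Adding a sibling case decorated with `@DashboardTestCase.RunAs('test', 'test', [{'user': ['create']}])` that posts the same body and expects `assertStatus(200)` would show that the endpoint needs exactly the permission the controller declares and no more. The test method begins in the previous hunk, so its `_post` call is only partly visible here.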
index b70a9837bbfff769e9dbea9a181e22cf4a9cbc74..dfafb4ff71f8b2af31d31a2a6481164b6db5a5f8 100644 (file)
@@ -7,7 +7,7 @@ import time
 
 import cherrypy
 
-from . import BaseController, ApiController, RESTController, Endpoint
+from . import BaseController, ApiController, RESTController, Endpoint, CreatePermission
 from .. import mgr
 from ..exceptions import DashboardException, UserAlreadyExists, \
     UserDoesNotExist, PasswordPolicyException, PwdExpirationDateNotValid
@@ -139,9 +139,11 @@ class User(RESTController):
         return User._user_to_dict(user)
 
 
-@ApiController('/user')
+@ApiController('/user', Scope.USER)
 class UserPasswordPolicy(RESTController):
+
     @Endpoint('POST')
+    @CreatePermission
     def validate_password(self, password, username=None, old_password=None):
         """
         Check if the password meets the password policy.
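Review bot: Adding `@CreatePermission` under `Scope.USER` ties a password-strength check to the right to create users. An account with only `update` on that scope, or with no `user` permission that is changing its own password, would presumably get 403 from `validate_password`. Please confirm this is the intended audience for the endpoint. Either way, the docstring should state the rule, for example `Requires the 'create' permission on the 'user' scope; other callers receive 403.` The docstring and body continue below the hunk, so this note cannot tell whether the rule is already documented further down.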
index d136ca6c07f910e07513e82aece755d78dd84a01..339e4eb2b414e81e8e009ce346b819cd342b3d6d 100644 (file)
@@ -123,15 +123,15 @@ class PasswordPolicy(object):
         if self.check_password_characters() < 10 or not self.check_password_length():
             raise PasswordPolicyException('Password is too weak.')
         if self.check_is_old_password():
-            raise PasswordPolicyException('Password cannot be the same as the previous one.')
+            raise PasswordPolicyException('Password must not be the same as the previous one.')
         if self.check_if_contains_username():
-            raise PasswordPolicyException('Password cannot contain username.')
+            raise PasswordPolicyException('Password must not contain username.')
         if self.check_if_contains_forbidden_words():
-            raise PasswordPolicyException('Password cannot contain keywords.')
+            raise PasswordPolicyException('Password must not contain keywords.')
         if self.check_if_repetetive_characters():
-            raise PasswordPolicyException('Password cannot contain repetitive characters.')
+            raise PasswordPolicyException('Password must not contain repetitive characters.')
         if self.check_if_sequential_characters():
-            raise PasswordPolicyException('Password cannot contain sequential characters.')
+            raise PasswordPolicyException('Password must not contain sequential characters.')
 
 
 class Role(object):