Начало Каталог Помощ
Вход
tum
/
soc
Наблюдаван 1
Харесван 0
Разклонения 0
Код Задачи 0 Заявки за сливане 0 Ревизии 34 Версии 0 Уики

Няма описание

Клон: main
Клонове Маркери
soc
/
iris-web
/
tests
/
tests_rest_p...

tests_rest_permissions.py 8.5KB
Постоянна връзка История Директен файл

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176 
  1. #  IRIS Source Code
    2. 

  2. #  Copyright (C) 2023 - DFIR-IRIS
    3. 

  3. #  contact@dfir-iris.org
    4. 

  4. #
    5. 

  5. #  This program is free software; you can redistribute it and/or
    6. 

  6. #  modify it under the terms of the GNU Lesser General Public
    7. 

  7. #  License as published by the Free Software Foundation; either
    8. 

  8. #  version 3 of the License, or (at your option) any later version.
    9. 

  9. #
    10. 

  10. #  This program is distributed in the hope that it will be useful,
    11. 

  11. #  but WITHOUT ANY WARRANTY; without even the implied warranty of
    12. 

  12. #  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
    13. 

  13. #  Lesser General Public License for more details.
    14. 

  14. #
    15. 

  15. #  You should have received a copy of the GNU Lesser General Public License
    16. 

  16. #  along with this program; if not, write to the Free Software Foundation,
    17. 

  17. #  Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
    18. 

  18. 

  19. from unittest import TestCase
    20. 

  20. from iris import Iris
    21. 

  21. _INITIAL_DEMO_CASE_IDENTIFIER = 1
    22. 

  22. _CASE_ACCESS_LEVEL_FULL_ACCESS = 4
    23. 

  23. 

  24. _GROUP_ANALYSTS_IDENTIFIER = 2
    25. 

  25. 

  26. 

  27. class TestsRestPermissions(TestCase):
    28. 

  28. 

  29.     def setUp(self) -> None:
    30. 

  30.         self._subject = Iris()
    31. 

  31. 

  32.     def tearDown(self):
    33. 

  33.         self._subject.clear_database()
    34. 

  34. 

  35.     def test_get_case_should_return_403_when_user_has_insufficient_rights(self):
    36. 

  36.         case_identifier = self._subject.create_dummy_case()
    37. 

  37.         user = self._subject.create_dummy_user()
    38. 

  38.         body = {
    39. 

  39.             'cases_list': [_INITIAL_DEMO_CASE_IDENTIFIER],
    40. 

  40.             'access_level': _CASE_ACCESS_LEVEL_FULL_ACCESS
    41. 

  41.         }
    42. 

  42.         self._subject.create(f'/manage/users/{user.get_identifier()}/cases-access/update', body)
    43. 

  43.         response = user.get(f'/api/v2/cases/{case_identifier}')
    44. 

  44.         self.assertEqual(403, response.status_code)
    45. 

  45. 

  46.     def test_delete_case_should_return_403_when_user_has_insufficient_rights(self):
    47. 

  47.         case_identifier = self._subject.create_dummy_case()
    48. 

  48.         user = self._subject.create_dummy_user()
    49. 

  49.         body = {
    50. 

  50.             'cases_list': [_INITIAL_DEMO_CASE_IDENTIFIER],
    51. 

  51.             'access_level': _CASE_ACCESS_LEVEL_FULL_ACCESS
    52. 

  52.         }
    53. 

  53.         self._subject.create(f'/manage/users/{user.get_identifier()}/cases-access/update', body)
    54. 

  54.         body = {
    55. 

  55.             'groups_membership': [_GROUP_ANALYSTS_IDENTIFIER]
    56. 

  56.         }
    57. 

  57.         self._subject.create(f'/manage/users/{user.get_identifier()}/groups/update', body)
    58. 

  58. 

  59.         response = user.delete(f'/api/v2/cases/{case_identifier}')
    60. 

  60.         self.assertEqual(403, response.status_code)
    61. 

  61. 

  62.     def test_create_ioc_should_return_403_when_user_has_insufficient_rights(self):
    63. 

  63.         case_identifier = self._subject.create_dummy_case()
    64. 

  64.         user = self._subject.create_dummy_user()
    65. 

  65.         body = {
    66. 

  66.             'cases_list': [_INITIAL_DEMO_CASE_IDENTIFIER],
    67. 

  67.             'access_level': _CASE_ACCESS_LEVEL_FULL_ACCESS
    68. 

  68.         }
    69. 

  69.         self._subject.create(f'/manage/users/{user.get_identifier()}/cases-access/update', body)
    70. 

  70. 

  71.         body = {'ioc_type_id': 1, 'ioc_tlp_id': 2, 'ioc_value': '8.8.8.8', 'ioc_description': 'rewrw', 'ioc_tags': ''}
    72. 

  72.         response = user.create(f'/api/v2/cases/{case_identifier}/iocs', body)
    73. 

  73.         self.assertEqual(403, response.status_code)
    74. 

  74. 

  75.     def test_get_ioc_should_return_403_when_user_has_insufficient_rights(self):
    76. 

  76.         case_identifier = self._subject.create_dummy_case()
    77. 

  77.         user = self._subject.create_dummy_user()
    78. 

  78.         body = {'ioc_type_id': 1, 'ioc_tlp_id': 2, 'ioc_value': '8.8.8.8', 'ioc_description': 'rewrw', 'ioc_tags': ''}
    79. 

  79.         response = self._subject.create(f'/api/v2/cases/{case_identifier}/iocs', body).json()
    80. 

  80.         ioc_identifier = response['ioc_id']
    81. 

  81.         body = {
    82. 

  82.             'cases_list': [_INITIAL_DEMO_CASE_IDENTIFIER],
    83. 

  83.             'access_level': _CASE_ACCESS_LEVEL_FULL_ACCESS
    84. 

  84.         }
    85. 

  85.         self._subject.create(f'/manage/users/{user.get_identifier()}/cases-access/update', body)
    86. 

  86. 

  87.         response = user.get(f'/api/v2/cases/{case_identifier}/iocs/{ioc_identifier}')
    88. 

  88.         self.assertEqual(403, response.status_code)
    89. 

  89. 

  90.     def test_get_iocs_should_return_403_when_user_has_insufficient_rights(self):
    91. 

  91.         case_identifier = self._subject.create_dummy_case()
    92. 

  92.         user = self._subject.create_dummy_user()
    93. 

  93.         body = {
    94. 

  94.             'cases_list': [_INITIAL_DEMO_CASE_IDENTIFIER],
    95. 

  95.             'access_level': _CASE_ACCESS_LEVEL_FULL_ACCESS
    96. 

  96.         }
    97. 

  97.         self._subject.create(f'/manage/users/{user.get_identifier()}/cases-access/update', body)
    98. 

  98. 

  99.         response = user.get(f'/api/v2/cases/{case_identifier}/iocs')
    100. 

  100.         self.assertEqual(403, response.status_code)
    101. 

  101. 

  102.     def test_delete_ioc_should_return_403_when_user_has_insufficient_rights(self):
    103. 

  103.         case_identifier = self._subject.create_dummy_case()
    104. 

  104.         user = self._subject.create_dummy_user()
    105. 

  105.         body = {'ioc_type_id': 1, 'ioc_tlp_id': 2, 'ioc_value': '8.8.8.8', 'ioc_description': 'rewrw', 'ioc_tags': ''}
    106. 

  106.         response = self._subject.create(f'/api/v2/cases/{case_identifier}/iocs', body).json()
    107. 

  107.         ioc_identifier = response['ioc_id']
    108. 

  108.         body = {
    109. 

  109.             'cases_list': [_INITIAL_DEMO_CASE_IDENTIFIER],
    110. 

  110.             'access_level': _CASE_ACCESS_LEVEL_FULL_ACCESS
    111. 

  111.         }
    112. 

  112.         self._subject.create(f'/manage/users/{user.get_identifier()}/cases-access/update', body)
    113. 

  113. 

  114.         response = user.delete(f'/api/v2/cases/{case_identifier}/iocs/{ioc_identifier}')
    115. 

  115.         self.assertEqual(403, response.status_code)
    116. 

  116. 

  117.     def test_get_asset_should_return_403_when_user_has_insufficient_rights(self):
    118. 

  118.         case_identifier = self._subject.create_dummy_case()
    119. 

  119.         user = self._subject.create_dummy_user()
    120. 

  120.         body = {'asset_type_id': '1', 'asset_name': 'admin_laptop_test'}
    121. 

  121.         response = self._subject.create(f'/api/v2/cases/{case_identifier}/assets', body).json()
    122. 

  122.         asset_identifier = response['asset_id']
    123. 

  123.         body = {
    124. 

  124.             'cases_list': [_INITIAL_DEMO_CASE_IDENTIFIER],
    125. 

  125.             'access_level': _CASE_ACCESS_LEVEL_FULL_ACCESS
    126. 

  126.         }
    127. 

  127.         self._subject.create(f'/manage/users/{user.get_identifier()}/cases-access/update', body)
    128. 

  128. 

  129.         response = user.get(f'/api/v2/cases/{case_identifier}/assets/{asset_identifier}')
    130. 

  130.         self.assertEqual(403, response.status_code)
    131. 

  131. 

  132.     def test_delete_asset_should_return_403_when_user_has_insufficient_rights(self):
    133. 

  133.         case_identifier = self._subject.create_dummy_case()
    134. 

  134.         user = self._subject.create_dummy_user()
    135. 

  135.         body = {'asset_type_id': '1', 'asset_name': 'admin_laptop_test'}
    136. 

  136.         response = self._subject.create(f'/api/v2/cases/{case_identifier}/assets', body).json()
    137. 

  137.         asset_identifier = response['asset_id']
    138. 

  138.         body = {
    139. 

  139.             'cases_list': [_INITIAL_DEMO_CASE_IDENTIFIER],
    140. 

  140.             'access_level': _CASE_ACCESS_LEVEL_FULL_ACCESS
    141. 

  141.         }
    142. 

  142.         self._subject.create(f'/manage/users/{user.get_identifier()}/cases-access/update', body)
    143. 

  143. 

  144.         response = user.delete(f'/api/v2/cases/{case_identifier}/assets/{asset_identifier}')
    145. 

  145.         self.assertEqual(403, response.status_code)
    146. 

  146. 

  147.     def test_get_task_should_return_403_when_user_has_insufficient_rights(self):
    148. 

  148.         case_identifier = self._subject.create_dummy_case()
    149. 

  149.         user = self._subject.create_dummy_user()
    150. 

  150.         body = {'task_assignees_id': [1], 'task_description': '', 'task_status_id': 1, 'task_tags': '', 'task_title': 'dummy title', 'custom_attributes': {}}
    151. 

  151.         response = self._subject.create(f'/api/v2/cases/{case_identifier}/tasks',  body).json()
    152. 

  152.         task_identifier = response['id']
    153. 

  153.         body = {
    154. 

  154.             'cases_list': [_INITIAL_DEMO_CASE_IDENTIFIER],
    155. 

  155.             'access_level': _CASE_ACCESS_LEVEL_FULL_ACCESS
    156. 

  156.         }
    157. 

  157.         self._subject.create(f'/manage/users/{user.get_identifier()}/cases-access/update', body)
    158. 

  158. 

  159.         response = user.get(f'/api/v2/cases/{case_identifier}/tasks/{task_identifier}')
    160. 

  160.         self.assertEqual(403, response.status_code)
    161. 

  161. 

  162.     def test_delete_task_should_return_403_when_user_has_insufficient_rights(self):
    163. 

  163.         user = self._subject.create_dummy_user()
    164. 

  164.         body = {
    165. 

  165.             'cases_list': [_INITIAL_DEMO_CASE_IDENTIFIER],
    166. 

  166.             'access_level': _CASE_ACCESS_LEVEL_FULL_ACCESS
    167. 

  167.         }
    168. 

  168.         self._subject.create(f'/manage/users/{user.get_identifier()}/cases-access/update', body)
    169. 

  169.         case_identifier = self._subject.create_dummy_case()
    170. 

  170.         body = {'task_assignees_id': [1], 'task_description': '', 'task_status_id': 1, 'task_tags': '', 'task_title': 'dummy title', 'custom_attributes': {}}
    171. 

  171.         response = self._subject.create(f'/api/v2/cases/{case_identifier}/tasks', body).json()
    172. 

  172.         task_identifier = response['id']
    173. 

  173. 

  174.         response = user.delete(f'/api/v2/cases/{case_identifier}/tasks/{task_identifier}')
    175. 

  175.         self.assertEqual(403, response.status_code)
    176. 

  176.