test(controller): add expected unit test failures for response codes

Matthew Fisher · Matthew Fisher · commit aa9bb8f4d921 · 2015-01-08T10:41:37.000-08:00
When testing the security holes found recently, we found a few response
codes that were not what was to be expected. Adding test coverage around
this such that we can address these tests in future refactors.
diff --git a/controller/api/tests/test_app.py b/controller/api/tests/test_app.py
@@ -277,6 +277,12 @@ def test_unauthorized_user_cannot_see_app(self):
         url = '{}/{}/logs'.format(base_url, app_id)
         response = self.client.get(url, HTTP_AUTHORIZATION='token {}'.format(unauthorized_token))
         self.assertEqual(response.status_code, 403)
+        url = '{}/{}'.format(base_url, app_id)
+        response = self.client.get(url, HTTP_AUTHORIZATION='token {}'.format(unauthorized_token))
+        self.assertEqual(response.status_code, 403)
+        response = self.client.delete(url,
+                                      HTTP_AUTHORIZATION='token {}'.format(unauthorized_token))
+        self.assertEqual(response.status_code, 403)
 
     def test_app_info_not_showing_wrong_app(self):
         app_id = 'autotest'
diff --git a/controller/api/tests/test_container.py b/controller/api/tests/test_container.py
@@ -9,6 +9,7 @@
 import json
 import mock
 import requests
+import unittest
 
 from django.contrib.auth.models import User
 from django.test import TransactionTestCase
@@ -539,3 +540,29 @@ def test_run_command_good(self):
         build.sha = 'somereallylongsha'
         rc, output = c.run('echo hi')
         self.assertEqual(json.loads(output)['entrypoint'], '/runner/init')
+
+    @unittest.expectedFailure
+    def test_scale_with_unauthorized_user_returns_403(self):
+        """An unauthorized user should not be able to access an app's resources.
+
+        If an unauthorized user is trying to scale an app he or she does not have access to, it
+        should return a 403. Currently, it returns a 404. FIXME!
+        """
+        url = '/v1/apps'
+        response = self.client.post(url, HTTP_AUTHORIZATION='token {}'.format(self.token))
+        self.assertEqual(response.status_code, 201)
+        app_id = response.data['id']
+        # post a new build
+        url = "/v1/apps/{app_id}/builds".format(**locals())
+        body = {'image': 'autotest/example', 'sha': 'a'*40,
+                'procfile': json.dumps({'web': 'node server.js', 'worker': 'node worker.js'})}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(self.token))
+        unauthorized_user = User.objects.get(username='autotest2')
+        unauthorized_token = Token.objects.get(user=unauthorized_user).key
+        # scale up with unauthorized user
+        url = "/v1/apps/{app_id}/scale".format(**locals())
+        body = {'web': 4}
+        response = self.client.post(url, json.dumps(body), content_type='application/json',
+                                    HTTP_AUTHORIZATION='token {}'.format(unauthorized_token))
+        self.assertEqual(response.status_code, 403)
