Add tests for private search [OSF-6898]

tests/test_search/test_permissions/__init__.py

@@ -0,0 +1,117 @@
+# -*- coding: utf-8 -*-
+"""This is a test suite for permissions on the search_search endpoint. It has four parts:
+
+    - nodefuncs - functions that return Nodes
+    - permfuncs - functions that set permissions on a Node
+    - varyfuncs - functions that vary the (non-permission) state of a Node
+    - TestSearchSearchAPI - the actual tests against the search_search API,
+      which are generated from the combinations of the above three function types
+
+"""
+from __future__ import absolute_import, division, print_function, unicode_literals
+
+import sys
+import unittest
+import unittest.case
+
+from nose.tools import assert_equal
+
+from nose_parameterized import parameterized
+from tests.test_search import SearchTestCase
+from tests.test_search.test_permissions.test_varyfuncs import VARYFUNCS, REGFUNCS, REGFUNCS_PRIVATE
+from tests.test_search.test_permissions.test_varyfuncs import base
+from tests.test_search.test_permissions.test_permfuncs import anon, auth, read
+from tests.test_search.test_permissions.test_nodefuncs import NODEFUNCS, NODEFUNCS_PRIVATE
+from website.project.model import Node
+from website.util import api_url_for
+
+
+def determine_case_name(nodefunc, permfunc, varyfunc, should_see, **_):
+    return "{}{}_{}_{}".format(
+        '' if varyfunc is base else varyfunc.__name__ + '_',
+        nodefunc.__name__,
+        'is_shown_to' if should_see else 'is_hidden_from',
+        permfunc.__name__
+    )
+
+
+def is_private(nodefunc, varyfunc):
+    return nodefunc in NODEFUNCS_PRIVATE or varyfunc in REGFUNCS_PRIVATE
+
+
+def want(name):
+    # filter cases here since we can't use nose's usual mechanisms with parameterization
+    return True
+
+
+def generate_cases():
+    for nodefunc in NODEFUNCS:
+        for permfunc in (anon, auth, read):
+            for varyfunc in VARYFUNCS:
+                if nodefunc in NODEFUNCS_PRIVATE and varyfunc in REGFUNCS:
+                    # Registration makes a node public, so skip it.
+                    continue
+                should_see = permfunc is read if is_private(nodefunc, varyfunc) else True
+                name = determine_case_name(**locals())
+                if want(name):
+                    yield name, nodefunc, permfunc, varyfunc, should_see
+
+
+class TestGenerateCases(unittest.TestCase):
+
+    # gc - generate_cases
+
+    def test_gc_generates_cases(self):
+        assert_equal(len(list(generate_cases())), 342)
+
+    def test_gc_doesnt_create_any_nodes(self):
+        list(generate_cases())
+        assert_equal(len(Node.find()), 0)
+
+
+def possiblyExpectFailure(case):
+
+    # This is a hack to conditionally wrap a failure expectation around *some*
+    # of the cases we're feeding to node-parameterized. TODO It can be removed
+    # when we write the code to unfail the tests.
+
+    def test(*a, **kw):  # name must start with test or it's ignored
+        _, _, nodefunc, permfunc, varyfunc, _ = a
+
+        # The tests we expect to fail are those where a node is in a private
+        # state, and a user does have read permission: a private search, in
+        # other words.
+
+        if is_private(nodefunc, varyfunc) and permfunc is read:
+
+            # This bit is copied from the unittest/case.py:expectedFailure
+            # decorator.
+
+            try:
+                case(*a, **kw)
+            except Exception:
+                raise unittest.case._ExpectedFailure(sys.exc_info())
+            raise unittest.case._UnexpectedSuccess
+        else:
+            case(*a, **kw)
+    return test
+
+
+class TestSearchSearchAPI(SearchTestCase):
+    """Exercises the website.search.views.search_search view.
+    """
+
+    def search(self, query, category, auth):
+        url = api_url_for('search_search')
+        data = {'q': 'category:{} AND {}'.format(category, query)}
+        return self.app.get(url, data, auth=auth).json['results']
+
+    @parameterized.expand(generate_cases)
+    @possiblyExpectFailure
+    def test(self, ignored, nodefunc, permfunc, varyfunc, should_see):
+        node = nodefunc()
+        auth = permfunc(node)
+        query, type_, key, expected_name = varyfunc(node)
+        expected = [(expected_name, type_)] if should_see else []
+        results = self.search(query, type_, auth)
+        assert_equal([(x[key], x['category']) for x in results], expected)

tests/test_search/test_permissions/test_nodefuncs.py

@@ -0,0 +1,93 @@
+# -*- coding: utf-8 -*-
+from __future__ import absolute_import, division, print_function, unicode_literals
+
+from nose.tools import assert_equal, ok_
+
+from modularodm import Q
+
+from tests import factories
+from tests.base import DbIsolationMixin
+from tests.test_search import OsfTestCase
+from website.project.model import Node
+
+
+def _project(is_public):
+    project = factories.ProjectFactory(title='Flim Flammity', is_public=is_public)
+    project.update_search()
+    return project
+
+def public_project(): return _project(True)
+def private_project(): return _project(False)
+
+
+def _component(is_public, parent_is_public):
+    project = factories.ProjectFactory(title='Slim Slammity', is_public=parent_is_public)
+    project.update_search()
+    component = factories.NodeFactory(
+        title='Flim Flammity',
+        parent=project,
+        is_public=is_public,
+    )
+    component.update_search()
+    return component
+
+def public_component_of_a_public_project(): return _component(True, True)
+def public_component_of_a_private_project(): return _component(True, False)
+def private_component_of_a_public_project(): return _component(False, True)
+def private_component_of_a_private_project(): return _component(False, False)
+
+
+NODEFUNCS_PRIVATE = [
+    private_project,
+    private_component_of_a_public_project,
+    private_component_of_a_private_project
+]
+NODEFUNCS = [
+    public_project,
+    public_component_of_a_public_project,
+    public_component_of_a_private_project
+] + NODEFUNCS_PRIVATE
+
+
+class TestNodeFuncs(DbIsolationMixin, OsfTestCase):
+
+    def test_there_are_no_nodes_to_start_with(self):
+        assert_equal(Node.find().count(), 0)
+
+
+    # pp - {public,private}_project
+
+    def test_pp_makes_public_project_public(self):
+        public_project()
+        ok_(Node.find_one().is_public)
+
+    def test_pp_makes_private_project_private(self):
+        private_project()
+        ok_(not Node.find_one().is_public)
+
+
+    # pcoapp - {public,private}_component_of_a_{public,private}_project
+
+    def test_pcoapp_makes_public_component_of_a_public_project(self):
+        public_component_of_a_public_project()
+        component = Node.find_one(Q('parent_node', 'ne', None))
+        ok_(component.is_public)
+        ok_(component.parent_node.is_public)
+
+    def test_pcoapp_makes_public_component_of_a_private_project(self):
+        public_component_of_a_private_project()
+        component = Node.find_one(Q('parent_node', 'ne', None))
+        ok_(component.is_public)
+        ok_(not component.parent_node.is_public)
+
+    def test_pcoapp_makes_private_component_of_a_public_project(self):
+        private_component_of_a_public_project()
+        component = Node.find_one(Q('parent_node', 'ne', None))
+        ok_(not component.is_public)
+        ok_(component.parent_node.is_public)
+
+    def test_pcoapp_makes_private_component_of_a_private_project(self):
+        private_component_of_a_private_project()
+        component = Node.find_one(Q('parent_node', 'ne', None))
+        ok_(not component.is_public)
+        ok_(not component.parent_node.is_public)

tests/test_search/test_permissions/test_permfuncs.py

@@ -0,0 +1,73 @@
+# -*- coding: utf-8 -*-
+from __future__ import absolute_import, division, print_function, unicode_literals
+
+from nose.tools import assert_equal, assert_in, assert_not_in
+
+from modularodm import Q
+
+from framework.auth.core import User
+from tests import factories
+from tests.base import DbIsolationMixin
+from tests.test_search import OsfTestCase
+from tests.test_search.test_permissions.test_nodefuncs import public_project
+from website.util import permissions
+from website.project.model import Node
+
+
+def anon(node):
+    return None
+
+
+def auth(node):
+    return factories.AuthUserFactory().auth
+
+
+def read(node):
+    user = factories.AuthUserFactory()
+    node.add_contributor(user, permissions.READ)
+    return user.auth
+
+
+class TestPermFuncs(DbIsolationMixin, OsfTestCase):
+
+    @staticmethod
+    def get_user_id_from_authtuple(authtuple):
+        return User.find_one(Q('emails', 'eq', authtuple[0]))._id
+
+
+    # anon
+
+    def test_anon_returns_none(self):
+        assert_equal(anon(public_project()), None)
+
+    def test_anon_makes_no_user(self):
+        anon(public_project())
+        assert_equal(len(User.find()), 1)  # only the project creator
+
+
+    # auth
+
+    def test_auth_returns_authtuple(self):
+        assert_equal(auth(public_project())[1], 'password')
+
+    def test_auth_creates_a_user(self):
+        auth(public_project())
+        assert_equal(len(User.find()), 2)  # project creator + 1
+
+    def test_auth_user_is_not_a_contributor_on_the_node(self):
+        user_id = self.get_user_id_from_authtuple(auth(public_project()))
+        assert_not_in(user_id, Node.find_one().permissions.keys())
+
+
+    # read
+
+    def test_read_returns_authtuple(self):
+        assert_equal(read(public_project())[1], 'password')
+
+    def test_read_creates_a_user(self):
+        read(public_project())
+        assert_equal(len(User.find()), 2)  # project creator + 1
+
+    def test_read_user_is_a_contributor_on_the_node(self):
+        user_id = self.get_user_id_from_authtuple(read(public_project()))
+        assert_in(user_id, Node.find_one().permissions.keys())