tests/owners: Add tests with token scopes

Turbo87 · Turbo87 · commit 0c1f9ca784a1 · 2022-12-01T14:36:04.000+01:00
diff --git a/src/tests/owners.rs b/src/tests/owners.rs
@@ -14,6 +14,7 @@ use cargo_registry::{
     Emails,
 };
 
+use cargo_registry::models::token::{CrateScope, EndpointScope};
 use chrono::{Duration, Utc};
 use conduit::StatusCode;
 use diesel::prelude::*;
@@ -305,6 +306,108 @@ fn owner_change_via_token() {
     );
 }
 
+#[test]
+fn owner_change_via_change_owner_token() {
+    let (app, _, _, token) =
+        TestApp::full().with_scoped_token(None, Some(vec![EndpointScope::ChangeOwners]));
+
+    let user2 = app.db_new_user("user-2");
+    let user2 = user2.as_model();
+
+    let krate =
+        app.db(|conn| CrateBuilder::new("foo_crate", token.as_model().user_id).expect_build(conn));
+
+    let url = format!("/api/v1/crates/{}/owners", krate.name);
+    let body = json!({ "owners": [user2.gh_login] });
+    let body = serde_json::to_vec(&body).unwrap();
+    let response = token.put::<()>(&url, &body);
+    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(
+        response.into_json(),
+        json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
+    );
+}
+
+#[test]
+fn owner_change_via_change_owner_token_with_matching_crate_scope() {
+    let crate_scopes = Some(vec![CrateScope::try_from("foo_crate").unwrap()]);
+    let endpoint_scopes = Some(vec![EndpointScope::ChangeOwners]);
+    let (app, _, _, token) = TestApp::full().with_scoped_token(crate_scopes, endpoint_scopes);
+
+    let user2 = app.db_new_user("user-2");
+    let user2 = user2.as_model();
+
+    let krate =
+        app.db(|conn| CrateBuilder::new("foo_crate", token.as_model().user_id).expect_build(conn));
+
+    let url = format!("/api/v1/crates/{}/owners", krate.name);
+    let body = json!({ "owners": [user2.gh_login] });
+    let body = serde_json::to_vec(&body).unwrap();
+    let response = token.put::<()>(&url, &body);
+    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(
+        response.into_json(),
+        json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
+    );
+}
+
+#[test]
+fn owner_change_via_change_owner_token_with_wrong_crate_scope() {
+    let crate_scopes = Some(vec![CrateScope::try_from("bar").unwrap()]);
+    let endpoint_scopes = Some(vec![EndpointScope::ChangeOwners]);
+    let (app, _, _, token) = TestApp::full().with_scoped_token(crate_scopes, endpoint_scopes);
+
+    let user2 = app.db_new_user("user-2");
+    let user2 = user2.as_model();
+
+    let krate =
+        app.db(|conn| CrateBuilder::new("foo_crate", token.as_model().user_id).expect_build(conn));
+
+    let url = format!("/api/v1/crates/{}/owners", krate.name);
+    let body = json!({ "owners": [user2.gh_login] });
+    let body = serde_json::to_vec(&body).unwrap();
+    let response = token.put::<()>(&url, &body);
+    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(
+        response.into_json(),
+        json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
+    );
+    // TODO this should return "403 Forbidden" once token scopes are implemented for this endpoint
+    // assert_eq!(response.status(), StatusCode::FORBIDDEN);
+    // assert_eq!(
+    //     response.into_json(),
+    //     json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
+    // );
+}
+
+#[test]
+fn owner_change_via_publish_token() {
+    let (app, _, _, token) =
+        TestApp::full().with_scoped_token(None, Some(vec![EndpointScope::PublishUpdate]));
+
+    let user2 = app.db_new_user("user-2");
+    let user2 = user2.as_model();
+
+    let krate =
+        app.db(|conn| CrateBuilder::new("foo_crate", token.as_model().user_id).expect_build(conn));
+
+    let url = format!("/api/v1/crates/{}/owners", krate.name);
+    let body = json!({ "owners": [user2.gh_login] });
+    let body = serde_json::to_vec(&body).unwrap();
+    let response = token.put::<()>(&url, &body);
+    assert_eq!(response.status(), StatusCode::OK);
+    assert_eq!(
+        response.into_json(),
+        json!({ "ok": true, "msg": "user user-2 has been invited to be an owner of crate foo_crate" })
+    );
+    // TODO this should return "403 Forbidden" once token scopes are implemented for this endpoint
+    // assert_eq!(response.status(), StatusCode::FORBIDDEN);
+    // assert_eq!(
+    //     response.into_json(),
+    //     json!({ "errors": [{ "detail": "must be logged in to perform that action" }] })
+    // );
+}
+
 #[test]
 fn owner_change_without_auth() {
     let (app, anon, cookie) = TestApp::full().with_user();
