Updated unit test for forthcoming user endpoint enhancements

Author: jaredhendrickson13

docs/CONTRIBUTING.md

@@ -381,6 +381,8 @@ any payload data to receive a valid response you must set this value to `[{}]`.
     - `status` : an integer that specifies the tests expected HTTPS status code (defaults to `200`) 
     - `return` : an integer that specifies the tests expected API return code (defaults to `0`)
     - `resp_time` : a float that specifies the tests maximum response time expected from the API endpoint
+    - `auth_payload` : a dictionary containing authentication payload values (typically `client-id` and `client-token`) 
+    to use with the corresponding request (defaults the username and password passed into the command)
 
 - `post_tests` : A list of dictionary formatted test parameters for POST requests. If this endpoint does not support 
 POST requests, you do not need to override this property. If this endpoint does support POST request, but does not require
@@ -390,6 +392,8 @@ any payload data to receive a valid response you must set this value to `[{}]`.
     - `status` : an integer that specifies the tests expected HTTPS status code (defaults to `200`) 
     - `return` : an integer that specifies the tests expected API return code (defaults to `0`)
     - `resp_time` : a float that specifies the tests maximum response time expected from the API endpoint
+    - `auth_payload` : a dictionary containing authentication payload values (typically `client-id` and `client-token`) 
+    to use with the corresponding request (defaults the username and password passed into the command)
 
 - `put_tests` : A list of dictionary formatted test parameters for PUT requests. If this endpoint does not support 
 PUT requests, you do not need to override this property. If this endpoint does support PUT request, but does not require
@@ -399,6 +403,8 @@ any payload data to receive a valid response you must set this value to `[{}]`.
     - `status` : an integer that specifies the tests expected HTTPS status code (defaults to `200`) 
     - `return` : an integer that specifies the tests expected API return code (defaults to `0`)
     - `resp_time` : a float that specifies the tests maximum response time expected from the API endpoint
+    - `auth_payload` : a dictionary containing authentication payload values (typically `client-id` and `client-token`) 
+    to use with the corresponding request (defaults the username and password passed into the command)
 
 - `delete_tests` : A list of dictionary formatted test parameters for DELETE requests. If this endpoint does not support 
 DELETE requests, you do not need to override this property. If this endpoint does support DELETE request, but does not require
@@ -408,6 +414,8 @@ any payload data to receive a valid response you must set this value to `[{}]`.
     - `status` : an integer that specifies the tests expected HTTPS status code (defaults to `200`) 
     - `return` : an integer that specifies the tests expected API return code (defaults to `0`)
     - `resp_time` : a float that specifies the tests maximum response time expected from the API endpoint
+    - `auth_payload` : a dictionary containing authentication payload values (typically `client-id` and `client-token`) 
+    to use with the corresponding request (defaults the username and password passed into the command)
 
 - `get_responses` : A list of previously executed GET requests in a dictionary format. Failing responses will not be 
 included.

tests/test_api_v1_user.py

@@ -1,22 +1,106 @@
 import unit_test_framework
 
+
 class APIUnitTestUser(unit_test_framework.APIUnitTest):
     url = "/api/v1/user"
     get_tests = [{"name": "Read local users"}]
     post_tests = [
         {
             "name": "Create local user",
+            "resp_time": 2,  # Allow a couple seconds for user database to be updated
             "payload": {
-                "disabled": True,
+                "disabled": False,
                 "username": "new_user",
                 "password": "changeme",
                 "descr": "NEW USER",
                 "authorizedkeys": "test auth key",
                 "ipsecpsk": "test psk",
-                "expires": "11/22/2050"
+                "expires": "11/22/2050",
+                "priv": ["page-system-usermanager"]
             },
-            "resp_time": 2    # Allow a couple seconds for user database to be updated
-        }
+        },
+        {
+            "name": "Create a disabled local user using the previously created local user",
+            "resp_time": 2,  # Allow a couple seconds for user database to be updated
+            "auth_payload": {"client-id": "new_user", "client-token": "changeme"},
+            "payload": {
+                "disabled": True,
+                "username": "disabled_user",
+                "password": "changeme",
+            },
+        },
+        {
+            "name": "Check disabled user's inability to authenticate",
+            "status": 401,
+            "return": 3,
+            "auth_payload": {"client-id": "disabled_user", "client-token": "changeme"},
+        },
+        {
+            "name": "Check username requirement and login using created user",
+            "status": 400,
+            "return": 5000,
+        },
+        {
+            "name": "Check username unique constraint",
+            "status": 400,
+            "return": 5002,
+            "payload": {
+                "username": "new_user"
+            }
+        },
+        {
+            "name": "Check username character constraint",
+            "status": 400,
+            "return": 5036,
+            "payload": {
+                "username": "!@#"
+            }
+        },
+        {
+            "name": "Check reserved username constraint",
+            "status": 400,
+            "return": 5037,
+            "payload": {
+                "username": "root"
+            }
+        },
+        {
+            "name": "Check username length constraint",
+            "status": 400,
+            "return": 5038,
+            "payload": {
+                "username": "THIS_USERNAME_IS_TOO_LONG_FOR_PFSENSE_TO_HANDLE"
+            }
+        },
+        {
+            "name": "Check password requirement",
+            "status": 400,
+            "return": 5003,
+            "payload": {
+                "username": "another_user"
+            }
+        },
+        {
+            "name": "Check privilege validation",
+            "status": 400,
+            "return": 5006,
+            "payload": {
+                "username": "another_user",
+                "password": "changeme",
+                "priv": ["INVALID"]
+            }
+        },
+        {
+            "name": "Check user expiration date validation",
+            "status": 400,
+            "return": 5040,
+            "payload": {
+                "username": "another_user",
+                "password": "changeme",
+                "expires": "INVALID"
+            }
+        },
+
     ]
     put_tests = [
         {
@@ -32,12 +116,48 @@ class APIUnitTestUser(unit_test_framework.APIUnitTest):
             },
             "resp_time": 2    # Allow a couple seconds for user database to be updated
         },
+        {
+            "name": "Check privilege validation",
+            "status": 400,
+            "return": 5006,
+            "payload": {
+                "username": "new_user",
+                "password": "changeme",
+                "priv": ["INVALID"]
+            }
+        },
+        {
+            "name": "Check user expiration date validation",
+            "status": 400,
+            "return": 5040,
+            "payload": {
+                "username": "new_user",
+                "password": "changeme",
+                "expires": "INVALID"
+            }
+        },
 
     ]
     delete_tests = [
         {
             "name": "Delete local user",
             "payload": {"username": "new_user"}
+        },
+        {
+            "name": "Delete disabled user",
+            "payload": {"username": "disabled_user"}
+        },
+        {
+            "name": "Check deletion of non-existing user",
+            "status": 400,
+            "return": 5001,
+            "payload": {"username": "INVALID"}
+        },
+        {
+            "name": "Check deletion of system users",
+            "status": 400,
+            "return": 5005,
+            "payload": {"username": "admin"}
         }
     ]
 

tests/test_api_v1_user_privilege.py

@@ -8,7 +8,29 @@ class APIUnitTestUserPrivilege(unit_test_framework.APIUnitTest):
             "name": "Grant user privileges",
             "payload": {
                 "username": "admin",
-                "priv": ["page-all", "page-system-usermanager"]
+                "priv": ["page-all", "page-system-api"]
+            }
+        },
+        {
+            "name": "Check username requirement",
+            "status": 400,
+            "return": 5000,
+        },
+        {
+            "name": "Check non-existing username",
+            "status": 400,
+            "return": 5001,
+            "payload": {
+                "username": "INVALID"
+            }
+        },
+        {
+            "name": "Check non-existing privileges",
+            "status": 400,
+            "return": 5006,
+            "payload": {
+                "username": "admin",
+                "priv": ["INVALID"]
             }
         }
     ]
@@ -17,7 +39,7 @@ class APIUnitTestUserPrivilege(unit_test_framework.APIUnitTest):
             "name": "Delete user privileges",
             "payload": {
                 "username": "admin",
-                "priv": ["page-system-usermanager"]
+                "priv": ["page-system-api"]
             }
         }
     ]

tests/unit_test_framework/__init__.py

@@ -12,6 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+import pfsense_vshell
 import requests
 import argparse
 import json
@@ -122,14 +123,16 @@ def make_request(self, method, test_params):
         # Create authentication payload for local authentication
         if self.args.auth_mode == "local":
             test_params["payload"] = test_params.get("payload", {})
-            test_params["payload"].update(self.auth_payload)
+            test_params["payload"].update(test_params.get("auth_payload", self.auth_payload))
             headers = {}
         # Create authentication headers for token authentication
         elif self.args.auth_mode == "token":
             headers = {"Authorization": self.args.username + " " + self.args.password}
         # Create authentication headers for JWT authentication
         elif self.args.auth_mode == "jwt":
-            headers = {"Authorization": "Bearer " + self.__request_jwt__()}
+            headers = {
+                "Authorization": "Bearer " + self.__request_jwt__(test_params.get("auth_payload", self.auth_payload))
+            }
 
         # Attempt to make the API call, if the request times out print timeout error
         try:
@@ -316,12 +319,12 @@ def __format_msg__(self, method, test_params, result, mode="failed"):
         )
         return msg
 
-    def __request_jwt__(self):
+    def __request_jwt__(self, auth_payload):
         try:
             req = requests.request(
                 "POST",
                 url=self.args.scheme + "://" + self.args.host + ":" + str(self.args.port) + "/api/v1/access_token",
-                data=json.dumps({"client-id": self.args.username, "client-token": self.args.password}),
+                data=json.dumps(auth_payload),
                 verify=False,
                 timeout=self.args.timeout
             )