Backend/amivapi: Add integration tests for api connection and fix small bug

Currently amivapi crashes if `user` or `group` are not included in a the
projection for `groupmembership` -- the projection is removed until it is safe
to use it again.

Furthermore added some integration tests that are skipped if tokens are not
provided to not interfere with automated testing.

Backend/security.py

@@ -56,14 +56,14 @@ def request_cache(key):
 @request_cache('apiuser')
 def get_user():
     """Return user id if the token is valid, None otherwise."""
-    response = api_get(
-        'sessions',
-        where={'token': g.get('token', '')},
-        projection={'user': 1}
-    )
-    if response:
-        print('Resp', response['_items'][0])
-        return response['_items'][0]['user']
+    if g.get('token') is not None:
+        response = api_get(
+            'sessions',
+            where={'token': g.get('token', '')},
+            projection={'user': 1}
+        )
+        if response:
+            return response['_items'][0]['user']
 
 
 @request_cache('nethz')
@@ -71,7 +71,6 @@ def get_nethz():
     """Return nethz of current user."""
     if get_user() is not None:
         response = api_get('users/' + get_user())
-        print('users/' + get_user(), response)
         return response.get('nethz')
 
 
@@ -96,7 +95,9 @@ def is_admin():
             membership = api_get(
                 'groupmemberships',
                 where={'user': user_id, 'group': group_id},
-                projection={'_id': 1}
+                # This Projection currectly crashes AMIVAPI
+                # https://github.com/amiv-eth/amivapi/issues/206
+                # projection={'_id': 1}
             )
 
             return bool(membership and membership['_items'])

Backend/tests/conftest.py

@@ -27,6 +27,38 @@ TEST_SETTINGS = {
 }
 
 
+# Check command line options for API token
+# This way we can conveniently skip integration tests per default,
+# but still provide a convenient interface to run them
+
+def pytest_addoption(parser):
+    """Add options to get tokens from command line."""
+    parser.addoption("--usertoken",
+                     action="store",
+                     help="amivapi user token")
+    parser.addoption("--admintoken",
+                     action="store",
+                     help="amivapi pvk admin token")
+
+
+@pytest.fixture
+def admintoken(request):
+    """Fixture to provide admin token or skip test if its not available."""
+    token = request.config.getoption('--admintoken')
+    if token is None:
+        pytest.skip("need api admin token to run")
+    return token
+
+
+@pytest.fixture
+def usertoken(request):
+    """Fixture to provide user token or skip test if its not available."""
+    token = request.config.getoption('--usertoken')
+    if token is None:
+        pytest.skip("need api user token to run")
+    return token
+
+
 class TestClient(FlaskClient):
     """Custom test client for easier json handling."""
 

Backend/tests/test_api.py

+"""Test api connection functions.
+
+These tests require command line options to run.
+
+First, aquire a amivapi token (e.g. with curl) both for a user in the
+admin group and for a user not in the admin group.
+
+Then provide them to the tests with:
+
+> py.test --usertoken <token> --admintoken <token>
+
+(of course, replace `<token>` with the two respective values)
+
+The basic idea is simple: all security related functions use the g object
+for their in- and outputs.
+
+So we just put the provided token into g and see if the functions work.
+"""
+
+from flask import g
+
+from security import get_user, get_nethz, is_admin
+
+
+def test_user_found(app, usertoken):
+    """Test if a user can be found with an api token."""
+    with app.app_context():
+        g.token = usertoken
+        assert get_user() is not None
+
+
+def test_nethz_found(app, usertoken):
+    """Test if a users nethz can be found with an api token."""
+    with app.app_context():
+        g.token = usertoken
+        assert get_nethz() is not None
+
+
+def test_user_not_found(app):
+    """Without token, user cannot be found."""
+    with app.app_context():
+        assert get_user() is None
+
+
+def test_nethz_not_found(app):
+    """Without token, users nethz cannot be found."""
+    with app.app_context():
+        assert get_nethz() is None
+
+
+def test_not_admin(app):
+    """Without token, user does no get admin priviledges."""
+    with app.app_context():
+        assert is_admin() is False
+
+
+def test_user_not_admin(app, usertoken):
+    """Test if the user does not get admin priviledges."""
+    with app.app_context():
+        g.token = usertoken
+        assert is_admin() is False
+
+
+def test_admin(app, admintoken):
+    """Test if admins get priviledges."""
+    with app.app_context():
+        g.token = admintoken
+        assert is_admin() is True

README.md

@@ -98,3 +98,22 @@ But don't worry, it's very easy to set them up -- take a look at the
   ```bash
   py.test
   ```
+
+- Per default, integration tests with amivapi are skipped, since they require
+  valid amivapi tokens. 
+
+  You can run  `py.test -rs` to get a summary including skipped tests.
+
+  The api tests can be included by provide tokens for a user (*not in* the
+  `PVK Admins` group) and an admin (*in* the `PVK Admins` group)
+
+  ```bash
+  # Replace <usertoken> and <admintoken> (including <>) with your tokens
+  py.test -rs --usertoken <usertoken> --admintoken <admintoken>
+  ```
+
+  An easy way to aquire the tokens is `curl`:
+
+  ```bash
+  curl -X POST -Fusername <user> -Fpassword <pass> amiv-api.ethz.ch/sessions
+  ```