From eac80a7d13a596e38983fa8647048b4bc3ab1daa Mon Sep 17 00:00:00 2001
From: Diego Rodriguez
Date: Mon, 6 Nov 2017 17:10:52 +0100
Subject: [PATCH] api: refactor get status endpoint
* Add tests for unknown workflow and unauthorized access.
Signed-off-by: Diego Rodriguez
---
 reana_workflow_controller/rest.py | 37 +++++--------------
 tests/test_views.py | 59 +++++++++++++++++++++++++++++--
 2 files changed, 66 insertions(+), 30 deletions(-)
diff --git a/reana_workflow_controller/rest.py b/reana_workflow_controller/rest.py
index 5d60ba1c..44836de1 100644
--- a/reana_workflow_controller/rest.py
+++ b/reana_workflow_controller/rest.py
@@ -912,38 +912,19 @@ def get_workflow_status(workflow_id): # noqa
 try:
 organization = request.args['organization']
 user_uuid = request.args['user']
- user = User.query.filter(User.id_ == user_uuid).first()
- if not user:
+ workflow = Workflow.query.filter(Workflow.id_ == workflow_id).first()
+ if not workflow:
+ return jsonify({'message': 'Workflow {} does not exist'.
+ format(workflow_id)}), 404
+ if not str(workflow.owner_id) == user_uuid:
 return jsonify(
- {'message': 'User {} does not exist'.format(user_uuid)}), 404
+ {'message': 'User {} is not allowed to access workflow {}'
+ .format(user_uuid, workflow_id)}), 403

- resp = None
-
- # Make sure that user can access the workflow.
- for workflow in user.workflows:
- current_app.logger.debug(workflow_id,)
- current_app.logger.debug(workflow.id_)
- if workflow_id == str(workflow.id_):
- resp = {'id': workflow.id_,
+ return jsonify({'id': workflow.id_,
 'status': workflow.status.name,
 'organization': organization,
- 'user': user_uuid}
-
- if resp:
- return jsonify(resp), 200
- else: # Check if workflow exists at all.
- workflow = Workflow.query.filter(Workflow.id_ == workflow_id).\
- first()
-
- if not workflow:
- return jsonify(
- {'message': 'Workflow {} does not exist'
- .format(workflow_id)}), 404
- else:
- return jsonify(
- {'message': 'User {} is not allowed to access workflow {}'
- .format(user_uuid, workflow_id)}), 403
-
+ 'user': user_uuid}), 200
 except KeyError as e:
 return jsonify({"message": str(e)}), 400
 except Exception as e:
diff --git a/tests/test_views.py b/tests/test_views.py
index 63919359..0320de1c 100644
--- a/tests/test_views.py
+++ b/tests/test_views.py
@@ -21,8 +21,6 @@
 # submit itself to any jurisdiction.
 """REANA-Workflow-Controller fsdb module tests."""

-from __future__ import absolute_import, print_function
-
 import json
 import os
 import uuid
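Review bot: In `get_workflow_status`, the new ownership test `if not str(workflow.owner_id) == user_uuid:` compares against `request.args['user']`, a value the caller chooses, so the 403 branch is only an access control if something in front of this service has already authenticated that parameter; nothing in the hunk shows that. I would record the assumption next to the check, e.g. `# 'user' is caller-supplied; relies on the upstream gateway having authenticated it`, and write the comparison as `if str(workflow.owner_id) != user_uuid:`. Separately, answering 404 for an unknown id and 403 for an existing workflow owned by someone else lets any caller tell which workflow ids exist; if ids are not meant to be discoverable, both cases should return the same response. The function starts above the hunk and the final `except Exception` body is outside it, so how a malformed `workflow_id` is reported cannot be judged from here.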
@@ -423,3 +421,60 @@ def test_get_workflow_status(app, db_session, default_user):
 data=json.dumps(data))
 json_response = json.loads(res.data.decode())
 assert json_response.get('status') == workflow_finished.status.name
+
+
+def test_get_workflow_status_unauthorized(app, default_user):
+ """Test get workflow status unauthorized."""
+ with app.test_client() as client:
+ # create workflow
+ organization = 'default'
+ data = {'parameters': {'min_year': '1991',
+ 'max_year': '2001'},
+ 'specification': {'first': 'do this',
+ 'second': 'do that'},
+ 'type': 'cwl'}
+ res = client.post(url_for('api.create_workflow'),
+ query_string={
+ "user": default_user.id_,
+ "organization": organization},
+ content_type='application/json',
+ data=json.dumps(data))
+
+ response_data = json.loads(res.get_data(as_text=True))
+ workflow_created_uuid = response_data.get('workflow_id')
+ random_user_uuid = uuid.uuid4()
+ res = client.get(url_for('api.get_workflow_status',
+ workflow_id=workflow_created_uuid),
+ query_string={
+ "user": random_user_uuid,
+ "organization": organization},
+ content_type='application/json',
+ data=json.dumps(data))
+ assert res.status_code == 403
+
+
+def test_get_workflow_status_unknown_workflow(app, default_user):
+ """Test get workflow status for unknown workflow."""
+ with app.test_client() as client:
+ # create workflow
+ organization = 'default'
+ data = {'parameters': {'min_year': '1991',
+ 'max_year': '2001'},
+ 'specification': {'first': 'do this',
+ 'second': 'do that'},
+ 'type': 'cwl'}
+ res = client.post(url_for('api.create_workflow'),
+ query_string={
+ "user": default_user.id_,
+ "organization": organization},
+ content_type='application/json',
+ data=json.dumps(data))
+ random_workflow_uuid = uuid.uuid4()
+ res = client.get(url_for('api.get_workflow_status',
+ workflow_id=random_workflow_uuid),
+ query_string={
+ "user": default_user.id_,
+ "organization": organization},
+ content_type='application/json',
+ data=json.dumps(data))
+ assert res.status_code == 404
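Review bot: `test_get_workflow_status_unauthorized` never checks that the `create_workflow` POST succeeded, so if creation fails `workflow_created_uuid` is `None` and the test no longer exercises the ownership branch it is named for; add `assert workflow_created_uuid` right after it is read. The test also asserts only the status code, so a 403 whose body still carried the workflow state would pass; `assert 'status' not in json.loads(res.get_data(as_text=True))` would pin that nothing is disclosed. In `test_get_workflow_status_unknown_workflow` the POST result is never used, and both GET requests send a JSON body that the endpoint, as far as the rest.py hunk shows, does not read.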