Chris Coutinho
422 lines
15 KiB
Python
422 lines
15 KiB
Python
"""
|
|
Multi-user OAuth tests for Nextcloud WebDAV file permissions.
|
|
|
|
Tests verify that the MCP server respects Nextcloud file sharing permissions
|
|
when accessed via OAuth authentication with different users.
|
|
|
|
All operations (file creation, sharing, access) are performed through MCP tools
|
|
to ensure the MCP server properly supports multi-user scenarios.
|
|
"""
|
|
|
|
import json
|
|
import logging
|
|
|
|
import pytest
|
|
|
|
logger = logging.getLogger(__name__)
|
|
|
|
pytestmark = [pytest.mark.integration, pytest.mark.oauth]
|
|
|
|
|
|
async def test_file_share_read_permissions(
|
|
alice_mcp_client, bob_mcp_client, diana_mcp_client
|
|
):
|
|
"""
|
|
Test that shared files respect read permissions.
|
|
|
|
Scenario:
|
|
1. Alice creates a file via MCP
|
|
2. Alice shares the file with Bob (read-only) via MCP
|
|
3. Bob can read the file via MCP tools
|
|
4. Diana cannot access the file (no share)
|
|
"""
|
|
file_path = "/alice_shared_file_read.txt"
|
|
file_content = "This file is shared with Bob for reading only."
|
|
|
|
# Alice creates a file
|
|
logger.info(f"Alice creating file: {file_path}")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_webdav_write_file",
|
|
arguments={"path": file_path, "content": file_content},
|
|
)
|
|
assert not result.isError, f"Alice failed to create file: {result.content}"
|
|
|
|
share_id = None
|
|
|
|
try:
|
|
# Alice shares the file with bob (read-only, permissions=1)
|
|
logger.info("Alice sharing file with bob (read-only)...")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_share_create",
|
|
arguments={
|
|
"path": file_path,
|
|
"share_with": "bob",
|
|
"share_type": 0,
|
|
"permissions": 1,
|
|
},
|
|
)
|
|
assert not result.isError, f"Alice failed to create share: {result.content}"
|
|
share_data = json.loads(result.content[0].text)
|
|
share_id = share_data["id"]
|
|
logger.info(f"Created share {share_id}")
|
|
|
|
# Test: Bob reads the file via MCP
|
|
logger.info("Bob attempting to read file via MCP...")
|
|
result = await bob_mcp_client.call_tool(
|
|
"nc_webdav_read_file", arguments={"path": file_path}
|
|
)
|
|
|
|
# Bob should be able to read the shared file
|
|
if not result.isError:
|
|
response_data = json.loads(result.content[0].text)
|
|
logger.info(
|
|
f"Bob successfully read file: {response_data.get('content', '')[:50]}..."
|
|
)
|
|
assert "content" in response_data
|
|
assert file_content in response_data["content"]
|
|
else:
|
|
logger.warning(f"Bob could not read file: {result.content}")
|
|
# This might fail if the share path is different for bob
|
|
|
|
# Test: Diana attempts to read the file
|
|
logger.info("Diana attempting to read file via MCP...")
|
|
result = await diana_mcp_client.call_tool(
|
|
"nc_webdav_read_file", arguments={"path": file_path}
|
|
)
|
|
|
|
# Diana should NOT be able to read (no share)
|
|
if result.isError:
|
|
logger.info("Diana correctly denied access to unshared file")
|
|
else:
|
|
logger.warning("Diana unexpectedly could read unshared file")
|
|
|
|
finally:
|
|
# Cleanup - Alice deletes the share and file
|
|
if share_id:
|
|
logger.info(f"Alice deleting share {share_id}")
|
|
await alice_mcp_client.call_tool(
|
|
"nc_share_delete", arguments={"share_id": share_id}
|
|
)
|
|
logger.info(f"Alice deleting file {file_path}")
|
|
await alice_mcp_client.call_tool(
|
|
"nc_webdav_delete_resource", arguments={"path": file_path}
|
|
)
|
|
|
|
|
|
async def test_file_share_write_permissions(
|
|
alice_mcp_client, charlie_mcp_client, bob_mcp_client
|
|
):
|
|
"""
|
|
Test that shared files respect write permissions.
|
|
|
|
Scenario:
|
|
1. Alice creates a file via MCP
|
|
2. Alice shares the file with Charlie (edit permission) via MCP
|
|
3. Alice shares the file with Bob (read-only) via MCP
|
|
4. Charlie can edit the file via MCP tools
|
|
5. Bob cannot edit the file
|
|
"""
|
|
file_path = "/alice_shared_file_write.txt"
|
|
file_content = "This file is shared with Charlie for editing."
|
|
|
|
logger.info(f"Alice creating file: {file_path}")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_webdav_write_file",
|
|
arguments={"path": file_path, "content": file_content},
|
|
)
|
|
assert not result.isError, f"Alice failed to create file: {result.content}"
|
|
|
|
charlie_share_id = None
|
|
bob_share_id = None
|
|
|
|
try:
|
|
# Alice shares with Charlie (read+write, permissions=3)
|
|
logger.info("Alice sharing file with Charlie (edit permission)...")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_share_create",
|
|
arguments={
|
|
"path": file_path,
|
|
"share_with": "charlie",
|
|
"share_type": 0,
|
|
"permissions": 3,
|
|
},
|
|
)
|
|
assert not result.isError, (
|
|
f"Alice failed to share with Charlie: {result.content}"
|
|
)
|
|
charlie_share_data = json.loads(result.content[0].text)
|
|
charlie_share_id = charlie_share_data["id"]
|
|
logger.info(f"Created share {charlie_share_id} for Charlie")
|
|
|
|
# Alice shares with Bob (read-only, permissions=1)
|
|
logger.info("Alice sharing file with Bob (read-only)...")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_share_create",
|
|
arguments={
|
|
"path": file_path,
|
|
"share_with": "bob",
|
|
"share_type": 0,
|
|
"permissions": 1,
|
|
},
|
|
)
|
|
assert not result.isError, f"Alice failed to share with Bob: {result.content}"
|
|
bob_share_data = json.loads(result.content[0].text)
|
|
bob_share_id = bob_share_data["id"]
|
|
logger.info(f"Created share {bob_share_id} for Bob")
|
|
|
|
# Test: Charlie can write to the file
|
|
logger.info("Charlie attempting to write to file via MCP...")
|
|
updated_content = f"{file_content}\nCharlie added this line."
|
|
result = await charlie_mcp_client.call_tool(
|
|
"nc_webdav_write_file",
|
|
arguments={"path": file_path, "content": updated_content},
|
|
)
|
|
|
|
if not result.isError:
|
|
logger.info("Charlie successfully wrote to file")
|
|
else:
|
|
logger.warning(f"Charlie could not write to file: {result.content}")
|
|
|
|
# Test: Bob attempts to write (should fail)
|
|
logger.info("Bob attempting to write to file via MCP...")
|
|
result = await bob_mcp_client.call_tool(
|
|
"nc_webdav_write_file",
|
|
arguments={"path": file_path, "content": "Bob tries to overwrite this."},
|
|
)
|
|
|
|
# Bob should be denied
|
|
if result.isError:
|
|
logger.info("Bob correctly denied write access")
|
|
else:
|
|
logger.warning("Bob unexpectedly succeeded in writing (permissions issue?)")
|
|
|
|
finally:
|
|
# Cleanup - Alice deletes shares and file
|
|
if charlie_share_id:
|
|
logger.info(f"Alice deleting Charlie's share {charlie_share_id}")
|
|
await alice_mcp_client.call_tool(
|
|
"nc_share_delete", arguments={"share_id": charlie_share_id}
|
|
)
|
|
if bob_share_id:
|
|
logger.info(f"Alice deleting Bob's share {bob_share_id}")
|
|
await alice_mcp_client.call_tool(
|
|
"nc_share_delete", arguments={"share_id": bob_share_id}
|
|
)
|
|
logger.info(f"Alice deleting file {file_path}")
|
|
await alice_mcp_client.call_tool(
|
|
"nc_webdav_delete_resource", arguments={"path": file_path}
|
|
)
|
|
|
|
|
|
async def test_file_list_permissions(alice_mcp_client, bob_mcp_client):
|
|
"""
|
|
Test that file listing respects share permissions.
|
|
|
|
Scenario:
|
|
1. Alice creates her private file via MCP
|
|
2. Bob creates his private file via MCP
|
|
3. Alice creates a file and shares it with Bob via MCP
|
|
4. Alice can list her own files + shared files
|
|
5. Bob can list his own files + shared files from Alice
|
|
"""
|
|
alice_file = "/alice_private_file.txt"
|
|
bob_file = "/bob_private_file.txt"
|
|
shared_file = "/alice_shared_with_bob.txt"
|
|
|
|
# Alice creates her private file
|
|
logger.info(f"Alice creating private file: {alice_file}")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_webdav_write_file",
|
|
arguments={"path": alice_file, "content": "Alice's private file"},
|
|
)
|
|
assert not result.isError, f"Alice failed to create file: {result.content}"
|
|
|
|
# Bob creates his private file
|
|
logger.info(f"Bob creating private file: {bob_file}")
|
|
result = await bob_mcp_client.call_tool(
|
|
"nc_webdav_write_file",
|
|
arguments={"path": bob_file, "content": "Bob's private file"},
|
|
)
|
|
assert not result.isError, f"Bob failed to create file: {result.content}"
|
|
|
|
# Alice creates a shared file
|
|
logger.info(f"Alice creating shared file: {shared_file}")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_webdav_write_file",
|
|
arguments={"path": shared_file, "content": "Shared file content"},
|
|
)
|
|
assert not result.isError, f"Alice failed to create shared file: {result.content}"
|
|
|
|
share_id = None
|
|
|
|
try:
|
|
# Alice shares the file with Bob
|
|
logger.info("Alice sharing file with Bob...")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_share_create",
|
|
arguments={
|
|
"path": shared_file,
|
|
"share_with": "bob",
|
|
"share_type": 0,
|
|
"permissions": 1,
|
|
},
|
|
)
|
|
assert not result.isError, f"Alice failed to create share: {result.content}"
|
|
share_data = json.loads(result.content[0].text)
|
|
share_id = share_data["id"]
|
|
|
|
# Test: Alice lists files in root
|
|
logger.info("Alice listing files via MCP...")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_webdav_list_directory", arguments={"path": "/"}
|
|
)
|
|
|
|
if not result.isError:
|
|
response_data = json.loads(result.content[0].text)
|
|
# Extract files from DirectoryListing response
|
|
files = response_data.get("files", [])
|
|
file_names = [f["name"] for f in files]
|
|
logger.info(f"Alice can see files: {file_names}")
|
|
|
|
# Alice should see her own files
|
|
# Note: Exact assertions depend on test isolation
|
|
else:
|
|
logger.warning(f"Alice could not list files: {result.content}")
|
|
|
|
# Test: Bob lists files in root
|
|
logger.info("Bob listing files via MCP...")
|
|
result = await bob_mcp_client.call_tool(
|
|
"nc_webdav_list_directory", arguments={"path": "/"}
|
|
)
|
|
|
|
if not result.isError:
|
|
response_data = json.loads(result.content[0].text)
|
|
# Extract files from DirectoryListing response
|
|
files = response_data.get("files", [])
|
|
file_names = [f["name"] for f in files]
|
|
logger.info(f"Bob can see files: {file_names}")
|
|
|
|
# Bob should see his own file, but not Alice's private file
|
|
# Bob may see shared files in his shared folder or via different path
|
|
else:
|
|
logger.warning(f"Bob could not list files: {result.content}")
|
|
|
|
finally:
|
|
# Cleanup
|
|
if share_id:
|
|
logger.info(f"Alice deleting share {share_id}")
|
|
await alice_mcp_client.call_tool(
|
|
"nc_share_delete", arguments={"share_id": share_id}
|
|
)
|
|
|
|
logger.info("Cleaning up Alice's files...")
|
|
await alice_mcp_client.call_tool(
|
|
"nc_webdav_delete_resource", arguments={"path": alice_file}
|
|
)
|
|
await alice_mcp_client.call_tool(
|
|
"nc_webdav_delete_resource", arguments={"path": shared_file}
|
|
)
|
|
|
|
logger.info("Cleaning up Bob's files...")
|
|
await bob_mcp_client.call_tool(
|
|
"nc_webdav_delete_resource", arguments={"path": bob_file}
|
|
)
|
|
|
|
|
|
async def test_folder_share_permissions(alice_mcp_client, bob_mcp_client):
|
|
"""
|
|
Test that folder sharing works correctly.
|
|
|
|
Scenario:
|
|
1. Alice creates a folder via MCP
|
|
2. Alice creates files in the folder via MCP
|
|
3. Alice shares the folder with Bob via MCP
|
|
4. Bob can access files in the shared folder via MCP
|
|
"""
|
|
folder_path = "/alice_shared_folder"
|
|
file_in_folder = f"{folder_path}/document.txt"
|
|
file_content = "This is a document in Alice's shared folder"
|
|
|
|
# Alice creates folder
|
|
logger.info(f"Alice creating folder: {folder_path}")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_webdav_create_directory", arguments={"path": folder_path}
|
|
)
|
|
assert not result.isError, f"Alice failed to create folder: {result.content}"
|
|
|
|
# Alice creates file in folder
|
|
logger.info(f"Alice creating file in folder: {file_in_folder}")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_webdav_write_file",
|
|
arguments={"path": file_in_folder, "content": file_content},
|
|
)
|
|
assert not result.isError, f"Alice failed to create file: {result.content}"
|
|
|
|
share_id = None
|
|
|
|
try:
|
|
# Alice shares the folder with Bob
|
|
logger.info("Alice sharing folder with Bob...")
|
|
result = await alice_mcp_client.call_tool(
|
|
"nc_share_create",
|
|
arguments={
|
|
"path": folder_path,
|
|
"share_with": "bob",
|
|
"share_type": 0,
|
|
"permissions": 1,
|
|
},
|
|
)
|
|
assert not result.isError, f"Alice failed to create share: {result.content}"
|
|
share_data = json.loads(result.content[0].text)
|
|
share_id = share_data["id"]
|
|
logger.info(f"Created folder share {share_id}")
|
|
|
|
# Test: Bob lists the shared folder
|
|
logger.info("Bob attempting to list shared folder via MCP...")
|
|
result = await bob_mcp_client.call_tool(
|
|
"nc_webdav_list_directory", arguments={"path": folder_path}
|
|
)
|
|
|
|
if not result.isError:
|
|
response_data = json.loads(result.content[0].text)
|
|
# Extract files from DirectoryListing response
|
|
files = response_data.get("files", [])
|
|
logger.info(f"Bob can see {len(files)} files in shared folder")
|
|
|
|
# Bob should see the file in the shared folder
|
|
file_names = [f["name"] for f in files]
|
|
assert "document.txt" in file_names, (
|
|
"Bob should see the file in shared folder"
|
|
)
|
|
else:
|
|
logger.warning(f"Bob could not list shared folder: {result.content}")
|
|
|
|
# Test: Bob reads the file in the shared folder
|
|
logger.info("Bob attempting to read file in shared folder via MCP...")
|
|
result = await bob_mcp_client.call_tool(
|
|
"nc_webdav_read_file", arguments={"path": file_in_folder}
|
|
)
|
|
|
|
if not result.isError:
|
|
response_data = json.loads(result.content[0].text)
|
|
logger.info("Bob successfully read file in shared folder")
|
|
assert "content" in response_data
|
|
assert file_content in response_data["content"]
|
|
else:
|
|
logger.warning(
|
|
f"Bob could not read file in shared folder: {result.content}"
|
|
)
|
|
|
|
finally:
|
|
# Cleanup - Alice deletes the share and folder
|
|
if share_id:
|
|
logger.info(f"Alice deleting share {share_id}")
|
|
await alice_mcp_client.call_tool(
|
|
"nc_share_delete", arguments={"share_id": share_id}
|
|
)
|
|
|
|
logger.info("Alice cleaning up test folder...")
|
|
await alice_mcp_client.call_tool(
|
|
"nc_webdav_delete_resource", arguments={"path": folder_path}
|
|
)
|