auth: Implement `create_resource` function

* gn3/auth/authentication/checks.py: new `authenticated_p` decorator to apply
  on any function that requires the user to be authenticated before it runs.
* gn3/auth/authorisation/checks.py: use a `auth.authentication.users.User`
  object rather than a UUID object in the global `g`.
* gn3/auth/authorisation/groups.py: Implement the `authenticated_user_group`
  function to get the group(s) in which the currently authenticated user
  belongs.
* gn3/auth/authorisation/resources.py: Implement the `create_resource`
  function correctly.
* tests/unit/auth/conftest.py: extract the User objects into a global variable
  for reusability with the tests.
* tests/unit/auth/test_resources.py: Use global user objects from conftest in
  the tests. Set a User object (rather than UUID) in the global `g` variable.

4 files changed, 65 insertions, 7 deletions

diff --git a/gn3/auth/authentication/checks.py b/gn3/auth/authentication/checks.py
new file mode 100644
index 0000000..63b0752
--- /dev/null
+++ b/gn3/auth/authentication/checks.py
@@ -0,0 +1,14 @@
+"""Functions to check for user authentication."""
+
+from flask import g
+
+from .exceptions import AuthenticationError
+
+def authenticated_p(func):
+    """Decorator for functions requiring authentication."""
+    def __authenticated__(*args, **kwargs):
+        user = g.user if hasattr(g, "user") else False
+        if user:
+            return func(*args, **kwargs)
+        raise AuthenticationError("You need to be authenticated")
+    return __authenticated__
diff --git a/gn3/auth/authorisation/checks.py b/gn3/auth/authorisation/checks.py
index 3181655..dd041fe 100644
--- a/gn3/auth/authorisation/checks.py
+++ b/gn3/auth/authorisation/checks.py
@@ -16,11 +16,11 @@ def authorised_p(
     def __build_authoriser__(func: Callable):
         @wraps(func)
         def __authoriser__(*args, **kwargs):
-            if hasattr(g, "user_id") and g.user_id:
+            if hasattr(g, "user") and g.user:
                 with db.connection(app.config["AUTH_DB"]) as conn:
                     user_privileges = tuple(
                         priv.privilege_name for priv in
-                        auth_privs.user_privileges(conn, g.user_id))
+                        auth_privs.user_privileges(conn, g.user))
 
                 not_assigned = [
                     priv for priv in privileges if priv not in user_privileges]
diff --git a/gn3/auth/authorisation/groups.py b/gn3/auth/authorisation/groups.py
index 7597a04..ac80089 100644
--- a/gn3/auth/authorisation/groups.py
+++ b/gn3/auth/authorisation/groups.py
@@ -2,12 +2,16 @@
 from uuid import UUID, uuid4
 from typing import Sequence, Iterable, NamedTuple
 
+from flask import g
+from pymonad.maybe import Just, Maybe, Nothing
+
 from gn3.auth import db
 from gn3.auth.authentication.users import User
+from gn3.auth.authentication.checks import authenticated_p
 
+from .checks import authorised_p
 from .privileges import Privilege
 from .roles import Role, create_role
-from .checks import authorised_p
 
 class Group(NamedTuple):
     """Class representing a group."""
@@ -75,3 +79,27 @@ def create_group_role(
             (str(group_role_id), str(group.group_id), str(role.role_id)))
 
     return GroupRole(group_role_id, role)
+
+@authenticated_p
+def authenticated_user_group(conn) -> Maybe:
+    """
+    Returns the currently authenticated user's group.
+
+    Look into returning a Maybe object.
+    """
+    user = g.user
+    with db.cursor(conn) as cursor:
+        cursor.execute(
+            ("SELECT groups.group_id, groups.group_name FROM group_users "
+             "INNER JOIN groups ON group_users.group_id=groups.group_id "
+             "WHERE group_users.user_id = ?"),
+            (str(user.user_id),))
+        groups = tuple(Group(UUID(row[0]), row[1]) for row in cursor.fetchall())
+
+    if len(groups) > 1:
+        raise MembershipError(user, groups)
+
+    if len(groups) == 1:
+        return Just(groups[0])
+
+    return Nothing
diff --git a/gn3/auth/authorisation/resources.py b/gn3/auth/authorisation/resources.py
index d01c435..f0a4b3a 100644
--- a/gn3/auth/authorisation/resources.py
+++ b/gn3/auth/authorisation/resources.py
@@ -1,10 +1,14 @@
 """Handle the management of resources."""
-from uuid import UUID
+from uuid import UUID, uuid4
 from typing import NamedTuple
 
 from gn3.auth import db
-from .groups import Group
 from .checks import authorised_p
+from .exceptions import AuthorisationError
+from .groups import Group, authenticated_user_group
+
+class MissingGroupError(AuthorisationError):
+    """Raised for any resource operation without a group."""
 
 class ResourceCategory(NamedTuple):
     """Class representing a resource category."""
@@ -22,6 +26,18 @@ class Resource(NamedTuple):
 @authorised_p(("create-resource",),  error_message="Could not create resource")
 def create_resource(
         conn: db.DbConnection, resource_name: str,
-        resource_category: ResourceCategory):
+        resource_category: ResourceCategory) -> Resource:
     """Create a resource item."""
-    return tuple()
+    with db.cursor(conn) as cursor:
+        group = authenticated_user_group(conn).maybe(False, lambda val: val)
+        if not group:
+            raise MissingGroupError(
+                "User with no group cannot create a resource.")
+        resource = Resource(group, uuid4(), resource_name, resource_category)
+        cursor.execute(
+            ("INSERT INTO resources VALUES (?, ?, ?, ?)"),
+            (str(resource.group.group_id), str(resource.resource_id),
+             resource_name,
+             str(resource.resource_category.resource_category_id)))
+
+    return resource