aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--gn3/auth/authorisation/groups.py5
-rw-r--r--gn3/auth/authorisation/privileges.py5
-rw-r--r--gn3/auth/authorisation/roles.py2
-rw-r--r--tests/unit/auth/test_groups.py48
-rw-r--r--tests/unit/auth/test_privileges.py16
-rw-r--r--tests/unit/auth/test_roles.py19
6 files changed, 48 insertions, 47 deletions
diff --git a/gn3/auth/authorisation/groups.py b/gn3/auth/authorisation/groups.py
index ac80089..6496e87 100644
--- a/gn3/auth/authorisation/groups.py
+++ b/gn3/auth/authorisation/groups.py
@@ -12,6 +12,7 @@ from gn3.auth.authentication.checks import authenticated_p
from .checks import authorised_p
from .privileges import Privilege
from .roles import Role, create_role
+from .exceptions import AuthorisationError
class Group(NamedTuple):
"""Class representing a group."""
@@ -23,7 +24,7 @@ class GroupRole(NamedTuple):
group_role_id: UUID
role: Role
-class MembershipError(Exception):
+class MembershipError(AuthorisationError):
"""Raised when there is an error with a user's membership to a group."""
def __init__(self, user: User, groups: Sequence[Group]):
@@ -46,6 +47,7 @@ def user_membership(conn: db.DbConnection, user: User) -> Sequence[Group]:
return groups
+@authenticated_p
@authorised_p(("create-group",), error_message="Failed to create group.")
def create_group(conn: db.DbConnection, group_name: str,
group_leader: User) -> Group:
@@ -65,6 +67,7 @@ def create_group(conn: db.DbConnection, group_name: str,
return group
+@authenticated_p
@authorised_p(("create-role",), error_message="Could not create the group role")
def create_group_role(
conn: db.DbConnection, group: Group, role_name: str,
diff --git a/gn3/auth/authorisation/privileges.py b/gn3/auth/authorisation/privileges.py
index 09439ad..9e66bda 100644
--- a/gn3/auth/authorisation/privileges.py
+++ b/gn3/auth/authorisation/privileges.py
@@ -3,13 +3,14 @@ from uuid import UUID
from typing import Iterable, NamedTuple
from gn3.auth import db
+from gn3.auth.authentication.users import User
class Privilege(NamedTuple):
"""Class representing a privilege: creates immutable objects."""
privilege_id: UUID
privilege_name: str
-def user_privileges(conn: db.DbConnection, user_id: UUID) -> Iterable[Privilege]:
+def user_privileges(conn: db.DbConnection, user: User) -> Iterable[Privilege]:
"""Fetch the user's privileges from the database."""
with db.cursor(conn) as cursor:
cursor.execute(
@@ -18,7 +19,7 @@ def user_privileges(conn: db.DbConnection, user_id: UUID) -> Iterable[Privilege]
"INNER JOIN role_privileges AS rp ON ur.role_id=rp.role_id "
"INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id "
"WHERE ur.user_id=?"),
- (str(user_id),))
+ (str(user.user_id),))
results = cursor.fetchall()
return (Privilege(UUID(row[0]), row[1]) for row in results)
diff --git a/gn3/auth/authorisation/roles.py b/gn3/auth/authorisation/roles.py
index 8435c40..397ad80 100644
--- a/gn3/auth/authorisation/roles.py
+++ b/gn3/auth/authorisation/roles.py
@@ -3,6 +3,7 @@ from uuid import UUID, uuid4
from typing import Iterable, NamedTuple
from gn3.auth import db
+from gn3.auth.authentication.checks import authenticated_p
from .checks import authorised_p
from .privileges import Privilege
@@ -13,6 +14,7 @@ class Role(NamedTuple):
role_name: str
privileges: Iterable[Privilege]
+@authenticated_p
@authorised_p(("create-role",), error_message="Could not create role")
def create_role(
cursor: db.DbCursor, role_name: str,
diff --git a/tests/unit/auth/test_groups.py b/tests/unit/auth/test_groups.py
index 225bb59..22d90f4 100644
--- a/tests/unit/auth/test_groups.py
+++ b/tests/unit/auth/test_groups.py
@@ -10,6 +10,8 @@ from gn3.auth.authorisation.privileges import Privilege
from gn3.auth.authorisation.groups import (
Group, GroupRole, create_group, MembershipError, create_group_role)
+from tests.unit.auth import conftest
+
create_group_failure = {
"status": "error",
"message": "Unauthorised: Failed to create group."
@@ -26,15 +28,13 @@ PRIVILEGES = (
@pytest.mark.unit_test
@pytest.mark.parametrize(
- "user_id,expected", (
- ("ecb52977-3004-469e-9428-2a1856725c7f", Group(
- UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group")),
- ("21351b66-8aad-475b-84ac-53ce528451e3", create_group_failure),
- ("ae9c6245-0966-41a5-9a5e-20885a96bea7", create_group_failure),
- ("9a0c7ce5-2f40-4e78-979e-bf3527a59579", create_group_failure),
- ("e614247d-84d2-491d-a048-f80b578216cb", create_group_failure)))
+ "user,expected", tuple(zip(conftest.TEST_USERS, (
+ Group(
+ UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group"),
+ create_group_failure, create_group_failure, create_group_failure,
+ create_group_failure))))
def test_create_group(# pylint: disable=[too-many-arguments]
- test_app, auth_testdb_path, mocker, test_users, user_id, expected):# pylint: disable=[unused-argument]
+ test_app, auth_testdb_path, mocker, test_users, user, expected):# pylint: disable=[unused-argument]
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a group
@@ -43,10 +43,9 @@ def test_create_group(# pylint: disable=[too-many-arguments]
"""
mocker.patch("gn3.auth.authorisation.groups.uuid4", uuid_fn)
with test_app.app_context() as flask_context:
- flask_context.g.user_id = UUID(user_id)
+ flask_context.g.user = user
with db.connection(auth_testdb_path) as conn:
- assert create_group(conn, "a_test_group", User(
- UUID(user_id), "some@email.address", "a_test_user")) == expected
+ assert create_group(conn, "a_test_group", user) == expected
create_role_failure = {
"status": "error",
@@ -55,16 +54,14 @@ create_role_failure = {
@pytest.mark.unit_test
@pytest.mark.parametrize(
- "user_id,expected", (
- ("ecb52977-3004-469e-9428-2a1856725c7f", GroupRole(
- UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
- Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
- "ResourceEditor", PRIVILEGES))),
- ("21351b66-8aad-475b-84ac-53ce528451e3", create_role_failure),
- ("ae9c6245-0966-41a5-9a5e-20885a96bea7", create_role_failure),
- ("9a0c7ce5-2f40-4e78-979e-bf3527a59579", create_role_failure),
- ("e614247d-84d2-491d-a048-f80b578216cb", create_role_failure)))
-def test_create_group_role(mocker, test_users_in_group, test_app, user_id, expected):
+ "user,expected", tuple(zip(conftest.TEST_USERS, (
+ GroupRole(
+ UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
+ Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
+ "ResourceEditor", PRIVILEGES)),
+ create_role_failure, create_role_failure, create_role_failure,
+ create_role_failure))))
+def test_create_group_role(mocker, test_users_in_group, test_app, user, expected):
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a role, attached to a group
@@ -75,7 +72,7 @@ def test_create_group_role(mocker, test_users_in_group, test_app, user_id, expec
mocker.patch("gn3.auth.authorisation.roles.uuid4", uuid_fn)
conn, _group, _users = test_users_in_group
with test_app.app_context() as flask_context:
- flask_context.g.user_id = UUID(user_id)
+ flask_context.g.user = user
assert create_group_role(
conn, GROUP, "ResourceEditor", PRIVILEGES) == expected
@@ -89,11 +86,12 @@ def test_create_multiple_groups(mocker, test_app, test_users):
message
"""
mocker.patch("gn3.auth.authorisation.groups.uuid4", uuid_fn)
- user_id = UUID("ecb52977-3004-469e-9428-2a1856725c7f")
+ user = User(
+ UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "group@lead.er",
+ "Group Leader")
conn, _test_users = test_users
with test_app.app_context() as flask_context:
- flask_context.g.user_id = user_id
- user = User(user_id, "some@email.address", "a_test_user")
+ flask_context.g.user = user
# First time, successfully creates the group
assert create_group(conn, "a_test_group", user) == Group(
UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group")
diff --git a/tests/unit/auth/test_privileges.py b/tests/unit/auth/test_privileges.py
index 2514f9d..3586e90 100644
--- a/tests/unit/auth/test_privileges.py
+++ b/tests/unit/auth/test_privileges.py
@@ -6,6 +6,8 @@ import pytest
from gn3.auth import db
from gn3.auth.authorisation.privileges import Privilege, user_privileges
+from tests.unit.auth import conftest
+
SORT_KEY = lambda x: x.privilege_name
PRIVILEGES = sorted(
@@ -33,18 +35,14 @@ PRIVILEGES = sorted(
@pytest.mark.unit_test
@pytest.mark.parametrize(
- "user_id,expected", (
- ("ecb52977-3004-469e-9428-2a1856725c7f", PRIVILEGES),
- ("21351b66-8aad-475b-84ac-53ce528451e3", []),
- ("ae9c6245-0966-41a5-9a5e-20885a96bea7", []),
- ("9a0c7ce5-2f40-4e78-979e-bf3527a59579", []),
- ("e614247d-84d2-491d-a048-f80b578216cb", [])))
-def test_user_privileges(auth_testdb_path, test_users, user_id, expected):# pylint: disable=[unused-argument]
+ "user,expected", tuple(zip(
+ conftest.TEST_USERS, (PRIVILEGES, [], [], [], []))))
+def test_user_privileges(auth_testdb_path, test_users, user, expected):# pylint: disable=[unused-argument]
"""
- GIVEN: A user_id
+ GIVEN: A user
WHEN: An attempt is made to fetch the user's privileges
THEN: Ensure only
"""
with db.connection(auth_testdb_path) as conn:
assert sorted(
- user_privileges(conn, UUID(user_id)), key=SORT_KEY) == expected
+ user_privileges(conn, user), key=SORT_KEY) == expected
diff --git a/tests/unit/auth/test_roles.py b/tests/unit/auth/test_roles.py
index 70663b3..b6e681d 100644
--- a/tests/unit/auth/test_roles.py
+++ b/tests/unit/auth/test_roles.py
@@ -7,6 +7,8 @@ from gn3.auth import db
from gn3.auth.authorisation.privileges import Privilege
from gn3.auth.authorisation.roles import Role, create_role
+from tests.unit.auth import conftest
+
create_role_failure = {
"status": "error",
"message": "Unauthorised: Could not create role"
@@ -22,16 +24,13 @@ PRIVILEGES = (
@pytest.mark.unit_test
@pytest.mark.parametrize(
- "user_id,expected", (
- ("ecb52977-3004-469e-9428-2a1856725c7f", Role(
- uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_role",
- PRIVILEGES)),
- ("21351b66-8aad-475b-84ac-53ce528451e3", create_role_failure),
- ("ae9c6245-0966-41a5-9a5e-20885a96bea7", create_role_failure),
- ("9a0c7ce5-2f40-4e78-979e-bf3527a59579", create_role_failure),
- ("e614247d-84d2-491d-a048-f80b578216cb", create_role_failure)))
+ "user,expected", tuple(zip(conftest.TEST_USERS, (
+ Role(
+ uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_role",
+ PRIVILEGES), create_role_failure, create_role_failure,
+ create_role_failure, create_role_failure))))
def test_create_role(# pylint: disable=[too-many-arguments]
- test_app, auth_testdb_path, mocker, test_users, user_id, expected):# pylint: disable=[unused-argument]
+ test_app, auth_testdb_path, mocker, test_users, user, expected):# pylint: disable=[unused-argument]
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a role
@@ -40,7 +39,7 @@ def test_create_role(# pylint: disable=[too-many-arguments]
"""
mocker.patch("gn3.auth.authorisation.roles.uuid4", uuid_fn)
with test_app.app_context() as flask_context:
- flask_context.g.user_id = uuid.UUID(user_id)
+ flask_context.g.user = user
with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
the_role = create_role(cursor, "a_test_role", PRIVILEGES)
assert the_role == expected