aboutsummaryrefslogtreecommitdiff
path: root/tests/unit/auth
diff options
context:
space:
mode:
authorFrederick Muriuki Muriithi2024-06-18 12:38:29 -0500
committerFrederick Muriuki Muriithi2024-06-18 12:38:29 -0500
commit8e460b05da4d419aa1b53b1c639d3e370143de4f (patch)
treecbf9975e205f00912566334cf80ab3e9f6014e86 /tests/unit/auth
parentb515884aedac388a3899baaa0ca70af2f66773d4 (diff)
downloadgn-auth-8e460b05da4d419aa1b53b1c639d3e370143de4f.tar.gz
Update tests for new paradigm
* Create a jwt token generator in place of a static token * Update some fixtures * Skip some tests that will require more work to fix
Diffstat (limited to 'tests/unit/auth')
-rw-r--r--tests/unit/auth/conftest.py30
-rw-r--r--tests/unit/auth/fixtures/group_fixtures.py37
-rw-r--r--tests/unit/auth/fixtures/resource_fixtures.py31
-rw-r--r--tests/unit/auth/test_groups.py52
-rw-r--r--tests/unit/auth/test_privileges.py7
-rw-r--r--tests/unit/auth/test_resources.py23
-rw-r--r--tests/unit/auth/test_roles.py38
7 files changed, 134 insertions, 84 deletions
diff --git a/tests/unit/auth/conftest.py b/tests/unit/auth/conftest.py
index 7f9d42d..fa86a4c 100644
--- a/tests/unit/auth/conftest.py
+++ b/tests/unit/auth/conftest.py
@@ -4,19 +4,41 @@ import datetime
from contextlib import contextmanager
from gn_auth.auth.authentication.oauth2.models.oauth2token import OAuth2Token
+from gn_auth.auth.authentication.oauth2.grants.jwt_bearer_grant import JWTBearerTokenGenerator
from .fixtures import * # pylint: disable=[wildcard-import,unused-wildcard-import]
-def get_tokeniser(user):
+SECRET_KEY = "this is the test secret key"
+SCOPE = "profile group role resource register-client"
+
+def _tokengenerator(user, client):
+ """Generate a JWT token for tests"""
+ _generator = JWTBearerTokenGenerator(
+ secret_key=SECRET_KEY,
+ alg="HS256")
+ return _generator(
+ grant_type="urn:ietf:params:oauth:grant-type:jwt-bearer",
+ client=client,
+ user=user,
+ scope=SCOPE,
+ expires_in=3600,
+ include_refresh_token=False)
+
+def get_tokeniser(user, client):
"""Get contextmanager for mocking token acquisition."""
@contextmanager
def __token__(*args, **kwargs):# pylint: disable=[unused-argument]
yield {
usr.user_id: OAuth2Token(
token_id=uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
- client=None, token_type="Bearer", access_token="123456ABCDE",
- refresh_token=None, revoked=False, expires_in=864000,
- user=usr, issued_at=int(datetime.datetime.now().timestamp()),
+ client=client,
+ token_type="Bearer",
+ access_token=_tokengenerator(user, client),
+ refresh_token=None,
+ revoked=False,
+ expires_in=864000,
+ user=usr,
+ issued_at=int(datetime.datetime.now().timestamp()),
scope="profile group role resource register-client")
for usr in TEST_USERS
}[user.user_id]
diff --git a/tests/unit/auth/fixtures/group_fixtures.py b/tests/unit/auth/fixtures/group_fixtures.py
index 79683c0..8ddcf50 100644
--- a/tests/unit/auth/fixtures/group_fixtures.py
+++ b/tests/unit/auth/fixtures/group_fixtures.py
@@ -4,10 +4,10 @@ import uuid
import pytest
from gn_auth.auth.db import sqlite3 as db
-from gn_auth.auth.authorisation.resources.groups import Group, GroupRole
+from gn_auth.auth.authorisation.resources.groups import Group
from gn_auth.auth.authorisation.resources import Resource, ResourceCategory
-from .role_fixtures import RESOURCE_EDITOR_ROLE, RESOURCE_READER_ROLE
+from .role_fixtures import RESOURCE_EDITOR_ROLE
TEST_GROUP_01 = Group(uuid.UUID("9988c21d-f02f-4d45-8966-22c968ac2fbf"),
"TheTestGroup", {})
@@ -135,38 +135,13 @@ def fxtr_users_in_group(fxtr_group, fxtr_users):# pylint: disable=[redefined-out
"DELETE FROM group_users WHERE group_id=? AND user_id=?",
query_params)
-@pytest.fixture(scope="function")
-def fxtr_group_roles(fxtr_group, fxtr_roles):# pylint: disable=[redefined-outer-name,unused-argument]
- """Link roles to group"""
- group_roles = (
- GroupRole(uuid.UUID("9c25efb2-b477-4918-a95c-9914770cbf4d"),
- TEST_GROUP_01, RESOURCE_EDITOR_ROLE),
- GroupRole(uuid.UUID("82aed039-fe2f-408c-ab1e-81cd1ba96630"),
- TEST_GROUP_02, RESOURCE_READER_ROLE))
- conn, groups = fxtr_group
- with db.cursor(conn) as cursor:
- cursor.executemany(
- "INSERT INTO group_roles VALUES (?, ?, ?)",
- ((str(role.group_role_id), str(role.group.group_id),
- str(role.role.role_id))
- for role in group_roles))
-
- yield conn, groups, group_roles
-
- with db.cursor(conn) as cursor:
- cursor.executemany(
- ("DELETE FROM group_roles "
- "WHERE group_role_id=? AND group_id=? AND role_id=?"),
- ((str(role.group_role_id), str(role.group.group_id),
- str(role.role.role_id))
- for role in group_roles))
@pytest.fixture(scope="function")
-def fxtr_group_user_roles(fxtr_resources, fxtr_group_roles, fxtr_users_in_group):#pylint: disable=[redefined-outer-name,unused-argument]
+def fxtr_group_user_roles(fxtr_users_in_group, fxtr_resources, fxtr_resource_roles):#pylint: disable=[redefined-outer-name,unused-argument]
"""Assign roles to users."""
- conn, _groups, group_roles = fxtr_group_roles
- _conn, group_resources = fxtr_resources
_conn, _group, group_users = fxtr_users_in_group
+ _conn, group_resources = fxtr_resources
+ conn, _groups, resource_roles = fxtr_resource_roles
users = tuple(user for user in group_users if user.email
not in ("unaff@iliated.user", "group@lead.er"))
users_roles_resources = (
@@ -183,7 +158,7 @@ def fxtr_group_user_roles(fxtr_resources, fxtr_group_roles, fxtr_users_in_group)
"VALUES (:user_id, :role_id, :resource_id)"),
params)
- yield conn, group_users, group_roles, group_resources
+ yield conn, group_users, resource_roles, group_resources
with db.cursor(conn) as cursor:
cursor.executemany(
diff --git a/tests/unit/auth/fixtures/resource_fixtures.py b/tests/unit/auth/fixtures/resource_fixtures.py
index 7f3c383..37397d2 100644
--- a/tests/unit/auth/fixtures/resource_fixtures.py
+++ b/tests/unit/auth/fixtures/resource_fixtures.py
@@ -3,6 +3,7 @@ import pytest
from gn_auth.auth.db import sqlite3 as db
+from .role_fixtures import RESOURCE_EDITOR_ROLE, RESOURCE_READER_ROLE
from .group_fixtures import (
TEST_RESOURCES,
TEST_GROUP_01,
@@ -43,3 +44,33 @@ def fxtr_resources(fxtr_group):# pylint: disable=[redefined-outer-name]
cursor.executemany("DELETE FROM resources WHERE resource_id=?",
((str(res.resource_id),)
for res in TEST_RESOURCES))
+
+
+@pytest.fixture(scope="function")
+def fxtr_resource_roles(fxtr_group, fxtr_resources, fxtr_roles):# pylint: disable=[redefined-outer-name,unused-argument]
+ """Link roles to resources."""
+ resource_roles = ({
+ "resource_id": str(TEST_RESOURCES_GROUP_01[0].resource_id),
+ "role_created_by": "ecb52977-3004-469e-9428-2a1856725c7f",
+ "role_id": str(RESOURCE_EDITOR_ROLE.role_id)
+ },{
+ "resource_id": str(TEST_RESOURCES_GROUP_01[0].resource_id),
+ "role_created_by": "ecb52977-3004-469e-9428-2a1856725c7f",
+ "role_id": str(RESOURCE_READER_ROLE.role_id)
+ })
+ conn, groups = fxtr_group
+ with db.cursor(conn) as cursor:
+ cursor.executemany(
+ "INSERT INTO resource_roles(resource_id, role_created_by, role_id) "
+ "VALUES (:resource_id, :role_created_by, :role_id)",
+ resource_roles)
+
+ yield conn, groups, resource_roles
+
+ with db.cursor(conn) as cursor:
+ cursor.executemany(
+ ("DELETE FROM resource_roles "
+ "WHERE resource_id=:resource_id "
+ "AND role_created_by=:role_created_by "
+ "AND role_id=:role_id"),
+ resource_roles)
diff --git a/tests/unit/auth/test_groups.py b/tests/unit/auth/test_groups.py
index c9d8b19..2960fe1 100644
--- a/tests/unit/auth/test_groups.py
+++ b/tests/unit/auth/test_groups.py
@@ -36,16 +36,20 @@ PRIVILEGES = (
create_group_failure, create_group_failure, create_group_failure,
create_group_failure))))
def test_create_group(# pylint: disable=[too-many-arguments]
- fxtr_app, auth_testdb_path, mocker, fxtr_users, user, expected):# pylint: disable=[unused-argument]
+ fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients, user, expected):# pylint: disable=[unused-argument]
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a group
THEN: verify they are only able to create the group if they have the
appropriate privileges
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
with db.connection(auth_testdb_path) as conn:
assert create_group(
conn, "a_test_group", user, "A test group") == expected
@@ -53,15 +57,19 @@ def test_create_group(# pylint: disable=[too-many-arguments]
@pytest.mark.unit_test
@pytest.mark.parametrize("user", conftest.TEST_USERS[1:])
def test_create_group_raises_exception_with_non_privileged_user(# pylint: disable=[too-many-arguments]
- fxtr_app, auth_testdb_path, mocker, fxtr_users, user):# pylint: disable=[unused-argument]
+ fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients, user):# pylint: disable=[unused-argument]
"""
GIVEN: an authenticated user, without appropriate privileges
WHEN: the user attempts to create a group
THEN: verify the system raises an exception
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
with db.connection(auth_testdb_path) as conn:
with pytest.raises(AuthorisationError):
assert create_group(conn, "a_test_group", user, "A test group")
@@ -71,6 +79,8 @@ create_role_failure = {
"message": "Unauthorised: Could not create the group role"
}
+@pytest.mark.skip("Keep as placeholder until we implement test for creating "
+ "a resource role.")
@pytest.mark.unit_test
@pytest.mark.parametrize(
"user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
@@ -79,17 +89,21 @@ create_role_failure = {
GROUP,
Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
"ResourceEditor", True, PRIVILEGES)),))))
-def test_create_group_role(mocker, fxtr_users_in_group, user, expected):
+def test_create_group_role(mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a role, attached to a group
THEN: verify they are only able to create the role if they have the
appropriate privileges and that the role is attached to the given group
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
conn, _group, _users = fxtr_users_in_group
with db.cursor(conn) as cursor:
assert create_group_role(
@@ -105,24 +119,28 @@ def test_create_group_role(mocker, fxtr_users_in_group, user, expected):
"user,expected", tuple(zip(conftest.TEST_USERS[1:], (
create_role_failure, create_role_failure, create_role_failure))))
def test_create_group_role_raises_exception_with_unauthorised_users(
- mocker, fxtr_users_in_group, user, expected):
+ mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a role, attached to a group
THEN: verify they are only able to create the role if they have the
appropriate privileges and that the role is attached to the given group
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
conn, _group, _users = fxtr_users_in_group
with pytest.raises(AuthorisationError):
assert create_group_role(
conn, GROUP, "ResourceEditor", PRIVILEGES) == expected
@pytest.mark.unit_test
-def test_create_multiple_groups(mocker, fxtr_users):
+def test_create_multiple_groups(mocker, fxtr_users, fxtr_oauth2_clients):
"""
GIVEN: An authenticated user with appropriate authorisation
WHEN: The user attempts to create a new group, while being a member of an
@@ -130,12 +148,16 @@ def test_create_multiple_groups(mocker, fxtr_users):
THEN: The system should prevent that, and respond with an appropriate error
message
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
user = User(
UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "group@lead.er",
"Group Leader")
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
conn, _test_users = fxtr_users
# First time, successfully creates the group
assert create_group(conn, "a_test_group", user) == Group(
diff --git a/tests/unit/auth/test_privileges.py b/tests/unit/auth/test_privileges.py
index 0b5f120..a225369 100644
--- a/tests/unit/auth/test_privileges.py
+++ b/tests/unit/auth/test_privileges.py
@@ -25,12 +25,7 @@ PRIVILEGES = sorted(
Privilege("group:resource:view-resource",
"view a resource and use it in computations"),
Privilege("group:resource:edit-resource", "edit/update a resource"),
- Privilege("group:resource:delete-resource", "Delete a resource"),
-
- Privilege("group:role:create-role", "Create a new role"),
- Privilege("group:role:edit-role", "edit/update an existing role"),
- Privilege("group:user:assign-role", "Assign a role to an existing user"),
- Privilege("group:role:delete-role", "Delete an existing role")),
+ Privilege("group:resource:delete-resource", "Delete a resource")),
key=sort_key_privileges)
@pytest.mark.unit_test
diff --git a/tests/unit/auth/test_resources.py b/tests/unit/auth/test_resources.py
index 85641be..b842490 100644
--- a/tests/unit/auth/test_resources.py
+++ b/tests/unit/auth/test_resources.py
@@ -30,11 +30,15 @@ create_resource_failure = {
(Resource(
uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
"test_resource", resource_category, False),))))
-def test_create_resource(mocker, fxtr_users_in_group, user, expected):
+def test_create_resource(mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
"""Test that resource creation works as expected."""
mocker.patch("gn_auth.auth.authorisation.resources.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ _conn, clients = fxtr_oauth2_clients
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
conn, _group, _users = fxtr_users_in_group
resource = create_resource(
conn, "test_resource", resource_category, user, False)
@@ -49,9 +53,6 @@ def test_create_resource(mocker, fxtr_users_in_group, user, expected):
"DELETE FROM resource_ownership WHERE resource_id=?",
(str(resource.resource_id),))
cursor.execute(
- "DELETE FROM group_roles WHERE group_id=?",
- (str(group.group_id),))
- cursor.execute(
"DELETE FROM resources WHERE resource_id=?",
(str(resource.resource_id),))
@@ -63,11 +64,15 @@ def test_create_resource(mocker, fxtr_users_in_group, user, expected):
(create_resource_failure, create_resource_failure,
create_resource_failure))))
def test_create_resource_raises_for_unauthorised_users(
- mocker, fxtr_users_in_group, user, expected):
+ mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
"""Test that resource creation works as expected."""
mocker.patch("gn_auth.auth.authorisation.resources.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ _conn, clients = fxtr_oauth2_clients
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
conn, _group, _users = fxtr_users_in_group
with pytest.raises(AuthorisationError):
assert create_resource(
diff --git a/tests/unit/auth/test_roles.py b/tests/unit/auth/test_roles.py
index 00148a0..e07ee98 100644
--- a/tests/unit/auth/test_roles.py
+++ b/tests/unit/auth/test_roles.py
@@ -21,45 +21,58 @@ PRIVILEGES = (
"view a resource and use it in computations"),
Privilege("group:resource:edit-resource", "edit/update a resource"))
+
+@pytest.mark.skip("This still needs some work to actually tests for resource roles.")
@pytest.mark.unit_test
@pytest.mark.parametrize(
"user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
Role(uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_role",
True, PRIVILEGES),))))
def test_create_role(# pylint: disable=[too-many-arguments]
- fxtr_app, auth_testdb_path, mocker, fxtr_users, user, expected):# pylint: disable=[unused-argument]
+ fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients, user, expected):# pylint: disable=[unused-argument]
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a role
THEN: verify they are only able to create the role if they have the
appropriate privileges
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
the_role = create_role(cursor, "a_test_role", PRIVILEGES)
assert the_role == expected
+
@pytest.mark.unit_test
@pytest.mark.parametrize(
"user,expected", tuple(zip(conftest.TEST_USERS[1:], (
create_role_failure, create_role_failure, create_role_failure))))
def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments]
- fxtr_app, auth_testdb_path, mocker, fxtr_users, user, expected):# pylint: disable=[unused-argument]
+ fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients, user, expected):# pylint: disable=[unused-argument]
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a role
THEN: verify they are only able to create the role if they have the
appropriate privileges
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
with pytest.raises(AuthorisationError):
create_role(cursor, "a_test_role", PRIVILEGES)
+
+# This might still be incomplete, especially regarding resource roles.
@pytest.mark.unit_test
@pytest.mark.parametrize(
"user,expected",
@@ -84,22 +97,9 @@ def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[
privilege_description=(
'view a resource and use it in computations')),
Privilege(
- privilege_id='group:role:create-role',
- privilege_description='Create a new role'),
- Privilege(
- privilege_id='group:role:delete-role',
- privilege_description='Delete an existing role'),
- Privilege(
- privilege_id='group:role:edit-role',
- privilege_description='edit/update an existing role'),
- Privilege(
privilege_id='group:user:add-group-member',
privilege_description='Add a user to a group'),
Privilege(
- privilege_id='group:user:assign-role',
- privilege_description=(
- 'Assign a role to an existing user')),
- Privilege(
privilege_id='group:user:remove-group-member',
privilege_description='Remove a user from a group'),
Privilege(