diff options
-rw-r--r-- | gn_auth/auth/authorisation/roles/models.py | 68 | ||||
-rw-r--r-- | tests/unit/auth/fixtures/group_fixtures.py | 7 | ||||
-rw-r--r-- | tests/unit/auth/fixtures/migration_fixtures.py | 5 | ||||
-rw-r--r-- | tests/unit/auth/test_roles.py | 129 |
4 files changed, 130 insertions, 79 deletions
diff --git a/gn_auth/auth/authorisation/roles/models.py b/gn_auth/auth/authorisation/roles/models.py index 579c9dc..206b05e 100644 --- a/gn_auth/auth/authorisation/roles/models.py +++ b/gn_auth/auth/authorisation/roles/models.py @@ -64,43 +64,51 @@ def create_role( return role -def __organise_privileges__(roles_dict, privilege_row): - """Organise the privileges into their roles.""" - role_id_str = privilege_row["role_id"] - if role_id_str in roles_dict: - return { - **roles_dict, - role_id_str: Role( - UUID(role_id_str), - privilege_row["role_name"], - bool(int(privilege_row["user_editable"])), - roles_dict[role_id_str].privileges + ( - Privilege(privilege_row["privilege_id"], - privilege_row["privilege_description"]),)) - } - +def __organise_privileges__(resources, row) -> dict: + resource_id = UUID(row["resource_id"]) + role_id = UUID(row["role_id"]) + roles = resources.get(resource_id, {}).get("roles", {}) + role = roles.get(role_id, Role( + role_id, + row["role_name"], + bool(int(row["user_editable"])), + tuple())) return { - **roles_dict, - role_id_str: Role( - UUID(role_id_str), - privilege_row["role_name"], - bool(int(privilege_row["user_editable"])), - (Privilege(privilege_row["privilege_id"], - privilege_row["privilege_description"]),)) + **resources, + resource_id: { + "resource_id": resource_id, + "user_id": UUID(row["user_id"]), + "roles": { + **roles, + role_id: Role( + role.role_id, + role.role_name, + role.user_editable, + role.privileges + (Privilege( + row["privilege_id"], + row["privilege_description"]),) + ) + } + } } -def user_roles(conn: db.DbConnection, user: User) -> Sequence[Role]: - """Retrieve non-resource roles assigned to the user.""" +def user_roles(conn: db.DbConnection, user: User) -> Sequence[dict]: + """Retrieve all roles (organised by resource) assigned to the user.""" with db.cursor(conn) as cursor: + cursor.execute("SELECT * FROM user_roles") cursor.execute( - "SELECT r.*, p.* FROM user_roles AS ur INNER JOIN roles AS r " - "ON ur.role_id=r.role_id INNER JOIN role_privileges AS rp " - "ON r.role_id=rp.role_id INNER JOIN privileges AS p " - "ON rp.privilege_id=p.privilege_id WHERE ur.user_id=?", + "SELECT ur.resource_id, ur.user_id, r.*, p.* " + "FROM user_roles AS ur " + "INNER JOIN roles AS r ON ur.role_id=r.role_id " + "INNER JOIN role_privileges AS rp ON r.role_id=rp.role_id " + "INNER JOIN privileges AS p ON rp.privilege_id=p.privilege_id " + "WHERE ur.user_id=?", (str(user.user_id),)) - return tuple( - reduce(__organise_privileges__, cursor.fetchall(), {}).values()) + return tuple({ + **row, "roles": tuple(row["roles"].values()) + } for row in reduce( + __organise_privileges__, cursor.fetchall(), {}).values()) return tuple() def user_role(conn: db.DbConnection, user: User, role_id: UUID) -> Either: diff --git a/tests/unit/auth/fixtures/group_fixtures.py b/tests/unit/auth/fixtures/group_fixtures.py index 66edf5e..93133d2 100644 --- a/tests/unit/auth/fixtures/group_fixtures.py +++ b/tests/unit/auth/fixtures/group_fixtures.py @@ -21,11 +21,14 @@ GROUP_CATEGORY = ResourceCategory( "A group resource.") GROUPS_AS_RESOURCES = tuple({ "group_id": str(group.group_id), - "resource_id": str(uuid.uuid4()), + "resource_id": res_id, "resource_name": group.group_name, "category_id": str(GROUP_CATEGORY.resource_category_id), "public": "1" -} for group in TEST_GROUPS) +} for res_id, group in zip( + ("38d1807d-105f-44a7-8327-7e2d973b6d8d", + "89458ef6-e090-4b53-8c2c-59eaf2785f11"), + TEST_GROUPS)) TEST_RESOURCES_GROUP_01 = ( Resource(uuid.UUID("26ad1668-29f5-439d-b905-84d551f85955"), diff --git a/tests/unit/auth/fixtures/migration_fixtures.py b/tests/unit/auth/fixtures/migration_fixtures.py index 16a31cd..954b5a9 100644 --- a/tests/unit/auth/fixtures/migration_fixtures.py +++ b/tests/unit/auth/fixtures/migration_fixtures.py @@ -40,6 +40,11 @@ def conn_after_auth_migrations(backend, auth_testdb_path, all_migrations): # pyl """Run all migrations and return a connection to the database after""" apply_migrations(backend, all_migrations) with db.connection(auth_testdb_path) as conn: + with db.cursor(conn) as cursor: + cursor.execute( + "UPDATE resources " + "SET resource_id='0248b289-b277-4eaa-8c94-88a434d14b6e' " + "WHERE resource_name='GeneNetwork System'") yield conn rollback_migrations(backend, all_migrations) diff --git a/tests/unit/auth/test_roles.py b/tests/unit/auth/test_roles.py index 227cb9e..6c8dbae 100644 --- a/tests/unit/auth/test_roles.py +++ b/tests/unit/auth/test_roles.py @@ -64,53 +64,88 @@ def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[ @pytest.mark.parametrize( "user,expected", (zip(TEST_USERS, - ((Role( - role_id=uuid.UUID('a0e67630-d502-4b9f-b23f-6805d0f30e30'), - role_name='group-leader', user_editable=False, - privileges=( - Privilege(privilege_id='group:resource:create-resource', - privilege_description='Create a resource object'), - Privilege(privilege_id='group:resource:delete-resource', - privilege_description='Delete a resource'), - Privilege(privilege_id='group:resource:edit-resource', - privilege_description='edit/update a resource'), - Privilege( - privilege_id='group:resource:view-resource', - privilege_description=( - 'view a resource and use it in computations')), - Privilege(privilege_id='group:role:create-role', - privilege_description='Create a new role'), - Privilege(privilege_id='group:role:delete-role', - privilege_description='Delete an existing role'), - Privilege(privilege_id='group:role:edit-role', - privilege_description='edit/update an existing role'), - Privilege(privilege_id='group:user:add-group-member', - privilege_description='Add a user to a group'), - Privilege(privilege_id='group:user:assign-role', - privilege_description=( - 'Assign a role to an existing user')), - Privilege(privilege_id='group:user:remove-group-member', - privilege_description='Remove a user from a group'), - Privilege(privilege_id='system:group:delete-group', - privilege_description='Delete a group'), - Privilege(privilege_id='system:group:edit-group', - privilege_description='Edit the details of a group'), - Privilege( - privilege_id='system:group:transfer-group-leader', - privilege_description=( - 'Transfer leadership of the group to some other ' - 'member')), - Privilege(privilege_id='system:group:view-group', - privilege_description='View the details of a group'), - Privilege(privilege_id='system:user:list', - privilege_description='List users in the system'))), - Role( - role_id=uuid.UUID("ade7e6b0-ba9c-4b51-87d0-2af7fe39a347"), - role_name="group-creator", user_editable=False, - privileges=( - Privilege(privilege_id='system:group:create-group', - privilege_description = "Create a group"),))), - tuple(), tuple(), tuple())))) + (({"resource_id": uuid.UUID("38d1807d-105f-44a7-8327-7e2d973b6d8d"), + "user_id": uuid.UUID("ecb52977-3004-469e-9428-2a1856725c7f"), + "roles": (Role( + role_id=uuid.UUID('a0e67630-d502-4b9f-b23f-6805d0f30e30'), + role_name='group-leader', user_editable=False, + privileges=( + Privilege( + privilege_id='group:resource:create-resource', + privilege_description='Create a resource object'), + Privilege( + privilege_id='group:resource:delete-resource', + privilege_description='Delete a resource'), + Privilege( + privilege_id='group:resource:edit-resource', + privilege_description='edit/update a resource'), + Privilege( + privilege_id='group:resource:view-resource', + privilege_description=( + 'view a resource and use it in computations')), + Privilege( + privilege_id='group:role:create-role', + privilege_description='Create a new role'), + Privilege( + privilege_id='group:role:delete-role', + privilege_description='Delete an existing role'), + Privilege( + privilege_id='group:role:edit-role', + privilege_description='edit/update an existing role'), + Privilege( + privilege_id='group:user:add-group-member', + privilege_description='Add a user to a group'), + Privilege( + privilege_id='group:user:assign-role', + privilege_description=( + 'Assign a role to an existing user')), + Privilege( + privilege_id='group:user:remove-group-member', + privilege_description='Remove a user from a group'), + Privilege( + privilege_id='system:group:delete-group', + privilege_description='Delete a group'), + Privilege( + privilege_id='system:group:edit-group', + privilege_description='Edit the details of a group'), + Privilege( + privilege_id='system:group:transfer-group-leader', + privilege_description=( + 'Transfer leadership of the group to some other ' + 'member')), + Privilege( + privilege_id='system:group:view-group', + privilege_description='View the details of a group'), + Privilege( + privilege_id='system:user:list', + privilege_description='List users in the system'))),) + }, + { + "resource_id": uuid.UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"), + "user_id": uuid.UUID("ecb52977-3004-469e-9428-2a1856725c7f"), + "roles": (Role( + role_id=uuid.UUID("ade7e6b0-ba9c-4b51-87d0-2af7fe39a347"), + role_name="group-creator", + user_editable=False, + privileges=( + Privilege( + privilege_id="system:group:create-group", + privilege_description="Create a group"),)),)}), + ({"resource_id": uuid.UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"), + "user_id": uuid.UUID("21351b66-8aad-475b-84ac-53ce528451e3"), + "roles": (Role( + role_id=uuid.UUID('89819f84-6346-488b-8955-86062e9eedb7'), + role_name='resource_editor', + user_editable=True, + privileges=( + Privilege( + privilege_id='group:resource:edit-resource', + privilege_description='edit/update a resource'), + Privilege( + privilege_id='group:resource:view-resource', + privilege_description='view a resource and use it in computations'))),)},), + tuple(), + tuple())))) def test_user_roles(fxtr_group_user_roles, user, expected): """ GIVEN: an authenticated user |