diff options
Diffstat (limited to 'tests/unit/auth/test_groups.py')
| -rw-r--r-- | tests/unit/auth/test_groups.py | 151 |
1 files changed, 93 insertions, 58 deletions
diff --git a/tests/unit/auth/test_groups.py b/tests/unit/auth/test_groups.py index c9d8b19..346beb9 100644 --- a/tests/unit/auth/test_groups.py +++ b/tests/unit/auth/test_groups.py @@ -6,11 +6,9 @@ from pymonad.maybe import Nothing from gn_auth.auth.db import sqlite3 as db from gn_auth.auth.errors import AuthorisationError -from gn_auth.auth.authentication.users import User -from gn_auth.auth.authorisation.roles import Role from gn_auth.auth.authorisation.privileges import Privilege from gn_auth.auth.authorisation.resources.groups.models import ( - Group, GroupRole, user_group, create_group, create_group_role) + Group, user_group, create_group, create_group_role) from tests.unit.auth import conftest @@ -28,40 +26,96 @@ PRIVILEGES = ( Privilege("group:resource:edit-resource", "edit/update a resource")) @pytest.mark.unit_test +@pytest.mark.parametrize("user", tuple(conftest.TEST_USERS[0:3])) +def test_create_group_fails(# pylint: disable=[too-many-arguments too-many-positional-arguments] + fxtr_app, auth_testdb_path, mocker, fxtr_resource_user_roles, fxtr_oauth2_clients, user):# pylint: disable=[unused-argument] + """ + GIVEN: an authenticated user + WHEN: the user attempts to create a group + THEN: verify they are only able to create the group if they have the + appropriate privileges + """ + _conn, clients = fxtr_oauth2_clients + mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) + mocker.patch( + "gn_auth.auth.authorisation.checks.require_oauth.acquire", + conftest.get_tokeniser( + user, + tuple(client for client in clients if client.user == user)[0])) + with db.connection(auth_testdb_path) as conn: + with pytest.raises(AuthorisationError): + create_group(conn, "a_test_group", user, "A test group") + + +def __cleanup_create_group__(conn, user, group): + """Cleanup creating a group...""" + # cleanup: This should probably go into a 'delete_group(…) function' + with db.cursor(conn) as cursor: + cursor.execute("DELETE FROM group_users WHERE group_id=? AND user_id=?", + (str(group.group_id), str(user.user_id))) + cursor.execute("SELECT * FROM group_resources WHERE group_id=?", + (str(group.group_id),)) + grp_rsc = cursor.fetchone() + cursor.execute( + "DELETE FROM user_roles WHERE user_id=? AND resource_id=?", + (str(user.user_id), str(grp_rsc["resource_id"]))) + cursor.execute("DELETE FROM group_resources WHERE group_id=?", + (str(group.group_id),)) + cursor.execute("DELETE FROM groups WHERE group_id=?", + (str(group.group_id),)) + + +@pytest.mark.unit_test @pytest.mark.parametrize( - "user,expected", tuple(zip(conftest.TEST_USERS[0:1], ( - Group( - UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group", - {"group_description": "A test group"}), - create_group_failure, create_group_failure, create_group_failure, - create_group_failure)))) -def test_create_group(# pylint: disable=[too-many-arguments] - fxtr_app, auth_testdb_path, mocker, fxtr_users, user, expected):# pylint: disable=[unused-argument] + "user,expected", + ((conftest.TEST_USERS[3], Group( + UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group", + {"group_description": "A test group"})),)) +def test_create_group_succeeds(# pylint: disable=[too-many-arguments too-many-positional-arguments, unused-argument] + fxtr_app, + auth_testdb_path, + mocker, + fxtr_resource_user_roles, + fxtr_oauth2_clients, + user, + expected +): """ GIVEN: an authenticated user WHEN: the user attempts to create a group THEN: verify they are only able to create the group if they have the appropriate privileges """ + _conn, clients = fxtr_oauth2_clients mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) - mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire", - conftest.get_tokeniser(user)) + mocker.patch( + "gn_auth.auth.authorisation.checks.require_oauth.acquire", + conftest.get_tokeniser( + user, + tuple(client for client in clients if client.user == user)[0])) with db.connection(auth_testdb_path) as conn: - assert create_group( - conn, "a_test_group", user, "A test group") == expected + created_group = create_group( + conn, "a_test_group", user, "A test group") + assert created_group == expected + __cleanup_create_group__(conn, user, created_group) + @pytest.mark.unit_test @pytest.mark.parametrize("user", conftest.TEST_USERS[1:]) -def test_create_group_raises_exception_with_non_privileged_user(# pylint: disable=[too-many-arguments] - fxtr_app, auth_testdb_path, mocker, fxtr_users, user):# pylint: disable=[unused-argument] +def test_create_group_raises_exception_with_non_privileged_user(# pylint: disable=[too-many-arguments too-many-positional-arguments] + fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients, user):# pylint: disable=[unused-argument] """ GIVEN: an authenticated user, without appropriate privileges WHEN: the user attempts to create a group THEN: verify the system raises an exception """ + _conn, clients = fxtr_oauth2_clients mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) - mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire", - conftest.get_tokeniser(user)) + mocker.patch( + "gn_auth.auth.authorisation.checks.require_oauth.acquire", + conftest.get_tokeniser( + user, + tuple(client for client in clients if client.user == user)[0])) with db.connection(auth_testdb_path) as conn: with pytest.raises(AuthorisationError): assert create_group(conn, "a_test_group", user, "A test group") @@ -71,58 +125,34 @@ create_role_failure = { "message": "Unauthorised: Could not create the group role" } -@pytest.mark.unit_test -@pytest.mark.parametrize( - "user,expected", tuple(zip(conftest.TEST_USERS[0:1], ( - GroupRole( - UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), - GROUP, - Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), - "ResourceEditor", True, PRIVILEGES)),)))) -def test_create_group_role(mocker, fxtr_users_in_group, user, expected): - """ - GIVEN: an authenticated user - WHEN: the user attempts to create a role, attached to a group - THEN: verify they are only able to create the role if they have the - appropriate privileges and that the role is attached to the given group - """ - mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) - mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn) - mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire", - conftest.get_tokeniser(user)) - conn, _group, _users = fxtr_users_in_group - with db.cursor(conn) as cursor: - assert create_group_role( - conn, GROUP, "ResourceEditor", PRIVILEGES) == expected - # cleanup - cursor.execute( - ("DELETE FROM group_roles " - "WHERE group_role_id=? AND group_id=? AND role_id=?"), - (str(conftest.uuid_fn()), str(GROUP.group_id), str(conftest.uuid_fn()))) @pytest.mark.unit_test @pytest.mark.parametrize( "user,expected", tuple(zip(conftest.TEST_USERS[1:], ( create_role_failure, create_role_failure, create_role_failure)))) def test_create_group_role_raises_exception_with_unauthorised_users( - mocker, fxtr_users_in_group, user, expected): + mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected): """ GIVEN: an authenticated user WHEN: the user attempts to create a role, attached to a group THEN: verify they are only able to create the role if they have the appropriate privileges and that the role is attached to the given group """ + _conn, clients = fxtr_oauth2_clients mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn) - mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire", - conftest.get_tokeniser(user)) + mocker.patch( + "gn_auth.auth.authorisation.checks.require_oauth.acquire", + conftest.get_tokeniser( + user, + tuple(client for client in clients if client.user == user)[0])) conn, _group, _users = fxtr_users_in_group with pytest.raises(AuthorisationError): assert create_group_role( conn, GROUP, "ResourceEditor", PRIVILEGES) == expected @pytest.mark.unit_test -def test_create_multiple_groups(mocker, fxtr_users): +def test_create_multiple_groups(mocker, fxtr_resource_user_roles, fxtr_oauth2_clients): """ GIVEN: An authenticated user with appropriate authorisation WHEN: The user attempts to create a new group, while being a member of an @@ -130,21 +160,26 @@ def test_create_multiple_groups(mocker, fxtr_users): THEN: The system should prevent that, and respond with an appropriate error message """ + _conn, clients = fxtr_oauth2_clients mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn) - user = User( - UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "group@lead.er", - "Group Leader") - mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire", - conftest.get_tokeniser(user)) - conn, _test_users = fxtr_users + user = conftest.TEST_USERS[3] + mocker.patch( + "gn_auth.auth.authorisation.checks.require_oauth.acquire", + conftest.get_tokeniser( + user, + tuple(client for client in clients if client.user == user)[0])) + conn, *_test_users = fxtr_resource_user_roles # First time, successfully creates the group - assert create_group(conn, "a_test_group", user) == Group( + created_group = create_group(conn, "a_test_group", user) + assert created_group == Group( UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group", {}) # subsequent attempts should fail with pytest.raises(AuthorisationError): create_group(conn, "another_test_group", user) + __cleanup_create_group__(conn, user, created_group) + @pytest.mark.unit_test @pytest.mark.parametrize( "user,expected", |