about summary refs log tree commit diff
path: root/tests/unit/auth/test_roles.py
diff options
context:
space:
mode:
Diffstat (limited to 'tests/unit/auth/test_roles.py')
-rw-r--r--tests/unit/auth/test_roles.py331
1 files changed, 246 insertions, 85 deletions
diff --git a/tests/unit/auth/test_roles.py b/tests/unit/auth/test_roles.py
index 00148a0..b7512ef 100644
--- a/tests/unit/auth/test_roles.py
+++ b/tests/unit/auth/test_roles.py
@@ -1,5 +1,5 @@
 """Test functions dealing with group management."""
-import uuid
+from uuid import UUID
 
 import pytest
 
@@ -21,136 +21,297 @@ PRIVILEGES = (
               "view a resource and use it in computations"),
     Privilege("group:resource:edit-resource", "edit/update a resource"))
 
-@pytest.mark.unit_test
-@pytest.mark.parametrize(
-    "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
-        Role(uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_role",
-             True, PRIVILEGES),))))
-def test_create_role(# pylint: disable=[too-many-arguments]
-        fxtr_app, auth_testdb_path, mocker, fxtr_users, user, expected):# pylint: disable=[unused-argument]
-    """
-    GIVEN: an authenticated user
-    WHEN: the user attempts to create a role
-    THEN: verify they are only able to create the role if they have the
-          appropriate privileges
-    """
-    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
-    mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
-                 conftest.get_tokeniser(user))
-    with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
-        the_role = create_role(cursor, "a_test_role", PRIVILEGES)
-        assert the_role == expected
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "user,expected", tuple(zip(conftest.TEST_USERS[1:], (
         create_role_failure, create_role_failure, create_role_failure))))
-def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments]
-        fxtr_app, auth_testdb_path, mocker, fxtr_users, user, expected):# pylint: disable=[unused-argument]
+def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments, unused-argument, too-many-positional-arguments]
+        fxtr_app,
+        auth_testdb_path,
+        mocker,
+        fxtr_users,
+        fxtr_oauth2_clients,
+        user,
+        expected
+):
     """
     GIVEN: an authenticated user
     WHEN: the user attempts to create a role
     THEN: verify they are only able to create the role if they have the
           appropriate privileges
     """
+    _conn, clients = fxtr_oauth2_clients
     mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
-    mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
-                 conftest.get_tokeniser(user))
+    mocker.patch(
+        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+        conftest.get_tokeniser(
+            user,
+            tuple(client for client in clients if client.user == user)[0]))
     with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
         with pytest.raises(AuthorisationError):
             create_role(cursor, "a_test_role", PRIVILEGES)
 
+
+# This might still be incomplete, especially regarding resource roles.
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "user,expected",
     (zip(TEST_USERS,
-         (({"resource_id": uuid.UUID("38d1807d-105f-44a7-8327-7e2d973b6d8d"),
-            "user_id": uuid.UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+         (({"resource_id": UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"),
+            "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
             "roles": (Role(
-                role_id=uuid.UUID('a0e67630-d502-4b9f-b23f-6805d0f30e30'),
-                role_name='group-leader', user_editable=False,
+                role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"),
+                role_name="resource_editor",
+                user_editable=True,
                 privileges=(
                     Privilege(
-                        privilege_id='group:resource:create-resource',
-                        privilege_description='Create a resource object'),
+                        privilege_id="group:resource:edit-resource",
+                        privilege_description="edit/update a resource"),
                     Privilege(
-                        privilege_id='group:resource:delete-resource',
-                        privilege_description='Delete a resource'),
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"))),)},
+           {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"),
+            "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+            "roles": (
+                Role(
+                    role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"),
+                    role_name="resource_editor",
+                    user_editable=True,
+                    privileges=(
+                        Privilege(
+                            privilege_id="group:resource:edit-resource",
+                            privilege_description="edit/update a resource"),
+                        Privilege(
+                            privilege_id="group:resource:view-resource",
+                            privilege_description="view a resource and use it in computations"))),
+                Role(
+                    role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                    role_name="public-view",
+                    user_editable=False,
+                    privileges=(
+                        Privilege(
+                            privilege_id="group:resource:view-resource",
+                            privilege_description=(
+                                "view a resource and use it in computations")),)))},
+           {"resource_id": UUID("e9a1184a-e8b4-49fb-b713-8d9cbeea5b83"),
+            "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+            "roles": (Role(
+                role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"),
+                role_name="resource_editor",
+                user_editable=True,
+                privileges=(
                     Privilege(
-                        privilege_id='group:resource:edit-resource',
-                        privilege_description='edit/update a resource'),
+                        privilege_id="group:resource:edit-resource",
+                        privilege_description="edit/update a resource"),
                     Privilege(
-                        privilege_id='group:resource:view-resource',
-                        privilege_description=(
-                            'view a resource and use it in computations')),
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"))),)},
+           {"resource_id": UUID("38d1807d-105f-44a7-8327-7e2d973b6d8d"),
+            "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+            "roles": (Role(
+                role_id=UUID("a0e67630-d502-4b9f-b23f-6805d0f30e30"),
+                role_name="group-leader",
+                user_editable=False,
+                privileges=(
                     Privilege(
-                        privilege_id='group:role:create-role',
-                        privilege_description='Create a new role'),
+                        "group:data:link-to-group",
+                        "Allow linking data to only one specific group."),
+
                     Privilege(
-                        privilege_id='group:role:delete-role',
-                        privilege_description='Delete an existing role'),
+                        privilege_id="group:resource:create-resource",
+                        privilege_description="Create a resource object"),
                     Privilege(
-                        privilege_id='group:role:edit-role',
-                        privilege_description='edit/update an existing role'),
+                        privilege_id="group:resource:delete-resource",
+                        privilege_description="Delete a resource"),
                     Privilege(
-                        privilege_id='group:user:add-group-member',
-                        privilege_description='Add a user to a group'),
+                        privilege_id="group:resource:edit-resource",
+                        privilege_description="edit/update a resource"),
                     Privilege(
-                        privilege_id='group:user:assign-role',
-                        privilege_description=(
-                            'Assign a role to an existing user')),
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"),
+                    Privilege(
+                        privilege_id="group:user:add-group-member",
+                        privilege_description="Add a user to a group"),
+                    Privilege(
+                        privilege_id="group:user:remove-group-member",
+                        privilege_description="Remove a user from a group"),
+                    Privilege(
+                        privilege_id="resource:role:create-role",
+                        privilege_description="Create a new role on a specific resource"),
+                    Privilege(
+                        privilege_id="resource:role:delete-role",
+                        privilege_description="Delete an existing role from a specific resource"),
                     Privilege(
-                        privilege_id='group:user:remove-group-member',
-                        privilege_description='Remove a user from a group'),
+                        privilege_id="resource:role:edit-role",
+                        privilege_description="Edit an existing role on a specific resource"),
                     Privilege(
-                        privilege_id='system:group:delete-group',
-                        privilege_description='Delete a group'),
+                        privilege_id="system:group:delete-group",
+                        privilege_description="Delete a group"),
                     Privilege(
-                        privilege_id='system:group:edit-group',
-                        privilege_description='Edit the details of a group'),
+                        privilege_id="system:group:edit-group",
+                        privilege_description="Edit the details of a group"),
                     Privilege(
-                        privilege_id='system:group:transfer-group-leader',
+                        privilege_id="system:group:transfer-group-leader",
                         privilege_description=(
-                            'Transfer leadership of the group to some other '
-                            'member')),
+                            "Transfer leadership of the group to some other member")),
                     Privilege(
-                        privilege_id='system:group:view-group',
-                        privilege_description='View the details of a group'),
+                        privilege_id="system:group:view-group",
+                        privilege_description="View the details of a group"),
                     Privilege(
-                        privilege_id='system:user:list',
-                        privilege_description='List users in the system'))),)
-            },
-           {
-               "resource_id": uuid.UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
-               "user_id": uuid.UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
-               "roles": (Role(
-                   role_id=uuid.UUID("ade7e6b0-ba9c-4b51-87d0-2af7fe39a347"),
-                   role_name="group-creator",
-                   user_editable=False,
-                   privileges=(
-                       Privilege(
-                           privilege_id="system:group:create-group",
-                           privilege_description="Create a group"),)),)}),
-          ({"resource_id": uuid.UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"),
-            "user_id": uuid.UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
+                        privilege_id="system:user:list",
+                        privilege_description="List users in the system"))),)},
+           {"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
+            "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+            "roles": (Role(
+                role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                role_name="public-view",
+                user_editable=False,
+                privileges=(
+                    Privilege(
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"),)),)},
+           {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"),
+            "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
             "roles": (Role(
-                role_id=uuid.UUID('89819f84-6346-488b-8955-86062e9eedb7'),
-                role_name='resource_editor',
+                role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                role_name="public-view",
+                user_editable=False,
+                privileges=(
+                    Privilege(
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"),)),)}),
+          ({"resource_id": UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"),
+            "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
+            "roles": (Role(
+                role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"),
+                role_name="resource_editor",
                 user_editable=True,
                 privileges=(
                     Privilege(
-                        privilege_id='group:resource:edit-resource',
-                        privilege_description='edit/update a resource'),
+                        privilege_id="group:resource:edit-resource",
+                        privilege_description="edit/update a resource"),
                     Privilege(
-                        privilege_id='group:resource:view-resource',
-                        privilege_description='view a resource and use it in computations'))),)},),
-          tuple(),
-          tuple()))))
-def test_user_roles(fxtr_group_user_roles, user, expected):
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"))),)
+            },
+           {"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
+            "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
+            "roles": (Role(
+                role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                role_name="public-view",
+                user_editable=False,
+                privileges=(
+                    Privilege(
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"),)),)
+            },
+           {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"),
+            "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
+            "roles": (Role(
+                role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                role_name="public-view",
+                user_editable=False,
+                privileges=(
+                    Privilege(
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"),)),)
+            },
+           {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"),
+            "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
+            "roles": (Role(
+                role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                role_name="public-view",
+                user_editable=False,
+                privileges=(
+                    Privilege(
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"),)),)
+            }),
+          ({"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
+            "user_id": UUID("ae9c6245-0966-41a5-9a5e-20885a96bea7"),
+            "roles": (Role(
+                role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                role_name="public-view",
+                user_editable=False,
+                privileges=(
+                    Privilege(
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"),)),)
+            },
+           {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"),
+            "user_id": UUID("ae9c6245-0966-41a5-9a5e-20885a96bea7"),
+            "roles": (Role(
+                role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                role_name="public-view",
+                user_editable=False,
+                privileges=(
+                    Privilege(
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"),)),)
+            },
+           {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"),
+            "user_id": UUID("ae9c6245-0966-41a5-9a5e-20885a96bea7"),
+            "roles": (Role(
+                role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                role_name="public-view",
+                user_editable=False,
+                privileges=(
+                    Privilege(
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"),)),)
+            }),
+          ({"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
+            "user_id": UUID("9a0c7ce5-2f40-4e78-979e-bf3527a59579"),
+            "roles": (
+                Role(
+                    role_id=UUID("ade7e6b0-ba9c-4b51-87d0-2af7fe39a347"),
+                    role_name="group-creator",
+                    user_editable=False,
+                    privileges=(
+                        Privilege(
+                            privilege_id="system:group:create-group",
+                            privilege_description="Create a group"),)),
+                Role(
+                    role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                    role_name="public-view",
+                    user_editable=False,
+                    privileges=(
+                        Privilege(
+                            privilege_id="group:resource:view-resource",
+                            privilege_description="view a resource and use it in computations"),)))
+            },
+           {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"),
+            "user_id": UUID("9a0c7ce5-2f40-4e78-979e-bf3527a59579"),
+            "roles": (Role(
+                role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                role_name="public-view",
+                user_editable=False,
+                privileges=(
+                    Privilege(
+                        privilege_id="group:resource:view-resource",
+                        privilege_description="view a resource and use it in computations"),)),)
+            },
+           {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"),
+            "user_id": UUID("9a0c7ce5-2f40-4e78-979e-bf3527a59579"),
+            "roles": (Role(
+                role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+                role_name="public-view",
+                user_editable=False,
+                privileges=(
+                    Privilege(
+                        privilege_id="group:resource:view-resource",
+                        privilege_description=(
+                            "view a resource and use it in computations")),)),)})))))
+def test_user_roles(
+        fxtr_resource_user_roles,
+        user,
+        expected
+):
     """
     GIVEN: an authenticated user
     WHEN: we request the user's privileges
     THEN: return **ALL** the privileges attached to the user
     """
-    conn, *_others = fxtr_group_user_roles
+    conn, *_others = fxtr_resource_user_roles
     assert user_roles(conn, user) == expected
generated by cgit-pink 1.4.1 (git 2.36.1) at 2026-02-24 00:32:34 +0000