Diffstat (limited to 'tests/unit/auth')
-rw-r--r--tests/unit/auth/fixtures/role_fixtures.py2
-rw-r--r--tests/unit/auth/test_groups.py43
-rw-r--r--tests/unit/auth/test_migrations_add_data_to_table.py4
-rw-r--r--tests/unit/auth/test_migrations_add_remove_columns.py4
-rw-r--r--tests/unit/auth/test_migrations_indexes.py4
-rw-r--r--tests/unit/auth/test_migrations_insert_data_into_empty_table.py4
-rw-r--r--tests/unit/auth/test_privileges.py13
-rw-r--r--tests/unit/auth/test_resources.py16
-rw-r--r--tests/unit/auth/test_resources_roles.py90
-rw-r--r--tests/unit/auth/test_roles.py49
10 files changed, 140 insertions, 89 deletions
diff --git a/tests/unit/auth/fixtures/role_fixtures.py b/tests/unit/auth/fixtures/role_fixtures.py
index 1858712..63a3fca 100644
--- a/tests/unit/auth/fixtures/role_fixtures.py
+++ b/tests/unit/auth/fixtures/role_fixtures.py
@@ -163,7 +163,7 @@ def fxtr_system_roles(fxtr_users):
 
 
 @pytest.fixture(scope="function")
-def fxtr_resource_user_roles(# pylint: disable=[too-many-arguments, too-many-locals]
+def fxtr_resource_user_roles(# pylint: disable=[too-many-arguments, too-many-locals, too-many-positional-arguments]
         fxtr_resources,
         fxtr_users_in_group,
         fxtr_resource_ownership,
diff --git a/tests/unit/auth/test_groups.py b/tests/unit/auth/test_groups.py
index f22a8cf..346beb9 100644
--- a/tests/unit/auth/test_groups.py
+++ b/tests/unit/auth/test_groups.py
@@ -6,10 +6,9 @@ from pymonad.maybe import Nothing
 
 from gn_auth.auth.db import sqlite3 as db
 from gn_auth.auth.errors import AuthorisationError
-from gn_auth.auth.authorisation.roles import Role
 from gn_auth.auth.authorisation.privileges import Privilege
 from gn_auth.auth.authorisation.resources.groups.models import (
-    Group, GroupRole, user_group, create_group, create_group_role)
+    Group, user_group, create_group, create_group_role)
 
 from tests.unit.auth import conftest
 
@@ -28,7 +27,7 @@ PRIVILEGES = (
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize("user", tuple(conftest.TEST_USERS[0:3]))
-def test_create_group_fails(# pylint: disable=[too-many-arguments]
+def test_create_group_fails(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         fxtr_app, auth_testdb_path, mocker, fxtr_resource_user_roles, fxtr_oauth2_clients, user):# pylint: disable=[unused-argument]
     """
     GIVEN: an authenticated user
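Review bot: The new disable list on test_create_group_fails drops the comma between the two message names, unlike the comma-separated lists this commit writes in role_fixtures.py and test_migrations_add_data_to_table.py. pylint's pragma tokeniser may still pick out both names, but the list should not depend on that; write `# pylint: disable=[too-many-arguments, too-many-positional-arguments]`. The same omission appears on test_create_group_succeeds and test_create_group_raises_exception_with_non_privileged_user in this file, and on both changed signatures in test_migrations_add_remove_columns.py and test_migrations_indexes.py. Only the start of the function is in this hunk; its body lies outside it.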
@@ -72,7 +71,7 @@ def __cleanup_create_group__(conn, user, group):
     ((conftest.TEST_USERS[3], Group(
         UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group",
         {"group_description": "A test group"})),))
-def test_create_group_succeeds(# pylint: disable=[too-many-arguments, unused-argument]
+def test_create_group_succeeds(# pylint: disable=[too-many-arguments too-many-positional-arguments, unused-argument]
         fxtr_app,
         auth_testdb_path,
         mocker,
@@ -103,7 +102,7 @@ def test_create_group_succeeds(# pylint: disable=[too-many-arguments, unused-arg
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize("user", conftest.TEST_USERS[1:])
-def test_create_group_raises_exception_with_non_privileged_user(# pylint: disable=[too-many-arguments]
+def test_create_group_raises_exception_with_non_privileged_user(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients, user):# pylint: disable=[unused-argument]
     """
     GIVEN: an authenticated user, without appropriate privileges
@@ -126,40 +125,6 @@ create_role_failure = {
     "message": "Unauthorised: Could not create the group role"
 }
 
-@pytest.mark.skip("Keep as placeholder until we implement test for creating "
-                  "a resource role.")
-@pytest.mark.unit_test
-@pytest.mark.parametrize(
-    "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
-        GroupRole(
-            UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
-            GROUP,
-            Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
-                 "ResourceEditor", True, PRIVILEGES)),))))
-def test_create_group_role(mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
-    """
-    GIVEN: an authenticated user
-    WHEN: the user attempts to create a role, attached to a group
-    THEN: verify they are only able to create the role if they have the
-        appropriate privileges and that the role is attached to the given group
-    """
-    _conn, clients = fxtr_oauth2_clients
-    mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
-    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
-    mocker.patch(
-        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
-        conftest.get_tokeniser(
-            user,
-            tuple(client for client in clients if client.user == user)[0]))
-    conn, _group, _users = fxtr_users_in_group
-    with db.cursor(conn) as cursor:
-        assert create_group_role(
-            conn, GROUP, "ResourceEditor", PRIVILEGES) == expected
-        # cleanup
-        cursor.execute(
-            ("DELETE FROM group_roles "
-             "WHERE group_role_id=? AND group_id=? AND role_id=?"),
-            (str(conftest.uuid_fn()), str(GROUP.group_id), str(conftest.uuid_fn())))
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
diff --git a/tests/unit/auth/test_migrations_add_data_to_table.py b/tests/unit/auth/test_migrations_add_data_to_table.py
index d9e2ca4..0945a20 100644
--- a/tests/unit/auth/test_migrations_add_data_to_table.py
+++ b/tests/unit/auth/test_migrations_add_data_to_table.py
@@ -40,7 +40,7 @@ test_params = (
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize("migration_file,query,query_params,data", test_params)
-def test_apply_insert(# pylint: disable=[too-many-arguments]
+def test_apply_insert(# pylint: disable=[too-many-arguments, too-many-positional-arguments]
         auth_migrations_dir, backend, auth_testdb_path, migration_file, query,
         query_params, data):
     """
@@ -65,7 +65,7 @@ def test_apply_insert(# pylint: disable=[too-many-arguments]
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize("migration_file,query,query_params,data", test_params)
-def test_rollback_insert(# pylint: disable=[too-many-arguments]
+def test_rollback_insert(# pylint: disable=[too-many-arguments, too-many-positional-arguments]
         auth_migrations_dir, backend, auth_testdb_path, migration_file, query,
         query_params, data):
     """
diff --git a/tests/unit/auth/test_migrations_add_remove_columns.py b/tests/unit/auth/test_migrations_add_remove_columns.py
index af85652..15dc3a2 100644
--- a/tests/unit/auth/test_migrations_add_remove_columns.py
+++ b/tests/unit/auth/test_migrations_add_remove_columns.py
@@ -51,7 +51,7 @@ def rolled_back_successfully(adding: bool, result_str: str, column: str) -> bool
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,the_table,the_column,adding", TEST_PARAMS)
-def test_apply_add_remove_column(# pylint: disable=[too-many-arguments]
+def test_apply_add_remove_column(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         auth_migrations_dir, auth_testdb_path, backend, migration_file,
         the_table, the_column, adding):
     """
@@ -84,7 +84,7 @@ def test_apply_add_remove_column(# pylint: disable=[too-many-arguments]
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,the_table,the_column,adding", TEST_PARAMS)
-def test_rollback_add_remove_column(# pylint: disable=[too-many-arguments]
+def test_rollback_add_remove_column(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         auth_migrations_dir, auth_testdb_path, backend, migration_file,
         the_table, the_column, adding):
     """
diff --git a/tests/unit/auth/test_migrations_indexes.py b/tests/unit/auth/test_migrations_indexes.py
index 1c543c4..2d0997f 100644
--- a/tests/unit/auth/test_migrations_indexes.py
+++ b/tests/unit/auth/test_migrations_indexes.py
@@ -30,7 +30,7 @@ migrations_tables_and_indexes = (
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,the_table,the_index", migrations_tables_and_indexes)
-def test_index_created(# pylint: disable=[too-many-arguments]
+def test_index_created(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         auth_testdb_path, auth_migrations_dir, backend, migration_file,
         the_table, the_index):
     """
@@ -61,7 +61,7 @@ def test_index_created(# pylint: disable=[too-many-arguments]
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,the_table,the_index", migrations_tables_and_indexes)
-def test_index_dropped(# pylint: disable=[too-many-arguments]
+def test_index_dropped(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         auth_testdb_path, auth_migrations_dir, backend, migration_file,
         the_table, the_index):
     """
diff --git a/tests/unit/auth/test_migrations_insert_data_into_empty_table.py b/tests/unit/auth/test_migrations_insert_data_into_empty_table.py
index 0cf9a1f..c699e81 100644
--- a/tests/unit/auth/test_migrations_insert_data_into_empty_table.py
+++ b/tests/unit/auth/test_migrations_insert_data_into_empty_table.py
@@ -16,7 +16,7 @@ test_params = (
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,table,row_count", test_params)
-def test_apply_insert(# pylint: disable=[too-many-arguments]
+def test_apply_insert(# pylint: disable=[too-many-arguments, too-many-positional-arguments]
         auth_testdb_path, auth_migrations_dir, backend, migration_file,
         table, row_count):
     """
@@ -45,7 +45,7 @@ def test_apply_insert(# pylint: disable=[too-many-arguments]
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,table,row_count", test_params)
-def test_rollback_insert(# pylint: disable=[too-many-arguments]
+def test_rollback_insert(# pylint: disable=[too-many-arguments, too-many-positional-arguments]
         auth_testdb_path, auth_migrations_dir, backend, migration_file,
         table, row_count):
     """
diff --git a/tests/unit/auth/test_privileges.py b/tests/unit/auth/test_privileges.py
index 619ccc1..41dae7f 100644
--- a/tests/unit/auth/test_privileges.py
+++ b/tests/unit/auth/test_privileges.py
@@ -24,7 +24,18 @@ PRIVILEGES = sorted(
      Privilege("group:resource:view-resource",
                "view a resource and use it in computations"),
      Privilege("group:resource:edit-resource", "edit/update a resource"),
-     Privilege("group:resource:delete-resource", "Delete a resource")),
+     Privilege("group:resource:delete-resource", "Delete a resource"),
+
+     Privilege("group:data:link-to-group",
+               "Allow linking data to only one specific group."),
+
+     # Role-management privileges
+     Privilege("resource:role:create-role",
+               "Create a new role on a specific resource"),
+     Privilege("resource:role:delete-role",
+               "Delete an existing role from a specific resource"),
+     Privilege("resource:role:edit-role",
+               "Edit an existing role on a specific resource")),
     key=sort_key_privileges)
 
 @pytest.mark.unit_test
diff --git a/tests/unit/auth/test_resources.py b/tests/unit/auth/test_resources.py
index 9b45b68..04da6df 100644
--- a/tests/unit/auth/test_resources.py
+++ b/tests/unit/auth/test_resources.py
@@ -30,7 +30,7 @@ create_resource_failure = {
         (Resource(
             uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
             "test_resource", resource_category, False),))))
-def test_create_resource(# pylint: disable=[too-many-arguments, unused-argument]
+def test_create_resource(# pylint: disable=[too-many-arguments, too-many-positional-arguments, unused-argument]
         mocker,
         fxtr_users_in_group,
         fxtr_resource_user_roles,
@@ -47,11 +47,11 @@ def test_create_resource(# pylint: disable=[too-many-arguments, unused-argument]
             user,
             tuple(client for client in clients if client.user == user)[0]))
     conn, _group, _users = fxtr_users_in_group
-    resource = create_resource(
-        conn, "test_resource", resource_category, user, False)
-    assert resource == expected
 
     with db.cursor(conn) as cursor:
+        resource = create_resource(
+            conn, "test_resource", resource_category, user, _group, False)
+        assert resource == expected
         # Cleanup
         cursor.execute(
             "DELETE FROM user_roles WHERE resource_id=?",
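Review bot: `_group` is now passed to `create_resource`, but the leading underscore in `conn, _group, _users = fxtr_users_in_group` still marks it as unused; rename it to `group` here and in the following hunk for test_create_resource_raises_for_unauthorised_users. The assertion also sits ahead of the cleanup inside the `with db.cursor(conn)` block, so a failed comparison skips the DELETE statements and can leave rows behind for later tests; running the cleanup in a `finally:` clause would avoid that. In the following hunk the `== expected` comparison inside `with pytest.raises(AuthorisationError):` is never evaluated once the call raises, so it can be dropped. The cleanup continues past the end of this hunk, so what else it removes is not visible here.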
@@ -83,7 +83,13 @@ def test_create_resource_raises_for_unauthorised_users(
     conn, _group, _users = fxtr_users_in_group
     with pytest.raises(AuthorisationError):
         assert create_resource(
-            conn, "test_resource", resource_category, user, False) == expected
+            conn,
+            "test_resource",
+            resource_category,
+            user,
+            _group,
+            False
+        ) == expected
 
 def sort_key_resources(resource):
     """Sort-key for resources."""
diff --git a/tests/unit/auth/test_resources_roles.py b/tests/unit/auth/test_resources_roles.py
new file mode 100644
index 0000000..e43f25c
--- /dev/null
+++ b/tests/unit/auth/test_resources_roles.py
@@ -0,0 +1,90 @@
+"""Tests for roles for a specific resource."""
+from uuid import UUID
+
+import pytest
+
+from gn_auth.auth.db import sqlite3 as db
+from gn_auth.auth.authorisation.privileges import Privilege
+from gn_auth.auth.authorisation.roles.models import Role, create_role
+from gn_auth.auth.authorisation.resources.groups.models import (
+    GroupRole,
+    create_group_role)
+
+from tests.unit.auth import conftest
+
+
+GROUP = conftest.TEST_GROUP_01
+PRIVILEGES = (
+    Privilege("group:resource:view-resource",
+              "view a resource and use it in computations"),
+    Privilege("group:resource:edit-resource", "edit/update a resource"))
+
+
+@pytest.mark.skip("Keep as placeholder until we implement test for creating "
+                  "a resource role.")
+@pytest.mark.unit_test
+@pytest.mark.parametrize(
+    "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
+        GroupRole(
+            UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
+            GROUP,
+            Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
+                 "ResourceEditor", True, PRIVILEGES)),))))
+def test_create_group_role(mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
+    """
+    GIVEN: an authenticated user
+    WHEN: the user attempts to create a role, attached to a group
+    THEN: verify they are only able to create the role if they have the
+        appropriate privileges and that the role is attached to the given group
+    """
+    _conn, clients = fxtr_oauth2_clients
+    mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
+    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
+    mocker.patch(
+        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+        conftest.get_tokeniser(
+            user,
+            tuple(client for client in clients if client.user == user)[0]))
+    conn, _group, _users = fxtr_users_in_group
+    with db.cursor(conn) as cursor:
+        assert create_group_role(
+            conn, GROUP, "ResourceEditor", PRIVILEGES) == expected
+        # cleanup
+        cursor.execute(
+            ("DELETE FROM group_roles "
+             "WHERE group_role_id=? AND group_id=? AND role_id=?"),
+            (str(conftest.uuid_fn()), str(GROUP.group_id), str(conftest.uuid_fn())))
+
+
+@pytest.mark.skip(
+    "This needs to be replaced by tests for creation of resource roles.")
+@pytest.mark.unit_test
+@pytest.mark.parametrize(
+    "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
+        Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_role",
+             True, PRIVILEGES),))))
+def test_create_role(# pylint: disable=[too-many-arguments, too-many-positional-arguments, unused-argument]
+        fxtr_app,
+        auth_testdb_path,
+        mocker,
+        fxtr_users,
+        fxtr_oauth2_clients,
+        user,
+        expected
+):
+    """
+    GIVEN: an authenticated user
+    WHEN: the user attempts to create a role
+    THEN: verify they are only able to create the role if they have the
+          appropriate privileges
+    """
+    _conn, clients = fxtr_oauth2_clients
+    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
+    mocker.patch(
+        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+        conftest.get_tokeniser(
+            user,
+            tuple(client for client in clients if client.user == user)[0]))
+    with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
+        the_role = create_role(cursor, "a_test_role", PRIVILEGES)
+        assert the_role == expected
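Review bot: Both tests in this new module are still decorated with `@pytest.mark.skip`, so the file adds no executed coverage for role creation on a resource. The docstrings say creation is allowed only with the appropriate privileges, but the only parametrisation is `conftest.TEST_USERS[0:1]`, so no denied case would be checked even with the skip lifted. When these placeholders are replaced, add a case for a user who lacks the role-management privilege and expect `AuthorisationError`. The cleanup in test_create_group_role removes only the `group_roles` row; whether `create_group_role` writes other rows is not visible here, so confirm nothing else is left behind. A module-level comment such as `# TODO: replace placeholders with resource-role tests (allow and deny cases)` would record the intent.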
diff --git a/tests/unit/auth/test_roles.py b/tests/unit/auth/test_roles.py
index b9d1183..b7512ef 100644
--- a/tests/unit/auth/test_roles.py
+++ b/tests/unit/auth/test_roles.py
@@ -22,45 +22,11 @@ PRIVILEGES = (
     Privilege("group:resource:edit-resource", "edit/update a resource"))
 
 
-@pytest.mark.skip(
-    "This needs to be replaced by tests for creation of resource roles.")
-@pytest.mark.unit_test
-@pytest.mark.parametrize(
-    "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
-        Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_role",
-             True, PRIVILEGES),))))
-def test_create_role(# pylint: disable=[too-many-arguments, unused-argument]
-        fxtr_app,
-        auth_testdb_path,
-        mocker,
-        fxtr_users,
-        fxtr_oauth2_clients,
-        user,
-        expected
-):
-    """
-    GIVEN: an authenticated user
-    WHEN: the user attempts to create a role
-    THEN: verify they are only able to create the role if they have the
-          appropriate privileges
-    """
-    _conn, clients = fxtr_oauth2_clients
-    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
-    mocker.patch(
-        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
-        conftest.get_tokeniser(
-            user,
-            tuple(client for client in clients if client.user == user)[0]))
-    with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
-        the_role = create_role(cursor, "a_test_role", PRIVILEGES)
-        assert the_role == expected
-
-
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "user,expected", tuple(zip(conftest.TEST_USERS[1:], (
         create_role_failure, create_role_failure, create_role_failure))))
-def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments, unused-argument]
+def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments, unused-argument, too-many-positional-arguments]
         fxtr_app,
         auth_testdb_path,
         mocker,
@@ -149,6 +115,10 @@ def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[
                 user_editable=False,
                 privileges=(
                     Privilege(
+                        "group:data:link-to-group",
+                        "Allow linking data to only one specific group."),
+
+                    Privilege(
                         privilege_id="group:resource:create-resource",
                         privilege_description="Create a resource object"),
                     Privilege(
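Review bot: The added `group:data:link-to-group` entry passes its fields positionally, while every neighbouring `Privilege(...)` in this expected tuple, including the three `resource:role:*` entries added in the next hunk, uses keyword arguments. Write it as `privilege_id="group:data:link-to-group",` and `privilege_description="Allow linking data to only one specific group."),` so the list reads uniformly and a reordering of the fields cannot silently swap id and description. The enclosing parametrised structure starts and ends outside this hunk.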
@@ -167,6 +137,15 @@ def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[
                         privilege_id="group:user:remove-group-member",
                         privilege_description="Remove a user from a group"),
                     Privilege(
+                        privilege_id="resource:role:create-role",
+                        privilege_description="Create a new role on a specific resource"),
+                    Privilege(
+                        privilege_id="resource:role:delete-role",
+                        privilege_description="Delete an existing role from a specific resource"),
+                    Privilege(
+                        privilege_id="resource:role:edit-role",
+                        privilege_description="Edit an existing role on a specific resource"),
+                    Privilege(
                         privilege_id="system:group:delete-group",
                         privilege_description="Delete a group"),
                     Privilege(