Diffstat (limited to 'tests/unit')
-rw-r--r--tests/unit/auth/conftest.py30
-rw-r--r--tests/unit/auth/fixtures/group_fixtures.py139
-rw-r--r--tests/unit/auth/fixtures/resource_fixtures.py78
-rw-r--r--tests/unit/auth/fixtures/role_fixtures.py169
-rw-r--r--tests/unit/auth/fixtures/user_fixtures.py25
-rw-r--r--tests/unit/auth/test_groups.py149
-rw-r--r--tests/unit/auth/test_privileges.py12
-rw-r--r--tests/unit/auth/test_resources.py34
-rw-r--r--tests/unit/auth/test_resources_roles.py90
-rw-r--r--tests/unit/auth/test_roles.py318
10 files changed, 721 insertions, 323 deletions
diff --git a/tests/unit/auth/conftest.py b/tests/unit/auth/conftest.py
index 7f9d42d..fa86a4c 100644
--- a/tests/unit/auth/conftest.py
+++ b/tests/unit/auth/conftest.py
@@ -4,19 +4,41 @@ import datetime
from contextlib import contextmanager
from gn_auth.auth.authentication.oauth2.models.oauth2token import OAuth2Token
+from gn_auth.auth.authentication.oauth2.grants.jwt_bearer_grant import JWTBearerTokenGenerator
from .fixtures import * # pylint: disable=[wildcard-import,unused-wildcard-import]
-def get_tokeniser(user):
+SECRET_KEY = "this is the test secret key"
+SCOPE = "profile group role resource register-client"
+
+def _tokengenerator(user, client):
+ """Generate a JWT token for tests"""
+ _generator = JWTBearerTokenGenerator(
+ secret_key=SECRET_KEY,
+ alg="HS256")
+ return _generator(
+ grant_type="urn:ietf:params:oauth:grant-type:jwt-bearer",
+ client=client,
+ user=user,
+ scope=SCOPE,
+ expires_in=3600,
+ include_refresh_token=False)
+
+def get_tokeniser(user, client):
"""Get contextmanager for mocking token acquisition."""
@contextmanager
def __token__(*args, **kwargs):# pylint: disable=[unused-argument]
yield {
usr.user_id: OAuth2Token(
token_id=uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
- client=None, token_type="Bearer", access_token="123456ABCDE",
- refresh_token=None, revoked=False, expires_in=864000,
- user=usr, issued_at=int(datetime.datetime.now().timestamp()),
+ client=client,
+ token_type="Bearer",
+ access_token=_tokengenerator(user, client),
+ refresh_token=None,
+ revoked=False,
+ expires_in=864000,
+ user=usr,
+ issued_at=int(datetime.datetime.now().timestamp()),
scope="profile group role resource register-client")
for usr in TEST_USERS
}[user.user_id]
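Review bot: Inside the comprehension every entry's token is signed for the outer `user` (`access_token=_tokengenerator(user, client)`) while the same entry sets `user=usr`, so for every TEST_USERS entry other than the one selected by `[user.user_id]` the signed subject and the token's `user` field disagree, and a fresh HS256 token is minted for all test users on each acquire. Since only one entry is ever returned, build just that one (`yield {user.user_id: OAuth2Token(..., access_token=_tokengenerator(user, client), user=user, ...)}[user.user_id]`) or at minimum sign with `_tokengenerator(usr, client)` so the dict is internally consistent. The JWT is issued with `expires_in=3600` while the OAuth2Token wrapping it states `expires_in=864000`; if anything under test compares the two, the mismatch will surface, so a comment saying which value the checks read would help.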
diff --git a/tests/unit/auth/fixtures/group_fixtures.py b/tests/unit/auth/fixtures/group_fixtures.py
index 79683c0..2e8cd9a 100644
--- a/tests/unit/auth/fixtures/group_fixtures.py
+++ b/tests/unit/auth/fixtures/group_fixtures.py
@@ -4,10 +4,10 @@ import uuid
import pytest
from gn_auth.auth.db import sqlite3 as db
-from gn_auth.auth.authorisation.resources.groups import Group, GroupRole
+from gn_auth.auth.authorisation.resources.groups import Group
from gn_auth.auth.authorisation.resources import Resource, ResourceCategory
-from .role_fixtures import RESOURCE_EDITOR_ROLE, RESOURCE_READER_ROLE
+from .resource_fixtures import TEST_RESOURCES
TEST_GROUP_01 = Group(uuid.UUID("9988c21d-f02f-4d45-8966-22c968ac2fbf"),
"TheTestGroup", {})
@@ -15,16 +15,6 @@ TEST_GROUP_02 = Group(uuid.UUID("e37d59d7-c05e-4d67-b479-81e627d8d634"),
"AnotherTestGroup", {})
TEST_GROUPS = (TEST_GROUP_01, TEST_GROUP_02)
-SYSTEM_CATEGORY = ResourceCategory(
- uuid.UUID("aa3d787f-af6a-44fa-9b0b-c82d40e54ad2"),
- "system",
- "The overall system.")
-SYSTEM_RESOURCE = Resource(
- uuid.UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
- "GeneNetwork System",
- SYSTEM_CATEGORY,
- True)
-
GROUP_CATEGORY = ResourceCategory(
uuid.UUID("1e0f70ee-add5-4358-8c6c-43de77fa4cce"),
"group",
@@ -46,38 +36,11 @@ GROUP_RESOURCES = tuple(
False)
for row in GROUPS_AS_RESOURCES)
-TEST_RESOURCES_GROUP_01 = (
- Resource(uuid.UUID("26ad1668-29f5-439d-b905-84d551f85955"),
- "ResourceG01R01",
- ResourceCategory(uuid.UUID("48056f84-a2a6-41ac-8319-0e1e212cba2a"),
- "genotype", "Genotype Dataset"),
- True),
- Resource(uuid.UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"),
- "ResourceG01R02",
- ResourceCategory(uuid.UUID("548d684b-d4d1-46fb-a6d3-51a56b7da1b3"),
- "phenotype", "Phenotype (Publish) Dataset"),
- False),
- Resource(uuid.UUID("e9a1184a-e8b4-49fb-b713-8d9cbeea5b83"),
- "ResourceG01R03",
- ResourceCategory(uuid.UUID("fad071a3-2fc8-40b8-992b-cdefe7dcac79"),
- "mrna", "mRNA Dataset"),
- False))
-
-TEST_RESOURCES_GROUP_02 = (
- Resource(uuid.UUID("14496a1c-c234-49a2-978c-8859ea274054"),
- "ResourceG02R01",
- ResourceCategory(uuid.UUID("48056f84-a2a6-41ac-8319-0e1e212cba2a"),
- "genotype", "Genotype Dataset"),
- False),
- Resource(uuid.UUID("04ad9e09-94ea-4390-8a02-11f92999806b"),
- "ResourceG02R02",
- ResourceCategory(uuid.UUID("fad071a3-2fc8-40b8-992b-cdefe7dcac79"),
- "mrna", "mRNA Dataset"),
- True))
-
-TEST_RESOURCES = TEST_RESOURCES_GROUP_01 + TEST_RESOURCES_GROUP_02
-TEST_RESOURCES_PUBLIC = (
- SYSTEM_RESOURCE, TEST_RESOURCES_GROUP_01[0], TEST_RESOURCES_GROUP_02[1])
+
+TEST_RESOURCES_GROUP_01 = TEST_RESOURCES[0:3]
+TEST_RESOURCES_GROUP_02 = TEST_RESOURCES[3:5]
+
+
def __gtuple__(cursor):
return tuple(dict(row) for row in cursor.fetchall())
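Review bot: `TEST_RESOURCES_GROUP_01 = TEST_RESOURCES[0:3]` and `TEST_RESOURCES_GROUP_02 = TEST_RESOURCES[3:5]` encode the group split purely by position in a tuple defined in another module, so reordering or appending to `TEST_RESOURCES` in resource_fixtures.py silently changes which resources each group owns and, through the role fixtures, which user gets editor rights on them. A comment naming the invariant plus a cheap guard such as `assert all(r.resource_name.startswith("ResourceG01") for r in TEST_RESOURCES_GROUP_01)` would catch that at import time; the names already carry the group (`ResourceG01R01`, `ResourceG02R01`), so the slices could equally be derived from them.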
@@ -115,6 +78,37 @@ def fxtr_group(conn_after_auth_migrations):# pylint: disable=[redefined-outer-na
"DELETE FROM groups WHERE group_id=?",
((str(group.group_id),) for group in TEST_GROUPS))
+
+@pytest.fixture(scope="function")
+def fxtr_resource_ownership(# pylint: disable=[redefined-outer-name]
+ fxtr_resources, fxtr_group
+):
+ """fixture: Set up group ownership of resources."""
+ _conn, resources = fxtr_resources
+ conn, groups = fxtr_group
+ ownership = tuple({
+ "group_id": str(TEST_GROUP_01.group_id),
+ "resource_id": str(res.resource_id)
+ } for res in TEST_RESOURCES_GROUP_01) + tuple({
+ "group_id": str(TEST_GROUP_02.group_id),
+ "resource_id": str(res.resource_id)
+ } for res in TEST_RESOURCES_GROUP_02)
+
+ with db.cursor(conn) as cursor:
+ cursor.executemany(
+ "INSERT INTO resource_ownership(group_id, resource_id) "
+ "VALUES (:group_id, :resource_id)",
+ ownership)
+
+ yield conn, resources, groups, ownership
+
+ with db.cursor(conn) as cursor:
+ cursor.executemany(
+ "DELETE FROM resource_ownership "
+ "WHERE group_id=:group_id AND resource_id=:resource_id",
+ ownership)
+
+
@pytest.fixture(scope="function")
def fxtr_users_in_group(fxtr_group, fxtr_users):# pylint: disable=[redefined-outer-name, unused-argument]
"""Link the users to the groups."""
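Review bot: `fxtr_resource_ownership` discards the connection from `fxtr_resources` (`_conn, resources = fxtr_resources`) and writes the `resource_ownership` rows through the one from `fxtr_group`; both presumably come from `conn_after_auth_migrations`, but nothing in the fixture states that, and a reader has to trust that the `resources` rows and the ownership rows land in the same database. A one-line comment, `# both fixtures share conn_after_auth_migrations; one connection is enough`, or an `assert _conn is conn` makes the assumption explicit. Note that the fourth yielded value is the ownership mapping dicts, not Resource objects, which matters for the consumer in role_fixtures.py that unpacks it under the name `group_resources`.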
@@ -134,60 +128,3 @@ def fxtr_users_in_group(fxtr_group, fxtr_users):# pylint: disable=[redefined-out
cursor.executemany(
"DELETE FROM group_users WHERE group_id=? AND user_id=?",
query_params)
-
-@pytest.fixture(scope="function")
-def fxtr_group_roles(fxtr_group, fxtr_roles):# pylint: disable=[redefined-outer-name,unused-argument]
- """Link roles to group"""
- group_roles = (
- GroupRole(uuid.UUID("9c25efb2-b477-4918-a95c-9914770cbf4d"),
- TEST_GROUP_01, RESOURCE_EDITOR_ROLE),
- GroupRole(uuid.UUID("82aed039-fe2f-408c-ab1e-81cd1ba96630"),
- TEST_GROUP_02, RESOURCE_READER_ROLE))
- conn, groups = fxtr_group
- with db.cursor(conn) as cursor:
- cursor.executemany(
- "INSERT INTO group_roles VALUES (?, ?, ?)",
- ((str(role.group_role_id), str(role.group.group_id),
- str(role.role.role_id))
- for role in group_roles))
-
- yield conn, groups, group_roles
-
- with db.cursor(conn) as cursor:
- cursor.executemany(
- ("DELETE FROM group_roles "
- "WHERE group_role_id=? AND group_id=? AND role_id=?"),
- ((str(role.group_role_id), str(role.group.group_id),
- str(role.role.role_id))
- for role in group_roles))
-
-@pytest.fixture(scope="function")
-def fxtr_group_user_roles(fxtr_resources, fxtr_group_roles, fxtr_users_in_group):#pylint: disable=[redefined-outer-name,unused-argument]
- """Assign roles to users."""
- conn, _groups, group_roles = fxtr_group_roles
- _conn, group_resources = fxtr_resources
- _conn, _group, group_users = fxtr_users_in_group
- users = tuple(user for user in group_users if user.email
- not in ("unaff@iliated.user", "group@lead.er"))
- users_roles_resources = (
- (user, RESOURCE_EDITOR_ROLE, TEST_RESOURCES_GROUP_01[1])
- for user in users if user.email == "group@mem.ber01")
- with db.cursor(conn) as cursor:
- params = tuple({
- "user_id": str(user.user_id),
- "role_id": str(role.role_id),
- "resource_id": str(resource.resource_id)
- } for user, role, resource in users_roles_resources)
- cursor.executemany(
- ("INSERT INTO user_roles "
- "VALUES (:user_id, :role_id, :resource_id)"),
- params)
-
- yield conn, group_users, group_roles, group_resources
-
- with db.cursor(conn) as cursor:
- cursor.executemany(
- ("DELETE FROM user_roles WHERE "
- "user_id=:user_id AND role_id=:role_id AND "
- "resource_id=:resource_id"),
- params)
diff --git a/tests/unit/auth/fixtures/resource_fixtures.py b/tests/unit/auth/fixtures/resource_fixtures.py
index 7f3c383..e06f64e 100644
--- a/tests/unit/auth/fixtures/resource_fixtures.py
+++ b/tests/unit/auth/fixtures/resource_fixtures.py
@@ -1,45 +1,65 @@
"""Fixtures and utilities for resource-related tests"""
+import uuid
+
import pytest
from gn_auth.auth.db import sqlite3 as db
+from gn_auth.auth.authorisation.resources import Resource, ResourceCategory
+
+
+SYSTEM_CATEGORY = ResourceCategory(
+ uuid.UUID("aa3d787f-af6a-44fa-9b0b-c82d40e54ad2"),
+ "system",
+ "The overall system.")
+SYSTEM_RESOURCE = Resource(
+ uuid.UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
+ "GeneNetwork System",
+ SYSTEM_CATEGORY,
+ True)
+
+TEST_RESOURCES = (
+ Resource(uuid.UUID("26ad1668-29f5-439d-b905-84d551f85955"),
+ "ResourceG01R01",
+ ResourceCategory(uuid.UUID("48056f84-a2a6-41ac-8319-0e1e212cba2a"),
+ "genotype", "Genotype Dataset"),
+ True),
+ Resource(uuid.UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"),
+ "ResourceG01R02",
+ ResourceCategory(uuid.UUID("548d684b-d4d1-46fb-a6d3-51a56b7da1b3"),
+ "phenotype", "Phenotype (Publish) Dataset"),
+ False),
+ Resource(uuid.UUID("e9a1184a-e8b4-49fb-b713-8d9cbeea5b83"),
+ "ResourceG01R03",
+ ResourceCategory(uuid.UUID("fad071a3-2fc8-40b8-992b-cdefe7dcac79"),
+ "mrna", "mRNA Dataset"),
+ False),
+ Resource(uuid.UUID("14496a1c-c234-49a2-978c-8859ea274054"),
+ "ResourceG02R01",
+ ResourceCategory(uuid.UUID("48056f84-a2a6-41ac-8319-0e1e212cba2a"),
+ "genotype", "Genotype Dataset"),
+ False),
+ Resource(uuid.UUID("04ad9e09-94ea-4390-8a02-11f92999806b"),
+ "ResourceG02R02",
+ ResourceCategory(uuid.UUID("fad071a3-2fc8-40b8-992b-cdefe7dcac79"),
+ "mrna", "mRNA Dataset"),
+ True))
+
+TEST_RESOURCES_PUBLIC = (SYSTEM_RESOURCE, TEST_RESOURCES[0], TEST_RESOURCES[4])
-from .group_fixtures import (
- TEST_RESOURCES,
- TEST_GROUP_01,
- TEST_GROUP_02,
- TEST_RESOURCES_GROUP_01,
- TEST_RESOURCES_GROUP_02)
@pytest.fixture(scope="function")
-def fxtr_resources(fxtr_group):# pylint: disable=[redefined-outer-name]
+def fxtr_resources(conn_after_auth_migrations):
"""fixture: setup test resources in the database"""
- conn, _group = fxtr_group
- ownership = tuple({
- "group_id": str(TEST_GROUP_01.group_id),
- "resource_id": str(res.resource_id)
- } for res in TEST_RESOURCES_GROUP_01) + tuple({
- "group_id": str(TEST_GROUP_02.group_id),
- "resource_id": str(res.resource_id)
- } for res in TEST_RESOURCES_GROUP_02)
-
+ conn = conn_after_auth_migrations
with db.cursor(conn) as cursor:
cursor.executemany(
"INSERT INTO resources VALUES (?,?,?,?)",
- ((str(res.resource_id), res.resource_name,
- str(res.resource_category.resource_category_id),
- 1 if res.public else 0) for res in TEST_RESOURCES))
- cursor.executemany(
- "INSERT INTO resource_ownership(group_id, resource_id) "
- "VALUES (:group_id, :resource_id)",
- ownership)
+ ((str(res.resource_id), res.resource_name,
+ str(res.resource_category.resource_category_id),
+ 1 if res.public else 0) for res in TEST_RESOURCES))
yield (conn, TEST_RESOURCES)
with db.cursor(conn) as cursor:
- cursor.executemany(
- "DELETE FROM resource_ownership "
- "WHERE group_id=:group_id AND resource_id=:resource_id",
- ownership)
cursor.executemany("DELETE FROM resources WHERE resource_id=?",
- ((str(res.resource_id),)
- for res in TEST_RESOURCES))
+ ((str(res.resource_id),) for res in TEST_RESOURCES))
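Review bot: `TEST_RESOURCES_PUBLIC = (SYSTEM_RESOURCE, TEST_RESOURCES[0], TEST_RESOURCES[4])` duplicates by index the `public` flag already set on each Resource (entries 0 and 4 are the only ones constructed with `True`), so the two can drift apart when a fixture resource is edited; deriving it, `TEST_RESOURCES_PUBLIC = (SYSTEM_RESOURCE,) + tuple(res for res in TEST_RESOURCES if res.public)`, keeps the tests' notion of "public" tied to what is inserted into the `resources` table. `SYSTEM_RESOURCE` is defined here but `fxtr_resources` does not insert it; presumably the migrations seed that row (`fxtr_system_roles` in role_fixtures.py looks it up by name), so a comment next to the definition saying so would save the next reader from wondering whether the missing insert is a bug. The repeated `ResourceCategory(...)` literals with the same UUIDs (`48056f84-…` and `fad071a3-…`) could be hoisted into named constants.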
diff --git a/tests/unit/auth/fixtures/role_fixtures.py b/tests/unit/auth/fixtures/role_fixtures.py
index ddcbba5..1858712 100644
--- a/tests/unit/auth/fixtures/role_fixtures.py
+++ b/tests/unit/auth/fixtures/role_fixtures.py
@@ -7,18 +7,41 @@ from gn_auth.auth.db import sqlite3 as db
from gn_auth.auth.authorisation.roles import Role
from gn_auth.auth.authorisation.privileges import Privilege
+from .user_fixtures import TEST_USERS
+from .resource_fixtures import SYSTEM_RESOURCE, TEST_RESOURCES_PUBLIC
+from .group_fixtures import (
+ TEST_GROUP_01,
+ TEST_RESOURCES_GROUP_01,
+ TEST_RESOURCES_GROUP_02)
+
+PUBLIC_VIEW_ROLE = Role(
+ uuid.UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ "public-view",
+ False,
+ (Privilege("group:resource:view-resource",
+ "view a resource and use it in computations"),))
+
RESOURCE_READER_ROLE = Role(
- uuid.UUID("c3ca2507-ee24-4835-9b31-8c21e1c072d3"), "resource_reader", True,
+ uuid.UUID("c3ca2507-ee24-4835-9b31-8c21e1c072d3"), "resource_reader",
+ True,
(Privilege("group:resource:view-resource",
"view a resource and use it in computations"),))
RESOURCE_EDITOR_ROLE = Role(
- uuid.UUID("89819f84-6346-488b-8955-86062e9eedb7"), "resource_editor", True,
+ uuid.UUID("89819f84-6346-488b-8955-86062e9eedb7"),
+ "resource_editor",
+ True,
(
Privilege("group:resource:view-resource",
"view a resource and use it in computations"),
Privilege("group:resource:edit-resource", "edit/update a resource")))
+CREATE_GROUP_ROLE = Role(
+ uuid.UUID("ade7e6b0-ba9c-4b51-87d0-2af7fe39a347"),
+ "group-creator",
+ False,
+ (Privilege("system:group:create-group", "Create a group"),))
+
TEST_ROLES = (RESOURCE_READER_ROLE, RESOURCE_EDITOR_ROLE)
@pytest.fixture(scope="function")
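Review bot: `PUBLIC_VIEW_ROLE` and `CREATE_GROUP_ROLE` are new Role objects with fixed UUIDs but are not added to `TEST_ROLES`, so `fxtr_roles` never inserts them; the `user_roles` rows that later reference their ids (in `fxtr_system_roles` and `fxtr_resource_user_roles`) therefore depend on the migrations having seeded rows with exactly these ids — the `ade7e6b0-…` id matches the `# group-creator` row the old user_fixtures.py referenced, which supports that reading, but nothing states it. Add a comment above each, e.g. `# Mirrors a migration-seeded role: id and privilege set must match the seeded row; not inserted by fxtr_roles`, or better verify it in the fixture with a `SELECT ... FROM roles WHERE role_id=?` and fail early with a clear message. Otherwise a privilege list edited here silently diverges from what the code under test actually grants, and the tests keep passing on the local copy.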
@@ -43,3 +66,145 @@ def fxtr_roles(conn_after_auth_migrations):
cursor.executemany(
("DELETE FROM roles WHERE role_id=?"),
((str(role.role_id),) for role in TEST_ROLES))
+
+
+@pytest.fixture(scope="function")
+def fxtr_resource_roles(fxtr_resources, fxtr_roles):# pylint: disable=[redefined-outer-name,unused-argument]
+ """Link roles to resources."""
+ resource_roles = ({
+ "resource_id": str(TEST_RESOURCES_GROUP_01[0].resource_id),
+ "role_created_by": "ecb52977-3004-469e-9428-2a1856725c7f",
+ "role_id": str(RESOURCE_EDITOR_ROLE.role_id)
+ },{
+ "resource_id": str(TEST_RESOURCES_GROUP_01[0].resource_id),
+ "role_created_by": "ecb52977-3004-469e-9428-2a1856725c7f",
+ "role_id": str(RESOURCE_READER_ROLE.role_id)
+ }, {
+ "resource_id": str(TEST_RESOURCES_GROUP_02[1].resource_id),
+ "role_created_by": "ecb52977-3004-469e-9428-2a1856725c7f",
+ "role_id": str(RESOURCE_EDITOR_ROLE.role_id)
+ },{
+ "resource_id": str(TEST_RESOURCES_GROUP_02[1].resource_id),
+ "role_created_by": "ecb52977-3004-469e-9428-2a1856725c7f",
+ "role_id": str(RESOURCE_READER_ROLE.role_id)
+ })
+
+ conn, resources = fxtr_resources
+ with db.cursor(conn) as cursor:
+ cursor.executemany(
+ "INSERT INTO resource_roles(resource_id, role_created_by, role_id) "
+ "VALUES (:resource_id, :role_created_by, :role_id)",
+ resource_roles)
+
+ yield conn, resources, resource_roles
+
+ with db.cursor(conn) as cursor:
+ cursor.executemany(
+ ("DELETE FROM resource_roles "
+ "WHERE resource_id=:resource_id "
+ "AND role_created_by=:role_created_by "
+ "AND role_id=:role_id"),
+ resource_roles)
+
+
+@pytest.fixture(scope="function")
+def fxtr_setup_group_leaders(fxtr_users):
+ """Define what roles users have that target resources of type 'Group'."""
+ conn, users = fxtr_users
+ with db.cursor(conn) as cursor:
+ cursor.execute("SELECT * FROM group_resources")
+ g01res_id = {
+ row["group_id"]: row["resource_id"]
+ for row in cursor.fetchall()
+ }[str(TEST_GROUP_01.group_id)]
+ test_user_roles = ({
+ "user_id": "ecb52977-3004-469e-9428-2a1856725c7f",
+ "role_id": "a0e67630-d502-4b9f-b23f-6805d0f30e30",# group-leader
+ "resource_id": g01res_id
+ },)
+ cursor.executemany(
+ "INSERT INTO user_roles(user_id, role_id, resource_id) "
+ "VALUES (:user_id, :role_id, :resource_id)",
+ test_user_roles)
+
+ yield conn, users
+
+ with db.cursor(conn) as cursor:
+ cursor.executemany(
+ "DELETE FROM user_roles WHERE user_id=:user_id "
+ "AND role_id=:role_id AND resource_id=:resource_id",
+ test_user_roles)
+
+
+@pytest.fixture(scope="function")
+def fxtr_system_roles(fxtr_users):
+ """Define what roles users have that target resources of type 'Group'."""
+ conn, users = fxtr_users
+ with db.cursor(conn) as cursor:
+ cursor.execute("SELECT * FROM resources WHERE resource_name='GeneNetwork System'")
+ sysres_id = cursor.fetchone()["resource_id"]
+ test_user_roles = tuple({
+ "user_id": str(user.user_id),
+ "role_id": str(PUBLIC_VIEW_ROLE.role_id),
+ "resource_id": sysres_id
+ } for user in TEST_USERS)
+ cursor.executemany(
+ "INSERT INTO user_roles(user_id, role_id, resource_id) "
+ "VALUES (:user_id, :role_id, :resource_id)",
+ test_user_roles)
+
+ yield conn, users
+
+ with db.cursor(conn) as cursor:
+ cursor.executemany(
+ "DELETE FROM user_roles WHERE user_id=:user_id "
+ "AND role_id=:role_id AND resource_id=:resource_id",
+ test_user_roles)
+
+
+@pytest.fixture(scope="function")
+def fxtr_resource_user_roles(# pylint: disable=[too-many-arguments, too-many-locals]
+ fxtr_resources,
+ fxtr_users_in_group,
+ fxtr_resource_ownership,
+ fxtr_resource_roles,
+ fxtr_setup_group_leaders,
+ fxtr_system_roles
+):#pylint: disable=[redefined-outer-name,unused-argument]
+ """Assign roles to users."""
+ _conn, group_resources = fxtr_resources
+ _conn, _resources, _groups, group_resources = fxtr_resource_ownership
+ _conn, _group, group_users = fxtr_users_in_group
+ conn, _groups, resource_roles = fxtr_resource_roles
+
+ users_roles_resources = (
+ # Give access to group leader to all resources in their group
+ tuple((TEST_USERS[0], RESOURCE_EDITOR_ROLE, resource)
+ for resource in TEST_RESOURCES_GROUP_01)
+ # Set group member as resource editor
+ + ((TEST_USERS[1], RESOURCE_EDITOR_ROLE, TEST_RESOURCES_GROUP_01[1]),)
+ # Set group-creator role on the unaffiliated user
+ + ((TEST_USERS[3], CREATE_GROUP_ROLE, SYSTEM_RESOURCE),)
+ # Set roles for public resources
+ + tuple(
+ (user, PUBLIC_VIEW_ROLE, resource)
+ for user in TEST_USERS for resource in TEST_RESOURCES_PUBLIC[1:]))
+ with db.cursor(conn) as cursor:
+ params = tuple({
+ "user_id": str(user.user_id),
+ "role_id": str(role.role_id),
+ "resource_id": str(resource.resource_id)
+ } for user, role, resource in users_roles_resources)
+ cursor.executemany(
+ ("INSERT INTO user_roles "
+ "VALUES (:user_id, :role_id, :resource_id)"),
+ params)
+
+ yield conn, group_users, resource_roles, group_resources
+
+ with db.cursor(conn) as cursor:
+ cursor.executemany(
+ ("DELETE FROM user_roles WHERE "
+ "user_id=:user_id AND role_id=:role_id AND "
+ "resource_id=:resource_id"),
+ params)
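Review bot: In `fxtr_resource_user_roles` the unpack `_conn, group_resources = fxtr_resources` is immediately overwritten by `_conn, _resources, _groups, group_resources = fxtr_resource_ownership`, so the name the fixture yields as its fourth element holds the ownership mapping dicts rather than Resource objects, and `_groups` is rebound again from `fxtr_resource_roles`, whose second element is the resources tuple. Drop the dead first unpack and name the value for what it is: `_conn, _resources, _groups, ownership = fxtr_resource_ownership` and `yield conn, group_users, resource_roles, ownership`. The docstring of `fxtr_system_roles` is a copy of `fxtr_setup_group_leaders`'s ("target resources of type 'Group'") but the fixture grants `PUBLIC_VIEW_ROLE` on the system resource to every test user; `"""Grant every test user the public-view role on the 'GeneNetwork System' resource."""` describes it. In that same fixture `cursor.fetchone()["resource_id"]` raises a bare TypeError if the system resource row is missing, so an explicit assertion with a message would make that failure readable. The `"role_created_by"` literal repeated four times in `fxtr_resource_roles` is `TEST_USERS[0].user_id` and could be spelled that way.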
diff --git a/tests/unit/auth/fixtures/user_fixtures.py b/tests/unit/auth/fixtures/user_fixtures.py
index b88d78a..1cf0e20 100644
--- a/tests/unit/auth/fixtures/user_fixtures.py
+++ b/tests/unit/auth/fixtures/user_fixtures.py
@@ -6,8 +6,6 @@ import pytest
from gn_auth.auth.db import sqlite3 as db
from gn_auth.auth.authentication.users import User, hash_password
-from .group_fixtures import TEST_GROUP_01
-
TEST_USERS = (
User(uuid.UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "group@lead.er",
"Group Leader"),
@@ -25,29 +23,6 @@ def fxtr_users(conn_after_auth_migrations, fxtr_group):# pylint: disable=[redefi
with db.cursor(conn_after_auth_migrations) as cursor:
cursor.executemany(query, (
(str(user.user_id), user.email, user.name) for user in TEST_USERS))
- # setup user roles
- cursor.execute("SELECT * FROM group_resources")
- g01res_id = {
- row["group_id"]: row["resource_id"]
- for row in cursor.fetchall()
- }[str(TEST_GROUP_01.group_id)]
- cursor.execute("SELECT * FROM resources WHERE resource_name='GeneNetwork System'")
- sysres_id = cursor.fetchone()["resource_id"]
- test_user_roles = (
- {
- "user_id": "ecb52977-3004-469e-9428-2a1856725c7f",
- "role_id": "a0e67630-d502-4b9f-b23f-6805d0f30e30",# group-leader
- "resource_id": g01res_id
- },
- {
- "user_id": "ecb52977-3004-469e-9428-2a1856725c7f",
- "role_id": "ade7e6b0-ba9c-4b51-87d0-2af7fe39a347",# group-creator
- "resource_id": sysres_id
- })
- cursor.executemany(
- "INSERT INTO user_roles(user_id, role_id, resource_id) "
- "VALUES (:user_id, :role_id, :resource_id)",
- test_user_roles)
yield (conn_after_auth_migrations, TEST_USERS)
diff --git a/tests/unit/auth/test_groups.py b/tests/unit/auth/test_groups.py
index c9d8b19..16df56e 100644
--- a/tests/unit/auth/test_groups.py
+++ b/tests/unit/auth/test_groups.py
@@ -6,11 +6,9 @@ from pymonad.maybe import Nothing
from gn_auth.auth.db import sqlite3 as db
from gn_auth.auth.errors import AuthorisationError
-from gn_auth.auth.authentication.users import User
-from gn_auth.auth.authorisation.roles import Role
from gn_auth.auth.authorisation.privileges import Privilege
from gn_auth.auth.authorisation.resources.groups.models import (
- Group, GroupRole, user_group, create_group, create_group_role)
+ Group, user_group, create_group, create_group_role)
from tests.unit.auth import conftest
@@ -28,40 +26,96 @@ PRIVILEGES = (
Privilege("group:resource:edit-resource", "edit/update a resource"))
@pytest.mark.unit_test
+@pytest.mark.parametrize("user", tuple(conftest.TEST_USERS[0:3]))
+def test_create_group_fails(# pylint: disable=[too-many-arguments]
+ fxtr_app, auth_testdb_path, mocker, fxtr_resource_user_roles, fxtr_oauth2_clients, user):# pylint: disable=[unused-argument]
+ """
+ GIVEN: an authenticated user
+ WHEN: the user attempts to create a group
+ THEN: verify they are only able to create the group if they have the
+ appropriate privileges
+ """
+ _conn, clients = fxtr_oauth2_clients
+ mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
+ with db.connection(auth_testdb_path) as conn:
+ with pytest.raises(AuthorisationError):
+ create_group(conn, "a_test_group", user, "A test group")
+
+
+def __cleanup_create_group__(conn, user, group):
+ """Cleanup creating a group..."""
+ # cleanup: This should probably go into a 'delete_group(…) function'
+ with db.cursor(conn) as cursor:
+ cursor.execute("DELETE FROM group_users WHERE group_id=? AND user_id=?",
+ (str(group.group_id), str(user.user_id)))
+ cursor.execute("SELECT * FROM group_resources WHERE group_id=?",
+ (str(group.group_id),))
+ grp_rsc = cursor.fetchone()
+ cursor.execute(
+ "DELETE FROM user_roles WHERE user_id=? AND resource_id=?",
+ (str(user.user_id), str(grp_rsc["resource_id"])))
+ cursor.execute("DELETE FROM group_resources WHERE group_id=?",
+ (str(group.group_id),))
+ cursor.execute("DELETE FROM groups WHERE group_id=?",
+ (str(group.group_id),))
+
+
+@pytest.mark.unit_test
@pytest.mark.parametrize(
- "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
- Group(
- UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group",
- {"group_description": "A test group"}),
- create_group_failure, create_group_failure, create_group_failure,
- create_group_failure))))
-def test_create_group(# pylint: disable=[too-many-arguments]
- fxtr_app, auth_testdb_path, mocker, fxtr_users, user, expected):# pylint: disable=[unused-argument]
+ "user,expected",
+ ((conftest.TEST_USERS[3], Group(
+ UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group",
+ {"group_description": "A test group"})),))
+def test_create_group_succeeds(# pylint: disable=[too-many-arguments, unused-argument]
+ fxtr_app,
+ auth_testdb_path,
+ mocker,
+ fxtr_resource_user_roles,
+ fxtr_oauth2_clients,
+ user,
+ expected
+):
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a group
THEN: verify they are only able to create the group if they have the
appropriate privileges
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
with db.connection(auth_testdb_path) as conn:
- assert create_group(
- conn, "a_test_group", user, "A test group") == expected
+ created_group = create_group(
+ conn, "a_test_group", user, "A test group")
+ assert created_group == expected
+ __cleanup_create_group__(conn, user, created_group)
+
@pytest.mark.unit_test
@pytest.mark.parametrize("user", conftest.TEST_USERS[1:])
def test_create_group_raises_exception_with_non_privileged_user(# pylint: disable=[too-many-arguments]
- fxtr_app, auth_testdb_path, mocker, fxtr_users, user):# pylint: disable=[unused-argument]
+ fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients, user):# pylint: disable=[unused-argument]
"""
GIVEN: an authenticated user, without appropriate privileges
WHEN: the user attempts to create a group
THEN: verify the system raises an exception
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
with db.connection(auth_testdb_path) as conn:
with pytest.raises(AuthorisationError):
assert create_group(conn, "a_test_group", user, "A test group")
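Review bot: The lookup `tuple(client for client in clients if client.user == user)[0]` is repeated in every patched test in this hunk (`test_create_group_fails`, `test_create_group_succeeds`, `test_create_group_raises_exception_with_non_privileged_user`), again in the later hunks of this file and in test_resources.py, and when no client is registered for `user` it fails with an `IndexError: tuple index out of range` that says nothing about the cause. A conftest helper, `def client_for(clients, user): return next(c for c in clients if c.user == user)` — ideally one that raises with the user's email — removes the duplication and gives a readable failure. The docstring of `test_create_group_fails` still says "verify they are only able to create the group if they have the appropriate privileges" although the test asserts only the `AuthorisationError`; `THEN: verify an AuthorisationError is raised because the user lacks the group-creator privilege` matches what it checks. `__cleanup_create_group__` indexes `grp_rsc["resource_id"]` without checking that `fetchone()` returned a row; here `create_group` presumably inserts that row, so this only bites if the helper is reused elsewhere.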
@@ -71,58 +125,34 @@ create_role_failure = {
"message": "Unauthorised: Could not create the group role"
}
-@pytest.mark.unit_test
-@pytest.mark.parametrize(
- "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
- GroupRole(
- UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
- GROUP,
- Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
- "ResourceEditor", True, PRIVILEGES)),))))
-def test_create_group_role(mocker, fxtr_users_in_group, user, expected):
- """
- GIVEN: an authenticated user
- WHEN: the user attempts to create a role, attached to a group
- THEN: verify they are only able to create the role if they have the
- appropriate privileges and that the role is attached to the given group
- """
- mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
- conn, _group, _users = fxtr_users_in_group
- with db.cursor(conn) as cursor:
- assert create_group_role(
- conn, GROUP, "ResourceEditor", PRIVILEGES) == expected
- # cleanup
- cursor.execute(
- ("DELETE FROM group_roles "
- "WHERE group_role_id=? AND group_id=? AND role_id=?"),
- (str(conftest.uuid_fn()), str(GROUP.group_id), str(conftest.uuid_fn())))
@pytest.mark.unit_test
@pytest.mark.parametrize(
"user,expected", tuple(zip(conftest.TEST_USERS[1:], (
create_role_failure, create_role_failure, create_role_failure))))
def test_create_group_role_raises_exception_with_unauthorised_users(
- mocker, fxtr_users_in_group, user, expected):
+ mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a role, attached to a group
THEN: verify they are only able to create the role if they have the
appropriate privileges and that the role is attached to the given group
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
conn, _group, _users = fxtr_users_in_group
with pytest.raises(AuthorisationError):
assert create_group_role(
conn, GROUP, "ResourceEditor", PRIVILEGES) == expected
@pytest.mark.unit_test
-def test_create_multiple_groups(mocker, fxtr_users):
+def test_create_multiple_groups(mocker, fxtr_resource_user_roles, fxtr_oauth2_clients):
"""
GIVEN: An authenticated user with appropriate authorisation
WHEN: The user attempts to create a new group, while being a member of an
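Review bot: Deleting `test_create_group_role` leaves `create_group_role` with no success-path test in this file; it is still imported and exercised only through `test_create_group_role_raises_exception_with_unauthorised_users`, whose `assert create_group_role(...) == expected` sits inside `pytest.raises(AuthorisationError)` so the comparison never runs and `expected` is effectively unused. Unless test_roles.py (changed in this commit but not shown here) now covers the privileged case, a test that a suitably privileged user can create a group role should replace the deleted one; in the failure test, a bare `create_group_role(conn, GROUP, "ResourceEditor", PRIVILEGES)` inside the `raises` block states the intent more honestly. The rewritten signature of `test_create_multiple_groups` continues past the end of this hunk.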
@@ -130,21 +160,26 @@ def test_create_multiple_groups(mocker, fxtr_users):
THEN: The system should prevent that, and respond with an appropriate error
message
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
- user = User(
- UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "group@lead.er",
- "Group Leader")
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
- conn, _test_users = fxtr_users
+ user = conftest.TEST_USERS[3]
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
+ conn, *_test_users = fxtr_resource_user_roles
# First time, successfully creates the group
- assert create_group(conn, "a_test_group", user) == Group(
+ created_group = create_group(conn, "a_test_group", user)
+ assert created_group == Group(
UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group",
{})
# subsequent attempts should fail
with pytest.raises(AuthorisationError):
create_group(conn, "another_test_group", user)
+ __cleanup_create_group__(conn, user, created_group)
+
@pytest.mark.unit_test
@pytest.mark.parametrize(
"user,expected",
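Review bot: `__cleanup_create_group__(conn, user, created_group)` runs only after the `pytest.raises` block succeeds, so if the second `create_group` unexpectedly succeeds (or the equality assertion above fails) the first group stays in the migrated test database and can change the outcome of later tests sharing `conn_after_auth_migrations`; the same ordering appears in `test_create_group_succeeds` earlier in this file. Wrapping the assertions in `try: ... finally: __cleanup_create_group__(conn, user, created_group)`, or moving the cleanup into a fixture finalizer, keeps one failure from cascading. `user = conftest.TEST_USERS[3]` relies on `fxtr_resource_user_roles` having granted that user `CREATE_GROUP_ROLE`; a trailing comment, `# unaffiliated user; fxtr_resource_user_roles grants it the group-creator role`, explains why index 3 rather than the group leader.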
diff --git a/tests/unit/auth/test_privileges.py b/tests/unit/auth/test_privileges.py
index 0b5f120..619ccc1 100644
--- a/tests/unit/auth/test_privileges.py
+++ b/tests/unit/auth/test_privileges.py
@@ -11,8 +11,7 @@ def sort_key_privileges(priv):
return priv.privilege_id
PRIVILEGES = sorted(
- (Privilege("system:group:create-group", "Create a group"),
- Privilege("system:group:view-group", "View the details of a group"),
+ (Privilege("system:group:view-group", "View the details of a group"),
Privilege("system:group:edit-group", "Edit the details of a group"),
Privilege("system:user:list", "List users in the system"),
Privilege("system:group:delete-group", "Delete a group"),
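Review bot: `PRIVILEGES` is a hand-maintained copy of the privilege set expected for `conftest.TEST_USERS[0]`, and this hunk together with the next one (the `group:role:*` and `group:user:assign-role` removals) narrows it without anything on the page showing the corresponding change in the seeded group-leader role, so a reader cannot tell whether the test now documents a real reduction in what a group leader may do or was adjusted until it passed. A comment above the tuple naming the authoritative source (the migration or role definition behind role id `a0e67630-…` that `fxtr_setup_group_leaders` inserts) and stating that the expected set deliberately excludes `system:group:create-group`, which the fixtures now grant only to the unaffiliated user, would make the intent reviewable. In the next hunk `test_user_privileges` keeps `(PRIVILEGES, [], [], [], [])` for the five users; with `fxtr_setup_group_leaders` alone (no `fxtr_system_roles`) the empty expectations hold only because no public-view roles are set up there, which is worth stating in its docstring.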
@@ -25,19 +24,14 @@ PRIVILEGES = sorted(
Privilege("group:resource:view-resource",
"view a resource and use it in computations"),
Privilege("group:resource:edit-resource", "edit/update a resource"),
- Privilege("group:resource:delete-resource", "Delete a resource"),
-
- Privilege("group:role:create-role", "Create a new role"),
- Privilege("group:role:edit-role", "edit/update an existing role"),
- Privilege("group:user:assign-role", "Assign a role to an existing user"),
- Privilege("group:role:delete-role", "Delete an existing role")),
+ Privilege("group:resource:delete-resource", "Delete a resource")),
key=sort_key_privileges)
@pytest.mark.unit_test
@pytest.mark.parametrize(
"user,expected", tuple(zip(
conftest.TEST_USERS, (PRIVILEGES, [], [], [], []))))
-def test_user_privileges(auth_testdb_path, fxtr_users, user, expected):# pylint: disable=[unused-argument]
+def test_user_privileges(auth_testdb_path, fxtr_setup_group_leaders, user, expected):# pylint: disable=[unused-argument]
"""
GIVEN: A user
WHEN: An attempt is made to fetch the user's privileges
diff --git a/tests/unit/auth/test_resources.py b/tests/unit/auth/test_resources.py
index 85641be..9b45b68 100644
--- a/tests/unit/auth/test_resources.py
+++ b/tests/unit/auth/test_resources.py
@@ -30,11 +30,22 @@ create_resource_failure = {
(Resource(
uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
"test_resource", resource_category, False),))))
-def test_create_resource(mocker, fxtr_users_in_group, user, expected):
+def test_create_resource(# pylint: disable=[too-many-arguments, unused-argument]
+ mocker,
+ fxtr_users_in_group,
+ fxtr_resource_user_roles,
+ fxtr_oauth2_clients,
+ user,
+ expected
+):
"""Test that resource creation works as expected."""
mocker.patch("gn_auth.auth.authorisation.resources.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ _conn, clients = fxtr_oauth2_clients
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
conn, _group, _users = fxtr_users_in_group
resource = create_resource(
conn, "test_resource", resource_category, user, False)
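Review bot: `tuple(client for client in clients if client.user == user)[0]` fails with a bare IndexError when the fixture has no client for the parametrised user, which reads as a broken test rather than a missing fixture row. Selecting the client first and asserting on it gives a diagnosable failure: `matching = [client for client in clients if client.user == user]`, `assert matching, f"no oauth2 client registered for {user}"`, then `conftest.get_tokeniser(user, matching[0])`. The same lookup is repeated verbatim in the next hunk of this file (test_create_resource_raises_for_unauthorised_users), twice in the new tests/unit/auth/test_resources_roles.py and once in tests/unit/auth/test_roles.py, so a small conftest helper such as `client_for_user(clients, user)` would remove six copies and keep the failure message in one place. The body of test_create_resource continues past this hunk.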
@@ -49,9 +60,6 @@ def test_create_resource(mocker, fxtr_users_in_group, user, expected):
"DELETE FROM resource_ownership WHERE resource_id=?",
(str(resource.resource_id),))
cursor.execute(
- "DELETE FROM group_roles WHERE group_id=?",
- (str(group.group_id),))
- cursor.execute(
"DELETE FROM resources WHERE resource_id=?",
(str(resource.resource_id),))
@@ -63,11 +71,15 @@ def test_create_resource(mocker, fxtr_users_in_group, user, expected):
(create_resource_failure, create_resource_failure,
create_resource_failure))))
def test_create_resource_raises_for_unauthorised_users(
- mocker, fxtr_users_in_group, user, expected):
+ mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
"""Test that resource creation works as expected."""
mocker.patch("gn_auth.auth.authorisation.resources.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ _conn, clients = fxtr_oauth2_clients
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
conn, _group, _users = fxtr_users_in_group
with pytest.raises(AuthorisationError):
assert create_resource(
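Review bot: The docstring of test_create_resource_raises_for_unauthorised_users still reads `"""Test that resource creation works as expected."""`, copied from the success-path test above, although this test's only assertion is that AuthorisationError is raised. Suggest `"""Test that resource creation raises AuthorisationError for users without the create-resource privilege."""` so the negative case is recognisable in a failure report. The `assert create_resource(` inside `pytest.raises` (the call continues past the hunk) also adds nothing, since `pytest.raises` already fails when the call returns; a plain call would make the intent clearer, though that line is pre-existing context.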
@@ -109,13 +121,13 @@ def test_public_resources(fxtr_resources):
,
key=sort_key_resources),
PUBLIC_RESOURCES, PUBLIC_RESOURCES))))
-def test_user_resources(fxtr_group_user_roles, user, expected):
+def test_user_resources(fxtr_resource_user_roles, user, expected):
"""
GIVEN: some resources in the database
WHEN: a particular user's resources are requested
THEN: list only the resources for which the user can access
"""
- conn, *_others = fxtr_group_user_roles
+ conn, *_others = fxtr_resource_user_roles
assert sorted(
{res.resource_id: res for res in user_resources(conn, user)
}.values(), key=sort_key_resources) == expected
diff --git a/tests/unit/auth/test_resources_roles.py b/tests/unit/auth/test_resources_roles.py
new file mode 100644
index 0000000..39a198f
--- /dev/null
+++ b/tests/unit/auth/test_resources_roles.py
@@ -0,0 +1,90 @@
+"""Tests for roles for a specific resource."""
+from uuid import UUID
+
+import pytest
+
+from gn_auth.auth.db import sqlite3 as db
+from gn_auth.auth.authorisation.privileges import Privilege
+from gn_auth.auth.authorisation.roles.models import Role, create_role
+from gn_auth.auth.authorisation.resources.groups.models import (
+ GroupRole,
+ create_group_role)
+
+from tests.unit.auth import conftest
+
+
+GROUP = conftest.TEST_GROUP_01
+PRIVILEGES = (
+ Privilege("group:resource:view-resource",
+ "view a resource and use it in computations"),
+ Privilege("group:resource:edit-resource", "edit/update a resource"))
+
+
+@pytest.mark.skip("Keep as placeholder until we implement test for creating "
+ "a resource role.")
+@pytest.mark.unit_test
+@pytest.mark.parametrize(
+ "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
+ GroupRole(
+ UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
+ GROUP,
+ Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
+ "ResourceEditor", True, PRIVILEGES)),))))
+def test_create_group_role(mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
+ """
+ GIVEN: an authenticated user
+ WHEN: the user attempts to create a role, attached to a group
+ THEN: verify they are only able to create the role if they have the
+ appropriate privileges and that the role is attached to the given group
+ """
+ _conn, clients = fxtr_oauth2_clients
+ mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
+ mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
+ conn, _group, _users = fxtr_users_in_group
+ with db.cursor(conn) as cursor:
+ assert create_group_role(
+ conn, GROUP, "ResourceEditor", PRIVILEGES) == expected
+ # cleanup
+ cursor.execute(
+ ("DELETE FROM group_roles "
+ "WHERE group_role_id=? AND group_id=? AND role_id=?"),
+ (str(conftest.uuid_fn()), str(GROUP.group_id), str(conftest.uuid_fn())))
+
+
+@pytest.mark.skip(
+ "This needs to be replaced by tests for creation of resource roles.")
+@pytest.mark.unit_test
+@pytest.mark.parametrize(
+ "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
+ Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_role",
+ True, PRIVILEGES),))))
+def test_create_role(# pylint: disable=[too-many-arguments, unused-argument]
+ fxtr_app,
+ auth_testdb_path,
+ mocker,
+ fxtr_users,
+ fxtr_oauth2_clients,
+ user,
+ expected
+):
+ """
+ GIVEN: an authenticated user
+ WHEN: the user attempts to create a role
+ THEN: verify they are only able to create the role if they have the
+ appropriate privileges
+ """
+ _conn, clients = fxtr_oauth2_clients
+ mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
+ with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
+ the_role = create_role(cursor, "a_test_role", PRIVILEGES)
+ assert the_role == expected
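Review bot: In test_create_group_role the cleanup `DELETE FROM group_roles` runs only after the `assert create_group_role(...) == expected` succeeds, so a failing assertion leaves the freshly created row in the test database where it can change the outcome of later role tests. Wrapping the assertion in `try:` and moving the `cursor.execute(...)` cleanup into a matching `finally:` block (or having a fixture own the teardown) makes the cleanup unconditional. Both tests in this new file are marked `@pytest.mark.skip`, so none of the mocking or cleanup here is exercised yet; a `TODO` in the skip reasons naming the resource-role API they should be replaced with would help whoever picks this up. `fxtr_app` in test_create_role is requested but never used, which the pylint disable currently hides.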
diff --git a/tests/unit/auth/test_roles.py b/tests/unit/auth/test_roles.py
index 00148a0..251defb 100644
--- a/tests/unit/auth/test_roles.py
+++ b/tests/unit/auth/test_roles.py
@@ -1,5 +1,5 @@
"""Test functions dealing with group management."""
-import uuid
+from uuid import UUID
import pytest
@@ -21,136 +21,284 @@ PRIVILEGES = (
"view a resource and use it in computations"),
Privilege("group:resource:edit-resource", "edit/update a resource"))
-@pytest.mark.unit_test
-@pytest.mark.parametrize(
- "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
- Role(uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_role",
- True, PRIVILEGES),))))
-def test_create_role(# pylint: disable=[too-many-arguments]
- fxtr_app, auth_testdb_path, mocker, fxtr_users, user, expected):# pylint: disable=[unused-argument]
- """
- GIVEN: an authenticated user
- WHEN: the user attempts to create a role
- THEN: verify they are only able to create the role if they have the
- appropriate privileges
- """
- mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
- with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
- the_role = create_role(cursor, "a_test_role", PRIVILEGES)
- assert the_role == expected
@pytest.mark.unit_test
@pytest.mark.parametrize(
"user,expected", tuple(zip(conftest.TEST_USERS[1:], (
create_role_failure, create_role_failure, create_role_failure))))
-def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments]
- fxtr_app, auth_testdb_path, mocker, fxtr_users, user, expected):# pylint: disable=[unused-argument]
+def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments, unused-argument]
+ fxtr_app,
+ auth_testdb_path,
+ mocker,
+ fxtr_users,
+ fxtr_oauth2_clients,
+ user,
+ expected
+):
"""
GIVEN: an authenticated user
WHEN: the user attempts to create a role
THEN: verify they are only able to create the role if they have the
appropriate privileges
"""
+ _conn, clients = fxtr_oauth2_clients
mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
- mocker.patch("gn_auth.auth.authorisation.checks.require_oauth.acquire",
- conftest.get_tokeniser(user))
+ mocker.patch(
+ "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+ conftest.get_tokeniser(
+ user,
+ tuple(client for client in clients if client.user == user)[0]))
with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
with pytest.raises(AuthorisationError):
create_role(cursor, "a_test_role", PRIVILEGES)
+
+# This might still be incomplete, especially regarding resource roles.
@pytest.mark.unit_test
@pytest.mark.parametrize(
"user,expected",
(zip(TEST_USERS,
- (({"resource_id": uuid.UUID("38d1807d-105f-44a7-8327-7e2d973b6d8d"),
- "user_id": uuid.UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+ (({"resource_id": UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"),
+ "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
"roles": (Role(
- role_id=uuid.UUID('a0e67630-d502-4b9f-b23f-6805d0f30e30'),
- role_name='group-leader', user_editable=False,
+ role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"),
+ role_name="resource_editor",
+ user_editable=True,
privileges=(
Privilege(
- privilege_id='group:resource:create-resource',
- privilege_description='Create a resource object'),
+ privilege_id="group:resource:edit-resource",
+ privilege_description="edit/update a resource"),
Privilege(
- privilege_id='group:resource:delete-resource',
- privilege_description='Delete a resource'),
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"))),)},
+ {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"),
+ "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+ "roles": (
+ Role(
+ role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"),
+ role_name="resource_editor",
+ user_editable=True,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:edit-resource",
+ privilege_description="edit/update a resource"),
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"))),
+ Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description=(
+ "view a resource and use it in computations")),)))},
+ {"resource_id": UUID("e9a1184a-e8b4-49fb-b713-8d9cbeea5b83"),
+ "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+ "roles": (Role(
+ role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"),
+ role_name="resource_editor",
+ user_editable=True,
+ privileges=(
Privilege(
- privilege_id='group:resource:edit-resource',
- privilege_description='edit/update a resource'),
+ privilege_id="group:resource:edit-resource",
+ privilege_description="edit/update a resource"),
Privilege(
- privilege_id='group:resource:view-resource',
- privilege_description=(
- 'view a resource and use it in computations')),
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"))),)},
+ {"resource_id": UUID("38d1807d-105f-44a7-8327-7e2d973b6d8d"),
+ "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+ "roles": (Role(
+ role_id=UUID("a0e67630-d502-4b9f-b23f-6805d0f30e30"),
+ role_name="group-leader",
+ user_editable=False,
+ privileges=(
Privilege(
- privilege_id='group:role:create-role',
- privilege_description='Create a new role'),
+ privilege_id="group:resource:create-resource",
+ privilege_description="Create a resource object"),
Privilege(
- privilege_id='group:role:delete-role',
- privilege_description='Delete an existing role'),
+ privilege_id="group:resource:delete-resource",
+ privilege_description="Delete a resource"),
Privilege(
- privilege_id='group:role:edit-role',
- privilege_description='edit/update an existing role'),
+ privilege_id="group:resource:edit-resource",
+ privilege_description="edit/update a resource"),
Privilege(
- privilege_id='group:user:add-group-member',
- privilege_description='Add a user to a group'),
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),
Privilege(
- privilege_id='group:user:assign-role',
- privilege_description=(
- 'Assign a role to an existing user')),
+ privilege_id="group:user:add-group-member",
+ privilege_description="Add a user to a group"),
Privilege(
- privilege_id='group:user:remove-group-member',
- privilege_description='Remove a user from a group'),
+ privilege_id="group:user:remove-group-member",
+ privilege_description="Remove a user from a group"),
Privilege(
- privilege_id='system:group:delete-group',
- privilege_description='Delete a group'),
+ privilege_id="system:group:delete-group",
+ privilege_description="Delete a group"),
Privilege(
- privilege_id='system:group:edit-group',
- privilege_description='Edit the details of a group'),
+ privilege_id="system:group:edit-group",
+ privilege_description="Edit the details of a group"),
Privilege(
- privilege_id='system:group:transfer-group-leader',
+ privilege_id="system:group:transfer-group-leader",
privilege_description=(
- 'Transfer leadership of the group to some other '
- 'member')),
+ "Transfer leadership of the group to some other member")),
Privilege(
- privilege_id='system:group:view-group',
- privilege_description='View the details of a group'),
+ privilege_id="system:group:view-group",
+ privilege_description="View the details of a group"),
Privilege(
- privilege_id='system:user:list',
- privilege_description='List users in the system'))),)
- },
- {
- "resource_id": uuid.UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
- "user_id": uuid.UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
- "roles": (Role(
- role_id=uuid.UUID("ade7e6b0-ba9c-4b51-87d0-2af7fe39a347"),
- role_name="group-creator",
- user_editable=False,
- privileges=(
- Privilege(
- privilege_id="system:group:create-group",
- privilege_description="Create a group"),)),)}),
- ({"resource_id": uuid.UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"),
- "user_id": uuid.UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
+ privilege_id="system:user:list",
+ privilege_description="List users in the system"))),)},
+ {"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
+ "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+ "roles": (Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),)),)},
+ {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"),
+ "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
+ "roles": (Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),)),)}),
+ ({"resource_id": UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"),
+ "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
"roles": (Role(
- role_id=uuid.UUID('89819f84-6346-488b-8955-86062e9eedb7'),
- role_name='resource_editor',
+ role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"),
+ role_name="resource_editor",
user_editable=True,
privileges=(
Privilege(
- privilege_id='group:resource:edit-resource',
- privilege_description='edit/update a resource'),
+ privilege_id="group:resource:edit-resource",
+ privilege_description="edit/update a resource"),
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"))),)
+ },
+ {"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
+ "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
+ "roles": (Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),)),)
+ },
+ {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"),
+ "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
+ "roles": (Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
Privilege(
- privilege_id='group:resource:view-resource',
- privilege_description='view a resource and use it in computations'))),)},),
- tuple(),
- tuple()))))
-def test_user_roles(fxtr_group_user_roles, user, expected):
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),)),)
+ },
+ {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"),
+ "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
+ "roles": (Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),)),)
+ }),
+ ({"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
+ "user_id": UUID("ae9c6245-0966-41a5-9a5e-20885a96bea7"),
+ "roles": (Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),)),)
+ },
+ {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"),
+ "user_id": UUID("ae9c6245-0966-41a5-9a5e-20885a96bea7"),
+ "roles": (Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),)),)
+ },
+ {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"),
+ "user_id": UUID("ae9c6245-0966-41a5-9a5e-20885a96bea7"),
+ "roles": (Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),)),)
+ }),
+ ({"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
+ "user_id": UUID("9a0c7ce5-2f40-4e78-979e-bf3527a59579"),
+ "roles": (
+ Role(
+ role_id=UUID("ade7e6b0-ba9c-4b51-87d0-2af7fe39a347"),
+ role_name="group-creator",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="system:group:create-group",
+ privilege_description="Create a group"),)),
+ Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),)))
+ },
+ {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"),
+ "user_id": UUID("9a0c7ce5-2f40-4e78-979e-bf3527a59579"),
+ "roles": (Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description="view a resource and use it in computations"),)),)
+ },
+ {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"),
+ "user_id": UUID("9a0c7ce5-2f40-4e78-979e-bf3527a59579"),
+ "roles": (Role(
+ role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"),
+ role_name="public-view",
+ user_editable=False,
+ privileges=(
+ Privilege(
+ privilege_id="group:resource:view-resource",
+ privilege_description=(
+ "view a resource and use it in computations")),)),)})))))
+def test_user_roles(
+ fxtr_resource_user_roles,
+ user,
+ expected
+):
"""
GIVEN: an authenticated user
WHEN: we request the user's privileges
THEN: return **ALL** the privileges attached to the user
"""
- conn, *_others = fxtr_group_user_roles
+ conn, *_others = fxtr_resource_user_roles
assert user_roles(conn, user) == expected
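Review bot: The docstring of test_user_roles says `WHEN: we request the user's privileges` / `THEN: return **ALL** the privileges attached to the user`, but the test calls `user_roles(conn, user)` and compares per-resource role records, not privileges; suggest `WHEN: we request the user's roles` and `THEN: return every role the user holds, grouped by the resource it applies to`. The new comment `# This might still be incomplete, especially regarding resource roles.` above the parametrize does not say what is missing; a `# TODO: add expectations for resource-specific roles once fxtr_resource_user_roles seeds them` (with the concrete gap filled in) would be actionable. The 280-line expected table repeats the same public-view Role literal a dozen times; hoisting it into a module-level constant next to PRIVILEGES would shrink the table and make a change to that role a one-line edit.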