11 files changed, 137 insertions, 91 deletions

diff --git a/tests/unit/auth/fixtures/role_fixtures.py b/tests/unit/auth/fixtures/role_fixtures.py
index 1858712..63a3fca 100644
--- a/tests/unit/auth/fixtures/role_fixtures.py
+++ b/tests/unit/auth/fixtures/role_fixtures.py
@@ -163,7 +163,7 @@ def fxtr_system_roles(fxtr_users):
 
 
 @pytest.fixture(scope="function")
-def fxtr_resource_user_roles(# pylint: disable=[too-many-arguments, too-many-locals]
+def fxtr_resource_user_roles(# pylint: disable=[too-many-arguments, too-many-locals, too-many-positional-arguments]
         fxtr_resources,
         fxtr_users_in_group,
         fxtr_resource_ownership,
diff --git a/tests/unit/auth/test_groups.py b/tests/unit/auth/test_groups.py
index f22a8cf..346beb9 100644
--- a/tests/unit/auth/test_groups.py
+++ b/tests/unit/auth/test_groups.py
@@ -6,10 +6,9 @@ from pymonad.maybe import Nothing
 
 from gn_auth.auth.db import sqlite3 as db
 from gn_auth.auth.errors import AuthorisationError
-from gn_auth.auth.authorisation.roles import Role
 from gn_auth.auth.authorisation.privileges import Privilege
 from gn_auth.auth.authorisation.resources.groups.models import (
-    Group, GroupRole, user_group, create_group, create_group_role)
+    Group, user_group, create_group, create_group_role)
 
 from tests.unit.auth import conftest
 
@@ -28,7 +27,7 @@ PRIVILEGES = (
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize("user", tuple(conftest.TEST_USERS[0:3]))
-def test_create_group_fails(# pylint: disable=[too-many-arguments]
+def test_create_group_fails(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         fxtr_app, auth_testdb_path, mocker, fxtr_resource_user_roles, fxtr_oauth2_clients, user):# pylint: disable=[unused-argument]
     """
     GIVEN: an authenticated user
@@ -72,7 +71,7 @@ def __cleanup_create_group__(conn, user, group):
     ((conftest.TEST_USERS[3], Group(
         UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_group",
         {"group_description": "A test group"})),))
-def test_create_group_succeeds(# pylint: disable=[too-many-arguments, unused-argument]
+def test_create_group_succeeds(# pylint: disable=[too-many-arguments too-many-positional-arguments, unused-argument]
         fxtr_app,
         auth_testdb_path,
         mocker,
@@ -103,7 +102,7 @@ def test_create_group_succeeds(# pylint: disable=[too-many-arguments, unused-arg
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize("user", conftest.TEST_USERS[1:])
-def test_create_group_raises_exception_with_non_privileged_user(# pylint: disable=[too-many-arguments]
+def test_create_group_raises_exception_with_non_privileged_user(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients, user):# pylint: disable=[unused-argument]
     """
     GIVEN: an authenticated user, without appropriate privileges
@@ -126,40 +125,6 @@ create_role_failure = {
     "message": "Unauthorised: Could not create the group role"
 }
 
-@pytest.mark.skip("Keep as placeholder until we implement test for creating "
-                  "a resource role.")
-@pytest.mark.unit_test
-@pytest.mark.parametrize(
-    "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
-        GroupRole(
-            UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
-            GROUP,
-            Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
-                 "ResourceEditor", True, PRIVILEGES)),))))
-def test_create_group_role(mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
-    """
-    GIVEN: an authenticated user
-    WHEN: the user attempts to create a role, attached to a group
-    THEN: verify they are only able to create the role if they have the
-        appropriate privileges and that the role is attached to the given group
-    """
-    _conn, clients = fxtr_oauth2_clients
-    mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
-    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
-    mocker.patch(
-        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
-        conftest.get_tokeniser(
-            user,
-            tuple(client for client in clients if client.user == user)[0]))
-    conn, _group, _users = fxtr_users_in_group
-    with db.cursor(conn) as cursor:
-        assert create_group_role(
-            conn, GROUP, "ResourceEditor", PRIVILEGES) == expected
-        # cleanup
-        cursor.execute(
-            ("DELETE FROM group_roles "
-             "WHERE group_role_id=? AND group_id=? AND role_id=?"),
-            (str(conftest.uuid_fn()), str(GROUP.group_id), str(conftest.uuid_fn())))
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
diff --git a/tests/unit/auth/test_migrations_add_data_to_table.py b/tests/unit/auth/test_migrations_add_data_to_table.py
index d9e2ca4..0945a20 100644
--- a/tests/unit/auth/test_migrations_add_data_to_table.py
+++ b/tests/unit/auth/test_migrations_add_data_to_table.py
@@ -40,7 +40,7 @@ test_params = (
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize("migration_file,query,query_params,data", test_params)
-def test_apply_insert(# pylint: disable=[too-many-arguments]
+def test_apply_insert(# pylint: disable=[too-many-arguments, too-many-positional-arguments]
         auth_migrations_dir, backend, auth_testdb_path, migration_file, query,
         query_params, data):
     """
@@ -65,7 +65,7 @@ def test_apply_insert(# pylint: disable=[too-many-arguments]
 
 @pytest.mark.unit_test
 @pytest.mark.parametrize("migration_file,query,query_params,data", test_params)
-def test_rollback_insert(# pylint: disable=[too-many-arguments]
+def test_rollback_insert(# pylint: disable=[too-many-arguments, too-many-positional-arguments]
         auth_migrations_dir, backend, auth_testdb_path, migration_file, query,
         query_params, data):
     """
diff --git a/tests/unit/auth/test_migrations_add_remove_columns.py b/tests/unit/auth/test_migrations_add_remove_columns.py
index af85652..15dc3a2 100644
--- a/tests/unit/auth/test_migrations_add_remove_columns.py
+++ b/tests/unit/auth/test_migrations_add_remove_columns.py
@@ -51,7 +51,7 @@ def rolled_back_successfully(adding: bool, result_str: str, column: str) -> bool
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,the_table,the_column,adding", TEST_PARAMS)
-def test_apply_add_remove_column(# pylint: disable=[too-many-arguments]
+def test_apply_add_remove_column(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         auth_migrations_dir, auth_testdb_path, backend, migration_file,
         the_table, the_column, adding):
     """
@@ -84,7 +84,7 @@ def test_apply_add_remove_column(# pylint: disable=[too-many-arguments]
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,the_table,the_column,adding", TEST_PARAMS)
-def test_rollback_add_remove_column(# pylint: disable=[too-many-arguments]
+def test_rollback_add_remove_column(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         auth_migrations_dir, auth_testdb_path, backend, migration_file,
         the_table, the_column, adding):
     """
diff --git a/tests/unit/auth/test_migrations_indexes.py b/tests/unit/auth/test_migrations_indexes.py
index 1c543c4..2d0997f 100644
--- a/tests/unit/auth/test_migrations_indexes.py
+++ b/tests/unit/auth/test_migrations_indexes.py
@@ -30,7 +30,7 @@ migrations_tables_and_indexes = (
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,the_table,the_index", migrations_tables_and_indexes)
-def test_index_created(# pylint: disable=[too-many-arguments]
+def test_index_created(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         auth_testdb_path, auth_migrations_dir, backend, migration_file,
         the_table, the_index):
     """
@@ -61,7 +61,7 @@ def test_index_created(# pylint: disable=[too-many-arguments]
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,the_table,the_index", migrations_tables_and_indexes)
-def test_index_dropped(# pylint: disable=[too-many-arguments]
+def test_index_dropped(# pylint: disable=[too-many-arguments too-many-positional-arguments]
         auth_testdb_path, auth_migrations_dir, backend, migration_file,
         the_table, the_index):
     """
diff --git a/tests/unit/auth/test_migrations_insert_data_into_empty_table.py b/tests/unit/auth/test_migrations_insert_data_into_empty_table.py
index 0cf9a1f..c699e81 100644
--- a/tests/unit/auth/test_migrations_insert_data_into_empty_table.py
+++ b/tests/unit/auth/test_migrations_insert_data_into_empty_table.py
@@ -16,7 +16,7 @@ test_params = (
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,table,row_count", test_params)
-def test_apply_insert(# pylint: disable=[too-many-arguments]
+def test_apply_insert(# pylint: disable=[too-many-arguments, too-many-positional-arguments]
         auth_testdb_path, auth_migrations_dir, backend, migration_file,
         table, row_count):
     """
@@ -45,7 +45,7 @@ def test_apply_insert(# pylint: disable=[too-many-arguments]
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "migration_file,table,row_count", test_params)
-def test_rollback_insert(# pylint: disable=[too-many-arguments]
+def test_rollback_insert(# pylint: disable=[too-many-arguments, too-many-positional-arguments]
         auth_testdb_path, auth_migrations_dir, backend, migration_file,
         table, row_count):
     """
diff --git a/tests/unit/auth/test_privileges.py b/tests/unit/auth/test_privileges.py
index 619ccc1..9b2ea04 100644
--- a/tests/unit/auth/test_privileges.py
+++ b/tests/unit/auth/test_privileges.py
@@ -24,7 +24,10 @@ PRIVILEGES = sorted(
      Privilege("group:resource:view-resource",
                "view a resource and use it in computations"),
      Privilege("group:resource:edit-resource", "edit/update a resource"),
-     Privilege("group:resource:delete-resource", "Delete a resource")),
+     Privilege("group:resource:delete-resource", "Delete a resource"),
+
+     Privilege("group:data:link-to-group",
+               "Allow linking data to only one specific group.")),
     key=sort_key_privileges)
 
 @pytest.mark.unit_test
diff --git a/tests/unit/auth/test_resources.py b/tests/unit/auth/test_resources.py
index 9b45b68..292f7dc 100644
--- a/tests/unit/auth/test_resources.py
+++ b/tests/unit/auth/test_resources.py
@@ -30,7 +30,7 @@ create_resource_failure = {
         (Resource(
             uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
             "test_resource", resource_category, False),))))
-def test_create_resource(# pylint: disable=[too-many-arguments, unused-argument]
+def test_create_resource(# pylint: disable=[too-many-arguments, too-many-positional-arguments, unused-argument]
         mocker,
         fxtr_users_in_group,
         fxtr_resource_user_roles,
@@ -47,11 +47,11 @@ def test_create_resource(# pylint: disable=[too-many-arguments, unused-argument]
             user,
             tuple(client for client in clients if client.user == user)[0]))
     conn, _group, _users = fxtr_users_in_group
-    resource = create_resource(
-        conn, "test_resource", resource_category, user, False)
-    assert resource == expected
 
     with db.cursor(conn) as cursor:
+        resource = create_resource(
+            cursor, "test_resource", resource_category, user, _group, False)
+        assert resource == expected
         # Cleanup
         cursor.execute(
             "DELETE FROM user_roles WHERE resource_id=?",
@@ -82,8 +82,15 @@ def test_create_resource_raises_for_unauthorised_users(
             tuple(client for client in clients if client.user == user)[0]))
     conn, _group, _users = fxtr_users_in_group
     with pytest.raises(AuthorisationError):
-        assert create_resource(
-            conn, "test_resource", resource_category, user, False) == expected
+        with db.cursor(conn) as cursor:
+            assert create_resource(
+                cursor,
+                "test_resource",
+                resource_category,
+                user,
+                _group,
+                False
+            ) == expected
 
 def sort_key_resources(resource):
     """Sort-key for resources."""
diff --git a/tests/unit/auth/test_resources_roles.py b/tests/unit/auth/test_resources_roles.py
new file mode 100644
index 0000000..e43f25c
--- /dev/null
+++ b/tests/unit/auth/test_resources_roles.py
@@ -0,0 +1,90 @@
+"""Tests for roles for a specific resource."""
+from uuid import UUID
+
+import pytest
+
+from gn_auth.auth.db import sqlite3 as db
+from gn_auth.auth.authorisation.privileges import Privilege
+from gn_auth.auth.authorisation.roles.models import Role, create_role
+from gn_auth.auth.authorisation.resources.groups.models import (
+    GroupRole,
+    create_group_role)
+
+from tests.unit.auth import conftest
+
+
+GROUP = conftest.TEST_GROUP_01
+PRIVILEGES = (
+    Privilege("group:resource:view-resource",
+              "view a resource and use it in computations"),
+    Privilege("group:resource:edit-resource", "edit/update a resource"))
+
+
+@pytest.mark.skip("Keep as placeholder until we implement test for creating "
+                  "a resource role.")
+@pytest.mark.unit_test
+@pytest.mark.parametrize(
+    "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
+        GroupRole(
+            UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
+            GROUP,
+            Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
+                 "ResourceEditor", True, PRIVILEGES)),))))
+def test_create_group_role(mocker, fxtr_users_in_group, fxtr_oauth2_clients, user, expected):
+    """
+    GIVEN: an authenticated user
+    WHEN: the user attempts to create a role, attached to a group
+    THEN: verify they are only able to create the role if they have the
+        appropriate privileges and that the role is attached to the given group
+    """
+    _conn, clients = fxtr_oauth2_clients
+    mocker.patch("gn_auth.auth.authorisation.resources.groups.models.uuid4", conftest.uuid_fn)
+    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
+    mocker.patch(
+        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+        conftest.get_tokeniser(
+            user,
+            tuple(client for client in clients if client.user == user)[0]))
+    conn, _group, _users = fxtr_users_in_group
+    with db.cursor(conn) as cursor:
+        assert create_group_role(
+            conn, GROUP, "ResourceEditor", PRIVILEGES) == expected
+        # cleanup
+        cursor.execute(
+            ("DELETE FROM group_roles "
+             "WHERE group_role_id=? AND group_id=? AND role_id=?"),
+            (str(conftest.uuid_fn()), str(GROUP.group_id), str(conftest.uuid_fn())))
+
+
+@pytest.mark.skip(
+    "This needs to be replaced by tests for creation of resource roles.")
+@pytest.mark.unit_test
+@pytest.mark.parametrize(
+    "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
+        Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_role",
+             True, PRIVILEGES),))))
+def test_create_role(# pylint: disable=[too-many-arguments, too-many-positional-arguments, unused-argument]
+        fxtr_app,
+        auth_testdb_path,
+        mocker,
+        fxtr_users,
+        fxtr_oauth2_clients,
+        user,
+        expected
+):
+    """
+    GIVEN: an authenticated user
+    WHEN: the user attempts to create a role
+    THEN: verify they are only able to create the role if they have the
+          appropriate privileges
+    """
+    _conn, clients = fxtr_oauth2_clients
+    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
+    mocker.patch(
+        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
+        conftest.get_tokeniser(
+            user,
+            tuple(client for client in clients if client.user == user)[0]))
+    with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
+        the_role = create_role(cursor, "a_test_role", PRIVILEGES)
+        assert the_role == expected
diff --git a/tests/unit/auth/test_roles.py b/tests/unit/auth/test_roles.py
index b9d1183..43d84e4 100644
--- a/tests/unit/auth/test_roles.py
+++ b/tests/unit/auth/test_roles.py
@@ -22,45 +22,11 @@ PRIVILEGES = (
     Privilege("group:resource:edit-resource", "edit/update a resource"))
 
 
-@pytest.mark.skip(
-    "This needs to be replaced by tests for creation of resource roles.")
-@pytest.mark.unit_test
-@pytest.mark.parametrize(
-    "user,expected", tuple(zip(conftest.TEST_USERS[0:1], (
-        Role(UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"), "a_test_role",
-             True, PRIVILEGES),))))
-def test_create_role(# pylint: disable=[too-many-arguments, unused-argument]
-        fxtr_app,
-        auth_testdb_path,
-        mocker,
-        fxtr_users,
-        fxtr_oauth2_clients,
-        user,
-        expected
-):
-    """
-    GIVEN: an authenticated user
-    WHEN: the user attempts to create a role
-    THEN: verify they are only able to create the role if they have the
-          appropriate privileges
-    """
-    _conn, clients = fxtr_oauth2_clients
-    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn)
-    mocker.patch(
-        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
-        conftest.get_tokeniser(
-            user,
-            tuple(client for client in clients if client.user == user)[0]))
-    with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
-        the_role = create_role(cursor, "a_test_role", PRIVILEGES)
-        assert the_role == expected
-
-
 @pytest.mark.unit_test
 @pytest.mark.parametrize(
     "user,expected", tuple(zip(conftest.TEST_USERS[1:], (
         create_role_failure, create_role_failure, create_role_failure))))
-def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments, unused-argument]
+def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments, unused-argument, too-many-positional-arguments]
         fxtr_app,
         auth_testdb_path,
         mocker,
@@ -149,6 +115,10 @@ def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[
                 user_editable=False,
                 privileges=(
                     Privilege(
+                        "group:data:link-to-group",
+                        "Allow linking data to only one specific group."),
+
+                    Privilege(
                         privilege_id="group:resource:create-resource",
                         privilege_description="Create a resource object"),
                     Privilege(
diff --git a/tests/unit/conftest.py b/tests/unit/conftest.py
index dcf4003..53ee062 100644
--- a/tests/unit/conftest.py
+++ b/tests/unit/conftest.py
@@ -8,6 +8,17 @@ import pytest
 
 from gn_auth import create_app
 
+def setup_secrets(rootdir: Path) -> Path:
+    """Setup secrets directory and file."""
+    secretsfile = Path(rootdir).joinpath("secrets/secrets.py")
+    secretsfile.parent.mkdir(exist_ok=True)
+    with open(secretsfile, "w", encoding="utf8") as outfile:
+        outfile.write(
+            'SECRET_KEY="qQIrgiK29kXZU6v8D09y4uw_sk8I4cqgNZniYUrRoUk"')
+
+    return secretsfile
+
+
 @pytest.fixture(scope="session")
 def fxtr_app():
     """Fixture: setup the test app"""
@@ -22,8 +33,8 @@ def fxtr_app():
         app = create_app({
             "TESTING": True,
             "AUTH_DB": testdb,
+            "GN_AUTH_SECRETS": str(setup_secrets(testdir)),
             "OAUTH2_ACCESS_TOKEN_GENERATOR": "tests.unit.auth.test_token.gen_token",
-            "SECRET_KEY": "qQIrgiK29kXZU6v8D09y4uw_sk8I4cqgNZniYUrRoUk",
             "UPLOADS_DIR": testuploadsdir,
             "SSL_PRIVATE_KEY": f"{testsroot}/test-ssl-private-key.pem",
             "CLIENTS_SSL_PUBLIC_KEYS_DIR": f"{testsroot}/test-public-keys-dir"