"""Test functions dealing with group management.""" from uuid import UUID import pytest from gn_auth.auth.db import sqlite3 as db from gn_auth.auth.errors import AuthorisationError from gn_auth.auth.authorisation.privileges import Privilege from gn_auth.auth.authorisation.roles.models import Role, user_roles, create_role from tests.unit.auth import conftest from tests.unit.auth.fixtures import TEST_USERS create_role_failure = { "status": "error", "message": "Unauthorised: Could not create role" } PRIVILEGES = ( Privilege("group:resource:view-resource", "view a resource and use it in computations"), Privilege("group:resource:edit-resource", "edit/update a resource")) @pytest.mark.unit_test @pytest.mark.parametrize( "user,expected", tuple(zip(conftest.TEST_USERS[1:], ( create_role_failure, create_role_failure, create_role_failure)))) def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments, unused-argument] fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients, user, expected ): """ GIVEN: an authenticated user WHEN: the user attempts to create a role THEN: verify they are only able to create the role if they have the appropriate privileges """ _conn, clients = fxtr_oauth2_clients mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4", conftest.uuid_fn) mocker.patch( "gn_auth.auth.authorisation.checks.require_oauth.acquire", conftest.get_tokeniser( user, tuple(client for client in clients if client.user == user)[0])) with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor: with pytest.raises(AuthorisationError): create_role(cursor, "a_test_role", PRIVILEGES) # This might still be incomplete, especially regarding resource roles. @pytest.mark.unit_test @pytest.mark.parametrize( "user,expected", (zip(TEST_USERS, (({"resource_id": UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"), "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "roles": (Role( role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"), role_name="resource_editor", user_editable=True, privileges=( Privilege( privilege_id="group:resource:edit-resource", privilege_description="edit/update a resource"), Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"))),)}, {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"), "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "roles": ( Role( role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"), role_name="resource_editor", user_editable=True, privileges=( Privilege( privilege_id="group:resource:edit-resource", privilege_description="edit/update a resource"), Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"))), Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description=( "view a resource and use it in computations")),)))}, {"resource_id": UUID("e9a1184a-e8b4-49fb-b713-8d9cbeea5b83"), "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "roles": (Role( role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"), role_name="resource_editor", user_editable=True, privileges=( Privilege( privilege_id="group:resource:edit-resource", privilege_description="edit/update a resource"), Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"))),)}, {"resource_id": UUID("38d1807d-105f-44a7-8327-7e2d973b6d8d"), "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "roles": (Role( role_id=UUID("a0e67630-d502-4b9f-b23f-6805d0f30e30"), role_name="group-leader", user_editable=False, privileges=( Privilege( privilege_id="group:resource:create-resource", privilege_description="Create a resource object"), Privilege( privilege_id="group:resource:delete-resource", privilege_description="Delete a resource"), Privilege( privilege_id="group:resource:edit-resource", privilege_description="edit/update a resource"), Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"), Privilege( privilege_id="group:user:add-group-member", privilege_description="Add a user to a group"), Privilege( privilege_id="group:user:remove-group-member", privilege_description="Remove a user from a group"), Privilege( privilege_id="system:group:delete-group", privilege_description="Delete a group"), Privilege( privilege_id="system:group:edit-group", privilege_description="Edit the details of a group"), Privilege( privilege_id="system:group:transfer-group-leader", privilege_description=( "Transfer leadership of the group to some other member")), Privilege( privilege_id="system:group:view-group", privilege_description="View the details of a group"), Privilege( privilege_id="system:user:list", privilege_description="List users in the system"))),)}, {"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"), "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "roles": (Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"),)),)}, {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"), "user_id": UUID("ecb52977-3004-469e-9428-2a1856725c7f"), "roles": (Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"),)),)}), ({"resource_id": UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"), "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"), "roles": (Role( role_id=UUID("89819f84-6346-488b-8955-86062e9eedb7"), role_name="resource_editor", user_editable=True, privileges=( Privilege( privilege_id="group:resource:edit-resource", privilege_description="edit/update a resource"), Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"))),) }, {"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"), "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"), "roles": (Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"),)),) }, {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"), "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"), "roles": (Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"),)),) }, {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"), "user_id": UUID("21351b66-8aad-475b-84ac-53ce528451e3"), "roles": (Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"),)),) }), ({"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"), "user_id": UUID("ae9c6245-0966-41a5-9a5e-20885a96bea7"), "roles": (Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"),)),) }, {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"), "user_id": UUID("ae9c6245-0966-41a5-9a5e-20885a96bea7"), "roles": (Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"),)),) }, {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"), "user_id": UUID("ae9c6245-0966-41a5-9a5e-20885a96bea7"), "roles": (Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"),)),) }), ({"resource_id": UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"), "user_id": UUID("9a0c7ce5-2f40-4e78-979e-bf3527a59579"), "roles": ( Role( role_id=UUID("ade7e6b0-ba9c-4b51-87d0-2af7fe39a347"), role_name="group-creator", user_editable=False, privileges=( Privilege( privilege_id="system:group:create-group", privilege_description="Create a group"),)), Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"),))) }, {"resource_id": UUID("04ad9e09-94ea-4390-8a02-11f92999806b"), "user_id": UUID("9a0c7ce5-2f40-4e78-979e-bf3527a59579"), "roles": (Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description="view a resource and use it in computations"),)),) }, {"resource_id": UUID("26ad1668-29f5-439d-b905-84d551f85955"), "user_id": UUID("9a0c7ce5-2f40-4e78-979e-bf3527a59579"), "roles": (Role( role_id=UUID("fd88bfed-d869-4969-87f2-67c4e8446ecb"), role_name="public-view", user_editable=False, privileges=( Privilege( privilege_id="group:resource:view-resource", privilege_description=( "view a resource and use it in computations")),)),)}))))) def test_user_roles( fxtr_resource_user_roles, user, expected ): """ GIVEN: an authenticated user WHEN: we request the user's privileges THEN: return **ALL** the privileges attached to the user """ conn, *_others = fxtr_resource_user_roles assert user_roles(conn, user) == expected