"""Test functions dealing with group management."""
import uuid
import pytest
from gn_auth.auth.db import sqlite3 as db
from gn_auth.auth.errors import AuthorisationError
from gn_auth.auth.authorisation.privileges import Privilege
from gn_auth.auth.authorisation.roles.models import Role, user_roles, create_role
from tests.unit.auth import conftest
from tests.unit.auth.fixtures import TEST_USERS
# Error payload expected when role creation is refused for lack of privilege.
# NOTE(review): the unauthorised-user test below receives this as `expected`
# but only asserts that AuthorisationError is raised; the message itself is
# never compared.
create_role_failure = dict(
    status="error",
    message="Unauthorised: Could not create role",
)
# Privileges requested for the test role: view + edit on group resources
# only -- deliberately nothing at the `system:` level.
PRIVILEGES = tuple(
    Privilege(privilege_id, description)
    for privilege_id, description in (
        ("group:resource:view-resource",
         "view a resource and use it in computations"),
        ("group:resource:edit-resource", "edit/update a resource"),
    )
)
@pytest.mark.skip("This still needs some work to actually tests for resource roles.")
@pytest.mark.unit_test
@pytest.mark.parametrize(
    "user,expected",
    tuple(zip(
        conftest.TEST_USERS[0:1],
        (Role(uuid.UUID("d32611e3-07fc-4564-b56c-786c6db6de2b"),
              "a_test_role", True, PRIVILEGES),))))
def test_create_role(# pylint: disable=[too-many-arguments]
        fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients,
        user, expected):# pylint: disable=[unused-argument]
    """
    GIVEN: an authenticated user (the first test user) that is allowed to
           create roles
    WHEN: the user creates a role named "a_test_role" carrying PRIVILEGES
    THEN: the returned Role matches `expected` (fixed role_id, same name,
          user-editable, same privileges)

    Currently skipped (see the mark above): resource-role handling is not
    finished, so the positive path cannot be asserted reliably yet.
    """
    _conn, oauth_clients = fxtr_oauth2_clients
    # Pin uuid4 so the role_id embedded in `expected` is reproducible.
    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4",
                 conftest.uuid_fn)
    # Authenticate as `user` through the first OAuth2 client registered to
    # them; an IndexError here means the client fixture is incomplete.
    user_client = [client for client in oauth_clients
                   if client.user == user][0]
    mocker.patch(
        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
        conftest.get_tokeniser(user, user_client))
    with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
        created = create_role(cursor, "a_test_role", PRIVILEGES)
        assert created == expected
@pytest.mark.unit_test
@pytest.mark.parametrize(
    "user,expected",
    tuple(zip(conftest.TEST_USERS[1:],
              (create_role_failure, create_role_failure, create_role_failure))))
def test_create_role_raises_exception_for_unauthorised_users(# pylint: disable=[too-many-arguments]
        fxtr_app, auth_testdb_path, mocker, fxtr_users, fxtr_oauth2_clients,
        user, expected):# pylint: disable=[unused-argument]
    """
    GIVEN: an authenticated user (any test user except the first) that does
           NOT hold the privilege needed to create roles
    WHEN: the user attempts to create a role
    THEN: the call is refused with AuthorisationError -- authentication alone
          must never be enough to mint a role

    NOTE(review): `expected` is accepted but not compared, and the test does
    not check that nothing was persisted after the refusal; both would
    tighten this deny-path test.
    """
    _conn, oauth_clients = fxtr_oauth2_clients
    # Deterministic role ids, as in the positive-path test.
    mocker.patch("gn_auth.auth.authorisation.roles.models.uuid4",
                 conftest.uuid_fn)
    # Present a valid token for `user` so the failure is an authorisation
    # (privilege) failure, not an authentication one.
    user_client = [client for client in oauth_clients
                   if client.user == user][0]
    mocker.patch(
        "gn_auth.auth.authorisation.checks.require_oauth.acquire",
        conftest.get_tokeniser(user, user_client))
    with db.connection(auth_testdb_path) as conn, db.cursor(conn) as cursor:
        with pytest.raises(AuthorisationError):
            create_role(cursor, "a_test_role", PRIVILEGES)
# This might still be incomplete, especially regarding resource roles.
def _privs(*specs):
    """Build a tuple of Privilege objects from (id, description) pairs."""
    return tuple(
        Privilege(privilege_id=privilege_id, privilege_description=description)
        for privilege_id, description in specs)


# Expected `user_roles` output, one entry per user in TEST_USERS, in order.
# The privilege inventory is pinned exactly: any change to the seeded roles
# (e.g. an extra `system:` privilege on group-leader) fails this test instead
# of silently widening what a user may do.
_EXPECTED_USER_ROLES = (
    # First user: leads one group and may create groups.
    (
        {
            "resource_id": uuid.UUID("38d1807d-105f-44a7-8327-7e2d973b6d8d"),
            "user_id": uuid.UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
            "roles": (
                Role(
                    role_id=uuid.UUID("a0e67630-d502-4b9f-b23f-6805d0f30e30"),
                    role_name="group-leader",
                    user_editable=False,
                    privileges=_privs(
                        ("group:resource:create-resource",
                         "Create a resource object"),
                        ("group:resource:delete-resource",
                         "Delete a resource"),
                        ("group:resource:edit-resource",
                         "edit/update a resource"),
                        ("group:resource:view-resource",
                         "view a resource and use it in computations"),
                        ("group:user:add-group-member",
                         "Add a user to a group"),
                        ("group:user:remove-group-member",
                         "Remove a user from a group"),
                        ("system:group:delete-group",
                         "Delete a group"),
                        ("system:group:edit-group",
                         "Edit the details of a group"),
                        ("system:group:transfer-group-leader",
                         "Transfer leadership of the group to some other "
                         "member"),
                        ("system:group:view-group",
                         "View the details of a group"),
                        ("system:user:list",
                         "List users in the system"))),),
        },
        {
            "resource_id": uuid.UUID("0248b289-b277-4eaa-8c94-88a434d14b6e"),
            "user_id": uuid.UUID("ecb52977-3004-469e-9428-2a1856725c7f"),
            "roles": (
                Role(
                    role_id=uuid.UUID("ade7e6b0-ba9c-4b51-87d0-2af7fe39a347"),
                    role_name="group-creator",
                    user_editable=False,
                    privileges=_privs(
                        ("system:group:create-group", "Create a group"))),),
        },
    ),
    # Second user: a plain resource editor on a single resource.
    (
        {
            "resource_id": uuid.UUID("2130aec0-fefd-434d-92fd-9ca342348b2d"),
            "user_id": uuid.UUID("21351b66-8aad-475b-84ac-53ce528451e3"),
            "roles": (
                Role(
                    role_id=uuid.UUID("89819f84-6346-488b-8955-86062e9eedb7"),
                    role_name="resource_editor",
                    user_editable=True,
                    privileges=_privs(
                        ("group:resource:edit-resource",
                         "edit/update a resource"),
                        ("group:resource:view-resource",
                         "view a resource and use it in computations"))),),
        },
    ),
    # Remaining users: no roles at all.
    tuple(),
    tuple(),
)


@pytest.mark.unit_test
@pytest.mark.parametrize(
    "user,expected", tuple(zip(TEST_USERS, _EXPECTED_USER_ROLES)))
def test_user_roles(fxtr_group_user_roles, user, expected):
    """
    GIVEN: a user with the seeded group/resource role assignments
    WHEN: we look up that user's roles
    THEN: return **ALL** of the user's roles, grouped per resource, each with
          its complete privilege set -- and nothing beyond it
    """
    conn, *_rest = fxtr_group_user_roles
    assert user_roles(conn, user) == expected