cloud-api/test/test_auth_su.py

"""
This module ensures super admin only endpoints do return a correctly formatted 401 when user is not a super admin
DELETE endpoints are not tested
"""

import pytest
from httpx import AsyncClient

pytestmark = [
	pytest.mark.auth,
	pytest.mark.super_admin,
]


@pytest.mark.anyio
async def test_get_user_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.get("/user?user_id=1")
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_patch_org_status_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.patch(
		"/org/status", json={"organisation_id": 1, "status": "submitted"}
	)
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_patch_org_root_user_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.patch(
		"/org/root_user", json={"organisation_id": 1, "user_id": 2}
	)
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_patch_service_key_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.patch("/service/key", json={"service_id": 1})
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_post_service_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.post("/service", json={"name": "New Test Service"})
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_post_perm_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.post(
		"/iam/permission",
		json={"service_id": 1, "resource": "test_resource", "action": "create"},
	)
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_post_org_user_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.post(
		"/org/user", json={"organisation_id": 1, "user_id": 2}
	)
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be super admin" in resp.json()["detail"]
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`"""`
			`This module ensures super admin only endpoints do return a correctly formatted 401 when user is not a super admin`
			`DELETE endpoints are not tested`
			`"""`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`import pytest`
			`from httpx import AsyncClient`

tests: pytest module markers 2026-06-09 13:58:08 +01:00			`pytestmark = [`
			`pytest.mark.auth,`
			`pytest.mark.super_admin,`
			`]`


tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`@pytest.mark.anyio`
			`async def test_get_user_auth_su(no_su_client: AsyncClient):`
fix: remove trailing slash and plurals in paths 2026-06-11 16:14:22 +01:00			`resp = await no_su_client.get("/user?user_id=1")`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.json()["detail"] == "Must be super admin"`


			`@pytest.mark.anyio`
			`async def test_patch_org_status_auth_su(no_su_client: AsyncClient):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.patch(`
			`"/org/status", json={"organisation_id": 1, "status": "submitted"}`
			`)`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.json()["detail"] == "Must be super admin"`


			`@pytest.mark.anyio`
tests: remove db modifications from individual tests All db seeding now down in conftest 2026-06-12 11:29:42 +01:00			`async def test_patch_org_root_user_auth_su(no_su_client: AsyncClient):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.patch(`
			`"/org/root_user", json={"organisation_id": 1, "user_id": 2}`
			`)`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.json()["detail"] == "Must be super admin"`


			`@pytest.mark.anyio`
			`async def test_patch_service_key_auth_su(no_su_client: AsyncClient):`
			`resp = await no_su_client.patch("/service/key", json={"service_id": 1})`
			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.json()["detail"] == "Must be super admin"`


			`@pytest.mark.anyio`
			`async def test_post_service_auth_su(no_su_client: AsyncClient):`
fix: remove trailing slash and plurals in paths 2026-06-11 16:14:22 +01:00			`resp = await no_su_client.post("/service", json={"name": "New Test Service"})`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.json()["detail"] == "Must be super admin"`


			`@pytest.mark.anyio`
tests: remove db modifications from individual tests All db seeding now down in conftest 2026-06-12 11:29:42 +01:00			`async def test_post_perm_auth_su(no_su_client: AsyncClient):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.post(`
			`"/iam/permission",`
			`json={"service_id": 1, "resource": "test_resource", "action": "create"},`
			`)`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.json()["detail"] == "Must be super admin"`
feat: add org user by id requires su Part of the "sensical user adding" changes. 2026-06-09 13:07:43 +01:00

			`@pytest.mark.anyio`
tests: remove db modifications from individual tests All db seeding now down in conftest 2026-06-12 11:29:42 +01:00			`async def test_post_org_user_auth_su(no_su_client: AsyncClient):`
feat: add org user by id requires su Part of the "sensical user adding" changes. 2026-06-09 13:07:43 +01:00			`resp = await no_su_client.post(`
			`"/org/user", json={"organisation_id": 1, "user_id": 2}`
			`)`
			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
feat: add org user by id requires su Part of the "sensical user adding" changes. 2026-06-09 13:07:43 +01:00			`assert "Must be super admin" in resp.json()["detail"]`