cloud-api/test/test_auth_su.py

"""
This module ensures super admin only endpoints do return a correctly formatted 401 when user is not a super admin
DELETE endpoints are not tested
"""

import pytest
from httpx import AsyncClient

from src.organisation.models import OrgUsers
from src.user.models import User


@pytest.mark.anyio
async def test_get_user_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.get("/user/?user_id=1")
	assert resp.status_code != 422
	assert resp.status_code == 401
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_patch_org_status_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.patch(
		"/org/status", json={"organisation_id": 1, "status": "submitted"}
	)
	assert resp.status_code != 422
	assert resp.status_code == 401
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_patch_org_root_user_auth_su(no_su_client: AsyncClient, db_session):
	db_session.add(
		User(
			email="user@test.org",
			first_name="User",
			last_name="Test",
			oidc_id="abcd-efgh-ijkl-1234",
		)
	)
	db_session.flush()
	db_session.add(OrgUsers(org_id=1, user_id=2))
	db_session.flush()

	resp = await no_su_client.patch(
		"/org/root_user", json={"organisation_id": 1, "user_id": 2}
	)
	assert resp.status_code != 422
	assert resp.status_code == 401
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_patch_service_key_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.patch("/service/key", json={"service_id": 1})
	assert resp.status_code != 422
	assert resp.status_code == 401
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_post_service_auth_su(no_su_client: AsyncClient):
	resp = await no_su_client.post("/service/", json={"name": "New Test Service"})
	assert resp.status_code != 422
	assert resp.status_code == 401
	assert resp.json()["detail"] == "Must be super admin"


@pytest.mark.anyio
async def test_post_perm_success(no_su_client: AsyncClient, db_session):
	resp = await no_su_client.post(
		"/iam/permission",
		json={"service_id": 1, "resource": "test_resource", "action": "create"},
	)
	assert resp.status_code != 422
	assert resp.status_code == 401
	assert resp.json()["detail"] == "Must be super admin"
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`"""`
			`This module ensures super admin only endpoints do return a correctly formatted 401 when user is not a super admin`
			`DELETE endpoints are not tested`
			`"""`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`import pytest`
			`from httpx import AsyncClient`

			`from src.organisation.models import OrgUsers`
			`from src.user.models import User`


			`@pytest.mark.anyio`
			`async def test_get_user_auth_su(no_su_client: AsyncClient):`
			`resp = await no_su_client.get("/user/?user_id=1")`
			`assert resp.status_code != 422`
			`assert resp.status_code == 401`
			`assert resp.json()["detail"] == "Must be super admin"`


			`@pytest.mark.anyio`
			`async def test_patch_org_status_auth_su(no_su_client: AsyncClient):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.patch(`
			`"/org/status", json={"organisation_id": 1, "status": "submitted"}`
			`)`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.status_code != 422`
			`assert resp.status_code == 401`
			`assert resp.json()["detail"] == "Must be super admin"`


			`@pytest.mark.anyio`
			`async def test_patch_org_root_user_auth_su(no_su_client: AsyncClient, db_session):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`db_session.add(`
			`User(`
			`email="user@test.org",`
			`first_name="User",`
			`last_name="Test",`
			`oidc_id="abcd-efgh-ijkl-1234",`
			`)`
			`)`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`db_session.flush()`
			`db_session.add(OrgUsers(org_id=1, user_id=2))`
			`db_session.flush()`

minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.patch(`
			`"/org/root_user", json={"organisation_id": 1, "user_id": 2}`
			`)`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.status_code != 422`
			`assert resp.status_code == 401`
			`assert resp.json()["detail"] == "Must be super admin"`


			`@pytest.mark.anyio`
			`async def test_patch_service_key_auth_su(no_su_client: AsyncClient):`
			`resp = await no_su_client.patch("/service/key", json={"service_id": 1})`
			`assert resp.status_code != 422`
			`assert resp.status_code == 401`
			`assert resp.json()["detail"] == "Must be super admin"`


			`@pytest.mark.anyio`
			`async def test_post_service_auth_su(no_su_client: AsyncClient):`
			`resp = await no_su_client.post("/service/", json={"name": "New Test Service"})`
			`assert resp.status_code != 422`
			`assert resp.status_code == 401`
			`assert resp.json()["detail"] == "Must be super admin"`


			`@pytest.mark.anyio`
			`async def test_post_perm_success(no_su_client: AsyncClient, db_session):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.post(`
			`"/iam/permission",`
			`json={"service_id": 1, "resource": "test_resource", "action": "create"},`
			`)`
tests: super admin auth tests 2026-06-03 14:36:15 +01:00			`assert resp.status_code != 422`
			`assert resp.status_code == 401`
			`assert resp.json()["detail"] == "Must be super admin"`