cloud-api/test/test_auth_root.py

"""
This module ensures root user only endpoints do return a correctly formatted 401 when user is not the root user for the org
DELETE endpoints are not tested
"""

import pytest
from httpx import AsyncClient

from src.organisation.models import Organisation as Org
from src.user.models import User
from src.iam.models import Group


pytestmark = [
	pytest.mark.auth,
	pytest.mark.root_user,
]


@pytest.fixture(autouse=True)
def add_second_org(db_session):
	db_session.add(
		User(
			email="admin@test.org",
			first_name="Admin",
			last_name="Test",
			oidc_id="abcd-efgh-ijkl-4321",
		)
	)
	db_session.flush()
	db_session.add(
		Org(
			name="Test Org Two",
			root_user_id=2,
			billing_contact_id=1,
			owner_contact_id=2,
			security_contact_id=3,
			status="approved",
			intake_questionnaire={},
		)
	)
	db_session.flush()


@pytest.mark.anyio
async def test_get_org_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.get("/org?org_id=2")
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_patch_org_questionnaire_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.patch(
		"/org/questionnaire",
		json={
			"organisation_id": 2,
			"intake_questionnaire": {
				"question_one": "new answer one",
				"question_two": None,
				"question_three": None,
			},
			"partial": True,
		},
	)
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_get_org_users_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.get("/org/users?org_id=2")
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_get_org_groups_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.get("/org/groups?org_id=2")
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_get_org_contact_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.get("/org/contact?org_id=2&contact_type=billing")
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_patch_org_contact_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.patch(
		"/org/contact",
		json={
			"organisation_id": 2,
			"contact_type": "billing",
			"email": "user@example.com",
		},
	)
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_get_service_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.get("/service?org_id=2")
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_get_iam_group_permissions_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.get("/iam/group/permissions?org_id=2&group_id=1")
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_get_iam_group_users_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.get("/iam/group/users?org_id=2&group_id=1")
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_post_iam_group_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.post(
		"/iam/group", json={"name": "New Group", "organisation_id": 2}
	)
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_put_iam_group_permission_auth_root(
	no_su_client: AsyncClient, db_session
):
	db_session.add(Group(name="Test Group Two", org_id=2))
	db_session.flush()
	resp = await no_su_client.put(
		"/iam/group/permission",
		json={"permission_id": 1, "group_id": 2, "organisation_id": 2},
	)
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_put_iam_group_user_auth_root(no_su_client: AsyncClient, db_session):
	db_session.add(
		User(
			email="user@test.org",
			first_name="User",
			last_name="Test",
			oidc_id="abcd-efgh-ijkl-1234",
		)
	)
	db_session.flush()

	resp = await no_su_client.put(
		"/iam/group/user", json={"user_id": 2, "group_id": 1, "organisation_id": 2}
	)
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_get_iam_permissions_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.get("/iam/permissions?org_id=2")
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]


@pytest.mark.anyio
async def test_post_iam_permissions_search_auth_root(no_su_client: AsyncClient):
	resp = await no_su_client.post(
		"/iam/permissions/search", json={"organisation_id": 2, "action": "read"}
	)
	assert resp.status_code != 422
	assert resp.status_code == 403
	assert "Must be the org's root user" in resp.json()["detail"]
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`"""`
			`This module ensures root user only endpoints do return a correctly formatted 401 when user is not the root user for the org`
			`DELETE endpoints are not tested`
			`"""`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`import pytest`
			`from httpx import AsyncClient`

			`from src.organisation.models import Organisation as Org`
			`from src.user.models import User`
			`from src.iam.models import Group`


tests: pytest module markers 2026-06-09 13:58:08 +01:00			`pytestmark = [`
			`pytest.mark.auth,`
			`pytest.mark.root_user,`
			`]`


tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`@pytest.fixture(autouse=True)`
			`def add_second_org(db_session):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`db_session.add(`
			`User(`
			`email="admin@test.org",`
			`first_name="Admin",`
			`last_name="Test",`
			`oidc_id="abcd-efgh-ijkl-4321",`
			`)`
			`)`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`db_session.flush()`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`db_session.add(`
			`Org(`
			`name="Test Org Two",`
			`root_user_id=2,`
			`billing_contact_id=1,`
			`owner_contact_id=2,`
			`security_contact_id=3,`
			`status="approved",`
			`intake_questionnaire={},`
			`)`
			`)`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`db_session.flush()`


			`@pytest.mark.anyio`
			`async def test_get_org_auth_root(no_su_client: AsyncClient):`
			`resp = await no_su_client.get("/org?org_id=2")`
			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_patch_org_questionnaire_auth_root(no_su_client: AsyncClient):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.patch(`
			`"/org/questionnaire",`
			`json={`
			`"organisation_id": 2,`
			`"intake_questionnaire": {`
			`"question_one": "new answer one",`
			`"question_two": None,`
			`"question_three": None,`
			`},`
			`"partial": True,`
			`},`
			`)`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_get_org_users_auth_root(no_su_client: AsyncClient):`
			`resp = await no_su_client.get("/org/users?org_id=2")`
			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_get_org_groups_auth_root(no_su_client: AsyncClient):`
			`resp = await no_su_client.get("/org/groups?org_id=2")`
			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_get_org_contact_auth_root(no_su_client: AsyncClient):`
ruff: config and initial run 2026-06-08 10:45:38 +01:00			`resp = await no_su_client.get("/org/contact?org_id=2&contact_type=billing")`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_patch_org_contact_auth_root(no_su_client: AsyncClient):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.patch(`
			`"/org/contact",`
			`json={`
			`"organisation_id": 2,`
			`"contact_type": "billing",`
			`"email": "user@example.com",`
			`},`
			`)`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_get_service_auth_root(no_su_client: AsyncClient):`
fix: remove trailing slash and plurals in paths 2026-06-11 16:14:22 +01:00			`resp = await no_su_client.get("/service?org_id=2")`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_get_iam_group_permissions_auth_root(no_su_client: AsyncClient):`
			`resp = await no_su_client.get("/iam/group/permissions?org_id=2&group_id=1")`
			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_get_iam_group_users_auth_root(no_su_client: AsyncClient):`
			`resp = await no_su_client.get("/iam/group/users?org_id=2&group_id=1")`
			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_post_iam_group_auth_root(no_su_client: AsyncClient):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.post(`
			`"/iam/group", json={"name": "New Group", "organisation_id": 2}`
			`)`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`async def test_put_iam_group_permission_auth_root(`
			`no_su_client: AsyncClient, db_session`
			`):`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`db_session.add(Group(name="Test Group Two", org_id=2))`
			`db_session.flush()`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.put(`
			`"/iam/group/permission",`
			`json={"permission_id": 1, "group_id": 2, "organisation_id": 2},`
			`)`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_put_iam_group_user_auth_root(no_su_client: AsyncClient, db_session):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`db_session.add(`
			`User(`
			`email="user@test.org",`
			`first_name="User",`
			`last_name="Test",`
			`oidc_id="abcd-efgh-ijkl-1234",`
			`)`
			`)`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`db_session.flush()`

minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.put(`
			`"/iam/group/user", json={"user_id": 2, "group_id": 1, "organisation_id": 2}`
			`)`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_get_iam_permissions_auth_root(no_su_client: AsyncClient):`
			`resp = await no_su_client.get("/iam/permissions?org_id=2")`
			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`


			`@pytest.mark.anyio`
			`async def test_post_iam_permissions_search_auth_root(no_su_client: AsyncClient):`
minor: ruff formatter All changes are either: - Correcting tabs - Adding/removing line breaks - Adding trailing commas 2026-06-08 15:31:37 +01:00			`resp = await no_su_client.post(`
			`"/iam/permissions/search", json={"organisation_id": 2, "action": "read"}`
			`)`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert resp.status_code != 422`
feat: more accurate status codes 403 Forbidden replacing many 401 Unauthorized usages. 2026-06-11 14:58:05 +01:00			`assert resp.status_code == 403`
tests: root user auth tests Issue: #18 2026-06-04 11:49:49 +01:00			`assert "Must be the org's root user" in resp.json()["detail"]`