From 6155d955a784a233344bad3a6bc06a5222966c35 Mon Sep 17 00:00:00 2001
From: luxferre
Date: Wed, 24 Jun 2026 16:02:48 +0100
Subject: [PATCH] tests: simplified auth tests
---
 test/test_auth_general.py | 31 ++++++++
 test/test_auth_root.py | 153 --------------------------------------
 test/test_auth_su.py | 75 -------------------------
 test/test_auth_user.py | 28 -------
 4 files changed, 31 insertions(+), 256 deletions(-)
 delete mode 100644 test/test_auth_root.py
 delete mode 100644 test/test_auth_su.py
 delete mode 100644 test/test_auth_user.py
diff --git a/test/test_auth_general.py b/test/test_auth_general.py
index 543af7a..ea3cd69 100644
--- a/test/test_auth_general.py
+++ b/test/test_auth_general.py
@@ -16,3 +16,34 @@ async def test_get_org_auth_root_su(default_client: AsyncClient):
 assert resp.status_code != 422
 assert resp.status_code == 200
 assert resp.json()["organisations"][0]["name"] == "Org Two"
+
+
+# Standardised tests verify if each endpoint has been assigned the correct auth level.
+# Sample tests here verify that each auth level works.
+
+
+@pytest.mark.anyio
+async def test_get_org_auth_root(no_su_client: AsyncClient):
+ # Sample test. Checks if a non-root user gets blocked on a root endpoint.
+ resp = await no_su_client.get("/org?org_id=2")
+ assert resp.status_code != 422
+ assert resp.status_code == 403
+ assert "Must be the org's root user" in resp.json()["detail"]
+
+
+@pytest.mark.anyio
+async def test_get_user_auth_su(no_su_client: AsyncClient):
+ # Sample test. Checks if a non-su user gets blocked on a su endpoint.
+ resp = await no_su_client.get("/user?user_id=1")
+ assert resp.status_code != 422
+ assert resp.status_code == 403
+ assert resp.json()["detail"] == "Must be super admin"
+
+
+@pytest.mark.anyio
+async def test_get_self_db_auth_user(no_user_client: AsyncClient):
+ # Sample test. Checks if a non-user gets blocked on a user endpoint.
+ resp = await no_user_client.get("/user/self/db")
+ assert resp.status_code != 422
+ assert resp.status_code == 401
+ assert resp.json()["detail"] == "Not authenticated"
diff --git a/test/test_auth_root.py b/test/test_auth_root.py
deleted file mode 100644
index 429bf4b..0000000
--- a/test/test_auth_root.py
+++ /dev/null
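Review bot: The comment `# Standardised tests verify if each endpoint has been assigned the correct auth level.` is the only evidence left in this patch that per-endpoint authorization is still tested, yet nothing in the hunk says where those standardised tests live, while the 256 removed lines were exactly the per-endpoint denial checks (PATCH /org/root_user, PATCH /service/key, POST /iam/permission, PUT /iam/group/permission, among others, each exercised with an under-privileged client). A reader of test_auth_general.py cannot tell whether those endpoints are still covered, so the comment should name the module or fixture that performs the standardised check, e.g. `# Per-endpoint auth-level assignment is checked by <standardised test module — TODO name it>; the three tests below only prove each auth level's denial path once.` If that standardised test does not exist yet, keeping the deleted per-endpoint tests until it lands is the safer order. The three samples also differ in how they match `detail` (`in` for the root case, `==` for the other two), which is presumably inherited from the deleted modules rather than intentional. The header of test_auth_general.py (imports, any module-level pytestmark) is outside the hunk.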
@@ -1,153 +0,0 @@
-"""
-This module ensures root user only endpoints do return a correctly formatted 401 when user is not the root user for the org
-DELETE endpoints are not tested
-"""
-
-import pytest
-from httpx import AsyncClient
-
-pytestmark = [
- pytest.mark.auth,
- pytest.mark.root_user,
-]
-
-
-@pytest.mark.anyio
-async def test_get_org_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.get("/org?org_id=2")
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_patch_org_questionnaire_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.patch(
- "/org/questionnaire",
- json={
- "organisation_id": 2,
- "intake_questionnaire": {
- "question_one": "new answer one",
- "question_two": None,
- "question_three": None,
- },
- "partial": True,
- },
- )
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_get_org_users_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.get("/org/users?org_id=2")
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_get_org_groups_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.get("/org/groups?org_id=2")
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_get_org_contact_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.get("/org/contact?org_id=2&contact_type=billing")
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_patch_org_contact_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.patch(
- "/org/contact",
- json={
- "organisation_id": 2,
- "contact_type": "billing",
- "email": "user@example.com",
- },
- )
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_get_service_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.get("/service?org_id=2")
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_get_iam_group_permissions_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.get("/iam/group/permissions?org_id=2&group_id=1")
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_get_iam_group_users_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.get("/iam/group/users?org_id=2&group_id=1")
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_post_iam_group_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.post(
- "/iam/group", json={"name": "New Group", "organisation_id": 2}
- )
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_put_iam_group_permission_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.put(
- "/iam/group/permission",
- json={"permission_id": 1, "group_id": 2, "organisation_id": 2},
- )
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_put_iam_group_user_auth_root(
- no_su_client: AsyncClient,
-):
- resp = await no_su_client.put(
- "/iam/group/user", json={"user_id": 2, "group_id": 1, "organisation_id": 2}
- )
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_get_iam_permissions_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.get("/iam/permissions?org_id=2")
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
-
-
-@pytest.mark.anyio
-async def test_post_iam_permissions_search_auth_root(no_su_client: AsyncClient):
- resp = await no_su_client.post(
- "/iam/permissions/search", json={"organisation_id": 2, "action": "read"}
- )
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be the org's root user" in resp.json()["detail"]
diff --git a/test/test_auth_su.py b/test/test_auth_su.py
deleted file mode 100644
index f0136bf..0000000
--- a/test/test_auth_su.py
+++ /dev/null
@@ -1,75 +0,0 @@
-"""
-This module ensures super admin only endpoints do return a correctly formatted 401 when user is not a super admin
-DELETE endpoints are not tested
-"""
-
-import pytest
-from httpx import AsyncClient
-
-pytestmark = [
- pytest.mark.auth,
- pytest.mark.super_admin,
-]
-
-
-@pytest.mark.anyio
-async def test_get_user_auth_su(no_su_client: AsyncClient):
- resp = await no_su_client.get("/user?user_id=1")
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert resp.json()["detail"] == "Must be super admin"
-
-
-@pytest.mark.anyio
-async def test_patch_org_status_auth_su(no_su_client: AsyncClient):
- resp = await no_su_client.patch(
- "/org/status", json={"organisation_id": 1, "status": "submitted"}
- )
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert resp.json()["detail"] == "Must be super admin"
-
-
-@pytest.mark.anyio
-async def test_patch_org_root_user_auth_su(no_su_client: AsyncClient):
- resp = await no_su_client.patch(
- "/org/root_user", json={"organisation_id": 1, "user_id": 2}
- )
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert resp.json()["detail"] == "Must be super admin"
-
-
-@pytest.mark.anyio
-async def test_patch_service_key_auth_su(no_su_client: AsyncClient):
- resp = await no_su_client.patch("/service/key", json={"service_id": 1})
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert resp.json()["detail"] == "Must be super admin"
-
-
-@pytest.mark.anyio
-async def test_post_service_auth_su(no_su_client: AsyncClient):
- resp = await no_su_client.post("/service", json={"name": "New Test Service"})
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert resp.json()["detail"] == "Must be super admin"
-
-
-@pytest.mark.anyio
-async def test_post_perm_auth_su(no_su_client: AsyncClient):
- resp = await no_su_client.post(
- "/iam/permission",
- json={"service_id": 1, "resource": "test_resource", "action": "create"},
- )
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert resp.json()["detail"] == "Must be super admin"
-
-
-@pytest.mark.anyio
-async def test_post_org_user_auth_su(no_su_client: AsyncClient):
- resp = await no_su_client.post("/org/user", json={"organisation_id": 1, "user_id": 2})
- assert resp.status_code != 422
- assert resp.status_code == 403
- assert "Must be super admin" in resp.json()["detail"]
diff --git a/test/test_auth_user.py b/test/test_auth_user.py
deleted file mode 100644
index 3d2f6ce..0000000
--- a/test/test_auth_user.py
+++ /dev/null
@@ -1,28 +0,0 @@
-"""
-This testing module removes the testing user override to verify that endpoints with only the user requirement return a 401 error when not logged in
-"""
-
-import pytest
-from httpx import AsyncClient
-
-
-pytestmark = [
- pytest.mark.auth,
- pytest.mark.user,
-]
-
-
-@pytest.mark.anyio
-async def test_get_self_db_auth_user(no_user_client: AsyncClient):
- resp = await no_user_client.get("/user/self/db")
- assert resp.status_code != 422
- assert resp.status_code == 401
- assert resp.json()["detail"] == "Not authenticated"
-
-
-@pytest.mark.anyio
-async def test_post_org_success_auth_user(no_user_client: AsyncClient):
- resp = await no_user_client.post("/org", json={"name": "New Test Org"})
- assert resp.status_code != 422
- assert resp.status_code == 401
- assert resp.json()["detail"] == "Not authenticated"