diff --git a/test/test_auth_root.py b/test/test_auth_root.py new file mode 100644 index 0000000..ea7abd9 --- /dev/null +++ b/test/test_auth_root.py @@ -0,0 +1,154 @@ +""" +This module ensures root user only endpoints do return a correctly formatted 401 when user is not the root user for the org +DELETE endpoints are not tested +""" +import pytest +from httpx import AsyncClient + +from .conftest import no_su_client + +from src.organisation.models import Organisation as Org +from src.user.models import User +from src.iam.models import Group + + +@pytest.fixture(autouse=True) +def add_second_org(db_session): + db_session.add(User(email="admin@test.org", first_name="Admin", last_name="Test", oidc_id="abcd-efgh-ijkl-4321")) + db_session.flush() + db_session.add(Org(name="Test Org Two", root_user_id=2, billing_contact_id=1, owner_contact_id=2, security_contact_id=3, + status="approved", intake_questionnaire={})) + db_session.flush() + + +@pytest.mark.anyio +async def test_get_org_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.get("/org?org_id=2") + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_patch_org_questionnaire_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.patch("/org/questionnaire", json={"organisation_id": 2, + "intake_questionnaire": {"question_one": "new answer one", + "question_two": None, + "question_three": None}, + "partial": True}) + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_get_org_users_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.get("/org/users?org_id=2") + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_post_org_user_auth_root(no_su_client: AsyncClient, db_session): + db_session.add(User(email="user@test.org", first_name="User", last_name="Test", oidc_id="abcd-efgh-ijkl-1234")) + db_session.flush() + + resp = await no_su_client.post("/org/user", json={"organisation_id": 2, "user_id": 2}) + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_get_org_groups_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.get("/org/groups?org_id=2") + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_get_org_contact_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.get(f"/org/contact?org_id=2&contact_type=billing") + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_patch_org_contact_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.patch("/org/contact", + json={"organisation_id": 2, "contact_type": "billing", "email": "user@example.com"}) + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_get_service_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.get("/service/?org_id=2") + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_get_iam_group_permissions_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.get("/iam/group/permissions?org_id=2&group_id=1") + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_get_iam_group_users_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.get("/iam/group/users?org_id=2&group_id=1") + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_post_iam_group_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.post("/iam/group", json={"name": "New Group", "organisation_id": 2}) + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_put_iam_group_permission_auth_root(no_su_client: AsyncClient, db_session): + db_session.add(Group(name="Test Group Two", org_id=2)) + db_session.flush() + resp = await no_su_client.put("/iam/group/permission", json={"permission_id": 1, "group_id": 2, "organisation_id": 2}) + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_put_iam_group_user_auth_root(no_su_client: AsyncClient, db_session): + db_session.add(User(email="user@test.org", first_name="User", last_name="Test", oidc_id="abcd-efgh-ijkl-1234")) + db_session.flush() + + resp = await no_su_client.put("/iam/group/user", json={"user_id": 2, "group_id": 1, "organisation_id": 2}) + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_get_iam_permissions_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.get("/iam/permissions?org_id=2") + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"] + + +@pytest.mark.anyio +async def test_post_iam_permissions_search_auth_root(no_su_client: AsyncClient): + resp = await no_su_client.post("/iam/permissions/search", json={"organisation_id": 2, "action": "read"}) + assert resp.status_code != 422 + assert resp.status_code == 401 + assert "Must be the org's root user" in resp.json()["detail"]