From c8024daa97eeac5600089109655a6540c3c79617 Mon Sep 17 00:00:00 2001 From: luxferre Date: Thu, 4 Jun 2026 14:53:35 +0100 Subject: [PATCH 1/5] minor: renames and error messages --- src/iam/router.py | 14 +++++++------- src/iam/service.py | 5 +++-- test/test_auth_user.py | 4 ++-- 3 files changed, 12 insertions(+), 11 deletions(-) diff --git a/src/iam/router.py b/src/iam/router.py index 2895baa..e360615 100644 --- a/src/iam/router.py +++ b/src/iam/router.py @@ -75,20 +75,20 @@ async def can_act_on_resource(valid_key: service_key_dependency, db: db_dependen else: return False except Exception: - raise UnauthorizedException() + return False @router.get("/group/permissions", response_model=IAMGetGroupPermissionsResponse) async def get_group_permissions(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency): if group_model.org_id != org_model.id: - raise UnauthorizedException() + raise UnauthorizedException("Group does not belong to this organization") return {"permissions": group_model.permission_rel} @router.get("/group/users", response_model=IAMGetGroupUsersResponse) async def get_group_users(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency): if group_model.org_id != org_model.id: - raise UnauthorizedException() + raise UnauthorizedException("User does not belong to this organization") return {"users": group_model.user_rel} @@ -110,7 +110,7 @@ async def create_group(db: db_dependency, org_model: org_model_root_claim_body_d @router.put("/group/permission", response_model=IAMPutGroupPermissionResponse) async def add_group_permission(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupPermissionRequest): if group_model.org_id != org_model.id: - raise UnauthorizedException() + raise UnauthorizedException("Group does not belong to this organization") if perm_model in group_model.permission_rel: raise ConflictException("Group already has this permission") @@ -126,7 +126,7 @@ async def add_group_permission(db: db_dependency, group_model: group_model_body_ @router.put("/group/user", response_model=IAMPutGroupUserResponse) async def add_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMPutGroupUserRequest): if group_model.org_id != org_model.id: - raise UnauthorizedException() + raise UnauthorizedException("Group does not belong to this organization") if user_model in group_model.user_rel: raise ConflictException("User already in group") @@ -141,7 +141,7 @@ async def add_group_user(db: db_dependency, group_model: group_model_body_depend @router.delete("/group/permissions") async def remove_group_permissions(db: db_dependency, group_model: group_model_body_dependency, perm_model: perm_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupPermissionRequest): if group_model.org_id != org_model.id: - raise UnauthorizedException() + raise UnauthorizedException("Group does not belong to this organization") group_model.permission_rel.remove(perm_model) db.flush() @@ -154,7 +154,7 @@ async def remove_group_permissions(db: db_dependency, group_model: group_model_b @router.delete("/group/user") async def remove_group_user(db: db_dependency, group_model: group_model_body_dependency, user_model: user_model_body_dependency, org_model: org_model_root_claim_body_dependency, request_model: IAMDeleteGroupUserRequest): if group_model.org_id != org_model.id: - raise UnauthorizedException() + raise UnauthorizedException("Group does not belong to this organization") user_model.group_rel.remove(group_model) db.flush() diff --git a/src/iam/service.py b/src/iam/service.py index b1d416b..d887bfd 100644 --- a/src/iam/service.py +++ b/src/iam/service.py @@ -9,6 +9,7 @@ from typing import Annotated from src.service.models import Service from src.database import db_dependency from src.schemas import ResourceName +from src.auth.exceptions import UnauthorizedException from fastapi import HTTPException, status, Request, Depends @@ -16,11 +17,11 @@ from fastapi import HTTPException, status, Request, Depends def valid_service_key(db: db_dependency, request: Request, rn: ResourceName) -> bool: api_key = request.headers.get("X-API-Key", None) if not api_key: - raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED) + raise UnauthorizedException("Missing API key") service = rn.service result = db.query(Service).filter(Service.name == service).filter(Service.api_key == api_key).first() if result is None: - raise HTTPException(status_code=status.HTTP_401_UNAUTHORIZED) + raise UnauthorizedException("Invalid API key") return True diff --git a/test/test_auth_user.py b/test/test_auth_user.py index e5ce189..c219dcb 100644 --- a/test/test_auth_user.py +++ b/test/test_auth_user.py @@ -8,7 +8,7 @@ from .conftest import no_user_client @pytest.mark.anyio -async def test_get_self_db(no_user_client: AsyncClient): +async def test_get_self_db_auth_user(no_user_client: AsyncClient): resp = await no_user_client.get("/user/self/db") assert resp.status_code != 422 assert resp.status_code == 401 @@ -16,7 +16,7 @@ async def test_get_self_db(no_user_client: AsyncClient): @pytest.mark.anyio -async def test_post_org_success(no_user_client: AsyncClient): +async def test_post_org_success_auth_user(no_user_client: AsyncClient): resp = await no_user_client.post("/org", json={"name": "New Test Org"}) assert resp.status_code != 422 assert resp.status_code == 401 From f600664789aabc4bef05fd9f51570d847991c9e7 Mon Sep 17 00:00:00 2001 From: luxferre Date: Fri, 5 Jun 2026 09:10:55 +0100 Subject: [PATCH 2/5] tests: improved coverage --- src/iam/router.py | 2 +- src/organisation/router.py | 4 +- test/test_auth_general.py | 26 +++++++ test/test_iam.py | 140 +++++++++++++++++++++++++++++++++++-- test/test_organisation.py | 17 ++++- 5 files changed, 178 insertions(+), 11 deletions(-) create mode 100644 test/test_auth_general.py diff --git a/src/iam/router.py b/src/iam/router.py index e360615..ce0074e 100644 --- a/src/iam/router.py +++ b/src/iam/router.py @@ -88,7 +88,7 @@ async def get_group_permissions(group_model: group_model_query_dependency, org_m @router.get("/group/users", response_model=IAMGetGroupUsersResponse) async def get_group_users(group_model: group_model_query_dependency, org_model: org_model_root_claim_query_dependency): if group_model.org_id != org_model.id: - raise UnauthorizedException("User does not belong to this organization") + raise UnauthorizedException("Group does not belong to this organization") return {"users": group_model.user_rel} diff --git a/src/organisation/router.py b/src/organisation/router.py index a9672b1..8e8bd36 100644 --- a/src/organisation/router.py +++ b/src/organisation/router.py @@ -137,8 +137,6 @@ async def update_questionnaire(db: db_dependency, org_model: org_model_root_clai if hasattr(questionnaire_model, key): setattr(questionnaire_model, key, value) else: - if key == "partial" or key == "organisation_id": - continue raise UnprocessableContentException("Invalid keys in update request") # Allows for partially completed questionnaires to be saved without being submitted for review @@ -241,7 +239,7 @@ async def update_root_user(db: db_dependency, org_model: org_model_body_dependen Promotes an existing organisation user to the root user, giving them full control of the org. """ if user_model not in org_model.user_rel: - raise UnauthorizedException(message="This user does not belong to your organisation.") + raise UnprocessableContentException(message="This user does not belong to your organisation.") org_model.root_user_rel = user_model db.flush() response = OrgPatchRootResponse(name=org_model.name, root_user_email=org_model.root_user_email) diff --git a/test/test_auth_general.py b/test/test_auth_general.py new file mode 100644 index 0000000..533307b --- /dev/null +++ b/test/test_auth_general.py @@ -0,0 +1,26 @@ +""" +""" +import pytest +from httpx import AsyncClient + +from .conftest import no_su_client + +from src.organisation.models import Organisation as Org +from src.user.models import User +from src.iam.models import Group + + +@pytest.mark.anyio +async def test_get_org_auth_root_su(default_client: AsyncClient, db_session): + # If a super admin can access a resource when not the root user + db_session.add(User(email="admin@test.org", first_name="Admin", last_name="Test", oidc_id="abcd-efgh-ijkl-4321")) + db_session.flush() + db_session.add( + Org(name="Test Org Two", root_user_id=2, billing_contact_id=1, owner_contact_id=2, security_contact_id=3, + status="approved", intake_questionnaire={})) + db_session.flush() + + resp = await default_client.get("/org?org_id=2") + assert resp.status_code != 422 + assert resp.status_code == 200 + assert resp.json()["name"] == "Test Org Two" diff --git a/test/test_iam.py b/test/test_iam.py index 2d85925..fa52a0b 100644 --- a/test/test_iam.py +++ b/test/test_iam.py @@ -5,10 +5,11 @@ import pytest from httpx import AsyncClient from src.user.models import User -from .conftest import default_client, db_session - +from src.organisation.models import Organisation as Org from src.iam.models import Group +from .conftest import default_client, db_session + @pytest.mark.anyio async def test_post_act_on_resource_endpoint_success(default_client: AsyncClient): @@ -28,7 +29,48 @@ async def test_post_act_on_resource_endpoint_success(default_client: AsyncClient assert data == True +@pytest.mark.parametrize( + "service, api_key", + [ + ("Test Service", "not_the_correct_key"), + ("Test Service Two", "123456789") + ], +) @pytest.mark.anyio +async def test_act_on_resource_wrong_key(default_client: AsyncClient, db_session, service: str, api_key: str): + body = { + "service": service, + "organisation": "Test Org", + "resource": "test_resource" + } + headers = { + "Authorization": "Bearer not_checked_when_auth_is_disabled", + "X-API-Key": api_key + } + resp = await default_client.post("/iam/can_act_on_resource?action=read", json=body, headers=headers) + data = resp.json() + + assert resp.status_code == 401 + assert data["detail"] == "Invalid API key" + + +@pytest.mark.anyio +async def test_act_on_resource_missing_key(default_client: AsyncClient): + body = { + "service": "Test Service", + "organisation": "Test Org", + "resource": "test_resource" + } + headers = { + "Authorization": "Bearer not_checked_when_auth_is_disabled" + } + resp = await default_client.post("/iam/can_act_on_resource?action=read", json=body, headers=headers) + data = resp.json() + + assert resp.status_code == 401 + assert data["detail"] == "Missing API key" + + @pytest.mark.parametrize( "service, org, resource, action, expected_status", [ @@ -41,7 +83,7 @@ async def test_post_act_on_resource_endpoint_success(default_client: AsyncClient ], ) @pytest.mark.anyio -async def test_post_act_on_resource_endpoint_failure(default_client: AsyncClient, service, org, resource, action, +async def test_act_on_resource_endpoint_failure(default_client: AsyncClient, service, org, resource, action, expected_status: int): body = { "service": service, @@ -57,6 +99,34 @@ async def test_post_act_on_resource_endpoint_failure(default_client: AsyncClient assert resp.status_code == expected_status +@pytest.mark.parametrize( + "service, org, resource, action, expected_response", + [ + ("Test Service", "Test Org", "test_resource", "read", True), + ("Test Service", "Test Org", "test_resource", "create", False), + ("Test Service", "Test Org", "no_access_here", "read", False), + ("Test Service", "Test Org Two", "test_resource", "read", False), + ], +) +@pytest.mark.anyio +async def test_act_on_resource_logic(default_client: AsyncClient, db_session, service, org, resource, action, + expected_response: bool): + body = { + "service": service, + "organisation": org, + "resource": resource + } + headers = { + "Authorization": "Bearer not_checked_when_auth_is_disabled", + "X-API-Key": "123456789" + } + resp = await default_client.post(f"/iam/can_act_on_resource?action={action}", json=body, headers=headers) + data = resp.json() + + assert resp.status_code == 200 + assert data == expected_response + + @pytest.mark.anyio async def test_get_group_permissions_success(default_client: AsyncClient): resp = await default_client.get("/iam/group/permissions?org_id=1&group_id=1") @@ -73,14 +143,16 @@ async def test_get_group_permissions_success(default_client: AsyncClient): @pytest.mark.parametrize( "query, expected_status", [ - ("org_id=2&group_id=1", 404), # Non-exists org, valid group + ("org_id=42&group_id=1", 404), # Non-exists org, valid group ("org_id=banana&group_id=1", 422), # Invalid org, valid group ("org_id=&group_id=1", 422), # Blank org, valid group ("org_id=-1&group_id=1", 422), # Negative org, valid group ("group_id=1", 422), # Only group + ("org_id=1&group_id=2", 404), # Group/Org mismatch + ("org_id=2&group_id=1", 404), # Group/Org mismatch ("", 422), # Blank query ("org_id=&group_id=", 422), # Both blank - ("org_id=1&group_id=2", 404), # Valid org, non-exists group + ("org_id=1&group_id=42", 404), # Valid org, non-exists group ("org_id=1&group_id=banana", 422), # Valid org, invalid group ("org_id=1&group_id=", 422), # Valid org, blank group ("org_id=1&group_id=-1", 422), # Valid org, negative group @@ -88,12 +160,30 @@ async def test_get_group_permissions_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_get_group_permissions_failure(default_client: AsyncClient, query: str, expected_status: int): +async def test_get_group_permissions_failure(default_client: AsyncClient, db_session, query: str, expected_status: int): resp = await default_client.get(f"/iam/group/permissions?{query}") assert resp.status_code == expected_status +@pytest.mark.parametrize( + "query", + [ + "org_id=1&group_id=2", + "org_id=2&group_id=1", + ], +) +@pytest.mark.anyio +async def test_get_group_permissions_mismatch(default_client: AsyncClient, db_session, query: str): + db_session.add(Org(name="Another Test Org", root_user_id=1, billing_contact_id=1, owner_contact_id=2, security_contact_id=3, status="approved")) + db_session.add(Group(name="Another Test Group", org_id=2)) + db_session.flush() + resp = await default_client.get(f"/iam/group/permissions?{query}") + + assert resp.status_code == 401 + assert resp.json()["detail"] == "Group does not belong to this organization" + + @pytest.mark.anyio async def test_get_group_users_success(default_client: AsyncClient): resp = await default_client.get("/iam/group/users?org_id=1&group_id=1") @@ -132,6 +222,24 @@ async def test_get_group_users_failure(default_client: AsyncClient, query: str, assert resp.status_code == expected_status +@pytest.mark.parametrize( + "query", + [ + "org_id=1&group_id=2", + "org_id=2&group_id=1", + ], +) +@pytest.mark.anyio +async def test_get_group_users_mismatch(default_client: AsyncClient, db_session, query: str): + db_session.add(Org(name="Another Test Org", root_user_id=1, billing_contact_id=1, owner_contact_id=2, security_contact_id=3, status="approved")) + db_session.add(Group(name="Another Test Group", org_id=2)) + db_session.flush() + resp = await default_client.get(f"/iam/group/users?{query}") + + assert resp.status_code == 401 + assert resp.json()["detail"] == "Group does not belong to this organization" + + @pytest.mark.anyio async def test_post_group_success(default_client: AsyncClient): resp = await default_client.post("/iam/group", json={"name": "New Group", "organisation_id": 1}) @@ -214,6 +322,8 @@ async def test_put_group_perm_success(default_client: AsyncClient, db_session): ({"group_id": 1, "permission_id": 1}, 422), # Missing organisation ({"organisation_id": 1, "group_id": 1}, 422), # Missing permission + ({"organisation_id": 1, "group_id": 1, "permission_id": 1}, 409), # Permission already in group + ], ) @pytest.mark.anyio @@ -223,6 +333,24 @@ async def test_put_group_perm_failure(default_client: AsyncClient, body: dict[st assert resp.status_code == expected_status +@pytest.mark.parametrize( + "body", + [ + {"organisation_id": 1, "group_id": 2, "permission_id": 1}, + {"organisation_id": 2, "group_id": 1, "permission_id": 1}, + ], +) +@pytest.mark.anyio +async def test_put_group_perm_mismatch(default_client: AsyncClient, db_session, body: dict): + db_session.add(Org(name="Another Test Org", root_user_id=1, billing_contact_id=1, owner_contact_id=2, security_contact_id=3, status="approved")) + db_session.add(Group(name="Another Test Group", org_id=2)) + db_session.flush() + resp = await default_client.put(f"/iam/group/permission", json=body) + + assert resp.status_code == 401 + assert resp.json()["detail"] == "Group does not belong to this organization" + + @pytest.mark.anyio async def test_put_group_user_success(default_client: AsyncClient, db_session): db_session.add(User(email="user@test.org", first_name="User", last_name="Test", oidc_id="abcd-efgh-ijkl-1234")) diff --git a/test/test_organisation.py b/test/test_organisation.py index 83f5074..bde5df0 100644 --- a/test/test_organisation.py +++ b/test/test_organisation.py @@ -201,10 +201,11 @@ async def test_post_org_user_success(default_client: AsyncClient, db_session): ({"organisation_id": 1, "user_id": "id"}, 422), ({"user_id": 2}, 422), ({"organisation_id": 1, "user_id": 42}, 404), + ({"organisation_id": 1, "user_id": 1}, 409), ], ) @pytest.mark.anyio -async def test_post_org_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int, db_session): +async def test_post_org_user_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int, db_session): db_session.add(User(email="user@test.org", first_name="User", last_name="Test", oidc_id="abcd-efgh-ijkl-1234")) db_session.flush() @@ -252,6 +253,18 @@ async def test_patch_root_user_failure(default_client: AsyncClient, body: dict[s assert resp.status_code == expected_status +@pytest.mark.anyio +async def test_patch_org_root_user_non_member(default_client: AsyncClient, db_session): + db_session.add(User(email="user@test.org", first_name="User", last_name="Test", oidc_id="abcd-efgh-ijkl-1234")) + db_session.flush() + + resp = await default_client.patch("/org/root_user", json={"organisation_id": 1, "user_id": 2}) + data = resp.json() + + assert resp.status_code == 422 + assert data["detail"] == "This user does not belong to your organisation." + + @pytest.mark.anyio async def test_get_org_groups_success(default_client: AsyncClient): resp = await default_client.get("/org/groups?org_id=1") @@ -367,6 +380,8 @@ async def test_patch_org_contact_success(default_client: AsyncClient, key: str, "body, expected_status", [ ({"organisation_id": 42, "contact_type": "billing"}, 404), + ({"organisation_id": 1, "contact_type": "security"}, 200), + ({"organisation_id": 1, "contact_type": "owner"}, 200), ({"organisation_id": "Test Org", "contact_type": "billing"}, 422), ({"organisation_id": "", "contact_type": "billing"}, 422), ({}, 422), From b8b39188f636cdc5831e902db64000a6bc330893 Mon Sep 17 00:00:00 2001 From: luxferre Date: Fri, 5 Jun 2026 09:22:44 +0100 Subject: [PATCH 3/5] tests/minor: rename test functions `_failure` in name wasn't necessarily an accurate descriptor for parameterized testing with expected statuses. `_status_checks` used instead. --- test/test_iam.py | 19 +++++++++---------- test/test_organisation.py | 20 ++++++++++---------- test/test_service.py | 6 +++--- test/test_user.py | 4 ++-- 4 files changed, 24 insertions(+), 25 deletions(-) diff --git a/test/test_iam.py b/test/test_iam.py index fa52a0b..de505f1 100644 --- a/test/test_iam.py +++ b/test/test_iam.py @@ -1,5 +1,4 @@ """ -Act on resource tests only check for pass/fail on input validation. Logic is not tested. """ import pytest from httpx import AsyncClient @@ -83,7 +82,7 @@ async def test_act_on_resource_missing_key(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_act_on_resource_endpoint_failure(default_client: AsyncClient, service, org, resource, action, +async def test_act_on_resource_endpoint_status_checks(default_client: AsyncClient, service, org, resource, action, expected_status: int): body = { "service": service, @@ -160,7 +159,7 @@ async def test_get_group_permissions_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_get_group_permissions_failure(default_client: AsyncClient, db_session, query: str, expected_status: int): +async def test_get_group_permissions_status_checks(default_client: AsyncClient, db_session, query: str, expected_status: int): resp = await default_client.get(f"/iam/group/permissions?{query}") assert resp.status_code == expected_status @@ -216,7 +215,7 @@ async def test_get_group_users_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_get_group_users_failure(default_client: AsyncClient, query: str, expected_status: int): +async def test_get_group_users_status_checks(default_client: AsyncClient, query: str, expected_status: int): resp = await default_client.get(f"/iam/group/users?{query}") assert resp.status_code == expected_status @@ -269,7 +268,7 @@ async def test_post_group_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_post_group_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_post_group_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.post("/iam/group", json=body) assert resp.status_code == expected_status @@ -327,7 +326,7 @@ async def test_put_group_perm_success(default_client: AsyncClient, db_session): ], ) @pytest.mark.anyio -async def test_put_group_perm_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_put_group_perm_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.put("/iam/group/permission", json=body) assert resp.status_code == expected_status @@ -403,7 +402,7 @@ async def test_put_group_user_success(default_client: AsyncClient, db_session): ], ) @pytest.mark.anyio -async def test_put_group_user_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_put_group_user_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.put("/iam/group/user", json=body) assert resp.status_code == expected_status @@ -433,7 +432,7 @@ async def test_get_permissions_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_get_permissions_failure(default_client: AsyncClient, query: str, expected_status: int): +async def test_get_permissions_status_checks(default_client: AsyncClient, query: str, expected_status: int): resp = await default_client.get(f"/iam/permissions?{query}") assert resp.status_code == expected_status @@ -479,7 +478,7 @@ async def test_post_perm_success(default_client: AsyncClient, db_session): ], ) @pytest.mark.anyio -async def test_post_perm_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_post_perm_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.post("/iam/permission", json=body) assert resp.status_code == expected_status @@ -536,7 +535,7 @@ async def test_post_perm_search_success(default_client: AsyncClient, db_session, ], ) @pytest.mark.anyio -async def test_post_perm_search_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_post_perm_search_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.post("/iam/permissions/search", json=body) assert resp.status_code == expected_status diff --git a/test/test_organisation.py b/test/test_organisation.py index bde5df0..3fc6a3c 100644 --- a/test/test_organisation.py +++ b/test/test_organisation.py @@ -32,7 +32,7 @@ async def test_get_org_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_get_org_failure(default_client: AsyncClient, query: str, expected_status: int): +async def test_get_org_status_checks(default_client: AsyncClient, query: str, expected_status: int): resp = await default_client.get(f"/org?{query}") assert resp.status_code == expected_status @@ -57,7 +57,7 @@ async def test_post_org_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_post_org_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_post_org_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.post("/org", json=body) assert resp.status_code == expected_status @@ -93,7 +93,7 @@ async def test_patch_org_questionnaire_partial_success(default_client: AsyncClie ], ) @pytest.mark.anyio -async def test_patch_questionnaire_partial_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_patch_questionnaire_partial_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.patch("/org/questionnaire", json=body) assert resp.status_code == expected_status @@ -142,7 +142,7 @@ async def test_patch_org_status_success(default_client: AsyncClient, status: str ], ) @pytest.mark.anyio -async def test_patch_org_status_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_patch_org_status_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.patch("/org/status", json=body) assert resp.status_code == expected_status @@ -173,7 +173,7 @@ async def test_get_org_users_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_get_org_users_failure(default_client: AsyncClient, query: str, expected_status: int): +async def test_get_org_users_status_checks(default_client: AsyncClient, query: str, expected_status: int): resp = await default_client.get(f"/org/users?{query}") assert resp.status_code == expected_status @@ -205,7 +205,7 @@ async def test_post_org_user_success(default_client: AsyncClient, db_session): ], ) @pytest.mark.anyio -async def test_post_org_user_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int, db_session): +async def test_post_org_user_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int, db_session): db_session.add(User(email="user@test.org", first_name="User", last_name="Test", oidc_id="abcd-efgh-ijkl-1234")) db_session.flush() @@ -242,7 +242,7 @@ async def test_patch_org_root_user_success(default_client: AsyncClient, db_sessi ], ) @pytest.mark.anyio -async def test_patch_root_user_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int, db_session): +async def test_patch_root_user_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int, db_session): db_session.add(User(email="user@test.org", first_name="User", last_name="Test", oidc_id="abcd-efgh-ijkl-1234")) db_session.flush() db_session.add(OrgUsers(org_id=1, user_id=2)) @@ -285,7 +285,7 @@ async def test_get_org_groups_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_get_org_groups_failure(default_client: AsyncClient, query: str, expected_status: int): +async def test_get_org_groups_status_checks(default_client: AsyncClient, query: str, expected_status: int): resp = await default_client.get(f"/org/groups?{query}") assert resp.status_code == expected_status @@ -339,7 +339,7 @@ async def test_get_org_contact_success(default_client: AsyncClient, contact_type ], ) @pytest.mark.anyio -async def test_get_org_contact_failure(default_client: AsyncClient, query: str, expected_status: int): +async def test_get_org_contact_status_checks(default_client: AsyncClient, query: str, expected_status: int): resp = await default_client.get(f"/org/contact?{query}") assert resp.status_code == expected_status @@ -391,7 +391,7 @@ async def test_patch_org_contact_success(default_client: AsyncClient, key: str, ], ) @pytest.mark.anyio -async def test_patch_org_status_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_patch_org_status_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.patch("/org/contact", json=body) assert resp.status_code == expected_status diff --git a/test/test_service.py b/test/test_service.py index ede39a8..b98095b 100644 --- a/test/test_service.py +++ b/test/test_service.py @@ -27,7 +27,7 @@ async def test_get_services_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_get_services_failure(default_client: AsyncClient, query: str, expected_status: int): +async def test_get_services_status_checks(default_client: AsyncClient, query: str, expected_status: int): resp = await default_client.get(f"/service/?{query}") assert resp.status_code == expected_status @@ -53,7 +53,7 @@ async def test_post_service_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_post_services_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_post_services_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.post("/service/", json=body) assert resp.status_code == expected_status @@ -81,7 +81,7 @@ async def test_patch_service_success(default_client: AsyncClient): ], ) @pytest.mark.anyio -async def test_patch_services_failure(default_client: AsyncClient, body: dict[str, str], expected_status: int): +async def test_patch_services_status_checks(default_client: AsyncClient, body: dict[str, str], expected_status: int): resp = await default_client.patch("/service/key", json=body) assert resp.status_code == expected_status diff --git a/test/test_user.py b/test/test_user.py index bda6912..f8ad0d1 100644 --- a/test/test_user.py +++ b/test/test_user.py @@ -9,7 +9,7 @@ from httpx import AsyncClient from .conftest import default_client @pytest.mark.anyio -async def test_get_self_db(default_client: AsyncClient): +async def test_get_self_db_success(default_client: AsyncClient): resp = await default_client.get("/user/self/db") data = resp.json() @@ -44,7 +44,7 @@ async def test_get_user_success(default_client: AsyncClient): ("", 422), ], ) -async def test_get_user_fail(default_client: AsyncClient, query: str, expected_status: int): +async def test_get_user_status_checks(default_client: AsyncClient, query: str, expected_status: int): resp = await default_client.get(f"/user/?{query}") assert resp.status_code == expected_status From 29245e5c137aecff74ca6f34d27d476cf8821d2a Mon Sep 17 00:00:00 2001 From: luxferre Date: Fri, 5 Jun 2026 09:31:56 +0100 Subject: [PATCH 4/5] tests: questionnaire submission test Assertion to verify that None type question answers don't overwrite preexisting answers. --- test/test_organisation.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/test/test_organisation.py b/test/test_organisation.py index 3fc6a3c..d0bf0ff 100644 --- a/test/test_organisation.py +++ b/test/test_organisation.py @@ -112,7 +112,7 @@ async def test_patch_org_questionnaire_submit_success(default_client: AsyncClien assert data["name"] == "Test Org" assert data["intake_questionnaire"]["question_one"] == "new answer one" assert data["status"] == "submitted" - # assert type(data["intake_questionnaire"]["question_two"]) == str + assert data["intake_questionnaire"]["question_two"] == "answer two" assert data["intake_questionnaire"]["question_three"] is None From d3d93167412c8b2570ba4d58f960a344351bfc75 Mon Sep 17 00:00:00 2001 From: luxferre Date: Fri, 5 Jun 2026 12:17:32 +0100 Subject: [PATCH 5/5] tests: query generator --- test/conftest.py | 35 ++++++++++++++++++++++++++++++++ test/test_iam.py | 42 ++++----------------------------------- test/test_organisation.py | 20 ++++--------------- test/test_service.py | 8 ++------ test/test_user.py | 9 ++------- 5 files changed, 47 insertions(+), 67 deletions(-) diff --git a/test/conftest.py b/test/conftest.py index 416dcc6..26a4f64 100644 --- a/test/conftest.py +++ b/test/conftest.py @@ -1,4 +1,5 @@ from typing import AsyncGenerator +from itertools import combinations import pytest from httpx import AsyncClient, ASGITransport @@ -95,6 +96,40 @@ def _seed(db): group_model.user_rel.append(user_model) db.commit() + +def generate_query_and_status(params) -> list[tuple[str, int]]: + possible_values = [0, -1, 42, "banana", ""] + + defaults = [f"{param}=1" for param in params] + + # Missing params + query_list = [ + "&".join(combo) + for r in range(len(defaults) + 1) + for combo in combinations(defaults, r) + ] + + # Complete query as default for invalid checks + default_query = query_list.pop(-1) + + # Checks for each param being invalid + for param in params: + for value in possible_values: + new_value = f"&{param}={value}" + query_list.append(default_query.replace(f"{param}=1", new_value)) + + query_and_status = [] + + # Assign expected status + for query in query_list: + # ID 42 is used to represent a non-existent entry. So it should 404. + status = 404 if "42" in query else 422 + # Remove leading "&" if present + query = query if len(query) > 1 and query[0] != "&" else query[1:] + query_and_status.append((query, status)) + + return query_and_status + # # Produces a text file with method and path for every endpoint in the API # from fastapi.routing import APIRoute # diff --git a/test/test_iam.py b/test/test_iam.py index de505f1..70fbf6d 100644 --- a/test/test_iam.py +++ b/test/test_iam.py @@ -7,7 +7,7 @@ from src.user.models import User from src.organisation.models import Organisation as Org from src.iam.models import Group -from .conftest import default_client, db_session +from .conftest import default_client, db_session, generate_query_and_status @pytest.mark.anyio @@ -141,22 +141,7 @@ async def test_get_group_permissions_success(default_client: AsyncClient): @pytest.mark.parametrize( "query, expected_status", - [ - ("org_id=42&group_id=1", 404), # Non-exists org, valid group - ("org_id=banana&group_id=1", 422), # Invalid org, valid group - ("org_id=&group_id=1", 422), # Blank org, valid group - ("org_id=-1&group_id=1", 422), # Negative org, valid group - ("group_id=1", 422), # Only group - ("org_id=1&group_id=2", 404), # Group/Org mismatch - ("org_id=2&group_id=1", 404), # Group/Org mismatch - ("", 422), # Blank query - ("org_id=&group_id=", 422), # Both blank - ("org_id=1&group_id=42", 404), # Valid org, non-exists group - ("org_id=1&group_id=banana", 422), # Valid org, invalid group - ("org_id=1&group_id=", 422), # Valid org, blank group - ("org_id=1&group_id=-1", 422), # Valid org, negative group - ("org_id=1", 422), # Only org - ], + generate_query_and_status(["group_id", "org_id"]) ) @pytest.mark.anyio async def test_get_group_permissions_status_checks(default_client: AsyncClient, db_session, query: str, expected_status: int): @@ -199,20 +184,7 @@ async def test_get_group_users_success(default_client: AsyncClient): @pytest.mark.parametrize( "query, expected_status", - [ - ("org_id=2&group_id=1", 404), # Non-exists org, valid group - ("org_id=banana&group_id=1", 422), # Invalid org, valid group - ("org_id=&group_id=1", 422), # Blank org, valid group - ("org_id=-1&group_id=1", 422), # Negative org, valid group - ("group_id=1", 422), # Only group - ("", 422), # Blank query - ("org_id=&group_id=", 422), # Both blank - ("org_id=1&group_id=2", 404), # Valid org, non-exists group - ("org_id=1&group_id=banana", 422), # Valid org, invalid group - ("org_id=1&group_id=", 422), # Valid org, blank group - ("org_id=1&group_id=-1", 422), # Valid org, negative group - ("org_id=1", 422), # Only org - ], + generate_query_and_status(["group_id", "org_id"]) ) @pytest.mark.anyio async def test_get_group_users_status_checks(default_client: AsyncClient, query: str, expected_status: int): @@ -423,13 +395,7 @@ async def test_get_permissions_success(default_client: AsyncClient): @pytest.mark.parametrize( "query, expected_status", - [ - ("org_id=42", 404), # Non-exists org - ("org_id=banana", 422), # Invalid org - ("org_id=", 422), # Blank org - ("org_id=-1", 422), # Negative org - ("", 422), # Blank query - ], + generate_query_and_status(["org_id"]) ) @pytest.mark.anyio async def test_get_permissions_status_checks(default_client: AsyncClient, query: str, expected_status: int): diff --git a/test/test_organisation.py b/test/test_organisation.py index d0bf0ff..8e697e7 100644 --- a/test/test_organisation.py +++ b/test/test_organisation.py @@ -6,7 +6,7 @@ from httpx import AsyncClient from src.organisation.models import Organisation, OrgUsers from src.user.models import User -from .conftest import default_client +from .conftest import default_client, generate_query_and_status @pytest.mark.anyio @@ -25,11 +25,7 @@ async def test_get_org_success(default_client: AsyncClient): @pytest.mark.parametrize( "query, expected_status", - [ - ("org_id=2", 404), - ("org_id=banana", 422), - ("", 422), - ], + generate_query_and_status(["org_id"]) ) @pytest.mark.anyio async def test_get_org_status_checks(default_client: AsyncClient, query: str, expected_status: int): @@ -166,11 +162,7 @@ async def test_get_org_users_success(default_client: AsyncClient): @pytest.mark.parametrize( "query, expected_status", - [ - ("org_id=2", 404), - ("org_id=banana", 422), - ("", 422), - ], + generate_query_and_status(["org_id"]) ) @pytest.mark.anyio async def test_get_org_users_status_checks(default_client: AsyncClient, query: str, expected_status: int): @@ -278,11 +270,7 @@ async def test_get_org_groups_success(default_client: AsyncClient): @pytest.mark.parametrize( "query, expected_status", - [ - ("org_id=2", 404), - ("org_id=banana", 422), - ("", 422), - ], + generate_query_and_status(["org_id"]) ) @pytest.mark.anyio async def test_get_org_groups_status_checks(default_client: AsyncClient, query: str, expected_status: int): diff --git a/test/test_service.py b/test/test_service.py index b98095b..5a1e7ad 100644 --- a/test/test_service.py +++ b/test/test_service.py @@ -4,7 +4,7 @@ import pytest from httpx import AsyncClient -from .conftest import default_client +from .conftest import default_client, generate_query_and_status @pytest.mark.anyio @@ -20,11 +20,7 @@ async def test_get_services_success(default_client: AsyncClient): @pytest.mark.parametrize( "query, expected_status", - [ - ("org_id=2", 404), - ("org_id=banana", 422), - ("", 422), - ], + generate_query_and_status(["org_id"]) ) @pytest.mark.anyio async def test_get_services_status_checks(default_client: AsyncClient, query: str, expected_status: int): diff --git a/test/test_user.py b/test/test_user.py index f8ad0d1..bdcd500 100644 --- a/test/test_user.py +++ b/test/test_user.py @@ -6,7 +6,7 @@ import pytest from httpx import AsyncClient -from .conftest import default_client +from .conftest import default_client, generate_query_and_status @pytest.mark.anyio async def test_get_self_db_success(default_client: AsyncClient): @@ -37,12 +37,7 @@ async def test_get_user_success(default_client: AsyncClient): @pytest.mark.anyio @pytest.mark.parametrize( "query, expected_status", - [ - ("user_id=1", 200), - ("user_id=2", 404), - ("user_id=banana", 422), - ("", 422), - ], + generate_query_and_status(["user_id"]) ) async def test_get_user_status_checks(default_client: AsyncClient, query: str, expected_status: int): resp = await default_client.get(f"/user/?{query}")