""" This module ensures root user only endpoints do return a correctly formatted 401 when user is not the root user for the org DELETE endpoints are not tested """ import pytest from httpx import AsyncClient from src.organisation.models import Organisation as Org from src.user.models import User from src.iam.models import Group @pytest.fixture(autouse=True) def add_second_org(db_session): db_session.add( User( email="admin@test.org", first_name="Admin", last_name="Test", oidc_id="abcd-efgh-ijkl-4321", ) ) db_session.flush() db_session.add( Org( name="Test Org Two", root_user_id=2, billing_contact_id=1, owner_contact_id=2, security_contact_id=3, status="approved", intake_questionnaire={}, ) ) db_session.flush() @pytest.mark.anyio async def test_get_org_auth_root(no_su_client: AsyncClient): resp = await no_su_client.get("/org?org_id=2") assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_patch_org_questionnaire_auth_root(no_su_client: AsyncClient): resp = await no_su_client.patch( "/org/questionnaire", json={ "organisation_id": 2, "intake_questionnaire": { "question_one": "new answer one", "question_two": None, "question_three": None, }, "partial": True, }, ) assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_get_org_users_auth_root(no_su_client: AsyncClient): resp = await no_su_client.get("/org/users?org_id=2") assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_post_org_user_auth_root(no_su_client: AsyncClient, db_session): db_session.add( User( email="user@test.org", first_name="User", last_name="Test", oidc_id="abcd-efgh-ijkl-1234", ) ) db_session.flush() resp = await no_su_client.post( "/org/user", json={"organisation_id": 2, "user_id": 2} ) assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_get_org_groups_auth_root(no_su_client: AsyncClient): resp = await no_su_client.get("/org/groups?org_id=2") assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_get_org_contact_auth_root(no_su_client: AsyncClient): resp = await no_su_client.get("/org/contact?org_id=2&contact_type=billing") assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_patch_org_contact_auth_root(no_su_client: AsyncClient): resp = await no_su_client.patch( "/org/contact", json={ "organisation_id": 2, "contact_type": "billing", "email": "user@example.com", }, ) assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_get_service_auth_root(no_su_client: AsyncClient): resp = await no_su_client.get("/service/?org_id=2") assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_get_iam_group_permissions_auth_root(no_su_client: AsyncClient): resp = await no_su_client.get("/iam/group/permissions?org_id=2&group_id=1") assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_get_iam_group_users_auth_root(no_su_client: AsyncClient): resp = await no_su_client.get("/iam/group/users?org_id=2&group_id=1") assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_post_iam_group_auth_root(no_su_client: AsyncClient): resp = await no_su_client.post( "/iam/group", json={"name": "New Group", "organisation_id": 2} ) assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_put_iam_group_permission_auth_root( no_su_client: AsyncClient, db_session ): db_session.add(Group(name="Test Group Two", org_id=2)) db_session.flush() resp = await no_su_client.put( "/iam/group/permission", json={"permission_id": 1, "group_id": 2, "organisation_id": 2}, ) assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_put_iam_group_user_auth_root(no_su_client: AsyncClient, db_session): db_session.add( User( email="user@test.org", first_name="User", last_name="Test", oidc_id="abcd-efgh-ijkl-1234", ) ) db_session.flush() resp = await no_su_client.put( "/iam/group/user", json={"user_id": 2, "group_id": 1, "organisation_id": 2} ) assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_get_iam_permissions_auth_root(no_su_client: AsyncClient): resp = await no_su_client.get("/iam/permissions?org_id=2") assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"] @pytest.mark.anyio async def test_post_iam_permissions_search_auth_root(no_su_client: AsyncClient): resp = await no_su_client.post( "/iam/permissions/search", json={"organisation_id": 2, "action": "read"} ) assert resp.status_code != 422 assert resp.status_code == 401 assert "Must be the org's root user" in resp.json()["detail"]