195 lines
5.4 KiB
Python
195 lines
5.4 KiB
Python
"""
|
|
This module ensures root user only endpoints do return a correctly formatted 401 when user is not the root user for the org
|
|
DELETE endpoints are not tested
|
|
"""
|
|
|
|
import pytest
|
|
from httpx import AsyncClient
|
|
|
|
from src.organisation.models import Organisation as Org
|
|
from src.user.models import User
|
|
from src.iam.models import Group
|
|
|
|
|
|
pytestmark = [
|
|
pytest.mark.auth,
|
|
pytest.mark.root_user,
|
|
]
|
|
|
|
|
|
@pytest.fixture(autouse=True)
|
|
def add_second_org(db_session):
|
|
db_session.add(
|
|
User(
|
|
email="admin@test.org",
|
|
first_name="Admin",
|
|
last_name="Test",
|
|
oidc_id="abcd-efgh-ijkl-4321",
|
|
)
|
|
)
|
|
db_session.flush()
|
|
db_session.add(
|
|
Org(
|
|
name="Test Org Two",
|
|
root_user_id=2,
|
|
billing_contact_id=1,
|
|
owner_contact_id=2,
|
|
security_contact_id=3,
|
|
status="approved",
|
|
intake_questionnaire={},
|
|
)
|
|
)
|
|
db_session.flush()
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_org_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.get("/org?org_id=2")
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_patch_org_questionnaire_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.patch(
|
|
"/org/questionnaire",
|
|
json={
|
|
"organisation_id": 2,
|
|
"intake_questionnaire": {
|
|
"question_one": "new answer one",
|
|
"question_two": None,
|
|
"question_three": None,
|
|
},
|
|
"partial": True,
|
|
},
|
|
)
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_org_users_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.get("/org/users?org_id=2")
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_org_groups_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.get("/org/groups?org_id=2")
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_org_contact_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.get("/org/contact?org_id=2&contact_type=billing")
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_patch_org_contact_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.patch(
|
|
"/org/contact",
|
|
json={
|
|
"organisation_id": 2,
|
|
"contact_type": "billing",
|
|
"email": "user@example.com",
|
|
},
|
|
)
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_service_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.get("/service?org_id=2")
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_iam_group_permissions_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.get("/iam/group/permissions?org_id=2&group_id=1")
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_iam_group_users_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.get("/iam/group/users?org_id=2&group_id=1")
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_post_iam_group_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.post(
|
|
"/iam/group", json={"name": "New Group", "organisation_id": 2}
|
|
)
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_put_iam_group_permission_auth_root(
|
|
no_su_client: AsyncClient, db_session
|
|
):
|
|
db_session.add(Group(name="Test Group Two", org_id=2))
|
|
db_session.flush()
|
|
resp = await no_su_client.put(
|
|
"/iam/group/permission",
|
|
json={"permission_id": 1, "group_id": 2, "organisation_id": 2},
|
|
)
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_put_iam_group_user_auth_root(no_su_client: AsyncClient, db_session):
|
|
db_session.add(
|
|
User(
|
|
email="user@test.org",
|
|
first_name="User",
|
|
last_name="Test",
|
|
oidc_id="abcd-efgh-ijkl-1234",
|
|
)
|
|
)
|
|
db_session.flush()
|
|
|
|
resp = await no_su_client.put(
|
|
"/iam/group/user", json={"user_id": 2, "group_id": 1, "organisation_id": 2}
|
|
)
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_iam_permissions_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.get("/iam/permissions?org_id=2")
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_post_iam_permissions_search_auth_root(no_su_client: AsyncClient):
|
|
resp = await no_su_client.post(
|
|
"/iam/permissions/search", json={"organisation_id": 2, "action": "read"}
|
|
)
|
|
assert resp.status_code != 422
|
|
assert resp.status_code == 403
|
|
assert "Must be the org's root user" in resp.json()["detail"]
|