665 lines
17 KiB
Python
665 lines
17 KiB
Python
""" """
|
|
|
|
import pytest
|
|
from httpx import AsyncClient
|
|
|
|
from .conftest import generate_query_and_status, generate_body_and_status
|
|
|
|
pytestmark = [
|
|
pytest.mark.iam_module,
|
|
]
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_post_act_on_resource_endpoint_success(default_client: AsyncClient):
|
|
body = {
|
|
"rn": {
|
|
"service": "Test Service",
|
|
"organisation": "Org One",
|
|
"resource": "test_resource",
|
|
"instance": None,
|
|
},
|
|
"action": "read",
|
|
}
|
|
headers = {
|
|
"Authorization": "Bearer not_checked_when_auth_is_disabled",
|
|
"X-API-Key": "123456789",
|
|
}
|
|
resp = await default_client.post(
|
|
"/iam/can_act_on_resource", json=body, headers=headers
|
|
)
|
|
data = resp.json()
|
|
|
|
assert resp.status_code == 200
|
|
assert data["allowed"] is True
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"service, api_key",
|
|
[("Test Service", "not_the_correct_key"), ("Test Service Two", "123456789")],
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_act_on_resource_wrong_key(
|
|
default_client: AsyncClient, service: str, api_key: str
|
|
):
|
|
body = {
|
|
"rn": {
|
|
"service": service,
|
|
"organisation": "Test Org",
|
|
"resource": "test_resource",
|
|
},
|
|
"action": "read",
|
|
}
|
|
headers = {
|
|
"Authorization": "Bearer not_checked_when_auth_is_disabled",
|
|
"X-API-Key": api_key,
|
|
}
|
|
resp = await default_client.post(
|
|
"/iam/can_act_on_resource", json=body, headers=headers
|
|
)
|
|
data = resp.json()
|
|
|
|
assert resp.status_code == 401
|
|
assert data["detail"] == "Invalid API key"
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_act_on_resource_missing_key(default_client: AsyncClient):
|
|
body = {
|
|
"rn": {
|
|
"service": "Test Service",
|
|
"organisation": "Test Org",
|
|
"resource": "test_resource",
|
|
},
|
|
"action": "read",
|
|
}
|
|
headers = {"Authorization": "Bearer not_checked_when_auth_is_disabled"}
|
|
resp = await default_client.post(
|
|
"/iam/can_act_on_resource?action=read", json=body, headers=headers
|
|
)
|
|
data = resp.json()
|
|
|
|
assert resp.status_code == 401
|
|
assert data["detail"] == "Missing API key"
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"service, org, resource, action, expected_status",
|
|
[
|
|
(None, "Test Org", "test_resource", "read", 422),
|
|
(42, "Test Org", "test_resource", "read", 422),
|
|
("Test Service", None, "test_resource", "read", 422),
|
|
("Test Service", 42, "test_resource", "read", 422),
|
|
("Test Service", "Test Org", None, "read", 422),
|
|
("Test Service", "Test Org", 42, "read", 422),
|
|
("Test Service", "Test Org", "test_resource", None, 422),
|
|
("Test Service", "Test Org", "test_resource", 42, 422),
|
|
],
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_act_on_resource_endpoint_status_checks(
|
|
default_client: AsyncClient, service, org, resource, action, expected_status: int
|
|
):
|
|
body = {
|
|
"rn": {"service": service, "organisation": org, "resource": resource},
|
|
"action": action,
|
|
}
|
|
headers = {
|
|
"Authorization": "Bearer not_checked_when_auth_is_disabled",
|
|
"X-API-Key": "123456789",
|
|
}
|
|
resp = await default_client.post(
|
|
"/iam/can_act_on_resource", json=body, headers=headers
|
|
)
|
|
|
|
assert resp.status_code == expected_status
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"service, org, resource, action, expected_response",
|
|
[
|
|
("Test Service", "Org One", "test_resource", "read", True),
|
|
("Test Service", "Org One", "test_resource", "create", False),
|
|
("Test Service", "Org One", "no_access_here", "read", False),
|
|
("Test Service", "Org Two", "test_resource", "read", False),
|
|
],
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_act_on_resource_logic(
|
|
default_client: AsyncClient,
|
|
service,
|
|
org,
|
|
resource,
|
|
action,
|
|
expected_response: bool,
|
|
):
|
|
body = {
|
|
"rn": {"service": service, "organisation": org, "resource": resource},
|
|
"action": action,
|
|
}
|
|
headers = {
|
|
"Authorization": "Bearer not_checked_when_auth_is_disabled",
|
|
"X-API-Key": "123456789",
|
|
}
|
|
resp = await default_client.post(
|
|
"/iam/can_act_on_resource", json=body, headers=headers
|
|
)
|
|
data = resp.json()
|
|
|
|
assert resp.status_code == 200
|
|
assert data["allowed"] == expected_response
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_group_permissions_success(default_client: AsyncClient):
|
|
resp = await default_client.get("/iam/group/permissions?org_id=1&group_id=1")
|
|
assert resp.status_code == 200
|
|
|
|
data = resp.json()
|
|
|
|
assert "permissions" in data
|
|
assert isinstance(data["permissions"], list)
|
|
|
|
permission = data["permissions"][0]
|
|
assert permission["id"] == 1
|
|
assert permission["service_name"] == "Test Service"
|
|
assert permission["resource"] == "test_resource"
|
|
assert permission["action"] == "read"
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"query, expected_status", generate_query_and_status(["group_id", "org_id"])
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_get_group_permissions_status_checks(
|
|
default_client: AsyncClient, query: str, expected_status: int
|
|
):
|
|
resp = await default_client.get(f"/iam/group/permissions?{query}")
|
|
|
|
assert resp.status_code == expected_status
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"query",
|
|
[
|
|
"org_id=1&group_id=2",
|
|
"org_id=2&group_id=1",
|
|
],
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_get_group_permissions_mismatch(default_client: AsyncClient, query: str):
|
|
resp = await default_client.get(f"/iam/group/permissions?{query}")
|
|
|
|
assert resp.status_code == 403
|
|
assert resp.json()["detail"] == "Group does not belong to this organization"
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_group_users_success(default_client: AsyncClient):
|
|
resp = await default_client.get("/iam/group/users?org_id=1&group_id=1")
|
|
assert resp.status_code == 200
|
|
|
|
data = resp.json()
|
|
|
|
assert "users" in data
|
|
assert isinstance(data["users"], list)
|
|
|
|
user = data["users"][0]
|
|
assert user["id"] == 1
|
|
assert user["email"] == "admin@test.com"
|
|
|
|
assert "group" in data
|
|
assert isinstance(data["group"], dict)
|
|
assert data["group"]["id"] == 1
|
|
assert data["group"]["name"] == "Org One Group"
|
|
|
|
assert "organisation" in data
|
|
assert isinstance(data["organisation"], dict)
|
|
assert data["organisation"]["id"] == 1
|
|
assert data["organisation"]["name"] == "Org One"
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"query, expected_status", generate_query_and_status(["group_id", "org_id"])
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_get_group_users_status_checks(
|
|
default_client: AsyncClient, query: str, expected_status: int
|
|
):
|
|
resp = await default_client.get(f"/iam/group/users?{query}")
|
|
|
|
assert resp.status_code == expected_status
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"query",
|
|
[
|
|
"org_id=1&group_id=2",
|
|
"org_id=2&group_id=1",
|
|
],
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_get_group_users_mismatch(default_client: AsyncClient, query: str):
|
|
resp = await default_client.get(f"/iam/group/users?{query}")
|
|
|
|
assert resp.status_code == 403
|
|
assert resp.json()["detail"] == "Group does not belong to this organization"
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_post_group_success(default_client: AsyncClient):
|
|
resp = await default_client.post(
|
|
"/iam/group", json={"name": "New Group", "organisation_id": 1}
|
|
)
|
|
assert resp.status_code == 201
|
|
|
|
data = resp.json()
|
|
|
|
assert "group" in data
|
|
assert isinstance(data["group"], dict)
|
|
assert data["group"]["name"] == "New Group"
|
|
assert data["group"]["id"] == 4
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"body, expected_status",
|
|
generate_body_and_status({"organisation_id": "int", "name": "str"}),
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_post_group_status_checks(
|
|
default_client: AsyncClient, body: dict[str, str], expected_status: int
|
|
):
|
|
resp = await default_client.post("/iam/group", json=body)
|
|
|
|
assert resp.status_code == expected_status
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_post_group_conflict(default_client: AsyncClient):
|
|
resp = await default_client.post(
|
|
"/iam/group", json={"organisation_id": 1, "name": "Org One Group"}
|
|
)
|
|
|
|
assert resp.status_code == 409
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_put_group_perm_success(default_client: AsyncClient):
|
|
resp = await default_client.put(
|
|
"/iam/group/permission",
|
|
json={"permission_id": 1, "group_id": 3, "organisation_id": 1},
|
|
)
|
|
assert resp.status_code == 200
|
|
|
|
data = resp.json()
|
|
|
|
assert "group" in data
|
|
assert isinstance(data["group"], dict)
|
|
assert data["group"]["name"] == "Org One Group Two"
|
|
assert data["group"]["id"] == 3
|
|
|
|
assert "permissions" in data
|
|
assert isinstance(data["permissions"], list)
|
|
|
|
permission = data["permissions"][0]
|
|
assert permission["id"] == 1
|
|
assert permission["service_name"] == "Test Service"
|
|
assert permission["resource"] == "test_resource"
|
|
assert permission["action"] == "read"
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"body, expected_status",
|
|
generate_body_and_status(
|
|
{"organisation_id": "int", "group_id": "int", "permission_id": "int"}
|
|
),
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_put_group_perm_status_checks(
|
|
default_client: AsyncClient, body: dict[str, str], expected_status: int
|
|
):
|
|
resp = await default_client.put("/iam/group/permission", json=body)
|
|
|
|
assert resp.status_code == expected_status
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_put_group_perm_conflict(default_client: AsyncClient):
|
|
resp = await default_client.put(
|
|
"/iam/group/permission",
|
|
json={"organisation_id": 1, "group_id": 1, "permission_id": 1},
|
|
)
|
|
|
|
assert resp.status_code == 409
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"body",
|
|
[
|
|
{"organisation_id": 1, "group_id": 2, "permission_id": 1},
|
|
{"organisation_id": 2, "group_id": 1, "permission_id": 1},
|
|
],
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_put_group_perm_mismatch(default_client: AsyncClient, body: dict):
|
|
resp = await default_client.put("/iam/group/permission", json=body)
|
|
|
|
assert resp.status_code == 403
|
|
assert resp.json()["detail"] == "Group does not belong to this organization"
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_put_group_user_success(default_client: AsyncClient):
|
|
resp = await default_client.put(
|
|
"/iam/group/user", json={"user_id": 2, "group_id": 1, "organisation_id": 1}
|
|
)
|
|
assert resp.status_code == 200
|
|
|
|
data = resp.json()
|
|
|
|
assert "group" in data
|
|
assert isinstance(data["group"], dict)
|
|
assert data["group"]["name"] == "Org One Group"
|
|
assert data["group"]["id"] == 1
|
|
|
|
assert "users" in data
|
|
assert isinstance(data["users"], list)
|
|
|
|
user = data["users"][1]
|
|
assert user["id"] == 2
|
|
assert user["first_name"] == "User"
|
|
assert user["last_name"] == "Test"
|
|
assert user["email"] == "user@orgone.com"
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"body, expected_status",
|
|
generate_body_and_status(
|
|
{"organisation_id": "int", "group_id": "int", "user_id": "int"}
|
|
),
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_put_group_user_status_checks(
|
|
default_client: AsyncClient, body: dict[str, str], expected_status: int
|
|
):
|
|
resp = await default_client.put("/iam/group/user", json=body)
|
|
|
|
assert resp.status_code == expected_status
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_get_permissions_success(default_client: AsyncClient):
|
|
resp = await default_client.get("/iam/permissions?org_id=1")
|
|
data = resp.json()
|
|
|
|
assert resp.status_code == 200
|
|
assert "permissions" in data
|
|
assert isinstance(data["permissions"], list)
|
|
|
|
permission = data["permissions"][0]
|
|
assert permission["id"] == 1
|
|
assert permission["service_name"] == "Test Service"
|
|
assert permission["resource"] == "test_resource"
|
|
assert permission["action"] == "read"
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"query, expected_status", generate_query_and_status(["org_id"])
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_get_permissions_status_checks(
|
|
default_client: AsyncClient, query: str, expected_status: int
|
|
):
|
|
resp = await default_client.get(f"/iam/permissions?{query}")
|
|
|
|
assert resp.status_code == expected_status
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_post_perm_success(default_client: AsyncClient):
|
|
resp = await default_client.post(
|
|
"/iam/permission",
|
|
json={"service_id": 1, "resource": "test_resource", "action": "create"},
|
|
)
|
|
assert resp.status_code == 201
|
|
|
|
data = resp.json()
|
|
|
|
assert "permission" in data
|
|
assert isinstance(data["permission"], dict)
|
|
|
|
assert data["permission"]["id"] == 2
|
|
assert data["permission"]["service_name"] == "Test Service"
|
|
assert data["permission"]["resource"] == "test_resource"
|
|
assert data["permission"]["action"] == "create"
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"body, expected_status",
|
|
[
|
|
(
|
|
{"service_id": 1, "resource": "test_resource", "action": "read"},
|
|
409,
|
|
),
|
|
# service_id tests
|
|
(
|
|
{"service_id": 42, "resource": "test_resource", "action": "read"},
|
|
404,
|
|
), # Non-existent service
|
|
(
|
|
{"service_id": "banana", "resource": "test_resource", "action": "read"},
|
|
422,
|
|
), # Invalid service ID
|
|
(
|
|
{"service_id": "", "resource": "test_resource", "action": "read"},
|
|
422,
|
|
), # Blank service ID
|
|
(
|
|
{"service_id": -1, "resource": "test_resource", "action": "read"},
|
|
422,
|
|
), # Negative service ID
|
|
# resource tests
|
|
(
|
|
{"service_id": 1, "resource": 42, "action": "read"},
|
|
422,
|
|
), # Invalid resource type
|
|
# action tests
|
|
(
|
|
{"service_id": 1, "resource": "test_resource", "action": 42},
|
|
422,
|
|
), # Invalid action type
|
|
# missing/partial body tests
|
|
({}, 422), # Blank body
|
|
({"resource": "test_resource"}, 422), # Only resource
|
|
({"action": "read"}, 422), # Only action
|
|
({"service_id": 1}, 422), # Only service
|
|
({"service_id": 1, "action": "read"}, 422), # Missing resource
|
|
({"service_id": 1, "resource": "test_resource"}, 422), # Missing action
|
|
({"resource": "test_resource", "action": "read"}, 422), # Missing service
|
|
],
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_post_perm_status_checks(
|
|
default_client: AsyncClient, body: dict[str, str], expected_status: int
|
|
):
|
|
resp = await default_client.post("/iam/permission", json=body)
|
|
|
|
assert resp.status_code == expected_status
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"body",
|
|
[
|
|
{
|
|
"organisation_id": 1,
|
|
"service_id": 1,
|
|
"resource": "test_resource",
|
|
"action": "read",
|
|
},
|
|
{"organisation_id": 1, "service_id": 1},
|
|
{"organisation_id": 1, "resource": "test_resource"},
|
|
{"organisation_id": 1, "action": "read"},
|
|
{"organisation_id": 1, "service_id": 1, "action": "read"},
|
|
{"organisation_id": 1, "service_id": 1, "resource": "test_resource"},
|
|
{"organisation_id": 1, "resource": "test_resource", "action": "read"},
|
|
],
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_post_perm_search_success(default_client: AsyncClient, body):
|
|
resp = await default_client.post("/iam/permissions/search", json=body)
|
|
data = resp.json()
|
|
|
|
assert resp.status_code == 200
|
|
assert "permissions" in data
|
|
assert isinstance(data["permissions"], list)
|
|
|
|
permission = data["permissions"][0]
|
|
assert permission["id"] == 1
|
|
assert permission["service_name"] == "Test Service"
|
|
assert permission["resource"] == "test_resource"
|
|
assert permission["action"] == "read"
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"body, expected_status",
|
|
[
|
|
# organisation_id tests
|
|
(
|
|
{
|
|
"organisation_id": 42,
|
|
"service_id": 1,
|
|
"resource": "test_resource",
|
|
"action": "read",
|
|
},
|
|
404,
|
|
), # Non-existent organisation
|
|
(
|
|
{
|
|
"organisation_id": "banana",
|
|
"service_id": 1,
|
|
"resource": "test_resource",
|
|
"action": "read",
|
|
},
|
|
422,
|
|
), # Invalid organisation ID
|
|
(
|
|
{
|
|
"organisation_id": "",
|
|
"service_id": 1,
|
|
"resource": "test_resource",
|
|
"action": "read",
|
|
},
|
|
422,
|
|
), # Blank organisation ID
|
|
(
|
|
{
|
|
"organisation_id": -1,
|
|
"service_id": 1,
|
|
"resource": "test_resource",
|
|
"action": "read",
|
|
},
|
|
422,
|
|
), # Negative organisation ID
|
|
# service_id tests
|
|
(
|
|
{
|
|
"organisation_id": 1,
|
|
"service_id": "banana",
|
|
"resource": "test_resource",
|
|
"action": "read",
|
|
},
|
|
422,
|
|
), # Invalid service ID
|
|
(
|
|
{
|
|
"organisation_id": 1,
|
|
"service_id": "",
|
|
"resource": "test_resource",
|
|
"action": "read",
|
|
},
|
|
422,
|
|
), # Blank service ID
|
|
(
|
|
{
|
|
"organisation_id": 1,
|
|
"service_id": -1,
|
|
"resource": "test_resource",
|
|
"action": "read",
|
|
},
|
|
422,
|
|
), # Negative service ID
|
|
# resource tests
|
|
(
|
|
{"organisation_id": 1, "service_id": 1, "resource": 42, "action": "read"},
|
|
422,
|
|
), # Invalid resource type
|
|
# action tests
|
|
(
|
|
{
|
|
"organisation_id": 1,
|
|
"service_id": 1,
|
|
"resource": "test_resource",
|
|
"action": 42,
|
|
},
|
|
422,
|
|
), # Invalid action type
|
|
# missing/partial body tests
|
|
({}, 422), # Blank body
|
|
],
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_post_perm_search_status_checks(
|
|
default_client: AsyncClient, body: dict[str, str], expected_status: int
|
|
):
|
|
resp = await default_client.post("/iam/permissions/search", json=body)
|
|
|
|
assert resp.status_code == expected_status
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_delete_group_permissions_success(default_client: AsyncClient):
|
|
resp = await default_client.delete(
|
|
"/iam/group/permission?org_id=1&group_id=1&perm_id=1"
|
|
)
|
|
data = resp.json()
|
|
|
|
assert resp.status_code == 200
|
|
assert "permissions" in data
|
|
assert isinstance(data["permissions"], list)
|
|
assert len(data["permissions"]) == 0
|
|
assert "group" in data
|
|
assert data["group"]["id"] == 1
|
|
assert data["group"]["name"] == "Org One Group"
|
|
|
|
|
|
@pytest.mark.parametrize(
|
|
"query, expected_status",
|
|
generate_query_and_status(["group_id", "org_id", "perm_id"]),
|
|
)
|
|
@pytest.mark.anyio
|
|
async def test_delete_group_permissions_status_checks(
|
|
default_client: AsyncClient, query: str, expected_status: int
|
|
):
|
|
resp = await default_client.delete(f"/iam/group/permission?{query}")
|
|
assert resp.status_code == expected_status
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_delete_permissions_success(default_client: AsyncClient):
|
|
resp = await default_client.delete("/iam/permission?perm_id=1")
|
|
|
|
assert resp.status_code == 204
|
|
|
|
|
|
@pytest.mark.anyio
|
|
async def test_delete_group_users_success(default_client: AsyncClient):
|
|
resp = await default_client.delete("/iam/group/user?org_id=1&group_id=1&user_id=1")
|
|
data = resp.json()
|
|
|
|
assert resp.status_code == 200
|
|
assert "users" in data
|
|
assert isinstance(data["users"], list)
|
|
assert len(data["users"]) == 0
|
|
assert "group" in data
|
|
assert data["group"]["id"] == 1
|
|
assert data["group"]["name"] == "Org One Group"
|