def setup_users(cidc_api, monkeypatch, registered=True) -> Tuple[int, int]:
    """
    Create two `Users` rows and make the first one the mocked current user.

    The first user (id=1) is the caller the test runs as; when `registered`
    is true it is also given the CIMAC_USER role and an approval date
    (the state the rest of this test module treats as a fully approved
    user). With `registered=False` it is inserted without either. The
    second user (id=2) is always inserted with no role and no approval date.

    Args:
        cidc_api: the Flask app whose `app_context` wraps the inserts.
        monkeypatch: pytest's monkeypatch fixture, forwarded to `mock_current_user`.
        registered: whether to give the first user a role and an approval date.

    Returns:
        The ids of the current user and the other user, in that order.
    """
    me, bystander = (
        Users(id=1, email="*****@*****.**"),
        Users(id=2, email="*****@*****.**"),
    )
    # Requests made during the test are attributed to `me`.
    mock_current_user(me, monkeypatch)
    with cidc_api.app_context():
        if registered:
            # NOTE(review): approval_date is a naive local timestamp; the
            # authorization code only appears to check for its presence here.
            me.role = CIDCRole.CIMAC_USER.value
            me.approval_date = datetime.now()
        for row in (me, bystander):
            row.insert()
        # Read the ids while the app context (and DB session) is still open.
        ids = (me.id, bystander.id)
    return ids
def test_authorize(cidc_api, clean_db):
    """
    Walk one user through the authorization state machine and check each step.

    States visited, in order: not in the DB ("not registered"), inserted but
    unapproved ("pending approval"), role assigned but still unapproved,
    approved (role checks apply), and finally disabled ("disabled"). Along the
    way the test pins two security-relevant details: an unapproved or
    disabled user can still GET "self" but nothing else, and `_accessed` is
    only stamped once per calendar day rather than on every call.
    """
    user = Users(**PAYLOAD)
    cimac = CIDCRole.CIMAC_USER.value
    anything = ("some-resource", "some-http-method")

    def denied(allowed_roles, resource, method, reason):
        # `reason` is matched as a regex against the Unauthorized message.
        with pytest.raises(Unauthorized, match=reason):
            auth.authorize(user, allowed_roles, resource, method)

    def granted(allowed_roles, resource, method):
        assert auth.authorize(user, allowed_roles, resource, method)

    with cidc_api.app_context():
        # --- not yet in the database -------------------------------------
        # An unregistered user is refused for any resource and method ...
        denied([], *anything, "not registered")
        # ... and no last-access time can be recorded for them.
        assert user._accessed is None
        # ... including GET on "users" ...
        denied([], "users", "GET", "not registered")
        assert user._accessed is None
        # ... and GET on "self".
        denied([], "self", "GET", "not registered")
        assert user._accessed is None
        # POST to "self" is the one call expected to succeed before registration.
        granted([], "self", "POST")

        # --- inserted, not yet approved ----------------------------------
        user.insert()
        denied([], "self", "POST", "pending approval")
        # The refused call still stamps the last-access time (same day).
        assert user._accessed.date() == date.today()
        first_access = user._accessed
        # An unapproved user can still read their own record.
        granted([], "self", "GET")

        # --- role assigned, still unapproved -----------------------------
        user.role = cimac
        user.update()
        # Having an allowed role does not bypass the approval gate.
        denied([cimac], "self", "POST", "pending approval")

        # --- approved ----------------------------------------------------
        user.approval_date = datetime.now()
        user.update()
        # Lacking the required role is refused ...
        denied([CIDCRole.ADMIN.value], *anything, "not authorized to access")
        # ... holding an allowed role is granted ...
        granted([cimac], *anything)
        # ... and a resource with no role restriction is granted too.
        granted([], *anything)

        # --- disabled ----------------------------------------------------
        user.disabled = True
        user.update()
        # An allowed role no longer helps once the account is disabled.
        denied([cimac], *anything, "disabled")
        # A disabled user can still read their own record.
        granted([], "self", "GET")
        # Unrestricted resources stay refused while disabled.
        denied([], *anything, "disabled")

        # None of the later calls moved the last-access stamp, because they
        # all happened on the same day as the first recorded access.
        assert user._accessed == first_access