def test_update_role(api, role_batch, scopes, collection_auth):
authorized = ODPScope.ROLE_ADMIN in scopes and \
collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH)
if collection_auth == CollectionAuth.MATCH:
api_client_collection = role_batch[2].collection
elif collection_auth == CollectionAuth.MISMATCH:
api_client_collection = role_batch[1].collection
else:
api_client_collection = None
if collection_auth in (CollectionAuth.MATCH, CollectionAuth.MISMATCH):
modified_role_collection = role_batch[2].collection
else:
modified_role_collection = None
modified_role_batch = role_batch.copy()
modified_role_batch[2] = (role := role_build(
id=role_batch[2].id,
collection=modified_role_collection,
))
r = api(scopes, api_client_collection).put('/role/', json=dict(
id=role.id,
scope_ids=scope_ids(role),
collection_id=role.collection_id,
))
if authorized:
assert_empty_result(r)
assert_db_state(modified_role_batch)
else:
assert_forbidden(r)
assert_db_state(role_batch)
def test_delete_collection(api, collection_batch, scopes, collection_auth):
authorized = ODPScope.COLLECTION_ADMIN in scopes and \
collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH)
if collection_auth == CollectionAuth.MATCH:
api_client_collection = collection_batch[2]
elif collection_auth == CollectionAuth.MISMATCH:
api_client_collection = collection_batch[1]
else:
api_client_collection = None
modified_collection_batch = collection_batch.copy()
del modified_collection_batch[2]
r = api(scopes, api_client_collection).delete(
f'/collection/{(collection_id := collection_batch[2].id)}')
if authorized:
assert_empty_result(r)
assert_db_state(modified_collection_batch)
assert_audit_log('delete', collection_id=collection_id)
else:
assert_forbidden(r)
assert_db_state(collection_batch)
assert_no_audit_log()
def test_create_collection(api, collection_batch, scopes, collection_auth):
# note that collection-specific auth will never allow creating a new collection
authorized = ODPScope.COLLECTION_ADMIN in scopes and \
collection_auth == CollectionAuth.NONE
if collection_auth == CollectionAuth.NONE:
api_client_collection = None
else:
api_client_collection = collection_batch[2]
modified_collection_batch = collection_batch + [
collection := collection_build()
]
r = api(scopes,
api_client_collection).post('/collection/',
json=dict(
id=collection.id,
name=collection.name,
doi_key=collection.doi_key,
provider_id=collection.provider_id,
))
if authorized:
assert_empty_result(r)
assert_db_state(modified_collection_batch)
assert_audit_log('insert', collection)
else:
assert_forbidden(r)
assert_db_state(collection_batch)
assert_no_audit_log()
def test_untag_record(api, record_batch_no_tags, admin_route, scopes,
collection_auth, tag_cardinality, same_user):
route = '/record/admin/' if admin_route else '/record/'
authorized = admin_route and ODPScope.RECORD_ADMIN in scopes or \
not admin_route and ODPScope.RECORD_QC in scopes
authorized = authorized and collection_auth in (CollectionAuth.NONE,
CollectionAuth.MATCH)
if collection_auth == CollectionAuth.MATCH:
api_client_collection = record_batch_no_tags[2].collection
elif collection_auth == CollectionAuth.MISMATCH:
api_client_collection = record_batch_no_tags[1].collection
else:
api_client_collection = None
client = api(scopes, api_client_collection)
record = record_batch_no_tags[2]
record_tags = RecordTagFactory.create_batch(randint(1, 3), record=record)
tag = new_generic_tag(tag_cardinality)
if same_user:
record_tag_1 = RecordTagFactory(
record=record,
tag=tag,
user=None,
)
else:
record_tag_1 = RecordTagFactory(
record=record,
tag=tag,
)
record_tag_1_dict = {
'tag_id': record_tag_1.tag_id,
'user_id': record_tag_1.user_id,
'data': record_tag_1.data,
}
r = client.delete(f'{route}{record.id}/tag/{record_tag_1.id}')
if authorized:
if not admin_route and not same_user:
assert_forbidden(r)
assert_db_tag_state(record.id, *record_tags, record_tag_1)
assert_tag_audit_log()
else:
assert_empty_result(r)
assert_db_tag_state(record.id, *record_tags)
assert_tag_audit_log(
dict(command='delete',
record_id=record.id,
record_tag=record_tag_1_dict), )
else:
assert_forbidden(r)
assert_db_tag_state(record.id, *record_tags, record_tag_1)
assert_tag_audit_log()
assert_db_state(record_batch_no_tags)
assert_no_audit_log()
def test_delete_user(api, user_batch, scopes):
authorized = ODPScope.USER_ADMIN in scopes
modified_user_batch = user_batch.copy()
del modified_user_batch[2]
r = api(scopes).delete(f'/user/{user_batch[2].id}')
if authorized:
assert_empty_result(r)
assert_db_state(modified_user_batch)
else:
assert_forbidden(r)
assert_db_state(user_batch)
def test_delete_provider(api, provider_batch, scopes):
authorized = ODPScope.PROVIDER_ADMIN in scopes
modified_provider_batch = provider_batch.copy()
del modified_provider_batch[2]
r = api(scopes).delete(f'/provider/{provider_batch[2].id}')
if authorized:
assert_empty_result(r)
assert_db_state(modified_provider_batch)
else:
assert_forbidden(r)
assert_db_state(provider_batch)
def test_delete_record(api, record_batch_with_ids, admin_route, scopes,
collection_tags, collection_auth, published_doi):
route = '/record/admin/' if admin_route else '/record/'
authorized = admin_route and ODPScope.RECORD_ADMIN in scopes or \
not admin_route and ODPScope.RECORD_WRITE in scopes
authorized = authorized and collection_auth in (CollectionAuth.NONE,
CollectionAuth.MATCH)
if collection_auth == CollectionAuth.MATCH:
api_client_collection = record_batch_with_ids[2].collection
elif collection_auth == CollectionAuth.MISMATCH:
api_client_collection = record_batch_with_ids[1].collection
else:
api_client_collection = None
for ct in collection_tags:
CollectionTagFactory(
collection=record_batch_with_ids[2].collection,
tag=TagFactory(id=ct, type='collection'),
)
if published_doi:
PublishedDOI(doi=record_batch_with_ids[2].doi).save()
modified_record_batch = record_batch_with_ids.copy()
del modified_record_batch[2]
r = api(scopes, api_client_collection).delete(
f'{route}{(record_id := record_batch_with_ids[2].id)}')
if authorized:
if not admin_route and set(collection_tags) & {
ODPCollectionTag.FROZEN, ODPCollectionTag.READY
}:
assert_unprocessable(
r,
'Cannot delete a record belonging to a ready or frozen collection'
)
assert_db_state(record_batch_with_ids)
assert_no_audit_log()
elif published_doi:
assert_unprocessable(
r, 'The DOI has been published and cannot be deleted.')
assert_db_state(record_batch_with_ids)
assert_no_audit_log()
else:
assert_empty_result(r)
assert_db_state(modified_record_batch)
assert_audit_log('delete', record_id=record_id)
else:
assert_forbidden(r)
assert_db_state(record_batch_with_ids)
assert_no_audit_log()
def test_create_provider(api, provider_batch, scopes):
authorized = ODPScope.PROVIDER_ADMIN in scopes
modified_provider_batch = provider_batch + [provider := provider_build()]
r = api(scopes).post('/provider/',
json=dict(
id=provider.id,
name=provider.name,
))
if authorized:
assert_empty_result(r)
assert_db_state(modified_provider_batch)
else:
assert_forbidden(r)
assert_db_state(provider_batch)
def test_create_project(api, project_batch, scopes):
authorized = ODPScope.PROJECT_ADMIN in scopes
modified_project_batch = project_batch + [project := project_build()]
r = api(scopes).post('/project/',
json=dict(
id=project.id,
name=project.name,
collection_ids=collection_ids(project),
))
if authorized:
assert_empty_result(r)
assert_db_state(modified_project_batch)
else:
assert_forbidden(r)
assert_db_state(project_batch)
def test_update_client(api, client_batch, scopes, collection_auth):
authorized = ODPScope.CLIENT_ADMIN in scopes and \
collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH)
if collection_auth == CollectionAuth.MATCH:
api_client_collection = client_batch[2].collection
elif collection_auth == CollectionAuth.MISMATCH:
api_client_collection = client_batch[1].collection
else:
api_client_collection = None
if collection_auth in (CollectionAuth.MATCH, CollectionAuth.MISMATCH):
modified_client_collection = client_batch[2].collection
else:
modified_client_collection = None
modified_client_batch = client_batch.copy()
modified_client_batch[2] = (client := client_build(
id=client_batch[2].id,
collection=modified_client_collection,
))
r = api(scopes, api_client_collection).put(
'/client/',
json=dict(
id=client.id,
name=fake.catch_phrase(),
secret=fake.password(),
scope_ids=scope_ids(client),
collection_id=client.collection_id,
grant_types=[],
response_types=[],
redirect_uris=[],
post_logout_redirect_uris=[],
token_endpoint_auth_method=TokenEndpointAuthMethod.
CLIENT_SECRET_BASIC,
allowed_cors_origins=[],
))
if authorized:
assert_empty_result(r)
assert_db_state(modified_client_batch)
else:
assert_forbidden(r)
assert_db_state(client_batch)
def test_update_provider(api, provider_batch, scopes):
authorized = ODPScope.PROVIDER_ADMIN in scopes
modified_provider_batch = provider_batch.copy()
modified_provider_batch[2] = (provider := provider_build(
id=provider_batch[2].id,
collections=provider_batch[2].collections,
))
r = api(scopes).put('/provider/',
json=dict(
id=provider.id,
name=provider.name,
))
if authorized:
assert_empty_result(r)
assert_db_state(modified_provider_batch)
else:
assert_forbidden(r)
assert_db_state(provider_batch)
def test_update_user(api, user_batch, scopes):
authorized = ODPScope.USER_ADMIN in scopes
modified_user_batch = user_batch.copy()
modified_user_batch[2] = (user := UserFactory.build(
id=user_batch[2].id,
name=user_batch[2].name,
email=user_batch[2].email,
verified=user_batch[2].verified,
roles=RoleFactory.create_batch(randint(0, 3)),
))
r = api(scopes).put('/user/',
json=dict(
id=user.id,
active=user.active,
role_ids=role_ids(user),
))
if authorized:
assert_empty_result(r)
assert_db_state(modified_user_batch)
else:
assert_forbidden(r)
assert_db_state(user_batch)
def test_delete_role(api, role_batch, scopes, collection_auth):
authorized = ODPScope.ROLE_ADMIN in scopes and \
collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH)
if collection_auth == CollectionAuth.MATCH:
api_client_collection = role_batch[2].collection
elif collection_auth == CollectionAuth.MISMATCH:
api_client_collection = role_batch[1].collection
else:
api_client_collection = None
modified_role_batch = role_batch.copy()
del modified_role_batch[2]
r = api(scopes, api_client_collection).delete(f'/role/{role_batch[2].id}')
if authorized:
assert_empty_result(r)
assert_db_state(modified_role_batch)
else:
assert_forbidden(r)
assert_db_state(role_batch)
def test_update_collection(api, collection_batch_no_projects, scopes,
collection_auth):
authorized = ODPScope.COLLECTION_ADMIN in scopes and \
collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH)
if collection_auth == CollectionAuth.MATCH:
api_client_collection = collection_batch_no_projects[2]
elif collection_auth == CollectionAuth.MISMATCH:
api_client_collection = collection_batch_no_projects[1]
else:
api_client_collection = None
modified_collection_batch = collection_batch_no_projects.copy()
modified_collection_batch[2] = (collection := collection_build(
id=collection_batch_no_projects[2].id,
clients=collection_batch_no_projects[2].clients,
roles=collection_batch_no_projects[2].roles,
))
r = api(scopes,
api_client_collection).put('/collection/',
json=dict(
id=collection.id,
name=collection.name,
doi_key=collection.doi_key,
provider_id=collection.provider_id,
))
if authorized:
assert_empty_result(r)
assert_db_state(modified_collection_batch)
assert_audit_log('update', collection)
else:
assert_forbidden(r)
assert_db_state(collection_batch_no_projects)
assert_no_audit_log()
def test_untag_collection(api, collection_batch, admin_route, scopes,
collection_auth, tag_cardinality, same_user):
route = '/collection/admin/' if admin_route else '/collection/'
authorized = admin_route and ODPScope.COLLECTION_ADMIN in scopes or \
not admin_route and ODPScope.COLLECTION_READ in scopes
authorized = authorized and collection_auth in (CollectionAuth.NONE,
CollectionAuth.MATCH)
if collection_auth == CollectionAuth.MATCH:
api_client_collection = collection_batch[2]
elif collection_auth == CollectionAuth.MISMATCH:
api_client_collection = collection_batch[1]
else:
api_client_collection = None
client = api(scopes, api_client_collection)
collection = collection_batch[2]
collection_tags = CollectionTagFactory.create_batch(randint(1, 3),
collection=collection)
tag = new_generic_tag(tag_cardinality)
if same_user:
collection_tag_1 = CollectionTagFactory(
collection=collection,
tag=tag,
user=None,
)
else:
collection_tag_1 = CollectionTagFactory(
collection=collection,
tag=tag,
)
collection_tag_1_dict = {
'tag_id': collection_tag_1.tag_id,
'user_id': collection_tag_1.user_id,
'data': collection_tag_1.data,
}
r = client.delete(f'{route}{collection.id}/tag/{collection_tag_1.id}')
if authorized:
if not admin_route and not same_user:
assert_forbidden(r)
assert_db_tag_state(collection.id, *collection_tags,
collection_tag_1)
assert_tag_audit_log()
else:
assert_empty_result(r)
assert_db_tag_state(collection.id, *collection_tags)
assert_tag_audit_log(
dict(command='delete',
collection_id=collection.id,
collection_tag=collection_tag_1_dict), )
else:
assert_forbidden(r)
assert_db_tag_state(collection.id, *collection_tags, collection_tag_1)
assert_tag_audit_log()
assert_db_state(collection_batch)
assert_no_audit_log()
