def test_multiple_delegates():
    # tests with 2 delegates

    # make consumer a delegate
    req = {"user_email": email, "user_role": 'delegate'}
    r = untrusted.provider_access([req])
    assert r['success'] == True
    assert r['status_code'] == 200

    resource_group = ''.join(
        random.choice(string.ascii_lowercase) for _ in range(10))
    resource_id = provider_id + '/rs.example.com/' + resource_group

    req = {
        "user_email": email,
        "user_role": 'consumer',
        "item_id": resource_id,
        "item_type": "resourcegroup"
    }
    req["capabilities"] = ['complex']
    r = consumer.provider_access([req], '*****@*****.**')
    assert r['success'] == True
    assert r['status_code'] == 200

    # cannot update rule set by other provider
    req["capabilities"] = ['subscription']
    r = alt_provider.provider_access([req], '*****@*****.**')
    assert r['success'] == True
    assert r['status_code'] == 200

    r = consumer.get_provider_access('*****@*****.**')
    assert r['success'] == True
    assert r['status_code'] == 200
    rules = r['response']

    for r in rules:
        if r['email'] == email and r[
                'role'] == 'consumer' and resource_id == r['item']['cat_id']:
            consumer_id = r['id']

    # delegate can delete other delegate's rule
    body = {"id": consumer_id}
    r = alt_provider.delete_rule([body], '*****@*****.**')
    assert r['success'] == True
    assert r['status_code'] == 200

    # already deleted
    body = {"id": consumer_id}
    r = consumer.delete_rule([body], '*****@*****.**')
    assert r['success'] == False
    assert r['status_code'] == 403

    # delegate cannot delete delegate rule
    r = consumer.delete_rule([{"id": delegate_id}], '*****@*****.**')
    assert r['success'] == False
    assert r['status_code'] == 403
    "user_role": 'consumer',
    "item_id": resource_id,
    "item_type": "resourcegroup"
}
req["capabilities"] = ['complex']
r = consumer.provider_access([req], '*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200

# delegate can update rule set by other delegate
req["capabilities"] = ['subscription']
r = alt_provider.provider_access([req], '*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200

r = consumer.get_provider_access('*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200
rules = r['response']

for r in rules:
    if r['email'] == email and r['role'] == 'consumer' and resource_id == r[
            'item']['cat_id']:
        consumer_id = r['id']

# delegates can delete each other's rules
body = {"id": consumer_id}
r = alt_provider.delete_rule([body], '*****@*****.**')
assert r['success'] == True
assert r['status_code'] == 200