def test_create_role_with_scopes():
scopes = ScopeFactory.create_batch(
5, type='odp') + ScopeFactory.create_batch(5, type='client')
role = RoleFactory(scopes=scopes)
result = Session.execute(select(RoleScope)).scalars()
assert [(row.role_id, row.scope_id, row.scope_type) for row in result] \
== [(role.id, scope.id, scope.type) for scope in scopes]
def test_db_setup():
migrate.systemdata.init_system_scopes()
Session.commit()
result = Session.execute(select(Scope)).scalars()
assert [row.id for row in result] == [s.value for s in ODPScope]
# create a batch of arbitrary scopes, which should not be assigned to the sysadmin
ScopeFactory.create_batch(5)
migrate.systemdata.init_admin_role()
Session.commit()
result = Session.execute(select(Role)).scalar_one()
assert (result.id,
result.collection_id) == (migrate.systemdata.ODP_ADMIN_ROLE, None)
result = Session.execute(select(RoleScope)).scalars()
assert [(row.role_id, row.scope_id, row.scope_type) for row in result] \
== [(migrate.systemdata.ODP_ADMIN_ROLE, s.value, ScopeType.odp) for s in ODPScope]
def role_build(collection=None, **id):
"""Build and return an uncommitted Role instance.
Referenced scopes and/or collection are however committed."""
return RoleFactory.build(
**id,
scopes=ScopeFactory.create_batch(randint(0, 3), type=choice(('odp', 'client'))),
collection=collection or (collection := CollectionFactory() if randint(0, 1) else None),
collection_id=collection.id if collection else None,
)
def role_batch():
"""Create and commit a batch of Role instances."""
return [
RoleFactory(
scopes=ScopeFactory.create_batch(randint(0, 3), type=choice(('odp', 'client'))),
is_collection_role=n in (1, 2) or randint(0, 1),
)
for n in range(randint(3, 5))
]
def client_build(collection=None, **id):
"""Build and return an uncommitted Client instance.
Referenced scopes and/or collection are however committed."""
return ClientFactory.build(
**id,
scopes=ScopeFactory.create_batch(randint(1, 3)),
collection=collection
or (collection := CollectionFactory() if randint(0, 1) else None),
collection_id=collection.id if collection else None,
)
def test_list_scopes(api, scope_batch, scopes):
authorized = ODPScope.SCOPE_READ in scopes
# add the parameterized scopes to the batch of expected scopes,
# as they will be created by the api fixture
scope_batch += [ScopeFactory.build(id=s.value, type='odp') for s in scopes]
r = api(scopes).get('/scope/')
if authorized:
assert_json_results(r, r.json(), scope_batch)
else:
assert_forbidden(r)
assert_db_state(scope_batch)
def client_batch(hydra_admin_api):
"""Create and commit a batch of Client instances, and create
an OAuth2 client config on Hydra for each."""
clients = []
for n in range(randint(3, 5)):
clients += [
client := ClientFactory(
scopes=(scopes := ScopeFactory.create_batch(randint(1, 3))),
is_collection_client=n in (1, 2) or randint(0, 1),
)
]
def test_platform_roles():
scopes = ScopeFactory.create_batch(8, type='odp')
client = ClientFactory(scopes=scopes[1:7])
role1 = RoleFactory(scopes=scopes[:3])
role2 = RoleFactory(scopes=scopes[5:])
user = UserFactory(roles=(role1, role2))
actual_user_perm = get_user_permissions(user.id, client.id)
expected_user_perm = {
scope.id: '*'
for n, scope in enumerate(scopes) if n in (1, 2, 5, 6)
}
assert_compare(expected_user_perm, actual_user_perm)
actual_client_perm = get_client_permissions(client.id)
expected_client_perm = {scope.id: '*' for scope in scopes[1:7]}
assert_compare(expected_client_perm, actual_client_perm)
def test_collection_client_platform_collection_role_mix():
scopes = ScopeFactory.create_batch(8, type='odp')
client = ClientFactory(scopes=scopes[1:7], is_collection_client=True)
role1 = RoleFactory(scopes=scopes[:3])
role2 = RoleFactory(scopes=scopes[3:5], is_collection_role=True)
role3 = RoleFactory(scopes=scopes[5:], collection=client.collection)
user = UserFactory(roles=(role1, role2, role3))
actual_user_perm = get_user_permissions(user.id, client.id)
expected_user_perm = {
scope.id: [client.collection_id]
for n, scope in enumerate(scopes) if n in (1, 2, 5, 6)
}
assert_compare(expected_user_perm, actual_user_perm)
actual_client_perm = get_client_permissions(client.id)
expected_client_perm = {
scope.id: [client.collection_id]
for scope in scopes[1:7]
}
assert_compare(expected_client_perm, actual_client_perm)
def scoped_client(scopes, collection=None):
ClientFactory(
id='odp.test',
scopes=[ScopeFactory(id=s.value, type='odp') for s in scopes],
collection=collection,
)
token = OAuth2Session(
client_id='odp.test',
client_secret='secret',
scope=' '.join(s.value for s in odp.ODPScope),
).fetch_token(
f'{hydra_public_url}/oauth2/token',
grant_type='client_credentials',
timeout=1.0,
)
api_client = TestClient(app=odp.api.app)
api_client.headers = {
'Accept': 'application/json',
'Authorization': 'Bearer ' + token['access_token'],
}
return api_client
def test_collection_roles():
scopes = ScopeFactory.create_batch(8, type='odp')
client = ClientFactory(scopes=scopes[1:7])
role1 = RoleFactory(scopes=scopes[:5], is_collection_role=True)
role2 = RoleFactory(scopes=scopes[3:], is_collection_role=True)
user = UserFactory(roles=(role1, role2))
actual_user_perm = get_user_permissions(user.id, client.id)
expected_user_perm = {
scope.id: [role1.collection_id]
for n, scope in enumerate(scopes) if n in (1, 2)
} | {
scope.id: [role1.collection_id, role2.collection_id]
for n, scope in enumerate(scopes) if n in (3, 4)
} | {
scope.id: [role2.collection_id]
for n, scope in enumerate(scopes) if n in (5, 6)
}
assert_compare(expected_user_perm, actual_user_perm)
actual_client_perm = get_client_permissions(client.id)
expected_client_perm = {scope.id: '*' for scope in scopes[1:7]}
assert_compare(expected_client_perm, actual_client_perm)
def scope_batch():
"""Create and commit a batch of Scope instances."""
return [
ScopeFactory()
for _ in range(randint(3, 5))
]
def test_create_client_with_scopes():
scopes = ScopeFactory.create_batch(5)
client = ClientFactory(scopes=scopes)
result = Session.execute(select(ClientScope)).scalars()
assert [(row.client_id, row.scope_id, row.scope_type) for row in result] \
== [(client.id, scope.id, scope.type) for scope in scopes]
def test_create_scope():
scope = ScopeFactory()
result = Session.execute(select(Scope)).scalar_one()
assert (result.id, result.type) == (scope.id, scope.type)