def test_org_admin_update_same_org_user_roles_name(org_admin_headers):
    """Org admin can add a role, remove a role, and rename a same-org user.

    Positive access-control case: every PUT is sent with the org admin's
    headers against a user freshly created in the admin's own org. Each
    request must return 200 and echo the change under ``updated``.
    """
    org = org_admin_headers['CVE-API-ORG']
    user = str(uuid.uuid4())
    # The target user is created in the same org as the admin making the calls.
    created = post_new_org_user(org, user)
    assert created.status_code == 200

    # Adding a role: the query uses lowercase "admin", the response is
    # expected to report it as "ADMIN".
    add_res = requests.put(
        f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?active_roles.add=admin',
        headers=org_admin_headers)
    assert add_res.status_code == 200
    roles_after_add = json.loads(
        add_res.content.decode())['updated']['authority']['active_roles']
    assert roles_after_add == ["ADMIN"]

    # Removing the role again must leave the role list empty.
    remove_res = requests.put(
        f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?active_roles.remove=admin',
        headers=org_admin_headers)
    assert remove_res.status_code == 200
    roles_after_remove = json.loads(
        remove_res.content.decode())['updated']['authority']['active_roles']
    assert roles_after_remove == []

    # Updating every name component in a single request.
    rename_res = requests.put(
        f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?name.first=t&name.last=e&name.middle=s&name.suffix=t&name.surname=s',
        headers=org_admin_headers)
    assert rename_res.status_code == 200
    # Decode the body once and compare each component in the original order.
    updated_name = json.loads(rename_res.content.decode())['updated']['name']
    expected_parts = (
        ('first', 't'),
        ('last', 'e'),
        ('middle', 's'),
        ('suffix', 't'),
        ('surname', 's'),
    )
    for part, expected in expected_parts:
        assert updated_name[part] == expected
def test_reg_user_can_view_users_same_org(reg_user_headers):
    """A regular user may read the record of another user in the same org.

    The GET is sent with the regular user's headers; the response must be
    accepted by ``ok_response_contains_json`` with the created username.
    """
    org = reg_user_headers['CVE-API-ORG']
    user = str(uuid.uuid4())
    created = post_new_org_user(org, user)
    assert created.status_code == 200
    lookup = requests.get(
        f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}',
        headers=reg_user_headers,
    )
    ok_response_contains_json(lookup, 'username', user)
def test_org_admin_reset_same_org_secret(org_admin_headers):
    """Org admin can reset the API secret of a user in the admin's own org.

    Positive counterpart to the regular-user denial case: the same
    ``reset_secret`` endpoint must return 200 when called with org-admin
    headers, and the response is checked for ``API-secret``.
    """
    org = org_admin_headers['CVE-API-ORG']
    user = str(uuid.uuid4())
    created = post_new_org_user(org, user)
    assert created.status_code == 200
    reset = requests.put(
        f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}/reset_secret',
        headers=org_admin_headers,
    )
    assert reset.status_code == 200
    # Only the presence of 'API-secret' is checked, not its value.
    # NOTE(review): presumably response_contains does a substring match on the body; confirm.
    response_contains(reset, 'API-secret')
def test_org_admin_cannot_create_existen_user(org_admin_headers):
    """Creating a user whose username already exists is rejected.

    The username is created first through ``post_new_org_user``; posting it
    again with org-admin headers must return 400 with error ``USER_EXISTS``.
    """
    user = str(uuid.uuid4())
    org = org_admin_headers['CVE-API-ORG']
    first_create = post_new_org_user(org, user)
    assert first_create.status_code == 200
    # Second create for the same username, this time as the org admin.
    duplicate_create = requests.post(
        f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user',
        headers=org_admin_headers,
        json={'username': user},
    )
    assert duplicate_create.status_code == 400
    response_contains_json(duplicate_create, 'error', 'USER_EXISTS')
def test_regular_user_cannot_reset_secret_of_another_user(reg_user_headers):
    """A regular user must not be able to reset another user's API secret.

    Negative access-control case: the target is a different user in the
    caller's own org, so being in the same org must not be enough. The
    request must return 403 with error ``NOT_SAME_USER_OR_SECRETARIAT``.
    """
    org = reg_user_headers['CVE-API-ORG']
    user = str(uuid.uuid4())
    # The victim account: a fresh user distinct from the caller.
    created = post_new_org_user(org, user)
    assert created.status_code == 200
    denied = requests.put(
        f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}/reset_secret',
        headers=reg_user_headers,
    )
    assert denied.status_code == 403
    response_contains_json(denied, 'error', 'NOT_SAME_USER_OR_SECRETARIAT')
def test_org_admin_cannot_update_duplicate_user_with_new_username(
        org_admin_headers):
    """Renaming a user to a username that already exists is rejected.

    ``user1`` is the org admin's own username taken from the headers and
    ``user2`` is a freshly created user in the same org. Asking to rename
    ``user1`` to ``user2`` must return 403 with error ``DUPLICATE_USERNAME``.
    """
    org = org_admin_headers['CVE-API-ORG']
    user1 = org_admin_headers['CVE-API-USER']
    user2 = str(uuid.uuid4())
    # user2 occupies the username that the rename below will collide with.
    created = post_new_org_user(org, user2)
    assert created.status_code == 200
    collision = requests.put(
        f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user1}?new_username={user2}',
        headers=org_admin_headers,
    )
    assert collision.status_code == 403
    response_contains_json(collision, 'error', 'DUPLICATE_USERNAME')
def test_regular_user_cannot_update_for_another_user(reg_user_headers):
    """A regular user must not be able to modify another same-org user.

    Negative access-control case: the caller tries to rename a second user
    in its own org. The request must return 403 with error
    ``NOT_SAME_USER_OR_SECRETARIAT``.
    """
    org = reg_user_headers['CVE-API-ORG']
    user = reg_user_headers['CVE-API-USER']  # caller's own username; not used below
    user2 = str(uuid.uuid4())
    # user2 is the account the caller will try (and must fail) to rename.
    created = post_new_org_user(org, user2)
    assert created.status_code == 200
    user_name = str(uuid.uuid4())  # new username the caller tries to give user2
    denied = requests.put(
        f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user2}?new_username={user_name}',
        headers=reg_user_headers,
    )
    assert denied.status_code == 403
    response_contains_json(denied, 'error', 'NOT_SAME_USER_OR_SECRETARIAT')
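def test_org_admin_update_same_org_user_state_sn_un(org_admin_headers):
    """Org admin can change a same-org user's state, org and username in one PUT.

    A user is created in the admin's org and a second org is created as the
    move target. A single PUT with org-admin headers then sets
    ``org_shortname``, ``new_username`` and ``active=false``. The request must
    return 200 and the ``updated`` object must show the user as inactive with
    the new username.
    """
    org = org_admin_headers['CVE-API-ORG']
    user = str(uuid.uuid4())
    res = post_new_org_user(
        org, user)  # creating a user with same org as admin org user
    assert res.status_code == 200
    new_shortname = str(uuid.uuid4())  # used in query
    new_username = str(uuid.uuid4())  # used in query
    res = post_new_org(new_shortname, new_shortname)  # create new org
    assert res.status_code == 200
    res = requests.put(
        f'{env.AWG_BASE_URL}{ORG_URL}/{org}/user/{user}?org_shortname={new_shortname}&new_username={new_username}&active=false',
        headers=org_admin_headers)
    assert res.status_code == 200
    # Decode the body once instead of re-parsing it for every assertion.
    updated = json.loads(res.content.decode())['updated']
    # Identity check: a falsy non-boolean (0, "", None) must not pass as
    # "deactivated", which `== False` would allow for 0.
    assert updated['active'] is False
    # Equality with a non-None string already implies the value is not None,
    # so the separate `is not None` assertion was redundant and is dropped.
    assert updated['username'] == new_username
    # NOTE(review): the org_shortname move requested in the query is not
    # asserted; which response field carries the user's org is not visible
    # here. Confirm against the API and add a check so a silently ignored org
    # change cannot pass this test.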