def test_delete_does_not_remove_user_from_account_holder_group( session, monkeypatch, auth_mock): # pylint:disable=unused-argument """Assert that if the user has multiple Orgs, and deleting one doesn't remove account holders group.""" # Create a user in keycloak keycloak_service = KeycloakService() keycloak_service.add_user(KeycloakScenario.create_user_request(), return_if_exists=True) kc_user = keycloak_service.get_user_by_username( KeycloakScenario.create_user_request().user_name) user = factory_user_model( TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id)) # Patch token info def token_info(): # pylint: disable=unused-argument; mocks of library methods return { 'sub': str(kc_user.id), 'username': '******', 'realm_access': { 'roles': [] } } monkeypatch.setattr( 'auth_api.services.keycloak.KeycloakService._get_token_info', token_info) org1 = OrgService.create_org(TestOrgInfo.org1, user_id=user.id) OrgService.create_org(TestOrgInfo.org2, user_id=user.id) OrgService.delete_org(org1.as_dict().get('id'), token_info()) user_groups = keycloak_service.get_user_groups(user_id=kc_user.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups
def test_create_org_adds_user_to_account_holders_group(session, monkeypatch): # pylint:disable=unused-argument """Assert that an Org creation adds the user to account holders group.""" # Create a user in keycloak keycloak_service = KeycloakService() keycloak_service.add_user(KeycloakScenario.create_user_request(), return_if_exists=True) kc_user = keycloak_service.get_user_by_username( KeycloakScenario.create_user_request().user_name) user = factory_user_model( TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id)) # Patch token info def token_info(): # pylint: disable=unused-argument; mocks of library methods return { 'sub': str(kc_user.id), 'username': '******', 'realm_access': { 'roles': [] } } monkeypatch.setattr( 'auth_api.services.keycloak.KeycloakService._get_token_info', token_info) OrgService.create_org(TestOrgInfo.org1, user_id=user.id) user_groups = keycloak_service.get_user_groups(user_id=kc_user.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups
def test_add_user_adds_to_account_holders_group(client, jwt, session): # pylint:disable=unused-argument """Assert that a user gets added to account_holders group if the user has any active account.""" # Create a user in keycloak KEYCLOAK_SERVICE.add_user(KeycloakScenario.create_user_request(), return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username( KeycloakScenario.create_user_request().user_name) user_id = user.id # Create user, org and membserhip in DB user = factory_user_model(TestUserInfo.get_user_with_kc_guid(user_id)) org = factory_org_model(org_status_info=None) factory_membership_model(user.id, org.id) # Login as that user headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.get_test_user( user_id, source='BCSC')) client.post('/api/v1/users', headers=headers, content_type='application/json') user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups
def test_join_account_holders_group_from_token(session, monkeypatch): """Assert that the account_holders group is getting added to the user.""" KEYCLOAK_SERVICE.add_user(KeycloakScenario.create_user_request(), return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(KeycloakScenario.create_user_request().user_name) user_id = user.id # Patch token info def token_info(): # pylint: disable=unused-argument; mocks of library methods return { 'sub': str(user_id), 'username': '******', 'realm_access': { 'roles': [ ] } } monkeypatch.setattr('auth_api.services.keycloak.KeycloakService._get_token_info', token_info) KEYCLOAK_SERVICE.join_account_holders_group() # Get the user groups and verify the public_users group is in the list user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name)
def test_remove_member_removes_group_to_the_user(session, monkeypatch): # pylint:disable=unused-argument """Assert that accepting an invite adds group to the user.""" # Create a user in keycloak keycloak_service = KeycloakService() request = KeycloakScenario.create_user_request() keycloak_service.add_user(request, return_if_exists=True) kc_user = keycloak_service.get_user_by_username(request.user_name) user = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id)) # Patch token info def token_info(): # pylint: disable=unused-argument; mocks of library methods return { 'sub': str(kc_user.id), 'username': '******', 'realm_access': { 'roles': [ 'edit' ] }, 'product_code': ProductCode.BUSINESS.value } monkeypatch.setattr('auth_api.services.keycloak.KeycloakService._get_token_info', token_info) org = OrgService.create_org(TestOrgInfo.org1, user_id=user.id) # Create another user request = KeycloakScenario.create_user_request() keycloak_service.add_user(request, return_if_exists=True) kc_user2 = keycloak_service.get_user_by_username(request.user_name) user2 = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user2.id)) # Add a membership to the user for the org created factory_membership_model(user2.id, org.as_dict().get('id'), member_type='COORDINATOR', member_status=4) # Add a product to org factory_product_model(org.as_dict().get('id'), product_code=ProductCode.BUSINESS.value) # Find the membership and update to ACTIVE membership = MembershipService.get_membership_for_org_and_user(org.as_dict().get('id'), user2.id) active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.ACTIVE.name) updated_fields = {'membership_status': active_membership_status} MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info()) user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups # Find the membership and update to INACTIVE active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.INACTIVE.name) updated_fields = {'membership_status': active_membership_status} MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info()) user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS not in groups
def test_join_account_holders_group(session): """Assert that the account_holders group is getting added to the user.""" KEYCLOAK_SERVICE.add_user(KeycloakScenario.create_user_request(), return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(KeycloakScenario.create_user_request().user_name) user_id = user.id KEYCLOAK_SERVICE.join_account_holders_group(keycloak_guid=user_id) # Get the user groups and verify the public_users group is in the list user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name)
def test_join_public_users_group_for_existing_users(session): """Test the existing user account, and assert the public_users group is not added.""" KEYCLOAK_SERVICE.add_user(KeycloakScenario.create_user_request(), return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(KeycloakScenario.create_user_request().user_name) user_id = user.id KEYCLOAK_SERVICE.join_public_users_group( {'sub': user_id, 'loginSource': PASSCODE, 'realm_access': {'roles': [Role.EDITOR.value]}}) # Get the user groups and verify the public_users group is in the list user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_PUBLIC_USERS not in groups KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name)
def test_join_public_users_group_for_staff_users(session, app): """Test the staff user account creation, and assert the public_users group is not added.""" # with app.app_context(): KEYCLOAK_SERVICE.add_user(KeycloakScenario.create_user_request(), return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(KeycloakScenario.create_user_request().user_name) user_id = user.id KEYCLOAK_SERVICE.join_public_users_group({'sub': user_id, 'loginSource': STAFF, 'realm_access': {'roles': []}}) # Get the user groups and verify the public_users group is in the list user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_PUBLIC_USERS not in groups KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name)
def test_keycloak_get_user_by_username(session): """Get user by username. Assert get a user with the same username as the username in request.""" request = KeycloakScenario.create_user_request() # with app.app_context(): KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) assert user.user_name == request.user_name
def test_join_users_group(app, session): """Test the public_users group membership for public users.""" # with app.app_context(): request = KeycloakScenario.create_user_request() KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) user_id = user.id KEYCLOAK_SERVICE.join_users_group({ 'sub': user_id, 'loginSource': LoginSource.BCSC.value, 'realm_access': { 'roles': [] } }) # Get the user groups and verify the public_users group is in the list user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_PUBLIC_USERS in groups # BCROS KEYCLOAK_SERVICE.join_users_group({ 'sub': user_id, 'loginSource': LoginSource.BCROS.value, 'realm_access': { 'roles': [] } }) # Get the user groups and verify the public_users group is in the list user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ANONYMOUS_USERS in groups
def test_accept_gov_account_invitation(client, jwt, session): # pylint:disable=unused-argument """Assert that an invitation can be accepted.""" headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.gov_account_holder_user) client.post('/api/v1/users', headers=headers, content_type='application/json') rv = client.post('/api/v1/orgs', data=json.dumps(TestOrgInfo.org1), headers=headers, content_type='application/json') dictionary = json.loads(rv.data) org_id = dictionary['id'] rv = client.post('/api/v1/invitations', data=json.dumps(factory_invitation(org_id=org_id)), headers=headers, content_type='application/json') invitation_dictionary = json.loads(rv.data) invitation_id = invitation_dictionary['id'] invitation_id_token = InvitationService.generate_confirmation_token(invitation_id) request = KeycloakScenario.create_user_request() KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) user_id = user.id headers_invitee = factory_auth_header(jwt=jwt, claims=TestJwtClaims.get_test_user(user_id, source='IDIR')) client.post('/api/v1/users', headers=headers_invitee, content_type='application/json') rv = client.put('/api/v1/invitations/tokens/{}'.format(invitation_id_token), headers=headers_invitee, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK rv = client.get('/api/v1/orgs/{}/members?status=PENDING_APPROVAL'.format(org_id), headers=headers, content_type='application/json') dictionary = json.loads(rv.data) assert len(dictionary['members']) == 1 # Assert that the user got added to the keycloak groups user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_GOV_ACCOUNT_USERS in groups
def test_keycloak_delete_user_by_username_user_not_exist(session): """Delete user by invalid username. Assert response is None, error code data not found.""" # with app.app_context(): # First delete the user if it exists try: if KEYCLOAK_SERVICE.get_user_by_username(KeycloakScenario.create_user_request().user_name): KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name) except Exception: pass response = None try: response = KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name) except BusinessException as err: assert err.code == Error.DATA_NOT_FOUND.name assert response is None
def test_keycloak_add_user(session): """Add user to Keycloak. Assert return a user with the same username as the username in request.""" # with app.app_context(): request = KeycloakScenario.create_user_request() user = KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) assert user.user_name == request.user_name KEYCLOAK_SERVICE.delete_user_by_username(request.user_name)
def test_add_bceid_user(client, jwt, session): # pylint:disable=unused-argument """Assert that a user can be POSTed.""" # Create a user in keycloak request = KeycloakScenario.create_user_request() KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) user_id = user.id headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.get_test_user( user_id, source='BCEID')) rv = client.post('/api/v1/users', headers=headers, content_type='application/json', data=json.dumps({ 'firstName': 'John', 'lastName': 'Doe' })) assert rv.status_code == http_status.HTTP_201_CREATED assert rv.json.get('firstname') == 'John' rv = client.post('/api/v1/users', headers=headers, content_type='application/json', data=json.dumps({ 'firstName': 'John-New', 'lastName': 'Doe' })) assert rv.status_code == http_status.HTTP_201_CREATED assert rv.json.get('firstname') == 'John-New'
def test_keycloak_delete_user_by_username(session): """Delete user by username.Assert response is not None.""" # with app.app_context(): request = KeycloakScenario.create_user_request() KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) KEYCLOAK_SERVICE.delete_user_by_username(request.user_name) assert True
def test_reset_otp(session): """Assert that the user otp configuration get reset in keycloak.""" request = KeycloakScenario.create_user_by_user_info(user_info=TestJwtClaims.tester_bceid_role) KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) user_id = user.id KEYCLOAK_SERVICE.reset_otp(user_id) assert True
def test_accept_public_users_invitation( client, jwt, session, org_info, role, # pylint:disable=unused-argument claims, source, exp_status): """Assert that an invitation can be accepted.""" headers = factory_auth_header(jwt=jwt, claims=claims) client.post('/api/v1/users', headers=headers, content_type='application/json') rv = client.post('/api/v1/orgs', data=json.dumps(org_info), headers=headers, content_type='application/json') dictionary = json.loads(rv.data) org_id = dictionary['id'] rv = client.post('/api/v1/invitations', data=json.dumps( factory_invitation(org_id=org_id, membership_type=role)), headers=headers, content_type='application/json') invitation_dictionary = json.loads(rv.data) invitation_id = invitation_dictionary['id'] invitation_id_token = InvitationService.generate_confirmation_token( invitation_id) request = KeycloakScenario.create_user_request() KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) user_id = user.id headers_invitee = factory_auth_header(jwt=jwt, claims=TestJwtClaims.get_test_user( user_id, source=source)) client.post('/api/v1/users', headers=headers_invitee, content_type='application/json') rv = client.put( '/api/v1/invitations/tokens/{}'.format(invitation_id_token), headers=headers_invitee, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK rv = client.get(f'/api/v1/orgs/{org_id}/members?status={exp_status.name}', headers=headers, content_type='application/json') dictionary = json.loads(rv.data) assert len(dictionary['members']) == 1 # Assert that the user got added to the keycloak groups user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_PUBLIC_USERS in groups
def test_keycloak_get_token(session): """Get token by username and password. Assert access_token is included in response.""" request = KeycloakScenario.create_user_request() # with app.app_context(): KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) response = KEYCLOAK_SERVICE.get_token(request.user_name, request.password) assert response.get('access_token') is not None KEYCLOAK_SERVICE.delete_user_by_username(request.user_name)
def test_keycloak_get_user_by_username_not_exist(session): """Get user by a username not exists in Keycloak. Assert user is None, error code is data not found.""" user = None request = KeycloakScenario.create_user_request() # with app.app_context(): try: user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) except BusinessException as err: assert err.code == Error.DATA_NOT_FOUND.name assert user is None
def test_create_user_and_add_same_user_name_error_in_kc(session, auth_mock, keycloak_mock): # pylint:disable=unused-argument """Assert that same user name cannot be added twice.""" org = factory_org_model(org_info=TestOrgInfo.org_anonymous) membership = [TestAnonymousMembership.generate_random_user(ADMIN)] keycloak_service = KeycloakService() request = KeycloakScenario.create_user_request() request.user_name = membership[0]['username'] keycloak_service.add_user(request) users = UserService.create_user_and_add_membership(membership, org.id, single_mode=True) assert users['users'][0]['http_status'] == 409 assert users['users'][0]['error'] == 'The username is already taken'
def test_join_account_holders_group_from_token(session, monkeypatch): """Assert that the account_holders group is getting added to the user.""" request = KeycloakScenario.create_user_request() KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) user_id = user.id # Patch token info patch_token_info({'sub': user_id}, monkeypatch) KEYCLOAK_SERVICE.join_account_holders_group() # Get the user groups and verify the public_users group is in the list user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups
def test_create_org_adds_user_to_account_holders_group(session, monkeypatch): # pylint:disable=unused-argument """Assert that an Org creation adds the user to account holders group.""" # Create a user in keycloak keycloak_service = KeycloakService() request = KeycloakScenario.create_user_request() keycloak_service.add_user(request, return_if_exists=True) kc_user = keycloak_service.get_user_by_username(request.user_name) user = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id)) patch_token_info({'sub': user.keycloak_guid}, monkeypatch) OrgService.create_org(TestOrgInfo.org1, user_id=user.id) user_groups = keycloak_service.get_user_groups(user_id=kc_user.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups
def test_delete_otp_for_user(session, auth_mock, keycloak_mock): """Assert that the otp cant be reset.""" kc_service = KeycloakService() org = factory_org_model(org_info=TestOrgInfo.org_anonymous) admin_user = factory_user_model() factory_membership_model(admin_user.id, org.id) admin_claims = TestJwtClaims.get_test_real_user(admin_user.keycloak_guid) membership = [TestAnonymousMembership.generate_random_user(USER)] keycloak_service = KeycloakService() request = KeycloakScenario.create_user_request() request.user_name = membership[0]['username'] keycloak_service.add_user(request) user = kc_service.get_user_by_username(request.user_name) user = factory_user_model(TestUserInfo.get_bceid_user_with_kc_guid(user.id)) factory_membership_model(user.id, org.id) UserService.delete_otp_for_user(user.username, admin_claims) user1 = kc_service.get_user_by_username(request.user_name) assert 'CONFIGURE_TOTP' in json.loads(user1.value()).get('requiredActions')
def test_reset_bceid_user(session, auth_mock): # pylint: disable=unused-argument """Assert that reset data from a bceid user.""" keycloak_service = KeycloakService() request = KeycloakScenario.create_user_by_user_info( TestJwtClaims.tester_bceid_role) keycloak_service.add_user(request, return_if_exists=True) user = keycloak_service.get_user_by_username(request.user_name) assert user is not None user_id = user.id user_with_token = TestUserInfo.user_bceid_tester user_with_token['keycloak_guid'] = user_id user = factory_user_model(user_info=user_with_token) org = factory_org_model(user_id=user.id) response = ResetDataService.reset( TestJwtClaims.get_test_user(user_id, 'BCEID')) assert response is None found_org = OrgService.find_by_org_id(org.id) assert found_org is None
def test_delete_does_not_remove_user_from_account_holder_group(session, monkeypatch, auth_mock): # pylint:disable=unused-argument """Assert that if the user has multiple Orgs, and deleting one doesn't remove account holders group.""" # Create a user in keycloak keycloak_service = KeycloakService() request = KeycloakScenario.create_user_request() keycloak_service.add_user(request, return_if_exists=True) kc_user = keycloak_service.get_user_by_username(request.user_name) user = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id)) patch_token_info({'sub': user.keycloak_guid}, monkeypatch) patch_pay_account_delete(monkeypatch) org1 = OrgService.create_org(TestOrgInfo.org1, user_id=user.id) OrgService.create_org(TestOrgInfo.org2, user_id=user.id) OrgService.delete_org(org1.as_dict().get('id')) user_groups = keycloak_service.get_user_groups(user_id=kc_user.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups
def test_join_users_group_for_existing_users(session, monkeypatch): """Test the existing user account, and assert the public_users group is not added.""" request = KeycloakScenario.create_user_request() KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) user_id = user.id patch_token_info( { 'sub': user_id, 'loginSource': LoginSource.BCSC.value, 'realm_access': { 'roles': [Role.EDITOR.value] } }, monkeypatch) KEYCLOAK_SERVICE.join_users_group() # Get the user groups and verify the public_users group is in the list user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_PUBLIC_USERS in groups
def test_delete_otp_for_user(client, jwt, session): # pylint:disable=unused-argument """Assert that a user can be POSTed.""" # ADMIN admin_user = factory_user_model(user_info=TestUserInfo.user1) org = factory_org_model(org_info=TestOrgInfo.org_regular_bceid) factory_membership_model(admin_user.id, org.id) admin_claims = TestJwtClaims.get_test_real_user(admin_user.keycloak_guid) admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims) # COORDINATOR coordinator_user = factory_user_model(user_info=TestUserInfo.user2) factory_membership_model(coordinator_user.id, org.id, member_type=COORDINATOR) coordinator_claims = TestJwtClaims.get_test_real_user(coordinator_user.keycloak_guid) coordinator_headers = factory_auth_header(jwt=jwt, claims=coordinator_claims) # just a member member_user = factory_user_model(user_info=TestUserInfo.user3) factory_membership_model(member_user.id, org.id, member_type=USER) user_claims = TestJwtClaims.get_test_real_user(member_user.keycloak_guid) user_headers = factory_auth_header(jwt=jwt, claims=user_claims) request = KeycloakScenario.create_user_by_user_info(user_info=TestJwtClaims.tester_bceid_role) KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) assert 'CONFIGURE_TOTP' not in json.loads(user.value()).get('requiredActions', None) user_id = user.id # Create user, org and membserhip in DB user = factory_user_model(TestUserInfo.get_bceid_user_with_kc_guid(user_id)) factory_membership_model(user.id, org.id) # staff with manage accounts otp reset headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.staff_manage_accounts_role) rv = client.delete(f'api/v1/users/{user.username}/otp', headers=headers) assert rv.status_code == http_status.HTTP_204_NO_CONTENT user1 = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) assert 'CONFIGURE_TOTP' in json.loads(user1.value()).get('requiredActions') # staff with basic access cant do otp reset headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.staff_role) rv = client.delete(f'api/v1/users/{user.username}/otp', headers=headers) assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # admin can do otp reset rv = client.delete(f'api/v1/users/{user.username}/otp', headers=admin_headers) assert rv.status_code == http_status.HTTP_204_NO_CONTENT # coordinator can do otp reset rv = client.delete(f'api/v1/users/{user.username}/otp', headers=coordinator_headers) assert rv.status_code == http_status.HTTP_204_NO_CONTENT # user can not do otp reset rv = client.delete(f'api/v1/users/{user.username}/otp', headers=user_headers) assert rv.status_code == http_status.HTTP_403_FORBIDDEN # another org admin cant do admin_user1 = factory_user_model(user_info=TestUserInfo.user_test) org1 = factory_org_model(org_info=TestOrgInfo.org2, org_type_info=TestOrgTypeInfo.implicit, org_status_info=None, payment_type_info=None) factory_membership_model(admin_user1.id, org1.id) admin_claims = TestJwtClaims.get_test_real_user(admin_user1.keycloak_guid) admin1_headers = factory_auth_header(jwt=jwt, claims=admin_claims) rv = client.delete(f'api/v1/users/{user.username}/otp', headers=admin1_headers) assert rv.status_code == http_status.HTTP_403_FORBIDDEN