def test_delete_does_not_remove_user_from_account_holder_group(
session, monkeypatch, auth_mock): # pylint:disable=unused-argument
"""Assert that if the user has multiple Orgs, and deleting one doesn't remove account holders group."""
# Create a user in keycloak
keycloak_service = KeycloakService()
keycloak_service.add_user(KeycloakScenario.create_user_request(),
return_if_exists=True)
kc_user = keycloak_service.get_user_by_username(
KeycloakScenario.create_user_request().user_name)
user = factory_user_model(
TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id))
# Patch token info
def token_info(): # pylint: disable=unused-argument; mocks of library methods
return {
'sub': str(kc_user.id),
'username': '******',
'realm_access': {
'roles': []
}
}
monkeypatch.setattr(
'auth_api.services.keycloak.KeycloakService._get_token_info',
token_info)
org1 = OrgService.create_org(TestOrgInfo.org1, user_id=user.id)
OrgService.create_org(TestOrgInfo.org2, user_id=user.id)
OrgService.delete_org(org1.as_dict().get('id'), token_info())
user_groups = keycloak_service.get_user_groups(user_id=kc_user.id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
def test_create_org_adds_user_to_account_holders_group(session, monkeypatch): # pylint:disable=unused-argument
"""Assert that an Org creation adds the user to account holders group."""
# Create a user in keycloak
keycloak_service = KeycloakService()
keycloak_service.add_user(KeycloakScenario.create_user_request(),
return_if_exists=True)
kc_user = keycloak_service.get_user_by_username(
KeycloakScenario.create_user_request().user_name)
user = factory_user_model(
TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id))
# Patch token info
def token_info(): # pylint: disable=unused-argument; mocks of library methods
return {
'sub': str(kc_user.id),
'username': '******',
'realm_access': {
'roles': []
}
}
monkeypatch.setattr(
'auth_api.services.keycloak.KeycloakService._get_token_info',
token_info)
OrgService.create_org(TestOrgInfo.org1, user_id=user.id)
user_groups = keycloak_service.get_user_groups(user_id=kc_user.id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
def test_add_user_adds_to_account_holders_group(client, jwt, session): # pylint:disable=unused-argument
"""Assert that a user gets added to account_holders group if the user has any active account."""
# Create a user in keycloak
KEYCLOAK_SERVICE.add_user(KeycloakScenario.create_user_request(),
return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(
KeycloakScenario.create_user_request().user_name)
user_id = user.id
# Create user, org and membserhip in DB
user = factory_user_model(TestUserInfo.get_user_with_kc_guid(user_id))
org = factory_org_model(org_status_info=None)
factory_membership_model(user.id, org.id)
# Login as that user
headers = factory_auth_header(jwt=jwt,
claims=TestJwtClaims.get_test_user(
user_id, source='BCSC'))
client.post('/api/v1/users',
headers=headers,
content_type='application/json')
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
def test_join_account_holders_group_from_token(session, monkeypatch):
"""Assert that the account_holders group is getting added to the user."""
KEYCLOAK_SERVICE.add_user(KeycloakScenario.create_user_request(), return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(KeycloakScenario.create_user_request().user_name)
user_id = user.id
# Patch token info
def token_info(): # pylint: disable=unused-argument; mocks of library methods
return {
'sub': str(user_id),
'username': '******',
'realm_access': {
'roles': [
]
}
}
monkeypatch.setattr('auth_api.services.keycloak.KeycloakService._get_token_info', token_info)
KEYCLOAK_SERVICE.join_account_holders_group()
# Get the user groups and verify the public_users group is in the list
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name)
def test_remove_member_removes_group_to_the_user(session, monkeypatch): # pylint:disable=unused-argument
"""Assert that accepting an invite adds group to the user."""
# Create a user in keycloak
keycloak_service = KeycloakService()
request = KeycloakScenario.create_user_request()
keycloak_service.add_user(request, return_if_exists=True)
kc_user = keycloak_service.get_user_by_username(request.user_name)
user = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id))
# Patch token info
def token_info(): # pylint: disable=unused-argument; mocks of library methods
return {
'sub': str(kc_user.id),
'username': '******',
'realm_access': {
'roles': [
'edit'
]
},
'product_code': ProductCode.BUSINESS.value
}
monkeypatch.setattr('auth_api.services.keycloak.KeycloakService._get_token_info', token_info)
org = OrgService.create_org(TestOrgInfo.org1, user_id=user.id)
# Create another user
request = KeycloakScenario.create_user_request()
keycloak_service.add_user(request, return_if_exists=True)
kc_user2 = keycloak_service.get_user_by_username(request.user_name)
user2 = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user2.id))
# Add a membership to the user for the org created
factory_membership_model(user2.id, org.as_dict().get('id'), member_type='COORDINATOR', member_status=4)
# Add a product to org
factory_product_model(org.as_dict().get('id'), product_code=ProductCode.BUSINESS.value)
# Find the membership and update to ACTIVE
membership = MembershipService.get_membership_for_org_and_user(org.as_dict().get('id'), user2.id)
active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.ACTIVE.name)
updated_fields = {'membership_status': active_membership_status}
MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info())
user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
# Find the membership and update to INACTIVE
active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.INACTIVE.name)
updated_fields = {'membership_status': active_membership_status}
MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info())
user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS not in groups
def test_join_account_holders_group(session):
"""Assert that the account_holders group is getting added to the user."""
KEYCLOAK_SERVICE.add_user(KeycloakScenario.create_user_request(), return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(KeycloakScenario.create_user_request().user_name)
user_id = user.id
KEYCLOAK_SERVICE.join_account_holders_group(keycloak_guid=user_id)
# Get the user groups and verify the public_users group is in the list
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name)
def test_join_public_users_group_for_existing_users(session):
"""Test the existing user account, and assert the public_users group is not added."""
KEYCLOAK_SERVICE.add_user(KeycloakScenario.create_user_request(), return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(KeycloakScenario.create_user_request().user_name)
user_id = user.id
KEYCLOAK_SERVICE.join_public_users_group(
{'sub': user_id, 'loginSource': PASSCODE, 'realm_access': {'roles': [Role.EDITOR.value]}})
# Get the user groups and verify the public_users group is in the list
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_PUBLIC_USERS not in groups
KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name)
def test_join_public_users_group_for_staff_users(session, app):
"""Test the staff user account creation, and assert the public_users group is not added."""
# with app.app_context():
KEYCLOAK_SERVICE.add_user(KeycloakScenario.create_user_request(), return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(KeycloakScenario.create_user_request().user_name)
user_id = user.id
KEYCLOAK_SERVICE.join_public_users_group({'sub': user_id, 'loginSource': STAFF, 'realm_access': {'roles': []}})
# Get the user groups and verify the public_users group is in the list
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_PUBLIC_USERS not in groups
KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name)
def test_keycloak_get_user_by_username(session):
"""Get user by username. Assert get a user with the same username as the username in request."""
request = KeycloakScenario.create_user_request()
# with app.app_context():
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
assert user.user_name == request.user_name
def test_join_users_group(app, session):
"""Test the public_users group membership for public users."""
# with app.app_context():
request = KeycloakScenario.create_user_request()
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
user_id = user.id
KEYCLOAK_SERVICE.join_users_group({
'sub': user_id,
'loginSource': LoginSource.BCSC.value,
'realm_access': {
'roles': []
}
})
# Get the user groups and verify the public_users group is in the list
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_PUBLIC_USERS in groups
# BCROS
KEYCLOAK_SERVICE.join_users_group({
'sub': user_id,
'loginSource': LoginSource.BCROS.value,
'realm_access': {
'roles': []
}
})
# Get the user groups and verify the public_users group is in the list
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ANONYMOUS_USERS in groups
def test_accept_gov_account_invitation(client, jwt, session): # pylint:disable=unused-argument
"""Assert that an invitation can be accepted."""
headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.gov_account_holder_user)
client.post('/api/v1/users', headers=headers, content_type='application/json')
rv = client.post('/api/v1/orgs', data=json.dumps(TestOrgInfo.org1),
headers=headers, content_type='application/json')
dictionary = json.loads(rv.data)
org_id = dictionary['id']
rv = client.post('/api/v1/invitations', data=json.dumps(factory_invitation(org_id=org_id)),
headers=headers, content_type='application/json')
invitation_dictionary = json.loads(rv.data)
invitation_id = invitation_dictionary['id']
invitation_id_token = InvitationService.generate_confirmation_token(invitation_id)
request = KeycloakScenario.create_user_request()
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
user_id = user.id
headers_invitee = factory_auth_header(jwt=jwt, claims=TestJwtClaims.get_test_user(user_id, source='IDIR'))
client.post('/api/v1/users', headers=headers_invitee, content_type='application/json')
rv = client.put('/api/v1/invitations/tokens/{}'.format(invitation_id_token), headers=headers_invitee,
content_type='application/json')
assert rv.status_code == http_status.HTTP_200_OK
rv = client.get('/api/v1/orgs/{}/members?status=PENDING_APPROVAL'.format(org_id),
headers=headers,
content_type='application/json')
dictionary = json.loads(rv.data)
assert len(dictionary['members']) == 1
# Assert that the user got added to the keycloak groups
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_GOV_ACCOUNT_USERS in groups
def test_keycloak_delete_user_by_username_user_not_exist(session):
"""Delete user by invalid username. Assert response is None, error code data not found."""
# with app.app_context():
# First delete the user if it exists
try:
if KEYCLOAK_SERVICE.get_user_by_username(KeycloakScenario.create_user_request().user_name):
KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name)
except Exception:
pass
response = None
try:
response = KEYCLOAK_SERVICE.delete_user_by_username(KeycloakScenario.create_user_request().user_name)
except BusinessException as err:
assert err.code == Error.DATA_NOT_FOUND.name
assert response is None
def test_keycloak_add_user(session):
"""Add user to Keycloak. Assert return a user with the same username as the username in request."""
# with app.app_context():
request = KeycloakScenario.create_user_request()
user = KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
assert user.user_name == request.user_name
KEYCLOAK_SERVICE.delete_user_by_username(request.user_name)
def test_add_bceid_user(client, jwt, session): # pylint:disable=unused-argument
"""Assert that a user can be POSTed."""
# Create a user in keycloak
request = KeycloakScenario.create_user_request()
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
user_id = user.id
headers = factory_auth_header(jwt=jwt,
claims=TestJwtClaims.get_test_user(
user_id, source='BCEID'))
rv = client.post('/api/v1/users',
headers=headers,
content_type='application/json',
data=json.dumps({
'firstName': 'John',
'lastName': 'Doe'
}))
assert rv.status_code == http_status.HTTP_201_CREATED
assert rv.json.get('firstname') == 'John'
rv = client.post('/api/v1/users',
headers=headers,
content_type='application/json',
data=json.dumps({
'firstName': 'John-New',
'lastName': 'Doe'
}))
assert rv.status_code == http_status.HTTP_201_CREATED
assert rv.json.get('firstname') == 'John-New'
def test_keycloak_delete_user_by_username(session):
"""Delete user by username.Assert response is not None."""
# with app.app_context():
request = KeycloakScenario.create_user_request()
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
KEYCLOAK_SERVICE.delete_user_by_username(request.user_name)
assert True
def test_reset_otp(session):
"""Assert that the user otp configuration get reset in keycloak."""
request = KeycloakScenario.create_user_by_user_info(user_info=TestJwtClaims.tester_bceid_role)
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
user_id = user.id
KEYCLOAK_SERVICE.reset_otp(user_id)
assert True
def test_accept_public_users_invitation(
client,
jwt,
session,
org_info,
role, # pylint:disable=unused-argument
claims,
source,
exp_status):
"""Assert that an invitation can be accepted."""
headers = factory_auth_header(jwt=jwt, claims=claims)
client.post('/api/v1/users',
headers=headers,
content_type='application/json')
rv = client.post('/api/v1/orgs',
data=json.dumps(org_info),
headers=headers,
content_type='application/json')
dictionary = json.loads(rv.data)
org_id = dictionary['id']
rv = client.post('/api/v1/invitations',
data=json.dumps(
factory_invitation(org_id=org_id,
membership_type=role)),
headers=headers,
content_type='application/json')
invitation_dictionary = json.loads(rv.data)
invitation_id = invitation_dictionary['id']
invitation_id_token = InvitationService.generate_confirmation_token(
invitation_id)
request = KeycloakScenario.create_user_request()
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
user_id = user.id
headers_invitee = factory_auth_header(jwt=jwt,
claims=TestJwtClaims.get_test_user(
user_id, source=source))
client.post('/api/v1/users',
headers=headers_invitee,
content_type='application/json')
rv = client.put(
'/api/v1/invitations/tokens/{}'.format(invitation_id_token),
headers=headers_invitee,
content_type='application/json')
assert rv.status_code == http_status.HTTP_200_OK
rv = client.get(f'/api/v1/orgs/{org_id}/members?status={exp_status.name}',
headers=headers,
content_type='application/json')
dictionary = json.loads(rv.data)
assert len(dictionary['members']) == 1
# Assert that the user got added to the keycloak groups
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_PUBLIC_USERS in groups
def test_keycloak_get_token(session):
"""Get token by username and password. Assert access_token is included in response."""
request = KeycloakScenario.create_user_request()
# with app.app_context():
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
response = KEYCLOAK_SERVICE.get_token(request.user_name, request.password)
assert response.get('access_token') is not None
KEYCLOAK_SERVICE.delete_user_by_username(request.user_name)
def test_keycloak_get_user_by_username_not_exist(session):
"""Get user by a username not exists in Keycloak. Assert user is None, error code is data not found."""
user = None
request = KeycloakScenario.create_user_request()
# with app.app_context():
try:
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
except BusinessException as err:
assert err.code == Error.DATA_NOT_FOUND.name
assert user is None
def test_create_user_and_add_same_user_name_error_in_kc(session, auth_mock,
keycloak_mock): # pylint:disable=unused-argument
"""Assert that same user name cannot be added twice."""
org = factory_org_model(org_info=TestOrgInfo.org_anonymous)
membership = [TestAnonymousMembership.generate_random_user(ADMIN)]
keycloak_service = KeycloakService()
request = KeycloakScenario.create_user_request()
request.user_name = membership[0]['username']
keycloak_service.add_user(request)
users = UserService.create_user_and_add_membership(membership, org.id, single_mode=True)
assert users['users'][0]['http_status'] == 409
assert users['users'][0]['error'] == 'The username is already taken'
def test_join_account_holders_group_from_token(session, monkeypatch):
"""Assert that the account_holders group is getting added to the user."""
request = KeycloakScenario.create_user_request()
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
user_id = user.id
# Patch token info
patch_token_info({'sub': user_id}, monkeypatch)
KEYCLOAK_SERVICE.join_account_holders_group()
# Get the user groups and verify the public_users group is in the list
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
def test_create_org_adds_user_to_account_holders_group(session, monkeypatch): # pylint:disable=unused-argument
"""Assert that an Org creation adds the user to account holders group."""
# Create a user in keycloak
keycloak_service = KeycloakService()
request = KeycloakScenario.create_user_request()
keycloak_service.add_user(request, return_if_exists=True)
kc_user = keycloak_service.get_user_by_username(request.user_name)
user = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id))
patch_token_info({'sub': user.keycloak_guid}, monkeypatch)
OrgService.create_org(TestOrgInfo.org1, user_id=user.id)
user_groups = keycloak_service.get_user_groups(user_id=kc_user.id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
def test_delete_otp_for_user(session, auth_mock, keycloak_mock):
"""Assert that the otp cant be reset."""
kc_service = KeycloakService()
org = factory_org_model(org_info=TestOrgInfo.org_anonymous)
admin_user = factory_user_model()
factory_membership_model(admin_user.id, org.id)
admin_claims = TestJwtClaims.get_test_real_user(admin_user.keycloak_guid)
membership = [TestAnonymousMembership.generate_random_user(USER)]
keycloak_service = KeycloakService()
request = KeycloakScenario.create_user_request()
request.user_name = membership[0]['username']
keycloak_service.add_user(request)
user = kc_service.get_user_by_username(request.user_name)
user = factory_user_model(TestUserInfo.get_bceid_user_with_kc_guid(user.id))
factory_membership_model(user.id, org.id)
UserService.delete_otp_for_user(user.username, admin_claims)
user1 = kc_service.get_user_by_username(request.user_name)
assert 'CONFIGURE_TOTP' in json.loads(user1.value()).get('requiredActions')
def test_reset_bceid_user(session, auth_mock): # pylint: disable=unused-argument
"""Assert that reset data from a bceid user."""
keycloak_service = KeycloakService()
request = KeycloakScenario.create_user_by_user_info(
TestJwtClaims.tester_bceid_role)
keycloak_service.add_user(request, return_if_exists=True)
user = keycloak_service.get_user_by_username(request.user_name)
assert user is not None
user_id = user.id
user_with_token = TestUserInfo.user_bceid_tester
user_with_token['keycloak_guid'] = user_id
user = factory_user_model(user_info=user_with_token)
org = factory_org_model(user_id=user.id)
response = ResetDataService.reset(
TestJwtClaims.get_test_user(user_id, 'BCEID'))
assert response is None
found_org = OrgService.find_by_org_id(org.id)
assert found_org is None
def test_delete_does_not_remove_user_from_account_holder_group(session, monkeypatch,
auth_mock): # pylint:disable=unused-argument
"""Assert that if the user has multiple Orgs, and deleting one doesn't remove account holders group."""
# Create a user in keycloak
keycloak_service = KeycloakService()
request = KeycloakScenario.create_user_request()
keycloak_service.add_user(request, return_if_exists=True)
kc_user = keycloak_service.get_user_by_username(request.user_name)
user = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id))
patch_token_info({'sub': user.keycloak_guid}, monkeypatch)
patch_pay_account_delete(monkeypatch)
org1 = OrgService.create_org(TestOrgInfo.org1, user_id=user.id)
OrgService.create_org(TestOrgInfo.org2, user_id=user.id)
OrgService.delete_org(org1.as_dict().get('id'))
user_groups = keycloak_service.get_user_groups(user_id=kc_user.id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
def test_join_users_group_for_existing_users(session, monkeypatch):
"""Test the existing user account, and assert the public_users group is not added."""
request = KeycloakScenario.create_user_request()
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
user_id = user.id
patch_token_info(
{
'sub': user_id,
'loginSource': LoginSource.BCSC.value,
'realm_access': {
'roles': [Role.EDITOR.value]
}
}, monkeypatch)
KEYCLOAK_SERVICE.join_users_group()
# Get the user groups and verify the public_users group is in the list
user_groups = KEYCLOAK_SERVICE.get_user_groups(user_id=user_id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_PUBLIC_USERS in groups
def test_delete_otp_for_user(client, jwt, session): # pylint:disable=unused-argument
"""Assert that a user can be POSTed."""
# ADMIN
admin_user = factory_user_model(user_info=TestUserInfo.user1)
org = factory_org_model(org_info=TestOrgInfo.org_regular_bceid)
factory_membership_model(admin_user.id, org.id)
admin_claims = TestJwtClaims.get_test_real_user(admin_user.keycloak_guid)
admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims)
# COORDINATOR
coordinator_user = factory_user_model(user_info=TestUserInfo.user2)
factory_membership_model(coordinator_user.id, org.id, member_type=COORDINATOR)
coordinator_claims = TestJwtClaims.get_test_real_user(coordinator_user.keycloak_guid)
coordinator_headers = factory_auth_header(jwt=jwt, claims=coordinator_claims)
# just a member
member_user = factory_user_model(user_info=TestUserInfo.user3)
factory_membership_model(member_user.id, org.id, member_type=USER)
user_claims = TestJwtClaims.get_test_real_user(member_user.keycloak_guid)
user_headers = factory_auth_header(jwt=jwt, claims=user_claims)
request = KeycloakScenario.create_user_by_user_info(user_info=TestJwtClaims.tester_bceid_role)
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
assert 'CONFIGURE_TOTP' not in json.loads(user.value()).get('requiredActions', None)
user_id = user.id
# Create user, org and membserhip in DB
user = factory_user_model(TestUserInfo.get_bceid_user_with_kc_guid(user_id))
factory_membership_model(user.id, org.id)
# staff with manage accounts otp reset
headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.staff_manage_accounts_role)
rv = client.delete(f'api/v1/users/{user.username}/otp', headers=headers)
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
user1 = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
assert 'CONFIGURE_TOTP' in json.loads(user1.value()).get('requiredActions')
# staff with basic access cant do otp reset
headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.staff_role)
rv = client.delete(f'api/v1/users/{user.username}/otp', headers=headers)
assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED
# admin can do otp reset
rv = client.delete(f'api/v1/users/{user.username}/otp', headers=admin_headers)
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
# coordinator can do otp reset
rv = client.delete(f'api/v1/users/{user.username}/otp', headers=coordinator_headers)
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
# user can not do otp reset
rv = client.delete(f'api/v1/users/{user.username}/otp', headers=user_headers)
assert rv.status_code == http_status.HTTP_403_FORBIDDEN
# another org admin cant do
admin_user1 = factory_user_model(user_info=TestUserInfo.user_test)
org1 = factory_org_model(org_info=TestOrgInfo.org2, org_type_info=TestOrgTypeInfo.implicit, org_status_info=None,
payment_type_info=None)
factory_membership_model(admin_user1.id, org1.id)
admin_claims = TestJwtClaims.get_test_real_user(admin_user1.keycloak_guid)
admin1_headers = factory_auth_header(jwt=jwt, claims=admin_claims)
rv = client.delete(f'api/v1/users/{user.username}/otp', headers=admin1_headers)
assert rv.status_code == http_status.HTTP_403_FORBIDDEN