def test_delete_bcros_valdiations(client, jwt, session, keycloak_mock, monkeypatch):
"""Assert different conditions of user deletion."""
admin_user = TestUserInfo.user_bcros_active
org = factory_org_model(org_info=TestOrgInfo.org_anonymous)
user = factory_user_model(user_info=TestUserInfo.user_bcros_active)
factory_membership_model(user.id, org.id)
factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value)
owner_claims = TestJwtClaims.get_test_real_user(user.keycloak_guid)
patch_token_info(owner_claims, monkeypatch)
member = TestAnonymousMembership.generate_random_user(USER)
admin = TestAnonymousMembership.generate_random_user(COORDINATOR)
membership = [member, admin]
UserService.create_user_and_add_membership(membership, org.id)
owner_headers = factory_auth_header(jwt=jwt, claims=owner_claims)
member_username = IdpHint.BCROS.value + '/' + member['username']
admin_username = IdpHint.BCROS.value + '/' + admin['username']
admin_claims = TestJwtClaims.get_test_real_user(uuid.uuid4(), admin_username, access_ype=AccessType.ANONYMOUS.value,
roles=[Role.ANONYMOUS_USER.value])
admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims)
member_claims = TestJwtClaims.get_test_real_user(uuid.uuid4(), member_username,
access_ype=AccessType.ANONYMOUS.value,
roles=[Role.ANONYMOUS_USER.value])
member_headers = factory_auth_header(jwt=jwt, claims=member_claims)
# set up JWTS for member and admin
patch_token_info(admin_claims, monkeypatch)
client.post('/api/v1/users', headers=admin_headers, content_type='application/json',
data=json.dumps({'isLogin': True}))
patch_token_info(member_claims, monkeypatch)
client.post('/api/v1/users', headers=member_headers, content_type='application/json',
data=json.dumps({'isLogin': True}))
patch_token_info(owner_claims, monkeypatch)
# delete only owner ;failure
rv = client.delete(f"/api/v1/users/{admin_user['username']}", headers=owner_headers,
content_type='application/json')
assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED
# admin trying to delete member: Failure
patch_token_info(admin_claims, monkeypatch)
rv = client.delete(f'/api/v1/users/{member_username}', headers=admin_headers, content_type='application/json')
assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED
# member delete admin: failure
patch_token_info(member_claims, monkeypatch)
rv = client.delete(f'/api/v1/users/{admin_username}', headers=member_headers, content_type='application/json')
assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED
# a self delete ;should work ;mimics leave team for anonymous user
patch_token_info(member_claims, monkeypatch)
rv = client.delete(f'/api/v1/users/{member_username}', headers=member_headers, content_type='application/json')
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
patch_token_info(admin_claims, monkeypatch)
rv = client.delete(f'/api/v1/users/{admin_username}', headers=admin_headers, content_type='application/json')
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
# add one more admin
patch_token_info(owner_claims, monkeypatch)
new_owner = TestAnonymousMembership.generate_random_user(ADMIN)
membership = [new_owner]
UserService.create_user_and_add_membership(membership, org.id)
patch_token_info(owner_claims, monkeypatch)
rv = client.delete(f"/api/v1/users/{IdpHint.BCROS.value + '/' + new_owner['username']}", headers=owner_headers,
content_type='application/json')
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
def test_delete_bcros_valdiations(client, jwt, session, keycloak_mock):
"""Assert different conditions of user deletion."""
admin_user = TestUserInfo.user_bcros_active
org = factory_org_model(org_info=TestOrgInfo.org_anonymous)
user = factory_user_model(user_info=TestUserInfo.user_bcros_active)
factory_membership_model(user.id, org.id)
owner_claims = TestJwtClaims.get_test_real_user(user.keycloak_guid)
member = TestAnonymousMembership.generate_random_user(MEMBER)
admin = TestAnonymousMembership.generate_random_user(ADMIN)
membership = [member, admin]
UserService.create_user_and_add_membership(membership,
org.id,
token_info=owner_claims)
owner_headers = factory_auth_header(jwt=jwt, claims=owner_claims)
member_username = IdpHint.BCROS.value + '/' + member['username']
admin_username = IdpHint.BCROS.value + '/' + admin['username']
admin_claims = TestJwtClaims.get_test_real_user(
uuid.uuid4(), admin_username, access_ype=AccessType.ANONYMOUS.value)
admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims)
member_claims = TestJwtClaims.get_test_real_user(
uuid.uuid4(), member_username, access_ype=AccessType.ANONYMOUS.value)
member_headers = factory_auth_header(jwt=jwt, claims=member_claims)
# set up JWTS for member and admin
client.post('/api/v1/users',
headers=admin_headers,
content_type='application/json')
client.post('/api/v1/users',
headers=member_headers,
content_type='application/json')
# delete only owner ;failure
rv = client.delete(f"/api/v1/users/{admin_user['username']}",
headers=owner_headers,
content_type='application/json')
assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED
# admin trying to delete member: Failure
rv = client.delete(f'/api/v1/users/{member_username}',
headers=admin_headers,
content_type='application/json')
assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED
# member delete admin: failure
rv = client.delete(f'/api/v1/users/{admin_username}',
headers=member_headers,
content_type='application/json')
assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED
# a self delete ;should work ;mimics leave team for anonymous user
rv = client.delete(f'/api/v1/users/{member_username}',
headers=member_headers,
content_type='application/json')
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
rv = client.delete(f'/api/v1/users/{admin_username}',
headers=admin_headers,
content_type='application/json')
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
# add one more admin
new_owner = TestAnonymousMembership.generate_random_user(OWNER)
membership = [new_owner]
UserService.create_user_and_add_membership(membership,
org.id,
token_info=owner_claims)
rv = client.delete(
f"/api/v1/users/{IdpHint.BCROS.value + '/' + new_owner['username']}",
headers=owner_headers,
content_type='application/json')
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
def test_check_auth(session, monkeypatch): # pylint:disable=unused-argument
"""Assert that check_auth is working as expected."""
user = factory_user_model()
org = factory_org_model()
factory_membership_model(user.id, org.id)
factory_product_model(org.id, product_code=ProductCode.BUSINESS.value)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
# Test if staff admin can access to STAFF only method
patch_token_info(
{
'realm_access': {
'roles': ['staff', 'create_accounts']
},
'sub': str(user.keycloak_guid)
}, monkeypatch)
check_auth(one_of_roles=[STAFF])
# Test for staff admin role to only STAFF
patch_token_info(
{
'realm_access': {
'roles': ['staff', 'create_accounts']
},
'sub': str(user.keycloak_guid)
}, monkeypatch)
check_auth(equals_role=STAFF)
# Test for staff role
patch_token_info(
{
'realm_access': {
'roles': ['staff']
},
'sub': str(user.keycloak_guid),
'product_code': ProductCode.BUSINESS.value
}, monkeypatch)
check_auth(one_of_roles=[STAFF])
# Test for owner role
patch_token_info(
{
'realm_access': {
'roles': ['public']
},
'sub': str(user.keycloak_guid),
'product_code': ProductCode.BUSINESS.value
}, monkeypatch)
check_auth(one_of_roles=[ADMIN],
business_identifier=entity.business_identifier)
# Test for owner role with org id
patch_token_info(
{
'realm_access': {
'roles': ['public']
},
'sub': str(user.keycloak_guid),
'product_code': ProductCode.BUSINESS.value
}, monkeypatch)
check_auth(one_of_roles=[ADMIN], org_id=org.id)
# Test for exception, check for auth if resource is available for STAFF users
with pytest.raises(HTTPException) as excinfo:
patch_token_info(
{
'realm_access': {
'roles': ['public']
},
'sub': str(user.keycloak_guid)
}, monkeypatch)
check_auth(one_of_roles=[STAFF],
business_identifier=entity.business_identifier)
assert excinfo.exception.code == 403
# Test auth where STAFF role is in disabled role list
with pytest.raises(HTTPException) as excinfo:
patch_token_info(
{
'realm_access': {
'roles': ['staff']
},
'sub': str(user.keycloak_guid)
}, monkeypatch)
check_auth(disabled_roles=[STAFF],
business_identifier=entity.business_identifier)
assert excinfo.exception.code == 403
# Test auth where STAFF role is exact match
with pytest.raises(HTTPException) as excinfo:
patch_token_info(
{
'realm_access': {
'roles': ['public']
},
'sub': str(user.keycloak_guid)
}, monkeypatch)
check_auth(equals_role=USER,
business_identifier=entity.business_identifier)
assert excinfo.exception.code == 403
# Test auth where STAFF role is exact match
with pytest.raises(HTTPException) as excinfo:
patch_token_info(
{
'realm_access': {
'roles': ['public']
},
'sub': str(user.keycloak_guid)
}, monkeypatch)
check_auth(equals_role=USER, org_id=org.id)
assert excinfo.exception.code == 403
# Test auth where STAFF role is exact match
with pytest.raises(HTTPException) as excinfo:
patch_token_info(
{
'realm_access': {
'roles': ['staff', 'create_accounts']
},
'sub': str(user.keycloak_guid)
}, monkeypatch)
check_auth(equals_role=USER, org_id=org.id)
assert excinfo.exception.code == 403
def test_create_user_add_membership_reenable(session, auth_mock,
keycloak_mock): # pylint:disable=unused-argument
"""Assert that an admin can add a member."""
org = factory_org_model(org_info=TestOrgInfo.org_anonymous)
user = factory_user_model()
factory_membership_model(user.id, org.id)
claims = TestJwtClaims.get_test_real_user(user.keycloak_guid)
anon_member = TestAnonymousMembership.generate_random_user(MEMBER)
membership = [anon_member]
users = UserService.create_user_and_add_membership(membership,
org.id,
token_info=claims)
user_name = IdpHint.BCROS.value + '/' + membership[0]['username']
assert len(users['users']) == 1
assert users['users'][0]['username'] == user_name
assert users['users'][0]['type'] == 'ANONYMOUS'
members = MembershipModel.find_members_by_org_id(org.id)
# staff didnt create members..so count is count of owner+other 1 member
assert len(members) == 2
# assert cant be readded
users = UserService.create_user_and_add_membership(membership,
org.id,
token_info=claims)
assert users['users'][0]['http_status'] == 409
assert users['users'][0]['error'] == 'The username is already taken'
# deactivate everything and try again
anon_user = UserModel.find_by_username(user_name)
anon_user.status = Status.INACTIVE.value
anon_user.save()
membership_model = MembershipModel.find_membership_by_userid(anon_user.id)
membership_model.status = Status.INACTIVE.value
update_user_request = KeycloakUser()
update_user_request.user_name = membership[0]['username']
update_user_request.enabled = False
KeycloakService.update_user(update_user_request)
org2 = factory_org_model(org_info=TestOrgInfo.org_anonymous_2,
org_type_info={'code': 'BASIC'},
org_status_info=None,
payment_type_info=None)
factory_membership_model(user.id, org2.id)
users = UserService.create_user_and_add_membership(membership,
org2.id,
token_info=claims)
assert users['users'][0]['http_status'] == 409
assert users['users'][0]['error'] == 'The username is already taken'
# add to same org.Should work
users = UserService.create_user_and_add_membership(membership,
org.id,
token_info=claims)
assert len(users['users']) == 1
assert users['users'][0][
'username'] == IdpHint.BCROS.value + '/' + membership[0]['username']
assert users['users'][0]['type'] == 'ANONYMOUS'
def test_remove_member_removes_group_to_the_user(session, monkeypatch): # pylint:disable=unused-argument
"""Assert that accepting an invite adds group to the user."""
# Create a user in keycloak
keycloak_service = KeycloakService()
request = KeycloakScenario.create_user_request()
keycloak_service.add_user(request, return_if_exists=True)
kc_user = keycloak_service.get_user_by_username(request.user_name)
user = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id))
# Patch token info
def token_info(): # pylint: disable=unused-argument; mocks of library methods
return {
'sub': str(kc_user.id),
'username': '******',
'realm_access': {
'roles': [
'edit'
]
},
'product_code': ProductCode.BUSINESS.value
}
monkeypatch.setattr('auth_api.utils.user_context._get_token_info', token_info)
org = OrgService.create_org(TestOrgInfo.org1, user_id=user.id)
# Create another user
request = KeycloakScenario.create_user_request()
keycloak_service.add_user(request, return_if_exists=True)
kc_user2 = keycloak_service.get_user_by_username(request.user_name)
user2 = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user2.id))
# Add a membership to the user for the org created
factory_membership_model(user2.id, org.as_dict().get('id'), member_type='COORDINATOR', member_status=4)
# Add a product to org
factory_product_model(org.as_dict().get('id'), product_code=ProductCode.BUSINESS.value)
# Find the membership and update to ACTIVE
membership = MembershipService.get_membership_for_org_and_user(org.as_dict().get('id'), user2.id)
active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.ACTIVE.name)
updated_fields = {'membership_status': active_membership_status}
with patch.object(ActivityLogPublisher, 'publish_activity', return_value=None) as mock_alp:
MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info())
mock_alp.assert_called_with(Activity(action=ActivityAction.APPROVE_TEAM_MEMBER.value,
org_id=ANY, name=ANY, id=ANY,
value=ANY))
user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
# Deactivate Membership
with patch.object(ActivityLogPublisher, 'publish_activity', return_value=None) as mock_alp:
MembershipService(membership).deactivate_membership(token_info=token_info())
mock_alp.assert_called_with(Activity(action=ActivityAction.REMOVE_TEAM_MEMBER.value,
org_id=ANY, name=ANY, id=ANY,
value=ANY))
# ACTIVE
active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.ACTIVE.name)
updated_fields = {'membership_status': active_membership_status}
MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info())
# Find the membership and update to INACTIVE
active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.INACTIVE.name)
updated_fields = {'membership_status': active_membership_status}
with patch.object(ActivityLogPublisher, 'publish_activity', return_value=None) as mock_alp:
MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info())
mock_alp.assert_called_with(Activity(action=ActivityAction.REMOVE_TEAM_MEMBER.value,
org_id=ANY, name=ANY, id=ANY,
value=ANY))
user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS not in groups
MembershipService(membership).deactivate_membership()
def test_delete_otp_for_user(client, jwt, session): # pylint:disable=unused-argument
"""Assert that a user can be POSTed."""
# ADMIN
admin_user = factory_user_model(user_info=TestUserInfo.user1)
org = factory_org_model(org_info=TestOrgInfo.org_regular_bceid)
factory_membership_model(admin_user.id, org.id)
admin_claims = TestJwtClaims.get_test_real_user(admin_user.keycloak_guid)
admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims)
# COORDINATOR
coordinator_user = factory_user_model(user_info=TestUserInfo.user2)
factory_membership_model(coordinator_user.id,
org.id,
member_type=COORDINATOR)
coordinator_claims = TestJwtClaims.get_test_real_user(
coordinator_user.keycloak_guid)
coordinator_headers = factory_auth_header(jwt=jwt,
claims=coordinator_claims)
# just a member
member_user = factory_user_model(user_info=TestUserInfo.user3)
factory_membership_model(member_user.id, org.id, member_type=USER)
user_claims = TestJwtClaims.get_test_real_user(member_user.keycloak_guid)
user_headers = factory_auth_header(jwt=jwt, claims=user_claims)
request = KeycloakScenario.create_user_by_user_info(
user_info=TestJwtClaims.tester_bceid_role)
KEYCLOAK_SERVICE.add_user(request, return_if_exists=True)
user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
assert 'CONFIGURE_TOTP' not in json.loads(user.value()).get(
'requiredActions', None)
user_id = user.id
# Create user, org and membserhip in DB
user = factory_user_model(
TestUserInfo.get_bceid_user_with_kc_guid(user_id))
factory_membership_model(user.id, org.id)
# staff with manage accounts otp reset
headers = factory_auth_header(
jwt=jwt, claims=TestJwtClaims.staff_manage_accounts_role)
rv = client.delete(f'api/v1/users/{user.username}/otp', headers=headers)
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
user1 = KEYCLOAK_SERVICE.get_user_by_username(request.user_name)
assert 'CONFIGURE_TOTP' in json.loads(user1.value()).get('requiredActions')
# staff with basic access cant do otp reset
headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.staff_role)
rv = client.delete(f'api/v1/users/{user.username}/otp', headers=headers)
assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED
# admin can do otp reset
rv = client.delete(f'api/v1/users/{user.username}/otp',
headers=admin_headers)
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
# coordinator can do otp reset
rv = client.delete(f'api/v1/users/{user.username}/otp',
headers=coordinator_headers)
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
# user can not do otp reset
rv = client.delete(f'api/v1/users/{user.username}/otp',
headers=user_headers)
assert rv.status_code == http_status.HTTP_403_FORBIDDEN
# another org admin cant do
admin_user1 = factory_user_model(user_info=TestUserInfo.user_test)
org1 = factory_org_model(org_info=TestOrgInfo.org2,
org_type_info=TestOrgTypeInfo.implicit,
org_status_info=None,
payment_type_info=None)
factory_membership_model(admin_user1.id, org1.id)
admin_claims = TestJwtClaims.get_test_real_user(admin_user1.keycloak_guid)
admin1_headers = factory_auth_header(jwt=jwt, claims=admin_claims)
rv = client.delete(f'api/v1/users/{user.username}/otp',
headers=admin1_headers)
assert rv.status_code == http_status.HTTP_403_FORBIDDEN
def test_check_auth(session): # pylint:disable=unused-argument
"""Assert that check_auth is working as expected."""
user = factory_user_model()
org = factory_org_model()
factory_membership_model(user.id, org.id)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
# Test if staff admin can access to STAFF only method
check_auth(
{
'realm_access': {
'roles': ['staff_admin']
},
'sub': str(user.keycloak_guid)
},
one_of_roles=[STAFF])
# Test for staff admin can access to STAFF_ADMIN method
check_auth(
{
'realm_access': {
'roles': ['staff_admin']
},
'sub': str(user.keycloak_guid)
},
one_of_roles=[STAFF_ADMIN])
# Test for staff admin role can access to STAFF_ADMIN and STAFF method
check_auth(
{
'realm_access': {
'roles': ['staff_admin']
},
'sub': str(user.keycloak_guid)
},
one_of_roles=[STAFF_ADMIN, STAFF])
# Test for staff admin role can access to only STAFF_ADMIN
check_auth(
{
'realm_access': {
'roles': ['staff_admin']
},
'sub': str(user.keycloak_guid)
},
equals_role=STAFF_ADMIN)
# Test for staff admin role to only STAFF
check_auth(
{
'realm_access': {
'roles': ['staff_admin']
},
'sub': str(user.keycloak_guid)
},
equals_role=STAFF)
# Test for staff role
check_auth(
{
'realm_access': {
'roles': ['staff']
},
'sub': str(user.keycloak_guid)
},
one_of_roles=[STAFF])
# Test for owner role
check_auth(
{
'realm_access': {
'roles': ['public']
},
'sub': str(user.keycloak_guid)
},
one_of_roles=[OWNER],
business_identifier=entity.business_identifier)
# Test for owner role with org id
check_auth(
{
'realm_access': {
'roles': ['public']
},
'sub': str(user.keycloak_guid)
},
one_of_roles=[OWNER],
org_id=org.id)
# Test for exception, check for auth if resource is available for STAFF users
with pytest.raises(HTTPException) as excinfo:
check_auth(
{
'realm_access': {
'roles': ['public']
},
'sub': str(user.keycloak_guid)
},
one_of_roles=[STAFF],
business_identifier=entity.business_identifier)
assert excinfo.exception.code == 403
# Test auth where STAFF role is in disabled role list
with pytest.raises(HTTPException) as excinfo:
check_auth(
{
'realm_access': {
'roles': ['staff']
},
'sub': str(user.keycloak_guid)
},
disabled_roles=[STAFF],
business_identifier=entity.business_identifier)
assert excinfo.exception.code == 403
# Test auth where STAFF role is exact match
with pytest.raises(HTTPException) as excinfo:
check_auth(
{
'realm_access': {
'roles': ['public']
},
'sub': str(user.keycloak_guid)
},
equals_role=MEMBER,
business_identifier=entity.business_identifier)
assert excinfo.exception.code == 403
# Test auth where STAFF role is exact match
with pytest.raises(HTTPException) as excinfo:
check_auth(
{
'realm_access': {
'roles': ['public']
},
'sub': str(user.keycloak_guid)
},
equals_role=MEMBER,
org_id=org.id)
assert excinfo.exception.code == 403
# Test auth where STAFF role is exact match
with pytest.raises(HTTPException) as excinfo:
check_auth(
{
'realm_access': {
'roles': ['staff_admin']
},
'sub': str(user.keycloak_guid)
},
equals_role=MEMBER,
org_id=org.id)
assert excinfo.exception.code == 403
def test_remove_member_removes_group_to_the_user(session, monkeypatch): # pylint:disable=unused-argument
"""Assert that accepting an invite adds group to the user."""
# Create a user in keycloak
keycloak_service = KeycloakService()
request = KeycloakScenario.create_user_request()
keycloak_service.add_user(request, return_if_exists=True)
kc_user = keycloak_service.get_user_by_username(request.user_name)
user = factory_user_model(
TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id))
# Patch token info
def token_info(): # pylint: disable=unused-argument; mocks of library methods
return {
'sub': str(kc_user.id),
'username': '******',
'realm_access': {
'roles': []
}
}
monkeypatch.setattr(
'auth_api.services.keycloak.KeycloakService._get_token_info',
token_info)
org = OrgService.create_org(TestOrgInfo.org1, user_id=user.id)
# Create another user
request = KeycloakScenario.create_user_request()
keycloak_service.add_user(request, return_if_exists=True)
kc_user2 = keycloak_service.get_user_by_username(request.user_name)
user2 = factory_user_model(
TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user2.id))
# Add a membership to the user for the org created
factory_membership_model(user2.id,
org.as_dict().get('id'),
member_type='ADMIN',
member_status=4)
# Find the membership and update to ACTIVE
membership = MembershipService.get_membership_for_org_and_user(
org.as_dict().get('id'), user2.id)
active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(
Status.ACTIVE.name)
updated_fields = {'membership_status': active_membership_status}
MembershipService(membership).update_membership(
updated_fields=updated_fields, token_info=token_info())
user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS in groups
# Find the membership and update to INACTIVE
active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(
Status.INACTIVE.name)
updated_fields = {'membership_status': active_membership_status}
MembershipService(membership).update_membership(
updated_fields=updated_fields, token_info=token_info())
user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id)
groups = []
for group in user_groups:
groups.append(group.get('name'))
assert GROUP_ACCOUNT_HOLDERS not in groups
def test_reset_password(client, jwt, session, keycloak_mock): # pylint:disable=unused-argument
"""Assert that an anonymous admin can be Patched."""
org = factory_org_model(org_info=TestOrgInfo.org_anonymous)
user = factory_user_model(user_info=TestUserInfo.user_bcros_active)
factory_membership_model(user.id, org.id)
factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value)
owner_claims = TestJwtClaims.get_test_real_user(user.keycloak_guid)
member = TestAnonymousMembership.generate_random_user(USER)
admin = TestAnonymousMembership.generate_random_user(COORDINATOR)
membership = [member, admin]
UserService.create_user_and_add_membership(membership,
org.id,
token_info=owner_claims)
owner_headers = factory_auth_header(jwt=jwt, claims=owner_claims)
member_username = IdpHint.BCROS.value + '/' + member['username']
admin_username = IdpHint.BCROS.value + '/' + admin['username']
admin_claims = TestJwtClaims.get_test_real_user(
uuid.uuid4(),
admin_username,
access_ype=AccessType.ANONYMOUS.value,
roles=[Role.ANONYMOUS_USER.value])
admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims)
member_claims = TestJwtClaims.get_test_real_user(
uuid.uuid4(),
member_username,
access_ype=AccessType.ANONYMOUS.value,
roles=[Role.ANONYMOUS_USER.value])
member_headers = factory_auth_header(jwt=jwt, claims=member_claims)
# set up JWTS for member and admin
client.post('/api/v1/users',
headers=admin_headers,
content_type='application/json')
client.post('/api/v1/users',
headers=member_headers,
content_type='application/json')
# reset password of admin by owner
input_data = json.dumps({
'username': admin_username,
'password': '******'
})
rv = client.patch(f'/api/v1/users/{admin_username}',
headers=owner_headers,
data=input_data,
content_type='application/json')
assert rv.status_code == http_status.HTTP_204_NO_CONTENT
# member cant reset password
rv = client.patch(f'/api/v1/users/{admin_username}',
headers=member_headers,
data=input_data,
content_type='application/json')
assert rv.status_code == http_status.HTTP_403_FORBIDDEN
# admin cant reset password
rv = client.patch(f'/api/v1/users/{admin_username}',
headers=admin_headers,
data=input_data,
content_type='application/json')
assert rv.status_code == http_status.HTTP_403_FORBIDDEN
def test_get_user_authorizations_for_entity(session): # pylint:disable=unused-argument
"""Assert that user authorizations for entity is working."""
user = factory_user_model()
org = factory_org_model()
membership = factory_membership_model(user.id, org.id)
entity = factory_entity_model()
factory_affiliation_model(entity.id, org.id)
authorization = Authorization.get_user_authorizations_for_entity(
{
'sub': str(user.keycloak_guid),
'realm_access': {
'roles': ['basic']
}
}, entity.business_identifier)
assert authorization is not None
assert authorization.get('orgMembership',
None) == membership.membership_type_code
# Test with invalid user
authorization = Authorization.get_user_authorizations_for_entity(
{
'sub': str(uuid.uuid4()),
'realm_access': {
'roles': ['basic']
}
}, entity.business_identifier)
assert authorization is not None
assert authorization.get('orgMembership', None) is None
# Test for passcode users
authorization = Authorization.get_user_authorizations_for_entity(
{
'loginSource': 'PASSCODE',
'username': entity.business_identifier,
'realm_access': {
'roles': ['basic']
}
}, entity.business_identifier)
assert authorization is not None
assert authorization.get('orgMembership', None) == 'OWNER'
# Test for passcode users with invalid username
authorization = Authorization.get_user_authorizations_for_entity(
{
'loginSource': 'PASSCODE',
'username': '******',
'realm_access': {
'roles': ['basic']
}
}, entity.business_identifier)
assert authorization is not None
assert authorization.get('orgMembership', None) is None
# Test for staff users
authorization = Authorization.get_user_authorizations_for_entity(
{
'loginSource': '',
'realm_access': {
'roles': ['staff']
}
}, entity.business_identifier)
assert authorization is not None
assert authorization.get('orgMembership', None) is None
