def test_update_role(api, role_batch, scopes, collection_auth): authorized = ODPScope.ROLE_ADMIN in scopes and \ collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH) if collection_auth == CollectionAuth.MATCH: api_client_collection = role_batch[2].collection elif collection_auth == CollectionAuth.MISMATCH: api_client_collection = role_batch[1].collection else: api_client_collection = None if collection_auth in (CollectionAuth.MATCH, CollectionAuth.MISMATCH): modified_role_collection = role_batch[2].collection else: modified_role_collection = None modified_role_batch = role_batch.copy() modified_role_batch[2] = (role := role_build( id=role_batch[2].id, collection=modified_role_collection, )) r = api(scopes, api_client_collection).put('/role/', json=dict( id=role.id, scope_ids=scope_ids(role), collection_id=role.collection_id, )) if authorized: assert_empty_result(r) assert_db_state(modified_role_batch) else: assert_forbidden(r) assert_db_state(role_batch)
def test_delete_collection(api, collection_batch, scopes, collection_auth): authorized = ODPScope.COLLECTION_ADMIN in scopes and \ collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH) if collection_auth == CollectionAuth.MATCH: api_client_collection = collection_batch[2] elif collection_auth == CollectionAuth.MISMATCH: api_client_collection = collection_batch[1] else: api_client_collection = None modified_collection_batch = collection_batch.copy() del modified_collection_batch[2] r = api(scopes, api_client_collection).delete( f'/collection/{(collection_id := collection_batch[2].id)}') if authorized: assert_empty_result(r) assert_db_state(modified_collection_batch) assert_audit_log('delete', collection_id=collection_id) else: assert_forbidden(r) assert_db_state(collection_batch) assert_no_audit_log()
def test_create_collection(api, collection_batch, scopes, collection_auth): # note that collection-specific auth will never allow creating a new collection authorized = ODPScope.COLLECTION_ADMIN in scopes and \ collection_auth == CollectionAuth.NONE if collection_auth == CollectionAuth.NONE: api_client_collection = None else: api_client_collection = collection_batch[2] modified_collection_batch = collection_batch + [ collection := collection_build() ] r = api(scopes, api_client_collection).post('/collection/', json=dict( id=collection.id, name=collection.name, doi_key=collection.doi_key, provider_id=collection.provider_id, )) if authorized: assert_empty_result(r) assert_db_state(modified_collection_batch) assert_audit_log('insert', collection) else: assert_forbidden(r) assert_db_state(collection_batch) assert_no_audit_log()
def test_untag_record(api, record_batch_no_tags, admin_route, scopes, collection_auth, tag_cardinality, same_user): route = '/record/admin/' if admin_route else '/record/' authorized = admin_route and ODPScope.RECORD_ADMIN in scopes or \ not admin_route and ODPScope.RECORD_QC in scopes authorized = authorized and collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH) if collection_auth == CollectionAuth.MATCH: api_client_collection = record_batch_no_tags[2].collection elif collection_auth == CollectionAuth.MISMATCH: api_client_collection = record_batch_no_tags[1].collection else: api_client_collection = None client = api(scopes, api_client_collection) record = record_batch_no_tags[2] record_tags = RecordTagFactory.create_batch(randint(1, 3), record=record) tag = new_generic_tag(tag_cardinality) if same_user: record_tag_1 = RecordTagFactory( record=record, tag=tag, user=None, ) else: record_tag_1 = RecordTagFactory( record=record, tag=tag, ) record_tag_1_dict = { 'tag_id': record_tag_1.tag_id, 'user_id': record_tag_1.user_id, 'data': record_tag_1.data, } r = client.delete(f'{route}{record.id}/tag/{record_tag_1.id}') if authorized: if not admin_route and not same_user: assert_forbidden(r) assert_db_tag_state(record.id, *record_tags, record_tag_1) assert_tag_audit_log() else: assert_empty_result(r) assert_db_tag_state(record.id, *record_tags) assert_tag_audit_log( dict(command='delete', record_id=record.id, record_tag=record_tag_1_dict), ) else: assert_forbidden(r) assert_db_tag_state(record.id, *record_tags, record_tag_1) assert_tag_audit_log() assert_db_state(record_batch_no_tags) assert_no_audit_log()
def test_delete_user(api, user_batch, scopes): authorized = ODPScope.USER_ADMIN in scopes modified_user_batch = user_batch.copy() del modified_user_batch[2] r = api(scopes).delete(f'/user/{user_batch[2].id}') if authorized: assert_empty_result(r) assert_db_state(modified_user_batch) else: assert_forbidden(r) assert_db_state(user_batch)
def test_delete_provider(api, provider_batch, scopes): authorized = ODPScope.PROVIDER_ADMIN in scopes modified_provider_batch = provider_batch.copy() del modified_provider_batch[2] r = api(scopes).delete(f'/provider/{provider_batch[2].id}') if authorized: assert_empty_result(r) assert_db_state(modified_provider_batch) else: assert_forbidden(r) assert_db_state(provider_batch)
def test_delete_record(api, record_batch_with_ids, admin_route, scopes, collection_tags, collection_auth, published_doi): route = '/record/admin/' if admin_route else '/record/' authorized = admin_route and ODPScope.RECORD_ADMIN in scopes or \ not admin_route and ODPScope.RECORD_WRITE in scopes authorized = authorized and collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH) if collection_auth == CollectionAuth.MATCH: api_client_collection = record_batch_with_ids[2].collection elif collection_auth == CollectionAuth.MISMATCH: api_client_collection = record_batch_with_ids[1].collection else: api_client_collection = None for ct in collection_tags: CollectionTagFactory( collection=record_batch_with_ids[2].collection, tag=TagFactory(id=ct, type='collection'), ) if published_doi: PublishedDOI(doi=record_batch_with_ids[2].doi).save() modified_record_batch = record_batch_with_ids.copy() del modified_record_batch[2] r = api(scopes, api_client_collection).delete( f'{route}{(record_id := record_batch_with_ids[2].id)}') if authorized: if not admin_route and set(collection_tags) & { ODPCollectionTag.FROZEN, ODPCollectionTag.READY }: assert_unprocessable( r, 'Cannot delete a record belonging to a ready or frozen collection' ) assert_db_state(record_batch_with_ids) assert_no_audit_log() elif published_doi: assert_unprocessable( r, 'The DOI has been published and cannot be deleted.') assert_db_state(record_batch_with_ids) assert_no_audit_log() else: assert_empty_result(r) assert_db_state(modified_record_batch) assert_audit_log('delete', record_id=record_id) else: assert_forbidden(r) assert_db_state(record_batch_with_ids) assert_no_audit_log()
def test_create_provider(api, provider_batch, scopes): authorized = ODPScope.PROVIDER_ADMIN in scopes modified_provider_batch = provider_batch + [provider := provider_build()] r = api(scopes).post('/provider/', json=dict( id=provider.id, name=provider.name, )) if authorized: assert_empty_result(r) assert_db_state(modified_provider_batch) else: assert_forbidden(r) assert_db_state(provider_batch)
def test_create_project(api, project_batch, scopes): authorized = ODPScope.PROJECT_ADMIN in scopes modified_project_batch = project_batch + [project := project_build()] r = api(scopes).post('/project/', json=dict( id=project.id, name=project.name, collection_ids=collection_ids(project), )) if authorized: assert_empty_result(r) assert_db_state(modified_project_batch) else: assert_forbidden(r) assert_db_state(project_batch)
def test_update_client(api, client_batch, scopes, collection_auth): authorized = ODPScope.CLIENT_ADMIN in scopes and \ collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH) if collection_auth == CollectionAuth.MATCH: api_client_collection = client_batch[2].collection elif collection_auth == CollectionAuth.MISMATCH: api_client_collection = client_batch[1].collection else: api_client_collection = None if collection_auth in (CollectionAuth.MATCH, CollectionAuth.MISMATCH): modified_client_collection = client_batch[2].collection else: modified_client_collection = None modified_client_batch = client_batch.copy() modified_client_batch[2] = (client := client_build( id=client_batch[2].id, collection=modified_client_collection, )) r = api(scopes, api_client_collection).put( '/client/', json=dict( id=client.id, name=fake.catch_phrase(), secret=fake.password(), scope_ids=scope_ids(client), collection_id=client.collection_id, grant_types=[], response_types=[], redirect_uris=[], post_logout_redirect_uris=[], token_endpoint_auth_method=TokenEndpointAuthMethod. CLIENT_SECRET_BASIC, allowed_cors_origins=[], )) if authorized: assert_empty_result(r) assert_db_state(modified_client_batch) else: assert_forbidden(r) assert_db_state(client_batch)
def test_update_provider(api, provider_batch, scopes): authorized = ODPScope.PROVIDER_ADMIN in scopes modified_provider_batch = provider_batch.copy() modified_provider_batch[2] = (provider := provider_build( id=provider_batch[2].id, collections=provider_batch[2].collections, )) r = api(scopes).put('/provider/', json=dict( id=provider.id, name=provider.name, )) if authorized: assert_empty_result(r) assert_db_state(modified_provider_batch) else: assert_forbidden(r) assert_db_state(provider_batch)
def test_update_user(api, user_batch, scopes): authorized = ODPScope.USER_ADMIN in scopes modified_user_batch = user_batch.copy() modified_user_batch[2] = (user := UserFactory.build( id=user_batch[2].id, name=user_batch[2].name, email=user_batch[2].email, verified=user_batch[2].verified, roles=RoleFactory.create_batch(randint(0, 3)), )) r = api(scopes).put('/user/', json=dict( id=user.id, active=user.active, role_ids=role_ids(user), )) if authorized: assert_empty_result(r) assert_db_state(modified_user_batch) else: assert_forbidden(r) assert_db_state(user_batch)
def test_delete_role(api, role_batch, scopes, collection_auth): authorized = ODPScope.ROLE_ADMIN in scopes and \ collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH) if collection_auth == CollectionAuth.MATCH: api_client_collection = role_batch[2].collection elif collection_auth == CollectionAuth.MISMATCH: api_client_collection = role_batch[1].collection else: api_client_collection = None modified_role_batch = role_batch.copy() del modified_role_batch[2] r = api(scopes, api_client_collection).delete(f'/role/{role_batch[2].id}') if authorized: assert_empty_result(r) assert_db_state(modified_role_batch) else: assert_forbidden(r) assert_db_state(role_batch)
def test_update_collection(api, collection_batch_no_projects, scopes, collection_auth): authorized = ODPScope.COLLECTION_ADMIN in scopes and \ collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH) if collection_auth == CollectionAuth.MATCH: api_client_collection = collection_batch_no_projects[2] elif collection_auth == CollectionAuth.MISMATCH: api_client_collection = collection_batch_no_projects[1] else: api_client_collection = None modified_collection_batch = collection_batch_no_projects.copy() modified_collection_batch[2] = (collection := collection_build( id=collection_batch_no_projects[2].id, clients=collection_batch_no_projects[2].clients, roles=collection_batch_no_projects[2].roles, )) r = api(scopes, api_client_collection).put('/collection/', json=dict( id=collection.id, name=collection.name, doi_key=collection.doi_key, provider_id=collection.provider_id, )) if authorized: assert_empty_result(r) assert_db_state(modified_collection_batch) assert_audit_log('update', collection) else: assert_forbidden(r) assert_db_state(collection_batch_no_projects) assert_no_audit_log()
def test_untag_collection(api, collection_batch, admin_route, scopes, collection_auth, tag_cardinality, same_user): route = '/collection/admin/' if admin_route else '/collection/' authorized = admin_route and ODPScope.COLLECTION_ADMIN in scopes or \ not admin_route and ODPScope.COLLECTION_READ in scopes authorized = authorized and collection_auth in (CollectionAuth.NONE, CollectionAuth.MATCH) if collection_auth == CollectionAuth.MATCH: api_client_collection = collection_batch[2] elif collection_auth == CollectionAuth.MISMATCH: api_client_collection = collection_batch[1] else: api_client_collection = None client = api(scopes, api_client_collection) collection = collection_batch[2] collection_tags = CollectionTagFactory.create_batch(randint(1, 3), collection=collection) tag = new_generic_tag(tag_cardinality) if same_user: collection_tag_1 = CollectionTagFactory( collection=collection, tag=tag, user=None, ) else: collection_tag_1 = CollectionTagFactory( collection=collection, tag=tag, ) collection_tag_1_dict = { 'tag_id': collection_tag_1.tag_id, 'user_id': collection_tag_1.user_id, 'data': collection_tag_1.data, } r = client.delete(f'{route}{collection.id}/tag/{collection_tag_1.id}') if authorized: if not admin_route and not same_user: assert_forbidden(r) assert_db_tag_state(collection.id, *collection_tags, collection_tag_1) assert_tag_audit_log() else: assert_empty_result(r) assert_db_tag_state(collection.id, *collection_tags) assert_tag_audit_log( dict(command='delete', collection_id=collection.id, collection_tag=collection_tag_1_dict), ) else: assert_forbidden(r) assert_db_tag_state(collection.id, *collection_tags, collection_tag_1) assert_tag_audit_log() assert_db_state(collection_batch) assert_no_audit_log()