def test_get_user_authorizations_for_entity(session, monkeypatch): # pylint:disable=unused-argument """Assert that user authorizations for entity is working.""" user = factory_user_model() org = factory_org_model() membership = factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) patch_token_info( { 'sub': str(user.keycloak_guid), 'realm_access': { 'roles': ['basic'] } }, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity( entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) == membership.membership_type_code # Test with invalid user patch_token_info( { 'sub': str(uuid.uuid4()), 'realm_access': { 'roles': ['basic'] } }, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity( entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) is None # Test for passcode users with invalid username patch_token_info( { 'loginSource': 'PASSCODE', 'username': '******', 'realm_access': { 'roles': ['basic'] } }, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity( entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) is None # Test for staff users patch_token_info({ 'loginSource': '', 'realm_access': { 'roles': ['staff'] } }, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity( entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) is None
def test_get_user_authorizations_for_entity_service_account(session, monkeypatch): """Assert that user authorizations for entity is working.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.BUSINESS.value) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test for service accounts with correct product code patch_token_info( {'loginSource': '', 'realm_access': {'roles': ['system']}, 'product_code': ProductCode.BUSINESS.value}, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity(entity.business_identifier) assert bool(authorization) is True assert authorization.get('orgMembership', None) == 'ADMIN' # Test for service accounts with wrong product code patch_token_info({'loginSource': '', 'realm_access': {'roles': ['system']}, 'product_code': 'INVALIDCP'}, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity(entity.business_identifier) assert bool(authorization) is False assert authorization.get('orgMembership', None) is None # Test for service accounts with no product code patch_token_info({'loginSource': '', 'realm_access': {'roles': ['system']}}, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity(entity.business_identifier) assert bool(authorization) is False assert authorization.get('orgMembership', None) is None
def test_authorizations_for_expanded_result(client, jwt, session): # pylint:disable=unused-argument """Assert authorizations for affiliated users returns 200.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) claims = copy.deepcopy(TestJwtClaims.edit_user_role.value) claims['sub'] = str(user.keycloak_guid) headers = factory_auth_header(jwt=jwt, claims=claims) rv = client.get( f'/api/v1/entities/{entity.business_identifier}/authorizations', headers=headers, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK assert schema_utils.validate(rv.json, 'account_response')[0] assert rv.json.get('orgMembership') == 'ADMIN' assert rv.json.get('account', None) is None rv = client.get( f'/api/v1/entities/{entity.business_identifier}/authorizations?expanded=true', headers=headers, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK assert schema_utils.validate(rv.json, 'account_response')[0] assert rv.json.get('account') is not None assert rv.json.get('account').get('name') == org.name assert rv.json.get('business').get('name') == entity.name assert rv.json.get('business').get('folioNumber') == entity.folio_number
def test_check_auth_for_service_account_invalid(session): # pylint:disable=unused-argument """Assert that check_auth is working as expected and throws exception.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test for invalid CP with pytest.raises(HTTPException) as excinfo: check_auth( { 'realm_access': { 'roles': ['system'] }, 'corp_type': 'IVALIDCP' }, org_id=org.id) assert excinfo.exception.code == 403 # Test for invalid CP with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['system']}}, org_id=org.id) assert excinfo.exception.code == 403 # Test for invalid CP with no args with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['system']}}) assert excinfo.exception.code == 403
def test_user_authorizations_returns_200(client, jwt, session): # pylint:disable=unused-argument """Assert authorizations for users returns 200.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) claims = copy.deepcopy(TestJwtClaims.edit_role.value) claims['sub'] = str(user.keycloak_guid) headers = factory_auth_header(jwt=jwt, claims=claims) rv = client.get('/api/v1/users/authorizations', headers=headers, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK assert rv.json.get('authorizations')[0].get('orgMembership') == 'OWNER' # Test with invalid user claims['sub'] = str(uuid.uuid4()) headers = factory_auth_header(jwt=jwt, claims=claims) rv = client.get('/api/v1/users/authorizations', headers=headers, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK assert len(rv.json.get('authorizations')) == 0
def test_check_auth_for_service_account_invalid(session): # pylint:disable=unused-argument """Assert that check_auth is working as expected and throws exception.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id)
def test_check_auth(session): # pylint:disable=unused-argument """Assert that check_auth is working as expected.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.BUSINESS.value) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test if staff admin can access to STAFF only method check_auth({'realm_access': {'roles': ['staff', 'create_accounts']}, 'sub': str(user.keycloak_guid)}, one_of_roles=[STAFF]) # Test for staff admin role to only STAFF check_auth({'realm_access': {'roles': ['staff', 'create_accounts']}, 'sub': str(user.keycloak_guid)}, equals_role=STAFF) # Test for staff role check_auth({'realm_access': {'roles': ['staff']}, 'sub': str(user.keycloak_guid), 'product_code': ProductCode.BUSINESS.value}, one_of_roles=[STAFF]) # Test for owner role check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid), 'product_code': ProductCode.BUSINESS.value}, one_of_roles=[ADMIN], business_identifier=entity.business_identifier) # Test for owner role with org id check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid), 'product_code': ProductCode.BUSINESS.value}, one_of_roles=[ADMIN], org_id=org.id) # Test for exception, check for auth if resource is available for STAFF users with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid)}, one_of_roles=[STAFF], business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is in disabled role list with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['staff']}, 'sub': str(user.keycloak_guid)}, disabled_roles=[STAFF], business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid)}, equals_role=USER, business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid)}, equals_role=USER, org_id=org.id) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['staff', 'create_accounts']}, 'sub': str(user.keycloak_guid)}, equals_role=USER, org_id=org.id) assert excinfo.exception.code == 403
def test_find_user_authorization_by_org_id_and_invalid_corp_type(session): # pylint:disable=unused-argument """Assert that authorization view is not returning result when invalid corp type is passed.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'invalid_corp_type') assert authorization is None
def test_check_auth_for_service_account_valid_with_org_id(session): # pylint:disable=unused-argument """Assert that check_auth is working as expected.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.BUSINESS.value) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test for service account with CP corp type check_auth({'realm_access': {'roles': ['system']}, 'product_code': ProductCode.BUSINESS.value}, org_id=org.id)
def test_find_all_user_authorizations(session): # pylint:disable=unused-argument """Test find all user authoirzations.""" user = factory_user_model() org = factory_org_model() membership = factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorizations = Authorization.find_all_authorizations_for_user(str(user.keycloak_guid)) assert authorizations is not None assert authorizations[0].org_membership == membership.membership_type_code assert authorizations[0].business_identifier == entity.business_identifier
def test_find_user_authorization_by_org_id(session): # pylint:disable=unused-argument """Assert that authorization view is returning result.""" user = factory_user_model() org = factory_org_model() membership = factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_org_id(str(user.keycloak_guid), org.id) assert authorization is not None assert authorization.org_membership == membership.membership_type_code
def test_find_user_authorization_by_business_number_product(session): # pylint:disable=unused-argument """Assert that authorization view is returning result.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_business_number_and_product( entity.business_identifier, ProductCode.DIR_SEARCH.value) assert authorization is not None assert authorization.product_code == ProductCode.DIR_SEARCH.value
def test_find_user_authorization_by_org_id_and_corp_type(session): # pylint:disable=unused-argument """Assert that authorization view returns result when fetched using Corp type instead of jwt. Service accounts passes corp type instead of jwt. """ user = factory_user_model() org = factory_org_model() membership = factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'CP') assert authorization is not None assert authorization.org_membership == membership.membership_type_code
def test_find_invalid_user_authorization_by_business_number(session): # pylint:disable=unused-argument """Test with invalid user id and assert that auth is None.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_business_number(str(uuid.uuid4()), entity.business_identifier) assert authorization is None # Test with invalid business identifier authorization = Authorization.find_user_authorization_by_business_number(str(uuid.uuid4()), '') assert authorization is None
def test_get_user_authorizations(session): # pylint:disable=unused-argument """Assert that listing all user authorizations is working.""" user = factory_user_model() org = factory_org_model() membership = factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.get_user_authorizations(str(user.keycloak_guid)) assert authorization is not None assert authorization['authorizations'][0].get('orgMembership', None) == membership.membership_type_code # Test with invalid user authorization = Authorization.get_user_authorizations(str(uuid.uuid4())) assert authorization is not None assert len(authorization['authorizations']) == 0
def test_check_auth_for_service_account_valid_with_business_id(session): # pylint:disable=unused-argument """Assert that check_auth is working as expected.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test for service account with CP corp type check_auth({ 'realm_access': { 'roles': ['system'] }, 'corp_type': 'CP' }, business_identifier=entity.business_identifier)
def test_find_user_authorization_by_org_id_and_corp_type_multiple_membership(session): # pylint:disable=unused-argument """Assert that authorization view returns result when fetched using Corp type instead of jwt. When multiple membership is present , return the one with Owner access. """ user1 = factory_user_model() user2 = factory_user_model(user_info=TestUserInfo.user2) org = factory_org_model() factory_membership_model(user1.id, org.id, member_type='ADMIN') membership_owner = factory_membership_model(user2.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'CP') assert authorization is not None assert authorization.org_membership == membership_owner.membership_type_code
def test_authorizations_for_affiliated_users_returns_200(client, jwt, session): # pylint:disable=unused-argument """Assert authorizations for affiliated users returns 200.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) claims = copy.deepcopy(TestJwtClaims.passcode.value) claims['sub'] = str(user.keycloak_guid) headers = factory_auth_header(jwt=jwt, claims=claims) rv = client.get(f'/api/v1/entities/{entity.business_identifier}/authorizations', headers=headers, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK assert rv.json.get('orgMembership') == 'OWNER'
def test_get_user_authorizations_for_entity_service_account(session): """Assert that user authorizations for entity is working.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test for service accounts with correct corp type authorization = Authorization.get_user_authorizations_for_entity( { 'loginSource': '', 'realm_access': { 'roles': ['system'] }, 'corp_type': 'CP' }, entity.business_identifier) assert bool(authorization) is True assert authorization.get('orgMembership', None) == 'OWNER' # Test for service accounts with wrong corp type authorization = Authorization.get_user_authorizations_for_entity( { 'loginSource': '', 'realm_access': { 'roles': ['system'] }, 'corp_type': 'INVALIDCP' }, entity.business_identifier) assert bool(authorization) is False assert authorization.get('orgMembership', None) is None # Test for service accounts with no corp type authorization = Authorization.get_user_authorizations_for_entity( { 'loginSource': '', 'realm_access': { 'roles': ['system'] } }, entity.business_identifier) assert bool(authorization) is False assert authorization.get('orgMembership', None) is None
def test_get_user_authorizations_for_entity_with_multiple_affiliations( session, # pylint:disable=unused-argument monkeypatch): """Assert that user authorizations for entity is working.""" user = factory_user_model() org = factory_org_model() membership = factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) patch_token_info( { 'sub': str(user.keycloak_guid), 'realm_access': { 'roles': ['basic'] } }, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity( entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) == membership.membership_type_code # Affiliate same entity to another org and user, and assert both authorizations works user_2 = factory_user_model(user_info=TestUserInfo.user2) org_2 = factory_org_model(org_info=TestOrgInfo.org2) membership = factory_membership_model(user_2.id, org_2.id) factory_affiliation_model(entity.id, org_2.id) patch_token_info( { 'sub': str(user_2.keycloak_guid), 'realm_access': { 'roles': ['basic'] } }, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity( entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) == membership.membership_type_code
def test_check_auth(session): # pylint:disable=unused-argument """Assert that check_auth is working as expected.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test for staff role check_auth( { 'realm_access': { 'roles': ['staff'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=STAFF) # Test for owner role check_auth( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=OWNER, business_identifier=entity.business_identifier) # Test for owner role with org id check_auth( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=OWNER, org_id=org.id) # Test for exception, check for auth if resource is available for STAFF users with pytest.raises(HTTPException) as excinfo: check_auth( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=[STAFF], business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is in disabled role list with pytest.raises(HTTPException) as excinfo: check_auth( { 'realm_access': { 'roles': ['staff'] }, 'sub': str(user.keycloak_guid) }, disabled_roles=[STAFF], business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, equals_role=MEMBER, business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, equals_role=MEMBER, org_id=org.id) assert excinfo.exception.code == 403