Exemplo n.º 1
0
def test_get_user_authorizations_for_entity(session, monkeypatch):  # pylint:disable=unused-argument
    """Assert that user authorizations for entity is working."""
    user = factory_user_model()
    org = factory_org_model()
    membership = factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)
    patch_token_info(
        {
            'sub': str(user.keycloak_guid),
            'realm_access': {
                'roles': ['basic']
            }
        }, monkeypatch)
    authorization = Authorization.get_user_authorizations_for_entity(
        entity.business_identifier)
    assert authorization is not None
    assert authorization.get('orgMembership',
                             None) == membership.membership_type_code

    # Test with invalid user
    patch_token_info(
        {
            'sub': str(uuid.uuid4()),
            'realm_access': {
                'roles': ['basic']
            }
        }, monkeypatch)
    authorization = Authorization.get_user_authorizations_for_entity(
        entity.business_identifier)
    assert authorization is not None
    assert authorization.get('orgMembership', None) is None

    # Test for passcode users with invalid username
    patch_token_info(
        {
            'loginSource': 'PASSCODE',
            'username': '******',
            'realm_access': {
                'roles': ['basic']
            }
        }, monkeypatch)
    authorization = Authorization.get_user_authorizations_for_entity(
        entity.business_identifier)

    assert authorization is not None
    assert authorization.get('orgMembership', None) is None

    # Test for staff users
    patch_token_info({
        'loginSource': '',
        'realm_access': {
            'roles': ['staff']
        }
    }, monkeypatch)
    authorization = Authorization.get_user_authorizations_for_entity(
        entity.business_identifier)

    assert authorization is not None
    assert authorization.get('orgMembership', None) is None
Exemplo n.º 2
0
def test_get_user_authorizations_for_entity_service_account(session, monkeypatch):
    """Assert that user authorizations for entity is working."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    factory_product_model(org.id, product_code=ProductCode.BUSINESS.value)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    # Test for service accounts with correct product code
    patch_token_info(
        {'loginSource': '', 'realm_access': {'roles': ['system']}, 'product_code': ProductCode.BUSINESS.value},
        monkeypatch)
    authorization = Authorization.get_user_authorizations_for_entity(entity.business_identifier)
    assert bool(authorization) is True
    assert authorization.get('orgMembership', None) == 'ADMIN'

    # Test for service accounts with wrong product code
    patch_token_info({'loginSource': '', 'realm_access': {'roles': ['system']}, 'product_code': 'INVALIDCP'},
                     monkeypatch)
    authorization = Authorization.get_user_authorizations_for_entity(entity.business_identifier)
    assert bool(authorization) is False
    assert authorization.get('orgMembership', None) is None

    # Test for service accounts with no product code
    patch_token_info({'loginSource': '', 'realm_access': {'roles': ['system']}}, monkeypatch)
    authorization = Authorization.get_user_authorizations_for_entity(entity.business_identifier)
    assert bool(authorization) is False
    assert authorization.get('orgMembership', None) is None
Exemplo n.º 3
0
def test_authorizations_for_expanded_result(client, jwt, session):  # pylint:disable=unused-argument
    """Assert authorizations for affiliated users returns 200."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    claims = copy.deepcopy(TestJwtClaims.edit_user_role.value)
    claims['sub'] = str(user.keycloak_guid)

    headers = factory_auth_header(jwt=jwt, claims=claims)
    rv = client.get(
        f'/api/v1/entities/{entity.business_identifier}/authorizations',
        headers=headers,
        content_type='application/json')

    assert rv.status_code == http_status.HTTP_200_OK
    assert schema_utils.validate(rv.json, 'account_response')[0]
    assert rv.json.get('orgMembership') == 'ADMIN'
    assert rv.json.get('account', None) is None

    rv = client.get(
        f'/api/v1/entities/{entity.business_identifier}/authorizations?expanded=true',
        headers=headers,
        content_type='application/json')
    assert rv.status_code == http_status.HTTP_200_OK
    assert schema_utils.validate(rv.json, 'account_response')[0]
    assert rv.json.get('account') is not None
    assert rv.json.get('account').get('name') == org.name
    assert rv.json.get('business').get('name') == entity.name
    assert rv.json.get('business').get('folioNumber') == entity.folio_number
Exemplo n.º 4
0
def test_check_auth_for_service_account_invalid(session):  # pylint:disable=unused-argument
    """Assert that check_auth is working as expected and throws exception."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    # Test for invalid CP
    with pytest.raises(HTTPException) as excinfo:
        check_auth(
            {
                'realm_access': {
                    'roles': ['system']
                },
                'corp_type': 'IVALIDCP'
            },
            org_id=org.id)
        assert excinfo.exception.code == 403

    # Test for invalid CP
    with pytest.raises(HTTPException) as excinfo:
        check_auth({'realm_access': {'roles': ['system']}}, org_id=org.id)
        assert excinfo.exception.code == 403

    # Test for invalid CP with no args
    with pytest.raises(HTTPException) as excinfo:
        check_auth({'realm_access': {'roles': ['system']}})
        assert excinfo.exception.code == 403
Exemplo n.º 5
0
def test_user_authorizations_returns_200(client, jwt, session):  # pylint:disable=unused-argument
    """Assert authorizations for users returns 200."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    claims = copy.deepcopy(TestJwtClaims.edit_role.value)
    claims['sub'] = str(user.keycloak_guid)

    headers = factory_auth_header(jwt=jwt, claims=claims)
    rv = client.get('/api/v1/users/authorizations',
                    headers=headers,
                    content_type='application/json')

    assert rv.status_code == http_status.HTTP_200_OK
    assert rv.json.get('authorizations')[0].get('orgMembership') == 'OWNER'

    # Test with invalid user
    claims['sub'] = str(uuid.uuid4())
    headers = factory_auth_header(jwt=jwt, claims=claims)
    rv = client.get('/api/v1/users/authorizations',
                    headers=headers,
                    content_type='application/json')

    assert rv.status_code == http_status.HTTP_200_OK
    assert len(rv.json.get('authorizations')) == 0
Exemplo n.º 6
0
def test_check_auth_for_service_account_invalid(session):  # pylint:disable=unused-argument
    """Assert that check_auth is working as expected and throws exception."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)
Exemplo n.º 7
0
def test_check_auth(session):  # pylint:disable=unused-argument
    """Assert that check_auth is working as expected."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    factory_product_model(org.id, product_code=ProductCode.BUSINESS.value)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    # Test if staff admin can access to STAFF only method
    check_auth({'realm_access': {'roles': ['staff', 'create_accounts']}, 'sub': str(user.keycloak_guid)},
               one_of_roles=[STAFF])

    # Test for staff admin role to only STAFF
    check_auth({'realm_access': {'roles': ['staff', 'create_accounts']}, 'sub': str(user.keycloak_guid)},
               equals_role=STAFF)

    # Test for staff role
    check_auth({'realm_access': {'roles': ['staff']}, 'sub': str(user.keycloak_guid),
                'product_code': ProductCode.BUSINESS.value}, one_of_roles=[STAFF])
    # Test for owner role
    check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid),
                'product_code': ProductCode.BUSINESS.value}, one_of_roles=[ADMIN],
               business_identifier=entity.business_identifier)
    # Test for owner role with org id
    check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid),
                'product_code': ProductCode.BUSINESS.value}, one_of_roles=[ADMIN],
               org_id=org.id)

    # Test for exception, check for auth if resource is available for STAFF users
    with pytest.raises(HTTPException) as excinfo:
        check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid)}, one_of_roles=[STAFF],
                   business_identifier=entity.business_identifier)
        assert excinfo.exception.code == 403

    # Test auth where STAFF role is in disabled role list
    with pytest.raises(HTTPException) as excinfo:
        check_auth({'realm_access': {'roles': ['staff']}, 'sub': str(user.keycloak_guid)}, disabled_roles=[STAFF],
                   business_identifier=entity.business_identifier)
        assert excinfo.exception.code == 403

    # Test auth where STAFF role is exact match
    with pytest.raises(HTTPException) as excinfo:
        check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid)}, equals_role=USER,
                   business_identifier=entity.business_identifier)
        assert excinfo.exception.code == 403

    # Test auth where STAFF role is exact match
    with pytest.raises(HTTPException) as excinfo:
        check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid)}, equals_role=USER,
                   org_id=org.id)
        assert excinfo.exception.code == 403

        # Test auth where STAFF role is exact match
        with pytest.raises(HTTPException) as excinfo:
            check_auth({'realm_access': {'roles': ['staff', 'create_accounts']}, 'sub': str(user.keycloak_guid)},
                       equals_role=USER,
                       org_id=org.id)
            assert excinfo.exception.code == 403
Exemplo n.º 8
0
def test_find_user_authorization_by_org_id_and_invalid_corp_type(session):  # pylint:disable=unused-argument
    """Assert that authorization view is not returning result when invalid corp type is passed."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)
    authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'invalid_corp_type')

    assert authorization is None
Exemplo n.º 9
0
def test_check_auth_for_service_account_valid_with_org_id(session):  # pylint:disable=unused-argument
    """Assert that check_auth is working as expected."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    factory_product_model(org.id, product_code=ProductCode.BUSINESS.value)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    # Test for service account with CP corp type
    check_auth({'realm_access': {'roles': ['system']}, 'product_code': ProductCode.BUSINESS.value}, org_id=org.id)
Exemplo n.º 10
0
def test_find_all_user_authorizations(session):  # pylint:disable=unused-argument
    """Test find all user authoirzations."""
    user = factory_user_model()
    org = factory_org_model()
    membership = factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)
    authorizations = Authorization.find_all_authorizations_for_user(str(user.keycloak_guid))
    assert authorizations is not None
    assert authorizations[0].org_membership == membership.membership_type_code
    assert authorizations[0].business_identifier == entity.business_identifier
Exemplo n.º 11
0
def test_find_user_authorization_by_org_id(session):  # pylint:disable=unused-argument
    """Assert that authorization view is returning result."""
    user = factory_user_model()
    org = factory_org_model()
    membership = factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)
    authorization = Authorization.find_user_authorization_by_org_id(str(user.keycloak_guid),
                                                                    org.id)

    assert authorization is not None
    assert authorization.org_membership == membership.membership_type_code
Exemplo n.º 12
0
def test_find_user_authorization_by_business_number_product(session):  # pylint:disable=unused-argument
    """Assert that authorization view is returning result."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)
    authorization = Authorization.find_user_authorization_by_business_number_and_product(
        entity.business_identifier, ProductCode.DIR_SEARCH.value)

    assert authorization is not None
    assert authorization.product_code == ProductCode.DIR_SEARCH.value
Exemplo n.º 13
0
def test_find_user_authorization_by_org_id_and_corp_type(session):  # pylint:disable=unused-argument
    """Assert that authorization view returns result when fetched using Corp type instead of jwt.

    Service accounts passes corp type instead of jwt.
    """
    user = factory_user_model()
    org = factory_org_model()
    membership = factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)
    authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'CP')

    assert authorization is not None
    assert authorization.org_membership == membership.membership_type_code
Exemplo n.º 14
0
def test_find_invalid_user_authorization_by_business_number(session):  # pylint:disable=unused-argument
    """Test with invalid user id and assert that auth is None."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)
    authorization = Authorization.find_user_authorization_by_business_number(str(uuid.uuid4()),
                                                                             entity.business_identifier)
    assert authorization is None

    # Test with invalid business identifier
    authorization = Authorization.find_user_authorization_by_business_number(str(uuid.uuid4()), '')
    assert authorization is None
Exemplo n.º 15
0
def test_get_user_authorizations(session):  # pylint:disable=unused-argument
    """Assert that listing all user authorizations is working."""
    user = factory_user_model()
    org = factory_org_model()
    membership = factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    authorization = Authorization.get_user_authorizations(str(user.keycloak_guid))
    assert authorization is not None
    assert authorization['authorizations'][0].get('orgMembership', None) == membership.membership_type_code

    # Test with invalid user
    authorization = Authorization.get_user_authorizations(str(uuid.uuid4()))
    assert authorization is not None
    assert len(authorization['authorizations']) == 0
Exemplo n.º 16
0
def test_check_auth_for_service_account_valid_with_business_id(session):  # pylint:disable=unused-argument
    """Assert that check_auth is working as expected."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    # Test for service account with CP corp type
    check_auth({
        'realm_access': {
            'roles': ['system']
        },
        'corp_type': 'CP'
    },
               business_identifier=entity.business_identifier)
Exemplo n.º 17
0
def test_find_user_authorization_by_org_id_and_corp_type_multiple_membership(session):  # pylint:disable=unused-argument
    """Assert that authorization view returns result when fetched using Corp type instead of jwt.

    When multiple membership is present , return the one with Owner access.
    """
    user1 = factory_user_model()
    user2 = factory_user_model(user_info=TestUserInfo.user2)
    org = factory_org_model()
    factory_membership_model(user1.id, org.id, member_type='ADMIN')
    membership_owner = factory_membership_model(user2.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)
    authorization = Authorization.find_user_authorization_by_org_id_and_corp_type(org.id, 'CP')

    assert authorization is not None
    assert authorization.org_membership == membership_owner.membership_type_code
Exemplo n.º 18
0
def test_authorizations_for_affiliated_users_returns_200(client, jwt, session):  # pylint:disable=unused-argument
    """Assert authorizations for affiliated users returns 200."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    claims = copy.deepcopy(TestJwtClaims.passcode.value)
    claims['sub'] = str(user.keycloak_guid)

    headers = factory_auth_header(jwt=jwt, claims=claims)
    rv = client.get(f'/api/v1/entities/{entity.business_identifier}/authorizations',
                    headers=headers, content_type='application/json')

    assert rv.status_code == http_status.HTTP_200_OK
    assert rv.json.get('orgMembership') == 'OWNER'
Exemplo n.º 19
0
def test_get_user_authorizations_for_entity_service_account(session):
    """Assert that user authorizations for entity is working."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    # Test for service accounts with correct corp type
    authorization = Authorization.get_user_authorizations_for_entity(
        {
            'loginSource': '',
            'realm_access': {
                'roles': ['system']
            },
            'corp_type': 'CP'
        }, entity.business_identifier)
    assert bool(authorization) is True
    assert authorization.get('orgMembership', None) == 'OWNER'

    # Test for service accounts with wrong corp type
    authorization = Authorization.get_user_authorizations_for_entity(
        {
            'loginSource': '',
            'realm_access': {
                'roles': ['system']
            },
            'corp_type': 'INVALIDCP'
        }, entity.business_identifier)
    assert bool(authorization) is False
    assert authorization.get('orgMembership', None) is None

    # Test for service accounts with no corp type
    authorization = Authorization.get_user_authorizations_for_entity(
        {
            'loginSource': '',
            'realm_access': {
                'roles': ['system']
            }
        }, entity.business_identifier)
    assert bool(authorization) is False
    assert authorization.get('orgMembership', None) is None
Exemplo n.º 20
0
def test_get_user_authorizations_for_entity_with_multiple_affiliations(
        session,  # pylint:disable=unused-argument
        monkeypatch):
    """Assert that user authorizations for entity is working."""
    user = factory_user_model()
    org = factory_org_model()
    membership = factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)
    patch_token_info(
        {
            'sub': str(user.keycloak_guid),
            'realm_access': {
                'roles': ['basic']
            }
        }, monkeypatch)
    authorization = Authorization.get_user_authorizations_for_entity(
        entity.business_identifier)
    assert authorization is not None
    assert authorization.get('orgMembership',
                             None) == membership.membership_type_code

    # Affiliate same entity to another org and user, and assert both authorizations works
    user_2 = factory_user_model(user_info=TestUserInfo.user2)
    org_2 = factory_org_model(org_info=TestOrgInfo.org2)
    membership = factory_membership_model(user_2.id, org_2.id)
    factory_affiliation_model(entity.id, org_2.id)
    patch_token_info(
        {
            'sub': str(user_2.keycloak_guid),
            'realm_access': {
                'roles': ['basic']
            }
        }, monkeypatch)
    authorization = Authorization.get_user_authorizations_for_entity(
        entity.business_identifier)
    assert authorization is not None
    assert authorization.get('orgMembership',
                             None) == membership.membership_type_code
Exemplo n.º 21
0
def test_check_auth(session):  # pylint:disable=unused-argument
    """Assert that check_auth is working as expected."""
    user = factory_user_model()
    org = factory_org_model()
    factory_membership_model(user.id, org.id)
    entity = factory_entity_model()
    factory_affiliation_model(entity.id, org.id)

    # Test for staff role
    check_auth(
        {
            'realm_access': {
                'roles': ['staff']
            },
            'sub': str(user.keycloak_guid)
        },
        one_of_roles=STAFF)
    # Test for owner role
    check_auth(
        {
            'realm_access': {
                'roles': ['public']
            },
            'sub': str(user.keycloak_guid)
        },
        one_of_roles=OWNER,
        business_identifier=entity.business_identifier)
    # Test for owner role with org id
    check_auth(
        {
            'realm_access': {
                'roles': ['public']
            },
            'sub': str(user.keycloak_guid)
        },
        one_of_roles=OWNER,
        org_id=org.id)

    # Test for exception, check for auth if resource is available for STAFF users
    with pytest.raises(HTTPException) as excinfo:
        check_auth(
            {
                'realm_access': {
                    'roles': ['public']
                },
                'sub': str(user.keycloak_guid)
            },
            one_of_roles=[STAFF],
            business_identifier=entity.business_identifier)
        assert excinfo.exception.code == 403

    # Test auth where STAFF role is in disabled role list
    with pytest.raises(HTTPException) as excinfo:
        check_auth(
            {
                'realm_access': {
                    'roles': ['staff']
                },
                'sub': str(user.keycloak_guid)
            },
            disabled_roles=[STAFF],
            business_identifier=entity.business_identifier)
        assert excinfo.exception.code == 403

    # Test auth where STAFF role is exact match
    with pytest.raises(HTTPException) as excinfo:
        check_auth(
            {
                'realm_access': {
                    'roles': ['public']
                },
                'sub': str(user.keycloak_guid)
            },
            equals_role=MEMBER,
            business_identifier=entity.business_identifier)
        assert excinfo.exception.code == 403

    # Test auth where STAFF role is exact match
    with pytest.raises(HTTPException) as excinfo:
        check_auth(
            {
                'realm_access': {
                    'roles': ['public']
                },
                'sub': str(user.keycloak_guid)
            },
            equals_role=MEMBER,
            org_id=org.id)
        assert excinfo.exception.code == 403