def test_delete_bcros_valdiations(client, jwt, session, keycloak_mock, monkeypatch): """Assert different conditions of user deletion.""" admin_user = TestUserInfo.user_bcros_active org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model(user_info=TestUserInfo.user_bcros_active) factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) owner_claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) patch_token_info(owner_claims, monkeypatch) member = TestAnonymousMembership.generate_random_user(USER) admin = TestAnonymousMembership.generate_random_user(COORDINATOR) membership = [member, admin] UserService.create_user_and_add_membership(membership, org.id) owner_headers = factory_auth_header(jwt=jwt, claims=owner_claims) member_username = IdpHint.BCROS.value + '/' + member['username'] admin_username = IdpHint.BCROS.value + '/' + admin['username'] admin_claims = TestJwtClaims.get_test_real_user(uuid.uuid4(), admin_username, access_ype=AccessType.ANONYMOUS.value, roles=[Role.ANONYMOUS_USER.value]) admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims) member_claims = TestJwtClaims.get_test_real_user(uuid.uuid4(), member_username, access_ype=AccessType.ANONYMOUS.value, roles=[Role.ANONYMOUS_USER.value]) member_headers = factory_auth_header(jwt=jwt, claims=member_claims) # set up JWTS for member and admin patch_token_info(admin_claims, monkeypatch) client.post('/api/v1/users', headers=admin_headers, content_type='application/json', data=json.dumps({'isLogin': True})) patch_token_info(member_claims, monkeypatch) client.post('/api/v1/users', headers=member_headers, content_type='application/json', data=json.dumps({'isLogin': True})) patch_token_info(owner_claims, monkeypatch) # delete only owner ;failure rv = client.delete(f"/api/v1/users/{admin_user['username']}", headers=owner_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # admin trying to delete member: Failure patch_token_info(admin_claims, monkeypatch) rv = client.delete(f'/api/v1/users/{member_username}', headers=admin_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # member delete admin: failure patch_token_info(member_claims, monkeypatch) rv = client.delete(f'/api/v1/users/{admin_username}', headers=member_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # a self delete ;should work ;mimics leave team for anonymous user patch_token_info(member_claims, monkeypatch) rv = client.delete(f'/api/v1/users/{member_username}', headers=member_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT patch_token_info(admin_claims, monkeypatch) rv = client.delete(f'/api/v1/users/{admin_username}', headers=admin_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT # add one more admin patch_token_info(owner_claims, monkeypatch) new_owner = TestAnonymousMembership.generate_random_user(ADMIN) membership = [new_owner] UserService.create_user_and_add_membership(membership, org.id) patch_token_info(owner_claims, monkeypatch) rv = client.delete(f"/api/v1/users/{IdpHint.BCROS.value + '/' + new_owner['username']}", headers=owner_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT
def test_delete_bcros_valdiations(client, jwt, session, keycloak_mock): """Assert different conditions of user deletion.""" admin_user = TestUserInfo.user_bcros_active org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model(user_info=TestUserInfo.user_bcros_active) factory_membership_model(user.id, org.id) owner_claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) member = TestAnonymousMembership.generate_random_user(MEMBER) admin = TestAnonymousMembership.generate_random_user(ADMIN) membership = [member, admin] UserService.create_user_and_add_membership(membership, org.id, token_info=owner_claims) owner_headers = factory_auth_header(jwt=jwt, claims=owner_claims) member_username = IdpHint.BCROS.value + '/' + member['username'] admin_username = IdpHint.BCROS.value + '/' + admin['username'] admin_claims = TestJwtClaims.get_test_real_user( uuid.uuid4(), admin_username, access_ype=AccessType.ANONYMOUS.value) admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims) member_claims = TestJwtClaims.get_test_real_user( uuid.uuid4(), member_username, access_ype=AccessType.ANONYMOUS.value) member_headers = factory_auth_header(jwt=jwt, claims=member_claims) # set up JWTS for member and admin client.post('/api/v1/users', headers=admin_headers, content_type='application/json') client.post('/api/v1/users', headers=member_headers, content_type='application/json') # delete only owner ;failure rv = client.delete(f"/api/v1/users/{admin_user['username']}", headers=owner_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # admin trying to delete member: Failure rv = client.delete(f'/api/v1/users/{member_username}', headers=admin_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # member delete admin: failure rv = client.delete(f'/api/v1/users/{admin_username}', headers=member_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # a self delete ;should work ;mimics leave team for anonymous user rv = client.delete(f'/api/v1/users/{member_username}', headers=member_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT rv = client.delete(f'/api/v1/users/{admin_username}', headers=admin_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT # add one more admin new_owner = TestAnonymousMembership.generate_random_user(OWNER) membership = [new_owner] UserService.create_user_and_add_membership(membership, org.id, token_info=owner_claims) rv = client.delete( f"/api/v1/users/{IdpHint.BCROS.value + '/' + new_owner['username']}", headers=owner_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT
def test_check_auth(session, monkeypatch): # pylint:disable=unused-argument """Assert that check_auth is working as expected.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.BUSINESS.value) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test if staff admin can access to STAFF only method patch_token_info( { 'realm_access': { 'roles': ['staff', 'create_accounts'] }, 'sub': str(user.keycloak_guid) }, monkeypatch) check_auth(one_of_roles=[STAFF]) # Test for staff admin role to only STAFF patch_token_info( { 'realm_access': { 'roles': ['staff', 'create_accounts'] }, 'sub': str(user.keycloak_guid) }, monkeypatch) check_auth(equals_role=STAFF) # Test for staff role patch_token_info( { 'realm_access': { 'roles': ['staff'] }, 'sub': str(user.keycloak_guid), 'product_code': ProductCode.BUSINESS.value }, monkeypatch) check_auth(one_of_roles=[STAFF]) # Test for owner role patch_token_info( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid), 'product_code': ProductCode.BUSINESS.value }, monkeypatch) check_auth(one_of_roles=[ADMIN], business_identifier=entity.business_identifier) # Test for owner role with org id patch_token_info( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid), 'product_code': ProductCode.BUSINESS.value }, monkeypatch) check_auth(one_of_roles=[ADMIN], org_id=org.id) # Test for exception, check for auth if resource is available for STAFF users with pytest.raises(HTTPException) as excinfo: patch_token_info( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, monkeypatch) check_auth(one_of_roles=[STAFF], business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is in disabled role list with pytest.raises(HTTPException) as excinfo: patch_token_info( { 'realm_access': { 'roles': ['staff'] }, 'sub': str(user.keycloak_guid) }, monkeypatch) check_auth(disabled_roles=[STAFF], business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: patch_token_info( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, monkeypatch) check_auth(equals_role=USER, business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: patch_token_info( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, monkeypatch) check_auth(equals_role=USER, org_id=org.id) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: patch_token_info( { 'realm_access': { 'roles': ['staff', 'create_accounts'] }, 'sub': str(user.keycloak_guid) }, monkeypatch) check_auth(equals_role=USER, org_id=org.id) assert excinfo.exception.code == 403
def test_create_user_add_membership_reenable(session, auth_mock, keycloak_mock): # pylint:disable=unused-argument """Assert that an admin can add a member.""" org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model() factory_membership_model(user.id, org.id) claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) anon_member = TestAnonymousMembership.generate_random_user(MEMBER) membership = [anon_member] users = UserService.create_user_and_add_membership(membership, org.id, token_info=claims) user_name = IdpHint.BCROS.value + '/' + membership[0]['username'] assert len(users['users']) == 1 assert users['users'][0]['username'] == user_name assert users['users'][0]['type'] == 'ANONYMOUS' members = MembershipModel.find_members_by_org_id(org.id) # staff didnt create members..so count is count of owner+other 1 member assert len(members) == 2 # assert cant be readded users = UserService.create_user_and_add_membership(membership, org.id, token_info=claims) assert users['users'][0]['http_status'] == 409 assert users['users'][0]['error'] == 'The username is already taken' # deactivate everything and try again anon_user = UserModel.find_by_username(user_name) anon_user.status = Status.INACTIVE.value anon_user.save() membership_model = MembershipModel.find_membership_by_userid(anon_user.id) membership_model.status = Status.INACTIVE.value update_user_request = KeycloakUser() update_user_request.user_name = membership[0]['username'] update_user_request.enabled = False KeycloakService.update_user(update_user_request) org2 = factory_org_model(org_info=TestOrgInfo.org_anonymous_2, org_type_info={'code': 'BASIC'}, org_status_info=None, payment_type_info=None) factory_membership_model(user.id, org2.id) users = UserService.create_user_and_add_membership(membership, org2.id, token_info=claims) assert users['users'][0]['http_status'] == 409 assert users['users'][0]['error'] == 'The username is already taken' # add to same org.Should work users = UserService.create_user_and_add_membership(membership, org.id, token_info=claims) assert len(users['users']) == 1 assert users['users'][0][ 'username'] == IdpHint.BCROS.value + '/' + membership[0]['username'] assert users['users'][0]['type'] == 'ANONYMOUS'
def test_remove_member_removes_group_to_the_user(session, monkeypatch): # pylint:disable=unused-argument """Assert that accepting an invite adds group to the user.""" # Create a user in keycloak keycloak_service = KeycloakService() request = KeycloakScenario.create_user_request() keycloak_service.add_user(request, return_if_exists=True) kc_user = keycloak_service.get_user_by_username(request.user_name) user = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id)) # Patch token info def token_info(): # pylint: disable=unused-argument; mocks of library methods return { 'sub': str(kc_user.id), 'username': '******', 'realm_access': { 'roles': [ 'edit' ] }, 'product_code': ProductCode.BUSINESS.value } monkeypatch.setattr('auth_api.utils.user_context._get_token_info', token_info) org = OrgService.create_org(TestOrgInfo.org1, user_id=user.id) # Create another user request = KeycloakScenario.create_user_request() keycloak_service.add_user(request, return_if_exists=True) kc_user2 = keycloak_service.get_user_by_username(request.user_name) user2 = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user2.id)) # Add a membership to the user for the org created factory_membership_model(user2.id, org.as_dict().get('id'), member_type='COORDINATOR', member_status=4) # Add a product to org factory_product_model(org.as_dict().get('id'), product_code=ProductCode.BUSINESS.value) # Find the membership and update to ACTIVE membership = MembershipService.get_membership_for_org_and_user(org.as_dict().get('id'), user2.id) active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.ACTIVE.name) updated_fields = {'membership_status': active_membership_status} with patch.object(ActivityLogPublisher, 'publish_activity', return_value=None) as mock_alp: MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info()) mock_alp.assert_called_with(Activity(action=ActivityAction.APPROVE_TEAM_MEMBER.value, org_id=ANY, name=ANY, id=ANY, value=ANY)) user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups # Deactivate Membership with patch.object(ActivityLogPublisher, 'publish_activity', return_value=None) as mock_alp: MembershipService(membership).deactivate_membership(token_info=token_info()) mock_alp.assert_called_with(Activity(action=ActivityAction.REMOVE_TEAM_MEMBER.value, org_id=ANY, name=ANY, id=ANY, value=ANY)) # ACTIVE active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.ACTIVE.name) updated_fields = {'membership_status': active_membership_status} MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info()) # Find the membership and update to INACTIVE active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.INACTIVE.name) updated_fields = {'membership_status': active_membership_status} with patch.object(ActivityLogPublisher, 'publish_activity', return_value=None) as mock_alp: MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info()) mock_alp.assert_called_with(Activity(action=ActivityAction.REMOVE_TEAM_MEMBER.value, org_id=ANY, name=ANY, id=ANY, value=ANY)) user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS not in groups MembershipService(membership).deactivate_membership()
def test_delete_otp_for_user(client, jwt, session): # pylint:disable=unused-argument """Assert that a user can be POSTed.""" # ADMIN admin_user = factory_user_model(user_info=TestUserInfo.user1) org = factory_org_model(org_info=TestOrgInfo.org_regular_bceid) factory_membership_model(admin_user.id, org.id) admin_claims = TestJwtClaims.get_test_real_user(admin_user.keycloak_guid) admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims) # COORDINATOR coordinator_user = factory_user_model(user_info=TestUserInfo.user2) factory_membership_model(coordinator_user.id, org.id, member_type=COORDINATOR) coordinator_claims = TestJwtClaims.get_test_real_user( coordinator_user.keycloak_guid) coordinator_headers = factory_auth_header(jwt=jwt, claims=coordinator_claims) # just a member member_user = factory_user_model(user_info=TestUserInfo.user3) factory_membership_model(member_user.id, org.id, member_type=USER) user_claims = TestJwtClaims.get_test_real_user(member_user.keycloak_guid) user_headers = factory_auth_header(jwt=jwt, claims=user_claims) request = KeycloakScenario.create_user_by_user_info( user_info=TestJwtClaims.tester_bceid_role) KEYCLOAK_SERVICE.add_user(request, return_if_exists=True) user = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) assert 'CONFIGURE_TOTP' not in json.loads(user.value()).get( 'requiredActions', None) user_id = user.id # Create user, org and membserhip in DB user = factory_user_model( TestUserInfo.get_bceid_user_with_kc_guid(user_id)) factory_membership_model(user.id, org.id) # staff with manage accounts otp reset headers = factory_auth_header( jwt=jwt, claims=TestJwtClaims.staff_manage_accounts_role) rv = client.delete(f'api/v1/users/{user.username}/otp', headers=headers) assert rv.status_code == http_status.HTTP_204_NO_CONTENT user1 = KEYCLOAK_SERVICE.get_user_by_username(request.user_name) assert 'CONFIGURE_TOTP' in json.loads(user1.value()).get('requiredActions') # staff with basic access cant do otp reset headers = factory_auth_header(jwt=jwt, claims=TestJwtClaims.staff_role) rv = client.delete(f'api/v1/users/{user.username}/otp', headers=headers) assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # admin can do otp reset rv = client.delete(f'api/v1/users/{user.username}/otp', headers=admin_headers) assert rv.status_code == http_status.HTTP_204_NO_CONTENT # coordinator can do otp reset rv = client.delete(f'api/v1/users/{user.username}/otp', headers=coordinator_headers) assert rv.status_code == http_status.HTTP_204_NO_CONTENT # user can not do otp reset rv = client.delete(f'api/v1/users/{user.username}/otp', headers=user_headers) assert rv.status_code == http_status.HTTP_403_FORBIDDEN # another org admin cant do admin_user1 = factory_user_model(user_info=TestUserInfo.user_test) org1 = factory_org_model(org_info=TestOrgInfo.org2, org_type_info=TestOrgTypeInfo.implicit, org_status_info=None, payment_type_info=None) factory_membership_model(admin_user1.id, org1.id) admin_claims = TestJwtClaims.get_test_real_user(admin_user1.keycloak_guid) admin1_headers = factory_auth_header(jwt=jwt, claims=admin_claims) rv = client.delete(f'api/v1/users/{user.username}/otp', headers=admin1_headers) assert rv.status_code == http_status.HTTP_403_FORBIDDEN
def test_check_auth(session): # pylint:disable=unused-argument """Assert that check_auth is working as expected.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test if staff admin can access to STAFF only method check_auth( { 'realm_access': { 'roles': ['staff_admin'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=[STAFF]) # Test for staff admin can access to STAFF_ADMIN method check_auth( { 'realm_access': { 'roles': ['staff_admin'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=[STAFF_ADMIN]) # Test for staff admin role can access to STAFF_ADMIN and STAFF method check_auth( { 'realm_access': { 'roles': ['staff_admin'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=[STAFF_ADMIN, STAFF]) # Test for staff admin role can access to only STAFF_ADMIN check_auth( { 'realm_access': { 'roles': ['staff_admin'] }, 'sub': str(user.keycloak_guid) }, equals_role=STAFF_ADMIN) # Test for staff admin role to only STAFF check_auth( { 'realm_access': { 'roles': ['staff_admin'] }, 'sub': str(user.keycloak_guid) }, equals_role=STAFF) # Test for staff role check_auth( { 'realm_access': { 'roles': ['staff'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=[STAFF]) # Test for owner role check_auth( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=[OWNER], business_identifier=entity.business_identifier) # Test for owner role with org id check_auth( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=[OWNER], org_id=org.id) # Test for exception, check for auth if resource is available for STAFF users with pytest.raises(HTTPException) as excinfo: check_auth( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, one_of_roles=[STAFF], business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is in disabled role list with pytest.raises(HTTPException) as excinfo: check_auth( { 'realm_access': { 'roles': ['staff'] }, 'sub': str(user.keycloak_guid) }, disabled_roles=[STAFF], business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, equals_role=MEMBER, business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth( { 'realm_access': { 'roles': ['public'] }, 'sub': str(user.keycloak_guid) }, equals_role=MEMBER, org_id=org.id) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth( { 'realm_access': { 'roles': ['staff_admin'] }, 'sub': str(user.keycloak_guid) }, equals_role=MEMBER, org_id=org.id) assert excinfo.exception.code == 403
def test_remove_member_removes_group_to_the_user(session, monkeypatch): # pylint:disable=unused-argument """Assert that accepting an invite adds group to the user.""" # Create a user in keycloak keycloak_service = KeycloakService() request = KeycloakScenario.create_user_request() keycloak_service.add_user(request, return_if_exists=True) kc_user = keycloak_service.get_user_by_username(request.user_name) user = factory_user_model( TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id)) # Patch token info def token_info(): # pylint: disable=unused-argument; mocks of library methods return { 'sub': str(kc_user.id), 'username': '******', 'realm_access': { 'roles': [] } } monkeypatch.setattr( 'auth_api.services.keycloak.KeycloakService._get_token_info', token_info) org = OrgService.create_org(TestOrgInfo.org1, user_id=user.id) # Create another user request = KeycloakScenario.create_user_request() keycloak_service.add_user(request, return_if_exists=True) kc_user2 = keycloak_service.get_user_by_username(request.user_name) user2 = factory_user_model( TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user2.id)) # Add a membership to the user for the org created factory_membership_model(user2.id, org.as_dict().get('id'), member_type='ADMIN', member_status=4) # Find the membership and update to ACTIVE membership = MembershipService.get_membership_for_org_and_user( org.as_dict().get('id'), user2.id) active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code( Status.ACTIVE.name) updated_fields = {'membership_status': active_membership_status} MembershipService(membership).update_membership( updated_fields=updated_fields, token_info=token_info()) user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups # Find the membership and update to INACTIVE active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code( Status.INACTIVE.name) updated_fields = {'membership_status': active_membership_status} MembershipService(membership).update_membership( updated_fields=updated_fields, token_info=token_info()) user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS not in groups
def test_reset_password(client, jwt, session, keycloak_mock): # pylint:disable=unused-argument """Assert that an anonymous admin can be Patched.""" org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model(user_info=TestUserInfo.user_bcros_active) factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) owner_claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) member = TestAnonymousMembership.generate_random_user(USER) admin = TestAnonymousMembership.generate_random_user(COORDINATOR) membership = [member, admin] UserService.create_user_and_add_membership(membership, org.id, token_info=owner_claims) owner_headers = factory_auth_header(jwt=jwt, claims=owner_claims) member_username = IdpHint.BCROS.value + '/' + member['username'] admin_username = IdpHint.BCROS.value + '/' + admin['username'] admin_claims = TestJwtClaims.get_test_real_user( uuid.uuid4(), admin_username, access_ype=AccessType.ANONYMOUS.value, roles=[Role.ANONYMOUS_USER.value]) admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims) member_claims = TestJwtClaims.get_test_real_user( uuid.uuid4(), member_username, access_ype=AccessType.ANONYMOUS.value, roles=[Role.ANONYMOUS_USER.value]) member_headers = factory_auth_header(jwt=jwt, claims=member_claims) # set up JWTS for member and admin client.post('/api/v1/users', headers=admin_headers, content_type='application/json') client.post('/api/v1/users', headers=member_headers, content_type='application/json') # reset password of admin by owner input_data = json.dumps({ 'username': admin_username, 'password': '******' }) rv = client.patch(f'/api/v1/users/{admin_username}', headers=owner_headers, data=input_data, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT # member cant reset password rv = client.patch(f'/api/v1/users/{admin_username}', headers=member_headers, data=input_data, content_type='application/json') assert rv.status_code == http_status.HTTP_403_FORBIDDEN # admin cant reset password rv = client.patch(f'/api/v1/users/{admin_username}', headers=admin_headers, data=input_data, content_type='application/json') assert rv.status_code == http_status.HTTP_403_FORBIDDEN
def test_get_user_authorizations_for_entity(session): # pylint:disable=unused-argument """Assert that user authorizations for entity is working.""" user = factory_user_model() org = factory_org_model() membership = factory_membership_model(user.id, org.id) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.get_user_authorizations_for_entity( { 'sub': str(user.keycloak_guid), 'realm_access': { 'roles': ['basic'] } }, entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) == membership.membership_type_code # Test with invalid user authorization = Authorization.get_user_authorizations_for_entity( { 'sub': str(uuid.uuid4()), 'realm_access': { 'roles': ['basic'] } }, entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) is None # Test for passcode users authorization = Authorization.get_user_authorizations_for_entity( { 'loginSource': 'PASSCODE', 'username': entity.business_identifier, 'realm_access': { 'roles': ['basic'] } }, entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) == 'OWNER' # Test for passcode users with invalid username authorization = Authorization.get_user_authorizations_for_entity( { 'loginSource': 'PASSCODE', 'username': '******', 'realm_access': { 'roles': ['basic'] } }, entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) is None # Test for staff users authorization = Authorization.get_user_authorizations_for_entity( { 'loginSource': '', 'realm_access': { 'roles': ['staff'] } }, entity.business_identifier) assert authorization is not None assert authorization.get('orgMembership', None) is None