def test_document_delete_failure_wont_create_user_event_log( self, mark_deletion_pending, ): """Tests document deletion failure won't create user event log.""" mark_deletion_pending.side_effect = Exception('No way!') user = create_test_user( permission_codenames=(EvidenceDocumentPermission.delete_all, ), dit_team=TeamFactory(), ) entity_document = create_evidence_document(user, False) document = entity_document.document document.mark_scan_scheduled() document.mark_as_scanned(True, 'reason') url = reverse( 'api-v3:investment:evidence-document:document-item', kwargs={ 'project_pk': entity_document.investment_project.pk, 'entity_document_pk': entity_document.pk, }, ) api_client = self.create_api_client(user=user) with pytest.raises(Exception): api_client.delete(url) assert UserEvent.objects.count() == 0
def test_document_delete(self, delete_document, permissions, associated, allowed): """Tests document deletion.""" user = create_test_user(permission_codenames=permissions, dit_team=TeamFactory()) entity_document = create_evidence_document(user, associated=associated) document = entity_document.document document.mark_scan_scheduled() document.mark_as_scanned(True, 'reason') url = reverse( 'api-v3:investment:evidence-document:document-item', kwargs={ 'project_pk': entity_document.investment_project.pk, 'entity_document_pk': entity_document.pk, }, ) document_pk = entity_document.document.pk api_client = self.create_api_client(user=user) response = api_client.delete(url) if not allowed: assert response.status_code == status.HTTP_403_FORBIDDEN assert response.json() == { 'detail': 'You do not have permission to perform this action.', } return assert response.status_code == status.HTTP_204_NO_CONTENT delete_document.assert_called_once_with(args=(document_pk, ))
def test_document_download_when_not_scanned(self, permissions, associated, allowed): """Tests download of individual document when not yet virus scanned.""" user = create_test_user(permission_codenames=permissions, dit_team=TeamFactory()) entity_document = create_evidence_document(user, associated=associated) url = reverse( 'api-v3:investment:evidence-document:document-item-download', kwargs={ 'project_pk': entity_document.investment_project.pk, 'entity_document_pk': entity_document.pk, }, ) api_client = self.create_api_client(user=user) response = api_client.get(url) response_data = response.json() if not allowed: assert response.status_code == status.HTTP_403_FORBIDDEN assert response_data == { 'detail': 'You do not have permission to perform this action.', } return assert response.status_code == status.HTTP_503_SERVICE_UNAVAILABLE
def test_document_with_deletion_pending_retrieval(self, permissions, associated, allowed): """Tests retrieval of individual document that is pending deletion.""" user = create_test_user(permission_codenames=permissions, dit_team=TeamFactory()) entity_document = create_evidence_document(user, associated=associated) entity_document.document.mark_deletion_pending() url = reverse( 'api-v3:investment:evidence-document:document-item', kwargs={ 'project_pk': entity_document.investment_project.pk, 'entity_document_pk': entity_document.pk, }, ) api_client = self.create_api_client(user=user) response = api_client.get(url) if not allowed: assert response.status_code == status.HTTP_403_FORBIDDEN assert response.json() == { 'detail': 'You do not have permission to perform this action.', } return assert response.status_code == status.HTTP_404_NOT_FOUND
def test_user_with_correct_permissions_can_export_data( self, opensearch, permissions, expected_status_code, ): """Test that only a user with correct permissions can export data.""" user = create_test_user(dit_team=TeamFactory(), permission_codenames=permissions) api_client = self.create_api_client(user=user) url = reverse('api-v4:search:large-capital-opportunity-export') response = api_client.post(url) assert response.status_code == expected_status_code
def test_user_needs_correct_permissions_to_export_data( self, opensearch, permissions, expected_status_code, ): """Test that a user without the correct permissions cannot export data.""" user = create_test_user(dit_team=TeamFactory(), permission_codenames=permissions) api_client = self.create_api_client(user=user) url = reverse('api-v4:search:large-investor-profile-export') response = api_client.post(url) assert response.status_code == expected_status_code
def test_document_retrieval(self, permissions, associated, allowed): """Tests retrieval of individual document.""" user = create_test_user(permission_codenames=permissions, dit_team=TeamFactory()) entity_document = create_evidence_document(user, associated=associated) url = reverse( 'api-v3:investment:evidence-document:document-item', kwargs={ 'project_pk': entity_document.investment_project.pk, 'entity_document_pk': entity_document.pk, }, ) api_client = self.create_api_client(user=user) response = api_client.get(url) response_data = response.json() if not allowed: assert response.status_code == status.HTTP_403_FORBIDDEN assert response_data == { 'detail': 'You do not have permission to perform this action.', } return assert response.status_code == status.HTTP_200_OK assert 'tags' in response_data response_data['tags'] = sorted(response_data['tags'], key=itemgetter('name')) assert response_data == { 'id': str(entity_document.pk), 'av_clean': None, 'comment': entity_document.comment, 'investment_project': { 'name': entity_document.investment_project.name, 'project_code': entity_document.investment_project.project_code, 'id': str(entity_document.investment_project.pk), }, 'created_by': { 'id': str(entity_document.created_by.pk), 'first_name': entity_document.created_by.first_name, 'last_name': entity_document.created_by.last_name, 'name': entity_document.created_by.name, }, 'modified_by': None, 'tags': [ {'id': str(tag.id), 'name': tag.name} for tag in sorted(entity_document.tags.all(), key=attrgetter('name')) ], 'original_filename': 'test.txt', 'url': _get_document_url(entity_document), 'status': UPLOAD_STATUSES.not_virus_scanned, 'created_on': format_date_or_datetime(entity_document.created_on), 'modified_on': format_date_or_datetime(entity_document.modified_on), 'uploaded_on': format_date_or_datetime(entity_document.document.uploaded_on), }
def test_document_upload_status_no_status_without_permission(self): """Tests user without permission can't call upload status endpoint.""" entity_document = create_evidence_document() url = reverse( 'api-v3:investment:evidence-document:document-item-callback', kwargs={ 'project_pk': entity_document.investment_project.pk, 'entity_document_pk': entity_document.pk, }, ) user = create_test_user(permission_codenames=[], dit_team=TeamFactory()) api_client = self.create_api_client(user=user) response = api_client.post(url, data={}) assert response.status_code == status.HTTP_403_FORBIDDEN
def test_document_delete_without_permission(self, delete_document): """Tests user can't delete document without permissions.""" entity_document = create_evidence_document() entity_document.document.mark_scan_scheduled() entity_document.document.mark_as_scanned(True, 'reason') url = reverse( 'api-v3:investment:evidence-document:document-item', kwargs={ 'project_pk': entity_document.investment_project.pk, 'entity_document_pk': entity_document.pk, }, ) user = create_test_user(permission_codenames=[], dit_team=TeamFactory()) api_client = self.create_api_client(user=user) response = api_client.delete(url) assert response.status_code == status.HTTP_403_FORBIDDEN assert delete_document.called is False
def test_document_delete_creates_user_event_log( self, delete_document, permissions, associated, allowed, ): """Tests document deletion creates user event log.""" user = create_test_user(permission_codenames=permissions, dit_team=TeamFactory()) entity_document = create_evidence_document(user, associated=associated) document = entity_document.document document.mark_scan_scheduled() document.mark_as_scanned(True, 'reason') url = reverse( 'api-v3:investment:evidence-document:document-item', kwargs={ 'project_pk': entity_document.investment_project.pk, 'entity_document_pk': entity_document.pk, }, ) document_pk = entity_document.document.pk expected_user_event_data = { 'id': str(entity_document.pk), 'url': entity_document.url, 'status': entity_document.document.status, 'av_clean': entity_document.document.av_clean, 'created_by': { 'id': str(entity_document.created_by.id), 'first_name': entity_document.created_by.first_name, 'last_name': entity_document.created_by.last_name, 'name': entity_document.created_by.name, }, 'created_on': format_date_or_datetime(entity_document.created_on), 'modified_by': None, 'modified_on': format_date_or_datetime(entity_document.modified_on), 'uploaded_on': format_date_or_datetime(entity_document.document.uploaded_on), 'original_filename': entity_document.original_filename, 'comment': entity_document.comment, 'investment_project': { 'id': str(entity_document.investment_project.id), 'name': entity_document.investment_project.name, 'project_code': entity_document.investment_project.project_code, }, 'tags': [{ 'id': str(tag.id), 'name': tag.name } for tag in entity_document.tags.all()], } expected_user_event_data['tags'].sort(key=itemgetter('id')) api_client = self.create_api_client(user=user) frozen_time = datetime.datetime(2018, 1, 2, 12, 30, 50, tzinfo=utc) with freeze_time(frozen_time): response = api_client.delete(url) if not allowed: assert response.status_code == status.HTTP_403_FORBIDDEN assert response.json() == { 'detail': 'You do not have permission to perform this action.', } return assert response.status_code == status.HTTP_204_NO_CONTENT delete_document.assert_called_once_with(args=(document_pk, )) assert UserEvent.objects.count() == 1 user_event = UserEvent.objects.first() user_event.data['tags'].sort(key=itemgetter('id')) assert user_event.adviser == user assert user_event.type == USER_EVENT_TYPES.evidence_document_delete assert user_event.timestamp == frozen_time assert user_event.api_url_path == url assert user_event.data == expected_user_event_data
def test_document_upload_schedule_virus_scan( self, virus_scan_document_apply_async, permissions, associated, allowed, ): """Tests scheduling virus scan after upload completion. Checks that a virus scan of the document was scheduled. Virus scanning is tested separately in the documents app. """ user = create_test_user(permission_codenames=permissions, dit_team=TeamFactory()) entity_document = create_evidence_document(user, associated=associated) url = reverse( 'api-v3:investment:evidence-document:document-item-callback', kwargs={ 'project_pk': entity_document.investment_project.pk, 'entity_document_pk': entity_document.pk, }, ) api_client = self.create_api_client(user=user) response = api_client.post(url) response_data = response.json() if not allowed: assert response.status_code == status.HTTP_403_FORBIDDEN assert response_data == { 'detail': 'You do not have permission to perform this action.', } return assert response.status_code == status.HTTP_200_OK entity_document.document.refresh_from_db() assert 'tags' in response_data response_data['tags'] = sorted(response_data['tags'], key=itemgetter('name')) assert response_data == { 'id': str(entity_document.pk), 'av_clean': None, 'comment': entity_document.comment, 'investment_project': { 'name': entity_document.investment_project.name, 'project_code': entity_document.investment_project.project_code, 'id': str(entity_document.investment_project.pk), }, 'created_by': { 'id': str(entity_document.created_by.pk), 'first_name': entity_document.created_by.first_name, 'last_name': entity_document.created_by.last_name, 'name': entity_document.created_by.name, }, 'modified_by': None, 'tags': [{ 'id': str(tag.id), 'name': tag.name } for tag in sorted(entity_document.tags.all(), key=attrgetter('name'))], 'original_filename': 'test.txt', 'url': _get_document_url(entity_document), 'status': UPLOAD_STATUSES.virus_scanning_scheduled, 'created_on': format_date_or_datetime(entity_document.created_on), 'modified_on': format_date_or_datetime(entity_document.modified_on), 'uploaded_on': format_date_or_datetime(entity_document.document.uploaded_on), } virus_scan_document_apply_async.assert_called_once_with(args=(str( entity_document.document.pk), ), )
def test_documents_list(self, permissions, associated, allowed): """Tests list endpoint.""" user = create_test_user(permission_codenames=permissions, dit_team=TeamFactory()) entity_document = create_evidence_document(user, associated=associated) entity_document.document.mark_as_scanned(True, '') # document that is pending to be deleted, shouldn't be in the list investment_project = entity_document.investment_project entity_document_to_be_deleted = create_evidence_document( user, investment_project) entity_document_to_be_deleted.document.mark_deletion_pending() url = reverse( 'api-v3:investment:evidence-document:document-collection', kwargs={ 'project_pk': investment_project.pk, }, ) api_client = self.create_api_client(user=user) response = api_client.get(url) response_data = response.json() if not allowed: assert response.status_code == status.HTTP_403_FORBIDDEN assert response_data == { 'detail': 'You do not have permission to perform this action.', } return assert response.status_code == status.HTTP_200_OK assert response_data['count'] == 1 assert len(response_data['results']) == 1 result = response_data['results'][0] assert 'tags' in result result['tags'] = sorted(result['tags'], key=itemgetter('name')) assert result == { 'id': str(entity_document.pk), 'av_clean': True, 'comment': entity_document.comment, 'investment_project': { 'name': entity_document.investment_project.name, 'project_code': entity_document.investment_project.project_code, 'id': str(entity_document.investment_project.pk), }, 'created_by': { 'id': str(entity_document.created_by.pk), 'first_name': entity_document.created_by.first_name, 'last_name': entity_document.created_by.last_name, 'name': entity_document.created_by.name, }, 'modified_by': None, 'tags': [{ 'id': str(tag.id), 'name': tag.name } for tag in sorted(entity_document.tags.all(), key=attrgetter('name'))], 'original_filename': 'test.txt', 'url': _get_document_url(entity_document), 'status': UPLOAD_STATUSES.virus_scanned, 'created_on': format_date_or_datetime(entity_document.created_on), 'modified_on': format_date_or_datetime(entity_document.modified_on), 'uploaded_on': format_date_or_datetime(entity_document.document.uploaded_on), }
def test_document_creation(self, get_signed_upload_url_mock, permissions, associated, allowed): """Test document creation.""" get_signed_upload_url_mock.return_value = 'http://document-about-ocelots' user = create_test_user(permission_codenames=permissions, dit_team=TeamFactory()) evidence_tags = EvidenceTagFactory.create_batch(2) investment_project = InvestmentProjectFactory() if associated: investment_project.created_by.dit_team = user.dit_team investment_project.created_by.save() url = reverse( 'api-v3:investment:evidence-document:document-collection', kwargs={ 'project_pk': investment_project.pk, }, ) api_client = self.create_api_client(user=user) response = api_client.post( url, data={ 'original_filename': 'test.txt', 'tags': [tag.pk for tag in evidence_tags], }, ) response_data = response.json() if not allowed: assert response.status_code == status.HTTP_403_FORBIDDEN assert response_data == { 'detail': 'You do not have permission to perform this action.', } return assert response.status_code == status.HTTP_201_CREATED entity_document = EvidenceDocument.objects.get(pk=response_data['id']) assert entity_document.original_filename == 'test.txt' assert entity_document.investment_project.pk == investment_project.pk assert 'tags' in response_data response_data['tags'] = sorted(response_data['tags'], key=itemgetter('name')) assert response_data == { 'id': str(entity_document.pk), 'av_clean': None, 'comment': entity_document.comment, 'investment_project': { 'name': entity_document.investment_project.name, 'project_code': entity_document.investment_project.project_code, 'id': str(entity_document.investment_project.pk), }, 'created_by': { 'id': str(entity_document.created_by.pk), 'first_name': entity_document.created_by.first_name, 'last_name': entity_document.created_by.last_name, 'name': entity_document.created_by.name, }, 'modified_by': None, 'tags': [{ 'id': str(tag.id), 'name': tag.name } for tag in sorted(entity_document.tags.all(), key=attrgetter('name'))], 'original_filename': 'test.txt', 'url': _get_document_url(entity_document), 'status': UPLOAD_STATUSES.not_virus_scanned, 'signed_upload_url': 'http://document-about-ocelots', 'created_on': format_date_or_datetime(entity_document.created_on), 'modified_on': format_date_or_datetime(entity_document.modified_on), 'uploaded_on': format_date_or_datetime(entity_document.document.uploaded_on), }
def ist_adviser(): """Provides IST adviser.""" team = TeamFactory(tags=[Team.TAGS.investment_services_team]) yield AdviserFactory(dit_team_id=team.id)
def test_document_download( self, sign_s3_url, permissions, associated, allowed, av_clean, expected_status, ): """Tests download of individual document.""" sign_s3_url.return_value = 'http://what' user = create_test_user(permission_codenames=permissions, dit_team=TeamFactory()) entity_document = create_evidence_document(user, associated=associated) entity_document.document.mark_as_scanned(av_clean, '') url = reverse( 'api-v3:investment:evidence-document:document-item-download', kwargs={ 'project_pk': entity_document.investment_project.pk, 'entity_document_pk': entity_document.pk, }, ) api_client = self.create_api_client(user=user) response = api_client.get(url) response_data = response.json() if not allowed: assert response.status_code == status.HTTP_403_FORBIDDEN assert response_data == { 'detail': 'You do not have permission to perform this action.', } return assert response.status_code == expected_status if response.status_code == status.HTTP_200_OK: assert 'tags' in response_data response_data['tags'] = sorted(response_data['tags'], key=itemgetter('name')) assert response_data == { 'id': str(entity_document.pk), 'av_clean': True, 'comment': entity_document.comment, 'investment_project': { 'name': entity_document.investment_project.name, 'project_code': entity_document.investment_project.project_code, 'id': str(entity_document.investment_project.pk), }, 'created_by': { 'id': str(entity_document.created_by.pk), 'first_name': entity_document.created_by.first_name, 'last_name': entity_document.created_by.last_name, 'name': entity_document.created_by.name, }, 'modified_by': None, 'tags': [{ 'id': str(tag.id), 'name': tag.name } for tag in sorted(entity_document.tags.all(), key=attrgetter('name'))], 'original_filename': 'test.txt', 'url': _get_document_url(entity_document), 'status': UploadStatus.VIRUS_SCANNED, 'created_on': format_date_or_datetime(entity_document.created_on), 'modified_on': format_date_or_datetime(entity_document.modified_on), 'uploaded_on': format_date_or_datetime(entity_document.document.uploaded_on), 'document_url': 'http://what', }
def ist_adviser(): """Provides IST adviser.""" team = TeamFactory(tags=[Team.Tag.INVESTMENT_SERVICES_TEAM]) yield AdviserFactory(dit_team_id=team.id)