def test_add_back_a_delete_bcros(client, jwt, session, keycloak_mock): """Assert different conditions of user deletion.""" org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model(user_info=TestUserInfo.user_bcros_active) factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) owner_claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) member = TestAnonymousMembership.generate_random_user(USER) membership = [ member, TestAnonymousMembership.generate_random_user(COORDINATOR) ] UserService.create_user_and_add_membership(membership, org.id, token_info=owner_claims) headers = factory_auth_header(jwt=jwt, claims=owner_claims) member_user_id = IdpHint.BCROS.value + '/' + member.get('username') rv = client.delete(f'/api/v1/users/{member_user_id}', headers=headers, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT kc_user = KeycloakService.get_user_by_username(member.get('username')) assert kc_user.enabled is False user_model = UserService.find_by_username(member_user_id) assert user_model.as_dict().get('user_status') == UserStatus.INACTIVE.value membership = MembershipModel.find_membership_by_userid( user_model.identifier) assert membership.status == Status.INACTIVE.value
def test_authorizations_with_multiple_accounts_returns_200(client, jwt, session): # pylint:disable=unused-argument """Assert authorizations for product returns 200.""" product_code = 'PPR' user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id) org2 = factory_org_model(org_info=TestOrgInfo.org2, org_type_info=TestOrgTypeInfo.implicit, org_status_info=None, payment_type_info=None) factory_membership_model(user.id, org.id) claims = copy.deepcopy(TestJwtClaims.public_user_role.value) claims['sub'] = str(user.keycloak_guid) headers = factory_auth_header(jwt=jwt, claims=claims) rv = client.get(f'/api/v1/accounts/{org2.id}/products/{product_code}/authorizations', headers=headers, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK assert schema_utils.validate(rv.json, 'account_response')[0] assert len(rv.json.get('roles')) == 0 headers = factory_auth_header(jwt=jwt, claims=claims) rv = client.get(f'/api/v1/accounts/{org.id}/products/{product_code}/authorizations', headers=headers, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK assert schema_utils.validate(rv.json, 'account_response')[0] len(rv.json.get('roles')) > 0
def test_create_user_and_add_membership_admin_bulk_mode_multiple( session, auth_mock, keycloak_mock, monkeypatch): # pylint:disable=unused-argument """Assert that an admin can add a group of members.""" org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) membership = [ TestAnonymousMembership.generate_random_user(USER), TestAnonymousMembership.generate_random_user(COORDINATOR) ] patch_token_info(claims, monkeypatch) users = UserService.create_user_and_add_membership(membership, org.id) assert len(users['users']) == 2 assert users['users'][0][ 'username'] == IdpHint.BCROS.value + '/' + membership[0]['username'] assert users['users'][0]['type'] == Role.ANONYMOUS_USER.name assert users['users'][1][ 'username'] == IdpHint.BCROS.value + '/' + membership[1]['username'] assert users['users'][1]['type'] == Role.ANONYMOUS_USER.name members = MembershipModel.find_members_by_org_id(org.id) # staff didnt create members..so count is count of owner+other 2 members assert len(members) == 3
def test_get_user_authorizations_for_entity_service_account(session, monkeypatch): """Assert that user authorizations for entity is working.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.BUSINESS.value) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test for service accounts with correct product code patch_token_info( {'loginSource': '', 'realm_access': {'roles': ['system']}, 'product_code': ProductCode.BUSINESS.value}, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity(entity.business_identifier) assert bool(authorization) is True assert authorization.get('orgMembership', None) == 'ADMIN' # Test for service accounts with wrong product code patch_token_info({'loginSource': '', 'realm_access': {'roles': ['system']}, 'product_code': 'INVALIDCP'}, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity(entity.business_identifier) assert bool(authorization) is False assert authorization.get('orgMembership', None) is None # Test for service accounts with no product code patch_token_info({'loginSource': '', 'realm_access': {'roles': ['system']}}, monkeypatch) authorization = Authorization.get_user_authorizations_for_entity(entity.business_identifier) assert bool(authorization) is False assert authorization.get('orgMembership', None) is None
def test_get_account_authorizations_for_product(session, monkeypatch): # pylint:disable=unused-argument """Assert that user authorizations for product is working.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) patch_token_info(TestJwtClaims.get_test_real_user(user.keycloak_guid), monkeypatch) authorization = Authorization.get_account_authorizations_for_product(org.id, 'PPR') assert authorization is not None assert len(authorization.get('roles')) == 0 # Now add some product subscription for the org patch_token_info(TestJwtClaims.get_test_real_user(user.keycloak_guid), monkeypatch) factory_product_model(org.id) authorization = Authorization.get_account_authorizations_for_product(org.id, 'PPR') assert authorization is not None assert len(authorization.get('roles')) > 0 # Create another org and assert that the roles are empty org = factory_org_model(org_info=TestOrgInfo.org2, org_type_info=TestOrgTypeInfo.implicit, org_status_info=None, payment_type_info=None) factory_membership_model(user.id, org.id) patch_token_info(TestJwtClaims.get_test_real_user(user.keycloak_guid), monkeypatch) authorization = Authorization.get_account_authorizations_for_product(org.id, 'PPR') assert authorization is not None assert len(authorization.get('roles')) == 0 factory_product_model(org.id) patch_token_info(TestJwtClaims.get_test_real_user(user.keycloak_guid), monkeypatch) authorization = Authorization.get_account_authorizations_for_product(org.id, 'PPR') assert authorization is not None assert len(authorization.get('roles')) > 0
def test_check_auth(session): # pylint:disable=unused-argument """Assert that check_auth is working as expected.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.BUSINESS.value) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test if staff admin can access to STAFF only method check_auth({'realm_access': {'roles': ['staff', 'create_accounts']}, 'sub': str(user.keycloak_guid)}, one_of_roles=[STAFF]) # Test for staff admin role to only STAFF check_auth({'realm_access': {'roles': ['staff', 'create_accounts']}, 'sub': str(user.keycloak_guid)}, equals_role=STAFF) # Test for staff role check_auth({'realm_access': {'roles': ['staff']}, 'sub': str(user.keycloak_guid), 'product_code': ProductCode.BUSINESS.value}, one_of_roles=[STAFF]) # Test for owner role check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid), 'product_code': ProductCode.BUSINESS.value}, one_of_roles=[ADMIN], business_identifier=entity.business_identifier) # Test for owner role with org id check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid), 'product_code': ProductCode.BUSINESS.value}, one_of_roles=[ADMIN], org_id=org.id) # Test for exception, check for auth if resource is available for STAFF users with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid)}, one_of_roles=[STAFF], business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is in disabled role list with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['staff']}, 'sub': str(user.keycloak_guid)}, disabled_roles=[STAFF], business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid)}, equals_role=USER, business_identifier=entity.business_identifier) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['public']}, 'sub': str(user.keycloak_guid)}, equals_role=USER, org_id=org.id) assert excinfo.exception.code == 403 # Test auth where STAFF role is exact match with pytest.raises(HTTPException) as excinfo: check_auth({'realm_access': {'roles': ['staff', 'create_accounts']}, 'sub': str(user.keycloak_guid)}, equals_role=USER, org_id=org.id) assert excinfo.exception.code == 403
def test_remove_member_removes_group_to_the_user(session, monkeypatch): # pylint:disable=unused-argument """Assert that accepting an invite adds group to the user.""" # Create a user in keycloak keycloak_service = KeycloakService() request = KeycloakScenario.create_user_request() keycloak_service.add_user(request, return_if_exists=True) kc_user = keycloak_service.get_user_by_username(request.user_name) user = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user.id)) # Patch token info def token_info(): # pylint: disable=unused-argument; mocks of library methods return { 'sub': str(kc_user.id), 'username': '******', 'realm_access': { 'roles': [ 'edit' ] }, 'product_code': ProductCode.BUSINESS.value } monkeypatch.setattr('auth_api.services.keycloak.KeycloakService._get_token_info', token_info) org = OrgService.create_org(TestOrgInfo.org1, user_id=user.id) # Create another user request = KeycloakScenario.create_user_request() keycloak_service.add_user(request, return_if_exists=True) kc_user2 = keycloak_service.get_user_by_username(request.user_name) user2 = factory_user_model(TestUserInfo.get_user_with_kc_guid(kc_guid=kc_user2.id)) # Add a membership to the user for the org created factory_membership_model(user2.id, org.as_dict().get('id'), member_type='COORDINATOR', member_status=4) # Add a product to org factory_product_model(org.as_dict().get('id'), product_code=ProductCode.BUSINESS.value) # Find the membership and update to ACTIVE membership = MembershipService.get_membership_for_org_and_user(org.as_dict().get('id'), user2.id) active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.ACTIVE.name) updated_fields = {'membership_status': active_membership_status} MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info()) user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS in groups # Find the membership and update to INACTIVE active_membership_status = MembershipStatusCodeModel.get_membership_status_by_code(Status.INACTIVE.name) updated_fields = {'membership_status': active_membership_status} MembershipService(membership).update_membership(updated_fields=updated_fields, token_info=token_info()) user_groups = keycloak_service.get_user_groups(user_id=kc_user2.id) groups = [] for group in user_groups: groups.append(group.get('name')) assert GROUP_ACCOUNT_HOLDERS not in groups
def test_create_user_add_membership_reenable(session, auth_mock, keycloak_mock, monkeypatch): # pylint:disable=unused-argument """Assert that an admin can add a member.""" org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) patch_token_info(claims, monkeypatch) anon_member = TestAnonymousMembership.generate_random_user(USER) membership = [anon_member] users = UserService.create_user_and_add_membership(membership, org.id) user_name = IdpHint.BCROS.value + '/' + membership[0]['username'] assert len(users['users']) == 1 assert users['users'][0]['username'] == user_name assert users['users'][0]['type'] == Role.ANONYMOUS_USER.name members = MembershipModel.find_members_by_org_id(org.id) # staff didnt create members..so count is count of owner+other 1 member assert len(members) == 2 # assert cant be readded users = UserService.create_user_and_add_membership(membership, org.id) assert users['users'][0]['http_status'] == 409 assert users['users'][0]['error'] == 'The username is already taken' # deactivate everything and try again anon_user = UserModel.find_by_username(user_name) anon_user.status = Status.INACTIVE.value anon_user.save() membership_model = MembershipModel.find_membership_by_userid(anon_user.id) membership_model.status = Status.INACTIVE.value update_user_request = KeycloakUser() update_user_request.user_name = membership[0]['username'] update_user_request.enabled = False KeycloakService.update_user(update_user_request) org2 = factory_org_model(org_info=TestOrgInfo.org_anonymous_2, org_type_info={'code': 'BASIC'}, org_status_info=None, payment_type_info=None) factory_membership_model(user.id, org2.id) factory_product_model(org2.id, product_code=ProductCode.DIR_SEARCH.value) users = UserService.create_user_and_add_membership(membership, org2.id) assert users['users'][0]['http_status'] == 409 assert users['users'][0]['error'] == 'The username is already taken' # add to same org.Should work users = UserService.create_user_and_add_membership(membership, org.id) assert len(users['users']) == 1 assert users['users'][0][ 'username'] == IdpHint.BCROS.value + '/' + membership[0]['username'] assert users['users'][0]['type'] == Role.ANONYMOUS_USER.name
def test_reset_password(client, jwt, session, keycloak_mock): # pylint:disable=unused-argument """Assert that an anonymous admin can be Patched.""" org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model(user_info=TestUserInfo.user_bcros_active) factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) owner_claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) member = TestAnonymousMembership.generate_random_user(USER) admin = TestAnonymousMembership.generate_random_user(COORDINATOR) membership = [member, admin] UserService.create_user_and_add_membership(membership, org.id, token_info=owner_claims) owner_headers = factory_auth_header(jwt=jwt, claims=owner_claims) member_username = IdpHint.BCROS.value + '/' + member['username'] admin_username = IdpHint.BCROS.value + '/' + admin['username'] admin_claims = TestJwtClaims.get_test_real_user( uuid.uuid4(), admin_username, access_ype=AccessType.ANONYMOUS.value) admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims) member_claims = TestJwtClaims.get_test_real_user( uuid.uuid4(), member_username, access_ype=AccessType.ANONYMOUS.value) member_headers = factory_auth_header(jwt=jwt, claims=member_claims) # set up JWTS for member and admin client.post('/api/v1/users', headers=admin_headers, content_type='application/json') client.post('/api/v1/users', headers=member_headers, content_type='application/json') # reset password of admin by owner input_data = json.dumps({ 'username': admin_username, 'password': '******' }) rv = client.patch(f'/api/v1/users/{admin_username}', headers=owner_headers, data=input_data, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT # member cant reset password rv = client.patch(f'/api/v1/users/{admin_username}', headers=member_headers, data=input_data, content_type='application/json') assert rv.status_code == http_status.HTTP_403_FORBIDDEN # admin cant reset password rv = client.patch(f'/api/v1/users/{admin_username}', headers=admin_headers, data=input_data, content_type='application/json') assert rv.status_code == http_status.HTTP_403_FORBIDDEN
def test_check_auth_for_service_account_valid_with_org_id(session): # pylint:disable=unused-argument """Assert that check_auth is working as expected.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.BUSINESS.value) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) # Test for service account with CP corp type check_auth({'realm_access': {'roles': ['system']}, 'product_code': ProductCode.BUSINESS.value}, org_id=org.id)
def test_find_user_authorization_by_business_number_product(session): # pylint:disable=unused-argument """Assert that authorization view is returning result.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) entity = factory_entity_model() factory_affiliation_model(entity.id, org.id) authorization = Authorization.find_user_authorization_by_business_number_and_product( entity.business_identifier, ProductCode.DIR_SEARCH.value) assert authorization is not None assert authorization.product_code == ProductCode.DIR_SEARCH.value
def test_reset_password_by_member(session, auth_mock, keycloak_mock): # pylint:disable=unused-argument """Assert that the password cant be changed by member.""" org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) admin_claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) membership = [TestAnonymousMembership.generate_random_user(USER)] users = UserService.create_user_and_add_membership(membership, org.id, token_info=admin_claims) user_name = users['users'][0]['username'] user_info = {'username': user_name, 'password': '******'} with pytest.raises(HTTPException) as excinfo: UserService.reset_password_for_anon_user(user_info, user_name, token_info=TestJwtClaims.public_user_role) assert excinfo.exception.code == 403
def test_reset_password(session, auth_mock, keycloak_mock): # pylint:disable=unused-argument """Assert that the password can be changed.""" org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model() factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) membership = [TestAnonymousMembership.generate_random_user(USER)] users = UserService.create_user_and_add_membership(membership, org.id, token_info=claims) user_name = users['users'][0]['username'] user_info = {'username': user_name, 'password': '******'} kc_user = UserService.reset_password_for_anon_user(user_info, user_name, claims) # cant assert anything else since password wont be gotten back assert kc_user.user_name == user_name.replace(f'{IdpHint.BCROS.value}/', '').lower()
def test_create_task_product(session, keycloak_mock): # pylint:disable=unused-argument """Assert that a task can be created.""" user = factory_user_model() test_org = factory_org_model() test_product = factory_product_model(org_id=test_org.id) product: ProductCodeModel = ProductCodeModel.find_by_code( test_product.product_code) test_task_info = { 'name': test_org.name, 'relationshipId': test_product.id, 'relatedTo': user.id, 'dateSubmitted': datetime.today(), 'relationshipType': TaskRelationshipType.PRODUCT.value, 'type': product.description, 'status': [TaskStatus.OPEN.value], 'accountId': test_org.id, 'relationship_status': TaskRelationshipStatus.PENDING_STAFF_REVIEW.value } task = TaskService.create_task(test_task_info) assert task dictionary = task.as_dict() assert dictionary['name'] == test_task_info['name'] assert dictionary['account_id'] == test_org.id assert dictionary[ 'relationship_type'] == TaskRelationshipType.PRODUCT.value
def test_authorizations_for_account_with_search_returns_200(client, jwt, session): # pylint:disable=unused-argument """Assert authorizations for product returns 200.""" product_code = 'PPR' user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id) claims = copy.deepcopy(TestJwtClaims.public_user_role.value) claims['sub'] = str(user.keycloak_guid) headers = factory_auth_header(jwt=jwt, claims=claims) rv = client.get(f'/api/v1/accounts/{org.id}/products/{product_code}/authorizations', headers=headers, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK assert rv.json.get('roles') == ['search']
def test_authorizations_for_extended_returns_200(app, client, jwt, session): # pylint:disable=unused-argument """Assert authorizations for product returns 200.""" product_code = 'PPR' user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) factory_product_model(org.id) claims = copy.deepcopy(TestJwtClaims.public_user_role.value) claims['sub'] = str(user.keycloak_guid) headers = factory_auth_header(jwt=jwt, claims=claims) rv = client.get(f'/api/v1/accounts/{org.id}/products/{product_code}/authorizations?expanded=true', headers=headers, content_type='application/json') assert rv.status_code == http_status.HTTP_200_OK assert schema_utils.validate(rv.json, 'account_response')[0] assert len(rv.json.get('roles')) > 0 assert rv.json.get('account').get('name') == org.name
def test_get_account_authorizations_for_product(session): # pylint:disable=unused-argument """Assert that user authorizations for product is working.""" user = factory_user_model() org = factory_org_model() factory_membership_model(user.id, org.id) authorization = Authorization.get_account_authorizations_for_product( str(user.keycloak_guid), org.id, 'PPR') assert authorization is not None assert len(authorization.get('roles')) == 0 # Now add some product subscription for the org factory_product_model(org.id) authorization = Authorization.get_account_authorizations_for_product( str(user.keycloak_guid), org.id, 'PPR') assert authorization is not None assert len(authorization.get('roles')) == 1 assert authorization.get('roles')[0] == 'search' # Create another org and assert that the roles are empty org = factory_org_model(org_info=TestOrgInfo.org2, org_type_info=TestOrgTypeInfo.implicit, org_status_info=None, payment_type_info=None) factory_membership_model(user.id, org.id) authorization = Authorization.get_account_authorizations_for_product( str(user.keycloak_guid), org.id, 'PPR') assert authorization is not None assert len(authorization.get('roles')) == 0 factory_product_model(org.id, product_role_codes=['search', 'register']) authorization = Authorization.get_account_authorizations_for_product( str(user.keycloak_guid), org.id, 'PPR') assert authorization is not None assert len(authorization.get('roles')) == 2 assert 'search' in authorization.get('roles') assert 'register' in authorization.get('roles')
def test_delete_bcros_valdiations(client, jwt, session, keycloak_mock, monkeypatch): """Assert different conditions of user deletion.""" admin_user = TestUserInfo.user_bcros_active org = factory_org_model(org_info=TestOrgInfo.org_anonymous) user = factory_user_model(user_info=TestUserInfo.user_bcros_active) factory_membership_model(user.id, org.id) factory_product_model(org.id, product_code=ProductCode.DIR_SEARCH.value) owner_claims = TestJwtClaims.get_test_real_user(user.keycloak_guid) patch_token_info(owner_claims, monkeypatch) member = TestAnonymousMembership.generate_random_user(USER) admin = TestAnonymousMembership.generate_random_user(COORDINATOR) membership = [member, admin] UserService.create_user_and_add_membership(membership, org.id) owner_headers = factory_auth_header(jwt=jwt, claims=owner_claims) member_username = IdpHint.BCROS.value + '/' + member['username'] admin_username = IdpHint.BCROS.value + '/' + admin['username'] admin_claims = TestJwtClaims.get_test_real_user(uuid.uuid4(), admin_username, access_ype=AccessType.ANONYMOUS.value, roles=[Role.ANONYMOUS_USER.value]) admin_headers = factory_auth_header(jwt=jwt, claims=admin_claims) member_claims = TestJwtClaims.get_test_real_user(uuid.uuid4(), member_username, access_ype=AccessType.ANONYMOUS.value, roles=[Role.ANONYMOUS_USER.value]) member_headers = factory_auth_header(jwt=jwt, claims=member_claims) # set up JWTS for member and admin patch_token_info(admin_claims, monkeypatch) client.post('/api/v1/users', headers=admin_headers, content_type='application/json', data=json.dumps({'isLogin': True})) patch_token_info(member_claims, monkeypatch) client.post('/api/v1/users', headers=member_headers, content_type='application/json', data=json.dumps({'isLogin': True})) patch_token_info(owner_claims, monkeypatch) # delete only owner ;failure rv = client.delete(f"/api/v1/users/{admin_user['username']}", headers=owner_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # admin trying to delete member: Failure patch_token_info(admin_claims, monkeypatch) rv = client.delete(f'/api/v1/users/{member_username}', headers=admin_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # member delete admin: failure patch_token_info(member_claims, monkeypatch) rv = client.delete(f'/api/v1/users/{admin_username}', headers=member_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_401_UNAUTHORIZED # a self delete ;should work ;mimics leave team for anonymous user patch_token_info(member_claims, monkeypatch) rv = client.delete(f'/api/v1/users/{member_username}', headers=member_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT patch_token_info(admin_claims, monkeypatch) rv = client.delete(f'/api/v1/users/{admin_username}', headers=admin_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT # add one more admin patch_token_info(owner_claims, monkeypatch) new_owner = TestAnonymousMembership.generate_random_user(ADMIN) membership = [new_owner] UserService.create_user_and_add_membership(membership, org.id) patch_token_info(owner_claims, monkeypatch) rv = client.delete(f"/api/v1/users/{IdpHint.BCROS.value + '/' + new_owner['username']}", headers=owner_headers, content_type='application/json') assert rv.status_code == http_status.HTTP_204_NO_CONTENT