Merge pull request #4261 from alphagov/refactor-permissions-tests

Refactor permissions tests
This commit is contained in:
Chris Hill-Scott
2022-06-06 16:05:04 +01:00
committed by GitHub

View File

@@ -1,152 +1,85 @@
import pytest
from flask import request
from werkzeug.exceptions import Forbidden, Unauthorized
from werkzeug.exceptions import Forbidden
from app.main.views.index import index
from app.utils.user import user_has_permissions
def _test_permissions(
@pytest.mark.parametrize('permissions', (
pytest.param([
# Route has a permission which the user doesnt have
'send_messages'
], marks=pytest.mark.xfail(raises=Forbidden)),
[
# Route has one of the permissions which the user has
'manage_service'
],
[
# Route has more than one of the permissions which the user has
'manage_templates', 'manage_service'
],
[
# Route has one of the permissions which the user has, and one they do not
'manage_service', 'send_messages',
],
[
# Route has no specific permissions required
],
))
def test_permissions(
client_request,
usr,
permissions,
will_succeed,
kwargs=None,
api_user_active,
):
request.view_args.update({'service_id': 'foo'})
if usr:
client_request.login(usr)
decorator = user_has_permissions(*permissions, **(kwargs or {}))
decorated_index = decorator(index)
api_user_active['permissions'] = {'foo': ['manage_users', 'manage_templates', 'manage_settings']}
api_user_active['services'] = ['foo', 'bar']
if will_succeed:
decorated_index()
else:
try:
response = decorated_index()
if not (
response.location.startswith('/sign-in?next=') and
response.status_code == 302
):
pytest.fail("Failed to throw a forbidden or unauthorised exception")
except (Forbidden, Unauthorized):
pass
client_request.login(api_user_active)
@user_has_permissions(*permissions)
def index():
pass
index()
def test_user_has_permissions_on_endpoint_fail(
client_request,
mocker,
mock_get_service,
):
user = _user_with_permissions()
mocker.patch('app.user_api_client.get_user', return_value=user)
_test_permissions(
client_request,
user,
['send_messages'],
will_succeed=False)
def test_user_has_permissions_success(
client_request,
mocker,
):
user = _user_with_permissions()
mocker.patch('app.user_api_client.get_user', return_value=user)
_test_permissions(
client_request,
user,
['manage_service'],
will_succeed=True)
def test_user_has_permissions_or(
client_request,
mocker,
):
user = _user_with_permissions()
mocker.patch('app.user_api_client.get_user', return_value=user)
_test_permissions(
client_request,
user,
['send_messages', 'manage_service'],
will_succeed=True)
def test_user_has_permissions_multiple(
client_request,
mocker,
):
user = _user_with_permissions()
mocker.patch('app.user_api_client.get_user', return_value=user)
_test_permissions(
client_request,
user,
['manage_templates', 'manage_service'],
will_succeed=True)
def test_exact_permissions(
client_request,
mocker,
):
user = _user_with_permissions()
mocker.patch('app.user_api_client.get_user', return_value=user)
_test_permissions(
client_request,
user,
['manage_service', 'manage_templates'],
will_succeed=True)
def test_platform_admin_user_can_access_page_that_has_no_permissions(
def test_restrict_admin_usage(
client_request,
platform_admin_user,
mocker,
):
mocker.patch('app.user_api_client.get_user', return_value=platform_admin_user)
_test_permissions(
client_request,
platform_admin_user,
[],
will_succeed=True)
request.view_args.update({'service_id': 'foo'})
client_request.login(platform_admin_user)
@user_has_permissions(restrict_admin_usage=True)
def index():
pass
with pytest.raises(Forbidden):
index()
def test_platform_admin_user_can_not_access_page(
client_request,
platform_admin_user,
mocker,
mock_get_service,
):
mocker.patch('app.user_api_client.get_user', return_value=platform_admin_user)
_test_permissions(
client_request,
platform_admin_user,
[],
will_succeed=False,
kwargs={'restrict_admin_usage': True})
def test_no_user_returns_401_unauth(
def test_no_user_returns_redirect_to_sign_in(
client_request
):
client_request.logout()
_test_permissions(
client_request,
None,
[],
will_succeed=False)
@user_has_permissions()
def index():
pass
response = index()
assert response.status_code == 302
assert response.location.startswith('/sign-in?next=')
def test_user_has_permissions_for_organisation(
client_request,
mocker,
api_user_active,
):
user = _user_with_permissions()
user['organisations'] = ['org_1', 'org_2']
mocker.patch('app.user_api_client.get_user', return_value=user)
client_request.login(user)
api_user_active['organisations'] = ['org_1', 'org_2']
client_request.login(api_user_active)
request.view_args = {'org_id': 'org_2'}
@@ -160,10 +93,8 @@ def test_user_has_permissions_for_organisation(
def test_platform_admin_can_see_orgs_they_dont_have(
client_request,
platform_admin_user,
mocker,
):
platform_admin_user['organisations'] = []
mocker.patch('app.user_api_client.get_user', return_value=platform_admin_user)
client_request.login(platform_admin_user)
request.view_args = {'org_id': 'org_2'}
@@ -178,9 +109,7 @@ def test_platform_admin_can_see_orgs_they_dont_have(
def test_cant_use_decorator_without_view_args(
client_request,
platform_admin_user,
mocker,
):
mocker.patch('app.user_api_client.get_user', return_value=platform_admin_user)
client_request.login(platform_admin_user)
request.view_args = {}
@@ -195,12 +124,10 @@ def test_cant_use_decorator_without_view_args(
def test_user_doesnt_have_permissions_for_organisation(
client_request,
mocker,
api_user_active,
):
user = _user_with_permissions()
user['organisations'] = ['org_1', 'org_2']
mocker.patch('app.user_api_client.get_user', return_value=user)
client_request.login(user)
api_user_active['organisations'] = ['org_1', 'org_2']
client_request.login(api_user_active)
request.view_args = {'org_id': 'org_3'}
@@ -213,12 +140,12 @@ def test_user_doesnt_have_permissions_for_organisation(
def test_user_with_no_permissions_to_service_goes_to_templates(
client_request,
mocker
client_request,
api_user_active,
):
user = _user_with_permissions()
mocker.patch('app.user_api_client.get_user', return_value=user)
client_request.login(user)
api_user_active['permissions'] = {'foo': ['manage_users', 'manage_templates', 'manage_settings']}
api_user_active['services'] = ['foo', 'bar']
client_request.login(api_user_active)
request.view_args = {'service_id': 'bar'}
@user_has_permissions()
@@ -226,20 +153,3 @@ def test_user_with_no_permissions_to_service_goes_to_templates(
pass
index()
def _user_with_permissions():
user_data = {'id': 999,
'name': 'Test User',
'password': 'somepassword',
'email_address': 'test@user.gov.uk',
'mobile_number': '+4412341234',
'state': 'active',
'failed_login_count': 0,
'permissions': {'foo': ['manage_users', 'manage_templates', 'manage_settings']},
'platform_admin': False,
'organisations': ['org_1', 'org_2'],
'services': ['foo', 'bar'],
'current_session_id': None,
}
return user_data