1import tempfile
3from pydal import DAL
4import uuid
5import pytest
6import dotmap
8from src.edwh_auth_rbac.model import define_auth_rbac_model
9from src.edwh_auth_rbac.rbac import AuthRbac
10from src.edwh_auth_rbac.migrations import rbac_migrations
# Fixed UUID namespace for this test module; not referenced by the visible tests.
namespace = uuid.UUID(hex='84f5c757-4be0-49c8-a3ba-4f4d79167839')
@pytest.fixture(scope="module")
def tmpdir():
    """Yield a module-scoped scratch directory that holds the test sqlite file.

    NOTE(review): this overrides pytest's built-in, function-scoped ``tmpdir``
    fixture for this module; the module scope is what lets every connection
    opened by ``database`` land in the same directory.
    """
    scratch = tempfile.TemporaryDirectory()
    print('new tempdir')
    try:
        yield scratch.name
    finally:
        # same teardown the context-manager form performs on exit
        scratch.cleanup()
@pytest.fixture(scope="module")
def database(tmpdir):
    """Return a reusable context manager around the test sqlite database.

    Each ``with database as db`` opens a fresh DAL connection on
    ``auth_rbac.sqlite`` inside ``tmpdir``, (re)defines the RBAC model with
    'user' and 'group' as the only allowed identity types, runs the RBAC
    migrations, and closes that connection on exit. Keeping the file in a
    throw-away directory is what makes the ``@test.nl`` sweep in the first
    test safe to run.
    """
    folder = tmpdir

    class Database:
        def __enter__(self):
            connection = DAL('sqlite://auth_rbac.sqlite', folder=folder)
            define_auth_rbac_model(connection, {'allowed_types': ['user', 'group']})
            rbac_migrations(connection)
            self.db = connection
            return connection

        def __exit__(self, exc_type, exc_value, traceback):
            self.db.close()

    return Database()
@pytest.fixture(scope="module")
def rbac(database):
    """Yield one AuthRbac bound to a connection that stays open for the whole module.

    The connection comes from ``database`` and is closed by its ``__exit__``
    at module teardown, after the last test has run.
    """
    with database as db:
        api = AuthRbac(db)
        yield api
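@pytest.fixture(scope="module")
def store(_=None):
    """Return a DotMap shared by the ordered tests in this module.

    The tests stash the object ids of the identities they create here so
    later steps can refer to them. The map is created per fixture
    instantiation instead of living in a mutable default argument, so state
    cannot leak between instantiations of the fixture (e.g. on a re-run);
    passing ``_`` explicitly still injects a pre-built map.
    """
    shared = dotmap.DotMap() if _ is None else _
    print('store', shared)
    return shared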
@pytest.mark.incremental
class TestSequentially:
    """Ordered scenario exercising AuthRbac end to end.

    The tests run in file order (``incremental``): each step builds on the
    identities, memberships and permissions created by the one before, and
    ``store`` carries their object ids between steps. Every identity uses an
    ``@test.nl`` address so the first step can sweep leftovers from an
    earlier run; the sqlite file itself lives in a temporary directory.
    """

    def test_drop_all_test_users(self, database):
        """Sweep every ``@test.nl`` identity together with its memberships and permissions."""
        with database as db:
            is_test_identity = db.identity.email.contains('@test.nl')
            leftovers = db(is_test_identity).select()
            db(is_test_identity).delete()
            for row in leftovers:
                oid = row.object_id
                # memberships where the identity is on either side of the relation
                db((db.membership.member_of == oid) | (db.membership.subject == oid)).delete()
                # permissions granted to, or granted on, the identity
                db((db.permission.identity_object_id == oid)
                   | (db.permission.target_object_id == oid)).delete()
            db.commit()
            assert db(is_test_identity).count() == 0, 'Howcome @test.nl still exist?'

    def test_user_creation(self, rbac, store):
        """Create three ordinary users (password 'secret') and keep their object ids."""
        for handle in ('remco', 'pietje', 'truus'):
            created = rbac.add_user(f'{handle}@test.nl', handle, f'{handle} test', 'secret', [])
            store[handle] = created['object_id']

    def test_group_creation(self, rbac, store):
        """Create the four top-level groups used by the scenario."""
        for handle in ('articles', 'all', 'users', 'admins'):
            created = rbac.add_group(f'{handle}@test.nl', handle, [])
            store[handle] = created['object_id']

    def test_item_creation(self, rbac, store):
        """Model articles a..e as empty-password user identities so they can be permission targets."""
        for name in 'abcde':
            created = rbac.add_user(f'article_{name}@test.nl', name, 'article', '', [])
            store[name] = created['object_id']

    def test_stash_users_in_groups(self, rbac, store):
        """Build the hierarchy remco -> admins -> all and pietje/truus -> users -> all."""
        memberships = (
            (store.remco, store.admins),
            (store.pietje, store.users),
            (store.truus, store.users),
            (store.users, store.all),
            (store.admins, store.all),
        )
        for member, group in memberships:
            rbac.add_membership(member, group)

    def test_stash_items_in_groups(self, rbac, store):
        """Put articles a..e into the ``articles`` group."""
        for name in 'abcde':
            rbac.add_membership(store[name], store.articles)

    def test_add_some_permissions(self, rbac, store):
        """Grant admins read+write and users read on the ``articles`` group."""
        grants = (
            (store.admins, 'read'),
            (store.admins, 'write'),
            (store.users, 'read'),
        )
        for identity, action in grants:
            rbac.add_permission(identity, store.articles, action)

    def test_first_level_memberships(self, rbac, store):
        """Direct memberships are reported; membership of a sibling group is not."""
        expectations = (
            (store.remco, store.admins, True),
            (store.pietje, store.users, True),
            (store.remco, store.users, False),
            (store.pietje, store.admins, False),
        )
        for member, group, expected in expectations:
            # strict identity check: the API is expected to return real booleans
            assert rbac.has_membership(member, group) is expected

    def test_second_level_memberships(self, rbac, store):
        """Membership is transitive through one intermediate group."""
        for member in (store.remco, store.pietje):
            assert rbac.has_membership(member, store.all) is True

    def test_first_level_permissions(self, rbac, store):
        """Permissions granted directly to a group are visible on that group."""
        checks = (
            (store.admins, 'read', True),
            (store.admins, 'write', True),
            (store.users, 'read', True),
            (store.users, 'write', False),
        )
        for identity, action, expected in checks:
            assert rbac.has_permission(identity, store.articles, action) is expected

    def test_second_to_first_level_permissions(self, rbac, store):
        """Users inherit the permissions of the groups they belong to."""
        checks = (
            (store.remco, 'read', True),
            (store.remco, 'write', True),
            (store.pietje, 'read', True),
            (store.pietje, 'write', False),
        )
        for identity, action, expected in checks:
            assert rbac.has_permission(identity, store.articles, action) is expected

    def test_second_to_second_level_permissions(self, rbac, store):
        """Inherited permissions also reach members of the target group (article a)."""
        checks = (
            (store.remco, 'read', True),
            (store.remco, 'write', True),
            (store.pietje, 'read', True),
            (store.pietje, 'write', False),
        )
        for identity, action, expected in checks:
            assert rbac.has_permission(identity, store.a, action) is expected

    def test_deeper_group_nesting(self, rbac, store):
        """A user in a sub-group of admins can read an article in a sub-group of articles."""
        store.subadmins = rbac.add_group('sub_admins@test.nl', 'subadmins', [])['object_id']
        store.subarticles = rbac.add_group('sub_articles@test.nl', 'subarticles', [])['object_id']
        rbac.add_membership(store.subarticles, store.articles)
        rbac.add_membership(store.subadmins, store.admins)
        nested = rbac.add_user('nested_admin@test.nl', 'nested_admin', 'nested_admin test', 'secret', [])
        store.nested_admin = nested['object_id']
        rbac.add_membership(store.nested_admin, store.subadmins)
        for name in 'stuvw':
            article = rbac.add_user(f'article_{name}@test.nl', name, 'subarticle', '', [])
            store[name] = article['object_id']
            rbac.add_membership(store[name], store.subarticles)
        assert rbac.has_permission(store.nested_admin, store.s, 'read') is True

    def test_removing_a_nested_group(self, rbac, store):
        """Dropping the sub-group membership revokes the inherited permission; no stale grant survives."""
        rbac.remove_membership(store.nested_admin, store.subadmins)
        assert rbac.has_permission(store.nested_admin, store.s, 'read') is False