test: decorator behavior

RHINENG-13409
RedHatInsights · Oct 8, 2024 · f3b4226 · f3b4226
1 parent bc49e63
commit f3b4226
Showing 1 changed file with 52 additions and 0 deletions.
diff --git a/tests/manager_tests/test_rbac_manager.py b/tests/manager_tests/test_rbac_manager.py
@@ -2,6 +2,8 @@
 """
 Unit tests for RBAC manager.
 """
+import uuid
+
 import pytest
 import requests
 from connexion import context
@@ -239,6 +241,13 @@ def _mock_get(*_, **__):
         perms, _ = rbac_mng.fetch_permissions(0)
         monkeypatch.setattr(context, "context", {"user": {}})
         context.context["user"]["rbac_perms"] = perms
+        context.context["user"]["identity_type"] = "User"
+
+    def _prepare_system_permissions(self, monkeypatch, status_code=200):
+        monkeypatch.setattr(context, "context", {"user": {}})
+        context.context["user"]["rbac_perms"] = []
+        context.context["user"]["identity_type"] = "System"
+        context.context["user"]["system_cn"] = uuid.UUID("00000000-0000-0000-0000-000000000000")
 
     def test_fetch_permissions(self, monkeypatch):
         """Test permission fetching and parsing"""
@@ -563,3 +572,46 @@ def test_handler(*_, **kwargs):
         res = test_handler(excluded=[True, False])
         # user does have opt_out:read perms, systems need to be original value
         assert res["excluded"] == [True, False]
+
+    def test_system_cert_auth(self, monkeypatch):
+        """Test using system authentication on endpoint"""
+        rbac_mng = RbacManager()
+        self._prepare_system_permissions(monkeypatch)
+
+        @rbac_mng.need_permissions(
+            [[RbacPermission(RbacApp.VULNERABILITY, RbacResource.CVE_BUSINESS_RISK_AND_STATUS, RbacAction.READ)]], allow_system_auth=False
+        )
+        def test_no_systemauth():
+            return True
+
+        # endpoint doesn't allow system auth, return 403
+        res = test_no_systemauth()
+        assert res[1] == 403  # pylint:disable=unsubscriptable-object
+
+        @rbac_mng.need_permissions(
+            [[RbacPermission(RbacApp.VULNERABILITY, RbacResource.CVE_BUSINESS_RISK_AND_STATUS, RbacAction.READ)]], allow_system_auth=True
+        )
+        def test_allowed_systemauth():
+            return True
+
+        # endpoint allows system auth
+        res = test_allowed_systemauth()
+        assert res is True
+
+        @rbac_mng.need_permissions(
+            [[RbacPermission(RbacApp.VULNERABILITY, RbacResource.CVE_BUSINESS_RISK_AND_STATUS, RbacAction.READ)]], allow_system_auth=True
+        )
+        def test_allowed_systemauth_inv_id(*_, **kwargs):
+            return True
+
+        # endpoint allows system auth, endpoint path contains same inventory_id as in identity
+        res = test_allowed_systemauth_inv_id(inventory_id="00000000-0000-0000-0000-000000000000")
+        assert res is True
+
+        # endpoint allows system auth, but endpoint path contains different inventory_id than in identity
+        res = test_allowed_systemauth_inv_id(inventory_id="00000000-0000-0000-0000-000000000001")
+        assert res[1] == 403  # pylint:disable=unsubscriptable-object
+
+        # endpoint allows system auth, but endpoint path contains invalid UUID
+        res = test_allowed_systemauth_inv_id(inventory_id="foo")
+        assert res[1] == 403  # pylint:disable=unsubscriptable-object