From f3b42265433b9e9cc9cecae62ba25a80c873677e Mon Sep 17 00:00:00 2001
From: Jan Dobes
Date: Tue, 8 Oct 2024 10:32:50 +0200
Subject: [PATCH] test: decorator behavior RHINENG-13409
---
 tests/manager_tests/test_rbac_manager.py | 52 ++++++++++++++++++++++++
 1 file changed, 52 insertions(+)
diff --git a/tests/manager_tests/test_rbac_manager.py b/tests/manager_tests/test_rbac_manager.py
index c2bc74c75..02fe06cea 100644
--- a/tests/manager_tests/test_rbac_manager.py
+++ b/tests/manager_tests/test_rbac_manager.py
@@ -2,6 +2,8 @@
 """
 Unit tests for RBAC manager.
 """
+import uuid
+
 import pytest
 import requests
 from connexion import context
@@ -239,6 +241,13 @@ def _mock_get(*_, **__):
 perms, _ = rbac_mng.fetch_permissions(0)
 monkeypatch.setattr(context, "context", {"user": {}})
 context.context["user"]["rbac_perms"] = perms
+ context.context["user"]["identity_type"] = "User"
+
+ def _prepare_system_permissions(self, monkeypatch, status_code=200):
+ monkeypatch.setattr(context, "context", {"user": {}})
+ context.context["user"]["rbac_perms"] = []
+ context.context["user"]["identity_type"] = "System"
+ context.context["user"]["system_cn"] = uuid.UUID("00000000-0000-0000-0000-000000000000")

 def test_fetch_permissions(self, monkeypatch):
 """Test permission fetching and parsing"""
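Review bot: `status_code=200` on the new `_prepare_system_permissions` helper is never read in its body, and the only caller in this patch passes just `monkeypatch`; the signature can be `def _prepare_system_permissions(self, monkeypatch):`. The helper also has no docstring, and since it defines what a certificate-authenticated identity looks like for every later test, one line such as `"""Set request context to a System identity with no RBAC permissions and a fixed system_cn."""` would help. It stores `system_cn` as a `uuid.UUID` while the test passes `inventory_id` as a string; whether the real auth layer puts a `UUID` or a `str` in the context is not visible here, so confirm the fixture matches production or the comparison under test may differ from the one that runs in service.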
@@ -563,3 +572,46 @@ def test_handler(*_, **kwargs):
 res = test_handler(excluded=[True, False])
 # user does have opt_out:read perms, systems need to be original value
 assert res["excluded"] == [True, False]
+
+ def test_system_cert_auth(self, monkeypatch):
+ """Test using system authentication on endpoint"""
+ rbac_mng = RbacManager()
+ self._prepare_system_permissions(monkeypatch)
+
+ @rbac_mng.need_permissions(
+ [[RbacPermission(RbacApp.VULNERABILITY, RbacResource.CVE_BUSINESS_RISK_AND_STATUS, RbacAction.READ)]], allow_system_auth=False
+ )
+ def test_no_systemauth():
+ return True
+
+ # endpoint doesn't allow system auth, return 403
+ res = test_no_systemauth()
+ assert res[1] == 403 # pylint:disable=unsubscriptable-object
+
+ @rbac_mng.need_permissions(
+ [[RbacPermission(RbacApp.VULNERABILITY, RbacResource.CVE_BUSINESS_RISK_AND_STATUS, RbacAction.READ)]], allow_system_auth=True
+ )
+ def test_allowed_systemauth():
+ return True
+
+ # endpoint allows system auth
+ res = test_allowed_systemauth()
+ assert res is True
+
+ @rbac_mng.need_permissions(
+ [[RbacPermission(RbacApp.VULNERABILITY, RbacResource.CVE_BUSINESS_RISK_AND_STATUS, RbacAction.READ)]], allow_system_auth=True
+ )
+ def test_allowed_systemauth_inv_id(*_, **kwargs):
+ return True
+
+ # endpoint allows system auth, endpoint path contains same inventory_id as in identity
+ res = test_allowed_systemauth_inv_id(inventory_id="00000000-0000-0000-0000-000000000000")
+ assert res is True
+
+ # endpoint allows system auth, but endpoint path contains different inventory_id than in identity
+ res = test_allowed_systemauth_inv_id(inventory_id="00000000-0000-0000-0000-000000000001")
+ assert res[1] == 403 # pylint:disable=unsubscriptable-object
+
+ # endpoint allows system auth, but endpoint path contains invalid UUID
+ res = test_allowed_systemauth_inv_id(inventory_id="foo")
+ assert res[1] == 403 # pylint:disable=unsubscriptable-object
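Review bot: Every handler in `test_system_cert_auth` passes `allow_system_auth` explicitly, so nothing pins what a System identity gets when the keyword is omitted. If `need_permissions` has a default for it (not visible in this hunk), add one more handler decorated without the keyword and assert `res[1] == 403`, so that a later change of the default to permissive fails here. The `test_allowed_systemauth()` case also fixes as expected behaviour that a System identity with empty `rbac_perms` passes when the handler receives no `inventory_id`; a comment such as `# no inventory_id in the path: the system identity is not tied to a host on this endpoint` would show that this is intended. The five scenarios share one test function, so a failure in the first hides the rest; separate tests or `pytest.mark.parametrize` over `(allow_system_auth, inventory_id, expected)` would report them individually.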