Skip to content

Commit

Permalink
Add Permissions integration tests (#1550)
Browse files Browse the repository at this point in the history
### Feature or Bugfix
- Feature: testing

### Detail
Implement tests for Permissions api calls (inside core/permissions) as
part of #1220

!Excludes updateSSMParameter mutation - I think it is unused

### Relates
- #1220

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
  • Loading branch information
dlpzx authored Sep 18, 2024
1 parent f683ecd commit 1570ed3
Show file tree
Hide file tree
Showing 2 changed files with 121 additions and 0 deletions.
64 changes: 64 additions & 0 deletions tests_new/integration_tests/core/permissions/queries.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,64 @@
# TODO: This file will be replaced by using the SDK directly
def update_group_tenant_permissions(client, group_uri, permissions=[]):
query = {
'operationName': 'updateGroupTenantPermissions',
'variables': {
'input': {
'groupUri': group_uri,
'permissions': permissions,
}
},
'query': """
mutation updateGroupTenantPermissions(
$input: UpdateGroupTenantPermissionsInput!
) {
updateGroupTenantPermissions(input: $input)
}
""",
}
response = client.query(query=query)
return response.data.updateGroupTenantPermissions


def list_tenant_permissions(client):
query = {
'operationName': 'listTenantPermissions',
'variables': {},
'query': """
query listTenantPermissions {
listTenantPermissions {
name
description
}
}
""",
}
response = client.query(query=query)
return response.data.listTenantPermissions


def list_tenant_groups(client, term=''):
query = {
'operationName': 'listTenantGroups',
'variables': {'filter': {'term': term}},
'query': """
query listTenantGroups($filter: GroupFilter) {
listTenantGroups(filter: $filter) {
count
page
pages
hasNext
hasPrevious
nodes {
groupUri
tenantPermissions {
name
description
}
}
}
}
""",
}
response = client.query(query=query)
return response.data.listTenantGroups
57 changes: 57 additions & 0 deletions tests_new/integration_tests/core/permissions/test_permissions.py
Original file line number Diff line number Diff line change
@@ -0,0 +1,57 @@
from assertpy import assert_that

from integration_tests.core.permissions.queries import (
update_group_tenant_permissions,
list_tenant_permissions,
list_tenant_groups,
)
from integration_tests.errors import GqlError


def test_list_tenant_permissions(clientTenant):
response = list_tenant_permissions(clientTenant)
assert_that(response).is_not_empty()
assert_that(len(response)).is_greater_than_or_equal_to(3)
assert_that(response).does_not_contain([None, '', False])
assert_that([p.name for p in response]).does_not_contain([None, '', False])


def test_list_tenant_permissions_unauthorized(client1):
assert_that(list_tenant_permissions).raises(GqlError).when_called_with(client1).contains(
'UnauthorizedOperation', 'LIST_TENANT_TEAM_PERMISSIONS'
)


def test_list_tenant_groups(clientTenant):
response = list_tenant_groups(clientTenant)
assert_that(response.count).is_greater_than_or_equal_to(4)
assert_that(response.nodes).is_not_empty()
assert_that(response.nodes[0]).contains_key('tenantPermissions')
## Testing admin group DAAdministrators exists
admin_group = next(group for group in response.nodes if group.groupUri == 'DHAdmins')
assert_that(admin_group).contains_key('tenantPermissions')


def test_list_tenant_groups_unauthorized(client1):
assert_that(list_tenant_groups).raises(GqlError).when_called_with(client1).contains(
'UnauthorizedOperation', 'LIST_TENANT_TEAMS'
)


def test_update_group_tenant_permissions(clientTenant, group1):
# get group with permissions
response = list_tenant_groups(clientTenant, term=group1)
assert_that(response.count).is_equal_to(1)
assert_that(len(response.nodes[0].tenantPermissions)).is_greater_than_or_equal_to(1)
group1_perms = [p.name for p in response.nodes[0].tenantPermissions]
# update permissions
response = update_group_tenant_permissions(clientTenant, group1, group1_perms[:-1])
assert_that(response).is_true()
# check permissions were updated
response = list_tenant_groups(clientTenant, term=group1)
assert_that(response.count).is_equal_to(1)
group1_p_updated = response.nodes[0]
assert_that(len(group1_p_updated.tenantPermissions)).is_equal_to(len(group1_perms) - 1)
assert_that(group1_p_updated.tenantPermissions).does_not_contain(group1_perms[-1])
# update permissions back to initial state
update_group_tenant_permissions(clientTenant, group1, group1_perms)

0 comments on commit 1570ed3

Please sign in to comment.