From 1570ed3ffa24346fd6afe72955984a10c3da4ae7 Mon Sep 17 00:00:00 2001
From: Adriana Lopez Lopez <71252798+dlpzx@users.noreply.github.com>
Date: Wed, 18 Sep 2024 17:39:09 +0200
Subject: [PATCH] Add Permissions integration tests (#1550)

### Feature or Bugfix
- Feature: testing

### Detail
Implement tests for Permissions api calls (inside core/permissions) as
part of https://github.com/data-dot-all/dataall/issues/1220

!Excludes updateSSMParameter mutation - I think it is unused

### Relates
- https://github.com/data-dot-all/dataall/issues/1220

### Security
Please answer the questions below briefly where applicable, or write
`N/A`. Based on
[OWASP 10](https://owasp.org/Top10/en/).

- Does this PR introduce or modify any input fields or queries - this
includes
fetching data from storage outside the application (e.g. a database, an
S3 bucket)?
  - Is the input sanitized?
- What precautions are you taking before deserializing the data you
consume?
  - Is injection prevented by parametrizing queries?
  - Have you ensured no `eval` or similar functions are used?
- Does this PR introduce any functionality or component that requires
authorization?
- How have you ensured it respects the existing AuthN/AuthZ mechanisms?
  - Are you logging failed auth attempts?
- Are you using or adding any cryptographic features?
  - Do you use a standard proven implementations?
  - Are the used keys controlled by the customer? Where are they stored?
- Are you introducing any new policies/roles/users?
  - Have you used the least-privilege principle? How?


By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license.
---
 .../core/permissions/queries.py               | 64 +++++++++++++++++++
 .../core/permissions/test_permissions.py      | 57 +++++++++++++++++
 2 files changed, 121 insertions(+)
 create mode 100644 tests_new/integration_tests/core/permissions/queries.py
 create mode 100644 tests_new/integration_tests/core/permissions/test_permissions.py

diff --git a/tests_new/integration_tests/core/permissions/queries.py b/tests_new/integration_tests/core/permissions/queries.py
new file mode 100644
index 000000000..130011f1d
--- /dev/null
+++ b/tests_new/integration_tests/core/permissions/queries.py
@@ -0,0 +1,64 @@
+# TODO: This file will be replaced by using the SDK directly
+def update_group_tenant_permissions(client, group_uri, permissions=[]):
+    query = {
+        'operationName': 'updateGroupTenantPermissions',
+        'variables': {
+            'input': {
+                'groupUri': group_uri,
+                'permissions': permissions,
+            }
+        },
+        'query': """    
+                mutation updateGroupTenantPermissions(
+                  $input: UpdateGroupTenantPermissionsInput!
+                ) {
+                  updateGroupTenantPermissions(input: $input)
+                }
+                """,
+    }
+    response = client.query(query=query)
+    return response.data.updateGroupTenantPermissions
+
+
+def list_tenant_permissions(client):
+    query = {
+        'operationName': 'listTenantPermissions',
+        'variables': {},
+        'query': """    
+                query listTenantPermissions {
+                  listTenantPermissions {
+                    name
+                    description
+                  }
+                }
+                """,
+    }
+    response = client.query(query=query)
+    return response.data.listTenantPermissions
+
+
+def list_tenant_groups(client, term=''):
+    query = {
+        'operationName': 'listTenantGroups',
+        'variables': {'filter': {'term': term}},
+        'query': """    
+            query listTenantGroups($filter: GroupFilter) {
+              listTenantGroups(filter: $filter) {
+                count
+                page
+                pages
+                hasNext
+                hasPrevious
+                nodes {
+                  groupUri
+                  tenantPermissions {
+                    name
+                    description
+                  }
+                }
+              }
+            }
+            """,
+    }
+    response = client.query(query=query)
+    return response.data.listTenantGroups
diff --git a/tests_new/integration_tests/core/permissions/test_permissions.py b/tests_new/integration_tests/core/permissions/test_permissions.py
new file mode 100644
index 000000000..9d5ff3a50
--- /dev/null
+++ b/tests_new/integration_tests/core/permissions/test_permissions.py
@@ -0,0 +1,57 @@
+from assertpy import assert_that
+
+from integration_tests.core.permissions.queries import (
+    update_group_tenant_permissions,
+    list_tenant_permissions,
+    list_tenant_groups,
+)
+from integration_tests.errors import GqlError
+
+
+def test_list_tenant_permissions(clientTenant):
+    response = list_tenant_permissions(clientTenant)
+    assert_that(response).is_not_empty()
+    assert_that(len(response)).is_greater_than_or_equal_to(3)
+    assert_that(response).does_not_contain([None, '', False])
+    assert_that([p.name for p in response]).does_not_contain([None, '', False])
+
+
+def test_list_tenant_permissions_unauthorized(client1):
+    assert_that(list_tenant_permissions).raises(GqlError).when_called_with(client1).contains(
+        'UnauthorizedOperation', 'LIST_TENANT_TEAM_PERMISSIONS'
+    )
+
+
+def test_list_tenant_groups(clientTenant):
+    response = list_tenant_groups(clientTenant)
+    assert_that(response.count).is_greater_than_or_equal_to(4)
+    assert_that(response.nodes).is_not_empty()
+    assert_that(response.nodes[0]).contains_key('tenantPermissions')
+    ## Testing admin group DAAdministrators exists
+    admin_group = next(group for group in response.nodes if group.groupUri == 'DHAdmins')
+    assert_that(admin_group).contains_key('tenantPermissions')
+
+
+def test_list_tenant_groups_unauthorized(client1):
+    assert_that(list_tenant_groups).raises(GqlError).when_called_with(client1).contains(
+        'UnauthorizedOperation', 'LIST_TENANT_TEAMS'
+    )
+
+
+def test_update_group_tenant_permissions(clientTenant, group1):
+    # get group with permissions
+    response = list_tenant_groups(clientTenant, term=group1)
+    assert_that(response.count).is_equal_to(1)
+    assert_that(len(response.nodes[0].tenantPermissions)).is_greater_than_or_equal_to(1)
+    group1_perms = [p.name for p in response.nodes[0].tenantPermissions]
+    # update permissions
+    response = update_group_tenant_permissions(clientTenant, group1, group1_perms[:-1])
+    assert_that(response).is_true()
+    # check permissions were updated
+    response = list_tenant_groups(clientTenant, term=group1)
+    assert_that(response.count).is_equal_to(1)
+    group1_p_updated = response.nodes[0]
+    assert_that(len(group1_p_updated.tenantPermissions)).is_equal_to(len(group1_perms) - 1)
+    assert_that(group1_p_updated.tenantPermissions).does_not_contain(group1_perms[-1])
+    # update permissions back to initial state
+    update_group_tenant_permissions(clientTenant, group1, group1_perms)