Files
wehub-resource-sync fed8b2eed7
Backend release / release (push) Waiting to run
Bandit Security Scan / bandit_scan (push) Waiting to run
Build and push multi-arch DocsGPT Docker image / build (linux/amd64, ubuntu-latest, amd64) (push) Waiting to run
Build and push multi-arch DocsGPT Docker image / build (linux/arm64, ubuntu-24.04-arm, arm64) (push) Waiting to run
Build and push multi-arch DocsGPT Docker image / manifest (push) Blocked by required conditions
Build and push DocsGPT FE Docker image for development / build (linux/amd64, ubuntu-latest, amd64) (push) Waiting to run
Build and push DocsGPT FE Docker image for development / build (linux/arm64, ubuntu-24.04-arm, arm64) (push) Waiting to run
Build and push DocsGPT FE Docker image for development / manifest (push) Blocked by required conditions
Python linting / ruff (push) Waiting to run
Run python tests with pytest / Run tests and count coverage (3.12) (push) Waiting to run
React Widget Build / build (push) Waiting to run
chore: import upstream snapshot with attribution
2026-07-13 13:28:29 +08:00

129 lines
4.3 KiB
Python

"""Unit tests for role resolution and the authorization decorator."""
from __future__ import annotations
from contextlib import contextmanager
from unittest.mock import Mock, patch
import pytest
from flask import Flask, request
from application.api.user import authz
@contextmanager
def _fake_conn():
yield Mock()
def _patch_oidc(role_names=None, raise_db=False):
"""Patch authz for OIDC mode with a stubbed UserRolesRepository."""
repo = Mock()
repo.role_names_for.return_value = role_names or []
settings_patch = patch.object(authz, "settings")
db_patch = patch.object(authz, "db_readonly", _fake_conn)
if raise_db:
repo_patch = patch.object(authz, "UserRolesRepository", side_effect=RuntimeError("db down"))
else:
repo_patch = patch.object(authz, "UserRolesRepository", return_value=repo)
return settings_patch, db_patch, repo_patch, repo
@pytest.mark.unit
class TestResolveRoles:
def test_no_token_is_user_only(self):
assert authz.resolve_roles(None) == ["user"]
def test_simple_jwt_never_admin(self):
with patch.object(authz, "settings") as s:
s.AUTH_TYPE = "simple_jwt"
assert authz.resolve_roles({"sub": "local"}) == ["user"]
def test_session_jwt_never_admin(self):
with patch.object(authz, "settings") as s:
s.AUTH_TYPE = "session_jwt"
assert authz.resolve_roles({"sub": "abc-uuid"}) == ["user"]
def test_none_mode_local_admin_disabled(self):
with patch.object(authz, "settings") as s:
s.AUTH_TYPE = None
s.LOCAL_MODE_ADMIN = False
assert authz.resolve_roles({"sub": "local"}) == ["user"]
def test_none_mode_local_admin_enabled(self):
with patch.object(authz, "settings") as s:
s.AUTH_TYPE = None
s.LOCAL_MODE_ADMIN = True
assert authz.resolve_roles({"sub": "local"}) == ["admin", "user"]
def test_oidc_db_grant_makes_admin(self):
sp, dp, rp, repo = _patch_oidc(role_names=["admin"])
with sp as s, dp, rp:
s.AUTH_TYPE = "oidc"
assert authz.resolve_roles({"sub": "alice"}) == ["admin", "user"]
repo.role_names_for.assert_called_once_with("alice")
def test_oidc_no_grant_is_user(self):
sp, dp, rp, _ = _patch_oidc(role_names=[])
with sp as s, dp, rp:
s.AUTH_TYPE = "oidc"
assert authz.resolve_roles({"sub": "bob"}) == ["user"]
def test_oidc_ignores_forged_roles_claim(self):
sp, dp, rp, _ = _patch_oidc(role_names=[])
with sp as s, dp, rp:
s.AUTH_TYPE = "oidc"
# A self-minted token asserting admin must NOT be trusted.
assert authz.resolve_roles({"sub": "bob", "roles": ["admin"]}) == ["user"]
def test_oidc_db_error_fails_open_to_user(self):
sp, dp, rp, _ = _patch_oidc(raise_db=True)
with sp as s, dp, rp:
s.AUTH_TYPE = "oidc"
assert authz.resolve_roles({"sub": "bob"}) == ["user"]
@pytest.mark.unit
class TestHasRole:
def test_user_role_always_true(self):
assert authz.has_role(None, "user")
assert authz.has_role({}, "user")
assert authz.has_role({"roles": []}, "user")
def test_admin_requires_grant(self):
assert authz.has_role({"roles": ["admin"]}, "admin")
assert not authz.has_role({"roles": ["user"]}, "admin")
def test_missing_roles_key_is_not_admin(self):
assert not authz.has_role({"sub": "x"}, "admin")
assert not authz.has_role(None, "admin")
@pytest.mark.unit
class TestRequireRole:
def _invoke(self, token):
app = Flask(__name__)
@authz.require_role("admin")
def view():
return "ok"
with app.test_request_context("/"):
request.decoded_token = token
return view()
def test_no_token_returns_401(self):
resp = self._invoke(None)
assert resp.status_code == 401
def test_non_admin_returns_403(self):
resp = self._invoke({"sub": "x", "roles": ["user"]})
assert resp.status_code == 403
def test_missing_roles_key_returns_403_without_raising(self):
resp = self._invoke({"sub": "x"})
assert resp.status_code == 403
def test_admin_passes_through(self):
assert self._invoke({"sub": "x", "roles": ["admin"]}) == "ok"