wuttaweb/tests/test_auth.py

# -*- coding: utf-8; -*-

import uuid as _uuid
from unittest import TestCase
from unittest.mock import MagicMock

from pyramid import testing

from wuttjamaican.conf import WuttaConfig
from wuttaweb import auth as mod
from wuttaweb.testing import WebTestCase


class TestLoginUser(TestCase):

    def test_basic(self):
        config = WuttaConfig()
        app = config.get_app()
        model = app.model
        request = testing.DummyRequest(wutta_config=config)
        user = model.User(username="barney")
        headers = mod.login_user(request, user)
        self.assertEqual(headers, [])


class TestLogoutUser(TestCase):

    def test_basic(self):
        config = WuttaConfig()
        request = testing.DummyRequest(wutta_config=config)
        request.session.delete = MagicMock()
        headers = mod.logout_user(request)
        request.session.delete.assert_called_once_with()
        self.assertEqual(headers, [])


class TestWuttaSecurityPolicy(TestCase):

    def setUp(self):
        self.config = WuttaConfig(
            defaults={
                "wutta.db.default.url": "sqlite://",
            }
        )

        self.request = testing.DummyRequest()
        self.pyramid_config = testing.setUp(
            request=self.request,
            settings={
                "wutta_config": self.config,
            },
        )

        self.app = self.config.get_app()
        model = self.app.model
        model.Base.metadata.create_all(bind=self.config.appdb_engine)
        self.session = self.app.make_session()
        self.user = model.User(username="barney")
        self.session.add(self.user)
        self.session.commit()

        self.policy = self.make_policy()

    def tearDown(self):
        testing.tearDown()

    def make_policy(self):
        return mod.WuttaSecurityPolicy(db_session=self.session)

    def test_remember(self):
        uuid = self.user.uuid
        self.assertIsNotNone(uuid)
        self.assertIsNone(self.policy.session_helper.authenticated_userid(self.request))
        self.policy.remember(self.request, uuid)
        self.assertEqual(
            self.policy.session_helper.authenticated_userid(self.request), uuid
        )

    def test_forget(self):
        uuid = self.user.uuid
        self.policy.remember(self.request, uuid)
        self.assertEqual(
            self.policy.session_helper.authenticated_userid(self.request), uuid
        )
        self.policy.forget(self.request)
        self.assertIsNone(self.policy.session_helper.authenticated_userid(self.request))

    def test_identity(self):

        # no identity
        user = self.policy.identity(self.request)
        self.assertIsNone(user)

        # identity is remembered (must use new policy to bust cache)
        self.policy = self.make_policy()
        uuid = self.user.uuid
        self.assertIsNotNone(uuid)
        self.policy.remember(self.request, uuid)
        user = self.policy.identity(self.request)
        self.assertIs(user, self.user)

        # invalid identity yields no user
        self.policy = self.make_policy()
        self.policy.remember(self.request, _uuid.uuid4())  # random uuid
        user = self.policy.identity(self.request)
        self.assertIsNone(user)

    def test_authenticated_userid(self):

        # no identity
        uuid = self.policy.authenticated_userid(self.request)
        self.assertIsNone(uuid)

        # identity is remembered (must use new policy to bust cache)
        self.policy = self.make_policy()
        self.policy.remember(self.request, self.user.uuid)
        uuid = self.policy.authenticated_userid(self.request)
        self.assertEqual(uuid, self.user.uuid)

    def test_permits(self):
        auth = self.app.get_auth_handler()
        model = self.app.model

        # anon has no perms
        self.assertFalse(self.policy.permits(self.request, None, "foo.bar"))

        # but we can grant it
        anons = auth.get_role_anonymous(self.session)
        self.user.roles.append(anons)
        auth.grant_permission(anons, "foo.bar")
        self.session.commit()

        # and then perm check is satisfied
        self.assertTrue(self.policy.permits(self.request, None, "foo.bar"))

        # now, create a separate role and grant another perm
        # (but user does not yet belong to this role)
        role = model.Role(name="whatever")
        self.session.add(role)
        auth.grant_permission(role, "baz.edit")
        self.session.commit()

        # so far then, user does not have the permission
        self.policy = self.make_policy()
        self.policy.remember(self.request, self.user.uuid)
        self.assertFalse(self.policy.permits(self.request, None, "baz.edit"))

        # but if we assign user to role, perm check should pass
        self.user.roles.append(role)
        self.session.commit()
        self.assertTrue(self.policy.permits(self.request, None, "baz.edit"))

        # now let's try another perm - we won't grant it, but will
        # confirm user is denied access unless they become root
        self.assertFalse(self.policy.permits(self.request, None, "some-root-perm"))
        self.request.is_root = True
        self.assertTrue(self.policy.permits(self.request, None, "some-root-perm"))


class TestAddPermissionGroup(WebTestCase):

    def test_basic(self):
        permissions = self.pyramid_config.get_settings().get("wutta_permissions", {})
        self.assertNotIn("widgets", permissions)
        self.pyramid_config.add_wutta_permission_group("widgets")
        permissions = self.pyramid_config.get_settings().get("wutta_permissions", {})
        self.assertIn("widgets", permissions)
        self.assertEqual(permissions["widgets"]["label"], "Widgets")


class TestAddPermission(WebTestCase):

    def test_basic(self):
        permissions = self.pyramid_config.get_settings().get("wutta_permissions", {})
        self.assertNotIn("widgets", permissions)
        self.pyramid_config.add_wutta_permission("widgets", "widgets.polish")
        permissions = self.pyramid_config.get_settings().get("wutta_permissions", {})
        self.assertIn("widgets", permissions)
        self.assertEqual(permissions["widgets"]["label"], "Widgets")
        self.assertIn("widgets.polish", permissions["widgets"]["perms"])
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00			`# -- coding: utf-8; --`

fix: refactor to reflect usage of proper UUID values 2024-12-08 00:11:30 -06:00			`import uuid as _uuid`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00			`from unittest import TestCase`
			`from unittest.mock import MagicMock`

			`from pyramid import testing`

			`from wuttjamaican.conf import WuttaConfig`
			`from wuttaweb import auth as mod`
tests: move `WebTestCase` to `wuttaweb.testing` module 2025-01-06 16:47:48 -06:00			`from wuttaweb.testing import WebTestCase`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00

			`class TestLoginUser(TestCase):`

			`def test_basic(self):`
			`config = WuttaConfig()`
			`app = config.get_app()`
			`model = app.model`
			`request = testing.DummyRequest(wutta_config=config)`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`user = model.User(username="barney")`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00			`headers = mod.login_user(request, user)`
			`self.assertEqual(headers, [])`

fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00			`class TestLogoutUser(TestCase):`

			`def test_basic(self):`
			`config = WuttaConfig()`
			`request = testing.DummyRequest(wutta_config=config)`
			`request.session.delete = MagicMock()`
			`headers = mod.logout_user(request)`
			`request.session.delete.assert_called_once_with()`
			`self.assertEqual(headers, [])`


			`class TestWuttaSecurityPolicy(TestCase):`

			`def setUp(self):`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.config = WuttaConfig(`
			`defaults={`
			`"wutta.db.default.url": "sqlite://",`
			`}`
			`)`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00
			`self.request = testing.DummyRequest()`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.pyramid_config = testing.setUp(`
			`request=self.request,`
			`settings={`
			`"wutta_config": self.config,`
			`},`
			`)`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00
			`self.app = self.config.get_app()`
			`model = self.app.model`
			`model.Base.metadata.create_all(bind=self.config.appdb_engine)`
			`self.session = self.app.make_session()`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.user = model.User(username="barney")`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00			`self.session.add(self.user)`
			`self.session.commit()`

			`self.policy = self.make_policy()`

			`def tearDown(self):`
			`testing.tearDown()`

			`def make_policy(self):`
			`return mod.WuttaSecurityPolicy(db_session=self.session)`

			`def test_remember(self):`
			`uuid = self.user.uuid`
			`self.assertIsNotNone(uuid)`
			`self.assertIsNone(self.policy.session_helper.authenticated_userid(self.request))`
			`self.policy.remember(self.request, uuid)`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.assertEqual(`
			`self.policy.session_helper.authenticated_userid(self.request), uuid`
			`)`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00
			`def test_forget(self):`
			`uuid = self.user.uuid`
			`self.policy.remember(self.request, uuid)`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.assertEqual(`
			`self.policy.session_helper.authenticated_userid(self.request), uuid`
			`)`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00			`self.policy.forget(self.request)`
			`self.assertIsNone(self.policy.session_helper.authenticated_userid(self.request))`

			`def test_identity(self):`

			`# no identity`
			`user = self.policy.identity(self.request)`
			`self.assertIsNone(user)`

			`# identity is remembered (must use new policy to bust cache)`
			`self.policy = self.make_policy()`
			`uuid = self.user.uuid`
			`self.assertIsNotNone(uuid)`
			`self.policy.remember(self.request, uuid)`
			`user = self.policy.identity(self.request)`
			`self.assertIs(user, self.user)`

			`# invalid identity yields no user`
			`self.policy = self.make_policy()`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.policy.remember(self.request, _uuid.uuid4()) # random uuid`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00			`user = self.policy.identity(self.request)`
			`self.assertIsNone(user)`

			`def test_authenticated_userid(self):`

			`# no identity`
			`uuid = self.policy.authenticated_userid(self.request)`
			`self.assertIsNone(uuid)`

			`# identity is remembered (must use new policy to bust cache)`
			`self.policy = self.make_policy()`
			`self.policy.remember(self.request, self.user.uuid)`
			`uuid = self.policy.authenticated_userid(self.request)`
			`self.assertEqual(uuid, self.user.uuid)`

			`def test_permits(self):`
			`auth = self.app.get_auth_handler()`
			`model = self.app.model`

			`# anon has no perms`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.assertFalse(self.policy.permits(self.request, None, "foo.bar"))`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00
			`# but we can grant it`
			`anons = auth.get_role_anonymous(self.session)`
			`self.user.roles.append(anons)`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`auth.grant_permission(anons, "foo.bar")`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00			`self.session.commit()`

			`# and then perm check is satisfied`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.assertTrue(self.policy.permits(self.request, None, "foo.bar"))`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00
			`# now, create a separate role and grant another perm`
			`# (but user does not yet belong to this role)`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`role = model.Role(name="whatever")`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00			`self.session.add(role)`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`auth.grant_permission(role, "baz.edit")`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00			`self.session.commit()`

			`# so far then, user does not have the permission`
			`self.policy = self.make_policy()`
			`self.policy.remember(self.request, self.user.uuid)`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.assertFalse(self.policy.permits(self.request, None, "baz.edit"))`
feat: add custom security policy, login/logout for pyramid aka. the `wuttaweb.auth` module 2024-08-04 21:54:46 -05:00
			`# but if we assign user to role, perm check should pass`
			`self.user.roles.append(role)`
			`self.session.commit()`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.assertTrue(self.policy.permits(self.request, None, "baz.edit"))`
feat: add support for admin user to become / stop being root 2024-08-05 14:21:54 -05:00
			`# now let's try another perm - we won't grant it, but will`
			`# confirm user is denied access unless they become root`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.assertFalse(self.policy.permits(self.request, None, "some-root-perm"))`
feat: add support for admin user to become / stop being root 2024-08-05 14:21:54 -05:00			`self.request.is_root = True`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`self.assertTrue(self.policy.permits(self.request, None, "some-root-perm"))`
feat: expose Role permissions for editing 2024-08-14 15:10:54 -05:00

			`class TestAddPermissionGroup(WebTestCase):`

			`def test_basic(self):`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`permissions = self.pyramid_config.get_settings().get("wutta_permissions", {})`
			`self.assertNotIn("widgets", permissions)`
			`self.pyramid_config.add_wutta_permission_group("widgets")`
			`permissions = self.pyramid_config.get_settings().get("wutta_permissions", {})`
			`self.assertIn("widgets", permissions)`
			`self.assertEqual(permissions["widgets"]["label"], "Widgets")`
feat: expose Role permissions for editing 2024-08-14 15:10:54 -05:00

			`class TestAddPermission(WebTestCase):`

			`def test_basic(self):`
fix: format all code with black and from now on should not deviate from that... 2025-08-31 12:26:43 -05:00			`permissions = self.pyramid_config.get_settings().get("wutta_permissions", {})`
			`self.assertNotIn("widgets", permissions)`
			`self.pyramid_config.add_wutta_permission("widgets", "widgets.polish")`
			`permissions = self.pyramid_config.get_settings().get("wutta_permissions", {})`
			`self.assertIn("widgets", permissions)`
			`self.assertEqual(permissions["widgets"]["label"], "Widgets")`
			`self.assertIn("widgets.polish", permissions["widgets"]["perms"])`