Prevents environment variables from leaking between tests. All DATA_DIR, JWT_SECRET_KEY, and SCRIPT_TIMEOUT assignments in fixtures now use monkeypatch.setenv(), which auto-reverts after each test. Removes the manual os.environ.pop() cleanup lines.
"""Tests for src/rbac.py — role-based access control."""
import os
import pytest
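@pytest.fixture
def setup_db(tmp_path, monkeypatch):
    """Seed a throwaway system DB with exactly one user per role.

    DATA_DIR is pointed at ``tmp_path`` through ``monkeypatch.setenv`` so the
    override is undone automatically when the test ends; no manual
    ``os.environ`` cleanup is needed and nothing leaks into the next test.
    ``src.db`` is imported only *after* the variable is set — if that module
    resolves DATA_DIR at import time (assumption; confirm against src.db), an
    import at file scope would pin the first test's path for the whole session.

    Yields nothing; tests depend on the fixture purely for its side effect.
    """
    monkeypatch.setenv("DATA_DIR", str(tmp_path))
    from src.db import get_system_db
    from src.repositories.users import UserRepository

    conn = get_system_db()
    try:
        repo = UserRepository(conn)
        # One account per rung of the hierarchy so tests can probe every level,
        # including the km_admin / analyst split that is neither top nor bottom.
        repo.create(id="admin1", email="admin@test.com", name="Admin", role="admin")
        repo.create(id="analyst1", email="analyst@test.com", name="Analyst", role="analyst")
        repo.create(id="km1", email="km@test.com", name="KM Admin", role="km_admin")
        repo.create(id="viewer1", email="viewer@test.com", name="Viewer", role="viewer")
    finally:
        # Close even when seeding raises: the original only closed on the
        # happy path, so a failing create() left an open handle on the DB file
        # under tmp_path for the rest of the session.
        conn.close()
    yield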
class TestGetUserRole:
    """get_user_role(): resolve an email address to its Role."""

    def test_admin(self, setup_db):
        from src.rbac import Role, get_user_role

        resolved = get_user_role("admin@test.com")
        assert resolved == Role.ADMIN

    def test_analyst(self, setup_db):
        from src.rbac import Role, get_user_role

        resolved = get_user_role("analyst@test.com")
        assert resolved == Role.ANALYST

    def test_unknown_user(self, setup_db):
        """An email with no user row resolves to VIEWER rather than failing.

        This pins a fail-to-lowest-role default instead of a denial: whatever
        VIEWER is permitted to do is reachable for any email string a caller
        passes in. The lookup takes only an email, so authenticating that the
        caller actually owns the address must happen upstream of RBAC
        (NOTE(review): confirm at the call sites; a has_role("nobody@…",
        Role.VIEWER) assertion would make the implication explicit).
        """
        from src.rbac import Role, get_user_role

        resolved = get_user_role("nobody@test.com")
        assert resolved == Role.VIEWER
class TestHasRole:
    """has_role(): hierarchical check — a higher role satisfies every lower one."""

    def test_admin_has_all_roles(self, setup_db):
        from src.rbac import Role, has_role

        # Admin is the top rung, so every required level must be satisfied.
        for required in (Role.VIEWER, Role.ANALYST, Role.KM_ADMIN, Role.ADMIN):
            assert has_role("admin@test.com", required)

    def test_analyst_cant_admin(self, setup_db):
        from src.rbac import Role, has_role

        email = "analyst@test.com"
        assert has_role(email, Role.ANALYST)
        # Escalation in the other direction must be refused.
        assert not has_role(email, Role.ADMIN)

    def test_viewer_is_minimal(self, setup_db):
        from src.rbac import Role, has_role

        email = "viewer@test.com"
        assert has_role(email, Role.VIEWER)
        # VIEWER is the floor: the very next rung is already denied.
        assert not has_role(email, Role.ANALYST)
class TestConvenienceFunctions:
    """is_admin / is_km_admin / is_analyst: role-specific shorthands.

    Each shorthand is expected to honour the same hierarchy as has_role(), so
    admin passes every one of them and a lower role fails the higher checks.
    """

    def test_is_admin(self, setup_db):
        from src.rbac import is_admin

        assert is_admin("admin@test.com")
        assert not is_admin("analyst@test.com")

    def test_is_km_admin(self, setup_db):
        from src.rbac import is_km_admin

        # km_admin itself and anything above it (admin) pass; analyst does not.
        for email in ("km@test.com", "admin@test.com"):
            assert is_km_admin(email)
        assert not is_km_admin("analyst@test.com")

    def test_is_analyst(self, setup_db):
        from src.rbac import is_analyst

        for email in ("analyst@test.com", "admin@test.com"):
            assert is_analyst(email)
        assert not is_analyst("viewer@test.com")
class TestSetUserRole:
    """set_user_role(): persist a role change and report whether a row matched."""

    def test_set_role(self, setup_db):
        """Promoting viewer -> admin is visible on the next lookup.

        set_user_role() takes only the target email and the new role — there
        is no acting-principal argument — so this exercises persistence, not
        authorization. Whoever exposes this call must gate it on the caller
        being admin themselves (NOTE(review): confirm at the API layer).
        """
        from src.rbac import Role, get_user_role, set_user_role

        email = "viewer@test.com"
        assert get_user_role(email) == Role.VIEWER
        changed = set_user_role(email, Role.ADMIN)
        assert changed
        assert get_user_role(email) == Role.ADMIN

    def test_set_role_nonexistent(self, setup_db):
        """No row for the email: the call reports False rather than creating one."""
        from src.rbac import Role, set_user_role

        changed = set_user_role("nobody@test.com", Role.ADMIN)
        assert not changed