implement tests for being able to read collections

InfoSecInnovations · Dec 16, 2024 · a35ed7b · a35ed7b
1 parent 6b1a9fe
commit a35ed7b
Showing 1 changed file with 38 additions and 0 deletions.
diff --git a/tests/test_rbac.py b/tests/test_rbac.py
@@ -6,9 +6,11 @@
     get_keycloak_client,
     get_keycloak_admin_openid_token,
 )
+from concierge_backend_lib.authorization import UnauthorizedOperationError
 from concierge_backend_lib.document_collections import (
     create_collection,
     delete_collection,
+    get_documents,
 )
 import pytest
 from keycloak import KeycloakPostError
@@ -59,6 +61,42 @@ async def test_cannot_create_collection(user, location):
         await create_collection_for_user(user, location)
 
 
+@pytest.mark.parametrize(
+    "user,collection_name",
+    [
+        ("testadmin", "testadmin's shared collection"),
+        ("testadmin", "testadmin's private collection"),
+        ("testadmin", "testprivate's private collection"),
+        ("testsharedread", "testadmin's shared collection"),
+        ("testshared", "testadmin's shared collection"),
+        ("testprivate", "testprivate's private collection"),
+    ],
+)
+async def test_can_read_collection(user, collection_name):
+    token = keycloak_client.token(user, "test")
+    docs = await get_documents(
+        token["access_token"], collection_lookup[collection_name]
+    )
+    assert docs is not None
+
+
+@pytest.mark.parametrize(
+    "user,collection_name",
+    [
+        ("testsharedread", "testadmin's private collection"),
+        ("testshared", "testadmin's private collection"),
+        ("testprivate", "testadmin's private collection"),
+        ("testprivate", "testadmin's shared collection"),
+        ("testnothing", "testadmin's shared collection"),
+        ("testnothing", "testadmin's private collection"),
+    ],
+)
+async def test_cannot_read_collection(user, collection_name):
+    with pytest.raises((UnauthorizedOperationError, KeycloakPostError)):
+        token = keycloak_client.token(user, "test")
+        await get_documents(token["access_token"], collection_lookup[collection_name])
+
+
 async def teardown():
     token = get_keycloak_admin_openid_token()
     for id in collection_lookup.values():