ScoDoc/tests/api/test_api_users.py

# -*- coding: utf-8 -*-

"""Test API : utilisateurs

Utilisation :
    pytest tests/api/test_api_users.py
"""

from tests.api.setup_test_api import (
    API_URL,
    APIError,
    CHECK_CERTIFICATE,
    GET,
    POST_JSON,
    api_headers,
    api_admin_headers,
    get_auth_headers,
)


def test_list_users(api_admin_headers):
    """
    Routes: /user/<int:uid>
            /users/query?departement=dept_acronym&active=1&like=<str:nom>
    """
    admin_h = api_admin_headers
    depts = GET("/departements", headers=admin_h)
    assert len(depts) > 0
    u = GET("/user/1", headers=admin_h)
    assert u["id"] == 1
    assert u["user_name"]
    assert u["date_expiration"] is None
    dept_u = u["dept"]

    # Tous les utilisateurs, vus par SuperAdmin:
    users = GET("/users/query", headers=admin_h)

    # Les utilisateurs de chaque département (+ ceux sans département)
    all_users = []
    for acronym in [dept["acronym"] for dept in depts] + [""]:
        all_users += GET(f"/users/query?departement={acronym}", headers=admin_h)
    all_users.sort(key=lambda u: u["user_name"])
    assert len(all_users) == len(users)
    # On a créé un user "u_" par département:
    u_users = GET("/users/query?starts_with=U ", headers=admin_h)
    assert len(u_users) == len(depts)
    assert len(GET("/users/query?departement=AA", headers=admin_h)) == 1
    assert len(GET("/users/query?departement=AA&starts_with=U ", headers=admin_h)) == 1
    assert (
        len(
            GET(
                "/users/query?departement=AA&starts_with=XXX",
                headers=admin_h,
            )
        )
        == 0
    )
    # Utilisateurs vus par d'autres utilisateurs (droits accès)
    for i, u in enumerate(u for u in u_users if u["dept"] != "TAPI"):
        headers = get_auth_headers(u["user_name"], "test")
        users_by_u = GET("/users/query", headers=headers)
        assert len(users_by_u) == 4 + i
        # explication: tous ont le droit de voir les 3 users de TAPI
        # (test, other et u_TAPI)
        # plus l'utilisateur de chaque département jusqu'au leur
        # (u_AA voit AA, u_BB voit AA et BB, etc)


def test_edit_users(api_admin_headers):
    """
    Routes: /user/create
            /user/edit/<int:uid>
    """
    admin_h = api_admin_headers
    nb_users = len(GET("/users/query", headers=admin_h))
    user = POST_JSON(
        "/user/create",
        {"user_name": "toto", "nom": "Toto"},
        headers=admin_h,
    )
    assert user["user_name"] == "toto"
    assert user["dept"] is None
    assert user["active"] is True
    assert (nb_users + 1) == len(GET("/users/query", headers=admin_h))
    # Change le dept et rend inactif
    user = POST_JSON(
        f"/user/{user['id']}/edit",
        {"active": False, "dept": "TAPI"},
        headers=admin_h,
    )
    assert user["dept"] == "TAPI"
    assert user["active"] is False


def test_roles(api_admin_headers):
    """
    Routes: /user/create
            /user/<int:uid>/edit
    """
    admin_h = api_admin_headers
    user = POST_JSON(
        "/user/create",
        {"user_name": "test_roles", "nom": "Role", "prenom": "Test"},
        headers=admin_h,
    )
    uid = user["id"]
    ans = POST_JSON(f"/user/{uid}/role/Secr/add", headers=admin_h)
    assert ans["user_name"] == "test_roles"
    role = POST_JSON("/role/create/Test_X", headers=admin_h)
    assert role["role_name"] == "Test_X"
    assert role["permissions"] == []
    role = GET("/role/Test_X", headers=admin_h)
    assert role["role_name"] == "Test_X"
    assert role["permissions"] == []
    role = POST_JSON("/role/Test_X/edit", {"role_name": "Test_Y"}, headers=admin_h)
    assert role["role_name"] == "Test_Y"
    role = GET("/role/Test_Y", headers=admin_h)
    assert role["role_name"] == "Test_Y"
    role = POST_JSON(
        "/role/Test_Y/edit",
        {"permissions": ["ScoView", "ScoAbsChange"]},
        headers=admin_h,
    )
    assert set(role["permissions"]) == {"ScoView", "ScoAbsChange"}
    role = POST_JSON("/role/Test_Y/add_permission/ScoAbsAddBillet", headers=admin_h)
    assert set(role["permissions"]) == {"ScoView", "ScoAbsChange", "ScoAbsAddBillet"}
    role = GET("/role/Test_Y", headers=admin_h)
    assert set(role["permissions"]) == {"ScoView", "ScoAbsChange", "ScoAbsAddBillet"}
    role = POST_JSON("/role/Test_Y/remove_permission/ScoAbsChange", headers=admin_h)
    assert set(role["permissions"]) == {"ScoView", "ScoAbsAddBillet"}
    ans = POST_JSON("/role/Test_Y/delete", headers=admin_h)
    assert ans["OK"] is True


def test_modif_users_depts(api_admin_headers):
    """
    Ce test vise à vérifier qu'un admin déclaré sur deux départements peut
    bien modifier les utilisateurs de ses départements mais pas ceux des autres.
    """
    admin_h = api_admin_headers
    depts = GET("/departements", headers=admin_h)
    assert len(depts) > 2
    dept1, dept2, dept3 = depts[:3]
    # On va utiliser les 3 1er dept (TAPI, AA, BB)
    # On crée un nouvel utilisateur "chef2", admin dans les 2 premiers dept
    # puis un utilisateur lambda, dans le dept 2 (AA)
    chef2 = POST_JSON(
        "/user/create",
        {
            "user_name": "chef2",
            "nom": "Chef",
            "prenom": "Test",
            "dept": dept1["acronym"],  # rattaché à dept1
        },
        headers=admin_h,
    )
    role_chef = POST_JSON(
        "/role/create/chef",
        {"permissions": ["ScoView", "ScoUsersAdmin", "ScoUsersView"]},
        headers=admin_h,
    )
    _ = POST_JSON(
        f"/user/{chef2['id']}/role/chef/add/departement/{dept1['acronym']}",
        headers=admin_h,
    )
    _ = POST_JSON(
        f"/user/{chef2['id']}/role/chef/add/departement/{dept2['acronym']}",
        headers=admin_h,
    )
    # Un mot de passe trop simple:
    ok = False
    try:
        _ = POST_JSON(
            f"/user/{chef2['id']}/password",
            {"password": "123456"},
            headers=admin_h,
        )
    except APIError as exc:
        if exc.args[1]["status"] == 400:
            ok = True
    assert ok
    # Un "vrai" mot de passe:
    chef2_password = "17HIOPpYhabb8qw'E:/jd7FFddjd"
    _ = POST_JSON(
        f"/user/{chef2['id']}/password",
        {"password": chef2_password},
        headers=admin_h,
    )
    # Création user lambda:
    u_lambda = POST_JSON(
        "/user/create",
        {
            "user_name": "lambda",
            "nom": "Lambda",
            "prenom": "Test",
            "dept": dept2["acronym"],
        },
        headers=admin_h,
    )

    # Le chef va modifier u_lambda:
    chef_h = get_auth_headers(chef2["user_name"], chef2_password)
    # on utilise une URL avec département car on n'a pas le droit sur tous:
    u = POST_JSON(
        f"/user/{u_lambda['id']}/edit",
        {"nom": "toto"},
        headers=chef_h,
        dept=dept1["acronym"],
    )
    assert u["nom"] == "toto"
    # Dans l'autre ?
    u = POST_JSON(
        f"/user/{u_lambda['id']}/edit",
        {"nom": "toto"},
        headers=chef_h,
        dept=dept2["acronym"],
    )
    # mais pas dans le troisième:
    ok = False
    try:
        u = POST_JSON(
            f"/user/{u_lambda['id']}/edit",
            {"nom": "toto"},
            headers=chef_h,
            dept=dept3["acronym"],
        )
    except APIError as exc:
        if exc.args[1]["status"] == 401:
            ok = True
    assert ok
    # Nettoyage: