unit test for authorization of groups

DefectDojo · May 15, 2021 · 036e021 · 036e021
1 parent 8dd4f54
commit 036e021
Showing 1 changed file with 70 additions and 3 deletions.
diff --git a/dojo/unittests/authorization/test_authorization.py b/dojo/unittests/authorization/test_authorization.py
@@ -2,8 +2,8 @@
 from django.core.exceptions import PermissionDenied
 from django.test import TestCase, override_settings
 from unittest.mock import patch
-from dojo.models import Product_Type, Product_Type_Member, Product, Product_Member, Engagement, \
-    Test, Finding, Endpoint
+from dojo.models import Dojo_User, Product_Type, Product_Type_Member, Product, Product_Member, Engagement, \
+    Test, Finding, Endpoint, Dojo_Group, Product_Group, Product_Type_Group
 import dojo.authorization.authorization
 from dojo.authorization.authorization import role_has_permission, get_roles_for_permission, \
     user_has_permission_or_403, user_has_permission, \
@@ -15,7 +15,7 @@ class TestAuthorization(TestCase):
 
     @classmethod
     def setUpTestData(cls):
-        cls.user = User()
+        cls.user = Dojo_User()
         cls.user.id = 1
         cls.product_type = Product_Type()
         cls.product_type.id = 1
@@ -55,6 +55,33 @@ def setUpTestData(cls):
         cls.product_member_owner.product = cls.product
         cls.product_member_owner.role = Roles.Owner
 
+        cls.group = Dojo_Group()
+        cls.group.id = 1
+
+        cls.product_group_reader = Product_Group()
+        cls.product_group_reader.id = 1
+        cls.product_group_reader.product = cls.product
+        cls.product_group_reader.group = cls.group
+        cls.product_group_reader.role = Roles.Reader
+
+        cls.product_group_owner = Product_Group()
+        cls.product_group_owner.id = 2
+        cls.product_group_owner.product = cls.product
+        cls.product_group_owner.group = cls.group
+        cls.product_group_owner.role = Roles.Owner
+
+        cls.product_type_group_reader = Product_Type_Group()
+        cls.product_type_group_reader.id = 1
+        cls.product_type_group_reader.product_type = cls.product_type
+        cls.product_type_group_reader.group = cls.group
+        cls.product_type_group_reader.role = Roles.Reader
+
+        cls.product_type_group_owner = Product_Type_Group()
+        cls.product_type_group_owner.id = 2
+        cls.product_type_group_owner.product_type = cls.product_type
+        cls.product_type_group_owner.group = cls.group
+        cls.product_type_group_owner.role = Roles.Owner
+
     def test_role_has_permission_exception(self):
         with self.assertRaisesMessage(RoleDoesNotExistError,
                 'Role 9999 does not exist'):
@@ -328,3 +355,43 @@ def test_user_has_permission_product_member_success(self, mock_get):
         self.assertTrue(result)
         self.assertEqual(mock_get.call_args[1]['user'], other_user)
         self.assertEqual(mock_get.call_args[1]['product'], self.product)
+
+    @patch('dojo.models.Product_Group.objects.filter')
+    def test_user_has_group_product_no_permissions(self, mock_get):
+        mock_get.return_value = {self.product_group_reader}
+
+        result = user_has_permission(self.user, self.product, Permissions.Product_Delete)
+
+        self.assertFalse(result)
+        self.assertEqual(mock_get.call_args[1]['group__users'], self.user)
+        self.assertEqual(mock_get.call_args[1]['product'], self.product)
+
+    @patch('dojo.models.Product_Group.objects.filter')
+    def test_user_has_group_product_success(self, mock_get):
+        mock_get.return_value = {self.product_group_owner}
+
+        result = user_has_permission(self.user, self.product, Permissions.Product_Delete)
+
+        self.assertTrue(result)
+        self.assertEqual(mock_get.call_args[1]['group__users'], self.user)
+        self.assertEqual(mock_get.call_args[1]['product'], self.product)
+
+    @patch('dojo.models.Product_Type_Group.objects.filter')
+    def test_user_has_group_product_type_no_permissions(self, mock_get):
+        mock_get.return_value = {self.product_type_group_reader}
+
+        result = user_has_permission(self.user, self.product_type, Permissions.Product_Type_Delete)
+
+        self.assertFalse(result)
+        self.assertEqual(mock_get.call_args[1]['group__users'], self.user)
+        self.assertEqual(mock_get.call_args[1]['product_type'], self.product_type)
+
+    @patch('dojo.models.Product_Type_Group.objects.filter')
+    def test_user_has_group_product_type_success(self, mock_get):
+        mock_get.return_value = {self.product_type_group_owner}
+
+        result = user_has_permission(self.user, self.product_type, Permissions.Product_Type_Delete)
+
+        self.assertTrue(result)
+        self.assertEqual(mock_get.call_args[1]['group__users'], self.user)
+        self.assertEqual(mock_get.call_args[1]['product_type'], self.product_type)