4b7d4d5a74
- Accept RBAC system: user_roles table, role_required decorator, grant_role/revoke_role/ensure_admin_role functions - Accept improved billing architecture: billing_customers table separation, provider-agnostic naming - Accept enhanced user loading with subscription/roles eager loading in app.py - Accept improved email templates with branded styling - Accept new infrastructure: migration tracking, transaction logging, A/B testing - Accept template improvements: Resend SDK, Tailwind build stage, UMAMI analytics config - Keep beanflows-specific configs: BASE_URL 5001, coffee PLAN_FEATURES/PLAN_LIMITS - Keep beanflows analytics integration and DuckDB health check - Add new test files and utility scripts from template Co-Authored-By: Claude Sonnet 4 <noreply@anthropic.com>
243 lines
9.9 KiB
Python
243 lines
9.9 KiB
Python
"""
|
|
Tests for role-based access control: role_required decorator, grant/revoke/ensure_admin_role,
|
|
and admin route protection.
|
|
"""
|
|
import pytest
|
|
from quart import Blueprint
|
|
|
|
from beanflows.auth.routes import (
|
|
ensure_admin_role,
|
|
grant_role,
|
|
revoke_role,
|
|
role_required,
|
|
)
|
|
from beanflows import core
|
|
|
|
|
|
# ════════════════════════════════════════════════════════════
|
|
# grant_role / revoke_role
|
|
# ════════════════════════════════════════════════════════════
|
|
|
|
class TestGrantRole:
|
|
async def test_grants_role(self, db, test_user):
|
|
await grant_role(test_user["id"], "admin")
|
|
row = await core.fetch_one(
|
|
"SELECT role FROM user_roles WHERE user_id = ?",
|
|
(test_user["id"],),
|
|
)
|
|
assert row is not None
|
|
assert row["role"] == "admin"
|
|
|
|
async def test_idempotent(self, db, test_user):
|
|
await grant_role(test_user["id"], "admin")
|
|
await grant_role(test_user["id"], "admin")
|
|
rows = await core.fetch_all(
|
|
"SELECT role FROM user_roles WHERE user_id = ? AND role = 'admin'",
|
|
(test_user["id"],),
|
|
)
|
|
assert len(rows) == 1
|
|
|
|
|
|
class TestRevokeRole:
|
|
async def test_revokes_existing_role(self, db, test_user):
|
|
await grant_role(test_user["id"], "admin")
|
|
await revoke_role(test_user["id"], "admin")
|
|
row = await core.fetch_one(
|
|
"SELECT role FROM user_roles WHERE user_id = ? AND role = 'admin'",
|
|
(test_user["id"],),
|
|
)
|
|
assert row is None
|
|
|
|
async def test_noop_for_missing_role(self, db, test_user):
|
|
# Should not raise
|
|
await revoke_role(test_user["id"], "nonexistent")
|
|
|
|
|
|
# ════════════════════════════════════════════════════════════
|
|
# ensure_admin_role
|
|
# ════════════════════════════════════════════════════════════
|
|
|
|
class TestEnsureAdminRole:
|
|
async def test_grants_admin_for_listed_email(self, db, test_user):
|
|
core.config.ADMIN_EMAILS = ["test@example.com"]
|
|
try:
|
|
await ensure_admin_role(test_user["id"], "test@example.com")
|
|
row = await core.fetch_one(
|
|
"SELECT role FROM user_roles WHERE user_id = ? AND role = 'admin'",
|
|
(test_user["id"],),
|
|
)
|
|
assert row is not None
|
|
finally:
|
|
core.config.ADMIN_EMAILS = []
|
|
|
|
async def test_skips_for_unlisted_email(self, db, test_user):
|
|
core.config.ADMIN_EMAILS = ["boss@example.com"]
|
|
try:
|
|
await ensure_admin_role(test_user["id"], "test@example.com")
|
|
row = await core.fetch_one(
|
|
"SELECT role FROM user_roles WHERE user_id = ? AND role = 'admin'",
|
|
(test_user["id"],),
|
|
)
|
|
assert row is None
|
|
finally:
|
|
core.config.ADMIN_EMAILS = []
|
|
|
|
async def test_empty_admin_emails_grants_nothing(self, db, test_user):
|
|
core.config.ADMIN_EMAILS = []
|
|
await ensure_admin_role(test_user["id"], "test@example.com")
|
|
row = await core.fetch_one(
|
|
"SELECT role FROM user_roles WHERE user_id = ? AND role = 'admin'",
|
|
(test_user["id"],),
|
|
)
|
|
assert row is None
|
|
|
|
async def test_case_insensitive_matching(self, db, test_user):
|
|
core.config.ADMIN_EMAILS = ["test@example.com"]
|
|
try:
|
|
await ensure_admin_role(test_user["id"], "Test@Example.COM")
|
|
row = await core.fetch_one(
|
|
"SELECT role FROM user_roles WHERE user_id = ? AND role = 'admin'",
|
|
(test_user["id"],),
|
|
)
|
|
assert row is not None
|
|
finally:
|
|
core.config.ADMIN_EMAILS = []
|
|
|
|
|
|
# ════════════════════════════════════════════════════════════
|
|
# role_required decorator
|
|
# ════════════════════════════════════════════════════════════
|
|
|
|
role_test_bp = Blueprint("role_test", __name__)
|
|
|
|
|
|
@role_test_bp.route("/admin-only")
|
|
@role_required("admin")
|
|
async def admin_only_route():
|
|
return "admin-ok", 200
|
|
|
|
|
|
@role_test_bp.route("/multi-role")
|
|
@role_required("admin", "editor")
|
|
async def multi_role_route():
|
|
return "multi-ok", 200
|
|
|
|
|
|
class TestRoleRequired:
|
|
@pytest.fixture
|
|
async def role_app(self, app):
|
|
app.register_blueprint(role_test_bp)
|
|
return app
|
|
|
|
@pytest.fixture
|
|
async def role_client(self, role_app):
|
|
async with role_app.test_client() as c:
|
|
yield c
|
|
|
|
async def test_redirects_unauthenticated(self, role_client, db):
|
|
response = await role_client.get("/admin-only", follow_redirects=False)
|
|
assert response.status_code in (302, 303, 307)
|
|
|
|
async def test_rejects_user_without_role(self, role_client, db, test_user):
|
|
async with role_client.session_transaction() as sess:
|
|
sess["user_id"] = test_user["id"]
|
|
|
|
response = await role_client.get("/admin-only", follow_redirects=False)
|
|
assert response.status_code in (302, 303, 307)
|
|
|
|
async def test_allows_user_with_matching_role(self, role_client, db, test_user):
|
|
await grant_role(test_user["id"], "admin")
|
|
async with role_client.session_transaction() as sess:
|
|
sess["user_id"] = test_user["id"]
|
|
|
|
response = await role_client.get("/admin-only")
|
|
assert response.status_code == 200
|
|
|
|
async def test_multi_role_allows_any_match(self, role_client, db, test_user):
|
|
await grant_role(test_user["id"], "editor")
|
|
async with role_client.session_transaction() as sess:
|
|
sess["user_id"] = test_user["id"]
|
|
|
|
response = await role_client.get("/multi-role")
|
|
assert response.status_code == 200
|
|
|
|
async def test_multi_role_rejects_none(self, role_client, db, test_user):
|
|
await grant_role(test_user["id"], "viewer")
|
|
async with role_client.session_transaction() as sess:
|
|
sess["user_id"] = test_user["id"]
|
|
|
|
response = await role_client.get("/multi-role", follow_redirects=False)
|
|
assert response.status_code in (302, 303, 307)
|
|
|
|
|
|
# ════════════════════════════════════════════════════════════
|
|
# Admin route protection
|
|
# ════════════════════════════════════════════════════════════
|
|
|
|
class TestAdminRouteProtection:
|
|
async def test_admin_index_requires_admin_role(self, auth_client, db):
|
|
response = await auth_client.get("/admin/", follow_redirects=False)
|
|
assert response.status_code in (302, 303, 307)
|
|
|
|
async def test_admin_index_accessible_with_admin_role(self, admin_client, db):
|
|
response = await admin_client.get("/admin/")
|
|
assert response.status_code == 200
|
|
|
|
async def test_admin_users_requires_admin_role(self, auth_client, db):
|
|
response = await auth_client.get("/admin/users", follow_redirects=False)
|
|
assert response.status_code in (302, 303, 307)
|
|
|
|
async def test_admin_tasks_requires_admin_role(self, auth_client, db):
|
|
response = await auth_client.get("/admin/tasks", follow_redirects=False)
|
|
assert response.status_code in (302, 303, 307)
|
|
|
|
|
|
# ════════════════════════════════════════════════════════════
|
|
# Impersonation
|
|
# ════════════════════════════════════════════════════════════
|
|
|
|
class TestImpersonation:
|
|
async def test_impersonate_stores_admin_id(self, admin_client, db, test_user):
|
|
"""Impersonating stores admin's user_id in session['admin_impersonating']."""
|
|
# Create a second user to impersonate
|
|
now = "2025-01-01T00:00:00"
|
|
other_id = await core.execute(
|
|
"INSERT INTO users (email, name, created_at) VALUES (?, ?, ?)",
|
|
("other@example.com", "Other", now),
|
|
)
|
|
|
|
async with admin_client.session_transaction() as sess:
|
|
sess["csrf_token"] = "test_csrf"
|
|
|
|
response = await admin_client.post(
|
|
f"/admin/users/{other_id}/impersonate",
|
|
form={"csrf_token": "test_csrf"},
|
|
follow_redirects=False,
|
|
)
|
|
assert response.status_code in (302, 303, 307)
|
|
|
|
async with admin_client.session_transaction() as sess:
|
|
assert sess["user_id"] == other_id
|
|
assert sess["admin_impersonating"] == test_user["id"]
|
|
|
|
async def test_stop_impersonating_restores_admin(self, app, db, test_user, grant_role):
|
|
"""Stopping impersonation restores the admin's user_id."""
|
|
await grant_role(test_user["id"], "admin")
|
|
|
|
async with app.test_client() as c:
|
|
async with c.session_transaction() as sess:
|
|
sess["user_id"] = 999 # impersonated user
|
|
sess["admin_impersonating"] = test_user["id"]
|
|
sess["csrf_token"] = "test_csrf"
|
|
|
|
response = await c.post(
|
|
"/admin/stop-impersonating",
|
|
form={"csrf_token": "test_csrf"},
|
|
follow_redirects=False,
|
|
)
|
|
assert response.status_code in (302, 303, 307)
|
|
|
|
async with c.session_transaction() as sess:
|
|
assert sess["user_id"] == test_user["id"]
|
|
assert "admin_impersonating" not in sess
|