Coverage for tests / test_gafaelfawr.py: 18%


1# This file is part of daf_butler. 

2# 

3# Developed for the LSST Data Management System. 

4# This product includes software developed by the LSST Project 

5# (http://www.lsst.org). 

6# See the COPYRIGHT file at the top-level directory of this distribution 

7# for details of code ownership. 

8# 

9# This software is dual licensed under the GNU General Public License and also 

10# under a 3-clause BSD license. Recipients may choose which of these licenses 

11# to use; please see the files gpl-3.0.txt and/or bsd_license.txt, 

12# respectively. If you choose the GPL option then the following text applies 

13# (but note that there is still no warranty even if you opt for BSD instead): 

14# 

15# This program is free software: you can redistribute it and/or modify 

16# it under the terms of the GNU General Public License as published by 

17# the Free Software Foundation, either version 3 of the License, or 

18# (at your option) any later version. 

19# 

20# This program is distributed in the hope that it will be useful, 

21# but WITHOUT ANY WARRANTY; without even the implied warranty of 

22# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 

23# GNU General Public License for more details. 

24# 

25# You should have received a copy of the GNU General Public License 

26# along with this program. If not, see <http://www.gnu.org/licenses/>. 

27 

28from __future__ import annotations 

29 

30import unittest 

31 

32from lsst.daf.butler.tests.server_available import butler_server_import_error, butler_server_is_available 

33 

# The FastAPI/httpx stack and the server-side modules are imported only when
# the availability flag is set. When it is not, none of the names below
# exist, so every use of them has to stay behind the same flag.
if butler_server_is_available:
    import fastapi
    import httpx

    from lsst.daf.butler.remote_butler.server._dependencies import repository_authorization_dependency
    from lsst.daf.butler.remote_butler.server._gafaelfawr import GafaelfawrClient, GafaelfawrGroupAuthorizer

40 

41 

42# FastAPI is not installed during LSST Pipelines stack builds, so skip these 

43# tests if it is not available. 

@unittest.skipIf(not butler_server_is_available, butler_server_import_error)
class GafaelfawrAuthorizationTestCase(unittest.IsolatedAsyncioTestCase):
    """Check repository authorization decisions driven by Gafaelfawr groups.

    Gafaelfawr is stood in for by an ``httpx.MockTransport``, so these tests
    pin how the authorizer calls the service and turns its reply into an
    allow or deny decision; they do not exercise a real Gafaelfawr.
    """

    async def test_gafaelfawr_group_auth(self) -> None:
        """Drive one authorizer through deny, wildcard, allow and cache steps.

        The steps share a single authorizer and must run in this order: the
        request counts asserted further down depend on what earlier steps
        left in its cache.
        """
        # Canned reply served by the fake Gafaelfawr endpoint.
        # NOTE(review): the reply names "some-user" while the calls below
        # pass "username"; nothing in this test shows the two being compared
        # -- confirm that is intended.
        status = 200
        user_info = {"username": "some-user", "groups": [{"name": "some-group"}, {"name": "b"}]}
        last_headers: httpx.Headers = httpx.Headers(None)
        calls = 0

        def fake_gafaelfawr(request: httpx.Request):
            # Record what the client sent, then answer with whatever reply
            # the test currently has configured.
            nonlocal last_headers, calls
            last_headers = request.headers
            calls += 1
            return httpx.Response(status, json=user_info)

        # The mock transport answers in-process, so the plain-http base URL
        # never carries the token over a real connection.
        client = GafaelfawrClient(
            "http://gafaelfawr.example", transport=httpx.MockTransport(fake_gafaelfawr)
        )
        # Repository name -> groups allowed to use it.
        allowed_groups = {"any_group": ["*"], "group_a": ["a"], "group_b": ["c", "b"]}
        authorizer = GafaelfawrGroupAuthorizer(client, allowed_groups)

        async def authorize(repository: str, username: str) -> None:
            # Every step presents the same token; only repository and user vary.
            await repository_authorization_dependency(repository, username, "mock-token", authorizer)

        # Deny: the user's groups do not include "a". The caller's token must
        # have been forwarded to Gafaelfawr unchanged as a bearer credential.
        with self.assertRaises(fastapi.HTTPException) as denied:
            await authorize("group_a", "username")
        self.assertEqual(denied.exception.status_code, 403)
        self.assertEqual(last_headers.get("Authorization"), "Bearer mock-token")

        # Wildcard: '*' admits every user, and no Gafaelfawr lookup is
        # expected for it.
        # NOTE(review): with no lookup on this path, this test does not show
        # where the token itself is validated -- presumably upstream; confirm.
        calls = 0
        await authorize("any_group", "username")
        self.assertEqual(calls, 0)

        # Allow: membership in "b" has to be confirmed by exactly one lookup,
        # even though "username" was already looked up in the deny step.
        calls = 0
        await authorize("group_b", "username")
        self.assertEqual(calls, 1)

        # Cache hit: repeating the call for the same username must not reach
        # the service again.
        # NOTE(review): cache expiry is not covered here, so how long a
        # removed group membership keeps granting access is not pinned by
        # this test.
        calls = 0
        await authorize("group_b", "username")
        self.assertEqual(calls, 0)

        # Cache miss: a different username must be looked up afresh and is
        # denied because its groups do not match.
        calls = 0
        user_info = {"username": "other-username", "groups": [{"name": "incorrect-group"}]}
        with self.assertRaises(fastapi.HTTPException) as denied:
            await authorize("group_b", "other-username")
        self.assertEqual(denied.exception.status_code, 403)
        self.assertEqual(calls, 1)

        # A repository missing from the configuration is rejected with
        # ValueError rather than an HTTP error.
        with self.assertRaises(ValueError):
            await authorize("unknown_repository", "username")