From 5f3b02b20f48fe43342490af8430dcc6e6772394 Mon Sep 17 00:00:00 2001
From: junjiequan
Date: Tue, 23 Jul 2024 11:09:56 +0200
Subject: [PATCH] added api tests of new access checking endpoint for sample Auth and proposal Auth
---
 test/ProposalAuthorization.js | 118 ++++++++++++++++++++++++++++++++--
 test/SampleAuthorization.js | 82 +++++++++++++++++++++++
 2 files changed, 195 insertions(+), 5 deletions(-)
diff --git a/test/ProposalAuthorization.js b/test/ProposalAuthorization.js
index 1ba2f3af4..05aa0e66c 100644
--- a/test/ProposalAuthorization.js
+++ b/test/ProposalAuthorization.js
@@ -218,6 +218,18 @@ describe("1400: ProposalAuthorization: Test access to proposal", () => {
 });
 });
+ it("0061: check admin access to proposal 1 should return true", async () => {
+ return request(appUrl)
+ .get("/api/v3/proposals/" + encodedProposalPid1 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenAdminIngestor}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(true);
+ });
+ });
+
 it("0070: full query for proposals for admin", async () => {
 return request(appUrl)
 .get("/api/v3/proposals/fullquery")
@@ -242,6 +254,18 @@ describe("1400: ProposalAuthorization: Test access to proposal", () => {
 });
 });
+ it("0081: check admin access to proposal 2 should return true", async () => {
+ return request(appUrl)
+ .get("/api/v3/proposals/" + encodedProposalPid2 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenAdminIngestor}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(true);
+ });
+ });
+
 it("0090: access proposal 3 as admin", async () => {
 return request(appUrl)
 .get("/api/v3/proposals/" + encodedProposalPid3)
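Review bot: The same ten-line request-and-assert block is repeated verbatim in every `/access` test added by this patch (0061 and 0081 here, 0091 through 0171 in the later hunks of this file, and all of the SampleAuthorization.js additions), differing only in the path, the bearer token and the expected boolean; a small helper per describe block would leave only those three things visible in each test and would let the unauthenticated cases (1331, 1421) be the no-token case instead of a fourth hand-edited copy. The 0161, 0166 and 0171 hunks also swap the order of the two `.expect` calls relative to every other copy, which a shared helper removes as a difference. A constructed sketch follows; the existing `.then`-returning style works just as well if `await` is not wanted in these files.
```javascript
// constructed example: one helper per describe block, the tests become one-liners
async function expectAccess(path, token, expected) {
  const req = request(appUrl)
    .get(`${path}/access`)
    .set("Accept", "application/json");
  if (token) {
    req.set({ Authorization: `Bearer ${token}` });
  }
  const res = await req
    .expect(TestData.SuccessfulGetStatusCode)
    .expect("Content-Type", /json/);
  res.body.should.have.property("canAccess").and.be.equal(expected);
}

it("0061: check admin access to proposal 1 should return true", () =>
  expectAccess("/api/v3/proposals/" + encodedProposalPid1, accessTokenAdminIngestor, true));
// … unchanged: remaining tests, each reduced to one expectAccess call …
```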
@@ -254,6 +278,18 @@ describe("1400: ProposalAuthorization: Test access to proposal", () => {
 });
 });
+ it("0091: check admin access to proposal 3 should return true", async () => {
+ return request(appUrl)
+ .get("/api/v3/proposals/" + encodedProposalPid3 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenAdminIngestor}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(true);
+ });
+ });
+
 it("0100: list of proposals for user 1", async () => {
 return request(appUrl)
 .get("/api/v3/proposals")
@@ -267,15 +303,27 @@ describe("1400: ProposalAuthorization: Test access to proposal", () => {
 });
 });
- it("0110: access proposal 1 as user 1", async () => {
+ it("0110: access proposal 1 as user 1 should fail", async () => {
 return request(appUrl)
- .get("/api/v3/proposals/" + 20170268)
+ .get("/api/v3/proposals/" + encodedProposalPid1)
 .set("Accept", "application/json")
 .set({ Authorization: `Bearer ${accessTokenUser1}` })
 .expect("Content-Type", /json/)
 .expect(TestData.AccessForbiddenStatusCode);
 });
+ it("0111: check user 1 access to proposal 1 should return false", async () => {
+ return request(appUrl)
+ .get("/api/v3/proposals/" + encodedProposalPid1 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenUser1}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(false);
+ });
+ });
+
 it("0120: access proposal 2 as user 1", async () => {
 return request(appUrl)
 .get("/api/v3/proposals/" + encodedProposalPid2)
@@ -288,7 +336,19 @@ describe("1400: ProposalAuthorization: Test access to proposal", () => {
 });
 });
- it("0130: access proposal 3 as user 1", async () => {
+ it("0121: check user 1 access to proposal 2 should return true", async () => {
+ return request(appUrl)
+ .get("/api/v3/proposals/" + encodedProposalPid2 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenUser1}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(true);
+ });
+ });
+
+ it("0130: access proposal 3 as user 1 should fail", async () => {
 return request(appUrl)
 .get("/api/v3/proposals/" + encodedProposalPid3)
 .set("Accept", "application/json")
@@ -297,6 +357,18 @@ describe("1400: ProposalAuthorization: Test access to proposal", () => {
 .expect(TestData.AccessForbiddenStatusCode);
 });
+ it("0131: check user 1 access to proposal 3 should return false", async () => {
+ return request(appUrl)
+ .get("/api/v3/proposals/" + encodedProposalPid3 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenUser1}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(false);
+ });
+ });
+
 it("0140: full query for proposals for user 1", async () => {
 return request(appUrl)
 .get("/api/v3/proposals/fullquery")
@@ -323,7 +395,7 @@ describe("1400: ProposalAuthorization: Test access to proposal", () => {
 });
 });
- it("0160: access proposal 1 as user 2", async () => {
+ it("0160: access proposal 1 as user 2 should fail", async () => {
 return request(appUrl)
 .get("/api/v3/proposals/" + encodedProposalPid1)
 .set("Accept", "application/json")
@@ -332,7 +404,19 @@ describe("1400: ProposalAuthorization: Test access to proposal", () => {
 .expect(TestData.AccessForbiddenStatusCode);
 });
- it("0160: access proposal 2 as user 2", async () => {
+ it("0161: check user 2 access to proposal 1 should return false", async () => {
+ return request(appUrl)
+ .get("/api/v3/proposals/" + encodedProposalPid1 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenUser2}` })
+ .expect("Content-Type", /json/)
+ .expect(TestData.SuccessfulGetStatusCode)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(false);
+ });
+ });
+
+ it("0165: access proposal 2 as user 2", async () => {
 return request(appUrl)
 .get("/api/v3/proposals/" + encodedProposalPid2)
 .set("Accept", "application/json")
@@ -344,6 +428,18 @@ describe("1400: ProposalAuthorization: Test access to proposal", () => {
 });
 });
+ it("0166: check user 2 access to proposal 2 should return true", async () => {
+ return request(appUrl)
+ .get("/api/v3/proposals/" + encodedProposalPid2 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenUser2}` })
+ .expect("Content-Type", /json/)
+ .expect(TestData.SuccessfulGetStatusCode)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(true);
+ });
+ });
+
 it("0170: access proposal 3 as user 2", async () => {
 return request(appUrl)
 .get("/api/v3/proposals/" + encodedProposalPid3)
@@ -356,6 +452,18 @@ describe("1400: ProposalAuthorization: Test access to proposal", () => {
 });
 });
+ it("0171: check user 2 access to proposal 3 should return true", async () => {
+ return request(appUrl)
+ .get("/api/v3/proposals/" + encodedProposalPid3 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenUser2}` })
+ .expect("Content-Type", /json/)
+ .expect(TestData.SuccessfulGetStatusCode)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(true);
+ });
+ });
+
 it("0180: full query for proposals for user 2", async () => {
 return request(appUrl)
 .get("/api/v3/proposals/fullquery")
diff --git a/test/SampleAuthorization.js b/test/SampleAuthorization.js
index 1f834f9b0..5317a4b38 100644
--- a/test/SampleAuthorization.js
+++ b/test/SampleAuthorization.js
@@ -1349,6 +1349,18 @@ describe("2250: Sample Authorization", () => {
 });
 });
+ it("0641: check Admin Ingestor access to public sample 1 should return true", async () => {
+ return request(appUrl)
+ .get("/api/v3/Samples/" + sampleId1 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenAdminIngestor}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(true);
+ });
+ });
+
 it("0645: fetch all attachments for sample 1 as Admin Ingestor", async () => {
 return request(appUrl)
 .get("/api/v3/Samples/" + sampleId1 + "/attachments")
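Review bot: The title of 0641 in the SampleAuthorization.js hunk calls sample 1 a public sample, but later hunks of this same patch expect `canAccess: false` for `sampleId1` from the Sample Ingestor (0731) and from an unauthenticated caller (1331), which only fits a sample that is not public; the sample the patch treats as public is sample 10 (1421). Unless sample 1 really is meant to be public and those later expectations are the error, the title should drop the word: `it("0641: check Admin Ingestor access to sample 1 should return true", async () => {`. A misleading title here is what a reader of a failing run will see first, so it is worth getting right.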
@@ -1585,6 +1597,18 @@ describe("2250: Sample Authorization", () => {
 .expect(TestData.CreationForbiddenStatusCode);
 });
+ it("0731: check Sample Ingestor access to sample 1 should return false", async () => {
+ return request(appUrl)
+ .get("/api/v3/Samples/" + sampleId1 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenSampleIngestor}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(false);
+ });
+ });
+
 it("0735: fetch all attachments for sample 1 as Sample Ingestor, which should fail", async () => {
 return request(appUrl)
 .get("/api/v3/Samples/" + sampleId1 + "/attachments")
@@ -1605,6 +1629,18 @@ describe("2250: Sample Authorization", () => {
 });
 });
+ it("0741: check Sample Ingestor access to sample 2 should return true", async () => {
+ return request(appUrl)
+ .get("/api/v3/Samples/" + sampleId2 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenSampleIngestor}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(true);
+ });
+ });
+
 it("0745: fetch all attachments for sample 2 as Sample Ingestor", async () => {
 return request(appUrl)
 .get("/api/v3/Samples/" + sampleId2 + "/attachments")
@@ -1769,6 +1805,18 @@ describe("2250: Sample Authorization", () => {
 .expect(TestData.CreationForbiddenStatusCode);
 });
+ it("0831: check User 1 access to sample 2 should return false", async () => {
+ return request(appUrl)
+ .get("/api/v3/Samples/" + sampleId1 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenUser1}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(false);
+ });
+ });
+
 it("0835: fetch all attachments for sample 1 as User 1, which should fail", async () => {
 return request(appUrl)
 .get("/api/v3/Samples/" + sampleId1 + "/attachments")
@@ -1805,6 +1853,18 @@ describe("2250: Sample Authorization", () => {
 });
 });
+ it("0851: check User 1 access to sample 3 should return true", async () => {
+ return request(appUrl)
+ .get("/api/v3/Samples/" + sampleId3 + "/access")
+ .set("Accept", "application/json")
+ .set({ Authorization: `Bearer ${accessTokenUser1}` })
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(true);
+ });
+ });
+
 it("0855: fetch all attachments for sample 3 as User 1", async () => {
 return request(appUrl)
 .get("/api/v3/Samples/" + sampleId3 + "/attachments")
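Review bot: Test 0831 is titled as a check of User 1's access to sample 2, but its request goes to `sampleId1`; the neighbouring 0835 ("fetch all attachments for sample 1 as User 1, which should fail") and the `false` expectation both fit sample 1, so the title looks like the part that is wrong. Suggest `it("0831: check User 1 access to sample 1 should return false", async () => {`. If sample 2 really was intended, the URL should use `sampleId2` instead and the expected boolean re-checked against what User 1 is allowed to see of sample 2, since the two readings assert different things.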
@@ -2736,6 +2796,17 @@ describe("2250: Sample Authorization", () => {
 .expect(TestData.AccessForbiddenStatusCode);
 });
+ it("1331: check unauthenticated user access to sample 1 should return false", async () => {
+ return request(appUrl)
+ .get("/api/v3/Samples/" + sampleId1 + "/access")
+ .set("Accept", "application/json")
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(false);
+ });
+ });
+
 it("1335: fetch all attachments for sample 1 as Unauthenticated User, which should fail", async () => {
 return request(appUrl)
 .get("/api/v3/Samples/" + sampleId1 + "/attachments")
@@ -2866,6 +2937,17 @@ describe("2250: Sample Authorization", () => {
 });
 });
+ it("1421: check unauthenticated user access to public sample 10 should return true", async () => {
+ return request(appUrl)
+ .get("/api/v3/Samples/" + sampleId10 + "/access")
+ .set("Accept", "application/json")
+ .expect(TestData.SuccessfulGetStatusCode)
+ .expect("Content-Type", /json/)
+ .then((res) => {
+ res.body.should.have.property("canAccess").and.be.equal(true);
+ });
+ });
+
 it("1425: fetch all attachments for sample 10 as Unauthenticated User", async () => {
 return request(appUrl)
 .get("/api/v3/Samples/" + sampleId10 + "/attachments")
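Review bot: The unauthenticated cases 1331 and 1421 pin only the two boolean outcomes for ids that exist, so the suite records nothing about what `/access` answers for an id that does not exist, and that is the case an anonymous caller will most easily hit. Whether the endpoint replies `canAccess: false` (indistinguishable from a forbidden sample) or with a not-found status is a design choice worth fixing in a test; I would add one case beside 1331 that requests `"/api/v3/Samples/" + <nonexistent id placeholder> + "/access"` without a token and asserts whichever of the two the endpoint is meant to return. The same gap exists for the proposal `/access` tests in ProposalAuthorization.js.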