vincbeck commented on code in PR #61351:
URL: https://github.com/apache/airflow/pull/61351#discussion_r2818107557
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -411,12 +441,213 @@ def test_is_authorized_dag(
token_url = auth_manager._get_token_url("server_url", "realm")
payload = auth_manager._get_payload("client_id", permission,
attributes)
- headers = auth_manager._get_headers("access_token")
+ headers = auth_manager._get_headers(user.access_token)
auth_manager.http_session.post.assert_called_once_with(
token_url, data=payload, headers=headers, timeout=5
)
assert result == expected
+ @pytest.mark.parametrize(
+ ("function", "method", "details", "permission"),
+ [
+ ("is_authorized_dag", "GET", DagDetails(id="test",
team_name="team-a"), "Dag#GET"),
+ (
+ "is_authorized_connection",
+ "DELETE",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection#DELETE",
+ ),
+ (
+ "is_authorized_variable",
+ "PUT",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable#PUT",
+ ),
+ ("is_authorized_pool", "POST", PoolDetails(name="test",
team_name="team-a"), "Pool#POST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
Review Comment:
Instead, you can skip this test if not `AIRFLOW_V_3_2_PLUS`
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -163,7 +189,7 @@ def test_refresh_user_expired_with_invalid_token(
mock_get_keycloak_client.return_value = keycloak_client
- if AIRFLOW_V_3_1_7_PLUS:
+ if AIRFLOW_V_3_2_PLUS:
Review Comment:
Why updating this constant?
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -411,12 +441,213 @@ def test_is_authorized_dag(
token_url = auth_manager._get_token_url("server_url", "realm")
payload = auth_manager._get_payload("client_id", permission,
attributes)
- headers = auth_manager._get_headers("access_token")
+ headers = auth_manager._get_headers(user.access_token)
auth_manager.http_session.post.assert_called_once_with(
token_url, data=payload, headers=headers, timeout=5
)
assert result == expected
+ @pytest.mark.parametrize(
+ ("function", "method", "details", "permission"),
+ [
+ ("is_authorized_dag", "GET", DagDetails(id="test",
team_name="team-a"), "Dag#GET"),
+ (
+ "is_authorized_connection",
+ "DELETE",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection#DELETE",
+ ),
+ (
+ "is_authorized_variable",
+ "PUT",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable#PUT",
+ ),
+ ("is_authorized_pool", "POST", PoolDetails(name="test",
team_name="team-a"), "Pool#POST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_team_name_ignored_when_multi_team_disabled(
+ self, auth_manager, user, function, method, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager.http_session.post = Mock(return_value=mock_response)
+
+ getattr(auth_manager, function)(method=method, user=user,
details=details)
+
+ actual_permission =
auth_manager.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test", team_name="team-a"),
"Dag:team-a#GET"),
+ (
+ "is_authorized_connection",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection:team-a#GET",
+ ),
+ (
+ "is_authorized_variable",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable:team-a#GET",
+ ),
+ ("is_authorized_pool", PoolDetails(name="test",
team_name="team-a"), "Pool:team-a#GET"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_with_team_name_uses_team_scoped_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test"), "Dag#GET"),
+ ("is_authorized_connection", ConnectionDetails(conn_id="test"),
"Connection#GET"),
+ ("is_authorized_variable", VariableDetails(key="test"),
"Variable#GET"),
+ ("is_authorized_pool", PoolDetails(name="test"), "Pool#GET"),
+ ],
+ )
+ def test_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "permission"),
+ [
+ ("is_authorized_dag", "Dag#LIST"),
+ ("is_authorized_connection", "Connection#LIST"),
+ ("is_authorized_variable", "Variable#LIST"),
+ ("is_authorized_pool", "Pool#LIST"),
+ ],
+ )
+ def test_list_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(team_name="team-a"),
"Dag:team-a#LIST"),
+ ("is_authorized_connection",
ConnectionDetails(team_name="team-a"), "Connection:team-a#LIST"),
+ ("is_authorized_variable", VariableDetails(team_name="team-a"),
"Variable:team-a#LIST"),
+ ("is_authorized_pool", PoolDetails(team_name="team-a"),
"Pool:team-a#LIST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_list_with_team_name_uses_team_scoped_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ user.access_token = _build_access_token({"groups": ["team-a"]})
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ def test_filter_authorized_dag_ids_team_mismatch(self,
auth_manager_multi_team, user):
+ if not AIRFLOW_V_3_2_PLUS:
+ pytest.skip("team_name not supported before Airflow 3.2.0")
+
+ with patch.object(KeycloakAuthManager, "is_authorized_dag",
return_value=False) as mock_is_authorized:
Review Comment:
nit: this is a personal preference but I usually prefer using decorator
instead of `with`, that makes the test implementation shorter
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -411,12 +441,213 @@ def test_is_authorized_dag(
token_url = auth_manager._get_token_url("server_url", "realm")
payload = auth_manager._get_payload("client_id", permission,
attributes)
- headers = auth_manager._get_headers("access_token")
+ headers = auth_manager._get_headers(user.access_token)
auth_manager.http_session.post.assert_called_once_with(
token_url, data=payload, headers=headers, timeout=5
)
assert result == expected
+ @pytest.mark.parametrize(
+ ("function", "method", "details", "permission"),
+ [
+ ("is_authorized_dag", "GET", DagDetails(id="test",
team_name="team-a"), "Dag#GET"),
+ (
+ "is_authorized_connection",
+ "DELETE",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection#DELETE",
+ ),
+ (
+ "is_authorized_variable",
+ "PUT",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable#PUT",
+ ),
+ ("is_authorized_pool", "POST", PoolDetails(name="test",
team_name="team-a"), "Pool#POST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_team_name_ignored_when_multi_team_disabled(
+ self, auth_manager, user, function, method, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager.http_session.post = Mock(return_value=mock_response)
+
+ getattr(auth_manager, function)(method=method, user=user,
details=details)
+
+ actual_permission =
auth_manager.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test", team_name="team-a"),
"Dag:team-a#GET"),
+ (
+ "is_authorized_connection",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection:team-a#GET",
+ ),
+ (
+ "is_authorized_variable",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable:team-a#GET",
+ ),
+ ("is_authorized_pool", PoolDetails(name="test",
team_name="team-a"), "Pool:team-a#GET"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_with_team_name_uses_team_scoped_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test"), "Dag#GET"),
+ ("is_authorized_connection", ConnectionDetails(conn_id="test"),
"Connection#GET"),
+ ("is_authorized_variable", VariableDetails(key="test"),
"Variable#GET"),
+ ("is_authorized_pool", PoolDetails(name="test"), "Pool#GET"),
+ ],
+ )
+ def test_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "permission"),
+ [
+ ("is_authorized_dag", "Dag#LIST"),
+ ("is_authorized_connection", "Connection#LIST"),
+ ("is_authorized_variable", "Variable#LIST"),
+ ("is_authorized_pool", "Pool#LIST"),
+ ],
+ )
+ def test_list_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(team_name="team-a"),
"Dag:team-a#LIST"),
+ ("is_authorized_connection",
ConnectionDetails(team_name="team-a"), "Connection:team-a#LIST"),
+ ("is_authorized_variable", VariableDetails(team_name="team-a"),
"Variable:team-a#LIST"),
+ ("is_authorized_pool", PoolDetails(team_name="team-a"),
"Pool:team-a#LIST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_list_with_team_name_uses_team_scoped_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ user.access_token = _build_access_token({"groups": ["team-a"]})
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ def test_filter_authorized_dag_ids_team_mismatch(self,
auth_manager_multi_team, user):
+ if not AIRFLOW_V_3_2_PLUS:
+ pytest.skip("team_name not supported before Airflow 3.2.0")
+
+ with patch.object(KeycloakAuthManager, "is_authorized_dag",
return_value=False) as mock_is_authorized:
+ result = auth_manager_multi_team.filter_authorized_dag_ids(
+ dag_ids={"dag-a"}, user=user, team_name="team-b"
+ )
+
+ mock_is_authorized.assert_called_once()
+ assert result == set()
+
+ def test_filter_authorized_dag_ids_team_match(self,
auth_manager_multi_team, user):
+ if not AIRFLOW_V_3_2_PLUS:
+ pytest.skip("team_name not supported before Airflow 3.2.0")
+
+ with patch.object(KeycloakAuthManager, "is_authorized_dag",
return_value=True) as mock_is_authorized:
+ result = auth_manager_multi_team.filter_authorized_dag_ids(
+ dag_ids={"dag-a"}, user=user, team_name="team-a"
+ )
+
+ mock_is_authorized.assert_called_once()
+ assert result == {"dag-a"}
+
+ def test_filter_authorized_pools_no_team_returns_empty(self,
auth_manager_multi_team, user):
+ if not AIRFLOW_V_3_2_PLUS:
+ pytest.skip("filter_authorized_pools not supported before Airflow
3.2.0")
Review Comment:
Can you please use a decorator? That makes it easier to read
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -411,12 +441,213 @@ def test_is_authorized_dag(
token_url = auth_manager._get_token_url("server_url", "realm")
payload = auth_manager._get_payload("client_id", permission,
attributes)
- headers = auth_manager._get_headers("access_token")
+ headers = auth_manager._get_headers(user.access_token)
auth_manager.http_session.post.assert_called_once_with(
token_url, data=payload, headers=headers, timeout=5
)
assert result == expected
+ @pytest.mark.parametrize(
+ ("function", "method", "details", "permission"),
+ [
+ ("is_authorized_dag", "GET", DagDetails(id="test",
team_name="team-a"), "Dag#GET"),
+ (
+ "is_authorized_connection",
+ "DELETE",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection#DELETE",
+ ),
+ (
+ "is_authorized_variable",
+ "PUT",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable#PUT",
+ ),
+ ("is_authorized_pool", "POST", PoolDetails(name="test",
team_name="team-a"), "Pool#POST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_team_name_ignored_when_multi_team_disabled(
+ self, auth_manager, user, function, method, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager.http_session.post = Mock(return_value=mock_response)
+
+ getattr(auth_manager, function)(method=method, user=user,
details=details)
+
+ actual_permission =
auth_manager.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test", team_name="team-a"),
"Dag:team-a#GET"),
+ (
+ "is_authorized_connection",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection:team-a#GET",
+ ),
+ (
+ "is_authorized_variable",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable:team-a#GET",
+ ),
+ ("is_authorized_pool", PoolDetails(name="test",
team_name="team-a"), "Pool:team-a#GET"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
Review Comment:
Same
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -173,73 +199,75 @@ def test_refresh_user_expired_with_invalid_token(
keycloak_client.refresh_token.assert_called_with("refresh_token")
- @pytest.mark.parametrize(
- ("function", "method", "details", "permission", "attributes"),
+ _AUTHORIZED_PARAMS = [
Review Comment:
Why moving these tests to a constant?
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -411,12 +441,213 @@ def test_is_authorized_dag(
token_url = auth_manager._get_token_url("server_url", "realm")
payload = auth_manager._get_payload("client_id", permission,
attributes)
- headers = auth_manager._get_headers("access_token")
+ headers = auth_manager._get_headers(user.access_token)
auth_manager.http_session.post.assert_called_once_with(
token_url, data=payload, headers=headers, timeout=5
)
assert result == expected
+ @pytest.mark.parametrize(
+ ("function", "method", "details", "permission"),
+ [
+ ("is_authorized_dag", "GET", DagDetails(id="test",
team_name="team-a"), "Dag#GET"),
+ (
+ "is_authorized_connection",
+ "DELETE",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection#DELETE",
+ ),
+ (
+ "is_authorized_variable",
+ "PUT",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable#PUT",
+ ),
+ ("is_authorized_pool", "POST", PoolDetails(name="test",
team_name="team-a"), "Pool#POST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_team_name_ignored_when_multi_team_disabled(
+ self, auth_manager, user, function, method, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager.http_session.post = Mock(return_value=mock_response)
+
+ getattr(auth_manager, function)(method=method, user=user,
details=details)
+
+ actual_permission =
auth_manager.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test", team_name="team-a"),
"Dag:team-a#GET"),
+ (
+ "is_authorized_connection",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection:team-a#GET",
+ ),
+ (
+ "is_authorized_variable",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable:team-a#GET",
+ ),
+ ("is_authorized_pool", PoolDetails(name="test",
team_name="team-a"), "Pool:team-a#GET"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_with_team_name_uses_team_scoped_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test"), "Dag#GET"),
+ ("is_authorized_connection", ConnectionDetails(conn_id="test"),
"Connection#GET"),
+ ("is_authorized_variable", VariableDetails(key="test"),
"Variable#GET"),
+ ("is_authorized_pool", PoolDetails(name="test"), "Pool#GET"),
+ ],
+ )
+ def test_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "permission"),
+ [
+ ("is_authorized_dag", "Dag#LIST"),
+ ("is_authorized_connection", "Connection#LIST"),
+ ("is_authorized_variable", "Variable#LIST"),
+ ("is_authorized_pool", "Pool#LIST"),
+ ],
+ )
+ def test_list_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(team_name="team-a"),
"Dag:team-a#LIST"),
+ ("is_authorized_connection",
ConnectionDetails(team_name="team-a"), "Connection:team-a#LIST"),
+ ("is_authorized_variable", VariableDetails(team_name="team-a"),
"Variable:team-a#LIST"),
+ ("is_authorized_pool", PoolDetails(team_name="team-a"),
"Pool:team-a#LIST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_list_with_team_name_uses_team_scoped_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ user.access_token = _build_access_token({"groups": ["team-a"]})
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ def test_filter_authorized_dag_ids_team_mismatch(self,
auth_manager_multi_team, user):
+ if not AIRFLOW_V_3_2_PLUS:
+ pytest.skip("team_name not supported before Airflow 3.2.0")
+
+ with patch.object(KeycloakAuthManager, "is_authorized_dag",
return_value=False) as mock_is_authorized:
+ result = auth_manager_multi_team.filter_authorized_dag_ids(
+ dag_ids={"dag-a"}, user=user, team_name="team-b"
+ )
+
+ mock_is_authorized.assert_called_once()
+ assert result == set()
+
+ def test_filter_authorized_dag_ids_team_match(self,
auth_manager_multi_team, user):
+ if not AIRFLOW_V_3_2_PLUS:
+ pytest.skip("team_name not supported before Airflow 3.2.0")
Review Comment:
Can you please use a decorator? That makes it easier to read
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -411,12 +441,213 @@ def test_is_authorized_dag(
token_url = auth_manager._get_token_url("server_url", "realm")
payload = auth_manager._get_payload("client_id", permission,
attributes)
- headers = auth_manager._get_headers("access_token")
+ headers = auth_manager._get_headers(user.access_token)
auth_manager.http_session.post.assert_called_once_with(
token_url, data=payload, headers=headers, timeout=5
)
assert result == expected
+ @pytest.mark.parametrize(
+ ("function", "method", "details", "permission"),
+ [
+ ("is_authorized_dag", "GET", DagDetails(id="test",
team_name="team-a"), "Dag#GET"),
+ (
+ "is_authorized_connection",
+ "DELETE",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection#DELETE",
+ ),
+ (
+ "is_authorized_variable",
+ "PUT",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable#PUT",
+ ),
+ ("is_authorized_pool", "POST", PoolDetails(name="test",
team_name="team-a"), "Pool#POST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_team_name_ignored_when_multi_team_disabled(
+ self, auth_manager, user, function, method, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager.http_session.post = Mock(return_value=mock_response)
+
+ getattr(auth_manager, function)(method=method, user=user,
details=details)
+
+ actual_permission =
auth_manager.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test", team_name="team-a"),
"Dag:team-a#GET"),
+ (
+ "is_authorized_connection",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection:team-a#GET",
+ ),
+ (
+ "is_authorized_variable",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable:team-a#GET",
+ ),
+ ("is_authorized_pool", PoolDetails(name="test",
team_name="team-a"), "Pool:team-a#GET"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_with_team_name_uses_team_scoped_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test"), "Dag#GET"),
+ ("is_authorized_connection", ConnectionDetails(conn_id="test"),
"Connection#GET"),
+ ("is_authorized_variable", VariableDetails(key="test"),
"Variable#GET"),
+ ("is_authorized_pool", PoolDetails(name="test"), "Pool#GET"),
+ ],
+ )
+ def test_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "permission"),
+ [
+ ("is_authorized_dag", "Dag#LIST"),
+ ("is_authorized_connection", "Connection#LIST"),
+ ("is_authorized_variable", "Variable#LIST"),
+ ("is_authorized_pool", "Pool#LIST"),
+ ],
+ )
+ def test_list_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(team_name="team-a"),
"Dag:team-a#LIST"),
+ ("is_authorized_connection",
ConnectionDetails(team_name="team-a"), "Connection:team-a#LIST"),
+ ("is_authorized_variable", VariableDetails(team_name="team-a"),
"Variable:team-a#LIST"),
+ ("is_authorized_pool", PoolDetails(team_name="team-a"),
"Pool:team-a#LIST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_list_with_team_name_uses_team_scoped_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ user.access_token = _build_access_token({"groups": ["team-a"]})
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ def test_filter_authorized_dag_ids_team_mismatch(self,
auth_manager_multi_team, user):
+ if not AIRFLOW_V_3_2_PLUS:
+ pytest.skip("team_name not supported before Airflow 3.2.0")
Review Comment:
Can you please use a decorator? That makes it easier to read
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -411,12 +441,213 @@ def test_is_authorized_dag(
token_url = auth_manager._get_token_url("server_url", "realm")
payload = auth_manager._get_payload("client_id", permission,
attributes)
- headers = auth_manager._get_headers("access_token")
+ headers = auth_manager._get_headers(user.access_token)
auth_manager.http_session.post.assert_called_once_with(
token_url, data=payload, headers=headers, timeout=5
)
assert result == expected
+ @pytest.mark.parametrize(
+ ("function", "method", "details", "permission"),
+ [
+ ("is_authorized_dag", "GET", DagDetails(id="test",
team_name="team-a"), "Dag#GET"),
+ (
+ "is_authorized_connection",
+ "DELETE",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection#DELETE",
+ ),
+ (
+ "is_authorized_variable",
+ "PUT",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable#PUT",
+ ),
+ ("is_authorized_pool", "POST", PoolDetails(name="test",
team_name="team-a"), "Pool#POST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_team_name_ignored_when_multi_team_disabled(
+ self, auth_manager, user, function, method, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager.http_session.post = Mock(return_value=mock_response)
+
+ getattr(auth_manager, function)(method=method, user=user,
details=details)
+
+ actual_permission =
auth_manager.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test", team_name="team-a"),
"Dag:team-a#GET"),
+ (
+ "is_authorized_connection",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection:team-a#GET",
+ ),
+ (
+ "is_authorized_variable",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable:team-a#GET",
+ ),
+ ("is_authorized_pool", PoolDetails(name="test",
team_name="team-a"), "Pool:team-a#GET"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_with_team_name_uses_team_scoped_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test"), "Dag#GET"),
+ ("is_authorized_connection", ConnectionDetails(conn_id="test"),
"Connection#GET"),
+ ("is_authorized_variable", VariableDetails(key="test"),
"Variable#GET"),
+ ("is_authorized_pool", PoolDetails(name="test"), "Pool#GET"),
+ ],
+ )
+ def test_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "permission"),
+ [
+ ("is_authorized_dag", "Dag#LIST"),
+ ("is_authorized_connection", "Connection#LIST"),
+ ("is_authorized_variable", "Variable#LIST"),
+ ("is_authorized_pool", "Pool#LIST"),
+ ],
+ )
+ def test_list_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(team_name="team-a"),
"Dag:team-a#LIST"),
+ ("is_authorized_connection",
ConnectionDetails(team_name="team-a"), "Connection:team-a#LIST"),
+ ("is_authorized_variable", VariableDetails(team_name="team-a"),
"Variable:team-a#LIST"),
+ ("is_authorized_pool", PoolDetails(team_name="team-a"),
"Pool:team-a#LIST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
Review Comment:
Same
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -349,38 +377,40 @@ def test_is_authorized_invalid_request(self, function,
auth_manager, user):
assert "Request not recognized by Keycloak. invalid_scope. Invalid
scopes: GET" in str(e.value)
- @pytest.mark.parametrize(
- ("method", "access_entity", "details", "permission", "attributes"),
+ _DAG_AUTHORIZED_PARAMS = [
Review Comment:
Same here
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]