stegololz commented on code in PR #61351:
URL: https://github.com/apache/airflow/pull/61351#discussion_r2821921313
##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -411,12 +441,213 @@ def test_is_authorized_dag(
token_url = auth_manager._get_token_url("server_url", "realm")
payload = auth_manager._get_payload("client_id", permission,
attributes)
- headers = auth_manager._get_headers("access_token")
+ headers = auth_manager._get_headers(user.access_token)
auth_manager.http_session.post.assert_called_once_with(
token_url, data=payload, headers=headers, timeout=5
)
assert result == expected
+ @pytest.mark.parametrize(
+ ("function", "method", "details", "permission"),
+ [
+ ("is_authorized_dag", "GET", DagDetails(id="test",
team_name="team-a"), "Dag#GET"),
+ (
+ "is_authorized_connection",
+ "DELETE",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection#DELETE",
+ ),
+ (
+ "is_authorized_variable",
+ "PUT",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable#PUT",
+ ),
+ ("is_authorized_pool", "POST", PoolDetails(name="test",
team_name="team-a"), "Pool#POST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_team_name_ignored_when_multi_team_disabled(
+ self, auth_manager, user, function, method, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager.http_session.post = Mock(return_value=mock_response)
+
+ getattr(auth_manager, function)(method=method, user=user,
details=details)
+
+ actual_permission =
auth_manager.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test", team_name="team-a"),
"Dag:team-a#GET"),
+ (
+ "is_authorized_connection",
+ ConnectionDetails(conn_id="test", team_name="team-a"),
+ "Connection:team-a#GET",
+ ),
+ (
+ "is_authorized_variable",
+ VariableDetails(key="test", team_name="team-a"),
+ "Variable:team-a#GET",
+ ),
+ ("is_authorized_pool", PoolDetails(name="test",
team_name="team-a"), "Pool:team-a#GET"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
+ )
+ def test_with_team_name_uses_team_scoped_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(id="test"), "Dag#GET"),
+ ("is_authorized_connection", ConnectionDetails(conn_id="test"),
"Connection#GET"),
+ ("is_authorized_variable", VariableDetails(key="test"),
"Variable#GET"),
+ ("is_authorized_pool", PoolDetails(name="test"), "Pool#GET"),
+ ],
+ )
+ def test_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, details, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user,
details=details)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "permission"),
+ [
+ ("is_authorized_dag", "Dag#LIST"),
+ ("is_authorized_connection", "Connection#LIST"),
+ ("is_authorized_variable", "Variable#LIST"),
+ ("is_authorized_pool", "Pool#LIST"),
+ ],
+ )
+ def test_list_without_team_name_uses_global_permission(
+ self, auth_manager_multi_team, user, function, permission
+ ):
+ mock_response = Mock()
+ mock_response.status_code = 200
+ auth_manager_multi_team.http_session.post =
Mock(return_value=mock_response)
+
+ getattr(auth_manager_multi_team, function)(method="GET", user=user)
+
+ actual_permission =
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+ assert actual_permission == permission
+
+ @pytest.mark.parametrize(
+ ("function", "details", "permission"),
+ [
+ ("is_authorized_dag", DagDetails(team_name="team-a"),
"Dag:team-a#LIST"),
+ ("is_authorized_connection",
ConnectionDetails(team_name="team-a"), "Connection:team-a#LIST"),
+ ("is_authorized_variable", VariableDetails(team_name="team-a"),
"Variable:team-a#LIST"),
+ ("is_authorized_pool", PoolDetails(team_name="team-a"),
"Pool:team-a#LIST"),
+ ]
+ if AIRFLOW_V_3_2_PLUS
+ else [],
Review Comment:
Done.
This change added a little twist. As resource detail classes gained a
team_name kwarg in Airflow 3.2, constructing them directly would raise
TypeError on older versions. Deferring construction to the test body via
details_cls/details_kwargs lets skipif prevent execution first.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
