stegololz commented on code in PR #61351:
URL: https://github.com/apache/airflow/pull/61351#discussion_r2821924037


##########
providers/keycloak/tests/unit/keycloak/auth_manager/test_keycloak_auth_manager.py:
##########
@@ -411,12 +441,213 @@ def test_is_authorized_dag(
 
         token_url = auth_manager._get_token_url("server_url", "realm")
         payload = auth_manager._get_payload("client_id", permission, 
attributes)
-        headers = auth_manager._get_headers("access_token")
+        headers = auth_manager._get_headers(user.access_token)
         auth_manager.http_session.post.assert_called_once_with(
             token_url, data=payload, headers=headers, timeout=5
         )
         assert result == expected
 
+    @pytest.mark.parametrize(
+        ("function", "method", "details", "permission"),
+        [
+            ("is_authorized_dag", "GET", DagDetails(id="test", 
team_name="team-a"), "Dag#GET"),
+            (
+                "is_authorized_connection",
+                "DELETE",
+                ConnectionDetails(conn_id="test", team_name="team-a"),
+                "Connection#DELETE",
+            ),
+            (
+                "is_authorized_variable",
+                "PUT",
+                VariableDetails(key="test", team_name="team-a"),
+                "Variable#PUT",
+            ),
+            ("is_authorized_pool", "POST", PoolDetails(name="test", 
team_name="team-a"), "Pool#POST"),
+        ]
+        if AIRFLOW_V_3_2_PLUS
+        else [],
+    )
+    def test_team_name_ignored_when_multi_team_disabled(
+        self, auth_manager, user, function, method, details, permission
+    ):
+        mock_response = Mock()
+        mock_response.status_code = 200
+        auth_manager.http_session.post = Mock(return_value=mock_response)
+
+        getattr(auth_manager, function)(method=method, user=user, 
details=details)
+
+        actual_permission = 
auth_manager.http_session.post.call_args.kwargs["data"]["permission"]
+        assert actual_permission == permission
+
+    @pytest.mark.parametrize(
+        ("function", "details", "permission"),
+        [
+            ("is_authorized_dag", DagDetails(id="test", team_name="team-a"), 
"Dag:team-a#GET"),
+            (
+                "is_authorized_connection",
+                ConnectionDetails(conn_id="test", team_name="team-a"),
+                "Connection:team-a#GET",
+            ),
+            (
+                "is_authorized_variable",
+                VariableDetails(key="test", team_name="team-a"),
+                "Variable:team-a#GET",
+            ),
+            ("is_authorized_pool", PoolDetails(name="test", 
team_name="team-a"), "Pool:team-a#GET"),
+        ]
+        if AIRFLOW_V_3_2_PLUS
+        else [],
+    )
+    def test_with_team_name_uses_team_scoped_permission(
+        self, auth_manager_multi_team, user, function, details, permission
+    ):
+        mock_response = Mock()
+        mock_response.status_code = 200
+        auth_manager_multi_team.http_session.post = 
Mock(return_value=mock_response)
+
+        getattr(auth_manager_multi_team, function)(method="GET", user=user, 
details=details)
+
+        actual_permission = 
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+        assert actual_permission == permission
+
+    @pytest.mark.parametrize(
+        ("function", "details", "permission"),
+        [
+            ("is_authorized_dag", DagDetails(id="test"), "Dag#GET"),
+            ("is_authorized_connection", ConnectionDetails(conn_id="test"), 
"Connection#GET"),
+            ("is_authorized_variable", VariableDetails(key="test"), 
"Variable#GET"),
+            ("is_authorized_pool", PoolDetails(name="test"), "Pool#GET"),
+        ],
+    )
+    def test_without_team_name_uses_global_permission(
+        self, auth_manager_multi_team, user, function, details, permission
+    ):
+        mock_response = Mock()
+        mock_response.status_code = 200
+        auth_manager_multi_team.http_session.post = 
Mock(return_value=mock_response)
+
+        getattr(auth_manager_multi_team, function)(method="GET", user=user, 
details=details)
+
+        actual_permission = 
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+        assert actual_permission == permission
+
+    @pytest.mark.parametrize(
+        ("function", "permission"),
+        [
+            ("is_authorized_dag", "Dag#LIST"),
+            ("is_authorized_connection", "Connection#LIST"),
+            ("is_authorized_variable", "Variable#LIST"),
+            ("is_authorized_pool", "Pool#LIST"),
+        ],
+    )
+    def test_list_without_team_name_uses_global_permission(
+        self, auth_manager_multi_team, user, function, permission
+    ):
+        mock_response = Mock()
+        mock_response.status_code = 200
+        auth_manager_multi_team.http_session.post = 
Mock(return_value=mock_response)
+
+        getattr(auth_manager_multi_team, function)(method="GET", user=user)
+
+        actual_permission = 
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+        assert actual_permission == permission
+
+    @pytest.mark.parametrize(
+        ("function", "details", "permission"),
+        [
+            ("is_authorized_dag", DagDetails(team_name="team-a"), 
"Dag:team-a#LIST"),
+            ("is_authorized_connection", 
ConnectionDetails(team_name="team-a"), "Connection:team-a#LIST"),
+            ("is_authorized_variable", VariableDetails(team_name="team-a"), 
"Variable:team-a#LIST"),
+            ("is_authorized_pool", PoolDetails(team_name="team-a"), 
"Pool:team-a#LIST"),
+        ]
+        if AIRFLOW_V_3_2_PLUS
+        else [],
+    )
+    def test_list_with_team_name_uses_team_scoped_permission(
+        self, auth_manager_multi_team, user, function, details, permission
+    ):
+        user.access_token = _build_access_token({"groups": ["team-a"]})
+        mock_response = Mock()
+        mock_response.status_code = 200
+        auth_manager_multi_team.http_session.post = 
Mock(return_value=mock_response)
+
+        getattr(auth_manager_multi_team, function)(method="GET", user=user, 
details=details)
+
+        actual_permission = 
auth_manager_multi_team.http_session.post.call_args.kwargs["data"]["permission"]
+        assert actual_permission == permission
+
+    def test_filter_authorized_dag_ids_team_mismatch(self, 
auth_manager_multi_team, user):
+        if not AIRFLOW_V_3_2_PLUS:
+            pytest.skip("team_name not supported before Airflow 3.2.0")
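Review bot: The new team-permission tests read `http_session.post.call_args`, which reflects only the most recent call, so they would still pass if the auth manager sent more than one authorization request (for example a team-scoped check followed by a global one). Since these tests pin which permission string gates access, add `auth_manager_multi_team.http_session.post.assert_called_once()` (and the `auth_manager` equivalent in `test_team_name_ignored_when_multi_team_disabled`) before reading `call_args`, matching the `assert_called_once_with` in `test_is_authorized_dag` above. None of them assert the return value either; with a 200 mocked, capturing the result and adding `assert result is True` would tie the grant to the request that was checked. The `if AIRFLOW_V_3_2_PLUS else []` lists presumably lead pytest to skip on an empty parameter set with no stated reason, unlike the explicit `pytest.skip(...)` in `test_filter_authorized_dag_ids_team_mismatch`, whose body continues outside the quoted hunk.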

Review Comment:
   Done


