workos-python/tests/test_authorization_check.py at b344d14683997e64c1f240a5b6700a95bc5e6d82 · workos/workos-python · GitHub

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
from typing import Union

import pytest
from tests.utils.syncify import syncify
from workos.authorization import AsyncAuthorization, Authorization


@pytest.mark.sync_and_async(Authorization, AsyncAuthorization)
class TestAuthorizationCheck:
    @pytest.fixture(autouse=True)
    def setup(self, module_instance: Union[Authorization, AsyncAuthorization]):
        self.http_client = module_instance._http_client
        self.authorization = module_instance

    @pytest.fixture
    def mock_check_authorized(self):
        return {"authorized": True}

    @pytest.fixture
    def mock_check_unauthorized(self):
        return {"authorized": False}

    def test_check_authorized(
        self, mock_check_authorized, capture_and_mock_http_client_request
    ):
        request_kwargs = capture_and_mock_http_client_request(
            self.http_client, mock_check_authorized, 200
        )

        result = syncify(
            self.authorization.check(
                "om_01ABC",
                permission_slug="documents:read",
                resource_id="res_01ABC",
            )
        )

        assert result.authorized is True
        assert request_kwargs["method"] == "post"
        assert request_kwargs["url"].endswith(
            "/authorization/organization_memberships/om_01ABC/check"
        )

    def test_check_unauthorized(
        self, mock_check_unauthorized, capture_and_mock_http_client_request
    ):
        request_kwargs = capture_and_mock_http_client_request(
            self.http_client, mock_check_unauthorized, 200
        )

        result = syncify(
            self.authorization.check(
                "om_01ABC",
                permission_slug="documents:write",
                resource_id="res_01ABC",
            )
        )

        assert result.authorized is False
        assert request_kwargs["method"] == "post"

    def test_check_with_resource_id(
        self, mock_check_authorized, capture_and_mock_http_client_request
    ):
        request_kwargs = capture_and_mock_http_client_request(
            self.http_client, mock_check_authorized, 200
        )

        syncify(
            self.authorization.check(
                "om_01ABC",
                permission_slug="documents:read",
                resource_id="res_01XYZ",
            )
        )

        assert request_kwargs["json"] == {
            "permission_slug": "documents:read",
            "resource_id": "res_01XYZ",
        }

    def test_check_with_resource_external_id(
        self, mock_check_authorized, capture_and_mock_http_client_request
    ):
        request_kwargs = capture_and_mock_http_client_request(
            self.http_client, mock_check_authorized, 200
        )

        syncify(
            self.authorization.check(
                "om_01ABC",
                permission_slug="documents:read",
                resource_external_id="ext_doc_123",
                resource_type_slug="document",
            )
        )

        assert request_kwargs["json"] == {
            "permission_slug": "documents:read",
            "resource_external_id": "ext_doc_123",
            "resource_type_slug": "document",
        }

    def test_check_url_construction(
        self, mock_check_authorized, capture_and_mock_http_client_request
    ):
        request_kwargs = capture_and_mock_http_client_request(
            self.http_client, mock_check_authorized, 200
        )

        syncify(
            self.authorization.check(
                "om_01MEMBERSHIP",
                permission_slug="admin:access",
            )
        )

        assert request_kwargs["url"].endswith(
            "/authorization/organization_memberships/om_01MEMBERSHIP/check"
        )
        assert request_kwargs["json"] == {"permission_slug": "admin:access"}

    def test_check_raises_when_both_resource_identifiers_provided(self):
        with pytest.raises(ValueError, match="mutually exclusive"):
            syncify(
                self.authorization.check(
                    "om_01ABC",
                    permission_slug="documents:read",
                    resource_id="res_01ABC",
                    resource_external_id="ext_doc_123",
                    resource_type_slug="document",
                )
            )

    def test_check_raises_when_external_id_without_type_slug(self):
        with pytest.raises(ValueError, match="resource_type_slug is required"):
            syncify(
                self.authorization.check(
                    "om_01ABC",
                    permission_slug="documents:read",
                    resource_external_id="ext_doc_123",
                )
            )