Merge pull request #1093 from gchq/bugfix/improve-authorisation-tests

Add tests

backend/src/connectors/v2/authorisation/base.ts

@@ -133,7 +133,7 @@ export class BasicAuthorisationConnector {
   }
 
   async schemas(user: UserDoc, schemas: Array<SchemaDoc>, action: SchemaActionKeys): Promise<Array<Response>> {
-    if (action === SchemaAction.Create) {
+    if (action === SchemaAction.Create || action === SchemaAction.Delete) {
       const isAdmin = await authentication.hasRole(user, Roles.Admin)
 
       if (!isAdmin) {
@@ -145,18 +145,6 @@ export class BasicAuthorisationConnector {
       }
     }
 
-    if (action === SchemaAction.Delete) {
-      const isAdmin = await authentication.hasRole(user, Roles.Admin)
-
-      if (!isAdmin) {
-        return schemas.map((schema) => ({
-          id: schema.id,
-          success: false,
-          info: 'You cannot delete a schema if you are not an admin.',
-        }))
-      }
-    }
-
     return schemas.map((schema) => ({
       id: schema.id,
       success: true,

backend/test/connectors/authorisation/base.spec.ts

@@ -2,6 +2,8 @@ import { describe, expect, test, vi } from 'vitest'
 
 import { BasicAuthorisationConnector } from '../../../src/connectors/v2/authorisation/base.js'
 import { ModelDoc } from '../../../src/models/v2/Model.js'
+import { ReleaseDoc } from '../../../src/models/v2/Release.js'
+import { SchemaDoc } from '../../../src/models/v2/Schema.js'
 import { UserDoc } from '../../../src/models/v2/User.js'
 
 const mockAccessRequestService = vi.hoisted(() => ({
@@ -17,6 +19,12 @@ const mockReviewService = vi.hoisted(() => ({
 }))
 vi.mock('../../../src/services/v2/review.js', () => mockReviewService)
 
+const mockAuthentication = vi.hoisted(() => ({
+  getUserModelRoles: vi.fn(() => [] as Array<string>),
+  hasRole: vi.fn(),
+}))
+vi.mock('../../../src/connectors/v2/authentication/index.js', async () => ({ default: mockAuthentication }))
+
 describe('connectors > authorisation > base', () => {
   const user = { dn: 'testUser' } as UserDoc
   const model = { id: 'testModel' } as ModelDoc
@@ -40,4 +48,140 @@ describe('connectors > authorisation > base', () => {
 
     expect(result).toBe(approvedAccessRequest)
   })
+
+  test('hasModelVisibilityAccess > public model', async () => {
+    const connector = new BasicAuthorisationConnector()
+
+    const result = await connector.hasModelVisibilityAccess(user, { id: 'testModel', visibility: 'public' } as ModelDoc)
+
+    expect(result).toBe(true)
+  })
+
+  test('hasModelVisibilityAccess > private model with no roles', async () => {
+    const connector = new BasicAuthorisationConnector()
+
+    const result = await connector.hasModelVisibilityAccess(user, {
+      id: 'testModel',
+      visibility: 'private',
+    } as ModelDoc)
+
+    expect(result).toBe(false)
+  })
+
+  test('hasModelVisibilityAccess > private model with roles', async () => {
+    const connector = new BasicAuthorisationConnector()
+    mockAuthentication.getUserModelRoles.mockReturnValueOnce(['owner'])
+
+    const result = await connector.hasModelVisibilityAccess(user, {
+      id: 'testModel',
+      visibility: 'private',
+    } as ModelDoc)
+
+    expect(result).toBe(true)
+  })
+
+  test('model > private model with no roles', async () => {
+    const connector = new BasicAuthorisationConnector()
+
+    const result = await connector.model(
+      user,
+      {
+        id: 'testModel',
+        visibility: 'private',
+      } as ModelDoc,
+      'create',
+    )
+
+    expect(result).toStrictEqual({
+      id: 'testModel',
+      info: 'You cannot interact with a private model that you do not have access to.',
+      success: false,
+    })
+  })
+
+  test('model > private model with roles', async () => {
+    const connector = new BasicAuthorisationConnector()
+    mockAuthentication.getUserModelRoles.mockReturnValueOnce(['owner'])
+    mockAuthentication.getUserModelRoles.mockReturnValueOnce(['owner'])
+
+    const result = await connector.model(
+      user,
+      {
+        id: 'testModel',
+        visibility: 'private',
+      } as ModelDoc,
+      'create',
+    )
+
+    expect(result).toStrictEqual({
+      id: 'testModel',
+      success: true,
+    })
+  })
+
+  test('schema > create schema as Admin', async () => {
+    const connector = new BasicAuthorisationConnector()
+    mockAuthentication.hasRole.mockReturnValueOnce(true)
+
+    const result = await connector.schema(user, { id: 'testSchema' } as SchemaDoc, 'create')
+
+    expect(result).toStrictEqual({
+      id: 'testSchema',
+      success: true,
+    })
+  })
+
+  test('schema > create schema not as an Admin', async () => {
+    const connector = new BasicAuthorisationConnector()
+    mockAuthentication.hasRole.mockReturnValueOnce(false)
+
+    const result = await connector.schema(user, { id: 'testSchema' } as SchemaDoc, 'create')
+
+    expect(result).toStrictEqual({
+      id: 'testSchema',
+      info: 'You cannot upload or modify a schema if you are not an admin.',
+      success: false,
+    })
+  })
+
+  test('release > private model with roles', async () => {
+    const connector = new BasicAuthorisationConnector()
+    mockAuthentication.getUserModelRoles.mockReturnValueOnce(['owner'])
+    mockAuthentication.getUserModelRoles.mockReturnValueOnce(['owner'])
+
+    const result = await connector.release(
+      user,
+      {
+        id: 'testModel',
+        visibility: 'private',
+      } as ModelDoc,
+      {} as ReleaseDoc,
+      'create',
+    )
+
+    expect(result).toStrictEqual({
+      id: 'testModel',
+      success: true,
+    })
+  })
+
+  test('release > private model with no roles', async () => {
+    const connector = new BasicAuthorisationConnector()
+
+    const result = await connector.release(
+      user,
+      {
+        id: 'testModel',
+        visibility: 'private',
+      } as ModelDoc,
+      {} as ReleaseDoc,
+      'create',
+    )
+
+    expect(result).toStrictEqual({
+      id: 'testModel',
+      info: 'You cannot interact with a private model that you do not have access to.',
+      success: false,
+    })
+  })
 })