Keep tests in line

clients/teams.py

@@ -8,6 +8,7 @@ def has_member(access_token: str, team_id: str, user_id: str):
         url=f"{os.environ['TEAMS_API_URL']}/teams/{team_id}/members/{user_id}",
         headers={"Authorization": f"Bearer {access_token}"},
     )
+    r.raise_for_status()
     return r.status_code == 200
 
 

models/models.py

@@ -11,7 +11,6 @@ class MaskinportenClientIn(BaseModel):
 
 class MaskinportenClientOut(BaseModel):
     client_id: str
-    team_id: str
     name: str
     description: str
     scopes: list[str]

requirements.txt

@@ -1,12 +1,12 @@
 #
-# This file is autogenerated by pip-compile with python 3.9
+# This file is autogenerated by pip-compile
 # To update, run:
 #
 #    pip-compile
 #
-attrs==21.2.0
+attrs==20.3.0
     # via jsonschema
-aws-xray-sdk==2.8.0
+aws-xray-sdk==2.6.0
     # via okdata-maskinporten-api (setup.py)
 boto3==1.18.38
     # via okdata-maskinporten-api (setup.py)
@@ -25,11 +25,11 @@ cryptography==3.4.8
     # via pyopenssl
 ecdsa==0.14.1
     # via python-jose
-fastapi==0.68.1
+fastapi==0.68.0
     # via okdata-maskinporten-api (setup.py)
 future==0.18.2
     # via aws-xray-sdk
-idna==3.2
+idna==2.10
     # via requests
 jmespath==0.10.0
     # via
@@ -41,12 +41,14 @@ jsonschema==3.2.0
     # via okdata-sdk
 mangum==0.12.2
     # via okdata-maskinporten-api (setup.py)
-okdata-aws==0.4.0
+okdata-aws==0.3.0
     # via okdata-maskinporten-api (setup.py)
 okdata-resource-auth==0.1.3
     # via okdata-maskinporten-api (setup.py)
 okdata-sdk==0.6.0
     # via okdata-aws
+prettytable==2.0.0
+    # via okdata-sdk
 pyasn1==0.4.8
     # via
     #   python-jose
@@ -66,9 +68,9 @@ pyopenssl==20.0.1
     # via okdata-maskinporten-api (setup.py)
 pyrsistent==0.17.3
     # via jsonschema
-python-dateutil==2.8.2
+python-dateutil==2.8.1
     # via botocore
-python-jose==3.3.0
+python-jose==3.2.0
     # via python-keycloak
 python-keycloak==0.24.0
     # via
@@ -80,7 +82,7 @@ requests==2.26.0
     #   okdata-resource-auth
     #   okdata-sdk
     #   python-keycloak
-rsa==4.7.2
+rsa==4.7
     # via python-jose
 s3transfer==0.5.0
     # via boto3
@@ -92,19 +94,20 @@ six==1.15.0
     #   jsonschema
     #   pyopenssl
     #   python-dateutil
+    #   python-jose
 starlette==0.14.2
     # via fastapi
-structlog==21.1.0
+structlog==20.2.0
     # via okdata-aws
-typing-extensions==3.10.0.2
-    # via
-    #   mangum
-    #   pydantic
-urllib3==1.26.6
+typing-extensions==3.10.0.0
+    # via mangum
+urllib3==1.26.5
     # via
     #   botocore
     #   okdata-sdk
     #   requests
+wcwidth==0.2.5
+    # via prettytable
 wrapt==1.12.1
     # via aws-xray-sdk
 

test/resources/conftest.py

@@ -7,6 +7,8 @@
 valid_token = "valid-token"
 valid_token_no_access = "valid-token-no-access"
 username = "janedoe"
+team_id = "abc-123-def-456"
+origo_team_role = "origo-team"
 
 
 @pytest.fixture

test/resources/test_maskinporten_clients.py

@@ -3,20 +3,33 @@
 import requests_mock
 
 from test.mock_utils import mock_access_token_generation_requests
-from test.resources.conftest import valid_token
+from test.resources.conftest import (
+    origo_team_role,
+    team_id,
+    username,
+    valid_token,
+)
 
 
 def test_create_client(
     mock_client, mock_aws, mock_authorizer, maskinporten_create_client_response
 ):
     body = {
+        "team_id": team_id,
         "name": "some-client",
         "description": "Very cool client",
         "scopes": ["folkeregister:deling/offentligmedhjemmel"],
         "env": "test",
     }
     with requests_mock.Mocker(real_http=True) as rm:
         mock_access_token_generation_requests(rm)
+        rm.get(
+            os.getenv("TEAMS_API_URL") + f"/teams/{team_id}/roles",
+            json=[origo_team_role, "some-other-role"],
+        )
+        rm.get(
+            os.getenv("TEAMS_API_URL") + f"/teams/{team_id}/members/{username}",
+        )
         rm.post(
             os.getenv("MASKINPORTEN_CLIENTS_ENDPOINT"),
             json=maskinporten_create_client_response,
@@ -34,6 +47,52 @@ def test_create_client(
     }
 
 
+def test_create_client_missing_role(mock_client, mock_aws, mock_authorizer):
+    with requests_mock.Mocker(real_http=True) as rm:
+        body = {
+            "team_id": "random-team",
+            "name": "some-client",
+            "description": "Very cool client",
+            "scopes": ["folkeregister:deling/offentligmedhjemmel"],
+            "env": "test",
+        }
+        rm.get(
+            os.getenv("TEAMS_API_URL") + "/teams/random-team/roles",
+            json=["some-role"],
+        )
+        response = mock_client.post(
+            "/clients", json=body, headers={"Authorization": f"Bearer {valid_token}"}
+        )
+
+    assert response.status_code == 403
+    assert response.json()["message"] == "Team is not assigned required role origo-team"
+
+
+def test_create_client_not_team_member(mock_client, mock_aws, mock_authorizer):
+    with requests_mock.Mocker(real_http=True) as rm:
+        body = {
+            "team_id": team_id,
+            "name": "some-client",
+            "description": "Very cool client",
+            "scopes": ["folkeregister:deling/offentligmedhjemmel"],
+            "env": "test",
+        }
+        rm.get(
+            os.getenv("TEAMS_API_URL") + f"/teams/{team_id}/roles",
+            json=[origo_team_role, "some-other-role"],
+        )
+        rm.get(
+            os.getenv("TEAMS_API_URL") + f"/teams/{team_id}/members/{username}",
+            status_code=404,
+        )
+        response = mock_client.post(
+            "/clients", json=body, headers={"Authorization": f"Bearer {valid_token}"}
+        )
+
+    assert response.status_code == 400
+    assert response.json()["message"] == "User is not a member of specified team"
+
+
 def test_create_client_key(mock_client):
     client_id = "some-client-id"
 

tox.ini

@@ -23,6 +23,7 @@ setenv =
     KEYCLOAK_SERVER=http://keycloak-test.no
     KEYCLOAK_REALM=some-realm
     RESOURCE_SERVER_CLIENT_ID=some-resource-server
+    TEAMS_API_URL=http://api.teams.mock
 
 [testenv:flake8]
 skip_install = true