Add group member system test

This is a simple change that exercises the basic function of group membership. There is a new user, a group, a membership for the user in the group, and a grant for the group to the by-username collection. The group ID is not auto-incrementing, so we assign one that can be used in production and stay out of the way. The finer details of groups are fully tested at the API level; this is for basic coverage and A/B testing.
mlibrary · Dec 18, 2024 · c3e8d98 · c3e8d98
1 parent cccf2ba
commit c3e8d98
Show file tree

Hide file tree

Showing 6 changed files with 79 additions and 14 deletions.
diff --git a/db/tables.sql b/db/tables.sql
@@ -1,3 +1,5 @@
+-- vim: set ts=8
+
 -- All tables, keys, indexes, and constraints for authz_umichlib in MariaDB.
 CREATE TABLE aa_user(
 	userid		 		VARCHAR(64)	NOT NULL,
@@ -22,7 +24,7 @@ CREATE TABLE aa_user(
 	lastModifiedTime		TIMESTAMP	NOT NULL,
 	lastModifiedBy			VARCHAR(64)	NOT NULL,
 	dlpsExpiryTime  		DATETIME,
-        dlpsDeleted                     CHAR(1)         NOT NULL,
+	dlpsDeleted                     CHAR(1)         NOT NULL,
 	PRIMARY KEY (userid)
 );
 
@@ -32,7 +34,7 @@ CREATE TABLE aa_user_grp(
 	manager				INT,
 	lastModifiedTime		TIMESTAMP	NOT NULL,
 	lastModifiedBy			VARCHAR(64)	NOT NULL,
-        dlpsDeleted                     CHAR(1)         NOT NULL,
+	dlpsDeleted                     CHAR(1)         NOT NULL,
 	PRIMARY KEY (uniqueIdentifier)
 );
 
@@ -42,7 +44,7 @@ CREATE TABLE aa_inst(
 	manager				INT,
 	lastModifiedTime		TIMESTAMP	NOT NULL,
 	lastModifiedBy			VARCHAR(64)	NOT NULL,
-        dlpsDeleted                     CHAR(1)         NOT NULL,
+	dlpsDeleted                     CHAR(1)         NOT NULL,
 	PRIMARY KEY (uniqueIdentifier)
 );
 
@@ -51,7 +53,7 @@ CREATE TABLE aa_is_member_of_inst(
 	inst				INT	NOT NULL,
 	lastModifiedTime		TIMESTAMP	NOT NULL,
 	lastModifiedBy			VARCHAR(64)	NOT NULL,
-        dlpsDeleted                     CHAR(1)         NOT NULL,
+	dlpsDeleted                     CHAR(1)         NOT NULL,
 	PRIMARY KEY (userid, inst)
 );
 
@@ -60,7 +62,7 @@ CREATE TABLE aa_is_member_of_grp(
 	user_grp			INT	NOT NULL,
 	lastModifiedTime		TIMESTAMP	NOT NULL,
 	lastModifiedBy			VARCHAR(64)	NOT NULL,
-        dlpsDeleted                     CHAR(1)         NOT NULL,
+	dlpsDeleted                     CHAR(1)         NOT NULL,
 	PRIMARY KEY (userid, user_grp)
 );
 
@@ -72,11 +74,11 @@ CREATE TABLE aa_coll(
 	dlpsSource			VARCHAR(128)  	NOT NULL,
 	dlpsAuthenMethod		VARCHAR(3)	NOT NULL,
 	dlpsAuthzType			CHAR(1)    	NOT NULL,
-        dlpsPartlyPublic		CHAR(1)         NOT NULL,
+	dlpsPartlyPublic		CHAR(1)         NOT NULL,
 	manager				INT,
 	lastModifiedTime		TIMESTAMP	NOT NULL,
 	lastModifiedBy			VARCHAR(64)	NOT NULL,
-        dlpsDeleted                     CHAR(1)         NOT NULL,
+	dlpsDeleted                     CHAR(1)         NOT NULL,
 	PRIMARY KEY (uniqueIdentifier)
 );
 
@@ -86,7 +88,7 @@ CREATE TABLE aa_coll_obj(
 	coll				VARCHAR(32)	NOT NULL,
 	lastModifiedTime		TIMESTAMP	NOT NULL,
 	lastModifiedBy			VARCHAR(64)	NOT NULL,
-        dlpsDeleted                     CHAR(1)         NOT NULL,
+	dlpsDeleted                     CHAR(1)         NOT NULL,
 	PRIMARY KEY (dlpsServer, dlpsPath, coll)
 );
 
@@ -101,7 +103,7 @@ CREATE TABLE aa_network(
 	inst				INT,
 	lastModifiedTime		TIMESTAMP	NOT NULL,
 	lastModifiedBy			VARCHAR(64)	NOT NULL,
-        dlpsDeleted                     CHAR(1)         NOT NULL,
+	dlpsDeleted                     CHAR(1)         NOT NULL,
 	PRIMARY KEY (uniqueIdentifier)
 );
 
@@ -114,7 +116,7 @@ CREATE TABLE aa_may_access(
 	lastModifiedTime		TIMESTAMP	NOT NULL,
 	lastModifiedBy			VARCHAR(64)	NOT NULL,
 	dlpsExpiryTime  		TIMESTAMP,
-        dlpsDeleted                     CHAR(1)         NOT NULL,
+	dlpsDeleted                     CHAR(1)         NOT NULL,
 	PRIMARY KEY (uniqueIdentifier)
 );
 
@@ -163,4 +165,3 @@ ALTER TABLE aa_network ADD CONSTRAINT network_dlpsDeleted
 
 ALTER TABLE aa_may_access ADD CONSTRAINT may_access_dlpsDeleted
   CHECK (dlpsDeleted IN ('t', 'f'));
-
diff --git a/db/test-fixture.sql b/db/test-fixture.sql
@@ -96,6 +96,38 @@ INSERT INTO aa_may_access VALUES(
   NULL,
   NULL, NULL, @test_inst_id, 'lauth-by-username', CURRENT_TIMESTAMP, 'root', NULL, 'f'
 );
+
+---------- setup for user allowed via group membership ----------
+INSERT INTO aa_user VALUES(
+  'lauth-group-member',NULL,'Lauth',NULL,'Test-group-mem','lauth-group-member',
+  NULL, -- org unit
+  'Library auth system test user - this user is a group member',
+  'Ann Arbor','MI','48109-119',NULL,NULL,'Staff',NULL,
+  '!none', -- umich id, !none
+  '@umich.edu', -- password, @umich.edu MAY signify SSO
+  0,NULL,
+  CURRENT_TIMESTAMP,'root', -- modified
+  NULL, -- expiry
+  'f'
+);
+
+INSERT INTO aa_user_grp VALUES(
+	9999, -- uniqueIdentifier
+	'Library auth system test group', -- commonName
+	0, -- manager
+	CURRENT_TIMESTAMP, 'root', -- modified
+  'f' -- deleted
+);
+
+INSERT INTO aa_is_member_of_grp VALUES(
+  'lauth-group-member', 9999, CURRENT_TIMESTAMP, 'root', 'f'
+);
+
+INSERT INTO aa_may_access VALUES(
+  NULL,
+  NULL, 9999, NULL, 'lauth-by-username', CURRENT_TIMESTAMP, 'root', NULL, 'f'
+);
+
 -----------------------------------------------------------------------------
 
 -- Individual grant to the by-username collection

diff --git a/test-site/htpasswd b/test-site/htpasswd
@@ -1,3 +1,4 @@
 lauth-allowed:$apr1$p.sxKRK5$KgXJ3DmjWUAjPWDT.MXgD0
 lauth-denied:$apr1$QGNY5c50$KYz8u1TVMyKtPJqQnjRTM1
 lauth-inst-member:$apr1$OlwhNzKS$pAko/dHzrwwLhirtsMyDb/
+lauth-group-member:$apr1$hb0MeJ4P$6/scL5/84n6YOXqSbmzBo.
diff --git a/test/restrictions/group_member_spec.rb b/test/restrictions/group_member_spec.rb
@@ -0,0 +1,19 @@
+require "base64"
+
+RSpec.describe "Access to resources restricted to named group member" do
+  include BasicAuth
+
+  context "when logged in as a group member" do
+    it "is allowed" do
+      response = website.get("/restricted-by-username/") do |req|
+        req.headers["Authorization"] = basic_auth_group_member
+      end
+
+      expect(response.status).to eq HttpCodes::OK
+    end
+  end
+
+  def website
+    @website ||= Faraday.new(TestSite::URL)
+  end
+end
diff --git a/test/support/auth_users.rb b/test/support/auth_users.rb
@@ -14,4 +14,8 @@ def another_good_user
   def inst_user
     "lauth-inst-member"
   end
+
+  def group_user
+    "lauth-group-member"
+  end
 end
diff --git a/test/support/basic_auth.rb b/test/support/basic_auth.rb
@@ -2,14 +2,22 @@ module BasicAuth
   include AuthUsers
 
   def basic_auth_bad_user
-    "Basic #{Base64.urlsafe_encode64("#{bad_user}:lauth-denied")}"
+    basic_auth_for(bad_user)
   end
 
   def basic_auth_good_user
-    "Basic #{Base64.urlsafe_encode64("#{good_user}:lauth-allowed")}"
+    basic_auth_for(good_user)
   end
 
   def basic_auth_inst_member
-    "Basic #{Base64.urlsafe_encode64("#{inst_user}:lauth-inst-member")}"
+    basic_auth_for(inst_user)
+  end
+
+  def basic_auth_group_member
+    basic_auth_for(group_user)
+  end
+
+  def basic_auth_for(user)
+    "Basic #{Base64.urlsafe_encode64("#{user}:#{user}")}"
   end
 end