More tests, some fixes and quick refactors

Mathias Bigaignon · Mathias Bigaignon · commit 2714dac18a89 · 2024-07-02T10:41:50.000+02:00
diff --git a/.gitignore b/.gitignore
@@ -3,3 +3,4 @@ __pycache__
 *.pyc
 .python-version
 poetry.lock
+.coverage
diff --git a/entitled/client.py b/entitled/client.py
@@ -11,18 +11,20 @@
 class Client:
     "The Client class for decision-making centralization."
 
-    def __init__(self, base_path="policies"):
+    def __init__(self, base_path: str | None = None):
         self._policy_registrar: dict[typing.Type, policies.Policy] = {}
-        self._load_path = pathlib.Path(base_path)
-        self.load_policies_from_path(self._load_path)
+        self._load_path = None
+        if base_path:
+            self._load_path = pathlib.Path(base_path)
+            self.load_policies_from_path(self._load_path)
 
-    def authorize(self, actor, action, resource, context: dict | None = None):
+    def authorize(self, action, actor, resource, context: dict | None = None):
         policy = self._policy_lookup(resource)
-        return policy.authorize(actor, action, resource, context)
+        return policy.authorize(action, actor, resource, context)
 
-    def allows(self, actor, action, resource, context: dict | None = None) -> bool:
+    def allows(self, action, actor, resource, context: dict | None = None) -> bool:
         policy = self._policy_lookup(resource)
-        return policy.allows(actor, action, resource, context)
+        return policy.allows(action, actor, resource, context)
 
     def grants(self, actor, resource, context: dict | None = None):
         policy = self._policy_lookup(resource)
@@ -41,10 +43,12 @@ def register(self, policy: policies.Policy):
             raise AttributeError(f"Policy {policy} is incorrectly defined")
 
     def reload_registrar(self):
-        self.load_policies_from_path(self._load_path)
+        if self._load_path is not None:
+            self.load_policies_from_path(self._load_path)
 
     def load_policies_from_path(self, path: pathlib.Path):
         for file_path in path.glob("*.py"):
+            print(file_path)
             mod_name = file_path.stem
             full_module_name = ".".join(file_path.parts[:-1] + (mod_name,))
             spec = importlib.util.spec_from_file_location(full_module_name, file_path)
diff --git a/entitled/policies.py b/entitled/policies.py
@@ -48,26 +48,26 @@ def __register(self, action, *rules: Rule[T]):
     def grants(self, actor, resource: T, context: dict | None = None):
 
         return filter(
-            lambda action: self.allows(actor, action, resource, context),
+            lambda action: self.allows(action, actor, resource, context),
             self._registry.keys(),
         )
 
     def allows(
         self,
-        actor,
         action,
+        actor,
         resource: T,
         context: dict | None = None,
     ) -> bool:
         try:
-            return self.authorize(actor, action, resource, context)
+            return self.authorize(action, actor, resource, context)
         except exceptions.AuthorizationException:
             return False
 
     def authorize(
         self,
-        actor,
         action,
+        actor,
         resource: T,
         context: dict | None = None,
     ) -> bool:
diff --git a/tests/fixtures/models.py b/tests/fixtures/models.py
@@ -14,8 +14,7 @@ class User:
 
 
 @dataclasses.dataclass
-class Node:
+class Resource:
     name: str
     owner: User
     tenant: Tenant
-    parent: "Node | None" = None
diff --git a/tests/fixtures/policies.py b/tests/fixtures/policies.py
@@ -0,0 +1,27 @@
+from entitled.policies import Policy
+from tests.fixtures.models import Resource, Tenant, User
+
+tenant_policy = Policy[Tenant]("tenant")
+
+
+@tenant_policy.rule("member")
+def is_member(actor: User, resource: Tenant, context: dict | None = None) -> bool:
+    return actor.tenant == resource
+
+
+@tenant_policy.rule("admin_role")
+def has_admin_role(actor: User, resource: Tenant, context: dict | None = None) -> bool:
+    return is_member(actor, resource) and "admin" in actor.roles
+
+
+resource_policy = Policy[Resource]("node")
+
+
+@resource_policy.rule("edit")
+def can_edit(actor: User, resource: Resource, context: dict | None = None) -> bool:
+    return resource.owner == actor or has_admin_role(actor, resource.tenant)
+
+
+@resource_policy.rule("view")
+def can_view(actor: User, resource: Resource, context: dict | None = None) -> bool:
+    return is_member(actor, resource.tenant)
diff --git a/tests/test_client.py b/tests/test_client.py
@@ -0,0 +1,71 @@
+from pathlib import Path
+
+import pytest
+from _pytest.pytester import pytester
+
+from entitled import exceptions
+from entitled.client import Client
+from entitled.rules import Rule
+from tests.fixtures.models import Resource, Tenant, User
+from tests.fixtures.policies import resource_policy, tenant_policy
+
+
+class TestClientCreation:
+    def teardown_method(self):
+        Rule.clear_registry()
+
+    def test_create_client(self):
+        client = Client()
+        assert client._load_path is None
+        assert client._policy_registrar == {}
+
+    def test_create_client_with_loadpath(self):
+        client = Client(base_path="tests/fixtures")
+
+        assert client._load_path == Path("tests/fixtures")
+        assert len(client._policy_registrar.items()) == 2
+
+
+class TestClientDecision:
+
+    def teardown_method(self):
+        Rule.clear_registry()
+
+    def test_grants(self):
+        client = Client(base_path="tests/fixtures")
+        tenant1 = Tenant("tenant1")
+        tenant2 = Tenant("tenant2")
+        user1 = User("user1", tenant1, set(["user"]))
+        user2 = User("user2", tenant2, set(["user"]))
+        resource1 = Resource("R1", user1, tenant1)
+
+        u1_grants = [g for g in client.grants(user1, resource1)]
+        u2_grants = [g for g in client.grants(user2, resource1)]
+        assert "view" in u1_grants and "edit" in u1_grants
+        assert "view" not in u2_grants and "edit" not in u2_grants
+
+    def test_allows(self):
+        client = Client(base_path="tests/fixtures")
+        tenant1 = Tenant("tenant1")
+        tenant2 = Tenant("tenant2")
+        user1 = User("user1", tenant1, set(["user"]))
+        user2 = User("user2", tenant2, set(["user"]))
+        resource1 = Resource("R1", user1, tenant1)
+
+        assert client.allows("edit", user1, resource1)
+        assert not client.allows("edit", user2, resource1)
+        assert not client.allows("move", user2, resource1)
+
+    def test_authorize(self):
+        client = Client(base_path="tests/fixtures")
+        tenant1 = Tenant("tenant1")
+        tenant2 = Tenant("tenant2")
+        user1 = User("user1", tenant1, set(["user"]))
+        user2 = User("user2", tenant2, set(["user"]))
+        resource1 = Resource("R1", user1, tenant1)
+
+        assert client.authorize("edit", user1, resource1)
+        with pytest.raises(exceptions.AuthorizationException):
+            client.authorize("edit", user2, resource1)
+        with pytest.raises(exceptions.UndefinedAction):
+            client.authorize("move", user2, resource1)
diff --git a/tests/test_rules.py b/tests/test_rules.py
@@ -93,7 +93,7 @@ def test_authorize(self):
 
         new_tenant = Tenant("other_tenant")
         with pytest.raises(exceptions.AuthorizationException):
-            assert res.authorize(test_user, new_tenant)
+            res.authorize(test_user, new_tenant)
 
     def test_allows(self):
         tenant = Tenant("test_tenant")
