From 0aa983bb50fe0c0cefc9047c378d49511c613de9 Mon Sep 17 00:00:00 2001
From: index-git
Date: Tue, 19 Dec 2023 09:55:06 +0100
Subject: [PATCH] Test roles in GeoServer ACL rules
---
 .../publications/access_rights/test_role.py | 22 ++++++++++++++--
 .../single_publication/layers_test.py | 26 +------------------
 2 files changed, 21 insertions(+), 27 deletions(-)
diff --git a/tests/dynamic_data/publications/access_rights/test_role.py b/tests/dynamic_data/publications/access_rights/test_role.py
index 1475e0d92..fe93d26c3 100644
--- a/tests/dynamic_data/publications/access_rights/test_role.py
+++ b/tests/dynamic_data/publications/access_rights/test_role.py
@@ -1,5 +1,8 @@
 import pytest
+from geoserver import util as gs_util
+from layman import app, settings, util as layman_util
+from layman.common import geoserver as gs_common
 from test_tools import process_client, role_service
 from tests import EnumTestTypes, Publication
 from tests.asserts.final.publication import util as assert_util
@@ -74,5 +77,20 @@ def test_publication(self, publication, rest_method, rest_args):
 info = process_client.get_workspace_publication(publication.type, publication.workspace, publication.name, actor_name=USERNAME)
- assert set(info['access_rights']['read']) == USER_ROLE1_ROLE2
- assert set(info['access_rights']['write']) == USER_ROLE1
+ for right, exp_rights in [('read', USER_ROLE1_ROLE2),
+ ('write', USER_ROLE1),
+ ]:
+ assert set(info['access_rights'][right]) == exp_rights
+
+ if publication.type == process_client.LAYER_TYPE:
+ with app.app_context():
+ internal_info = layman_util.get_publication_info(publication.workspace, publication.type, publication.name, {'keys': ['geodata_type', 'wms']})
+
+ geodata_type = internal_info['geodata_type']
+ gs_workspace = internal_info['_wms']['workspace']
+ workspaces = [publication.workspace, gs_workspace] if geodata_type != settings.GEODATA_TYPE_RASTER else [publication.workspace]
+ for wspace in workspaces:
+ gs_expected_roles = gs_common.layman_users_and_roles_to_geoserver_roles(exp_rights)
+ rule = f'{wspace}.{publication.name}.{right[0]}'
+ gs_roles = gs_util.get_security_roles(rule, settings.LAYMAN_GS_AUTH)
+ assert gs_expected_roles == gs_roles, f'gs_expected_roles={gs_expected_roles}, gs_roles={gs_roles}, wspace={wspace}, rule={rule}'
diff --git a/tests/static_data/single_publication/layers_test.py b/tests/static_data/single_publication/layers_test.py
index 7c8f8a4ed..2bea82ea7 100644
--- a/tests/static_data/single_publication/layers_test.py
+++ b/tests/static_data/single_publication/layers_test.py
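Review bot: In the second hunk of tests/dynamic_data/publications/access_rights/test_role.py, the raster branch of the new `workspaces = ... else [publication.workspace]` line selects a different workspace than the `test_gs_data_security` test this patch deletes from layers_test.py, which used `else [gs_workspace]`. If raster layers get their GeoServer ACL rule only under the WMS workspace, as the removed test implies, the new assertion would look up the rule in the wrong workspace. Consider `workspaces = [publication.workspace, gs_workspace] if geodata_type != settings.GEODATA_TYPE_RASTER else [gs_workspace]`, or add a comment explaining why the switch is intended. The replacement also appears narrower, since the deleted test ran over every entry of `data.LIST_LAYERS` and handled personal workspaces, so it is worth confirming that the publications parametrized here (not visible in this hunk) still exercise raster layers and owner-only rules. The body of test_publication starts outside the hunk.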
@@ -9,7 +9,7 @@
 import crs as crs_def
 from geoserver import GS_REST_WORKSPACES, GS_REST, GS_AUTH, util as gs_util
 from layman import settings, app, util as layman_util
-from layman.common import bbox as bbox_util, geoserver as gs_common
+from layman.common import bbox as bbox_util
 from layman.common.micka import util as micka_common_util
 from layman.layer import util as layer_util, db as layer_db, get_layer_info_keys
 from layman.layer.geoserver.wms import DEFAULT_WMS_QGIS_STORE_PREFIX, VERSION
@@ -254,30 +254,6 @@ def test_fill_project_template(workspace, publ_type, publication):
 assert excinfo.value.response.status_code == 500
-@pytest.mark.parametrize('workspace, publ_type, publication', data.LIST_LAYERS)
-@pytest.mark.usefixtures('oauth2_provider_mock', 'ensure_layman')
-def test_gs_data_security(workspace, publ_type, publication):
- ensure_publication(workspace, publ_type, publication)
-
- auth = settings.LAYMAN_GS_AUTH
- is_personal_workspace = workspace in data.USERS
- owner_and_everyone_roles = gs_common.layman_users_and_roles_to_geoserver_roles({workspace, settings.RIGHTS_EVERYONE_ROLE})
- owner_role_set = gs_common.layman_users_and_roles_to_geoserver_roles({workspace})
- with app.app_context():
- info = layman_util.get_publication_info(workspace, publ_type, publication, context={'keys': ['access_rights', 'wms']})
- expected_roles = info['access_rights']
- gs_workspace = info['_wms']['workspace']
- geodata_type = data.PUBLICATIONS[(workspace, publ_type, publication)][data.TEST_DATA].get('geodata_type')
- workspaces = [workspace, gs_workspace] if geodata_type != settings.GEODATA_TYPE_RASTER else [gs_workspace]
- for right_type in ['read', 'write']:
- for wspace in workspaces:
- gs_expected_roles = gs_common.layman_users_and_roles_to_geoserver_roles(expected_roles[right_type])
- gs_roles = gs_util.get_security_roles(f'{wspace}.{publication}.{right_type[0]}', auth)
- assert gs_expected_roles == gs_roles\
- or (is_personal_workspace
- and gs_expected_roles == owner_and_everyone_roles == gs_roles.union(owner_role_set)), f'gs_expected_roles={gs_expected_roles}, gs_roles={gs_roles}, wspace={wspace}, is_personal_workspace={is_personal_workspace}'
-
-
 @pytest.mark.parametrize('workspace, publ_type, publication', [(wspace, ptype, pub) for wspace, ptype, pub in data.LIST_LAYERS if data.PUBLICATIONS[(wspace, ptype, pub)][data.TEST_DATA].get('micka_xml')])