
from __future__ import annotations
import pytest
from .conftest import SeededUser, TenantSeed
from .helpers import ReleaseApiClient
@pytest.mark.release
def test_global_admin_can_query_cross_tenant_scope(
    admin_client: ReleaseApiClient,
    tenant_a: TenantSeed,
    tenant_b: TenantSeed,
) -> None:
    """Check that the global admin client can list users filtered by either tenant.

    Both tenant-filtered requests are issued first; afterwards each decoded
    payload is checked for a list under ``items``.
    """
    # NOTE(review): only the response shape is asserted. An empty list, or rows
    # belonging to a tenant other than the one in the filter, would still pass;
    # consider also asserting each item's tenant_code against the filter.
    # NOTE(review): tenant_code is interpolated into the query string without
    # URL-encoding; fine only while seeded codes are URL-safe -- confirm.
    payloads = [
        ReleaseApiClient.json_data(
            admin_client.get(f"/api/v3/rbac/users?page=1&page_size=100&tenant_code={seed.tenant_code}")
        )
        for seed in (tenant_a, tenant_b)
    ]
    for payload in payloads:
        assert isinstance(payload["items"], list)
@pytest.mark.release
def test_tenant_admin_is_limited_to_own_tenant_scope(
    tenant_admin_api: ReleaseApiClient,
    tenant_a: TenantSeed,
    tenant_b: TenantSeed,
    tenant_common_user_a: SeededUser,
    tenant_common_user_b: SeededUser,
) -> None:
    """Check tenant isolation for a tenant-admin client on the RBAC user API.

    Covers four cases: the unfiltered listing shows tenant A but not tenant B,
    an explicit tenant B filter is rejected with 403, re-assigning a tenant A
    user to tenant A succeeds, and touching a tenant B user is rejected with 403.
    """
    # Unfiltered listing: collect the tenant codes visible on the first page.
    # NOTE(review): the negative check below only covers page 1 (page_size=100);
    # a tenant B row on a later page would go unnoticed -- confirm seed volume.
    listing = tenant_admin_api.get("/api/v3/rbac/users?page=1&page_size=100")
    visible_codes = set()
    for row in ReleaseApiClient.json_data(listing)["items"]:
        # Missing or None tenant_code is normalised to the empty string.
        visible_codes.add(str(row.get("tenant_code") or ""))
    assert tenant_a.tenant_code in visible_codes
    assert tenant_b.tenant_code not in visible_codes

    # Read attempt against the other tenant must be refused.
    # expected_status is handed to the client helper; presumably it asserts the
    # HTTP status -- confirm in helpers.
    foreign_listing_url = f"/api/v3/rbac/users?page=1&page_size=20&tenant_code={tenant_b.tenant_code}"
    denied_listing = tenant_admin_api.get(foreign_listing_url, expected_status=403)
    # Message text: "cannot query users of other tenants".
    assert "不能查询其他租户用户" in denied_listing.text

    # Write inside the admin's own tenant is allowed and echoes the tenant code.
    own_user_url = f"/api/v3/rbac/users/{tenant_common_user_a.user_id}/tenant"
    allowed_update = tenant_admin_api.put(
        own_user_url,
        json={"tenant_code": tenant_a.tenant_code},
        expected_status=200,
    )
    assert ReleaseApiClient.json_data(allowed_update)["tenant_code"] == tenant_a.tenant_code

    # Write against a user of the other tenant must be refused.
    # NOTE(review): the test does not re-read the tenant B user afterwards, so
    # it cannot show that the record was left unchanged -- consider a follow-up
    # read through a client that is allowed to see it.
    foreign_user_url = f"/api/v3/rbac/users/{tenant_common_user_b.user_id}/tenant"
    denied_update = tenant_admin_api.put(
        foreign_user_url,
        json={"tenant_code": tenant_a.tenant_code},
        expected_status=403,
    )
    # Message text: "cannot modify users of other tenants".
    assert "不能修改其他租户用户" in denied_update.text
@pytest.mark.release
def test_common_user_cannot_access_management_but_keeps_business_entry(
    common_api_a: ReleaseApiClient,
    release_entry_module: dict,
    admin_client: ReleaseApiClient,
    release_config,
    tenant_a: TenantSeed,
    tenant_b: TenantSeed,
) -> None:
    """Check that a common user is denied management APIs but still sees the entry module.

    The admin client first enables the release entry module for both tenants;
    the common user of tenant A must then get 403 on the RBAC user list and the
    tenant list, while the home entry-module listing still contains the module.
    """
    module_id = int(release_entry_module["id"])
    module_name = str(release_entry_module["name"])
    entry_path = release_config.module_path

    # One binding per tenant, sort_order following the (A, B) order.
    tenant_bindings = [
        {
            "tenant_code": seed.tenant_code,
            "tenant_name": seed.tenant_name,
            "enabled": True,
            "sort_order": position,
        }
        for position, seed in enumerate((tenant_a, tenant_b), start=1)
    ]
    # Setup step performed with admin rights; the response body is not inspected.
    admin_client.put(
        f"/api/v3/entry-modules/{module_id}",
        json={
            "name": module_name,
            "description": "pytest release acceptance only",
            "path": entry_path,
            "route_path": entry_path,
            "tenants": tenant_bindings,
        },
        expected_status=200,
    )

    # Management endpoints must be refused for the common user.
    denied_users = common_api_a.get("/api/v3/rbac/users?page=1&page_size=20", expected_status=403)
    # Message text: "system settings management permission".
    assert "系统设置管理权限" in denied_users.text
    denied_tenants = common_api_a.get("/api/v3/tenants", expected_status=403)
    # NOTE(review): "租户" just means "tenant"; this substring is loose enough
    # to match many unrelated messages -- consider the full denial text.
    assert "租户" in denied_tenants.text

    # The business entry point stays reachable; the payload is iterated directly,
    # so json_data is expected to yield a sequence of module dicts here.
    listed_modules = ReleaseApiClient.json_data(common_api_a.get("/api/home/entry-modules"))
    listed_names = [str(entry.get("name") or "") for entry in listed_modules]
    assert module_name in listed_names