test: update tests according model changes

BryanttV · BryanttV · commit ddaa0568f606 · 2025-09-23T21:53:11.000-05:00
diff --git a/openedx_authz/tests/test_enforcement.py b/openedx_authz/tests/test_enforcement.py
@@ -1,8 +1,8 @@
 """
-Tests for Casbin enforcement using model.conf and authz.policy files.
+Comprehensive test suite for Open edX authorization enforcement using Casbin.
 
-This module contains comprehensive tests for the authorization enforcement
-using Casbin with the configured model and policy files.
+This module validates the authorization system implemented with Casbin, testing
+various aspects of the permission model.
 """
 
 import os
@@ -12,6 +12,8 @@
 import casbin
 from ddt import data, ddt, unpack
 
+from openedx_authz import ROOT_DIRECTORY
+
 
 class AuthRequest(TypedDict):
     """
@@ -43,27 +45,41 @@ class CasbinEnforcementTestCase(TestCase):
     """
     Test case for Casbin enforcement policies.
 
-    This test class loads the model.conf and authz.policy files and runs
+    This test class loads the model.conf and the provided policies and runs
     enforcement tests for different user roles and permissions.
     """
 
     @classmethod
     def setUpClass(cls) -> None:
-        """Set up the Casbin enforcer with model and policy files."""
+        """Set up the Casbin enforcer."""
         super().setUpClass()
 
-        engine_config_dir = os.path.join(os.path.dirname(os.path.dirname(__file__)), "engine", "config")
+        engine_config_dir = os.path.join(ROOT_DIRECTORY, "engine", "config")
         model_file = os.path.join(engine_config_dir, "model.conf")
 
         if not os.path.isfile(model_file):
             raise FileNotFoundError(f"Model file not found: {model_file}")
 
         cls.enforcer = casbin.Enforcer(model_file)
 
-    def _load_policy(self, policy: list[str] = None) -> None:
-        """Load policy into the enforcer."""
+    def _load_policy(self, policy: list[str]) -> None:
+        """
+        Load policy rules into the Casbin enforcer.
+
+        This method clears any existing policies and loads the provided policy rules
+        into the appropriate policy stores (p for policies, g for role assignments,
+        g2 for action groupings).
+
+        Args:
+            policy (list[str]): List of policy rules where each rule is a
+                list starting with the rule type ('p', 'g', or 'g2') followed by
+                the rule parameters.
+
+        Raises:
+            ValueError: If a policy rule has an invalid type (not 'p', 'g', or 'g2').
+        """
         self.enforcer.clear_policy()
-        for rule in policy or []:
+        for rule in policy:
             if rule[0] == "p":
                 self.enforcer.add_named_policy("p", rule[1:])
             elif rule[0] == "g":
@@ -73,7 +89,7 @@ def _load_policy(self, policy: list[str] = None) -> None:
             else:
                 raise ValueError(f"Invalid policy rule: {rule}")
 
-    def _test_enforcement(self, policy: list[str] = None, request: AuthRequest = None) -> None:
+    def _test_enforcement(self, policy: list[str], request: AuthRequest) -> None:
         """
         Helper method to test enforcement and provide detailed feedback.
 
@@ -90,11 +106,18 @@ def _test_enforcement(self, policy: list[str] = None, request: AuthRequest = Non
 
 @ddt
 class SystemWideRoleTests(CasbinEnforcementTestCase):
-    """Tests for system-wide roles with global access permissions."""
+    """
+    Tests for system-wide roles with global access permissions.
+
+    This test class verifies that users assigned to system-wide roles (with global scope "*")
+    can access resources across all scopes and namespaces. Platform administrators should
+    have unrestricted access to manage any resource in the system, regardless of the
+    specific scope (organization, course, library, etc.).
+    """
 
     POLICY = [
         ["p", "role:platform_admin", "act:manage", "*", "allow"],
-        ["g", "user:user-1", "role:platform_admin"],
+        ["g", "user:user-1", "role:platform_admin", "*"],
     ] + COMMON_ACTION_GROUPING
 
     GENERAL_CASES = [
@@ -132,11 +155,17 @@ def test_platform_admin_general_access(self, request: AuthRequest):
 
 @ddt
 class ActionGroupingTests(CasbinEnforcementTestCase):
-    """Tests for action grouping."""
+    """
+    Tests for action grouping and permission inheritance.
+
+    This test class verifies that action grouping works correctly, where high-level
+    actions (like 'manage') automatically grant access to lower-level actions
+    (like 'edit', 'read', 'write', 'delete') through the g2 grouping mechanism.
+    """
 
     POLICY = [
-        ["p", "role:role-1", "act:manage", "org:any-org", "allow"],
-        ["g", "user:user-1", "role:role-1"],
+        ["p", "role:role-1", "act:manage", "org:*", "allow"],
+        ["g", "user:user-1", "role:role-1", "org:any-org"],
     ] + COMMON_ACTION_GROUPING
 
     CASES = [
@@ -174,29 +203,34 @@ def test_action_grouping_access(self, request: AuthRequest):
 
 @ddt
 class RoleAssignmentTests(CasbinEnforcementTestCase):
-    """Tests for role assignment."""
+    """
+    Tests for role assignment and scoped authorization.
+
+    This test class verifies that users with different roles can access resources
+    within their assigned scopes.
+    """
 
     POLICY = [
         # Policies
         ["p", "role:platform_admin", "act:manage", "*", "allow"],
-        ["p", "role:org_admin", "act:manage", "org:any-org", "allow"],
-        ["p", "role:org_editor", "act:edit", "org:any-org", "allow"],
-        ["p", "role:org_author", "act:write", "org:any-org", "allow"],
-        ["p", "role:course_admin", "act:manage", "course-v1:any-org+any-course+any-course-run", "allow"],
-        ["p", "role:library_admin", "act:manage", "lib:any-library", "allow"],
-        ["p", "role:library_editor", "act:edit", "lib:any-library", "allow"],
-        ["p", "role:library_reviewer", "act:read", "lib:any-library", "allow"],
-        ["p", "role:library_author", "act:write", "lib:any-library", "allow"],
+        ["p", "role:org_admin", "act:manage", "org:*", "allow"],
+        ["p", "role:org_editor", "act:edit", "org:*", "allow"],
+        ["p", "role:org_author", "act:write", "org:*", "allow"],
+        ["p", "role:course_admin", "act:manage", "course-v1:*", "allow"],
+        ["p", "role:library_admin", "act:manage", "lib:*", "allow"],
+        ["p", "role:library_editor", "act:edit", "lib:*", "allow"],
+        ["p", "role:library_reviewer", "act:read", "lib:*", "allow"],
+        ["p", "role:library_author", "act:write", "lib:*", "allow"],
         # Role assignments
-        ["g", "user:user-1", "role:platform_admin"],
-        ["g", "user:user-2", "role:org_admin"],
-        ["g", "user:user-3", "role:org_editor"],
-        ["g", "user:user-4", "role:org_author"],
-        ["g", "user:user-5", "role:course_admin"],
-        ["g", "user:user-6", "role:library_admin"],
-        ["g", "user:user-7", "role:library_editor"],
-        ["g", "user:user-8", "role:library_reviewer"],
-        ["g", "user:user-9", "role:library_author"],
+        ["g", "user:user-1", "role:platform_admin", "*"],
+        ["g", "user:user-2", "role:org_admin", "org:any-org"],
+        ["g", "user:user-3", "role:org_editor", "org:any-org"],
+        ["g", "user:user-4", "role:org_author", "org:any-org"],
+        ["g", "user:user-5", "role:course_admin", "course-v1:any-org+any-course+any-course-run"],
+        ["g", "user:user-6", "role:library_admin", "lib:any-library"],
+        ["g", "user:user-7", "role:library_editor", "lib:any-library"],
+        ["g", "user:user-8", "role:library_reviewer", "lib:any-library"],
+        ["g", "user:user-9", "role:library_author", "lib:any-library"],
     ] + COMMON_ACTION_GROUPING
 
     CASES = [
@@ -264,12 +298,16 @@ def test_role_assignment_access(self, request: AuthRequest):
 
 @ddt
 class DeniedAccessTests(CasbinEnforcementTestCase):
-    """Tests for denied access."""
+    """Tests for denied access scenarios.
+
+    This test class verifies that the authorization system correctly denies access
+    when explicit deny rules override allow rules.
+    """
 
     POLICY = [
         ["p", "role:platform_admin", "act:manage", "*", "allow"],
         ["p", "role:platform_admin", "act:manage", "org:restricted-org", "deny"],
-        ["g", "user:user-1", "role:platform_admin"],
+        ["g", "user:user-1", "role:platform_admin", "*"],
     ] + COMMON_ACTION_GROUPING
 
     CASES = [
@@ -319,7 +357,12 @@ def test_denied_access(self, request: AuthRequest):
 
 @ddt
 class WildcardScopeTests(CasbinEnforcementTestCase):
-    """Tests for wildcard scope."""
+    """Tests for wildcard scope authorization patterns.
+
+    Verifies that users with roles assigned to wildcard scopes (like "*" for global access
+    or "org:*" for organization-wide access) can properly access resources within their
+    authorized scope boundaries.
+    """
 
     POLICY = [
         # Policies
@@ -328,10 +371,10 @@ class WildcardScopeTests(CasbinEnforcementTestCase):
         ["p", "role:course_admin", "act:manage", "course-v1:*", "allow"],
         ["p", "role:library_admin", "act:manage", "lib:*", "allow"],
         # Role assignments
-        ["g", "user:user-1", "role:platform_admin"],
-        ["g", "user:user-2", "role:org_admin"],
-        ["g", "user:user-3", "role:course_admin"],
-        ["g", "user:user-4", "role:library_admin"],
+        ["g", "user:user-1", "role:platform_admin", "*"],
+        ["g", "user:user-2", "role:org_admin", "*"],
+        ["g", "user:user-3", "role:course_admin", "*"],
+        ["g", "user:user-4", "role:library_admin", "*"],
     ] + COMMON_ACTION_GROUPING
 
     @data(
