feat: implement super admin and platform admin roles

Add multi-platform admin authorization system with:
- AdminPlatform junction table for admin-platform assignments
- is_super_admin flag on User model for global admin access
- Platform selection flow for platform admins after login
- JWT token updates to include platform context
- New API endpoints for admin user management (super admin only)
- Auth dependencies for super admin and platform access checks

Includes comprehensive test coverage:
- Unit tests for AdminPlatform model and User admin methods
- Unit tests for AdminPlatformService operations
- Integration tests for admin users API endpoints

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 18:44:49 +01:00
parent 7e39bb0564
commit 53e05dd497
18 changed files with 2792 additions and 6 deletions


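--- /dev/null
+++ b/tests/unit/models/database/test_admin_platform.py
@@ -0,0 +1,271 @@
+# tests/unit/models/database/test_admin_platform.py
+"""
+Unit tests for AdminPlatform model.
+Tests the admin-platform junction table model and its relationships.
+"""
+import pytest
+from sqlalchemy.exc import IntegrityError
+from models.database.admin_platform import AdminPlatform
+@pytest.mark.unit
+@pytest.mark.database
+@pytest.mark.admin
+class TestAdminPlatformModel:
+"""Test AdminPlatform model creation and constraints."""
+def test_create_admin_platform_assignment(
+self, db, test_platform_admin, test_platform, test_super_admin
+):
+"""Test creating an admin platform assignment."""
+assignment = AdminPlatform(
+user_id=test_platform_admin.id,
+platform_id=test_platform.id,
+is_active=True,
+assigned_by_user_id=test_super_admin.id,
+)
+db.add(assignment)
+db.commit()
+db.refresh(assignment)
+assert assignment.id is not None
+assert assignment.user_id == test_platform_admin.id
+assert assignment.platform_id == test_platform.id
+assert assignment.is_active is True
+assert assignment.assigned_by_user_id == test_super_admin.id
+assert assignment.assigned_at is not None
+def test_admin_platform_unique_constraint(
+self, db, test_platform_admin, test_platform, test_super_admin
+):
+"""Test that an admin can only be assigned to a platform once."""
+# Create first assignment
+assignment1 = AdminPlatform(
+user_id=test_platform_admin.id,
+platform_id=test_platform.id,
+is_active=True,
+assigned_by_user_id=test_super_admin.id,
+)
+db.add(assignment1)
+db.commit()
+# Try to create duplicate assignment
+assignment2 = AdminPlatform(
+user_id=test_platform_admin.id,
+platform_id=test_platform.id,
+is_active=True,
+assigned_by_user_id=test_super_admin.id,
+)
+db.add(assignment2)
+with pytest.raises(IntegrityError):
+db.commit()
+def test_admin_platform_cascade_delete_user(
+self, db, auth_manager, test_platform, test_super_admin
+):
+"""Test that deleting user cascades to admin platform assignments."""
+from models.database.user import User
+# Create a temporary admin
+temp_admin = User(
+email="temp_admin@example.com",
+username="temp_admin",
+hashed_password=auth_manager.hash_password("temppass"),
+role="admin",
+is_active=True,
+is_super_admin=False,
+)
+db.add(temp_admin)
+db.flush()
+# Create assignment
+assignment = AdminPlatform(
+user_id=temp_admin.id,
+platform_id=test_platform.id,
+is_active=True,
+assigned_by_user_id=test_super_admin.id,
+)
+db.add(assignment)
+db.commit()
+assignment_id = assignment.id
+# Delete user - should cascade to assignment
+db.delete(temp_admin)
+db.commit()
+# Verify assignment is gone
+remaining = db.query(AdminPlatform).filter(AdminPlatform.id == assignment_id).first()
+assert remaining is None
+def test_admin_platform_relationships(
+self, db, test_platform_admin, test_platform, test_super_admin
+):
+"""Test AdminPlatform relationships are loaded correctly."""
+assignment = AdminPlatform(
+user_id=test_platform_admin.id,
+platform_id=test_platform.id,
+is_active=True,
+assigned_by_user_id=test_super_admin.id,
+)
+db.add(assignment)
+db.commit()
+db.refresh(assignment)
+# Test relationships
+assert assignment.user is not None
+assert assignment.user.id == test_platform_admin.id
+assert assignment.platform is not None
+assert assignment.platform.id == test_platform.id
+assert assignment.assigned_by is not None
+assert assignment.assigned_by.id == test_super_admin.id
+def test_admin_platform_properties(
+self, db, test_platform_admin, test_platform, test_super_admin
+):
+"""Test AdminPlatform computed properties."""
+assignment = AdminPlatform(
+user_id=test_platform_admin.id,
+platform_id=test_platform.id,
+is_active=True,
+assigned_by_user_id=test_super_admin.id,
+)
+db.add(assignment)
+db.commit()
+db.refresh(assignment)
+# Test properties
+assert assignment.platform_code == test_platform.code
+assert assignment.platform_name == test_platform.name
+def test_admin_platform_repr(
+self, db, test_platform_admin, test_platform, test_super_admin
+):
+"""Test AdminPlatform string representation."""
+assignment = AdminPlatform(
+user_id=test_platform_admin.id,
+platform_id=test_platform.id,
+is_active=True,
+assigned_by_user_id=test_super_admin.id,
+)
+db.add(assignment)
+db.commit()
+db.refresh(assignment)
+repr_str = repr(assignment)
+assert "AdminPlatform" in repr_str
+assert str(test_platform_admin.id) in repr_str
+assert str(test_platform.id) in repr_str
+@pytest.mark.unit
+@pytest.mark.database
+@pytest.mark.admin
+class TestUserAdminMethods:
+"""Test User model admin-related methods."""
+def test_is_super_admin_user_true(self, db, test_super_admin):
+"""Test is_super_admin_user property for super admin."""
+assert test_super_admin.is_super_admin_user is True
+def test_is_super_admin_user_false_for_platform_admin(self, db, test_platform_admin):
+"""Test is_super_admin_user property for platform admin."""
+assert test_platform_admin.is_super_admin_user is False
+def test_is_platform_admin_true(self, db, test_platform_admin):
+"""Test is_platform_admin property for platform admin."""
+assert test_platform_admin.is_platform_admin is True
+def test_is_platform_admin_false_for_super_admin(self, db, test_super_admin):
+"""Test is_platform_admin property for super admin."""
+assert test_super_admin.is_platform_admin is False
+def test_can_access_platform_super_admin(self, db, test_super_admin, test_platform):
+"""Test that super admin can access any platform."""
+assert test_super_admin.can_access_platform(test_platform.id) is True
+def test_can_access_platform_assigned(
+self, db, test_platform_admin, test_platform, test_super_admin
+):
+"""Test that platform admin can access assigned platform."""
+# Create assignment
+assignment = AdminPlatform(
+user_id=test_platform_admin.id,
+platform_id=test_platform.id,
+is_active=True,
+assigned_by_user_id=test_super_admin.id,
+)
+db.add(assignment)
+db.commit()
+db.refresh(test_platform_admin)
+assert test_platform_admin.can_access_platform(test_platform.id) is True
+def test_can_access_platform_not_assigned(
+self, db, test_platform_admin, test_platform
+):
+"""Test that platform admin cannot access unassigned platform."""
+# No assignment created
+assert test_platform_admin.can_access_platform(test_platform.id) is False
+def test_can_access_platform_inactive_assignment(
+self, db, test_platform_admin, test_platform, test_super_admin
+):
+"""Test that platform admin cannot access platform with inactive assignment."""
+# Create inactive assignment
+assignment = AdminPlatform(
+user_id=test_platform_admin.id,
+platform_id=test_platform.id,
+is_active=False, # Inactive
+assigned_by_user_id=test_super_admin.id,
+)
+db.add(assignment)
+db.commit()
+db.refresh(test_platform_admin)
+assert test_platform_admin.can_access_platform(test_platform.id) is False
+def test_get_accessible_platform_ids_super_admin(self, db, test_super_admin):
+"""Test get_accessible_platform_ids returns None for super admin."""
+result = test_super_admin.get_accessible_platform_ids()
+assert result is None # None means all platforms
+def test_get_accessible_platform_ids_platform_admin(
+self, db, test_platform_admin, test_platform, another_platform, test_super_admin
+):
+"""Test get_accessible_platform_ids returns correct list for platform admin."""
+# Create assignments for both platforms
+assignment1 = AdminPlatform(
+user_id=test_platform_admin.id,
+platform_id=test_platform.id,
+is_active=True,
+assigned_by_user_id=test_super_admin.id,
+)
+assignment2 = AdminPlatform(
+user_id=test_platform_admin.id,
+platform_id=another_platform.id,
+is_active=True,
+assigned_by_user_id=test_super_admin.id,
+)
+db.add_all([assignment1, assignment2])
+db.commit()
+db.refresh(test_platform_admin)
+result = test_platform_admin.get_accessible_platform_ids()
+assert len(result) == 2
+assert test_platform.id in result
+assert another_platform.id in result
+def test_get_accessible_platform_ids_no_assignments(self, db, test_platform_admin):
+"""Test get_accessible_platform_ids returns empty list when no assignments."""
+result = test_platform_admin.get_accessible_platform_ids()
+assert result == []
+def test_get_accessible_platform_ids_vendor_user(self, db, test_vendor_user):
+"""Test get_accessible_platform_ids returns empty list for non-admin."""
+result = test_vendor_user.get_accessible_platform_ids()
+assert result == []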
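Review bot: `get_accessible_platform_ids` has no test that an inactive assignment is excluded — `test_get_accessible_platform_ids_platform_admin` creates two active rows and only asserts both come back, while the inactive case is covered solely for `can_access_platform` in `test_can_access_platform_inactive_assignment`. Since the commit description says this list drives the platform-selection flow and the JWT platform context, a regression there would silently widen a platform admin's reach, so add a case that creates the `another_platform` row with `is_active=False` and asserts `result == [test_platform.id]`. The same gap applies to role checks: `test_get_accessible_platform_ids_vendor_user` covers a vendor with no rows, but neither `can_access_platform` nor `is_platform_admin` is exercised for a non-admin user that does have an `AdminPlatform` row, which is the case that decides whether the role or the junction table is the authority. Separately, `test_admin_platform_unique_constraint` ends with the session in a failed transaction after the expected `IntegrityError`; adding `db.rollback()` after the `pytest.raises` block avoids relying on fixture teardown to recover it.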


@@ -0,0 +1,463 @@
# tests/unit/services/test_admin_platform_service.py
"""
Unit tests for AdminPlatformService.
Tests the admin platform assignment service operations.
"""
import pytest
from app.exceptions import AdminOperationException, CannotModifySelfException, ValidationException
from app.services.admin_platform_service import AdminPlatformService
@pytest.mark.unit
@pytest.mark.admin
class TestAdminPlatformServiceAssign:
"""Test AdminPlatformService.assign_admin_to_platform."""
def test_assign_admin_to_platform_success(
self, db, test_platform_admin, test_platform, test_super_admin
):
"""Test successfully assigning an admin to a platform."""
service = AdminPlatformService()
assignment = service.assign_admin_to_platform(
db=db,
admin_user_id=test_platform_admin.id,
platform_id=test_platform.id,
assigned_by_user_id=test_super_admin.id,
)
assert assignment is not None
assert assignment.user_id == test_platform_admin.id
assert assignment.platform_id == test_platform.id
assert assignment.is_active is True
assert assignment.assigned_by_user_id == test_super_admin.id
def test_assign_admin_user_not_found(self, db, test_platform, test_super_admin):
"""Test assigning non-existent user raises error."""
service = AdminPlatformService()
with pytest.raises(ValidationException) as exc:
service.assign_admin_to_platform(
db=db,
admin_user_id=99999,
platform_id=test_platform.id,
assigned_by_user_id=test_super_admin.id,
)
assert "User not found" in str(exc.value)
def test_assign_admin_not_admin_role(
self, db, test_vendor_user, test_platform, test_super_admin
):
"""Test assigning non-admin user raises error."""
service = AdminPlatformService()
with pytest.raises(ValidationException) as exc:
service.assign_admin_to_platform(
db=db,
admin_user_id=test_vendor_user.id,
platform_id=test_platform.id,
assigned_by_user_id=test_super_admin.id,
)
assert "must be an admin" in str(exc.value)
def test_assign_super_admin_raises_error(
self, db, test_super_admin, test_platform
):
"""Test assigning super admin raises error."""
service = AdminPlatformService()
with pytest.raises(ValidationException) as exc:
service.assign_admin_to_platform(
db=db,
admin_user_id=test_super_admin.id,
platform_id=test_platform.id,
assigned_by_user_id=test_super_admin.id,
)
assert "Super admins don't need platform assignments" in str(exc.value)
def test_assign_platform_not_found(
self, db, test_platform_admin, test_super_admin
):
"""Test assigning to non-existent platform raises error."""
service = AdminPlatformService()
with pytest.raises(ValidationException) as exc:
service.assign_admin_to_platform(
db=db,
admin_user_id=test_platform_admin.id,
platform_id=99999,
assigned_by_user_id=test_super_admin.id,
)
assert "Platform not found" in str(exc.value)
def test_assign_admin_already_assigned(
self, db, test_platform_admin, test_platform, test_super_admin
):
"""Test assigning already assigned admin raises error."""
service = AdminPlatformService()
# First assignment
service.assign_admin_to_platform(
db=db,
admin_user_id=test_platform_admin.id,
platform_id=test_platform.id,
assigned_by_user_id=test_super_admin.id,
)
db.commit()
# Try to assign again
with pytest.raises(AdminOperationException) as exc:
service.assign_admin_to_platform(
db=db,
admin_user_id=test_platform_admin.id,
platform_id=test_platform.id,
assigned_by_user_id=test_super_admin.id,
)
assert "already assigned" in str(exc.value)
def test_reactivate_inactive_assignment(
self, db, test_platform_admin, test_platform, test_super_admin
):
"""Test reactivating an inactive assignment."""
from models.database.admin_platform import AdminPlatform
service = AdminPlatformService()
# Create inactive assignment directly
assignment = AdminPlatform(
user_id=test_platform_admin.id,
platform_id=test_platform.id,
is_active=False,
assigned_by_user_id=test_super_admin.id,
)
db.add(assignment)
db.commit()
# Assign again - should reactivate
result = service.assign_admin_to_platform(
db=db,
admin_user_id=test_platform_admin.id,
platform_id=test_platform.id,
assigned_by_user_id=test_super_admin.id,
)
assert result.is_active is True
@pytest.mark.unit
@pytest.mark.admin
class TestAdminPlatformServiceRemove:
"""Test AdminPlatformService.remove_admin_from_platform."""
def test_remove_admin_from_platform_success(
self, db, test_platform_admin, test_platform, test_super_admin
):
"""Test successfully removing an admin from a platform."""
from models.database.admin_platform import AdminPlatform
service = AdminPlatformService()
# Create assignment first
assignment = AdminPlatform(
user_id=test_platform_admin.id,
platform_id=test_platform.id,
is_active=True,
assigned_by_user_id=test_super_admin.id,
)
db.add(assignment)
db.commit()
# Remove
service.remove_admin_from_platform(
db=db,
admin_user_id=test_platform_admin.id,
platform_id=test_platform.id,
removed_by_user_id=test_super_admin.id,
)
db.commit()
db.refresh(assignment)
assert assignment.is_active is False
def test_remove_admin_not_assigned(
self, db, test_platform_admin, test_platform, test_super_admin
):
"""Test removing non-existent assignment raises error."""
service = AdminPlatformService()
with pytest.raises(ValidationException) as exc:
service.remove_admin_from_platform(
db=db,
admin_user_id=test_platform_admin.id,
platform_id=test_platform.id,
removed_by_user_id=test_super_admin.id,
)
assert "not assigned" in str(exc.value)
@pytest.mark.unit
@pytest.mark.admin
class TestAdminPlatformServiceQueries:
"""Test AdminPlatformService query methods."""
def test_get_platforms_for_admin(
self, db, test_platform_admin, test_platform, another_platform, test_super_admin
):
"""Test getting platforms for an admin."""
from models.database.admin_platform import AdminPlatform
service = AdminPlatformService()
# Create assignments
for platform in [test_platform, another_platform]:
assignment = AdminPlatform(
user_id=test_platform_admin.id,
platform_id=platform.id,
is_active=True,
assigned_by_user_id=test_super_admin.id,
)
db.add(assignment)
db.commit()
platforms = service.get_platforms_for_admin(db, test_platform_admin.id)
assert len(platforms) == 2
platform_ids = [p.id for p in platforms]
assert test_platform.id in platform_ids
assert another_platform.id in platform_ids
def test_get_platforms_for_admin_no_assignments(self, db, test_platform_admin):
"""Test getting platforms when no assignments exist."""
service = AdminPlatformService()
platforms = service.get_platforms_for_admin(db, test_platform_admin.id)
assert platforms == []
def test_get_admins_for_platform(
self, db, test_platform_admin, test_platform, test_super_admin, auth_manager
):
"""Test getting admins for a platform."""
from models.database.admin_platform import AdminPlatform
from models.database.user import User
service = AdminPlatformService()
# Create another platform admin
another_admin = User(
email="another_padmin@example.com",
username="another_padmin",
hashed_password=auth_manager.hash_password("pass"),
role="admin",
is_active=True,
is_super_admin=False,
)
db.add(another_admin)
db.flush()
# Create assignments for both admins
for admin in [test_platform_admin, another_admin]:
assignment = AdminPlatform(
user_id=admin.id,
platform_id=test_platform.id,
is_active=True,
assigned_by_user_id=test_super_admin.id,
)
db.add(assignment)
db.commit()
admins = service.get_admins_for_platform(db, test_platform.id)
assert len(admins) == 2
admin_ids = [a.id for a in admins]
assert test_platform_admin.id in admin_ids
assert another_admin.id in admin_ids
def test_get_admin_assignments(
self, db, test_platform_admin, test_platform, another_platform, test_super_admin
):
"""Test getting admin assignments with platform details."""
from models.database.admin_platform import AdminPlatform
service = AdminPlatformService()
# Create assignments
for platform in [test_platform, another_platform]:
assignment = AdminPlatform(
user_id=test_platform_admin.id,
platform_id=platform.id,
is_active=True,
assigned_by_user_id=test_super_admin.id,
)
db.add(assignment)
db.commit()
assignments = service.get_admin_assignments(db, test_platform_admin.id)
assert len(assignments) == 2
# Verify platform relationship is loaded
for assignment in assignments:
assert assignment.platform is not None
assert assignment.platform.code is not None
@pytest.mark.unit
@pytest.mark.admin
class TestAdminPlatformServiceSuperAdmin:
"""Test AdminPlatformService super admin operations."""
def test_toggle_super_admin_promote(
self, db, test_platform_admin, test_super_admin
):
"""Test promoting admin to super admin."""
service = AdminPlatformService()
result = service.toggle_super_admin(
db=db,
user_id=test_platform_admin.id,
is_super_admin=True,
current_admin_id=test_super_admin.id,
)
db.commit()
assert result.is_super_admin is True
def test_toggle_super_admin_demote(
self, db, test_super_admin, auth_manager
):
"""Test demoting super admin to platform admin."""
from models.database.user import User
service = AdminPlatformService()
# Create another super admin to demote
another_super = User(
email="another_super@example.com",
username="another_super",
hashed_password=auth_manager.hash_password("pass"),
role="admin",
is_active=True,
is_super_admin=True,
)
db.add(another_super)
db.commit()
result = service.toggle_super_admin(
db=db,
user_id=another_super.id,
is_super_admin=False,
current_admin_id=test_super_admin.id,
)
db.commit()
assert result.is_super_admin is False
def test_toggle_super_admin_cannot_demote_self(self, db, test_super_admin):
"""Test that super admin cannot demote themselves."""
service = AdminPlatformService()
with pytest.raises(CannotModifySelfException):
service.toggle_super_admin(
db=db,
user_id=test_super_admin.id,
is_super_admin=False,
current_admin_id=test_super_admin.id,
)
def test_toggle_super_admin_user_not_found(self, db, test_super_admin):
"""Test toggling non-existent user raises error."""
service = AdminPlatformService()
with pytest.raises(ValidationException) as exc:
service.toggle_super_admin(
db=db,
user_id=99999,
is_super_admin=True,
current_admin_id=test_super_admin.id,
)
assert "User not found" in str(exc.value)
def test_toggle_super_admin_not_admin(
self, db, test_vendor_user, test_super_admin
):
"""Test toggling non-admin user raises error."""
service = AdminPlatformService()
with pytest.raises(ValidationException) as exc:
service.toggle_super_admin(
db=db,
user_id=test_vendor_user.id,
is_super_admin=True,
current_admin_id=test_super_admin.id,
)
assert "must be an admin" in str(exc.value)
@pytest.mark.unit
@pytest.mark.admin
class TestAdminPlatformServiceCreatePlatformAdmin:
"""Test AdminPlatformService.create_platform_admin."""
def test_create_platform_admin_success(
self, db, test_platform, another_platform, test_super_admin
):
"""Test creating a new platform admin with assignments."""
service = AdminPlatformService()
user, assignments = service.create_platform_admin(
db=db,
email="new_padmin@example.com",
username="new_padmin",
password="securepass123",
platform_ids=[test_platform.id, another_platform.id],
created_by_user_id=test_super_admin.id,
first_name="New",
last_name="Admin",
)
db.commit()
assert user is not None
assert user.email == "new_padmin@example.com"
assert user.username == "new_padmin"
assert user.role == "admin"
assert user.is_super_admin is False
assert user.first_name == "New"
assert user.last_name == "Admin"
assert len(assignments) == 2
def test_create_platform_admin_duplicate_email(
self, db, test_platform, test_super_admin, test_platform_admin
):
"""Test creating platform admin with duplicate email fails."""
service = AdminPlatformService()
with pytest.raises(ValidationException) as exc:
service.create_platform_admin(
db=db,
email=test_platform_admin.email, # Duplicate
username="unique_username",
password="securepass123",
platform_ids=[test_platform.id],
created_by_user_id=test_super_admin.id,
)
assert "Email already exists" in str(exc.value)
def test_create_platform_admin_duplicate_username(
self, db, test_platform, test_super_admin, test_platform_admin
):
"""Test creating platform admin with duplicate username fails."""
service = AdminPlatformService()
with pytest.raises(ValidationException) as exc:
service.create_platform_admin(
db=db,
email="unique@example.com",
username=test_platform_admin.username, # Duplicate
password="securepass123",
platform_ids=[test_platform.id],
created_by_user_id=test_super_admin.id,
)
assert "Username already exists" in str(exc.value)