Merge pull request #225 from cyberark/build-fix

Fix Roles API test failures

Author: john-odonnell

CHANGELOG.md

@@ -6,6 +6,12 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 
 ## [Unreleased]
 
+### Removed
+- Removed possible 403 response code from Roles API endpoints. As of Conjur
+  v1.19.3, requests to the Roles API return 404 when the caller has insufficient
+  privilege - see [cyberark/conjur#2755](https://github.com/cyberark/conjur/pull/2755).
+  [cyberark/conjur-openapi-spec#225](https://github.com/cyberark/conjur-openapi-spec/pull/225)
+
 ## [5.3.0] - 2021-12-22
 
 ### Added

spec/roles.yml

@@ -129,8 +129,6 @@ components:
             $ref: 'openapi.yml#/components/responses/BadRequest'
           "401":
             $ref: 'openapi.yml#/components/responses/UnauthorizedError'
-          "403":
-            $ref: 'openapi.yml#/components/responses/InadequatePrivileges'
           "404":
             $ref: 'openapi.yml#/components/responses/ResourceNotFound'
           "422":
@@ -196,8 +194,6 @@ components:
             $ref: 'openapi.yml#/components/responses/BadRequest'
           "401":
             $ref: 'openapi.yml#/components/responses/UnauthorizedError'
-          "403":
-            $ref: 'openapi.yml#/components/responses/InadequatePrivileges'
           "404":
             $ref: 'openapi.yml#/components/responses/ResourceNotFound'
           "422":
@@ -263,8 +259,6 @@ components:
             $ref: 'openapi.yml#/components/responses/BadRequest'
           "401":
             $ref: 'openapi.yml#/components/responses/UnauthorizedError'
-          "403":
-            $ref: 'openapi.yml#/components/responses/InadequatePrivileges'
           "404":
             $ref: 'openapi.yml#/components/responses/ResourceNotFound'
           "422":

test/python/roles/test_roles_api.py

@@ -177,26 +177,6 @@ def test_add_member_to_role_401(self):
 
         self.assertEqual(context.exception.status, 401)
 
-    def test_add_member_to_role_403(self):
-        """Test case for 403 status response when adding role member
-        403 - the authenticated user lacks the necessary privilege
-        """
-        # establish a new api client as user Bob
-        bob_client = api_config.get_api_client(username='bob')
-        bob_roles_api = conjur.RolesApi(bob_client)
-
-        # attempt to add Alice as a member of userGroup as Bob
-        with self.assertRaises(conjur.ApiException) as context:
-            bob_roles_api.add_member_to_role(
-                self.account,
-                'group',
-                'userGroup',
-                members='',
-                member=self.ALICE_ID
-            )
-
-        self.assertEqual(context.exception.status, 403)
-
     def test_add_member_to_role_404(self):
         """Test case for 404 status response when adding role member
         404 - the role inteded for assignment as member does not exist
@@ -286,32 +266,6 @@ def test_remove_member_from_role_401(self):
 
         self.assertEqual(context.exception.status, 401)
 
-    def test_remove_member_from_role_403(self):
-        """Test case for 403 status response when deleting role member
-        403 - the authenticated client lacks the necessary privilege
-        """
-        # add Alice as a member of userGroup and confirm
-        self.add_user_to_group('alice')
-        group_members = self.api.show_role(self.account, 'group', 'userGroup', members='')
-        self.assertEqual(len(group_members), 2)
-        self.assertEqual(group_members[1]['member'], self.ALICE_ID)
-
-        # establish a new api client as user Bob
-        bob_client = api_config.get_api_client(username='bob')
-        bob_roles_api = conjur.RolesApi(bob_client)
-
-        # attempt to delete Alice as member of userGroup as Bob
-        with self.assertRaises(conjur.ApiException) as context:
-            bob_roles_api.remove_member_from_role(
-                self.account,
-                'group',
-                'userGroup',
-                members='',
-                member=self.ALICE_ID
-            )
-
-        self.assertEqual(context.exception.status, 403)
-
     def test_remove_member_from_role_404(self):
         """Test case for 404 status response when deleting role member
         404 - the queried role intended for deletion was not found

test/python/roles/test_roles_query_params_api.py

@@ -179,7 +179,7 @@ def test_parameter_combos_a(self):
 
     def test_parameter_combos_b(self):
         """Test Conjur's response to being given all optional parameters besides `graph`
-        Conjur responses with `all` results ONLY
+        Conjur responds with `all` results ONLY
         """
         details, status, _ = self.api.show_role_with_http_info(
             self.account,
@@ -201,7 +201,17 @@ def test_parameter_combos_b(self):
         ]
 
         if api_config.ENTERPRISE_TESTS:
-            target_details.append('!:!:root')
+            system_memberships = [
+                'system:group:conjur/replication-sets/full/replicated-data',
+                'system:policy:conjur',
+                'system:policy:conjur/replication-sets',
+                'system:policy:conjur/replication-sets/full',
+                'system:policy:root',
+                'system:user:admin',
+                '!:!:root'
+            ]
+            for membership in system_memberships:
+                target_details.append(membership)
 
         self.assertEqual(status, 200)
         for i in target_details:
@@ -213,7 +223,7 @@ def test_parameter_combos_b(self):
 
     def test_parameter_combos_c(self):
         """Test Conjur's response to being given both `members` and `memberships`
-        Conjur response with `memberships` results ONLY
+        Conjur responds with `memberships` results ONLY
         """
         self.add_user_to_group('bob')