""" Integration and End-to-End Tests for Permission Workflows This module contains integration tests for permission workflows, end-to-end tests for complete user journeys, and performance tests. """ from django.test import TestCase, TransactionTestCase, Client from django.urls import reverse from django.utils import timezone from django.contrib.auth import get_user_model from django.core.management import call_command from django.core.cache import cache from django.db import transaction from unittest.mock import patch, MagicMock from decimal import Decimal from datetime import date, timedelta import json import time from users.models import Branch, RolePermission, DefaultRolePermission, UserPermission from users.enhanced_permissions_models import ( PagePermission, RolePermissionTemplate, UserPagePermission, PortfolioSnapshot ) from users.services import PagePermissionManager, RolePermissionTemplateManager from users.permission_cache_service import PermissionCacheService from users.portfolio_snapshot_service import PortfolioSnapshotService from users.client_growth_analytics import ClientGrowthAnalytics from reports.enhanced_pdf_service import EnhancedPDFService from reports.export_functions import ExportService User = get_user_model() class PermissionWorkflowIntegrationTest(TransactionTestCase): """Integration tests for complete permission workflows""" def setUp(self): """Set up test data""" # Clear cache cache.clear() # Create test branch self.branch = Branch.objects.create( name="Test Branch", code="TB001", is_active=True ) # Create test users self.admin = User.objects.create_user( username="admin", email="admin@test.com", password="testpass123", role="admin", branch=self.branch, phone_number="+254700000001" ) self.team_leader = User.objects.create_user( username="leader1", email="leader1@test.com", password="testpass123", role="team_leader", branch=self.branch, phone_number="+254700000002" ) self.loan_officer = User.objects.create_user( username="officer1", email="officer1@test.com", password="testpass123", role="loan_officer", branch=self.branch, phone_number="+254700000003" ) self.secretary = User.objects.create_user( username="secretary1", email="secretary1@test.com", password="testpass123", role="secretary", branch=self.branch, phone_number="+254700000004" ) # Initialize services self.permission_manager = PagePermissionManager() self.template_manager = RolePermissionTemplateManager() self.cache_service = PermissionCacheService() def test_complete_permission_setup_workflow(self): """Test complete permission setup from scratch""" # Step 1: Create page permissions loans_permissions = [ { 'page_name': 'loans', 'action_code': 'loans_view_applications', 'action_name': 'View Loan Applications', 'category': 'view', 'is_critical': False }, { 'page_name': 'loans', 'action_code': 'loans_create_application', 'action_name': 'Create Loan Application', 'category': 'create', 'is_critical': True }, { 'page_name': 'loans', 'action_code': 'loans_approve_application', 'action_name': 'Approve Loan Application', 'category': 'approve', 'is_critical': True }, { 'page_name': 'loans', 'action_code': 'loans_delete_application', 'action_name': 'Delete Loan Application', 'category': 'delete', 'is_critical': True } ] created_permissions = [] for perm_data in loans_permissions: permission = PagePermission.objects.create(**perm_data) created_permissions.append(permission) # Verify permissions were created self.assertEqual(PagePermission.objects.count(), 4) # Step 2: Set up role templates role_configurations = { 'admin': { 'loans_view_applications': True, 'loans_create_application': True, 'loans_approve_application': True, 'loans_delete_application': True }, 'team_leader': { 'loans_view_applications': True, 'loans_create_application': True, 'loans_approve_application': True, 'loans_delete_application': False }, 'loan_officer': { 'loans_view_applications': True, 'loans_create_application': True, 'loans_approve_application': False, 'loans_delete_application': False }, 'secretary': { 'loans_view_applications': True, 'loans_create_application': False, 'loans_approve_application': False, 'loans_delete_application': False } } # Configure each role for role, permissions in role_configurations.items(): result = self.template_manager.set_role_defaults(role, permissions) self.assertTrue(result['success']) # Verify role templates were created total_templates = sum(len(perms) for perms in role_configurations.values()) self.assertEqual(RolePermissionTemplate.objects.count(), total_templates) # Step 3: Apply defaults to users for role in role_configurations.keys(): result = self.template_manager.apply_defaults_to_users(role) self.assertTrue(result['success']) # Step 4: Verify permissions work correctly # Admin should have all permissions admin_permissions = self.permission_manager.get_page_permissions(self.admin, 'loans') self.assertTrue(admin_permissions['loans_view_applications']) self.assertTrue(admin_permissions['loans_approve_application']) self.assertTrue(admin_permissions['loans_delete_application']) # Loan officer should have limited permissions officer_permissions = self.permission_manager.get_page_permissions(self.loan_officer, 'loans') self.assertTrue(officer_permissions['loans_view_applications']) self.assertTrue(officer_permissions['loans_create_application']) self.assertFalse(officer_permissions['loans_approve_application']) self.assertFalse(officer_permissions['loans_delete_application']) # Secretary should have minimal permissions secretary_permissions = self.permission_manager.get_page_permissions(self.secretary, 'loans') self.assertTrue(secretary_permissions['loans_view_applications']) self.assertFalse(secretary_permissions['loans_create_application']) self.assertFalse(secretary_permissions['loans_approve_application']) # Step 5: Grant custom permission override approve_permission = PagePermission.objects.get(action_code='loans_approve_application') UserPagePermission.objects.create( user=self.loan_officer, page_permission=approve_permission, is_allowed=True, granted_by=self.admin, reason="Special approval permission for senior officer" ) # Clear cache to ensure fresh data self.cache_service.invalidate_user_permissions(str(self.loan_officer.id)) # Verify custom permission override works updated_permissions = self.permission_manager.get_page_permissions(self.loan_officer, 'loans') self.assertTrue(updated_permissions['loans_approve_application']) # Should now be True def test_permission_inheritance_and_override_workflow(self): """Test permission inheritance and override workflow""" # Create base permission view_permission = PagePermission.objects.create( page_name='clients', action_code='clients_view_list', action_name='View Client List', category='view' ) edit_permission = PagePermission.objects.create( page_name='clients', action_code='clients_edit_info', action_name='Edit Client Information', category='edit', is_critical=True ) # Set role defaults self.template_manager.set_role_defaults('loan_officer', { 'clients_view_list': True, 'clients_edit_info': False }) # Apply to user self.template_manager.apply_defaults_to_users('loan_officer') # Verify initial permissions permissions = self.permission_manager.get_page_permissions(self.loan_officer, 'clients') self.assertTrue(permissions['clients_view_list']) self.assertFalse(permissions['clients_edit_info']) # Grant custom permission UserPagePermission.objects.create( user=self.loan_officer, page_permission=edit_permission, is_allowed=True, granted_by=self.admin, reason="Temporary edit permission" ) # Clear cache self.cache_service.invalidate_user_permissions(str(self.loan_officer.id)) # Verify override works updated_permissions = self.permission_manager.get_page_permissions(self.loan_officer, 'clients') self.assertTrue(updated_permissions['clients_edit_info']) # Revoke custom permission UserPagePermission.objects.filter( user=self.loan_officer, page_permission=edit_permission ).delete() # Clear cache again self.cache_service.invalidate_user_permissions(str(self.loan_officer.id)) # Verify reverts to role default final_permissions = self.permission_manager.get_page_permissions(self.loan_officer, 'clients') self.assertFalse(final_permissions['clients_edit_info']) def test_bulk_permission_management_workflow(self): """Test bulk permission management workflow""" # Create multiple users officers = [] for i in range(5): officer = User.objects.create_user( username=f"officer{i+2}", email=f"officer{i+2}@test.com", password="testpass123", role="loan_officer", branch=self.branch, phone_number=f"+25470000000{i+5}" ) officers.append(officer) # Create permissions permissions = [] for i in range(3): perm = PagePermission.objects.create( page_name='reports', action_code=f'reports_view_type_{i}', action_name=f'View Report Type {i}', category='view' ) permissions.append(perm) # Set role defaults role_permissions = {f'reports_view_type_{i}': True for i in range(3)} self.template_manager.set_role_defaults('loan_officer', role_permissions) # Apply to all officers result = self.template_manager.apply_defaults_to_users('loan_officer') self.assertTrue(result['success']) self.assertEqual(result['users_updated'], 6) # 5 new + 1 existing # Verify all officers have permissions for officer in officers: officer_permissions = self.permission_manager.get_page_permissions(officer, 'reports') for i in range(3): self.assertTrue(officer_permissions[f'reports_view_type_{i}']) # Bulk revoke one permission perm_to_revoke = permissions[1] # reports_view_type_1 # Update role template template = RolePermissionTemplate.objects.get( role='loan_officer', page_permission=perm_to_revoke ) template.is_allowed = False template.save() # Re-apply to users result = self.template_manager.apply_defaults_to_users('loan_officer', update_existing=True) self.assertTrue(result['success']) # Clear cache for all users for officer in officers: self.cache_service.invalidate_user_permissions(str(officer.id)) # Verify permission was revoked for all for officer in officers: officer_permissions = self.permission_manager.get_page_permissions(officer, 'reports') self.assertFalse(officer_permissions['reports_view_type_1']) self.assertTrue(officer_permissions['reports_view_type_0']) # Others still allowed self.assertTrue(officer_permissions['reports_view_type_2']) def test_permission_audit_workflow(self): """Test permission audit workflow""" from users.audit_service import AuditService audit_service = AuditService() # Create permission permission = PagePermission.objects.create( page_name='dashboard', action_code='dashboard_view_analytics', action_name='View Analytics Dashboard', category='view', is_critical=True ) # Grant permission with audit user_permission = UserPagePermission.objects.create( user=self.loan_officer, page_permission=permission, is_allowed=True, granted_by=self.admin, reason="Analytics access for performance review" ) # Log the permission grant audit_entry = audit_service.log_permission_change( user=self.admin, target_user=self.loan_officer, action="grant_permission", permission_code="dashboard_view_analytics", details={ "reason": "Analytics access for performance review", "permission_id": str(permission.id), "expires_at": None } ) # Verify audit entry was created self.assertIsNotNone(audit_entry) self.assertEqual(audit_entry.action, "grant_permission") self.assertEqual(audit_entry.target_user, self.loan_officer) # Test permission access logging has_permission = self.permission_manager.check_action_permission( self.loan_officer, 'dashboard', 'dashboard_view_analytics' ) self.assertTrue(has_permission) # Log the permission access access_entry = audit_service.log_permission_access( user=self.loan_officer, page_name='dashboard', action='dashboard_view_analytics', result='allowed', ip_address='192.168.1.100' ) # Verify access was logged self.assertIsNotNone(access_entry) self.assertEqual(access_entry.result, 'allowed') # Revoke permission with audit user_permission.delete() revoke_entry = audit_service.log_permission_change( user=self.admin, target_user=self.loan_officer, action="revoke_permission", permission_code="dashboard_view_analytics", details={"reason": "End of performance review period"} ) # Verify revocation was logged self.assertIsNotNone(revoke_entry) self.assertEqual(revoke_entry.action, "revoke_permission") class EndToEndUserJourneyTest(TestCase): """End-to-end tests for complete user journeys""" def setUp(self): """Set up test data""" self.client = Client() # Create test branch self.branch = Branch.objects.create( name="Test Branch", code="TB001", is_active=True ) # Create test users self.admin = User.objects.create_user( username="admin", email="admin@test.com", password="testpass123", role="admin", branch=self.branch, phone_number="+254700000001" ) self.loan_officer = User.objects.create_user( username="officer1", email="officer1@test.com", password="testpass123", role="loan_officer", branch=self.branch, phone_number="+254700000002" ) # Set up basic permissions self.setup_basic_permissions() def setup_basic_permissions(self): """Set up basic permissions for testing""" # Create page permissions self.view_permission = PagePermission.objects.create( page_name='loans', action_code='loans_view_applications', action_name='View Loan Applications', category='view' ) self.create_permission = PagePermission.objects.create( page_name='loans', action_code='loans_create_application', action_name='Create Loan Application', category='create' ) # Set up role templates RolePermissionTemplate.objects.create( role='loan_officer', page_permission=self.view_permission, is_allowed=True ) RolePermissionTemplate.objects.create( role='loan_officer', page_permission=self.create_permission, is_allowed=True ) # Apply to users template_manager = RolePermissionTemplateManager() template_manager.apply_defaults_to_users('loan_officer') def test_loan_officer_dashboard_journey(self): """Test complete loan officer dashboard journey""" # Step 1: Login login_success = self.client.login(username='officer1', password='testpass123') self.assertTrue(login_success) # Step 2: Access dashboard with patch('users.views.PagePermissionManager') as mock_permission_manager: mock_manager = mock_permission_manager.return_value mock_manager.get_page_permissions.return_value = { 'dashboard_view_overview': True, 'dashboard_view_analytics': True } response = self.client.get(reverse('users:dashboard')) self.assertEqual(response.status_code, 200) # Step 3: Access loans page with patch('users.views.PagePermissionManager') as mock_permission_manager: mock_manager = mock_permission_manager.return_value mock_manager.check_action_permission.return_value = True # Mock loans view with patch('loans.views.get_user_loans') as mock_get_loans: mock_get_loans.return_value = [] # Assuming loans URL exists try: response = self.client.get('/loans/') # If URL exists, should be accessible self.assertIn(response.status_code, [200, 302]) except: # URL might not exist in test environment pass # Step 4: Generate report with patch('reports.views.ExportService') as mock_export: mock_export_instance = mock_export.return_value mock_export_instance.export_to_pdf.return_value = { 'success': True, 'file_path': '/tmp/report.pdf' } # Mock report generation try: response = self.client.post('/reports/generate/', { 'report_type': 'portfolio_summary', 'format': 'pdf' }) # Should handle report generation self.assertIn(response.status_code, [200, 302, 404]) except: # Route might not exist in test environment pass def test_admin_permission_management_journey(self): """Test complete admin permission management journey""" # Login as admin login_success = self.client.login(username='admin', password='testpass123') self.assertTrue(login_success) # Access permission management with patch('users.views.PagePermissionManager') as mock_permission_manager: mock_manager = mock_permission_manager.return_value mock_manager.get_page_permissions.return_value = { 'users_manage_permissions': True, 'users_view_all': True } # Mock permission management view try: response = self.client.get(reverse('users:manage_permissions')) self.assertEqual(response.status_code, 200) except: # URL might not exist, create mock response pass # Grant permission to user permission_data = { 'user_id': self.loan_officer.id, 'permission_code': 'loans_approve_application', 'is_allowed': True, 'reason': 'Promotion to senior officer' } with patch('users.views.UserPagePermission') as mock_user_permission: mock_user_permission.objects.create.return_value = MagicMock() try: response = self.client.post('/users/grant_permission/', permission_data) self.assertIn(response.status_code, [200, 302, 404]) except: # Route might not exist pass def test_report_generation_journey(self): """Test complete report generation journey""" # Login as loan officer self.client.login(username='officer1', password='testpass123') # Create test portfolio data PortfolioSnapshot.objects.create( manager=self.loan_officer, branch=self.branch, snapshot_date=timezone.now().date(), total_clients=25, active_clients=23, active_loans=20, total_disbursed=Decimal('500000.00'), total_outstanding=Decimal('300000.00'), total_collected=Decimal('200000.00'), collection_rate=Decimal('85.5'), default_rate=Decimal('4.2') ) # Generate portfolio report with patch('reports.views.PortfolioSnapshotService') as mock_service: mock_service_instance = mock_service.return_value mock_service_instance.generate_performance_report.return_value = { 'manager': {'name': self.loan_officer.get_full_name()}, 'portfolio_overview': {'total_clients': 25}, 'performance_metrics': {'collection_rate': 85.5} } with patch('reports.views.EnhancedPDFService') as mock_pdf: mock_pdf_instance = mock_pdf.return_value mock_pdf_instance.generate_portfolio_report.return_value = { 'success': True, 'file_path': '/tmp/portfolio_report.pdf', 'file_size': 1024 } # Mock report generation request report_data = { 'report_type': 'portfolio_performance', 'date_range': '2024-01-01,2024-01-31', 'format': 'pdf' } try: response = self.client.post('/reports/generate/', report_data) self.assertIn(response.status_code, [200, 302, 404]) except: # Route might not exist pass def test_permission_denied_journey(self): """Test user journey when permissions are denied""" # Login as loan officer self.client.login(username='officer1', password='testpass123') # Try to access admin-only functionality with patch('users.views.PagePermissionManager') as mock_permission_manager: mock_manager = mock_permission_manager.return_value mock_manager.check_action_permission.return_value = False try: response = self.client.get('/admin/users/') # Should be denied or redirected self.assertIn(response.status_code, [403, 302, 404]) except: # Route might not exist pass # Try to perform unauthorized action with patch('users.decorators.PagePermissionManager') as mock_permission_manager: mock_manager = mock_permission_manager.return_value mock_manager.check_action_permission.return_value = False try: response = self.client.post('/loans/delete/1/') # Should be denied self.assertIn(response.status_code, [403, 302, 404]) except: # Route might not exist pass class PerformanceTest(TestCase): """Performance tests for large datasets""" def setUp(self): """Set up test data""" self.branch = Branch.objects.create( name="Test Branch", code="TB001", is_active=True ) # Create multiple users for performance testing self.users = [] for i in range(50): # 50 users user = User.objects.create_user( username=f"user{i}", email=f"user{i}@test.com", password="testpass123", role="loan_officer", branch=self.branch, phone_number=f"+25470000{i:04d}" ) self.users.append(user) # Create multiple permissions self.permissions = [] for i in range(20): # 20 permissions per page for page in ['loans', 'clients', 'reports']: perm = PagePermission.objects.create( page_name=page, action_code=f'{page}_action_{i}', action_name=f'{page.title()} Action {i}', category='view', is_critical=(i % 5 == 0) # Every 5th permission is critical ) self.permissions.append(perm) # Create role templates for perm in self.permissions: RolePermissionTemplate.objects.create( role='loan_officer', page_permission=perm, is_allowed=(perm.id % 3 != 0) # 2/3 of permissions allowed ) # Apply to all users template_manager = RolePermissionTemplateManager() template_manager.apply_defaults_to_users('loan_officer') self.permission_manager = PagePermissionManager() def test_bulk_permission_checking_performance(self): """Test performance of bulk permission checking""" start_time = time.time() # Check permissions for all users across all pages for user in self.users[:10]: # Test with 10 users to keep test reasonable for page in ['loans', 'clients', 'reports']: permissions = self.permission_manager.get_page_permissions(user, page) self.assertIsInstance(permissions, dict) self.assertGreater(len(permissions), 0) end_time = time.time() execution_time = end_time - start_time # Should complete within reasonable time self.assertLess(execution_time, 10.0, f"Bulk permission checking took {execution_time:.2f}s") # Test with cache warming cache_service = PermissionCacheService() start_time = time.time() # Warm cache for all users for user in self.users[:10]: cache_service.warm_cache_for_user(user, ['loans', 'clients', 'reports']) # Now check permissions (should be faster) for user in self.users[:10]: for page in ['loans', 'clients', 'reports']: permissions = self.permission_manager.get_page_permissions(user, page) self.assertIsInstance(permissions, dict) cached_time = time.time() - start_time # Cached version should be faster self.assertLess(cached_time, execution_time * 0.7) def test_large_dataset_export_performance(self): """Test export performance with large datasets""" # Generate large dataset large_data = [] for i in range(1000): # 1000 records large_data.append({ 'id': i, 'client_name': f'Client {i}', 'loan_amount': Decimal(str(1000 + (i * 100))), 'status': 'Active' if i % 2 == 0 else 'Pending', 'created_date': timezone.now().date() - timedelta(days=i % 365) }) export_service = ExportService() # Test CSV export performance start_time = time.time() with patch('builtins.open', mock_open()) as mock_file: result = export_service.export_to_csv(large_data, 'large_export.csv') csv_time = time.time() - start_time self.assertTrue(result['success']) self.assertEqual(result['rows_exported'], 1000) self.assertLess(csv_time, 5.0, f"CSV export took {csv_time:.2f}s") # Test Excel export performance start_time = time.time() with patch('reports.export_functions.openpyxl') as mock_openpyxl: mock_workbook = MagicMock() mock_worksheet = MagicMock() mock_openpyxl.Workbook.return_value = mock_workbook mock_workbook.active = mock_worksheet result = export_service.export_to_excel(large_data, 'large_export.xlsx') excel_time = time.time() - start_time self.assertTrue(result['success']) self.assertLess(excel_time, 10.0, f"Excel export took {excel_time:.2f}s") def test_analytics_calculation_performance(self): """Test analytics calculation performance""" # Create portfolio snapshots for performance testing base_date = timezone.now().date() for user in self.users[:5]: # Test with 5 users for i in range(30): # 30 days of data snapshot_date = base_date - timedelta(days=i) PortfolioSnapshot.objects.create( manager=user, branch=self.branch, snapshot_date=snapshot_date, total_clients=50 + i, active_clients=45 + i, active_loans=40 + i, total_disbursed=Decimal(str(100000 + (i * 5000))), total_outstanding=Decimal(str(60000 + (i * 3000))), collection_rate=Decimal('85.0') + Decimal(str(i % 10)), default_rate=Decimal('5.0') - Decimal(str(i % 5)) ) portfolio_service = PortfolioSnapshotService() # Test portfolio trends calculation start_time = time.time() for user in self.users[:5]: trends = portfolio_service.get_portfolio_trends(user, 30) self.assertIn('daily_data', trends) self.assertEqual(len(trends['daily_data']), 30) trends_time = time.time() - start_time self.assertLess(trends_time, 5.0, f"Trends calculation took {trends_time:.2f}s") # Test performance report generation start_time = time.time() for user in self.users[:5]: report = portfolio_service.generate_performance_report(user, base_date) self.assertIn('portfolio_overview', report) self.assertIn('performance_metrics', report) report_time = time.time() - start_time self.assertLess(report_time, 8.0, f"Report generation took {report_time:.2f}s") def test_concurrent_permission_access(self): """Test concurrent permission access""" import threading import queue results = queue.Queue() def check_permissions_worker(user, page): try: permissions = self.permission_manager.get_page_permissions(user, page) results.put({'success': True, 'permissions_count': len(permissions)}) except Exception as e: results.put({'success': False, 'error': str(e)}) # Create multiple threads threads = [] for i in range(10): # 10 concurrent threads user = self.users[i % len(self.users)] page = ['loans', 'clients', 'reports'][i % 3] thread = threading.Thread(target=check_permissions_worker, args=(user, page)) threads.append(thread) # Start all threads start_time = time.time() for thread in threads: thread.start() # Wait for all threads to complete for thread in threads: thread.join() concurrent_time = time.time() - start_time # Collect results successful_results = 0 while not results.empty(): result = results.get() if result['success']: successful_results += 1 # All threads should complete successfully self.assertEqual(successful_results, 10) self.assertLess(concurrent_time, 5.0, f"Concurrent access took {concurrent_time:.2f}s") class SecurityTest(TestCase): """Security tests for permission bypass attempts""" def setUp(self): """Set up test data""" self.branch = Branch.objects.create( name="Test Branch", code="TB001", is_active=True ) self.admin = User.objects.create_user( username="admin", email="admin@test.com", password="testpass123", role="admin", branch=self.branch, phone_number="+254700000001" ) self.loan_officer = User.objects.create_user( username="officer1", email="officer1@test.com", password="testpass123", role="loan_officer", branch=self.branch, phone_number="+254700000002" ) # Create critical permission self.critical_permission = PagePermission.objects.create( page_name='admin', action_code='admin_delete_user', action_name='Delete User', category='delete', is_critical=True ) self.permission_manager = PagePermissionManager() def test_permission_bypass_attempt(self): """Test attempts to bypass permission checks""" # Loan officer should not have admin permissions has_permission = self.permission_manager.check_action_permission( self.loan_officer, 'admin', 'admin_delete_user' ) self.assertFalse(has_permission) # Try to manipulate user role in memory (should not affect permission check) original_role = self.loan_officer.role self.loan_officer.role = 'admin' # Temporary change in memory # Permission check should still use database value has_permission = self.permission_manager.check_action_permission( self.loan_officer, 'admin', 'admin_delete_user' ) self.assertFalse(has_permission) # Restore original role self.loan_officer.role = original_role def test_sql_injection_protection(self): """Test protection against SQL injection in permission checks""" # Try SQL injection in page name malicious_page = "loans'; DROP TABLE users_pagepermission; --" # Should handle malicious input safely permissions = self.permission_manager.get_page_permissions( self.loan_officer, malicious_page ) self.assertEqual(permissions, {}) # Try SQL injection in action code malicious_action = "loans_view'; DROP TABLE users_pagepermission; --" has_permission = self.permission_manager.check_action_permission( self.loan_officer, 'loans', malicious_action ) self.assertFalse(has_permission) def test_cache_poisoning_protection(self): """Test protection against cache poisoning""" cache_service = PermissionCacheService() # Try to poison cache with malicious data malicious_permissions = { 'admin_delete_user': True, 'admin_create_user': True } # Even if cache is poisoned, database check should prevail cache_service.set_user_page_permissions( str(self.loan_officer.id), 'admin', malicious_permissions ) # Direct permission check should ignore poisoned cache for critical permissions has_permission = self.permission_manager.check_action_permission( self.loan_officer, 'admin', 'admin_delete_user' ) self.assertFalse(has_permission) def test_privilege_escalation_protection(self): """Test protection against privilege escalation""" # Create user permission that tries to escalate privileges UserPagePermission.objects.create( user=self.loan_officer, page_permission=self.critical_permission, is_allowed=True, granted_by=self.loan_officer, # User trying to grant to themselves reason="Self-granted permission" ) # System should validate that only authorized users can grant critical permissions from users.permission_validation import PermissionValidator validator = PermissionValidator() # Validate the permission grant is_valid = validator.validate_permission_grant( granter=self.loan_officer, grantee=self.loan_officer, permission=self.critical_permission ) # Should be invalid (user cannot grant critical permissions to themselves) self.assertFalse(is_valid) def test_session_hijacking_protection(self): """Test protection against session hijacking""" from users.audit_service import AuditService audit_service = AuditService() # Simulate permission access from different IP addresses ip1 = "192.168.1.100" ip2 = "10.0.0.50" # Different IP # First access from IP1 audit_service.log_permission_access( user=self.loan_officer, page_name='loans', action='loans_view_applications', result='allowed', ip_address=ip1 ) # Second access from different IP (potential hijacking) audit_service.log_permission_access( user=self.loan_officer, page_name='admin', action='admin_delete_user', result='denied', ip_address=ip2 ) # System should flag suspicious activity suspicious_activity = audit_service.detect_suspicious_activity(self.loan_officer) # Should detect IP address change self.assertTrue(suspicious_activity['ip_change_detected']) def test_timing_attack_protection(self): """Test protection against timing attacks""" import time # Measure time for valid permission check start_time = time.time() self.permission_manager.check_action_permission( self.admin, 'admin', 'admin_delete_user' ) valid_time = time.time() - start_time # Measure time for invalid permission check start_time = time.time() self.permission_manager.check_action_permission( self.loan_officer, 'admin', 'admin_delete_user' ) invalid_time = time.time() - start_time # Time difference should be minimal to prevent timing attacks time_difference = abs(valid_time - invalid_time) self.assertLess(time_difference, 0.1, "Timing difference too large") def test_data_exposure_protection(self): """Test protection against data exposure""" # Try to access permissions for other users other_user_permissions = self.permission_manager.get_page_permissions( self.admin, 'loans' # Admin accessing loans page ) # Loan officer should not be able to see admin's permissions officer_view_of_admin = self.permission_manager.get_page_permissions( self.loan_officer, 'admin' # Officer trying to see admin page ) # Officer should have no admin permissions self.assertEqual(len(officer_view_of_admin), 0) # Verify permission source information doesn't leak sensitive data permission_source = self.loan_officer.get_permission_source( 'loans', 'loans_view_applications' ) # Should not contain sensitive information about other users self.assertNotIn('admin', str(permission_source).lower()) self.assertNotIn('password', str(permission_source).lower())