Refactor Authorization

tests/unit/accounts/test_core.py

@@ -390,14 +390,8 @@ def test_unauthenticated_userid(self):
 
 
 def test_includeme(monkeypatch):
-    authz_obj = pretend.stub()
-    authz_cls = pretend.call_recorder(lambda *a, **kw: authz_obj)
-    monkeypatch.setattr(accounts, "ACLAuthorizationPolicy", authz_cls)
-    monkeypatch.setattr(accounts, "MacaroonAuthorizationPolicy", authz_cls)
-    monkeypatch.setattr(accounts, "TwoFactorAuthorizationPolicy", authz_cls)
-
     multi_policy_obj = pretend.stub()
-    multi_policy_cls = pretend.call_recorder(lambda ps, authz: multi_policy_obj)
+    multi_policy_cls = pretend.call_recorder(lambda ps: multi_policy_obj)
     monkeypatch.setattr(accounts, "MultiSecurityPolicy", multi_policy_cls)
 
     session_policy_obj = pretend.stub()
@@ -474,6 +468,10 @@ def test_includeme(monkeypatch):
     assert config.set_security_policy.calls == [pretend.call(multi_policy_obj)]
     assert multi_policy_cls.calls == [
         pretend.call(
-            [session_policy_obj, basic_policy_obj, macaroon_policy_obj], authz_obj
+            [
+                session_policy_obj,
+                basic_policy_obj,
+                macaroon_policy_obj,
+            ]
         )
     ]

tests/unit/accounts/test_models.py

@@ -11,10 +11,14 @@
 # limitations under the License.
 
 import datetime
+import uuid
 
 import pytest
 
+from pyramid.authorization import Authenticated
+
 from warehouse.accounts.models import Email, RecoveryCode, User, UserFactory
+from warehouse.utils.security_policy import principals_for
 
 from ...common.db.accounts import (
     EmailFactory as DBEmailFactory,
@@ -162,3 +166,62 @@ def test_acl(self, db_session):
             ("Allow", "group:admins", "admin"),
             ("Allow", "group:moderators", "moderator"),
         ]
+
+    @pytest.mark.parametrize(
+        (
+            "is_superuser",
+            "is_moderator",
+            "is_psf_staff",
+            "expected",
+        ),
+        [
+            (False, False, False, []),
+            (
+                True,
+                False,
+                False,
+                ["group:admins", "group:moderators", "group:psf_staff"],
+            ),
+            (
+                False,
+                True,
+                False,
+                ["group:moderators"],
+            ),
+            (
+                True,
+                True,
+                False,
+                ["group:admins", "group:moderators", "group:psf_staff"],
+            ),
+            (
+                False,
+                False,
+                True,
+                ["group:psf_staff"],
+            ),
+            (
+                False,
+                True,
+                True,
+                ["group:moderators", "group:psf_staff"],
+            ),
+        ],
+    )
+    def test_principals(
+        self,
+        is_superuser,
+        is_moderator,
+        is_psf_staff,
+        expected,
+    ):
+        user = User(
+            id=uuid.uuid4(),
+            is_superuser=is_superuser,
+            is_moderator=is_moderator,
+            is_psf_staff=is_psf_staff,
+        )
+
+        expected = expected[:] + [f"user:{user.id}", Authenticated]
+
+        assert set(principals_for(user)) == set(expected)