def test_permissions():
            """Iterates over all users checking its permissions."""
            for i in range(users_number):
                identity = FakeIdentity(UserNeed(users[i].id))

                # Allowed permission
                permission_allowed_both = DynamicPermission(
                    ActionNeed('action{0}'.format(
                        (i % actions_users_number) +
                        actions_roles_number)),
                    ActionNeed('action{0}'.format(i % actions_roles_number))
                )
                assert permission_allowed_both.allows(identity)

                # Not allowed action user
                permission_not_allowed_user = DynamicPermission(
                    ActionNeed('action{0}'.format(
                        (i + 1) % actions_users_number +
                        actions_roles_number))
                )
                assert not permission_not_allowed_user.allows(identity)

                # Not allowed action role
                permission_not_allowed_role = DynamicPermission(
                    ActionNeed('action{0}'.format(
                        (i + 1) % actions_roles_number))
                )
                assert not permission_not_allowed_role.allows(identity)
def test_invenio_access_permission_cache_redis(app):
    """Caching the user using redis."""
    cache = RedisCache()
    InvenioAccess(app, cache=cache)
    with app.test_request_context():
        user_can_all = User(email='*****@*****.**')
        user_can_open = User(email='*****@*****.**')

        db.session.add(user_can_all)
        db.session.add(user_can_open)

        db.session.add(ActionUsers(action='open', user=user_can_all))

        db.session.flush()

        identity_open = FakeIdentity(UserNeed(user_can_open.id))

        permission_open = DynamicPermission(ActionNeed('open'))
        assert not permission_open.allows(identity_open)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1)]),
            set([])
        )

        db.session.add(ActionUsers(action='open', user=user_can_open))
        db.session.flush()

        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_open)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )
def test_invenio_access_permission_cache(app):
    """Caching the user using memory caching."""
    cache = SimpleCache()
    InvenioAccess(app, cache=cache)
    with app.test_request_context():
        user_can_all = User(email='*****@*****.**')
        user_can_open = User(email='*****@*****.**')
        user_can_open_1 = User(email='*****@*****.**')

        db.session.add(user_can_all)
        db.session.add(user_can_open)
        db.session.add(user_can_open_1)

        db.session.add(ActionUsers(action='open', user=user_can_all))

        db.session.flush()

        permission_open = DynamicPermission(ActionNeed('open'))

        identity_open = FakeIdentity(UserNeed(user_can_open.id))

        assert not permission_open.allows(identity_open)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1)]),
            set([])
        )

        db.session.add(ActionUsers(action='open', user=user_can_open))
        db.session.flush()

        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_open)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )

        db.session.add(ActionUsers(action='open', argument=1,
                                   user=user_can_open_1))
        db.session.flush()

        identity_open_1 = FakeIdentity(UserNeed(user_can_open_1.id))
        permission_open_1 = DynamicPermission(
            ParameterizedActionNeed('open', '1'))
        assert not permission_open.allows(identity_open_1)
        assert permission_open_1.allows(identity_open_1)
        assert current_access.get_action_cache('open::1') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2),
                 Need(method='id', value=3)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )
def test_invenio_access_permissions_deny(app):
    """User without any provides can't access to a place limited to user 0"""
    with app.test_request_context():
        permission = DynamicPermission(UserNeed(0))

        fake_identity = FakeIdentity()
        assert not permission.allows(fake_identity)
def test_invenio_access_permission_for_users(app):
    """User can access to an action allowed/denied to the user"""
    InvenioAccess(app)
    with app.test_request_context():
        db.session.begin(nested=True)
        user_can_all = User(email='*****@*****.**')
        user_can_read = User(email='*****@*****.**')
        user_can_open = User(email='*****@*****.**')

        db.session.add(user_can_all)
        db.session.add(user_can_read)
        db.session.add(user_can_open)

        db.session.add(ActionUsers(action='open', user=user_can_all))
        db.session.add(ActionUsers(action='open', user=user_can_open))

        db.session.add(ActionUsers(action='read', user=user_can_all))
        db.session.add(ActionUsers(action='read', user=user_can_read))
        db.session.commit()

        permission_open = DynamicPermission(ActionNeed('open'))
        permission_read = DynamicPermission(ActionNeed('read'))

        identity_all = FakeIdentity(UserNeed(user_can_all.id))
        identity_read = FakeIdentity(UserNeed(user_can_read.id))
        identity_open = FakeIdentity(UserNeed(user_can_open.id))

        assert permission_open.allows(identity_all)
        assert permission_read.allows(identity_all)

        assert permission_open.allows(identity_open)
        assert not permission_read.allows(identity_open)

        assert not permission_open.allows(identity_read)
        assert permission_read.allows(identity_read)
def test_invenio_access_permission_for_roles(app):
    """User with a role can access to an action allowed to the role"""
    with app.test_request_context():
        admin_role = Role(name='admin')
        reader_role = Role(name='reader')
        opener_role = Role(name='opener')

        db.session.add(admin_role)
        db.session.add(reader_role)
        db.session.add(opener_role)

        db.session.add(ActionRoles(action='open', role=admin_role))
        db.session.add(ActionRoles(action='open', role=opener_role))

        db.session.add(ActionRoles(action='read', role=admin_role))
        db.session.add(ActionRoles(action='read', role=reader_role))

        db.session.flush()

        permission_open = DynamicPermission(ActionNeed('open'))
        permission_read = DynamicPermission(ActionNeed('read'))

        identity_all = FakeIdentity(RoleNeed('admin'))
        identity_read = FakeIdentity(RoleNeed('reader'))
        identity_open = FakeIdentity(RoleNeed('opener'))

        assert permission_open.allows(identity_all)
        assert permission_read.allows(identity_all)

        assert permission_open.allows(identity_open)
        assert not permission_read.allows(identity_open)

        assert not permission_open.allows(identity_read)
        assert permission_read.allows(identity_read)
Beispiel #7
0
def test_invenio_access_permission_cache_system_roles_updates(app):
    """Testing ActionSystemRoles cache with inserts/updates/deletes."""
    # This test case is doing the same of user test case but using
    # system roles.
    cache = SimpleCache()
    InvenioAccess(app, cache=cache)
    with app.test_request_context():
        system_role_1 = SystemRoleNeed('system_role_1')
        system_role_2 = SystemRoleNeed('system_role_2')
        system_role_3 = SystemRoleNeed('system_role_3')
        system_role_4 = SystemRoleNeed('system_role_4')
        system_role_5 = SystemRoleNeed('system_role_5')
        system_role_6 = SystemRoleNeed('system_role_6')
        current_access.system_roles = {
            'system_role_1': system_role_1,
            'system_role_2': system_role_2,
            'system_role_3': system_role_3,
            'system_role_4': system_role_4,
            'system_role_5': system_role_5,
            'system_role_6': system_role_6,
        }

        # Creation of some data to test.
        db.session.add(ActionSystemRoles(action='open',
                                         role_name=system_role_1.value))
        db.session.add(ActionSystemRoles(action='write',
                                         role_name=system_role_4.value))

        db.session.flush()

        # Creation of identities to test.
        identity_fake_1 = FakeIdentity(system_role_1)
        identity_fake_2 = FakeIdentity(system_role_2)
        identity_fake_3 = FakeIdentity(system_role_3)
        identity_fake_4 = FakeIdentity(system_role_4)
        identity_fake_5 = FakeIdentity(system_role_5)
        identity_fake_6 = FakeIdentity(system_role_6)

        # Test if system_role_1 can open. In this case, the cache should store
        # only this object.
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_1)
        assert current_access.get_action_cache('open') == (
            set([system_role_1]),
            set([])
        )

        # Test if system_role_2 can write. In this case, the cache should
        # have this new object and the previous one (Open is allowed to
        # system_role_1)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_4)
        assert current_access.get_action_cache('write') == (
            set([system_role_4]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([system_role_1]),
            set([])
        )

        # If we add a new system role to the action open, the open action in
        # cache should be removed but it should still containing the write
        # entry.
        db.session.add(ActionSystemRoles(action='open',
                                         role_name=system_role_2.value))
        db.session.flush()
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_2)
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([system_role_4]),
            set([])
        )

        # Test if the new role is added to the action 'open'
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_4)
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([system_role_4]),
            set([])
        )

        # If we update an action swapping a role, the cache containing the
        # action, should be removed.
        role_4_action_write = ActionSystemRoles.query.filter(
            ActionSystemRoles.action == 'write' and
            ActionSystemRoles.role_name == system_role_4.value).first()
        role_4_action_write.role_name = system_role_3.value
        db.session.flush()

        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') is not None
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )

        # Test if the system_role_3 can write now.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_4)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_3)
        assert current_access.get_action_cache('write') == (
            set([system_role_3]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )

        # If we remove a role from an action, the cache should clear the
        # action item.
        cust_action_write = ActionSystemRoles.query.filter(
            ActionSystemRoles.action == 'write' and
            ActionSystemRoles.role_name == system_role_3).first()
        db.session.delete(cust_action_write)
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        # If no one is allowed to perform an action then everybody is allowed.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_3)
        assert current_access.get_action_cache('write') == (
            set([]),
            set([])
        )
        db.session.add(ActionSystemRoles(action='write',
                                         role_name=system_role_5.value))
        db.session.flush()
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_5)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_3)
        assert current_access.get_action_cache('write') == (
            set([system_role_5]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )

        # If you update the name of an existing action, the previous action
        # and the new action should be remove from cache.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_5)
        assert current_access.get_action_cache('write') == (
            set([system_role_5]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )
        role_5_action_write = ActionSystemRoles.query.filter(
            ActionSystemRoles.action == 'write' and
            ActionSystemRoles.role_name == system_role_5.value).first()
        role_5_action_write.action = 'open'
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_1)
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2, system_role_5]),
            set([])
        )
        db.session.add(ActionSystemRoles(action='write',
                                         role_name=system_role_4.value))
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_5)
        assert current_access.get_action_cache('write') == (
            set([system_role_4]),
            set([])
        )

        db.session.add(ActionSystemRoles(action='open', argument='1',
                                         role_name=system_role_6.value))
        db.session.flush()
        permission_open_1 = DynamicPermission(
            ParameterizedActionNeed('open', '1'))
        assert not permission_open.allows(identity_fake_6)
        assert permission_open_1.allows(identity_fake_6)
        assert current_access.get_action_cache('open::1') == (
            set([system_role_1, system_role_2, system_role_5, system_role_6]),
            set([])
        )
        user_6_action_open_1 = ActionSystemRoles.query.filter_by(
            action='open', argument='1', role_name=system_role_6.value).first()
        user_6_action_open_1.argument = '2'
        db.session.flush()
        assert current_access.get_action_cache('open::1') is None
        assert current_access.get_action_cache('open::2') is None
        permission_open_2 = DynamicPermission(
            ParameterizedActionNeed('open', '2'))
        assert permission_open_2.allows(identity_fake_6)
        assert current_access.get_action_cache('open::2') == (
            set([system_role_1, system_role_2, system_role_5, system_role_6]),
            set([])
        )
        # open action cache should remain as before
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2, system_role_5]),
            set([])
        )
Beispiel #8
0
def test_invenio_access_permission_cache_roles_updates(app):
    """Testing ActionRoles cache with inserts/updates/deletes."""
    # This test case is doing the same of user test case but using roles.
    cache = SimpleCache()
    InvenioAccess(app, cache=cache)
    with app.test_request_context():
        # Creation of some data to test.
        role_1 = Role(name='role_1')
        role_2 = Role(name='role_2')
        role_3 = Role(name='role_3')
        role_4 = Role(name='role_4')
        role_5 = Role(name='role_5')
        role_6 = Role(name='role_6')

        db.session.add(role_1)
        db.session.add(role_2)
        db.session.add(role_3)
        db.session.add(role_4)
        db.session.add(role_5)
        db.session.add(role_6)

        db.session.add(ActionRoles(action='open', role=role_1))
        db.session.add(ActionRoles(action='write', role=role_4))

        db.session.flush()

        # Creation of identities to test.
        identity_fake_role_1 = FakeIdentity(RoleNeed(role_1.name))
        identity_fake_role_2 = FakeIdentity(RoleNeed(role_2.name))
        identity_fake_role_3 = FakeIdentity(RoleNeed(role_3.name))
        identity_fake_role_4 = FakeIdentity(RoleNeed(role_4.name))
        identity_fake_role_5 = FakeIdentity(RoleNeed(role_5.name))
        identity_fake_role_6 = FakeIdentity(RoleNeed(role_6.name))

        # Test if role 1 can open. In this case, the cache should store only
        # this object.
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_role_1)
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name)]),
            set([])
        )

        # Test if role 4 can write. In this case, the cache should have this
        # new object and the previous one (Open is allowed to role_1)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_4)
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_4.name)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name)]),
            set([])
        )

        # If we add a new role to the action open, the open action in cache
        # should be removed but it should still containing the write entry.
        db.session.add(ActionRoles(action='open', role=role_2))
        db.session.flush()
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_role_2)
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_4.name)]),
            set([])
        )

        # Test if the new role is added to the action 'open'
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_4)
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_4.name)]),
            set([])
        )

        # If we update an action swapping a role, the cache containing the
        # action, should be removed.
        role_4_action_write = ActionRoles.query.filter(
            ActionRoles.action == 'write' and
            ActionRoles.role == role_4).first()
        role_4_action_write.role = role_3
        db.session.flush()

        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') is not None
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )

        # Test if the role_3 can write now.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_role_4)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_3)
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_3.name)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )

        # If we remove a role from an action, the cache should clear the
        # action item.
        role_3_action_write = ActionRoles.query.filter(
            ActionRoles.action == 'write' and
            ActionRoles.role == role_3).first()
        db.session.delete(role_3_action_write)
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        # If no one is allowed to perform an action then everybody is allowed.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_3)
        assert current_access.get_action_cache('write') == (
            set([]),
            set([])
        )
        db.session.add(ActionRoles(action='write', role=role_5))
        db.session.flush()
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_5)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_role_3)
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_5.name)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )

        # If you update the name of an existing action, the previous action
        # and the new action should be remove from cache.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_5)
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_5.name)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )
        role_5_action_write = ActionRoles.query.filter(
            ActionRoles.action == 'write' and
            ActionRoles.role == role_5).first()
        role_5_action_write.action = 'open'
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_role_1)
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name),
                 Need(method='role', value=role_5.name)]),
            set([])
        )
        db.session.add(ActionRoles(action='write', role=role_4))
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_role_5)
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_4.name)]),
            set([])
        )

        db.session.add(ActionRoles(action='open', argument='1', role=role_6))
        db.session.flush()
        permission_open_1 = DynamicPermission(
            ParameterizedActionNeed('open', '1'))
        assert not permission_open.allows(identity_fake_role_6)
        assert permission_open_1.allows(identity_fake_role_6)
        assert current_access.get_action_cache('open::1') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name),
                 Need(method='role', value=role_5.name),
                 Need(method='role', value=role_6.name)]),
            set([])
        )
        user_6_action_open_1 = ActionRoles.query.filter_by(
            action='open', argument='1', role_id=role_6.id).first()
        user_6_action_open_1.argument = '2'
        db.session.flush()
        assert current_access.get_action_cache('open::1') is None
        assert current_access.get_action_cache('open::2') is None
        permission_open_2 = DynamicPermission(
            ParameterizedActionNeed('open', '2'))
        assert permission_open_2.allows(identity_fake_role_6)
        assert current_access.get_action_cache('open::2') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name),
                 Need(method='role', value=role_5.name),
                 Need(method='role', value=role_6.name)]),
            set([])
        )
        # open action cache should remain as before
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name),
                 Need(method='role', value=role_5.name)]),
            set([])
        )
Beispiel #9
0
def test_invenio_access_permission_cache_users_updates(app):
    """Testing ActionUsers cache with inserts/updates/deletes."""
    cache = SimpleCache()
    InvenioAccess(app, cache=cache)
    with app.test_request_context():
        # Creation of some data to test.
        user_1 = User(email='*****@*****.**')
        user_2 = User(email='*****@*****.**')
        user_3 = User(email='*****@*****.**')
        user_4 = User(email='*****@*****.**')
        user_5 = User(email='*****@*****.**')
        user_6 = User(email='*****@*****.**')

        db.session.add(user_1)
        db.session.add(user_2)
        db.session.add(user_3)
        db.session.add(user_4)
        db.session.add(user_5)
        db.session.add(user_6)

        db.session.add(ActionUsers(action='open', user=user_1))
        db.session.add(ActionUsers(action='write', user=user_4))

        db.session.flush()

        # Creation identities to test.
        identity_user_1 = FakeIdentity(UserNeed(user_1.id))
        identity_user_2 = FakeIdentity(UserNeed(user_2.id))
        identity_user_3 = FakeIdentity(UserNeed(user_3.id))
        identity_user_4 = FakeIdentity(UserNeed(user_4.id))
        identity_user_5 = FakeIdentity(UserNeed(user_5.id))
        identity_user_6 = FakeIdentity(UserNeed(user_6.id))

        # Test if user 1 can open. In this case, the cache should store only
        # this object.
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_user_1)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1)]),
            set([])
        )

        # Test if user 4 can write. In this case, the cache should have this
        # new object and the previous one (Open is allowed to user_1)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_4)
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=4)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1)]),
            set([])
        )

        # If we add a new user to the action open, the open action in cache
        # should be removed but it should still containing the write entry.
        db.session.add(ActionUsers(action='open', user=user_2))
        db.session.flush()
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_user_2)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=4)]),
            set([])
        )

        # Test if the new user is added to the action 'open'
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_4)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=4)]),
            set([])
        )

        # If we update an action swapping a user, the cache containing the
        # action, should be removed.
        user_4_action_write = ActionUsers.query.filter(
            ActionUsers.action == 'write' and
            ActionUsers.user == user_4).first()
        user_4_action_write.user = user_3
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )

        # Test if the user_3 can now write.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_user_4)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_3)
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=3)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )

        # If we remove a user from an action, the cache should clear the
        # action item.
        user_3_action_write = ActionUsers.query.filter(
            ActionUsers.action == 'write' and
            ActionUsers.user == user_3).first()
        db.session.delete(user_3_action_write)
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        # If no one is allowed to perform an action then everybody is allowed.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_3)
        assert current_access.get_action_cache('write') == (
            set([]),
            set([])
        )
        db.session.add(ActionUsers(action='write', user=user_5))
        db.session.flush()
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_5)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_user_3)
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=5)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )

        # If you update the name of an existing action, the previous action
        # and the new action should be remove from cache.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_5)
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=5)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )
        user_5_action_write = ActionUsers.query.filter(
            ActionUsers.action == 'write' and
            ActionUsers.user == user_5).first()
        user_5_action_write.action = 'open'
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_user_1)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2),
                 Need(method='id', value=5)]),
            set([])
        )
        db.session.add(ActionUsers(action='write', user=user_4))
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_user_5)
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=4)]),
            set([])
        )

        db.session.add(ActionUsers(action='open', argument='1', user=user_6))
        db.session.flush()
        permission_open_1 = DynamicPermission(
            ParameterizedActionNeed('open', '1'))
        assert not permission_open.allows(identity_user_6)
        assert permission_open_1.allows(identity_user_6)
        assert current_access.get_action_cache('open::1') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2),
                 Need(method='id', value=5),
                 Need(method='id', value=6)]),
            set([])
        )
        user_6_action_open_1 = ActionUsers.query.filter_by(
            action='open', argument='1', user_id=user_6.id).first()
        user_6_action_open_1.argument = '2'
        db.session.flush()
        assert current_access.get_action_cache('open::1') is None
        assert current_access.get_action_cache('open::2') is None
        permission_open_2 = DynamicPermission(
            ParameterizedActionNeed('open', '2'))
        assert permission_open_2.allows(identity_user_6)
        assert current_access.get_action_cache('open::2') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2),
                 Need(method='id', value=5),
                 Need(method='id', value=6)]),
            set([])
        )
        # open action cache should remain as before
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2),
                 Need(method='id', value=5)]),
            set([])
        )
def test_invenio_access_permission_cache_roles_updates(app):
    """Testing ActionRoles cache with inserts/updates/deletes."""
    # This test case is doing the same of user test case but using roles.
    cache = SimpleCache()
    InvenioAccess(app, cache=cache)
    with app.test_request_context():
        # Creation of some data to test.
        role_1 = Role(name='role_1')
        role_2 = Role(name='role_2')
        role_3 = Role(name='role_3')
        role_4 = Role(name='role_4')
        role_5 = Role(name='role_5')
        role_6 = Role(name='role_6')

        db.session.add(role_1)
        db.session.add(role_2)
        db.session.add(role_3)
        db.session.add(role_4)
        db.session.add(role_5)
        db.session.add(role_6)

        db.session.add(ActionRoles(action='open', role=role_1))
        db.session.add(ActionRoles(action='write', role=role_4))

        db.session.flush()

        # Creation of identities to test.
        identity_fake_role_1 = FakeIdentity(RoleNeed(role_1.name))
        identity_fake_role_2 = FakeIdentity(RoleNeed(role_2.name))
        identity_fake_role_3 = FakeIdentity(RoleNeed(role_3.name))
        identity_fake_role_4 = FakeIdentity(RoleNeed(role_4.name))
        identity_fake_role_5 = FakeIdentity(RoleNeed(role_5.name))
        identity_fake_role_6 = FakeIdentity(RoleNeed(role_6.name))

        # Test if role 1 can open. In this case, the cache should store only
        # this object.
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_role_1)
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name)]),
            set([])
        )

        # Test if role 4 can write. In this case, the cache should have this
        # new object and the previous one (Open is allowed to role_1)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_4)
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_4.name)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name)]),
            set([])
        )

        # If we add a new role to the action open, the open action in cache
        # should be removed but it should still containing the write entry.
        db.session.add(ActionRoles(action='open', role=role_2))
        db.session.flush()
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_role_2)
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_4.name)]),
            set([])
        )

        # Test if the new role is added to the action 'open'
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_4)
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_4.name)]),
            set([])
        )

        # If we update an action swapping a role, the cache containing the
        # action, should be removed.
        role_4_action_write = ActionRoles.query.filter(
            ActionRoles.action == 'write' and
            ActionRoles.role == role_4).first()
        role_4_action_write.role = role_3
        db.session.flush()

        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') is not None
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )

        # Test if the role_3 can write now.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_role_4)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_3)
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_3.name)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )

        # If we remove a role from an action, the cache should clear the
        # action item.
        role_3_action_write = ActionRoles.query.filter(
            ActionRoles.action == 'write' and
            ActionRoles.role == role_3).first()
        db.session.delete(role_3_action_write)
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        # If no one is allowed to perform an action then everybody is allowed.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_3)
        assert current_access.get_action_cache('write') == (
            set([]),
            set([])
        )
        db.session.add(ActionRoles(action='write', role=role_5))
        db.session.flush()
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_5)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_role_3)
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_5.name)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )

        # If you update the name of an existing action, the previous action
        # and the new action should be remove from cache.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_role_5)
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_5.name)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name)]),
            set([])
        )
        role_5_action_write = ActionRoles.query.filter(
            ActionRoles.action == 'write' and
            ActionRoles.role == role_5).first()
        role_5_action_write.action = 'open'
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_role_1)
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name),
                 Need(method='role', value=role_5.name)]),
            set([])
        )
        db.session.add(ActionRoles(action='write', role=role_4))
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_role_5)
        assert current_access.get_action_cache('write') == (
            set([Need(method='role', value=role_4.name)]),
            set([])
        )

        db.session.add(ActionRoles(action='open', argument='1', role=role_6))
        db.session.flush()
        permission_open_1 = DynamicPermission(
            ParameterizedActionNeed('open', '1'))
        assert not permission_open.allows(identity_fake_role_6)
        assert permission_open_1.allows(identity_fake_role_6)
        assert current_access.get_action_cache('open::1') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name),
                 Need(method='role', value=role_5.name),
                 Need(method='role', value=role_6.name)]),
            set([])
        )
        user_6_action_open_1 = ActionRoles.query.filter_by(
            action='open', argument='1', role_id=role_6.id).first()
        user_6_action_open_1.argument = '2'
        db.session.flush()
        assert current_access.get_action_cache('open::1') is None
        assert current_access.get_action_cache('open::2') is None
        permission_open_2 = DynamicPermission(
            ParameterizedActionNeed('open', '2'))
        assert permission_open_2.allows(identity_fake_role_6)
        assert current_access.get_action_cache('open::2') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name),
                 Need(method='role', value=role_5.name),
                 Need(method='role', value=role_6.name)]),
            set([])
        )
        # open action cache should remain as before
        assert current_access.get_action_cache('open') == (
            set([Need(method='role', value=role_1.name),
                 Need(method='role', value=role_2.name),
                 Need(method='role', value=role_5.name)]),
            set([])
        )
def test_invenio_access_permission_cache_users_updates(app):
    """Testing ActionUsers cache with inserts/updates/deletes."""
    cache = SimpleCache()
    InvenioAccess(app, cache=cache)
    with app.test_request_context():
        # Creation of some data to test.
        user_1 = User(email='*****@*****.**')
        user_2 = User(email='*****@*****.**')
        user_3 = User(email='*****@*****.**')
        user_4 = User(email='*****@*****.**')
        user_5 = User(email='*****@*****.**')
        user_6 = User(email='*****@*****.**')

        db.session.add(user_1)
        db.session.add(user_2)
        db.session.add(user_3)
        db.session.add(user_4)
        db.session.add(user_5)
        db.session.add(user_6)

        db.session.add(ActionUsers(action='open', user=user_1))
        db.session.add(ActionUsers(action='write', user=user_4))

        db.session.flush()

        # Creation identities to test.
        identity_user_1 = FakeIdentity(UserNeed(user_1.id))
        identity_user_2 = FakeIdentity(UserNeed(user_2.id))
        identity_user_3 = FakeIdentity(UserNeed(user_3.id))
        identity_user_4 = FakeIdentity(UserNeed(user_4.id))
        identity_user_5 = FakeIdentity(UserNeed(user_5.id))
        identity_user_6 = FakeIdentity(UserNeed(user_6.id))

        # Test if user 1 can open. In this case, the cache should store only
        # this object.
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_user_1)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1)]),
            set([])
        )

        # Test if user 4 can write. In this case, the cache should have this
        # new object and the previous one (Open is allowed to user_1)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_4)
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=4)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1)]),
            set([])
        )

        # If we add a new user to the action open, the open action in cache
        # should be removed but it should still containing the write entry.
        db.session.add(ActionUsers(action='open', user=user_2))
        db.session.flush()
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_user_2)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=4)]),
            set([])
        )

        # Test if the new user is added to the action 'open'
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_4)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=4)]),
            set([])
        )

        # If we update an action swapping a user, the cache containing the
        # action, should be removed.
        user_4_action_write = ActionUsers.query.filter(
            ActionUsers.action == 'write' and
            ActionUsers.user == user_4).first()
        user_4_action_write.user = user_3
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )

        # Test if the user_3 can now write.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_user_4)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_3)
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=3)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )

        # If we remove a user from an action, the cache should clear the
        # action item.
        user_3_action_write = ActionUsers.query.filter(
            ActionUsers.action == 'write' and
            ActionUsers.user == user_3).first()
        db.session.delete(user_3_action_write)
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        # If no one is allowed to perform an action then everybody is allowed.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_3)
        assert current_access.get_action_cache('write') == (
            set([]),
            set([])
        )
        db.session.add(ActionUsers(action='write', user=user_5))
        db.session.flush()
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_5)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_user_3)
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=5)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )

        # If you update the name of an existing action, the previous action
        # and the new action should be remove from cache.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_user_5)
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=5)]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2)]),
            set([])
        )
        user_5_action_write = ActionUsers.query.filter(
            ActionUsers.action == 'write' and
            ActionUsers.user == user_5).first()
        user_5_action_write.action = 'open'
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_user_1)
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2),
                 Need(method='id', value=5)]),
            set([])
        )
        db.session.add(ActionUsers(action='write', user=user_4))
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_user_5)
        assert current_access.get_action_cache('write') == (
            set([Need(method='id', value=4)]),
            set([])
        )

        db.session.add(ActionUsers(action='open', argument='1', user=user_6))
        db.session.flush()
        permission_open_1 = DynamicPermission(
            ParameterizedActionNeed('open', '1'))
        assert not permission_open.allows(identity_user_6)
        assert permission_open_1.allows(identity_user_6)
        assert current_access.get_action_cache('open::1') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2),
                 Need(method='id', value=5),
                 Need(method='id', value=6)]),
            set([])
        )
        user_6_action_open_1 = ActionUsers.query.filter_by(
            action='open', argument='1', user_id=user_6.id).first()
        user_6_action_open_1.argument = '2'
        db.session.flush()
        assert current_access.get_action_cache('open::1') is None
        assert current_access.get_action_cache('open::2') is None
        permission_open_2 = DynamicPermission(
            ParameterizedActionNeed('open', '2'))
        assert permission_open_2.allows(identity_user_6)
        assert current_access.get_action_cache('open::2') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2),
                 Need(method='id', value=5),
                 Need(method='id', value=6)]),
            set([])
        )
        # open action cache should remain as before
        assert current_access.get_action_cache('open') == (
            set([Need(method='id', value=1),
                 Need(method='id', value=2),
                 Need(method='id', value=5)]),
            set([])
        )
Beispiel #12
0
def test_invenio_access_argument_permission_for_users(app):
    """User can access to an action allowed/denied with argument to the user"""
    InvenioAccess(app)
    with app.test_request_context():
        db.session.begin(nested=True)
        superuser = User(email='*****@*****.**')
        user_can_all = User(email='*****@*****.**')
        user_can_argument_dummy = User(email='*****@*****.**')

        db.session.add(superuser)
        db.session.add(user_can_all)
        db.session.add(user_can_argument_dummy)

        db.session.add(ActionUsers(action='superuser-access', user=superuser))

        db.session.add(ActionUsers(action='argument1',
                                   user=user_can_all))
        db.session.add(ActionUsers(action='argument1',
                                   argument='other',
                                   user=user_can_all))
        db.session.add(ActionUsers(action='argument1',
                                   argument='dummy',
                                   user=user_can_argument_dummy))
        db.session.add(ActionUsers(action='argument2',
                                   argument='other',
                                   user=user_can_all))
        db.session.commit()

        permission_argument1 = DynamicPermission(ActionNeed('argument1'))
        permission_argument1_dummy = DynamicPermission(
            ParameterizedActionNeed('argument1', 'dummy'))
        permission_argument1_other = DynamicPermission(
            ParameterizedActionNeed('argument1', 'other'))
        permission_argument2 = DynamicPermission(ActionNeed('argument2'))
        permission_argument2_dummy = DynamicPermission(
            ParameterizedActionNeed('argument2', 'dummy'))
        permission_argument2_other = DynamicPermission(
            ParameterizedActionNeed('argument2', 'other'))

        identity_superuser = FakeIdentity(UserNeed(superuser.id))
        identity_all = FakeIdentity(UserNeed(user_can_all.id))
        identity_unknown = AnonymousIdentity()
        identity_argument_dummy = FakeIdentity(
            UserNeed(user_can_argument_dummy.id))

        # tests for super user
        assert permission_argument1.allows(identity_superuser)
        assert permission_argument1_dummy.allows(identity_superuser)
        assert permission_argument1_other.allows(identity_superuser)
        assert permission_argument2.allows(identity_superuser)
        assert permission_argument2_dummy.allows(identity_superuser)
        assert permission_argument2_other.allows(identity_superuser)

        # first tests for permissions with argument
        assert permission_argument1.allows(identity_all)
        assert permission_argument1_dummy.allows(identity_all)
        assert permission_argument1_other.allows(identity_all)

        assert not permission_argument1.allows(identity_argument_dummy)
        assert permission_argument1_dummy.allows(identity_argument_dummy)
        assert not permission_argument1_other.allows(identity_argument_dummy)

        assert not permission_argument1.allows(identity_unknown)
        assert not permission_argument1_dummy.allows(identity_unknown)
        assert not permission_argument1_other.allows(identity_unknown)

        # second tests for permissions with arguments
#        assert permission_argument2.allows(identity_all)
#        assert permission_argument2_dummy.allows(identity_all)
        assert permission_argument2_other.allows(identity_all)

#        assert permission_argument2.allows(identity_argument_dummy)
#        assert permission_argument2_dummy.allows(identity_argument_dummy)
        assert not permission_argument2_other.allows(identity_argument_dummy)

#        assert permission_argument2.allows(identity_unknown)
#        assert permission_argument2_dummy.allows(identity_unknown)
        assert not permission_argument2_other.allows(identity_unknown)
Beispiel #13
0
def test_invenio_access_permission_for_users(app):
    """User can access to an action allowed/denied to the user"""
    InvenioAccess(app)
    with app.test_request_context():
        db.session.begin(nested=True)
        superuser = User(email='*****@*****.**')
        user_can_all = User(email='*****@*****.**')
        user_can_read = User(email='*****@*****.**')
        user_can_open = User(email='*****@*****.**')

        db.session.add(superuser)
        db.session.add(user_can_all)
        db.session.add(user_can_read)
        db.session.add(user_can_open)

        db.session.add(ActionUsers(action='superuser-access', user=superuser))

        db.session.add(ActionUsers(action='open', user=user_can_all))
        db.session.add(ActionUsers(action='open', user=user_can_open))

        db.session.add(ActionUsers(action='read', user=user_can_all))
        db.session.add(ActionUsers(action='read', user=user_can_read))

        db.session.add(ActionUsers(action='not_logged', user=user_can_all))

        db.session.commit()

        permission_open = DynamicPermission(ActionNeed('open'))
        permission_read = DynamicPermission(ActionNeed('read'))
        permission_not_logged = DynamicPermission(ActionNeed('not_logged'))

        identity_superuser = FakeIdentity(UserNeed(superuser.id))
        identity_all = FakeIdentity(UserNeed(user_can_all.id))
        identity_read = FakeIdentity(UserNeed(user_can_read.id))
        identity_open = FakeIdentity(UserNeed(user_can_open.id))
        identity_unknown = AnonymousIdentity()

        # global permissions
        assert permission_open.allows(identity_superuser)
        assert permission_read.allows(identity_superuser)

        assert permission_open.allows(identity_all)
        assert permission_read.allows(identity_all)
        assert permission_not_logged.allows(identity_all)

        assert permission_open.allows(identity_open)
        assert not permission_read.allows(identity_open)
        assert not permission_not_logged.allows(identity_open)

        assert not permission_open.allows(identity_read)
        assert permission_read.allows(identity_read)
        assert not permission_not_logged.allows(identity_read)

        assert not permission_open.allows(identity_unknown)
        assert not permission_read.allows(identity_unknown)
def test_invenio_access_permission_for_users(app):
    """User can access to an action allowed/denied to the user"""
    InvenioAccess(app)
    with app.test_request_context():
        db.session.begin(nested=True)
        superuser = User(email='*****@*****.**')
        user_can_all = User(email='*****@*****.**')
        user_can_read = User(email='*****@*****.**')
        user_can_open = User(email='*****@*****.**')

        db.session.add(superuser)
        db.session.add(user_can_all)
        db.session.add(user_can_read)
        db.session.add(user_can_open)

        db.session.add(ActionUsers(action='superuser-access', user=superuser))

        db.session.add(ActionUsers(action='open', user=user_can_all))
        db.session.add(ActionUsers(action='open', user=user_can_open))

        db.session.add(ActionUsers(action='read', user=user_can_all))
        db.session.add(ActionUsers(action='read', user=user_can_read))

        db.session.add(ActionUsers(action='not_logged', user=user_can_all))

        db.session.commit()

        permission_open = DynamicPermission(ActionNeed('open'))
        permission_read = DynamicPermission(ActionNeed('read'))
        permission_not_logged = DynamicPermission(ActionNeed('not_logged'))

        identity_superuser = FakeIdentity(UserNeed(superuser.id))
        identity_all = FakeIdentity(UserNeed(user_can_all.id))
        identity_read = FakeIdentity(UserNeed(user_can_read.id))
        identity_open = FakeIdentity(UserNeed(user_can_open.id))
        identity_unknown = AnonymousIdentity()

        # global permissions
        assert permission_open.allows(identity_superuser)
        assert permission_read.allows(identity_superuser)

        assert permission_open.allows(identity_all)
        assert permission_read.allows(identity_all)
        assert permission_not_logged.allows(identity_all)

        assert permission_open.allows(identity_open)
        assert not permission_read.allows(identity_open)
        assert not permission_not_logged.allows(identity_open)

        assert not permission_open.allows(identity_read)
        assert permission_read.allows(identity_read)
        assert not permission_not_logged.allows(identity_read)

        assert not permission_open.allows(identity_unknown)
        assert not permission_read.allows(identity_unknown)
def test_invenio_access_argument_permission_for_users(app):
    """User can access to an action allowed/denied with argument to the user"""
    InvenioAccess(app)
    with app.test_request_context():
        db.session.begin(nested=True)
        superuser = User(email='*****@*****.**')
        user_can_all = User(email='*****@*****.**')
        user_can_argument_dummy = User(email='*****@*****.**')

        db.session.add(superuser)
        db.session.add(user_can_all)
        db.session.add(user_can_argument_dummy)

        db.session.add(ActionUsers(action='superuser-access', user=superuser))

        db.session.add(ActionUsers(action='argument1',
                                   user=user_can_all))
        db.session.add(ActionUsers(action='argument1',
                                   argument='other',
                                   user=user_can_all))
        db.session.add(ActionUsers(action='argument1',
                                   argument='dummy',
                                   user=user_can_argument_dummy))
        db.session.add(ActionUsers(action='argument2',
                                   argument='other',
                                   user=user_can_all))
        db.session.commit()

        permission_argument1 = DynamicPermission(ActionNeed('argument1'))
        permission_argument1_dummy = DynamicPermission(
            ParameterizedActionNeed('argument1', 'dummy'))
        permission_argument1_other = DynamicPermission(
            ParameterizedActionNeed('argument1', 'other'))
        permission_argument2 = DynamicPermission(ActionNeed('argument2'))
        permission_argument2_dummy = DynamicPermission(
            ParameterizedActionNeed('argument2', 'dummy'))
        permission_argument2_other = DynamicPermission(
            ParameterizedActionNeed('argument2', 'other'))

        identity_superuser = FakeIdentity(UserNeed(superuser.id))
        identity_all = FakeIdentity(UserNeed(user_can_all.id))
        identity_unknown = AnonymousIdentity()
        identity_argument_dummy = FakeIdentity(
            UserNeed(user_can_argument_dummy.id))

        # tests for super user
        assert permission_argument1.allows(identity_superuser)
        assert permission_argument1_dummy.allows(identity_superuser)
        assert permission_argument1_other.allows(identity_superuser)
        assert permission_argument2.allows(identity_superuser)
        assert permission_argument2_dummy.allows(identity_superuser)
        assert permission_argument2_other.allows(identity_superuser)

        # first tests for permissions with argument
        assert permission_argument1.allows(identity_all)
        assert permission_argument1_dummy.allows(identity_all)
        assert permission_argument1_other.allows(identity_all)

        assert not permission_argument1.allows(identity_argument_dummy)
        assert permission_argument1_dummy.allows(identity_argument_dummy)
        assert not permission_argument1_other.allows(identity_argument_dummy)

        assert not permission_argument1.allows(identity_unknown)
        assert not permission_argument1_dummy.allows(identity_unknown)
        assert not permission_argument1_other.allows(identity_unknown)

        # second tests for permissions with arguments
#        assert permission_argument2.allows(identity_all)
#        assert permission_argument2_dummy.allows(identity_all)
        assert permission_argument2_other.allows(identity_all)

#        assert permission_argument2.allows(identity_argument_dummy)
#        assert permission_argument2_dummy.allows(identity_argument_dummy)
        assert not permission_argument2_other.allows(identity_argument_dummy)

#        assert permission_argument2.allows(identity_unknown)
#        assert permission_argument2_dummy.allows(identity_unknown)
        assert not permission_argument2_other.allows(identity_unknown)