def main():
    lines = []
    lines.append(HEADER)
    lines.append('')

    for resource_type in RESOURCE_DISPLAY_ORDER:
        resource_title = resource_type.replace('_', ' ').title()  # pylint: disable=no-member
        lines.append('%s' % (resource_title))
        lines.append('~' * len(resource_title))
        lines.append('')

        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)

        rows = []
        rows.append(TABLE_HEADER)

        for permission_type in permission_types:
            description = PermissionType.get_permission_description(permission_type)
            rows.append([permission_type, description])

        table = as_rest_table(rows, full=True)
        lines.extend(table.split('\n'))
        lines.append('')

    result = '\n'.join(lines)
    with open(DESTINATION_PATH, 'w') as fp:
        fp.write(result)

    print('Generated: %s' % (DESTINATION_PATH))
    return result
def main():
    lines = []
    lines.append(HEADER)
    lines.append("")

    for resource_type in RESOURCE_DISPLAY_ORDER:
        resource_title = resource_type.replace("_", " ").title()  # pylint: disable=no-member
        lines.append("%s" % (resource_title))
        lines.append("~" * len(resource_title))
        lines.append("")

        permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type=resource_type)

        rows = []
        rows.append(TABLE_HEADER)

        for permission_type in permission_types:
            description = PermissionType.get_permission_description(permission_type)
            rows.append(["**%s**" % (permission_type), description])

        table = as_rest_table(rows, full=True)
        lines.extend(table.split("\n"))
        lines.append("")

    result = "\n".join(lines)
    with open(DESTINATION_PATH, "w") as fp:
        fp.write(result)

    print("Generated: %s" % (DESTINATION_PATH))
    return result
    def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type):
        log_context = {
            'user_db': user_db,
            'pack_uid': pack_uid,
            'resource_uid': resource_uid,
            'resource_type': self.resource_type,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user resource permissions', extra=log_context)

        # First check the system role permissions
        self._log('Checking grants via system role permissions', extra=log_context)
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role', extra=log_context)
            return True

        # Check custom roles
        view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
                                                                  permission_name='view')
        all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
                                                                 permission_name='all')

        if permission_type == view_permission_type:
            # Note: Some permissions such as "create", "modify", "delete" and "execute" also
            # grant / imply "view" permission
            permission_types = self.view_grant_permission_types[:] + [permission_type]
        elif permission_type not in all_permission_type:
            permission_types = [all_permission_type, permission_type]
        else:
            permission_types = [permission_type]

        # Check direct grants on the specified resource
        self._log('Checking direct grans on the specified resource', extra=log_context)
        resource_types = [self.resource_type]
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               resource_uid=resource_uid,
                                                               resource_types=resource_types,
                                                               permission_types=permission_types)
        if len(permission_grants) >= 1:
            self._log('Found a direct grant on the action', extra=log_context)
            return True

        # Check grants on the parent pack
        self._log('Checking grants on the parent resource', extra=log_context)
        resource_types = [ResourceType.PACK]
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               resource_uid=pack_uid,
                                                               resource_types=resource_types,
                                                               permission_types=permission_types)

        if len(permission_grants) >= 1:
            self._log('Found a grant on the action parent pack', extra=log_context)
            return True

        self._log('No matching grants found', extra=log_context)
        return False
Beispiel #4
0
def main():
    lines = []
    lines.append(HEADER)
    lines.append('')

    for resource_type in RESOURCE_DISPLAY_ORDER:
        resource_title = resource_type.replace('_', ' ').title()  # pylint: disable=no-member
        lines.append('%s' % (resource_title))
        lines.append('~' * len(resource_title))
        lines.append('')

        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)

        rows = []
        rows.append(TABLE_HEADER)

        for permission_type in permission_types:
            description = PermissionType.get_permission_description(
                permission_type)
            rows.append(['**%s**' % (permission_type), description])

        table = as_rest_table(rows, full=True)
        lines.extend(table.split('\n'))
        lines.append('')

    result = '\n'.join(lines)
    with open(DESTINATION_PATH, 'w') as fp:
        fp.write(result)

    print('Generated: %s' % (DESTINATION_PATH))
    return result
Beispiel #5
0
 def test_get_permission_name(self):
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_CREATE),
                      'create')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_DELETE),
                      'delete')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_ALL),
                      'all')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.PACK_ALL),
                      'all')
Beispiel #6
0
    def _user_has_resource_permission(self, user_db, pack_uid, resource_uid, permission_type):
        log_context = {
            'user_db': user_db,
            'pack_uid': pack_uid,
            'resource_uid': resource_uid,
            'resource_type': self.resource_type,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user resource permissions', extra=log_context)

        # First check the system role permissions
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role', extra=log_context)
            return True

        # Check custom roles
        view_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
                                                                  permission_name='view')
        all_permission_type = PermissionType.get_permission_type(resource_type=self.resource_type,
                                                                 permission_name='all')

        if permission_type == view_permission_type:
            # Note: Some permissions such as "create", "modify", "delete" and "execute" also
            # grant / imply "view" permission
            permission_types = self.view_grant_permission_types[:] + [permission_type]
        elif permission_type not in all_permission_type:
            permission_types = [all_permission_type, permission_type]
        else:
            permission_types = [permission_type]

        # Check direct grants on the specified resource
        resource_types = [self.resource_type]
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               resource_uid=resource_uid,
                                                               resource_types=resource_types,
                                                               permission_types=permission_types)
        if len(permission_grants) >= 1:
            self._log('Found a direct grant on the action', extra=log_context)
            return True

        # Check grants on the parent pack
        resource_types = [ResourceType.PACK]
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               resource_uid=pack_uid,
                                                               resource_types=resource_types,
                                                               permission_types=permission_types)

        if len(permission_grants) >= 1:
            self._log('Found a grant on the action parent pack', extra=log_context)
            return True

        self._log('No matching grants found', extra=log_context)
        return False
Beispiel #7
0
 def test_get_resource_type(self):
     self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_CREATE),
                      ResourceType.ACTION)
     self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_DELETE),
                      ResourceType.ACTION)
     self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_ALL),
                      ResourceType.ACTION)
     self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_ALL),
                      ResourceType.PACK)
Beispiel #8
0
 def test_get_permission_type(self):
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
                                                         permission_name='view'),
                     PermissionType.ACTION_VIEW)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
                                                         permission_name='all'),
                     PermissionType.ACTION_ALL)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
                                                         permission_name='execute'),
                     PermissionType.ACTION_EXECUTE)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE,
                                                         permission_name='view'),
                     PermissionType.RULE_VIEW)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE,
                                                         permission_name='delete'),
                     PermissionType.RULE_DELETE)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
                                                         permission_name='view'),
                     PermissionType.SENSOR_VIEW)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
                                                         permission_name='all'),
                     PermissionType.SENSOR_ALL)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
                                                         permission_name='modify'),
                     PermissionType.SENSOR_MODIFY)
     self.assertEqual(
         PermissionType.get_permission_type(resource_type=ResourceType.RULE_ENFORCEMENT,
                                            permission_name='view'),
         PermissionType.RULE_ENFORCEMENT_VIEW)
Beispiel #9
0
    def test_get_valid_permission_for_resource_type(self):
        valid_action_permissions = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=ResourceType.ACTION
        )

        for name in valid_action_permissions:
            self.assertTrue(name.startswith(ResourceType.ACTION + "_"))

        valid_rule_permissions = PermissionType.get_valid_permissions_for_resource_type(resource_type=ResourceType.RULE)

        for name in valid_rule_permissions:
            self.assertTrue(name.startswith(ResourceType.RULE + "_"))
Beispiel #10
0
    def test_get_valid_permission_for_resource_type(self):
        valid_action_permissions = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=ResourceType.ACTION)

        for name in valid_action_permissions:
            self.assertTrue(name.startswith(ResourceType.ACTION + '_'))

        valid_rule_permissions = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=ResourceType.RULE)

        for name in valid_rule_permissions:
            self.assertTrue(name.startswith(ResourceType.RULE + '_'))
Beispiel #11
0
 def test_get_permission_type(self):
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
                                                         permission_name='view'),
                     PermissionType.ACTION_VIEW)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
                                                         permission_name='all'),
                     PermissionType.ACTION_ALL)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.ACTION,
                                                         permission_name='execute'),
                     PermissionType.ACTION_EXECUTE)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE,
                                                         permission_name='view'),
                     PermissionType.RULE_VIEW)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.RULE,
                                                         permission_name='delete'),
                     PermissionType.RULE_DELETE)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
                                                         permission_name='view'),
                     PermissionType.SENSOR_VIEW)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
                                                         permission_name='all'),
                     PermissionType.SENSOR_ALL)
     self.assertEqual(PermissionType.get_permission_type(resource_type=ResourceType.SENSOR,
                                                         permission_name='modify'),
                     PermissionType.SENSOR_MODIFY)
Beispiel #12
0
 def test_get_permission_name(self):
     self.assertEqual(
         PermissionType.get_permission_name(PermissionType.ACTION_LIST),
         "list")
     self.assertEqual(
         PermissionType.get_permission_name(PermissionType.ACTION_CREATE),
         "create")
     self.assertEqual(
         PermissionType.get_permission_name(PermissionType.ACTION_DELETE),
         "delete")
     self.assertEqual(
         PermissionType.get_permission_name(PermissionType.ACTION_ALL),
         "all")
     self.assertEqual(
         PermissionType.get_permission_name(PermissionType.PACK_ALL), "all")
     self.assertEqual(
         PermissionType.get_permission_name(PermissionType.SENSOR_MODIFY),
         "modify")
     self.assertEqual(
         PermissionType.get_permission_name(PermissionType.ACTION_EXECUTE),
         "execute")
     self.assertEqual(
         PermissionType.get_permission_name(
             PermissionType.RULE_ENFORCEMENT_LIST),
         "list",
     )
    def test_user_has_resource_db_permission(self):
        resolver = WebhookPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.WEBHOOK)

        # Admin user, should always return true
        resource_db = self.resources['webhook_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "webhook_send" grant on webhook_1
        user_db = self.users['custom_role_webhook_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.WEBHOOK_SEND)

        permission_types = [
            PermissionType.WEBHOOK_CREATE,
            PermissionType.WEBHOOK_DELETE,
            PermissionType.WEBHOOK_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Beispiel #14
0
    def _user_has_list_permission(self, user_db, permission_type):
        """
        Common method for checking if a user has specific "list" resource permission (e.g.
        rules_list, action_list, etc.).
        """
        assert PermissionType.get_permission_name(permission_type) == 'list'

        log_context = {
            'user_db': user_db,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user permissions', extra=log_context)

        # First check the system role permissions
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role', extra=log_context)
            return True

        # Check custom roles
        permission_types = [permission_type]

        # Check direct grants
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               permission_types=permission_types)
        if len(permission_grants) >= 1:
            self._log('Found a direct grant', extra=log_context)
            return True

        self._log('No matching grants found', extra=log_context)
        return False
 def _user_has_list_permission(self, user_db, permission_type):
     """
     Common method for checking if a user has specific "list" resource permission (e.g.
     rules_list, action_list, etc.).
     """
     assert PermissionType.get_permission_name(permission_type) == 'list'
     return self._user_has_global_permission(user_db=user_db, permission_type=permission_type)
Beispiel #16
0
    def _user_has_list_permission(self, user_db, permission_type):
        """
        Common method for checking if a user has specific "list" resource permission (e.g.
        rules_list, action_list, etc.).
        """
        assert PermissionType.get_permission_name(permission_type) == 'list'

        log_context = {
            'user_db': user_db,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user permissions', extra=log_context)

        # First check the system role permissions
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role',
                      extra=log_context)
            return True

        # Check custom roles
        permission_types = [permission_type]

        # Check direct grants
        permission_grants = get_all_permission_grants_for_user(
            user_db=user_db, permission_types=permission_types)
        if len(permission_grants) >= 1:
            self._log('Found a direct grant', extra=log_context)
            return True

        self._log('No matching grants found', extra=log_context)
        return False
Beispiel #17
0
    def test_user_has_resource_db_permission(self):
        resolver = WebhookPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.WEBHOOK)

        # Admin user, should always return true
        resource_db = self.resources['webhook_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "webhook_send" grant on webhook_1
        user_db = self.users['custom_role_webhook_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.WEBHOOK_SEND)

        permission_types = [
            PermissionType.WEBHOOK_CREATE, PermissionType.WEBHOOK_DELETE,
            PermissionType.WEBHOOK_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Beispiel #18
0
    def validate(self):
        # Parent JSON schema validation
        super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, 'permission_grants', [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get('resource_uid', None)
            permission_types = permission_grant.get('permission_types', [])

            if resource_uid:
                # Permission types which apply to a resource
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                    resource_type=resource_type)

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = (
                            'Invalid permission type "%s" for resource type "%s"'
                            % (permission_type, resource_type))
                        raise ValueError(message)
            else:
                # Right now we only support single permission type (list) which is global and
                # doesn't apply to a resource
                for permission_type in permission_types:
                    if not permission_type.endswith('_list'):
                        message = (
                            'Invalid permission type "%s". Only "list" permission types '
                            'can be used without a resource id' %
                            (permission_type))
                        raise ValueError(message)
Beispiel #19
0
    def validate(self):
        # Parent JSON schema validation
        cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, 'permission_grants', [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get('resource_uid', None)
            permission_types = permission_grant.get('permission_types', [])

            if resource_uid:
                # Permission types which apply to a resource
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                    resource_type=resource_type)

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = ('Invalid permission type "%s" for resource type "%s"' %
                                   (permission_type, resource_type))
                        raise ValueError(message)
            else:
                # Right now we only support single permission type (list) which is global and
                # doesn't apply to a resource
                for permission_type in permission_types:
                    if not permission_type.endswith('_list'):
                        message = ('Invalid permission type "%s". Only "list" permission types '
                                   'can be used without a resource id' % (permission_type))
                        raise ValueError(message)

            return cleaned
Beispiel #20
0
 def _get_all_permission_type_for_resource(self, resource_db):
     """
     Retrieve "ALL" permission type for the provided resource.
     """
     resource_type = resource_db.get_resource_type()
     permission_type = PermissionType.get_permission_type(resource_type=resource_type,
                                                          permission_name='all')
     return permission_type
Beispiel #21
0
 def _get_all_permission_type_for_resource(self, resource_db):
     """
     Retrieve "ALL" permission type for the provided resource.
     """
     resource_type = resource_db.get_resource_type()
     permission_type = PermissionType.get_permission_type(
         resource_type=resource_type, permission_name='all')
     return permission_type
Beispiel #22
0
def get_resolver_for_permission_type(permission_type):
    """
    Return resolver instance for the provided permission type.

    :rtype: Instance of :class:`PermissionsResolver`
    """
    resource_type = PermissionType.get_resource_type(permission_type=permission_type)
    resolver_instance = get_resolver_for_resource_type(resource_type=resource_type)
    return resolver_instance
Beispiel #23
0
 def test_get_permission_type(self):
     self.assertEqual(
         PermissionType.get_permission_type(
             resource_type=ResourceType.ACTION, permission_name="view"),
         PermissionType.ACTION_VIEW,
     )
     self.assertEqual(
         PermissionType.get_permission_type(
             resource_type=ResourceType.ACTION, permission_name="all"),
         PermissionType.ACTION_ALL,
     )
     self.assertEqual(
         PermissionType.get_permission_type(
             resource_type=ResourceType.ACTION, permission_name="execute"),
         PermissionType.ACTION_EXECUTE,
     )
     self.assertEqual(
         PermissionType.get_permission_type(resource_type=ResourceType.RULE,
                                            permission_name="view"),
         PermissionType.RULE_VIEW,
     )
     self.assertEqual(
         PermissionType.get_permission_type(resource_type=ResourceType.RULE,
                                            permission_name="delete"),
         PermissionType.RULE_DELETE,
     )
     self.assertEqual(
         PermissionType.get_permission_type(
             resource_type=ResourceType.SENSOR, permission_name="view"),
         PermissionType.SENSOR_VIEW,
     )
     self.assertEqual(
         PermissionType.get_permission_type(
             resource_type=ResourceType.SENSOR, permission_name="all"),
         PermissionType.SENSOR_ALL,
     )
     self.assertEqual(
         PermissionType.get_permission_type(
             resource_type=ResourceType.SENSOR, permission_name="modify"),
         PermissionType.SENSOR_MODIFY,
     )
     self.assertEqual(
         PermissionType.get_permission_type(
             resource_type=ResourceType.RULE_ENFORCEMENT,
             permission_name="view"),
         PermissionType.RULE_ENFORCEMENT_VIEW,
     )
Beispiel #24
0
    def test_user_has_resource_db_permission(self):
        resolver = RunnerPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RUNNER)

        # Admin user, should always return true
        resource_db = self.resources['runner_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "runner_view" grant on runner_1
        resource_db = self.resources['runner_1']
        user_db = self.users['custom_role_runner_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RUNNER_VIEW)

        permission_types = [
            PermissionType.RUNNER_MODIFY,
            PermissionType.RUNNER_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        # Custom role with "runner_modify" grant on runner_2
        resource_db = self.resources['runner_2']
        user_db = self.users['custom_role_runner_modify_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RUNNER_MODIFY)

        permission_types = [
            PermissionType.RUNNER_VIEW,
            PermissionType.RUNNER_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
    def test_user_has_resource_db_permission(self):
        resolver = RunnerPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RUNNER)

        # Admin user, should always return true
        resource_db = self.resources['runner_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "runner_view" grant on runner_1
        resource_db = self.resources['runner_1']
        user_db = self.users['custom_role_runner_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RUNNER_VIEW)

        permission_types = [
            PermissionType.RUNNER_MODIFY,
            PermissionType.RUNNER_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        # Custom role with "runner_modify" grant on runner_2
        resource_db = self.resources['runner_2']
        user_db = self.users['custom_role_runner_modify_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RUNNER_MODIFY)

        permission_types = [
            PermissionType.RUNNER_VIEW,
            PermissionType.RUNNER_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Beispiel #26
0
def _validate_permission_types(resource_db, permission_types):
    """
    Validate that the permission_types list only contains valid values for the
    provided resource.
    """
    resource_db = _validate_resource_type(resource_db=resource_db)
    resource_type = resource_db.get_resource_type()
    valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type)

    for permission_type in permission_types:
        if permission_type not in valid_permission_types:
            raise ValueError('Invalid permission type: %s' % (permission_type))

    return permission_types
Beispiel #27
0
def _validate_permission_types(resource_db, permission_types):
    """
    Validate that the permission_types list only contains valid values for the
    provided resource.
    """
    resource_db = _validate_resource_type(resource_db=resource_db)
    resource_type = resource_db.get_resource_type()
    valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type)

    for permission_type in permission_types:
        if permission_type not in valid_permission_types:
            raise ValueError("Invalid permission type: %s" % (permission_type))

    return permission_types
Beispiel #28
0
 def test_get_permission_name(self):
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_LIST),
                      'list')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_CREATE),
                      'create')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_DELETE),
                      'delete')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_ALL),
                      'all')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.PACK_ALL),
                      'all')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.SENSOR_MODIFY),
                      'modify')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_EXECUTE),
                      'execute')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.RULE_ENFORCEMENT_LIST),
                      'list')
Beispiel #29
0
    def setUpClass(cls):
        super(KeyValuePermissionsResolverTestCase, cls).setUpClass()

        cls.all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.KEY_VALUE_PAIR)

        cls.read_permission_types = [
            PermissionType.KEY_VALUE_PAIR_LIST,
            PermissionType.KEY_VALUE_PAIR_VIEW,
        ]

        cls.write_permission_types = [
            PermissionType.KEY_VALUE_PAIR_SET,
            PermissionType.KEY_VALUE_PAIR_DELETE,
        ]
Beispiel #30
0
    def test_user_has_resource_db_permissions(self):
        # Note: Right now we don't support granting permissions on key value items so we just check
        # that the method always returns True
        resolver = KeyValuePermissionsResolver()

        # No roles
        user_db = self.users['no_roles']
        resource_db = self.resources['kvp_1']

        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.KEY_VALUE_PAIR)
        for permission_type in permission_types:
            self.assertTrue(resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=resource_db,
                permission_type=permission_type))
def add_lines_for_permission_set(resource_title, permission_types, lines):
    lines.append(resource_title)
    lines.append("~" * len(resource_title))
    lines.append("")

    rows = []
    rows.append(TABLE_HEADER)

    for permission_type in permission_types:
        description = PermissionType.get_permission_description(
            permission_type)
        rows.append([f"**{permission_type}**", description])

    table = as_rest_table(rows, full=True)
    lines.extend(table.split("\n"))
    lines.append("")
Beispiel #32
0
 def test_get_permission_name(self):
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_LIST),
                      'list')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_CREATE),
                      'create')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_DELETE),
                      'delete')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_ALL),
                      'all')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.PACK_ALL),
                      'all')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.SENSOR_MODIFY),
                      'modify')
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_EXECUTE),
                      'execute')
Beispiel #33
0
    def validate(self):
        # Parent JSON schema validation
        cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, "permission_grants", [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get("resource_uid", None)
            permission_types = permission_grant.get("permission_types", [])

            if resource_uid:
                # Permission types which apply to a resource
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = (
                    PermissionType.get_valid_permissions_for_resource_type(
                        resource_type=resource_type))

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = (
                            'Invalid permission type "%s" for resource type "%s"'
                            % (
                                permission_type,
                                resource_type,
                            ))
                        raise ValueError(message)
            else:
                # Right now we only support single permission type (list) which is global and
                # doesn't apply to a resource
                for permission_type in permission_types:
                    if permission_type not in GLOBAL_PERMISSION_TYPES:
                        valid_global_permission_types = ", ".join(
                            GLOBAL_PERMISSION_TYPES)
                        message = (
                            'Invalid permission type "%s". Valid global permission types '
                            "which can be used without a resource id are: %s" %
                            (permission_type, valid_global_permission_types))
                        raise ValueError(message)

        return cleaned
def main():
    lines = []
    lines.append(HEADER)
    lines.append("")

    add_lines_for_permission_set("Global", GLOBAL_PERMISSION_TYPES, lines)

    for resource_type in RESOURCE_DISPLAY_ORDER:
        resource_title = resource_type.replace("_", " ").title()  # pylint: disable=no-member

        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)

        add_lines_for_permission_set(resource_title, permission_types, lines)

    result = "\n".join(lines)
    with open(DESTINATION_PATH, "w") as fp:
        fp.write(result)

    print("Generated: %s" % (DESTINATION_PATH))
    return result
Beispiel #35
0
    def validate(self):
        # Parent JSON schema validation
        super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, 'permission_grants', [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get('resource_uid', None)
            permission_types = permission_grant.get('permission_types', [])

            if resource_uid:
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                    resource_type=resource_type)

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = ('Invalid permission type "%s" for resource type "%s"' %
                                   (permission_type, resource_type))
                        raise ValueError(message)
Beispiel #36
0
    def _user_has_system_role_permission(self, user_db, permission_type):
        """
        Check the user system roles and return True if user has the required permission.

        :rtype: ``bool``
        """
        permission_name = PermissionType.get_permission_name(permission_type)

        user_role_dbs = get_roles_for_user(user_db=user_db)
        user_role_names = [role_db.name for role_db in user_role_dbs]

        if SystemRole.SYSTEM_ADMIN in user_role_names:
            # System admin has all the permissions
            return True
        elif SystemRole.ADMIN in user_role_names:
            # Admin has all the permissions
            return True
        elif SystemRole.OBSERVER in user_role_names and permission_name in READ_PERMISSION_NAMES:
            # Observer role has "view" permission on all the resources
            return True

        return False
Beispiel #37
0
    def _user_has_system_role_permission(self, user_db, permission_type):
        """
        Check the user system roles and return True if user has the required permission.

        :rtype: ``bool``
        """
        permission_name = PermissionType.get_permission_name(permission_type)

        user_role_dbs = get_roles_for_user(user_db=user_db)
        user_role_names = [role_db.name for role_db in user_role_dbs]

        if SystemRole.SYSTEM_ADMIN in user_role_names:
            # System admin has all the permissions
            return True
        elif SystemRole.ADMIN in user_role_names:
            # Admin has all the permissions
            return True
        elif SystemRole.OBSERVER in user_role_names and permission_name == 'view':
            # Observer role has "view" permission on all the resources
            return True

        return False
Beispiel #38
0
class RoleDefinitionFileFormatAPI(BaseAPI):
    """
    JSON schema for the role definition file format.
    """

    schema = {
        'type': 'object',
        'properties': {
            'name': {
                'type': 'string',
                'description': 'Role name',
                'required': True,
                'default': None
            },
            'description': {
                'type': 'string',
                'description': 'Role description',
                'required': False
            },
            'enabled': {
                'type':
                'boolean',
                'description':
                ('Flag indicating if this role is enabled. Note: Disabled roles '
                 'are simply ignored when loading definitions from disk.'),
                'default':
                True
            },
            'permission_grants': {
                'type': 'array',
                'items': {
                    'type': 'object',
                    'properties': {
                        'resource_uid': {
                            'type': 'string',
                            'description':
                            'UID of a resource to which this grant applies to.',
                            'required': False,
                            'default': None
                        },
                        'permission_types': {
                            'type': 'array',
                            'description':
                            'A list of permission types to grant',
                            'uniqueItems': True,
                            'items': {
                                'type': 'string',
                                # Note: We permission aditional validation for based on the
                                # resource type in other place
                                'enum': PermissionType.get_valid_values()
                            },
                            'default': []
                        }
                    }
                }
            }
        },
        'additionalProperties': False
    }

    def validate(self):
        # Parent JSON schema validation
        cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, 'permission_grants', [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get('resource_uid', None)
            permission_types = permission_grant.get('permission_types', [])

            if resource_uid:
                # Permission types which apply to a resource
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                    resource_type=resource_type)

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = (
                            'Invalid permission type "%s" for resource type "%s"'
                            % (permission_type, resource_type))
                        raise ValueError(message)
            else:
                # Right now we only support single permission type (list) which is global and
                # doesn't apply to a resource
                for permission_type in permission_types:
                    if not permission_type.endswith('_list'):
                        message = (
                            'Invalid permission type "%s". Only "list" permission types '
                            'can be used without a resource id' %
                            (permission_type))
                        raise ValueError(message)

            return cleaned
    def test_user_has_resource_db_permission(self):
        resolver = ActionPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.ACTION)

        # Admin user, should always return true
        resource_db = self.resources['action_1']
        user_db = self.users['admin']

        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_MODIFY)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_DELETE)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_action_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role with a direct grant on action
        user_db = self.users['custom_role_action_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_3'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_EXECUTE)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_3'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role - "action_all" grant on the action parent pack
        user_db = self.users['custom_role_pack_action_all_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_all" grant on the action
        user_db = self.users['custom_role_action_all_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_execute" grant on action_1
        user_db = self.users['custom_role_action_execute_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.ACTION_EXECUTE)

        # "execute" also grants "view"
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.ACTION_VIEW)

        permission_types = [
            PermissionType.ACTION_CREATE,
            PermissionType.ACTION_MODIFY,
            PermissionType.ACTION_DELETE
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Beispiel #40
0
    def test_get_resource_type(self):
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_LIST),
                         SystemType.PACK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_VIEW),
                         SystemType.PACK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_CREATE),
                         SystemType.PACK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_MODIFY),
                         SystemType.PACK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_DELETE),
                         SystemType.PACK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_ALL),
                         SystemType.PACK)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_LIST),
                         SystemType.SENSOR_TYPE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_VIEW),
                         SystemType.SENSOR_TYPE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_MODIFY),
                         SystemType.SENSOR_TYPE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.SENSOR_ALL),
                         SystemType.SENSOR_TYPE)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_LIST),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_VIEW),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_CREATE),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_MODIFY),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_DELETE),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_EXECUTE),
                         SystemType.ACTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_ALL),
                         SystemType.ACTION)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_LIST),
                         SystemType.EXECUTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_VIEW),
                         SystemType.EXECUTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_RE_RUN),
                         SystemType.EXECUTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_STOP),
                         SystemType.EXECUTION)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.EXECUTION_ALL),
                         SystemType.EXECUTION)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_LIST),
                         SystemType.RULE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_VIEW),
                         SystemType.RULE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_CREATE),
                         SystemType.RULE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_MODIFY),
                         SystemType.RULE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_DELETE),
                         SystemType.RULE)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_ALL),
                         SystemType.RULE)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_ENFORCEMENT_LIST),
                         SystemType.RULE_ENFORCEMENT)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.RULE_ENFORCEMENT_VIEW),
                         SystemType.RULE_ENFORCEMENT)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.KEY_VALUE_VIEW),
                         SystemType.KEY_VALUE_PAIR)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.KEY_VALUE_SET),
                         SystemType.KEY_VALUE_PAIR)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.KEY_VALUE_DELETE),
                         SystemType.KEY_VALUE_PAIR)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_CREATE),
                         SystemType.WEBHOOK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_SEND),
                         SystemType.WEBHOOK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_DELETE),
                         SystemType.WEBHOOK)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.WEBHOOK_ALL),
                         SystemType.WEBHOOK)

        self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_LIST),
                         SystemType.API_KEY)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_VIEW),
                         SystemType.API_KEY)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_CREATE),
                         SystemType.API_KEY)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_DELETE),
                         SystemType.API_KEY)
        self.assertEqual(PermissionType.get_resource_type(PermissionType.API_KEY_ALL),
                         SystemType.API_KEY)
    def test_user_has_resource_db_permission(self):
        resolver = RuleEnforcementPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(ResourceType.RULE_ENFORCEMENT)

        # Admin user, should always return true
        resource_db = self.resources["rule_enforcement_1"]
        user_db = self.users["admin"]
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Observer, should always return true for VIEW permission
        user_db = self.users["observer"]
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_1"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_2"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # No roles, should return false for everything
        user_db = self.users["no_roles"]
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role with no permission grants, should return false for everything
        user_db = self.users["1_custom_role_no_permissions"]
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users["custom_role_pack_grant"]
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_1"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_2"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # Custom role with with grant on the parent pack
        user_db = self.users["custom_role_rule_pack_grant"]
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_1"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_2"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # Custom role with a direct grant on rule
        user_db = self.users["custom_role_rule_grant"]
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_3"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # Custom role - "rule_all" grant on the rule parent pack
        user_db = self.users["custom_role_pack_rule_all_grant"]
        resource_db = self.resources["rule_enforcement_1"]
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role - "rule_all" grant on the rule
        user_db = self.users["custom_role_rule_all_grant"]
        resource_db = self.resources["rule_enforcement_1"]
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users["custom_role_rule_modify_grant"]
        resource_db = self.resources["rule_enforcement_1"]

        # "modify" also grants "view"
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RULE_ENFORCEMENT_VIEW
            )
        )
    def test_user_has_resource_permissions(self):
        resolver = ExecutionPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.EXECUTION)

        # Admin user, should always return true
        resource_db = self.resources['exec_1']
        user_db = self.users['admin']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_STOP))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_ALL))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with an action_view grant on unrelated pack, should return false for
        # everything
        user_db = self.users['custom_role_unrelated_pack_action_grant']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack, should return false for
        # everything
        user_db = self.users['custom_role_pack_action_grant_unrelated_permission']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with "action_view" grant on the pack of the action resource belongs to
        user_db = self.users['custom_role_pack_action_view_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_VIEW
        ))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_RE_RUN
        ))

        # Custom role with "action_view" grant on the action the resource belongs to
        user_db = self.users['custom_role_action_view_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_VIEW
        ))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_RE_RUN
        ))

        # Custom role with "action_execute" grant on the pack of the action resource belongs to
        user_db = self.users['custom_role_pack_action_execute_grant']
        permission_types = [PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP]
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        permission_types = [PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL]
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        # Custom role with "action_execute" grant on the action resource belongs to
        user_db = self.users['custom_role_action_execute_grant']
        permission_types = [PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP]
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        permission_types = [PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL]
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        # Custom role - "action_all" grant on the action parent pack the execution belongs to
        user_db = self.users['custom_role_pack_action_all_grant']
        resource_db = self.resources['exec_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "action_all" grant on the action the execution belongs to
        user_db = self.users['custom_role_action_all_grant']
        resource_db = self.resources['exec_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))
    def test_user_has_resource_db_permission(self):
        resolver = SensorPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.SENSOR)

        # Admin user, should always return true
        resource_db = self.resources['sensor_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_VIEW)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_ALL)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_sensor_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW)

        # Custom role with a direct grant on sensor
        user_db = self.users['custom_role_sensor_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_ALL)

        # Custom role - "sensor_all" grant on the sensor parent pack
        user_db = self.users['custom_role_pack_sensor_all_grant']
        resource_db = self.resources['sensor_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "sensor_all" grant on the sensor
        user_db = self.users['custom_role_sensor_all_grant']
        resource_db = self.resources['sensor_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)
Beispiel #44
0
    def user_has_resource_db_permission(self, user_db, resource_db,
                                        permission_type):
        log_context = {
            'user_db': user_db,
            'resource_db': resource_db,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user resource permissions', extra=log_context)

        # First check the system role permissions
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role',
                      extra=log_context)
            return True

        # Check custom roles
        rule_spec = getattr(resource_db, 'rule', None)
        rule_uid = rule_spec.uid
        rule_id = rule_spec.id
        rule_pack = ResourceReference.get_pack(rule_spec.ref)

        if not rule_uid or not rule_id or not rule_pack:
            LOG.error(
                'Rule UID or ID or PACK not present in enforcement object. ' +
                ('UID = %s, ID = %s, PACK = %s' %
                 (rule_uid, rule_id, rule_pack)) +
                'Cannot assess access permissions without it. Defaulting to DENY.'
            )
            return False

        # TODO: Add utility methods for constructing uids from parts
        pack_db = PackDB(ref=rule_pack)
        rule_pack_uid = pack_db.get_uid()

        rule_permission_type = None
        if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW:
            rule_permission_type = PermissionType.RULE_VIEW
        elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST:
            rule_permission_type = PermissionType.RULE_LIST
        else:
            raise ValueError('Invalid permission type: %s' % (permission_type))

        permission_types = [PermissionType.RULE_ALL, rule_permission_type]

        view_permission_type = PermissionType.get_permission_type(
            resource_type=ResourceType.RULE, permission_name='view')

        if rule_permission_type == view_permission_type:
            permission_types = (
                RulePermissionsResolver.view_grant_permission_types[:] +
                [rule_permission_type])

        # Check grants on the pack of the rule to which enforcement belongs to
        resource_types = [ResourceType.PACK]
        permission_grants = get_all_permission_grants_for_user(
            user_db=user_db,
            resource_uid=rule_pack_uid,
            resource_types=resource_types,
            permission_types=permission_types)

        if len(permission_grants) >= 1:
            self._log('Found a grant on the enforcement rule parent pack',
                      extra=log_context)
            return True

        # Check grants on the rule the enforcement belongs to
        resource_types = [ResourceType.RULE]
        permission_grants = get_all_permission_grants_for_user(
            user_db=user_db,
            resource_uid=rule_uid,
            resource_types=resource_types,
            permission_types=permission_types)

        if len(permission_grants) >= 1:
            self._log('Found a grant on the enforcement\'s rule.',
                      extra=log_context)
            return True

        self._log('No matching grants found', extra=log_context)
        return False
Beispiel #45
0
    def user_has_resource_db_permission(self, user_db, resource_db, permission_type):
        log_context = {
            'user_db': user_db,
            'resource_db': resource_db,
            'permission_type': permission_type,
            'resolver': self.__class__.__name__
        }
        self._log('Checking user resource permissions', extra=log_context)

        # First check the system role permissions
        has_system_role_permission = self._user_has_system_role_permission(
            user_db=user_db, permission_type=permission_type)

        if has_system_role_permission:
            self._log('Found a matching grant via system role', extra=log_context)
            return True

        # Check custom roles
        rule_spec = getattr(resource_db, 'rule', None)
        rule_uid = rule_spec.uid
        rule_id = rule_spec.id
        rule_pack = ResourceReference.get_pack(rule_spec.ref)

        if not rule_uid or not rule_id or not rule_pack:
            LOG.error('Rule UID or ID or PACK not present in enforcement object. ' +
                      ('UID = %s, ID = %s, PACK = %s' % (rule_uid, rule_id, rule_pack)) +
                      'Cannot assess access permissions without it. Defaulting to DENY.')
            return False

        # TODO: Add utility methods for constructing uids from parts
        pack_db = PackDB(ref=rule_pack)
        rule_pack_uid = pack_db.get_uid()

        rule_permission_type = None
        if permission_type == PermissionType.RULE_ENFORCEMENT_VIEW:
            rule_permission_type = PermissionType.RULE_VIEW
        elif permission_type == PermissionType.RULE_ENFORCEMENT_LIST:
            rule_permission_type = PermissionType.RULE_LIST
        else:
            raise ValueError('Invalid permission type: %s' % (permission_type))

        permission_types = [PermissionType.RULE_ALL, rule_permission_type]

        view_permission_type = PermissionType.get_permission_type(resource_type=ResourceType.RULE,
                                                                  permission_name='view')

        if rule_permission_type == view_permission_type:
            permission_types = (RulePermissionsResolver.view_grant_permission_types[:] +
                                [rule_permission_type])

        # Check grants on the pack of the rule to which enforcement belongs to
        resource_types = [ResourceType.PACK]
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               resource_uid=rule_pack_uid,
                                                               resource_types=resource_types,
                                                               permission_types=permission_types)

        if len(permission_grants) >= 1:
            self._log('Found a grant on the enforcement rule parent pack', extra=log_context)
            return True

        # Check grants on the rule the enforcement belongs to
        resource_types = [ResourceType.RULE]
        permission_grants = get_all_permission_grants_for_user(user_db=user_db,
                                                               resource_uid=rule_uid,
                                                               resource_types=resource_types,
                                                               permission_types=permission_types)

        if len(permission_grants) >= 1:
            self._log('Found a grant on the enforcement\'s rule.', extra=log_context)
            return True

        self._log('No matching grants found', extra=log_context)
        return False
    def test_user_has_resource_db_permission(self):
        resolver = InquiryPermissionsResolver()

        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.INQUIRY)
        all_permission_types.remove(PermissionType.INQUIRY_LIST)

        # Admin user, should always return true
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_RESPOND)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_ALL)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # View user should be able to view
        user_db = self.users['custom_role_inquiry_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_VIEW)

        # Respond user should be able to respond
        user_db = self.users['custom_role_inquiry_respond_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_RESPOND)

        # ALL user should have all db perms
        user_db = self.users['custom_role_inquiry_all_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_ALL)

        # Now to test inheritance from action_execution for parent workflow.
        # We still have to pass in INQUIRY_RESPOND to permission_type here to keep the resolver
        # enum assert happy, but we haven't granted INQUIRY_RESPOND to this role, proving
        # that the effective permission is inherited.
        user_db = self.users['custom_role_inquiry_inherit']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_2'],
            permission_type=PermissionType.INQUIRY_RESPOND)
    def test_user_has_resource_db_permission(self):
        resolver = RuleEnforcementPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RULE_ENFORCEMENT)

        # Admin user, should always return true
        resource_db = self.resources['rule_enforcement_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_rule_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role with a direct grant on rule
        user_db = self.users['custom_role_rule_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_3'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role - "rule_all" grant on the rule parent pack
        user_db = self.users['custom_role_pack_rule_all_grant']
        resource_db = self.resources['rule_enforcement_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "rule_all" grant on the rule
        user_db = self.users['custom_role_rule_all_grant']
        resource_db = self.resources['rule_enforcement_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users['custom_role_rule_modify_grant']
        resource_db = self.resources['rule_enforcement_1']

        # "modify" also grants "view"
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
    def test_user_has_resource_permissions(self):
        resolver = SensorPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.SENSOR)

        # Admin user, should always return true
        resource_db = self.resources['sensor_1']
        user_db = self.users['admin']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_VIEW))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_ALL))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW))

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_sensor_pack_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW))

        # Custom role with a direct grant on sensor
        user_db = self.users['custom_role_sensor_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_ALL))

        # Custom role - "sensor_all" grant on the sensor parent pack
        user_db = self.users['custom_role_pack_sensor_all_grant']
        resource_db = self.resources['sensor_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "sensor_all" grant on the sensor
        user_db = self.users['custom_role_sensor_all_grant']
        resource_db = self.resources['sensor_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))
Beispiel #49
0
    def test_user_has_resource_permissions(self):
        resolver = RulePermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RULE)

        # Admin user, should always return true
        resource_db = self.resources['rule_1']
        user_db = self.users['admin']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_MODIFY))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_DELETE))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_DELETE))

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_rule_pack_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_DELETE))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_MODIFY))

        # Custom role with a direct grant on rule
        user_db = self.users['custom_role_rule_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_ALL))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_MODIFY))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_DELETE))

        # Custom role - "rule_all" grant on the action parent pack
        user_db = self.users['custom_role_pack_rule_all_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "action_all" grant on the action
        user_db = self.users['custom_role_rule_all_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users['custom_role_rule_modify_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RULE_MODIFY))

        # "modify" also grants "view"
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RULE_VIEW))

        permission_types = [
            PermissionType.RULE_CREATE,
            PermissionType.RULE_DELETE
        ]
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))
Beispiel #50
0
    def test_user_has_resource_db_permissions(self):
        resolver = RulePermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RULE)

        # Admin user, should always return true
        resource_db = self.resources['rule_1']
        user_db = self.users['admin']
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_1'],
                permission_type=PermissionType.RULE_VIEW))
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_2'],
                permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_1'],
                permission_type=PermissionType.RULE_MODIFY))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_2'],
                permission_type=PermissionType.RULE_DELETE))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_1'],
                permission_type=PermissionType.RULE_VIEW))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_2'],
                permission_type=PermissionType.RULE_VIEW))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_3'],
                permission_type=PermissionType.RULE_DELETE))

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_rule_pack_grant']
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_1'],
                permission_type=PermissionType.RULE_VIEW))
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_2'],
                permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_1'],
                permission_type=PermissionType.RULE_DELETE))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_2'],
                permission_type=PermissionType.RULE_MODIFY))

        # Custom role with a direct grant on rule
        user_db = self.users['custom_role_rule_grant']
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_3'],
                permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_3'],
                permission_type=PermissionType.RULE_ALL))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_3'],
                permission_type=PermissionType.RULE_MODIFY))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_3'],
                permission_type=PermissionType.RULE_DELETE))

        # Custom role - "rule_all" grant on the rule parent pack
        user_db = self.users['custom_role_pack_rule_all_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=all_permission_types))

        # Custom role - "rule_all" grant on the rule
        user_db = self.users['custom_role_rule_all_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=all_permission_types))

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users['custom_role_rule_modify_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=resource_db,
                permission_type=PermissionType.RULE_MODIFY))

        # "modify" also grants "view"
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=resource_db,
                permission_type=PermissionType.RULE_VIEW))

        permission_types = [
            PermissionType.RULE_CREATE, PermissionType.RULE_DELETE
        ]
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=permission_types))
Beispiel #51
0
    def test_user_has_resource_db_permission(self):
        resolver = ActionPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.ACTION)

        # Admin user, should always return true
        resource_db = self.resources['action_1']
        user_db = self.users['admin']

        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_MODIFY)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_DELETE)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_action_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role with a direct grant on action
        user_db = self.users['custom_role_action_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_3'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_EXECUTE)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_3'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role - "action_all" grant on the action parent pack
        user_db = self.users['custom_role_pack_action_all_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_all" grant on the action
        user_db = self.users['custom_role_action_all_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_execute" grant on action_1
        user_db = self.users['custom_role_action_execute_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.ACTION_EXECUTE)

        # "execute" also grants "view"
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.ACTION_VIEW)

        permission_types = [
            PermissionType.ACTION_CREATE,
            PermissionType.ACTION_MODIFY,
            PermissionType.ACTION_DELETE
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Beispiel #52
0
 def test_get_resource_type(self):
     self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_CREATE), ResourceType.ACTION)
     self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_DELETE), ResourceType.ACTION)
     self.assertEqual(PermissionType.get_resource_type(PermissionType.ACTION_ALL), ResourceType.ACTION)
     self.assertEqual(PermissionType.get_resource_type(PermissionType.PACK_ALL), ResourceType.PACK)
Beispiel #53
0
    def test_user_has_resource_db_permission(self):
        resolver = ExecutionPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.EXECUTION)
        all_permission_types.remove(PermissionType.EXECUTION_LIST)

        # Admin user, should always return true
        resource_db = self.resources['exec_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_STOP)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_ALL)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with an action_view grant on unrelated pack, should return false for
        # everything
        user_db = self.users['custom_role_unrelated_pack_action_grant']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack, should return false for
        # everything
        user_db = self.users[
            'custom_role_pack_action_grant_unrelated_permission']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "action_view" grant on the pack of the action resource belongs to
        user_db = self.users['custom_role_pack_action_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_RE_RUN)

        # Custom role with "action_view" grant on the action the resource belongs to
        user_db = self.users['custom_role_action_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_RE_RUN)

        # Custom role with "action_execute" grant on the pack of the action resource belongs to
        user_db = self.users['custom_role_pack_action_execute_grant']
        permission_types = [
            PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP
        ]
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        permission_types = [
            PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        # Custom role with "action_execute" grant on the action resource belongs to
        user_db = self.users['custom_role_action_execute_grant']
        permission_types = [
            PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP
        ]
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        permission_types = [
            PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        # Custom role - "action_all" grant on the action parent pack the execution belongs to
        user_db = self.users['custom_role_pack_action_all_grant']
        resource_db = self.resources['exec_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_all" grant on the action the execution belongs to
        user_db = self.users['custom_role_action_all_grant']
        resource_db = self.resources['exec_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)
Beispiel #54
0
 def test_get_permission_name(self):
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_CREATE), "create")
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_DELETE), "delete")
     self.assertEqual(PermissionType.get_permission_name(PermissionType.ACTION_ALL), "all")
     self.assertEqual(PermissionType.get_permission_name(PermissionType.PACK_ALL), "all")