Beispiel #1
    def test_access_control_is_set_on_init(self):
        """DAG permissions granted via ``access_control`` must track role membership.

        A user is created in ``team-a`` with no permissions of its own.
        ``sync_perm_for_dag`` then grants edit and read on
        ``access_control_test`` to ``team-a``, and the user is expected to hold
        both.  After ``expect_user_is_in_role`` is called with ``NOT-team-a``,
        the same user is expected to hold neither, so the grant must not leak
        to users outside the named role.
        """
        dag_id = 'access_control_test'
        user_name = '******'
        team_role = 'team-a'
        with self.app.app_context():
            member = fab_utils.create_user(
                self.app, user_name, team_role, permissions=[])

            # Positive case: the role named in access_control gets the DAG perms.
            self.expect_user_is_in_role(member, rolename='team-a')
            self.security_manager.sync_perm_for_dag(
                dag_id,
                access_control={
                    'team-a': [
                        permissions.ACTION_CAN_EDIT,
                        permissions.ACTION_CAN_READ,
                    ],
                },
            )
            self.assert_user_has_dag_perms(
                perms=[permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ],
                dag_id=dag_id,
                user=member,
            )

            # Negative case: presumably the helper moves the user into the other
            # role (it is defined outside this snippet -- confirm); the DAG
            # perms must then be gone.
            self.expect_user_is_in_role(member, rolename='NOT-team-a')
            self.assert_user_does_not_have_dag_perms(
                perms=[permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ],
                dag_id=dag_id,
                user=member,
            )
Beispiel #2
    def test_access_control_stale_perms_are_revoked(self):
        """Narrowing a role's ``access_control`` must remove the dropped permissions.

        The DAG is first synced with ``READ_WRITE`` for ``team-a`` and then
        re-synced with ``READ_ONLY``.  After the second sync the user must
        still have read access but must no longer have edit access.  A sync
        that only ever added permissions would leave the edit grant in place,
        which is the privilege-creep case this test guards against.

        ``READ_WRITE`` and ``READ_ONLY`` are defined outside this snippet;
        presumably they are the edit+read and read-only permission lists.
        """
        dag_id = 'access_control_test'
        user_name = '******'
        team_role = 'team-a'
        with self.app.app_context():
            member = fab_utils.create_user(
                self.app, user_name, team_role, permissions=[])
            self.expect_user_is_in_role(member, rolename='team-a')

            # First sync: the wider grant is applied and visible.
            self.security_manager.sync_perm_for_dag(
                dag_id,
                access_control={'team-a': READ_WRITE},
            )
            self.assert_user_has_dag_perms(
                perms=READ_WRITE,
                dag_id=dag_id,
                user=member,
            )

            # Second sync: same DAG, narrower grant.
            self.security_manager.sync_perm_for_dag(
                dag_id,
                access_control={'team-a': READ_ONLY},
            )
            # Read survives the narrowing ...
            self.assert_user_has_dag_perms(
                perms=[permissions.ACTION_CAN_READ],
                dag_id=dag_id,
                user=member,
            )
            # ... and the stale edit permission is revoked.
            self.assert_user_does_not_have_dag_perms(
                perms=[permissions.ACTION_CAN_EDIT],
                dag_id=dag_id,
                user=member,
            )
Beispiel #3
    def test_get_accessible_dag_ids(self):
        """A role granted read on a DAG must see that DAG in ``get_accessible_dag_ids``.

        The user's role carries read on ``RESOURCE_DAG``, a ``DagModel`` row
        for ``dag_id`` is committed, and ``sync_perm_for_dag`` grants the role
        read on that DAG.  The accessible set must then be exactly
        ``{'dag_id'}``.
        """
        dag_id = 'dag_id'
        role_name = 'MyRole1'
        username = "******"
        dag_level_actions = [permissions.ACTION_CAN_READ]

        # NOTE(review): the same (read, DAG) pair is listed twice; confirm
        # whether a second, different permission was intended here.
        role_permissions = [
            (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
            (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        ]
        user = fab_utils.create_user(
            self.app, username, role_name, permissions=role_permissions)

        # The DAG row is added and committed before permissions are synced.
        self.session.add(
            DagModel(
                dag_id=dag_id,
                fileloc="/tmp/dag_.py",
                schedule_interval="2 2 * * *",
            )
        )
        self.session.commit()

        self.security_manager.sync_perm_for_dag(  # type: ignore  # pylint: disable=no-member
            dag_id, access_control={role_name: dag_level_actions})

        accessible = self.security_manager.get_accessible_dag_ids(user)
        self.assertEqual(accessible, {'dag_id'})
Beispiel #4
    def test_dont_get_inaccessible_dag_ids_for_dag_resource_permission(self):
        """Edit permission on a DAG must not make it appear as readable.

        The user's role holds only ``ACTION_CAN_EDIT`` on ``RESOURCE_DAG``, and
        the DAG's ``access_control`` grants the role only edit.  In that state
        ``get_readable_dag_ids`` must return an empty set: holding one action
        does not imply another.
        """
        dag_id = "dag_id"
        role_name = "MyRole1"
        username = "******"
        dag_level_actions = [permissions.ACTION_CAN_EDIT]

        user = fab_utils.create_user(
            self.app,
            username,
            role_name,
            permissions=[(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG)],
        )

        # The DAG row is added and committed before permissions are synced.
        self.session.add(
            DagModel(
                dag_id=dag_id,
                fileloc="/tmp/dag_.py",
                schedule_interval="2 2 * * *",
            )
        )
        self.session.commit()

        self.security_manager.sync_perm_for_dag(  # type: ignore  # pylint: disable=no-member
            dag_id, access_control={role_name: dag_level_actions})

        # get_readable_dag_ids() must not return DAGs for which the user has
        # only the CAN_EDIT permission.
        readable = self.security_manager.get_readable_dag_ids(user)
        assert readable == set()
Beispiel #5
    def test_get_current_user_permissions(self, mock_get_user_roles):
        """The current user's permissions must come only from the roles returned for them.

        ``mock_get_user_roles`` is injected from outside this snippet
        (presumably by a patch decorator) and controls which roles the
        security manager sees.  With the user's single role returned, the
        result must be exactly that role's ``(action, resource)`` pair; with no
        roles returned, the result must be empty.
        """
        action_name = 'can_some_action'
        resource_name = 'SomeBaseView'
        role_name = 'MyRole5'
        username = '******'

        with self.app.app_context():
            user = fab_utils.create_user(
                self.app,
                username,
                role_name,
                permissions=[(action_name, resource_name)],
            )

            # One role: its single permission pair is reported.
            mock_get_user_roles.return_value = [user.roles[0]]
            with_role = self.security_manager.get_current_user_permissions()
            assert with_role == {(action_name, resource_name)}

            # No roles: nothing may be reported.
            mock_get_user_roles.return_value = []
            without_role = self.security_manager.get_current_user_permissions()
            assert len(without_role) == 0
Beispiel #6
 def test_access_control_with_invalid_permission(self):
     """``sync_perm_for_dag`` must reject permission names that are not DAG permissions.

     Two names are tried, one at a time: one that exists as a permission but
     is not a DAG-level one, and one that does not exist at all.  Each call
     must raise ``AirflowException`` whose message contains
     ``"invalid permissions"``, so a bad ``access_control`` entry fails loudly
     instead of being accepted.
     """
     rejected_names = [
         'can_varimport',  # a real permission, but not a member of DAG_PERMS
         'can_eat_pudding',  # clearly not a real permission
     ]
     username = "******"
     user = fab_utils.create_user(
         self.app,
         username=username,
         role_name='team-a',
     )
     for bad_name in rejected_names:
         self.expect_user_is_in_role(user, rolename='team-a')
         # Only the sync call sits inside the assertRaises block, so the
         # exception must come from it.
         with self.assertRaises(AirflowException) as raised:
             self.security_manager.sync_perm_for_dag(
                 'access_control_test',
                 access_control={'team-a': {bad_name}},
             )
         self.assertIn("invalid permissions", str(raised.exception))
Beispiel #7
 def test_all_dag_access_doesnt_give_non_dag_access(self):
     """Read access on the DAG resource must not extend to other resources.

     The role is given read on ``RESOURCE_DAG`` only.  ``has_access`` must
     then allow read on ``RESOURCE_DAG`` and deny read on
     ``RESOURCE_TASK_INSTANCE``.
     """
     role_name = 'dag_access_role'
     username = '******'
     with self.app.app_context():
         # NOTE(review): the same (read, DAG) pair is listed twice; confirm
         # whether a second, different permission was intended here.
         granted = [
             (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
             (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
         ]
         user = fab_utils.create_user(
             self.app, username, role_name, permissions=granted)

         # Allowed: the resource that was granted.
         can_read_dags = self.security_manager.has_access(
             permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG, user)
         assert can_read_dags

         # Denied: a resource that was never granted.
         can_read_task_instances = self.security_manager.has_access(
             permissions.ACTION_CAN_READ,
             permissions.RESOURCE_TASK_INSTANCE,
             user,
         )
         assert not can_read_task_instances
Beispiel #8
 def test_all_dag_access_doesnt_give_non_dag_access(self):
     """Read access on ``RESOURCE_DAGS`` must not extend to other resources.

     The role is given read on ``RESOURCE_DAGS`` only.  ``has_access`` must
     then allow read on ``RESOURCE_DAGS`` and deny read on the ``'Task'``
     resource.
     """
     role_name = 'dag_access_role'
     username = '******'
     with self.app.app_context():
         # NOTE(review): the same (read, DAGS) pair is listed twice; confirm
         # whether a second, different permission was intended here.
         granted = [
             (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAGS),
             (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAGS),
         ]
         user = fab_utils.create_user(
             self.app, username, role_name, permissions=granted)

         # Allowed: the resource that was granted.
         can_read_dags = self.security_manager.has_access(
             permissions.ACTION_CAN_READ, permissions.RESOURCE_DAGS, user)
         self.assertTrue(can_read_dags)

         # Denied: a resource that was never granted.
         can_read_tasks = self.security_manager.has_access(
             permissions.ACTION_CAN_READ, 'Task', user)
         self.assertFalse(can_read_tasks)
Beispiel #9
    def test_get_all_permissions_views(self, mock_get_user_roles):
        """The reported permission/view pairs must come only from the roles returned for the user.

        ``mock_get_user_roles`` is injected from outside this snippet
        (presumably by a patch decorator) and controls which roles the
        security manager sees.  With the user's single role returned, the
        result must be exactly that role's ``(permission, view)`` pair; with no
        roles returned, the result must be empty.
        """
        perm_name = 'can_some_action'
        view_name = 'SomeBaseView'
        role_name = 'MyRole5'
        username = '******'

        with self.app.app_context():
            user = fab_utils.create_user(
                self.app,
                username,
                role_name,
                permissions=[(perm_name, view_name)],
            )

            # One role: its single pair is reported.
            mock_get_user_roles.return_value = [user.roles[0]]
            with_role = self.security_manager.get_all_permissions_views()
            self.assertEqual(with_role, {(perm_name, view_name)})

            # No roles: nothing may be reported.
            mock_get_user_roles.return_value = []
            without_role = self.security_manager.get_all_permissions_views()
            self.assertEqual(len(without_role), 0)