class TestCreator(TestCase):
""" TestCreator """
def setUp(self):
super(TestCreator, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("creator", "Creator"), ("admin", "Administrator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
for role, code in (("creator", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.tc.get("/admin").status_code, code)
def test_creator_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["creator"])
all_errors = []
base_models = set([
"Control", "DataAsset", "Contract", "Policy", "Regulation",
"Standard", "Document", "Facility", "Market", "Objective",
"OrgGroup", "Vendor", "Product", "Clause", "System", "Process",
"Issue", "Project", "AccessGroup"
])
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(
model, {
table_singular: {
"title": model_singular,
"context": None,
"reference_url": "ref",
"contact": {
"type": "Person",
"id": self.users["creator"].id,
},
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
# Test GET when not owner
obj_id = response.json.get(table_singular).get("id")
response = self.api.get(model, obj_id)
if response.status_code != 403: # we are not onwers yet
all_errors.append(
"{} can retrieve object if not owner".format(
model_singular))
continue
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if len(collection) != 0:
all_errors.append(
"{} can retrieve object if not owner (collection)".
format(model_singular))
continue
# Become an owner
response = self.api.post(
all_models.ObjectOwner, {
"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
},
"ownable": {
"type": model_singular,
"id": obj_id
},
"context": None
}
})
if response.status_code != 201:
all_errors.append("{} can't create owner {}.".format(
model_singular, response.status))
continue
# Test GET when owner
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if len(collection) == 0:
all_errors.append(
"{} cannot retrieve object even if owner (collection)".
format(model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_creator_search(self):
"""Test if creator can see the correct object while using the search api"""
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {
"title": "Admin regulation",
"context": None
},
})
self.api.set_user(self.users['creator'])
response = self.api.post(all_models.Policy, {
"policy": {
"title": "Creator Policy",
"context": None
},
})
obj_id = response.json.get("policy").get("id")
self.api.post(
all_models.ObjectOwner, {
"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
},
"ownable": {
"type": "Policy",
"id": obj_id,
},
"context": None
}
})
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0]["type"], "Policy")
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(response.json["results"]["counts"].get("Regulation"),
None)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_creator_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['creator'])
creator_count = self._get_count("Person")
self.assertEqual(admin_count, creator_count)
def test_creator_cannot_be_owner(self):
"""Test if creator cannot become owner of the object he has not created"""
self.api.set_user(self.users['admin'])
_, obj = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {
"title": "Test regulation",
"context": None
},
})
self.api.set_user(self.users['creator'])
response = self.api.post(
all_models.ObjectOwner, {
"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
},
"ownable": {
"type": "Regulation",
"id": obj.id,
},
"context": None
}
})
self.assertEqual(response.status_code, 403)
def test_relationships_access(self):
"""Check if creator cannot access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation",
{
"regulation": {
"title": "Test regulation",
"context": None
},
})
_, obj_1 = self.generator.generate(
all_models.Regulation, "regulation", {
"regulation": {
"title": "Test regulation 2",
"context": None
},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {
"source": {
"id": obj_0.id,
"type": "Regulation"
},
"destination": {
"id": obj_1.id,
"type": "Regulation"
},
"context": None
},
})
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['creator'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 0)
def test_revision_access(self):
"""Check if creator can access the right revision objects."""
def gen(title):
return self.generator.generate(all_models.Section, "section", {
"section": {
"title": title,
"context": None
},
})[1]
def check(obj, expected):
"""Check that how many revisions of an object current user can see."""
response = self.api.get_query(
all_models.Revision,
"resource_type={}&resource_id={}".format(obj.type, obj.id))
self.assertEqual(response.status_code, 200)
self.assertEqual(
len(response.json['revisions_collection']['revisions']),
expected)
self.api.set_user(self.users["admin"])
obj_1 = gen("Test Section 1")
obj_2 = gen("Test Section 2")
self.api.post(
all_models.ObjectOwner, {
"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
},
"ownable": {
"type": "Section",
"id": obj_2.id,
},
"context": None
}
})
self.api.set_user(self.users["creator"])
check(obj_1, 0)
check(obj_2, 2)
class TestReader(TestCase):
""" Test reader role """
def setUp(self):
super(TestReader, self).setUp()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("reader", "Reader"),
("admin", "Administrator"),
("creator", "Creator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
self.users["external"] = self.object_generator.generate_person(
data={"email": "*****@*****.**"})[1]
def test_admin_page_access(self):
"""Only admin can use admin requirement"""
for role, code in (("reader", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.client.get("/admin").status_code, code)
def test_reader_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["reader"])
all_errors = []
base_models = set([
"DataAsset", "Contract",
"Policy", "Regulation", "Standard", "Document", "Facility",
"Market", "Objective", "OrgGroup", "Vendor", "Product",
"System", "Process", "Project", "AccessGroup",
"Metric", "TechnologyEnvironment", "ProductGroup", "KeyReport",
"AccountBalance",
])
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response, _ = self.object_generator.generate_object(
model,
data={
table_singular: {
"title": model_singular,
"context": None,
"documents_reference_url": "ref",
"link": "https://example.com", # only for Document
"contact": {
"type": "Person",
"id": self.users["reader"].id,
}
},
}
)
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
obj_id = response.json.get(table_singular).get("id")
# Test GET when owner
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if not collection:
all_errors.append(
"{} cannot retrieve object even if owner (collection)".format(
model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_reader_search(self):
""" Test if reader can see the correct object while using search api """
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {"title": "Admin regulation", "context": None},
})
self.api.set_user(self.users['reader'])
response = self.api.post(all_models.Policy, {
"policy": {"title": "reader Policy", "context": None},
})
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 2)
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(response.json["results"]["counts"]["Regulation"], 1)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_reader_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['reader'])
reader_count = self._get_count("Person")
self.assertEqual(admin_count, reader_count)
def test_relationships_access(self):
"""Check if reader can access relationship objects"""
self.api.set_user(self.users['admin'])
_, first_regulation = self.object_generator.generate_object(
all_models.Regulation,
data={"regulation": {"title": "Test regulation", "context": None}}
)
_, second_regulation = self.object_generator.generate_object(
all_models.Regulation,
data={"regulation": {"title": "Test regulation 2", "context": None}}
)
response, rel = self.object_generator.generate_relationship(
first_regulation, second_regulation
)
self.assertStatus(response, 201)
self.api.set_user(self.users['reader'])
response = self.api.get_collection(all_models.Relationship, rel.id)
self.assert200(response)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 1)
def test_creation_of_mappings(self):
"""Check if reader can't create mappings"""
self.object_generator.api.set_user(self.users["external"])
_, control = self.object_generator.generate_object(
all_models.Control,
data={"control": {"title": "Test Control", "context": None}}
)
self.object_generator.api.set_user(self.users['reader'])
_, program = self.object_generator.generate_object(
all_models.Program,
data={"program": {"title": "Test Program", "context": None}}
)
response, _ = self.object_generator.generate_relationship(
control, program, program.context
)
self.assert403(response)
@ddt.data("creator", "reader")
def test_unmap_people(self, user_role):
"""Test that global reader/creator can't unmap people from program"""
user = self.users[user_role]
with factories.single_commit():
program = factories.ProgramFactory()
mapped_person = factories.ObjectPersonFactory(
personable=program, person=user, context=program.context
)
self.api.set_user(user)
db.session.add(mapped_person)
response = self.api.delete(mapped_person)
self.assert403(response)
def test_read_evidence_revision(self):
"""Global Read can read Evidence revision content"""
user = self.users["reader"]
link = "google.com"
evidence = factories.EvidenceUrlFactory(link=link)
evidence_id = evidence.id
self.api.set_user(user)
resp = self.api.client.get(
"/api/revisions?resource_type={}&resource_id={}".format(evidence.type,
evidence_id))
rev_content = resp.json["revisions_collection"]["revisions"][0]["content"]
self.assertTrue(rev_content)
self.assertEquals(link, rev_content["link"])
class TestCreator(TestCase):
""" TestCreator """
def setUp(self):
super(TestCreator, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("creator", "Creator"), ("admin", "Administrator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
"""Permissions to admin page."""
for role, code in (("creator", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.client.get("/admin").status_code, code)
def test_creator_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["creator"])
creator_id = self.users["creator"].id
audit_id = factories.AuditFactory().id
all_errors = []
base_models = set([
"Control", "DataAsset", "Contract",
"Policy", "Regulation", "Standard", "Document", "Facility",
"Market", "Objective", "OrgGroup", "Vendor", "Product",
"Clause", "System", "Process", "Project", "AccessGroup",
"Metric"
])
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(model, {
table_singular: {
"title": model_singular,
"context": None,
"documents_reference_url": "ref",
"link": "https://example.com", # ignored except for Document
"contact": {
"type": "Person",
"id": creator_id,
},
"audit": { # this is ignored on everything but Issues
"id": audit_id,
"type": "Audit",
}
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
# Test GET when not owner
obj_id = response.json.get(table_singular).get("id")
response = self.api.get(model, obj_id)
if response.status_code != 403: # we are not onwers yet
all_errors.append(
"{} can retrieve object if not owner".format(model_singular))
continue
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if collection:
all_errors.append(
"{} can retrieve object if not owner (collection)"
.format(model_singular))
continue
# Test GET when owner
acr = all_models.AccessControlRole.query.filter_by(
object_type=model_singular,
name="Admin"
).first()
factories.AccessControlListFactory(
object_id=obj_id,
object_type=model_singular,
ac_role=acr,
person_id=creator_id
)
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if not collection:
all_errors.append(
"{} cannot retrieve object even if owner (collection)"
.format(model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_creator_search(self):
"""Test if creator can see the correct object while using the search api"""
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {"title": "Admin regulation", "context": None},
})
self.api.set_user(self.users['creator'])
acr_id = all_models.AccessControlRole.query.filter_by(
object_type="Policy",
name="Admin"
).first().id
response = self.api.post(all_models.Policy, {
"policy": {
"title": "Creator Policy",
"context": None,
"access_control_list": [
acl_helper.get_acl_json(acr_id, self.users["creator"].id)],
},
})
response.json.get("policy").get("id")
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0]["type"], "Policy")
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(
response.json["results"]["counts"].get("Regulation"), None)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_creator_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['creator'])
creator_count = self._get_count("Person")
self.assertEqual(admin_count, creator_count)
def test_relationships_access(self):
"""Check if creator cannot access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation", "context": None},
})
_, obj_1 = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation 2", "context": None},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {"source": {
"id": obj_0.id,
"type": "Regulation"
}, "destination": {
"id": obj_1.id,
"type": "Regulation"
}, "context": None},
}
)
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['creator'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 0)
def test_revision_access(self):
"""Check if creator can access the right revision objects."""
def gen(title, extra_data=None):
"""Generates section."""
section_content = {"title": title, "context": None}
if extra_data:
section_content.update(**extra_data)
return self.generator.generate(all_models.Section, "section", {
"section": section_content
})[1]
def check(obj, expected):
"""Check that how many revisions of an object current user can see."""
response = self.api.get_query(
all_models.Revision,
"resource_type={}&resource_id={}".format(obj.type, obj.id)
)
self.assertEqual(response.status_code, 200)
self.assertEqual(
len(response.json['revisions_collection']['revisions']),
expected
)
self.api.set_user(self.users["admin"])
obj_1 = gen("Test Section 1")
self.api.set_user(self.users["creator"])
acr_id = all_models.AccessControlRole.query.filter_by(
object_type="Section",
name="Admin"
).first().id
linked_acl = {
"access_control_list": [
acl_helper.get_acl_json(acr_id, self.users["creator"].id)],
}
check(obj_1, 0)
obj_2 = gen("Test Section 2", linked_acl)
obj2_acl = obj_2.access_control_list[0]
check(obj_2, 1)
check(obj2_acl, 1)
@ddt.data("creator", "admin")
def test_count_type_in_accordion(self, glob_role):
"""Return count of Persons in DB for side accordion."""
self.api.set_user(self.users[glob_role])
ocordion_api_person_count_link = (
"/search?"
"q=&types=Program%2CWorkflow_All%2C"
"Audit%2CAssessment%2CIssue%2CRegulation%2C"
"Policy%2CStandard%2CContract%2CClause%2CSection%2CControl%2C"
"Objective%2CPerson%2COrgGroup%2CVendor%2CAccessGroup%2CSystem%2C"
"Process%2CDataAsset%2CProduct%2CProject%2CFacility%2C"
"Market%2CRisk%2CThreat&counts_only=true&"
"extra_columns=Workflow_All%3DWorkflow%2C"
"Workflow_Active%3DWorkflow%2CWorkflow_Draft%3D"
"Workflow%2CWorkflow_Inactive%3DWorkflow&contact_id=1&"
"extra_params=Workflow%3Astatus%3DActive%3BWorkflow_Active"
"%3Astatus%3DActive%3BWorkflow_Inactive%3Astatus%3D"
"Inactive%3BWorkflow_Draft%3Astatus%3DDraft"
)
resp = self.api.client.get(ocordion_api_person_count_link)
self.assertIn("Person", resp.json["results"]["counts"])
self.assertEqual(all_models.Person.query.count(),
resp.json["results"]["counts"]["Person"])
@ddt.data(
("/api/revisions?resource_type={}&resource_id={}", 1),
("/api/revisions?source_type={}&source_id={}", 0),
("/api/revisions?destination_type={}&destination_id={}", 1),
)
@ddt.unpack
def test_changelog_access(self, link, revision_count):
"""Test accessing changelog under GC user who is assigned to object"""
with factories.single_commit():
audit = factories.AuditFactory()
asmnt = factories.AssessmentFactory(audit=audit)
asmnt_id = asmnt.id
factories.RelationshipFactory(source=audit, destination=asmnt)
verifier_role = all_models.AccessControlRole.query.filter_by(
object_type="Assessment",
name="Verifiers",
).first()
factories.AccessControlListFactory(
person=self.users["creator"],
ac_role=verifier_role,
object=asmnt,
)
self.api.set_user(self.users["creator"])
response = self.api.client.get(link.format("Assessment", asmnt_id))
self.assert200(response)
self.assertEqual(
len(response.json.get("revisions_collection", {}).get("revisions")),
revision_count
)
@ddt.data(all_models.ControlCategory, all_models.ControlAssertion)
def test_permissions_for_categories(self, category_model):
"""Test get collection for {0}."""
self.api.set_user(self.users["creator"])
resp = self.api.get_collection(category_model, None)
plural_name = category_model._inflector.table_plural
key_name = "{}_collection".format(plural_name)
self.assertIn(key_name, resp.json)
self.assertIn(plural_name, resp.json[key_name])
collection = resp.json[key_name][plural_name]
self.assertTrue(collection, "Collection shouldn't be empty")
class TestCreator(TestCase):
""" TestCreator """
def setUp(self):
super(TestCreator, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("creator", "Creator"), ("admin", "Administrator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
"""Permissions to admin page."""
for role, code in (("creator", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.client.get("/admin").status_code, code)
def test_creator_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["creator"])
creator_id = self.users["creator"].id
audit_id = factories.AuditFactory().id
all_errors = []
base_models = {
"Control", "DataAsset", "Contract", "Policy", "Regulation",
"Standard", "Document", "Facility", "Market", "Objective",
"OrgGroup", "Vendor", "Product", "Clause", "System", "Process",
"Project", "AccessGroup", "Metric", "ProductGroup",
"TechnologyEnvironment"
}
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(model, {
table_singular: {
"title": model_singular,
"context": None,
"documents_reference_url": "ref",
"link": "https://example.com", # ignored except for Document
"contact": {
"type": "Person",
"id": creator_id,
},
"audit": { # this is ignored on everything but Issues
"id": audit_id,
"type": "Audit",
}
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
# Test GET when not owner
obj_id = response.json.get(table_singular).get("id")
response = self.api.get(model, obj_id)
if response.status_code != 403: # we are not onwers yet
all_errors.append(
"{} can retrieve object if not owner".format(
model_singular))
continue
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if collection:
all_errors.append(
"{} can retrieve object if not owner (collection)".
format(model_singular))
continue
# Test GET when owner
acr = all_models.AccessControlRole.query.filter_by(
object_type=model_singular, name="Admin").first()
factories.AccessControlListFactory(object_id=obj_id,
object_type=model_singular,
ac_role=acr,
person_id=creator_id)
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if not collection:
all_errors.append(
"{} cannot retrieve object even if owner (collection)".
format(model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_creator_search(self):
"""Test if creator can see the correct object while using the search api"""
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {
"title": "Admin regulation",
"context": None
},
})
self.api.set_user(self.users['creator'])
acr_id = all_models.AccessControlRole.query.filter_by(
object_type="Policy", name="Admin").first().id
response = self.api.post(
all_models.Policy, {
"policy": {
"title":
"Creator Policy",
"context":
None,
"access_control_list": [
acl_helper.get_acl_json(acr_id,
self.users["creator"].id)
],
},
})
response.json.get("policy").get("id")
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0]["type"], "Policy")
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(response.json["results"]["counts"].get("Regulation"),
None)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_creator_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['creator'])
creator_count = self._get_count("Person")
self.assertEqual(admin_count, creator_count)
def test_relationships_access(self):
"""Check if creator cannot access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation",
{
"regulation": {
"title": "Test regulation",
"context": None
},
})
_, obj_1 = self.generator.generate(
all_models.Regulation, "regulation", {
"regulation": {
"title": "Test regulation 2",
"context": None
},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {
"source": {
"id": obj_0.id,
"type": "Regulation"
},
"destination": {
"id": obj_1.id,
"type": "Regulation"
},
"context": None
},
})
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['creator'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 0)
def test_revision_access(self):
"""Check if creator can access the right revision objects."""
def gen(title, extra_data=None):
"""Generates requirement."""
requirement_content = {"title": title, "context": None}
if extra_data:
requirement_content.update(**extra_data)
return self.generator.generate(
all_models.Requirement, "requirement",
{"requirement": requirement_content})[1]
def check(obj, expected):
"""Check that how many revisions of an object current user can see."""
response = self.api.get_query(
all_models.Revision,
"resource_type={}&resource_id={}".format(obj.type, obj.id))
self.assertEqual(response.status_code, 200)
self.assertEqual(
len(response.json['revisions_collection']['revisions']),
expected)
self.api.set_user(self.users["admin"])
obj_1 = gen("Test Requirement 1")
self.api.set_user(self.users["creator"])
acr_id = all_models.AccessControlRole.query.filter_by(
object_type="Requirement", name="Admin").first().id
linked_acl = {
"access_control_list":
[acl_helper.get_acl_json(acr_id, self.users["creator"].id)],
}
check(obj_1, 0)
obj_2 = gen("Test Requirement 2", linked_acl)
obj2_acl = obj_2.access_control_list[0]
check(obj_2, 1)
check(obj2_acl, 1)
@ddt.data("creator", "admin")
def test_count_type_in_accordion(self, glob_role):
"""Return count of Persons in DB for side accordion."""
self.api.set_user(self.users[glob_role])
ocordion_api_person_count_link = (
"/search?"
"q=&types=Program%2CWorkflow_All%2C"
"Audit%2CAssessment%2CIssue%2CRegulation%2C"
"Policy%2CStandard%2CContract%2CClause%2CRequirement%2CControl%2C"
"Objective%2CPerson%2COrgGroup%2CVendor%2CAccessGroup%2CSystem%2C"
"Process%2CDataAsset%2CProduct%2CProject%2CFacility%2C"
"Market%2CRisk%2CThreat&counts_only=true&"
"extra_columns=Workflow_All%3DWorkflow%2C"
"Workflow_Active%3DWorkflow%2CWorkflow_Draft%3D"
"Workflow%2CWorkflow_Inactive%3DWorkflow&contact_id=1&"
"extra_params=Workflow%3Astatus%3DActive%3BWorkflow_Active"
"%3Astatus%3DActive%3BWorkflow_Inactive%3Astatus%3D"
"Inactive%3BWorkflow_Draft%3Astatus%3DDraft")
resp = self.api.client.get(ocordion_api_person_count_link)
self.assertIn("Person", resp.json["results"]["counts"])
self.assertEqual(all_models.Person.query.count(),
resp.json["results"]["counts"]["Person"])
@ddt.data(
("/api/revisions?resource_type={}&resource_id={}", 1),
("/api/revisions?source_type={}&source_id={}", 0),
("/api/revisions?destination_type={}&destination_id={}", 1),
)
@ddt.unpack
def test_changelog_access(self, link, revision_count):
"""Test accessing changelog under GC user who is assigned to object"""
with factories.single_commit():
audit = factories.AuditFactory()
asmnt = factories.AssessmentFactory(audit=audit)
asmnt_id = asmnt.id
factories.RelationshipFactory(source=audit, destination=asmnt)
verifier_role = all_models.AccessControlRole.query.filter_by(
object_type="Assessment",
name="Verifiers",
).first()
factories.AccessControlListFactory(
person=self.users["creator"],
ac_role=verifier_role,
object=asmnt,
)
self.api.set_user(self.users["creator"])
response = self.api.client.get(link.format("Assessment", asmnt_id))
self.assert200(response)
self.assertEqual(
len(
response.json.get("revisions_collection",
{}).get("revisions")), revision_count)
@ddt.data(all_models.ControlCategory, all_models.ControlAssertion)
def test_permissions_for_categories(self, category_model):
"""Test get collection for {0}."""
self.api.set_user(self.users["creator"])
resp = self.api.get_collection(category_model, None)
plural_name = category_model._inflector.table_plural
key_name = "{}_collection".format(plural_name)
self.assertIn(key_name, resp.json)
self.assertIn(plural_name, resp.json[key_name])
collection = resp.json[key_name][plural_name]
self.assertTrue(collection, "Collection shouldn't be empty")
class TestReader(TestCase):
""" Test reader role """
def setUp(self):
super(TestReader, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("reader", "Reader"), ("admin", "Administrator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
for role, code in (("reader", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.client.get("/admin").status_code, code)
def test_reader_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["reader"])
all_errors = []
base_models = set([
"Control",
"DataAsset",
"Contract",
"Policy",
"Regulation",
"Standard",
"Document",
"Facility",
"Market",
"Objective",
"OrgGroup",
"Vendor",
"Product",
"Clause",
"System",
"Process",
"Project",
"AccessGroup",
])
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(
model, {
table_singular: {
"title": model_singular,
"context": None,
"reference_url": "ref",
"contact": {
"type": "Person",
"id": self.users["reader"].id,
},
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
obj_id = response.json.get(table_singular).get("id")
# Test GET when owner
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if len(collection) == 0:
all_errors.append(
"{} cannot retrieve object even if owner (collection)".
format(model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_reader_search(self):
""" Test if reader can see the correct object while using search api """
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {
"title": "Admin regulation",
"context": None
},
})
self.api.set_user(self.users['reader'])
response = self.api.post(all_models.Policy, {
"policy": {
"title": "reader Policy",
"context": None
},
})
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 2)
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(response.json["results"]["counts"]["Regulation"], 1)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_reader_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['reader'])
reader_count = self._get_count("Person")
self.assertEqual(admin_count, reader_count)
def test_relationships_access(self):
"""Check if reader can access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation",
{
"regulation": {
"title": "Test regulation",
"context": None
},
})
_, obj_1 = self.generator.generate(
all_models.Regulation, "regulation", {
"regulation": {
"title": "Test regulation 2",
"context": None
},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {
"source": {
"id": obj_0.id,
"type": "Regulation"
},
"destination": {
"id": obj_1.id,
"type": "Regulation"
},
"context": None
},
})
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['reader'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 1)
def test_creation_of_mappings(self):
"""Check if reader can't create mappings"""
self.generator.api.set_user(self.users["admin"])
_, control = self.generator.generate(all_models.Control, "control", {
"control": {
"title": "Test Control",
"context": None
},
})
self.generator.api.set_user(self.users['reader'])
_, program = self.generator.generate(all_models.Program, "program", {
"program": {
"title": "Test Program",
"context": None
},
})
response, _ = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {
"destination": {
"id": program.id,
"type": "Program"
},
"source": {
"id": control.id,
"type": "Control"
},
"context": {
"id": program.context.id,
"type": "context"
}
},
})
self.assertEqual(response.status_code, 403)
class TestReader(TestCase):
""" Test reader role """
def setUp(self):
super(TestReader, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("reader", "Reader"), ("admin", "Administrator"),
("creator", "Creator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
"""Only admin can use admin section"""
for role, code in (("reader", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.client.get("/admin").status_code, code)
def test_reader_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["reader"])
all_errors = []
base_models = set([
"Control", "DataAsset", "Contract", "Policy", "Regulation",
"Standard", "Document", "Facility", "Market", "Objective",
"OrgGroup", "Vendor", "Product", "Clause", "System", "Process",
"Project", "AccessGroup", "Metric"
])
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(
model,
{
table_singular: {
"title": model_singular,
"context": None,
"documents_reference_url": "ref",
"link":
"https://example.com", # ignored except for Document
"contact": {
"type": "Person",
"id": self.users["reader"].id,
},
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
obj_id = response.json.get(table_singular).get("id")
# Test GET when owner
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if not collection:
all_errors.append(
"{} cannot retrieve object even if owner (collection)".
format(model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_reader_search(self):
""" Test if reader can see the correct object while using search api """
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {
"title": "Admin regulation",
"context": None
},
})
self.api.set_user(self.users['reader'])
response = self.api.post(all_models.Policy, {
"policy": {
"title": "reader Policy",
"context": None
},
})
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 2)
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(response.json["results"]["counts"]["Regulation"], 1)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_reader_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['reader'])
reader_count = self._get_count("Person")
self.assertEqual(admin_count, reader_count)
def test_relationships_access(self):
"""Check if reader can access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation",
{
"regulation": {
"title": "Test regulation",
"context": None
},
})
_, obj_1 = self.generator.generate(
all_models.Regulation, "regulation", {
"regulation": {
"title": "Test regulation 2",
"context": None
},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {
"source": {
"id": obj_0.id,
"type": "Regulation"
},
"destination": {
"id": obj_1.id,
"type": "Regulation"
},
"context": None
},
})
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['reader'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 1)
def test_creation_of_mappings(self):
"""Check if reader can't create mappings"""
self.generator.api.set_user(self.users["admin"])
_, control = self.generator.generate(all_models.Control, "control", {
"control": {
"title": "Test Control",
"context": None
},
})
self.generator.api.set_user(self.users['reader'])
_, program = self.generator.generate(all_models.Program, "program", {
"program": {
"title": "Test Program",
"context": None
},
})
response, _ = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {
"destination": {
"id": program.id,
"type": "Program"
},
"source": {
"id": control.id,
"type": "Control"
},
"context": {
"id": program.context.id,
"type": "context"
}
},
})
self.assertEqual(response.status_code, 403)
@ddt.data("creator", "reader")
def test_unmap_people(self, user_role):
"""Test that global reader/creator can't unmap people from program"""
user = self.users[user_role]
with factories.single_commit():
program = factories.ProgramFactory()
mapped_person = factories.ObjectPersonFactory(
personable=program, person=user, context=program.context)
self.api.set_user(user)
db.session.add(mapped_person)
response = self.api.delete(mapped_person)
self.assertEqual(response.status_code, 403)
def test_read_evidence_revision(self):
"""Global Read can read Evidence revision content"""
user = self.users["reader"]
link = "google.com"
evidence = factories.EvidenceUrlFactory(link=link)
evidence_id = evidence.id
self.api.set_user(user)
resp = self.api.client.get(
"/api/revisions?resource_type={}&resource_id={}".format(
evidence.type, evidence_id))
rev_content = resp.json["revisions_collection"]["revisions"][0][
"content"]
self.assertTrue(rev_content)
self.assertEquals(link, rev_content["link"])
class TestCreator(TestCase):
""" TestCreator """
def setUp(self):
super(TestCreator, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("creator", "Creator"), ("admin", "Administrator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
for role, code in (("creator", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.client.get("/admin").status_code, code)
def test_creator_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["creator"])
audit_id = factories.AuditFactory().id
all_errors = []
base_models = set([
"Control", "DataAsset", "Contract",
"Policy", "Regulation", "Standard", "Document", "Facility",
"Market", "Objective", "OrgGroup", "Vendor", "Product",
"Clause", "System", "Process", "Project", "AccessGroup"
])
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(model, {
table_singular: {
"title": model_singular,
"context": None,
"reference_url": "ref",
"contact": {
"type": "Person",
"id": self.users["creator"].id,
},
"audit": { # this is ignored on everything but Issues
"id": audit_id,
"type": "Audit",
}
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
# Test GET when not owner
obj_id = response.json.get(table_singular).get("id")
response = self.api.get(model, obj_id)
if response.status_code != 403: # we are not onwers yet
all_errors.append(
"{} can retrieve object if not owner".format(model_singular))
continue
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if len(collection) != 0:
all_errors.append(
"{} can retrieve object if not owner (collection)"
.format(model_singular))
continue
# Become an owner
response = self.api.post(all_models.ObjectOwner, {"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
}, "ownable": {
"type": model_singular,
"id": obj_id
}, "context": None}})
if response.status_code != 201:
all_errors.append("{} can't create owner {}.".format(
model_singular, response.status))
continue
# Test GET when owner
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if len(collection) == 0:
all_errors.append(
"{} cannot retrieve object even if owner (collection)"
.format(model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_creator_search(self):
"""Test if creator can see the correct object while using the search api"""
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {"title": "Admin regulation", "context": None},
})
self.api.set_user(self.users['creator'])
response = self.api.post(all_models.Policy, {
"policy": {"title": "Creator Policy", "context": None},
})
obj_id = response.json.get("policy").get("id")
self.api.post(all_models.ObjectOwner, {"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
}, "ownable": {
"type": "Policy",
"id": obj_id,
}, "context": None}})
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0]["type"], "Policy")
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(
response.json["results"]["counts"].get("Regulation"), None)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_creator_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['creator'])
creator_count = self._get_count("Person")
self.assertEqual(admin_count, creator_count)
def test_creator_cannot_be_owner(self):
"""Test if creator cannot become owner of the object he has not created"""
self.api.set_user(self.users['admin'])
_, obj = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation", "context": None},
})
self.api.set_user(self.users['creator'])
response = self.api.post(all_models.ObjectOwner, {"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
}, "ownable": {
"type": "Regulation",
"id": obj.id,
}, "context": None}})
self.assertEqual(response.status_code, 403)
def test_relationships_access(self):
"""Check if creator cannot access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation", "context": None},
})
_, obj_1 = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation 2", "context": None},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {"source": {
"id": obj_0.id,
"type": "Regulation"
}, "destination": {
"id": obj_1.id,
"type": "Regulation"
}, "context": None},
}
)
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['creator'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 0)
def test_revision_access(self):
"""Check if creator can access the right revision objects."""
def gen(title):
return self.generator.generate(all_models.Section, "section", {
"section": {"title": title, "context": None},
})[1]
def check(obj, expected):
"""Check that how many revisions of an object current user can see."""
response = self.api.get_query(
all_models.Revision,
"resource_type={}&resource_id={}".format(obj.type, obj.id)
)
self.assertEqual(response.status_code, 200)
self.assertEqual(
len(response.json['revisions_collection']['revisions']),
expected
)
self.api.set_user(self.users["admin"])
obj_1 = gen("Test Section 1")
obj_2 = gen("Test Section 2")
self.api.post(all_models.ObjectOwner, {"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
}, "ownable": {
"type": "Section",
"id": obj_2.id,
}, "context": None}})
self.api.set_user(self.users["creator"])
check(obj_1, 0)
check(obj_2, 2)
class TestReviewApi(TestCase):
"""Base TestCase class proposal api tests."""
def setUp(self):
super(TestReviewApi, self).setUp()
self.api = Api()
self.api.client.get("/login")
self.generator = generator.ObjectGenerator()
def test_simple_get(self):
"""Test simple get"""
with factories.single_commit():
control = factories.ControlFactory()
review = factories.ReviewFactory(
email_message="test email message",
notification_type="email",
reviewable=control,
status=all_models.Review.STATES.UNREVIEWED,
)
resp = self.api.get(all_models.Review, review.id)
self.assert200(resp)
self.assertIn("review", resp.json)
resp_review = resp.json["review"]
self.assertEqual(all_models.Review.STATES.UNREVIEWED,
resp_review["status"])
self.assertEqual(all_models.Review.NotificationTypes.EMAIL_TYPE,
resp_review["notification_type"])
self.assertEqual("test email message", resp_review["email_message"])
def test_collection_get(self):
"""Test simple collection get"""
with factories.single_commit():
review1 = factories.ReviewFactory(
status=all_models.Review.STATES.UNREVIEWED)
review2 = factories.ReviewFactory(
status=all_models.Review.STATES.REVIEWED)
resp = self.api.get_collection(all_models.Review,
[review1.id, review2.id])
self.assert200(resp)
self.assertIn("reviews_collection", resp.json)
self.assertIn("reviews", resp.json["reviews_collection"])
self.assertEquals(2, len(resp.json["reviews_collection"]["reviews"]))
def test_create_review(self):
"""Create review via API, check that single relationship is created"""
control = factories.ControlFactory()
control_id = control.id
resp = self.api.post(
all_models.Review,
{
"review": {
"reviewable": {
"type": control.type,
"id": control.id,
},
"context": None,
"notification_type": "email",
"status": all_models.Review.STATES.UNREVIEWED,
"access_control_list": build_reviewer_acl()
},
},
)
self.assertEqual(201, resp.status_code)
review_id = resp.json["review"]["id"]
review = all_models.Review.query.get(review_id)
self.assertEqual(all_models.Review.STATES.UNREVIEWED, review.status)
self.assertEqual(control.type, review.reviewable_type)
self.assertEqual(control_id, review.reviewable_id)
control_review_rel_count = all_models.Relationship.query.filter(
all_models.Relationship.source_id == review.id,
all_models.Relationship.source_type == review.type,
all_models.Relationship.destination_id == control_id,
all_models.Relationship.destination_type == control.type,
).union(
all_models.Relationship.query.filter(
all_models.Relationship.destination_id == review.id,
all_models.Relationship.destination_type == review.type,
all_models.Relationship.source_id == control_id,
all_models.Relationship.source_type == control.type,
)).count()
self.assertEqual(1, control_review_rel_count)
def test_delete_review(self):
"""Test delete review via API"""
with factories.single_commit():
control = factories.ControlFactory()
control_id = control.id
review = factories.ReviewFactory(reviewable=control)
review_id = review.id
resp = self.api.delete(review)
self.assert200(resp)
review = all_models.Review.query.get(review_id)
control = all_models.Control.query.get(control_id)
self.assertIsNone(review)
self.assertEquals(0, len(control.related_objects(_types=["Review"])))
def test_last_reviewed(self):
"""last_reviewed_by, last_reviewed_by should be set if reviewed"""
control = factories.ControlFactory()
resp, review = self.generator.generate_object(
all_models.Review,
{
"reviewable": {
"type": control.type,
"id": control.id,
},
"context": None,
"status": all_models.Review.STATES.UNREVIEWED,
"access_control_list": build_reviewer_acl(),
"notification_type":
all_models.Review.NotificationTypes.EMAIL_TYPE
},
)
review_id = review.id
resp = self.api.put(
review,
{
"status": all_models.Review.STATES.REVIEWED,
},
)
self.assert200(resp)
self.assertIsNotNone(resp.json["review"]["last_reviewed_by"])
self.assertIsNotNone(resp.json["review"]["last_reviewed_at"])
review = all_models.Review.query.get(review_id)
self.assertIsNotNone(review.last_reviewed_by)
self.assertIsNotNone(review.last_reviewed_at)
def test_reviewable_revisions(self):
"""Check that proper revisions are created"""
control = factories.ControlFactory()
resp, review = self.generator.generate_object(
all_models.Review,
{
"reviewable": {
"type": control.type,
"id": control.id,
},
"context": None,
"status": all_models.Review.STATES.UNREVIEWED,
"access_control_list": build_reviewer_acl(),
"notification_type":
all_models.Review.NotificationTypes.EMAIL_TYPE
},
)
control_id = control.id
reviewable = review.reviewable
control_revisions = all_models.Revision.query.filter_by(
resource_id=control_id, resource_type=control.type).order_by(
all_models.Revision.created_at, ).all()
self.assertEquals(2, len(control_revisions))
self.assertEquals(all_models.Review.STATES.UNREVIEWED,
control_revisions[0].content["review_status"])
self.assertEquals(all_models.Review.STATES.UNREVIEWED,
control_revisions[1].content["review_status"])
resp = self.api.put(
review,
{
"status": all_models.Review.STATES.REVIEWED,
},
)
self.assert200(resp)
control_revisions = all_models.Revision.query.filter_by(
resource_id=control_id, resource_type=control.type).order_by(
all_models.Revision.created_at, ).all()
self.assertEquals(3, len(control_revisions))
self.assertEquals(all_models.Review.STATES.REVIEWED,
control_revisions[2].content["review_status"])
resp = self.api.put(reviewable,
{"description": "some new description"})
self.assert200(resp)
control_revisions = all_models.Revision.query.filter_by(
resource_id=control_id, resource_type=control.type).order_by(
all_models.Revision.created_at, ).all()
self.assertEquals(4, len(control_revisions))
self.assertEquals(all_models.Review.STATES.UNREVIEWED,
control_revisions[3].content["review_status"])
class TestReviewApi(TestCase):
"""Base TestCase class proposal api tests."""
def setUp(self):
super(TestReviewApi, self).setUp()
self.api = Api()
self.api.client.get("/login")
self.generator = generator.ObjectGenerator()
def test_simple_get(self):
"""Test simple get"""
with factories.single_commit():
risk = factories.RiskFactory()
review = factories.ReviewFactory(
email_message="test email message",
notification_type="email",
reviewable=risk,
status=all_models.Review.STATES.UNREVIEWED,
)
resp = self.api.get(all_models.Review, review.id)
self.assert200(resp)
self.assertIn("review", resp.json)
resp_review = resp.json["review"]
self.assertEqual(all_models.Review.STATES.UNREVIEWED,
resp_review["status"])
self.assertEqual(all_models.Review.NotificationTypes.EMAIL_TYPE,
resp_review["notification_type"])
self.assertEqual("test email message",
resp_review["email_message"])
def test_collection_get(self):
"""Test simple collection get"""
with factories.single_commit():
review1 = factories.ReviewFactory(
status=all_models.Review.STATES.UNREVIEWED
)
review2 = factories.ReviewFactory(
status=all_models.Review.STATES.REVIEWED
)
resp = self.api.get_collection(all_models.Review,
[review1.id, review2.id])
self.assert200(resp)
self.assertIn("reviews_collection", resp.json)
self.assertIn("reviews", resp.json["reviews_collection"])
self.assertEquals(2, len(resp.json["reviews_collection"]["reviews"]))
def test_create_review(self):
"""Create review via API, check that single relationship is created"""
program = factories.ProgramFactory()
program_id = program.id
resp = self.api.post(
all_models.Review,
{
"review": {
"reviewable": {
"type": program.type,
"id": program.id,
},
"context": None,
"notification_type": "email",
"status": all_models.Review.STATES.UNREVIEWED,
"access_control_list": build_reviewer_acl()
},
},
)
self.assertEqual(201, resp.status_code)
review_id = resp.json["review"]["id"]
review = all_models.Review.query.get(review_id)
self.assertEqual(all_models.Review.STATES.UNREVIEWED, review.status)
self.assertEqual(program.type, review.reviewable_type)
self.assertEqual(program_id, review.reviewable_id)
control_review_rel_count = all_models.Relationship.query.filter(
all_models.Relationship.source_id == review.id,
all_models.Relationship.source_type == review.type,
all_models.Relationship.destination_id == program_id,
all_models.Relationship.destination_type == program.type,
).union(
all_models.Relationship.query.filter(
all_models.Relationship.destination_id == review.id,
all_models.Relationship.destination_type == review.type,
all_models.Relationship.source_id == program_id,
all_models.Relationship.source_type == program.type,
)
).count()
self.assertEqual(1, control_review_rel_count)
def test_delete_review(self):
"""Test delete review via API"""
with factories.single_commit():
risk = factories.RiskFactory()
risk_id = risk.id
review = factories.ReviewFactory(reviewable=risk)
review_id = review.id
resp = self.api.delete(review)
self.assert200(resp)
review = all_models.Review.query.get(review_id)
risk = all_models.Risk.query.get(risk_id)
self.assertIsNone(review)
self.assertEquals(0, len(risk.related_objects(_types=["Review"])))
def test_last_reviewed(self):
"""last_reviewed_by, last_reviewed_by should be set if reviewed"""
risk = factories.RiskFactory()
resp, review = self.generator.generate_object(
all_models.Review,
{
"reviewable": {
"type": risk.type,
"id": risk.id,
},
"context": None,
"status": all_models.Review.STATES.UNREVIEWED,
"access_control_list": build_reviewer_acl(),
"notification_type": all_models.Review.NotificationTypes.EMAIL_TYPE
},
)
review_id = review.id
resp = self.api.put(
review,
{
"status": all_models.Review.STATES.REVIEWED,
},
)
self.assert200(resp)
self.assertIsNotNone(resp.json["review"]["last_reviewed_by"])
self.assertIsNotNone(resp.json["review"]["last_reviewed_at"])
review = all_models.Review.query.get(review_id)
self.assertIsNotNone(review.last_reviewed_by)
self.assertIsNotNone(review.last_reviewed_at)
def test_reviewable_revisions(self):
"""Check that proper revisions are created"""
program = factories.ProgramFactory()
resp, review = self.generator.generate_object(
all_models.Review,
{
"reviewable": {
"type": program.type,
"id": program.id,
},
"context": None,
"status": all_models.Review.STATES.UNREVIEWED,
"access_control_list": build_reviewer_acl(),
"notification_type": all_models.Review.NotificationTypes.EMAIL_TYPE
},
)
program_id = program.id
reviewable = review.reviewable
program_revisions = all_models.Revision.query.filter_by(
resource_id=program_id,
resource_type=program.type
).order_by(
all_models.Revision.id,
).all()
self.assertEquals(2, len(program_revisions))
self.assertEquals(all_models.Review.STATES.UNREVIEWED,
program_revisions[0].content["review_status"])
self.assertEquals(all_models.Review.STATES.UNREVIEWED,
program_revisions[1].content["review_status"])
resp = self.api.put(
review,
{
"status": all_models.Review.STATES.REVIEWED,
},
)
self.assert200(resp)
program_revisions = all_models.Revision.query.filter_by(
resource_id=program_id,
resource_type=program.type
).order_by(
all_models.Revision.id,
).all()
self.assertEquals(3, len(program_revisions))
self.assertEquals(all_models.Review.STATES.REVIEWED,
program_revisions[2].content["review_status"])
resp = self.api.put(
reviewable,
{
"description": "some new description"
}
)
self.assert200(resp)
program_revisions = all_models.Revision.query.filter_by(
resource_id=program_id,
resource_type=program.type
).order_by(
all_models.Revision.id,
).all()
self.assertEquals(4, len(program_revisions))
self.assertEquals(all_models.Review.STATES.UNREVIEWED,
program_revisions[3].content["review_status"])
class TestReader(TestCase):
""" Test reader role """
def setUp(self):
super(TestReader, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("reader", "Reader"), ("admin", "Administrator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
return
for role, code in (("reader", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.client.get("/admin").status_code, code)
def test_reader_can_crud(self):
return
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["reader"])
all_errors = []
base_models = set([
"Control", "Assessment", "DataAsset", "Contract",
"Policy", "Regulation", "Standard", "Document", "Facility",
"Market", "Objective", "OrgGroup", "Vendor", "Product",
"Clause", "System", "Process", "Issue", "Project", "AccessGroup",
])
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(model, {
table_singular: {
"title": model_singular,
"context": None,
"reference_url": "ref",
"contact": {
"type": "Person",
"id": self.users["reader"].id,
},
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
obj_id = response.json.get(table_singular).get("id")
# Test GET when owner
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if len(collection) == 0:
all_errors.append(
"{} cannot retrieve object even if owner (collection)".format(
model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_reader_search(self):
return
""" Test if reader can see the correct object while using search api """
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {"title": "Admin regulation", "context": None},
})
self.api.set_user(self.users['reader'])
response = self.api.post(all_models.Policy, {
"policy": {"title": "reader Policy", "context": None},
})
obj_id = response.json.get("policy").get("id")
self.api.post(all_models.ObjectOwner, {"object_owner": {
"person": {
"id": self.users['reader'].id,
"type": "Person",
}, "ownable": {
"type": "Policy",
"id": obj_id,
}, "context": None}})
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 2)
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(response.json["results"]["counts"]["Regulation"], 1)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_reader_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['reader'])
reader_count = self._get_count("Person")
self.assertEqual(admin_count, reader_count)
def test_relationships_access(self):
"""Check if reader can access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation", "context": None},
})
_, obj_1 = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation 2", "context": None},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {"source": {
"id": obj_0.id,
"type": "Regulation"
}, "destination": {
"id": obj_1.id,
"type": "Regulation"
}, "context": None},
}
)
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['reader'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 1)
def test_creation_of_mappings(self):
self.generator.api.set_user(self.users["admin"])
_, control = self.generator.generate(all_models.Control, "control", {
"control": {"title": "Test Control", "context": None},
})
self.generator.api.set_user(self.users['reader'])
_, program = self.generator.generate(all_models.Program, "program", {
"program": {"title": "Test Program", "context": None},
})
response, _ = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {"destination": {
"id": program.id,
"type": "Program"
}, "source": {
"id": control.id,
"type": "Control"
}, "context": {
"id": program.context.id,
"type": "context"
}},
})
self.assertEqual(response.status_code, 403)
class TestCreatorProgram(TestCase):
"""Set up necessary objects and test Creator role with Program roles"""
def setUp(self):
TestCase.setUp(self)
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
self.init_roles()
self.init_test_cases()
self.objects = {}
def init_test_cases(self):
""" Create a dict of all possible test cases """
self.test_cases = {
"notmapped": {
"objects": {
"program": {
"get": 403,
"put": 403,
"delete": 403
},
"mapped_object": {
"get": 403,
"put": 403,
"delete": 403
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
},
},
"mapped": {
"objects": {
"program": {
"get": 403,
"put": 403,
"delete": 403
},
"mapped_object": {
"get": 403,
"put": 403,
"delete": 403
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
"ProgramReader": {
"program_role": "ProgramReader",
"objects": {
"program": {
"get": 200,
"put": 403,
"delete": 403
},
"mapped_object": {
"get": 200,
"put": 403,
"delete": 403
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
"ProgramOwner": {
"program_role": "ProgramOwner",
"objects": {
"program": {
"get": 200,
"put": 200,
"delete": 200
},
"mapped_object": {
"get": 200,
"put": 200,
"delete": 200,
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
"ProgramEditor": {
"program_role": "ProgramEditor",
"objects": {
"program": {
"get": 200,
"put": 200,
"delete": 200
},
"mapped_object": {
"get": 200,
"put": 200,
"delete": 200
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
}
def init_roles(self):
""" Create a delete request for the given object """
response = self.api.get_query(all_models.Role, "")
self.roles = {}
for role in response.json.get("roles_collection").get("roles"):
self.roles[role.get("name")] = role
def init_users(self):
""" Create users used by test cases """
users = [("creator", "Creator"), ("notmapped", "Creator"),
("mapped", "Creator"), ("ProgramReader", "Creator"),
("ProgramEditor", "Creator"), ("ProgramOwner", "Creator")]
self.people = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.people[name] = user
def delete(self, obj):
""" Create a delete request for the given object """
return self.api.delete(obj).status_code
def get(self, obj):
""" Create a get request for the given object """
return self.api.get(obj.__class__, obj.id).status_code
def put(self, obj):
""" Create a put request for the given object """
response = self.api.get(obj.__class__, obj.id)
if response.status_code == 200:
return self.api.put(obj, response.json).status_code
else:
return response.status_code
def map(self, dest):
""" Map src to dest """
response = self.api.post(
all_models.Relationship, {
"relationship": {
"source": {
"id": self.objects["program"].id,
"type": self.objects["program"].type,
},
"destination": {
"id": dest.id,
"type": dest.type
},
"context": None
},
})
return response.status_code
def init_objects(self, test_case_name):
""" Create a Program and a Mapped object for a given test case """
# Create a program
test_case = self.test_cases[test_case_name]
creator = self.people.get('creator')
self.api.set_user(creator)
random_title = factories.random_str()
response = self.api.post(all_models.Program, {
"program": {
"title": random_title,
"context": None
},
})
self.assertEqual(response.status_code, 201)
context_id = response.json.get("program").get("context").get("id")
program_id = response.json.get("program").get("id")
self.objects["program"] = all_models.Program.query.get(program_id)
# Create an object:
for obj in ("mapped_object", "unrelated"):
random_title = factories.random_str()
response = self.api.post(all_models.System, {
"system": {
"title": random_title,
"context": None
},
})
self.assertEqual(response.status_code, 201)
system_id = response.json.get("system").get("id")
self.objects[obj] = all_models.System.query.get(system_id)
# Become the owner
response = self.api.post(
all_models.ObjectOwner, {
"object_owner": {
"person": {
"id": creator.id,
"type": "Person",
},
"ownable": {
"id": system_id,
"type": "System"
},
"context": None
}
})
# Map Object to Program
response = self.api.post(
all_models.Relationship, {
"relationship": {
"source": {
"id": program_id,
"type": "Program"
},
"destination": {
"id": self.objects["mapped_object"].id,
"type": "System"
},
"context": None
},
})
self.assertEqual(response.status_code, 201)
# Map people to Program:
if test_case_name != "notmapped":
person = self.people.get(test_case_name)
response = self.api.post(
all_models.ObjectPerson, {
"object_person": {
"person": {
"id": person.id,
"type": "Person",
"href": "/api/people/{}".format(person.id),
},
"personable": {
"type": "Program",
"href": "/api/programs/{}".format(program_id),
"id": program_id,
},
"context": {
"type": "Context",
"id": context_id,
"href": "/api/contexts/{}".format(context_id)
}
}
})
# Add roles to mapped users:
if "program_role" in test_case:
person = self.people.get(test_case_name)
role = self.roles[test_case["program_role"]]
response = self.api.post(
all_models.UserRole, {
"user_role": {
"person": {
"id": person.id,
"type": "Person",
"href": "/api/people/{}".format(person.id),
},
"role": {
"type": "Role",
"href": "/api/roles/{}".format(role["id"]),
"id": role["id"],
},
"context": {
"type": "Context",
"id": context_id,
"href": "/api/contexts/{}".format(context_id)
}
}
})
self.assertEqual(response.status_code, 201)
def test_creator_program_roles(self):
""" Test creator role with all program scoped roles """
# Check permissions based on test_cases:
errors = []
for test_case in self.test_cases:
self.init_objects(test_case)
person = self.people.get(test_case)
objects = self.test_cases.get(test_case).get('objects')
self.api.set_user(person)
for obj in ("unrelated", "mapped_object", "program"):
actions = objects[obj]
for action in ("map", "get", "put", "delete"):
# reset sesion:
db.session.commit()
if action not in actions:
continue
func = getattr(self, action)
res = func(self.objects[obj])
if res != actions[action]:
errors.append(
"{}: Tried {} on {}, but received {} instead of {}"
.format(test_case, action, obj, res,
actions[action]))
# Try mapping
self.assertEqual(errors, [])
def test_creator_audit_request_creation(self):
self.init_objects("ProgramOwner")
program = self.objects.get("program")
creator = self.people.get("creator")
# Create an audit
response = self.api.post(
all_models.Audit, {
"audit": {
"title": "Audit for program",
"status": "Planned",
"context": {
"id": program.context_id,
"type": "Context"
},
"program": {
"context_id": program.context_id,
"id": program.id,
"type": "Program",
},
"contact": {
"id": creator.id,
"type": "Person"
}
},
})
self.assertEqual(response.status_code, 201)
audit_id = response.json.get("audit").get("id")
audit_context_id = response.json.get("audit").get("context").get("id")
# Create a request
response = self.api.post(
all_models.Request, {
"request": {
"title": "Request for audit",
"status": "In Progress",
"context": {
"id": audit_context_id,
"type": "Context"
},
"audit": {
"id": audit_id,
"type": "Audit",
},
"end_date": "2015-12-08",
"start_date": "2015-12-01",
"request_type": "documentation"
},
})
self.assertEqual(response.status_code, 201)
request_id = response.json.get("request").get("id")
# Create assignee/requester relationships
assignee = self.people.get("notmapped")
response = self.api.post(
all_models.Relationship, {
"relationship": {
"attrs": {
"AssigneeType": "Assignee"
},
"context": {
"id": audit_context_id,
"type": "Context",
},
"destination": {
"id": request_id,
"type": "Request",
},
"source": {
"id": assignee.id,
"type": "Person"
}
},
})
self.assertEqual(response.status_code, 201)
relationship_id = response.json.get("relationship").get("id")
response = self.api.get_collection(all_models.Relationship,
relationship_id)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 2)
