Ejemplo n.º 1
    def test_fetch_permissions(self, monkeypatch):
        """Fetch permissions and check that the response is parsed."""
        rbac = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac, monkeypatch)

        fetched = rbac.fetch_permissions(0)
        # Both permissions are expected to come out of the prepared response.
        for expected in (RBAC_PERM_VULN_RES, RBAC_PERM_OPT_WRITE):
            assert expected in fetched
Ejemplo n.º 2
    def test_fetch_rbac_not_disabled(self, monkeypatch):
        """Fetching must raise when no RBAC URL is set and RBAC stays enabled."""
        rbac = RbacManager()
        # RBAC enforcement stays on, but there is no service URL to query.
        monkeypatch.setattr(manager.rbac_manager.CFG, "disable_rbac", False)
        monkeypatch.setattr(rbac, "rbac_url", None)

        # Expected to fail closed: an exception instead of a permission list.
        with pytest.raises(RbacException):
            rbac.fetch_permissions(0)
Ejemplo n.º 3
    def test_need_permission_has_multiple(self, monkeypatch):
        """Check need_permissions with the AND operator inside a set."""
        rbac = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac, monkeypatch)

        @rbac.need_permissions(RBAC_REQUIRED_PERMS)
        def test_fun():
            return True

        # The user holds one complete permission set out of the required
        # sets, so the decorated function is expected to run.
        assert test_fun() is True
Ejemplo n.º 4
    def test_need_permissions_has_single(self, monkeypatch):
        """Check need_permissions with the OR operator across sets."""
        rbac = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac, monkeypatch)

        @rbac.need_permissions(RBAC_REQUIRED_PERMS)
        def test_fun():
            return True

        # One of the requested permission sets is satisfied by the user, so
        # the decorated function is expected to run.
        assert test_fun() is True
Ejemplo n.º 5
    def test_fetch_rbac_unavailable(self, monkeypatch):
        """Fetching must raise RbacException when the RBAC request fails."""
        rbac = RbacManager()

        def _failing_get(*_args, **_kwargs):
            # Stand-in for requests.get that simulates an unreachable service.
            raise requests.exceptions.RequestException

        monkeypatch.setattr(requests, "get", _failing_get)
        monkeypatch.setattr(manager.rbac_manager.CFG, "disable_rbac", False)

        # A transport error is expected to surface as RbacException rather
        # than as an empty or default permission list.
        # NOTE(review): rbac_url is not patched here; if it is unset in the
        # test environment this may pass without ever reaching the mocked
        # requests.get - confirm against the manager's configuration.
        with pytest.raises(RbacException):
            rbac.fetch_permissions(0)
Ejemplo n.º 6
    def test_filter_parameters_excluded_filtered(self, monkeypatch):
        """Check that "excluded" is overridden when the user lacks permission."""
        rbac = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac, monkeypatch)

        @rbac.filter_parameters([filter_excluded])
        def test_handler(*_, **kwargs):
            return kwargs

        # Without opt_out:read the user cannot be shown excluded systems, so
        # the handler is expected to receive excluded == [False].
        received = test_handler()
        assert received["excluded"] == [False]
Ejemplo n.º 7
    def test_need_permissions_any(self, monkeypatch):
        """Check need_permissions for a user holding the ANY permission."""
        rbac = RbacManager()
        self._prepare_user_permissions(
            RBAC_RESPONSE_ANY, rbac, monkeypatch)

        @rbac.need_permissions(RBAC_REQUIRED_PERMS)
        def test_fun():
            return True

        # The user has vulnerability:*:*, so the decorated function is
        # expected to run.
        assert test_fun() is True
Ejemplo n.º 8
    def test_filter_parameters_excluded_unfiltered(self, monkeypatch):
        """Check that "excluded" is left alone when the user has permission."""
        rbac = RbacManager()
        self._prepare_user_permissions(
            RBAC_RESPONSE_READ, rbac, monkeypatch)

        @rbac.filter_parameters([filter_excluded])
        def test_handler(*_, **kwargs):
            return kwargs

        requested = [True, False]
        received = test_handler(excluded=requested)
        # The user does have opt_out:read, so the caller's value must reach
        # the handler unchanged.
        assert received["excluded"] == [True, False]
Ejemplo n.º 9
    def test_filter_value_perms_ignore(self, monkeypatch):
        """Check filter-value permissions when the value is not a guarded one."""
        rbac = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac, monkeypatch)

        @rbac.need_permissions_filter_value(RBAC_FILTER_VALUE_PERMS)
        def test_filter(*_, **__):
            return True

        # test_field carries a value other than the guarded one, so the
        # permission check is expected to be skipped and the function run.
        outcome = test_filter(test_field=False)
        assert outcome is True
Ejemplo n.º 10
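    def test_filter_value_perms_hasnot_multiple(self, monkeypatch):
        """Check that a guarded filter value without permissions yields 403.

        Also checks that the wrapped function is never invoked on denial.
        """
        rbac_mng = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac_mng, monkeypatch)
        calls = []

        @rbac_mng.need_permissions_filter_value(RBAC_FILTER_VALUE_PERMS)
        def test_filter(*_, **__):
            calls.append(True)
            return True

        # run the filter function with given filter value
        res = test_filter(test_field4="+test")

        # test_field4 has value +test, but the user does not have any of the
        # given permission sets, so the decorator must answer 403 ...
        assert res[1] == 403  # pylint:disable=unsubscriptable-object
        # ... and must do so without running the protected function; checking
        # only the status would miss a handler that ran before being denied.
        assert not calls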
Ejemplo n.º 11
    def test_filter_value_perms_has_multiple(self, monkeypatch):
        """Check that a guarded filter value passes with a matching set."""
        rbac = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac, monkeypatch)

        @rbac.need_permissions_filter_value(RBAC_FILTER_VALUE_PERMS)
        def test_filter(*_, **__):
            return True

        # test_field2 has the value -sort and the user holds one of the
        # permission sets tied to it, so the function is expected to run.
        outcome = test_filter(test_field2="-sort")
        assert outcome is True
Ejemplo n.º 12
    def test_fetch_rbac_disabled(self, monkeypatch):
        """Check the fixed permission list returned when RBAC is disabled."""
        rbac = RbacManager()
        monkeypatch.setattr(manager.rbac_manager.CFG, "disable_rbac", True)
        monkeypatch.setattr(rbac, "rbac_url", None)

        granted = rbac.fetch_permissions(0)

        # With no URL and RBAC disabled the manager is expected to hand out
        # vulnerability:*:* plus read access to inventory hosts. The flag
        # therefore grants wildcard vulnerability permissions to every caller
        # and should be treated as an authorization-off switch.
        expected = [
            RbacPermission(
                RbacApp.VULNERABILITY, RbacResource.ANY, RbacAction.ANY),
            RbacPermission(
                RbacApp.INVENTORY, RbacResource.HOSTS, RbacAction.READ),
        ]
        assert granted == expected
Ejemplo n.º 13
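    def test_need_permissions_hasnot_multiple(self, monkeypatch):
        """Check that need_permissions (AND) denies with 403 on no match.

        None of the three required sets is fully held by the prepared user.
        Also checks that the wrapped function is never invoked on denial.
        """
        rbac_mng = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac_mng, monkeypatch)
        calls = []

        @rbac_mng.need_permissions([[RBAC_PERM_ADV_REPORT],
                                    [RBAC_PERM_BR_STATUS, RBAC_PERM_OPT_WRITE],
                                    [RBAC_PERM_VULN_RES,
                                     RBAC_PERM_ADV_REPORT]])
        def test_fun():
            calls.append(True)
            return True

        # user has none of requested permission sets, return 403
        res = test_fun()
        assert res[1] == 403  # pylint:disable=unsubscriptable-object
        # A partial match (one permission out of a set) must not be enough to
        # run the protected function; the status alone would not show that.
        assert not calls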
Ejemplo n.º 14
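    def test_need_permissions_hasnot_single(self, monkeypatch):
        """Check that need_permissions (OR) denies with 403 on no match.

        The single required set holds one permission the prepared user lacks.
        Also checks that the wrapped function is never invoked on denial.
        """
        rbac_mng = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac_mng, monkeypatch)
        calls = []

        @rbac_mng.need_permissions([[
            RbacPermission(RbacApp.VULNERABILITY,
                           RbacResource.CVE_BUSINESS_RISK_AND_STATUS,
                           RbacAction.READ)
        ]])
        def test_fun():
            calls.append(True)
            return True

        # user has none of requested permission sets, return 403
        res = test_fun()
        assert res[1] == 403  # pylint:disable=unsubscriptable-object
        # The denial must happen before the protected function runs; the
        # status alone would not reveal a handler executed prior to the 403.
        assert not calls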
Ejemplo n.º 15
    def test_filter_parameters_change(self, monkeypatch):
        """Check that filters inject overrides when permissions are missing."""
        rbac = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac, monkeypatch)

        def test_rbac_filter1(perms):
            # Override "test1" only when the BR status permission is absent.
            return {"test1": True} if RBAC_PERM_BR_STATUS not in perms else None

        def test_rbac_filter2(perms):
            # Override "test2" only when the opt-out read permission is absent.
            return {"test2": True} if RBAC_PERM_OPT_READ not in perms else None

        @rbac.filter_parameters([test_rbac_filter1, test_rbac_filter2])
        def test_handler(*_, **kwargs):
            return kwargs

        received = test_handler()
        # The user has neither the BR status nor the opt_out read permission,
        # so both overrides must show up in the handler's arguments.
        for key in ("test1", "test2"):
            assert received[key] is True
Ejemplo n.º 16
    def test_filter_parameters_no_change(self, monkeypatch):
        """Check that filters leave arguments alone when permissions are held."""
        rbac = RbacManager()
        self._prepare_user_permissions(RBAC_RESPONSE, rbac, monkeypatch)

        def test_rbac_filter1(perms):
            # Override "test1" only when RBAC_PERM_VULN_RES is absent.
            return {"test1": True} if RBAC_PERM_VULN_RES not in perms else None

        def test_rbac_filter2(perms):
            # Override "test2" only when RBAC_PERM_OPT_WRITE is absent.
            return {"test2": True} if RBAC_PERM_OPT_WRITE not in perms else None

        @rbac.filter_parameters([test_rbac_filter1, test_rbac_filter2])
        def test_handler(*_, **kwargs):
            return kwargs

        # The user holds both RBAC_PERM_VULN_RES and RBAC_PERM_OPT_WRITE, so
        # neither filter may rewrite the caller's arguments.
        received = test_handler(test1=False, test2=False)
        for key in ("test1", "test2"):
            assert received[key] is False