Ejemplo n.º 1
0
    def test_get_valid_permission_for_resource_type(self):
        valid_action_permissions = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=ResourceType.ACTION)

        for name in valid_action_permissions:
            self.assertTrue(name.startswith(ResourceType.ACTION + '_'))

        valid_rule_permissions = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=ResourceType.RULE)

        for name in valid_rule_permissions:
            self.assertTrue(name.startswith(ResourceType.RULE + '_'))
Ejemplo n.º 2
0
    def test_get_valid_permission_for_resource_type(self):
        valid_action_permissions = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=ResourceType.ACTION
        )

        for name in valid_action_permissions:
            self.assertTrue(name.startswith(ResourceType.ACTION + "_"))

        valid_rule_permissions = PermissionType.get_valid_permissions_for_resource_type(resource_type=ResourceType.RULE)

        for name in valid_rule_permissions:
            self.assertTrue(name.startswith(ResourceType.RULE + "_"))
def main():
    lines = []
    lines.append(HEADER)
    lines.append("")

    for resource_type in RESOURCE_DISPLAY_ORDER:
        resource_title = resource_type.replace("_", " ").title()  # pylint: disable=no-member
        lines.append("%s" % (resource_title))
        lines.append("~" * len(resource_title))
        lines.append("")

        permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type=resource_type)

        rows = []
        rows.append(TABLE_HEADER)

        for permission_type in permission_types:
            description = PermissionType.get_permission_description(permission_type)
            rows.append(["**%s**" % (permission_type), description])

        table = as_rest_table(rows, full=True)
        lines.extend(table.split("\n"))
        lines.append("")

    result = "\n".join(lines)
    with open(DESTINATION_PATH, "w") as fp:
        fp.write(result)

    print("Generated: %s" % (DESTINATION_PATH))
    return result
def main():
    lines = []
    lines.append(HEADER)
    lines.append('')

    for resource_type in RESOURCE_DISPLAY_ORDER:
        resource_title = resource_type.replace('_', ' ').title()  # pylint: disable=no-member
        lines.append('%s' % (resource_title))
        lines.append('~' * len(resource_title))
        lines.append('')

        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)

        rows = []
        rows.append(TABLE_HEADER)

        for permission_type in permission_types:
            description = PermissionType.get_permission_description(permission_type)
            rows.append([permission_type, description])

        table = as_rest_table(rows, full=True)
        lines.extend(table.split('\n'))
        lines.append('')

    result = '\n'.join(lines)
    with open(DESTINATION_PATH, 'w') as fp:
        fp.write(result)

    print('Generated: %s' % (DESTINATION_PATH))
    return result
Ejemplo n.º 5
0
    def validate(self):
        # Parent JSON schema validation
        cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, 'permission_grants', [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get('resource_uid', None)
            permission_types = permission_grant.get('permission_types', [])

            if resource_uid:
                # Permission types which apply to a resource
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                    resource_type=resource_type)

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = ('Invalid permission type "%s" for resource type "%s"' %
                                   (permission_type, resource_type))
                        raise ValueError(message)
            else:
                # Right now we only support single permission type (list) which is global and
                # doesn't apply to a resource
                for permission_type in permission_types:
                    if not permission_type.endswith('_list'):
                        message = ('Invalid permission type "%s". Only "list" permission types '
                                   'can be used without a resource id' % (permission_type))
                        raise ValueError(message)

            return cleaned
Ejemplo n.º 6
0
    def validate(self):
        # Parent JSON schema validation
        super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, 'permission_grants', [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get('resource_uid', None)
            permission_types = permission_grant.get('permission_types', [])

            if resource_uid:
                # Permission types which apply to a resource
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                    resource_type=resource_type)

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = (
                            'Invalid permission type "%s" for resource type "%s"'
                            % (permission_type, resource_type))
                        raise ValueError(message)
            else:
                # Right now we only support single permission type (list) which is global and
                # doesn't apply to a resource
                for permission_type in permission_types:
                    if not permission_type.endswith('_list'):
                        message = (
                            'Invalid permission type "%s". Only "list" permission types '
                            'can be used without a resource id' %
                            (permission_type))
                        raise ValueError(message)
Ejemplo n.º 7
0
def main():
    lines = []
    lines.append(HEADER)
    lines.append('')

    for resource_type in RESOURCE_DISPLAY_ORDER:
        resource_title = resource_type.replace('_', ' ').title()  # pylint: disable=no-member
        lines.append('%s' % (resource_title))
        lines.append('~' * len(resource_title))
        lines.append('')

        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)

        rows = []
        rows.append(TABLE_HEADER)

        for permission_type in permission_types:
            description = PermissionType.get_permission_description(
                permission_type)
            rows.append(['**%s**' % (permission_type), description])

        table = as_rest_table(rows, full=True)
        lines.extend(table.split('\n'))
        lines.append('')

    result = '\n'.join(lines)
    with open(DESTINATION_PATH, 'w') as fp:
        fp.write(result)

    print('Generated: %s' % (DESTINATION_PATH))
    return result
Ejemplo n.º 8
0
    def test_user_has_resource_db_permission(self):
        resolver = WebhookPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.WEBHOOK)

        # Admin user, should always return true
        resource_db = self.resources['webhook_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "webhook_send" grant on webhook_1
        user_db = self.users['custom_role_webhook_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.WEBHOOK_SEND)

        permission_types = [
            PermissionType.WEBHOOK_CREATE,
            PermissionType.WEBHOOK_DELETE,
            PermissionType.WEBHOOK_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Ejemplo n.º 9
0
    def test_user_has_resource_db_permission(self):
        resolver = WebhookPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.WEBHOOK)

        # Admin user, should always return true
        resource_db = self.resources['webhook_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "webhook_send" grant on webhook_1
        user_db = self.users['custom_role_webhook_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.WEBHOOK_SEND)

        permission_types = [
            PermissionType.WEBHOOK_CREATE, PermissionType.WEBHOOK_DELETE,
            PermissionType.WEBHOOK_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Ejemplo n.º 10
0
    def test_user_has_resource_db_permission(self):
        resolver = RunnerPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RUNNER)

        # Admin user, should always return true
        resource_db = self.resources['runner_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "runner_view" grant on runner_1
        resource_db = self.resources['runner_1']
        user_db = self.users['custom_role_runner_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RUNNER_VIEW)

        permission_types = [
            PermissionType.RUNNER_MODIFY,
            PermissionType.RUNNER_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        # Custom role with "runner_modify" grant on runner_2
        resource_db = self.resources['runner_2']
        user_db = self.users['custom_role_runner_modify_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RUNNER_MODIFY)

        permission_types = [
            PermissionType.RUNNER_VIEW,
            PermissionType.RUNNER_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Ejemplo n.º 11
0
    def test_user_has_resource_db_permission(self):
        resolver = RunnerPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RUNNER)

        # Admin user, should always return true
        resource_db = self.resources['runner_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "runner_view" grant on runner_1
        resource_db = self.resources['runner_1']
        user_db = self.users['custom_role_runner_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RUNNER_VIEW)

        permission_types = [
            PermissionType.RUNNER_MODIFY,
            PermissionType.RUNNER_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        # Custom role with "runner_modify" grant on runner_2
        resource_db = self.resources['runner_2']
        user_db = self.users['custom_role_runner_modify_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RUNNER_MODIFY)

        permission_types = [
            PermissionType.RUNNER_VIEW,
            PermissionType.RUNNER_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Ejemplo n.º 12
0
Archivo: rbac.py Proyecto: rlugojr/st2
def _validate_permission_types(resource_db, permission_types):
    """
    Validate that the permission_types list only contains valid values for the
    provided resource.
    """
    resource_db = _validate_resource_type(resource_db=resource_db)
    resource_type = resource_db.get_resource_type()
    valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type)

    for permission_type in permission_types:
        if permission_type not in valid_permission_types:
            raise ValueError("Invalid permission type: %s" % (permission_type))

    return permission_types
Ejemplo n.º 13
0
def _validate_permission_types(resource_db, permission_types):
    """
    Validate that the permission_types list only contains valid values for the
    provided resource.
    """
    resource_db = _validate_resource_type(resource_db=resource_db)
    resource_type = resource_db.get_resource_type()
    valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(resource_type)

    for permission_type in permission_types:
        if permission_type not in valid_permission_types:
            raise ValueError('Invalid permission type: %s' % (permission_type))

    return permission_types
Ejemplo n.º 14
0
    def setUpClass(cls):
        super(KeyValuePermissionsResolverTestCase, cls).setUpClass()

        cls.all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.KEY_VALUE_PAIR)

        cls.read_permission_types = [
            PermissionType.KEY_VALUE_PAIR_LIST,
            PermissionType.KEY_VALUE_PAIR_VIEW,
        ]

        cls.write_permission_types = [
            PermissionType.KEY_VALUE_PAIR_SET,
            PermissionType.KEY_VALUE_PAIR_DELETE,
        ]
Ejemplo n.º 15
0
    def test_user_has_resource_db_permissions(self):
        # Note: Right now we don't support granting permissions on key value items so we just check
        # that the method always returns True
        resolver = KeyValuePermissionsResolver()

        # No roles
        user_db = self.users['no_roles']
        resource_db = self.resources['kvp_1']

        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.KEY_VALUE_PAIR)
        for permission_type in permission_types:
            self.assertTrue(resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=resource_db,
                permission_type=permission_type))
Ejemplo n.º 16
0
    def validate(self):
        # Parent JSON schema validation
        cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, "permission_grants", [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get("resource_uid", None)
            permission_types = permission_grant.get("permission_types", [])

            if resource_uid:
                # Permission types which apply to a resource
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = (
                    PermissionType.get_valid_permissions_for_resource_type(
                        resource_type=resource_type))

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = (
                            'Invalid permission type "%s" for resource type "%s"'
                            % (
                                permission_type,
                                resource_type,
                            ))
                        raise ValueError(message)
            else:
                # Right now we only support single permission type (list) which is global and
                # doesn't apply to a resource
                for permission_type in permission_types:
                    if permission_type not in GLOBAL_PERMISSION_TYPES:
                        valid_global_permission_types = ", ".join(
                            GLOBAL_PERMISSION_TYPES)
                        message = (
                            'Invalid permission type "%s". Valid global permission types '
                            "which can be used without a resource id are: %s" %
                            (permission_type, valid_global_permission_types))
                        raise ValueError(message)

        return cleaned
def main():
    lines = []
    lines.append(HEADER)
    lines.append("")

    add_lines_for_permission_set("Global", GLOBAL_PERMISSION_TYPES, lines)

    for resource_type in RESOURCE_DISPLAY_ORDER:
        resource_title = resource_type.replace("_", " ").title()  # pylint: disable=no-member

        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)

        add_lines_for_permission_set(resource_title, permission_types, lines)

    result = "\n".join(lines)
    with open(DESTINATION_PATH, "w") as fp:
        fp.write(result)

    print("Generated: %s" % (DESTINATION_PATH))
    return result
Ejemplo n.º 18
0
    def validate(self):
        # Parent JSON schema validation
        super(RoleDefinitionFileFormatAPI, self).validate()

        # Custom validation

        # Validate that only the correct permission types are used
        permission_grants = getattr(self, 'permission_grants', [])
        for permission_grant in permission_grants:
            resource_uid = permission_grant.get('resource_uid', None)
            permission_types = permission_grant.get('permission_types', [])

            if resource_uid:
                resource_type, _ = parse_uid(uid=resource_uid)
                valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                    resource_type=resource_type)

                for permission_type in permission_types:
                    if permission_type not in valid_permission_types:
                        message = ('Invalid permission type "%s" for resource type "%s"' %
                                   (permission_type, resource_type))
                        raise ValueError(message)
Ejemplo n.º 19
0
    def test_user_has_resource_db_permission(self):
        resolver = ActionPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.ACTION)

        # Admin user, should always return true
        resource_db = self.resources['action_1']
        user_db = self.users['admin']

        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_MODIFY)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_DELETE)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_action_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role with a direct grant on action
        user_db = self.users['custom_role_action_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_3'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_EXECUTE)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_3'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role - "action_all" grant on the action parent pack
        user_db = self.users['custom_role_pack_action_all_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_all" grant on the action
        user_db = self.users['custom_role_action_all_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_execute" grant on action_1
        user_db = self.users['custom_role_action_execute_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.ACTION_EXECUTE)

        # "execute" also grants "view"
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.ACTION_VIEW)

        permission_types = [
            PermissionType.ACTION_CREATE,
            PermissionType.ACTION_MODIFY,
            PermissionType.ACTION_DELETE
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Ejemplo n.º 20
0
    def test_user_has_resource_db_permissions(self):
        resolver = RulePermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RULE)

        # Admin user, should always return true
        resource_db = self.resources['rule_1']
        user_db = self.users['admin']
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_1'],
                permission_type=PermissionType.RULE_VIEW))
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_2'],
                permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_1'],
                permission_type=PermissionType.RULE_MODIFY))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_2'],
                permission_type=PermissionType.RULE_DELETE))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_1'],
                permission_type=PermissionType.RULE_VIEW))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_2'],
                permission_type=PermissionType.RULE_VIEW))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_3'],
                permission_type=PermissionType.RULE_DELETE))

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_rule_pack_grant']
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_1'],
                permission_type=PermissionType.RULE_VIEW))
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_2'],
                permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_1'],
                permission_type=PermissionType.RULE_DELETE))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_2'],
                permission_type=PermissionType.RULE_MODIFY))

        # Custom role with a direct grant on rule
        user_db = self.users['custom_role_rule_grant']
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_3'],
                permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_3'],
                permission_type=PermissionType.RULE_ALL))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_3'],
                permission_type=PermissionType.RULE_MODIFY))
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources['rule_3'],
                permission_type=PermissionType.RULE_DELETE))

        # Custom role - "rule_all" grant on the rule parent pack
        user_db = self.users['custom_role_pack_rule_all_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=all_permission_types))

        # Custom role - "rule_all" grant on the rule
        user_db = self.users['custom_role_rule_all_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=all_permission_types))

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users['custom_role_rule_modify_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=resource_db,
                permission_type=PermissionType.RULE_MODIFY))

        # "modify" also grants "view"
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=resource_db,
                permission_type=PermissionType.RULE_VIEW))

        permission_types = [
            PermissionType.RULE_CREATE, PermissionType.RULE_DELETE
        ]
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver,
                user_db=user_db,
                resource_db=resource_db,
                permission_types=permission_types))
Ejemplo n.º 21
0
    def test_user_has_resource_db_permission(self):
        resolver = ActionPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.ACTION)

        # Admin user, should always return true
        resource_db = self.resources['action_1']
        user_db = self.users['admin']

        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_MODIFY)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_DELETE)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_action_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_1'],
            permission_type=PermissionType.ACTION_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role with a direct grant on action
        user_db = self.users['custom_role_action_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_3'],
            permission_type=PermissionType.ACTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_2'],
            permission_type=PermissionType.ACTION_EXECUTE)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['action_3'],
            permission_type=PermissionType.ACTION_EXECUTE)

        # Custom role - "action_all" grant on the action parent pack
        user_db = self.users['custom_role_pack_action_all_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_all" grant on the action
        user_db = self.users['custom_role_action_all_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_execute" grant on action_1
        user_db = self.users['custom_role_action_execute_grant']
        resource_db = self.resources['action_1']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.ACTION_EXECUTE)

        # "execute" also grants "view"
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.ACTION_VIEW)

        permission_types = [
            PermissionType.ACTION_CREATE,
            PermissionType.ACTION_MODIFY,
            PermissionType.ACTION_DELETE
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)
Ejemplo n.º 22
0
    def test_user_has_resource_db_permission(self):
        resolver = InquiryPermissionsResolver()

        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.INQUIRY)
        all_permission_types.remove(PermissionType.INQUIRY_LIST)

        # Admin user, should always return true
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_RESPOND)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_ALL)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # View user should be able to view
        user_db = self.users['custom_role_inquiry_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_VIEW)

        # Respond user should be able to respond
        user_db = self.users['custom_role_inquiry_respond_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_RESPOND)

        # ALL user should have all db perms
        user_db = self.users['custom_role_inquiry_all_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_ALL)

        # Now to test inheritance from action_execution for parent workflow.
        # We still have to pass in INQUIRY_RESPOND to permission_type here to keep the resolver
        # enum assert happy, but we haven't granted INQUIRY_RESPOND to this role, proving
        # that the effective permission is inherited.
        user_db = self.users['custom_role_inquiry_inherit']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_2'],
            permission_type=PermissionType.INQUIRY_RESPOND)
    def test_user_has_resource_db_permission(self):
        resolver = SensorPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.SENSOR)

        # Admin user, should always return true
        resource_db = self.resources['sensor_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_VIEW)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_ALL)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_sensor_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW)

        # Custom role with a direct grant on sensor
        user_db = self.users['custom_role_sensor_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_ALL)

        # Custom role - "sensor_all" grant on the sensor parent pack
        user_db = self.users['custom_role_pack_sensor_all_grant']
        resource_db = self.resources['sensor_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "sensor_all" grant on the sensor
        user_db = self.users['custom_role_sensor_all_grant']
        resource_db = self.resources['sensor_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)
Ejemplo n.º 24
0
    def test_user_has_resource_permissions(self):
        resolver = ExecutionPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.EXECUTION)

        # Admin user, should always return true
        resource_db = self.resources['exec_1']
        user_db = self.users['admin']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_STOP))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_ALL))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with an action_view grant on unrelated pack, should return false for
        # everything
        user_db = self.users['custom_role_unrelated_pack_action_grant']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack, should return false for
        # everything
        user_db = self.users['custom_role_pack_action_grant_unrelated_permission']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with "action_view" grant on the pack of the action resource belongs to
        user_db = self.users['custom_role_pack_action_view_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_VIEW
        ))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_RE_RUN
        ))

        # Custom role with "action_view" grant on the action the resource belongs to
        user_db = self.users['custom_role_action_view_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_VIEW
        ))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_RE_RUN
        ))

        # Custom role with "action_execute" grant on the pack of the action resource belongs to
        user_db = self.users['custom_role_pack_action_execute_grant']
        permission_types = [PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP]
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        permission_types = [PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL]
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        # Custom role with "action_execute" grant on the action resource belongs to
        user_db = self.users['custom_role_action_execute_grant']
        permission_types = [PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP]
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        permission_types = [PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL]
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))

        # Custom role - "action_all" grant on the action parent pack the execution belongs to
        user_db = self.users['custom_role_pack_action_all_grant']
        resource_db = self.resources['exec_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "action_all" grant on the action the execution belongs to
        user_db = self.users['custom_role_action_all_grant']
        resource_db = self.resources['exec_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))
    def test_user_has_resource_db_permission(self):
        resolver = RuleEnforcementPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RULE_ENFORCEMENT)

        # Admin user, should always return true
        resource_db = self.resources['rule_enforcement_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_rule_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role with a direct grant on rule
        user_db = self.users['custom_role_rule_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_3'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role - "rule_all" grant on the rule parent pack
        user_db = self.users['custom_role_pack_rule_all_grant']
        resource_db = self.resources['rule_enforcement_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "rule_all" grant on the rule
        user_db = self.users['custom_role_rule_all_grant']
        resource_db = self.resources['rule_enforcement_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users['custom_role_rule_modify_grant']
        resource_db = self.resources['rule_enforcement_1']

        # "modify" also grants "view"
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
Ejemplo n.º 26
0
    def test_user_has_resource_permissions(self):
        resolver = SensorPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.SENSOR)

        # Admin user, should always return true
        resource_db = self.resources['sensor_1']
        user_db = self.users['admin']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_VIEW))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_ALL))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW))

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_sensor_pack_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_1'],
            permission_type=PermissionType.SENSOR_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_2'],
            permission_type=PermissionType.SENSOR_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW))

        # Custom role with a direct grant on sensor
        user_db = self.users['custom_role_sensor_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['sensor_3'],
            permission_type=PermissionType.SENSOR_ALL))

        # Custom role - "sensor_all" grant on the sensor parent pack
        user_db = self.users['custom_role_pack_sensor_all_grant']
        resource_db = self.resources['sensor_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "sensor_all" grant on the sensor
        user_db = self.users['custom_role_sensor_all_grant']
        resource_db = self.resources['sensor_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))
Ejemplo n.º 27
0
    def test_user_has_resource_db_permission(self):
        resolver = RuleEnforcementPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RULE_ENFORCEMENT)

        # Admin user, should always return true
        resource_db = self.resources['rule_enforcement_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_rule_pack_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_1'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_2'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role with a direct grant on rule
        user_db = self.users['custom_role_rule_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['rule_enforcement_3'],
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)

        # Custom role - "rule_all" grant on the rule parent pack
        user_db = self.users['custom_role_pack_rule_all_grant']
        resource_db = self.resources['rule_enforcement_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "rule_all" grant on the rule
        user_db = self.users['custom_role_rule_all_grant']
        resource_db = self.resources['rule_enforcement_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users['custom_role_rule_modify_grant']
        resource_db = self.resources['rule_enforcement_1']

        # "modify" also grants "view"
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RULE_ENFORCEMENT_VIEW)
Ejemplo n.º 28
0
    def test_user_has_resource_db_permission(self):
        resolver = InquiryPermissionsResolver()

        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.INQUIRY)
        all_permission_types.remove(PermissionType.INQUIRY_LIST)

        # Admin user, should always return true
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_RESPOND)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_ALL)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_types=all_permission_types)

        # View user should be able to view
        user_db = self.users['custom_role_inquiry_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_VIEW)

        # Respond user should be able to respond
        user_db = self.users['custom_role_inquiry_respond_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_RESPOND)

        # ALL user should have all db perms
        user_db = self.users['custom_role_inquiry_all_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_1'],
            permission_type=PermissionType.INQUIRY_ALL)

        # Now to test inheritance from action_execution for parent workflow.
        # We still have to pass in INQUIRY_RESPOND to permission_type here to keep the resolver
        # enum assert happy, but we haven't granted INQUIRY_RESPOND to this role, proving
        # that the effective permission is inherited.
        user_db = self.users['custom_role_inquiry_inherit']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['inquiry_2'],
            permission_type=PermissionType.INQUIRY_RESPOND)
Ejemplo n.º 29
0
    def test_user_has_resource_permissions(self):
        resolver = RulePermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.RULE)

        # Admin user, should always return true
        resource_db = self.resources['rule_1']
        user_db = self.users['admin']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_MODIFY))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_DELETE))

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users['custom_role_pack_grant']
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_DELETE))

        # Custom role with with grant on the parent pack
        user_db = self.users['custom_role_rule_pack_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_VIEW))
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_1'],
            permission_type=PermissionType.RULE_DELETE))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_2'],
            permission_type=PermissionType.RULE_MODIFY))

        # Custom role with a direct grant on rule
        user_db = self.users['custom_role_rule_grant']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_VIEW))

        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_ALL))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_MODIFY))
        self.assertFalse(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=self.resources['rule_3'],
            permission_type=PermissionType.RULE_DELETE))

        # Custom role - "rule_all" grant on the action parent pack
        user_db = self.users['custom_role_pack_rule_all_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "action_all" grant on the action
        user_db = self.users['custom_role_rule_all_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types))

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users['custom_role_rule_modify_grant']
        resource_db = self.resources['rule_1']
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RULE_MODIFY))

        # "modify" also grants "view"
        self.assertTrue(resolver.user_has_resource_permission(
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.RULE_VIEW))

        permission_types = [
            PermissionType.RULE_CREATE,
            PermissionType.RULE_DELETE
        ]
        self.assertFalse(self._user_has_resource_permissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types))
Ejemplo n.º 30
0
    def test_user_has_resource_db_permission(self):
        resolver = ExecutionPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            ResourceType.EXECUTION)
        all_permission_types.remove(PermissionType.EXECUTION_LIST)

        # Admin user, should always return true
        resource_db = self.resources['exec_1']
        user_db = self.users['admin']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Observer, should always return true for VIEW permission
        user_db = self.users['observer']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_STOP)
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=self.resources['exec_1'],
            permission_type=PermissionType.EXECUTION_ALL)

        # No roles, should return false for everything
        user_db = self.users['no_roles']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with no permission grants, should return false for everything
        user_db = self.users['1_custom_role_no_permissions']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with an action_view grant on unrelated pack, should return false for
        # everything
        user_db = self.users['custom_role_unrelated_pack_action_grant']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with unrelated permission grant to parent pack, should return false for
        # everything
        user_db = self.users[
            'custom_role_pack_action_grant_unrelated_permission']
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role with "action_view" grant on the pack of the action resource belongs to
        user_db = self.users['custom_role_pack_action_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_RE_RUN)

        # Custom role with "action_view" grant on the action the resource belongs to
        user_db = self.users['custom_role_action_view_grant']
        self.assertUserHasResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_VIEW)

        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_type=PermissionType.EXECUTION_RE_RUN)

        # Custom role with "action_execute" grant on the pack of the action resource belongs to
        user_db = self.users['custom_role_pack_action_execute_grant']
        permission_types = [
            PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP
        ]
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        permission_types = [
            PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        # Custom role with "action_execute" grant on the action resource belongs to
        user_db = self.users['custom_role_action_execute_grant']
        permission_types = [
            PermissionType.EXECUTION_RE_RUN, PermissionType.EXECUTION_STOP
        ]
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        permission_types = [
            PermissionType.EXECUTION_VIEW, PermissionType.EXECUTION_ALL
        ]
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=permission_types)

        # Custom role - "action_all" grant on the action parent pack the execution belongs to
        user_db = self.users['custom_role_pack_action_all_grant']
        resource_db = self.resources['exec_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)

        # Custom role - "action_all" grant on the action the execution belongs to
        user_db = self.users['custom_role_action_all_grant']
        resource_db = self.resources['exec_1']
        self.assertUserHasResourceDbPermissions(
            resolver=resolver,
            user_db=user_db,
            resource_db=resource_db,
            permission_types=all_permission_types)
    def test_user_has_resource_db_permission(self):
        resolver = RuleEnforcementPermissionsResolver()
        all_permission_types = PermissionType.get_valid_permissions_for_resource_type(ResourceType.RULE_ENFORCEMENT)

        # Admin user, should always return true
        resource_db = self.resources["rule_enforcement_1"]
        user_db = self.users["admin"]
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Observer, should always return true for VIEW permission
        user_db = self.users["observer"]
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_1"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_2"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # No roles, should return false for everything
        user_db = self.users["no_roles"]
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role with no permission grants, should return false for everything
        user_db = self.users["1_custom_role_no_permissions"]
        self.assertFalse(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role with unrelated permission grant to parent pack
        user_db = self.users["custom_role_pack_grant"]
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_1"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )
        self.assertFalse(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_2"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # Custom role with with grant on the parent pack
        user_db = self.users["custom_role_rule_pack_grant"]
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_1"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_2"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # Custom role with a direct grant on rule
        user_db = self.users["custom_role_rule_grant"]
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db,
                resource_db=self.resources["rule_enforcement_3"],
                permission_type=PermissionType.RULE_ENFORCEMENT_VIEW,
            )
        )

        # Custom role - "rule_all" grant on the rule parent pack
        user_db = self.users["custom_role_pack_rule_all_grant"]
        resource_db = self.resources["rule_enforcement_1"]
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role - "rule_all" grant on the rule
        user_db = self.users["custom_role_rule_all_grant"]
        resource_db = self.resources["rule_enforcement_1"]
        self.assertTrue(
            self._user_has_resource_db_permissions(
                resolver=resolver, user_db=user_db, resource_db=resource_db, permission_types=all_permission_types
            )
        )

        # Custom role - "rule_modify" grant on rule_1
        user_db = self.users["custom_role_rule_modify_grant"]
        resource_db = self.resources["rule_enforcement_1"]

        # "modify" also grants "view"
        self.assertTrue(
            resolver.user_has_resource_db_permission(
                user_db=user_db, resource_db=resource_db, permission_type=PermissionType.RULE_ENFORCEMENT_VIEW
            )
        )