Ejemplo n.º 1
0
    def test_clean_requests_after_alpha_grant(self):
        session = db.session

        # Case 2. Two access requests from gamma and gamma2
        # Gamma becomes alpha, gamma2 gets granted
        # Check if request by gamma has been deleted

        access_request1 = create_access_request(
            session, 'table', 'birth_names', TEST_ROLE_1, 'gamma')
        create_access_request(
            session, 'table', 'birth_names', TEST_ROLE_2, 'gamma2')
        ds_1_id = access_request1.datasource_id
        # gamma becomes alpha
        alpha_role = sm.find_role('Alpha')
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.append(alpha_role)
        session.commit()
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        self.assertTrue(access_requests)
        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma2', TEST_ROLE_2))
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        self.assertFalse(access_requests)

        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('Alpha'))
        session.commit()
Ejemplo n.º 2
0
    def test_clean_requests_after_db_grant(self):
        session = db.session

        # Case 3. Two access requests from gamma and gamma2
        # Gamma gets database access, gamma2 access request granted
        # Check if request by gamma has been deleted

        gamma_user = sm.find_user(username='******')
        access_request1 = create_access_request(
            session, 'table', 'long_lat', TEST_ROLE_1, 'gamma')
        create_access_request(
            session, 'table', 'long_lat', TEST_ROLE_2, 'gamma2')
        ds_1_id = access_request1.datasource_id
        # gamma gets granted database access
        database = session.query(models.Database).first()

        security.merge_perm(
            sm, 'database_access', database.perm)
        ds_perm_view = sm.find_permission_view_menu(
            'database_access', database.perm)
        sm.add_permission_role(
            sm.find_role(DB_ACCESS_ROLE), ds_perm_view)
        gamma_user.roles.append(sm.find_role(DB_ACCESS_ROLE))
        session.commit()
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        self.assertTrue(access_requests)
        # gamma2 request gets fulfilled
        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma2', TEST_ROLE_2))
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)

        self.assertFalse(access_requests)
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role(DB_ACCESS_ROLE))
        session.commit()
Ejemplo n.º 3
0
    def test_update_role(self):
        update_role_str = 'update_me'
        sm.add_role(update_role_str)
        db.session.commit()
        resp = self.client.post(
            '/superset/update_role/',
            data=json.dumps({
                'user_emails': ['*****@*****.**'],
                'role_name': update_role_str
            }),
            follow_redirects=True
        )
        update_role = sm.find_role(update_role_str)
        self.assertEquals(
            update_role.user, [sm.find_user(email='*****@*****.**')])
        self.assertEquals(resp.status_code, 201)

        resp = self.client.post(
            '/superset/update_role/',
            data=json.dumps({
                'user_emails': ['*****@*****.**', '*****@*****.**'],
                'role_name': update_role_str
            }),
            follow_redirects=True
        )
        self.assertEquals(resp.status_code, 201)
        update_role = sm.find_role(update_role_str)
        self.assertEquals(
            update_role.user, [sm.find_user(email='*****@*****.**')])

        db.session.delete(update_role)
        db.session.commit()
Ejemplo n.º 4
0
    def test_sql_json_has_access(self):
        main_db = self.get_main_database(db.session)
        sm.add_permission_view_menu('database_access', main_db.perm)
        db.session.commit()
        main_db_permission_view = (
            db.session.query(ab_models.PermissionView)
            .join(ab_models.ViewMenu)
            .filter(ab_models.ViewMenu.name == '[main].(id:1)')
            .first()
        )
        astronaut = sm.add_role("Astronaut")
        sm.add_permission_role(astronaut, main_db_permission_view)
        # Astronaut role is Gamma + sqllab +  main db permissions
        for perm in sm.find_role('Gamma').permissions:
            sm.add_permission_role(astronaut, perm)
        for perm in sm.find_role('sql_lab').permissions:
            sm.add_permission_role(astronaut, perm)

        gagarin = appbuilder.sm.find_user('gagarin')
        if not gagarin:
            appbuilder.sm.add_user(
                'gagarin', 'Iurii', 'Gagarin', '*****@*****.**',
                astronaut,
                password='******')
        data = self.run_sql('SELECT * FROM ab_user', "3", user_name='gagarin')
        db.session.query(models.Query).delete()
        db.session.commit()
        self.assertLess(0, len(data['data']))
Ejemplo n.º 5
0
 def tearDownClass(cls):
     override_me = sm.find_role('override_me')
     db.session.delete(override_me)
     db.session.delete(sm.find_role(TEST_ROLE_1))
     db.session.delete(sm.find_role(TEST_ROLE_2))
     db.session.delete(sm.find_role(DB_ACCESS_ROLE))
     db.session.delete(sm.find_role(SCHEMA_ACCESS_ROLE))
     db.session.commit()
Ejemplo n.º 6
0
    def test_update_role(self):
        update_role_str = 'update_me'
        sm.add_role(update_role_str)
        db.session.commit()
        resp = self.client.post(
            '/superset/update_role/',
            data=json.dumps({
                'users': [{
                        'username': '******',
                        'first_name': 'Gamma',
                        'last_name': 'Gamma',
                        'email': '*****@*****.**'
                    }],
                'role_name': update_role_str
            }),
            follow_redirects=True
        )
        update_role = sm.find_role(update_role_str)
        self.assertEquals(
            update_role.user, [sm.find_user(username='******')])
        self.assertEquals(resp.status_code, 201)

        resp = self.client.post(
            '/superset/update_role/',
            data=json.dumps({
                'users': [{
                    'username': '******',
                    'first_name': 'Alpha',
                    'last_name': 'Alpha',
                    'email': '*****@*****.**'
                }, {
                    'username': '******',
                    'first_name': 'Unknown1',
                    'last_name': 'Unknown2',
                    'email': '*****@*****.**'
                }],
                'role_name': update_role_str
            }),
            follow_redirects=True
        )
        self.assertEquals(resp.status_code, 201)
        update_role = sm.find_role(update_role_str)
        self.assertEquals(
            update_role.user, [
                sm.find_user(username='******'),
                sm.find_user(username='******'),
            ])
        unknown = sm.find_user(username='******')
        self.assertEquals('Unknown2', unknown.last_name)
        self.assertEquals('Unknown1', unknown.first_name)
        self.assertEquals('*****@*****.**', unknown.email)
        db.session.delete(update_role)
        db.session.delete(unknown)
        db.session.commit()
Ejemplo n.º 7
0
    def test_sql_json_has_access(self):
        main_db = self.get_main_database(db.session)
        utils.merge_perm(sm, 'database_access', main_db.perm)
        db.session.commit()
        main_db_permission_view = (db.session.query(
            ab_models.PermissionView).join(ab_models.ViewMenu).filter(
                ab_models.ViewMenu.name == '[main].(id:1)').first())
        astronaut = sm.add_role("Astronaut")
        sm.add_permission_role(astronaut, main_db_permission_view)
        # Astronaut role is Gamma + main db permissions
        for gamma_perm in sm.find_role('Gamma').permissions:
            sm.add_permission_role(astronaut, gamma_perm)

        gagarin = appbuilder.sm.find_user('gagarin')
        if not gagarin:
            appbuilder.sm.add_user('gagarin',
                                   'Iurii',
                                   'Gagarin',
                                   '*****@*****.**',
                                   appbuilder.sm.find_role('Astronaut'),
                                   password='******')
        data = self.run_sql('SELECT * FROM ab_user', 'gagarin', "3")
        db.session.query(models.Query).delete()
        db.session.commit()
        self.assertLess(0, len(data['data']))
Ejemplo n.º 8
0
    def test_clean_requests_after_role_extend(self):
        session = db.session

        # Case 1. Gamma and gamma2 requested test_role1 on energy_usage access
        # Gamma already has role test_role1
        # Extend test_role1 with energy_usage access for gamma2
        # Check if access request for gamma at energy_usage was deleted

        # gamma2 and gamma request table_role on energy usage
        if app.config.get('ENABLE_ACCESS_REQUEST'):
            access_request1 = create_access_request(
                session, 'table', 'random_time_series', TEST_ROLE_1, 'gamma2')
            ds_1_id = access_request1.datasource_id
            create_access_request(
                session, 'table', 'random_time_series', TEST_ROLE_1, 'gamma')
            access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
            self.assertTrue(access_requests)
            # gamma gets test_role1
            self.get_resp(GRANT_ROLE_REQUEST.format(
                'table', ds_1_id, 'gamma', TEST_ROLE_1))
            # extend test_role1 with access on energy usage
            self.client.get(EXTEND_ROLE_REQUEST.format(
                'table', ds_1_id, 'gamma2', TEST_ROLE_1))
            access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
            self.assertFalse(access_requests)

            gamma_user = sm.find_user(username='******')
            gamma_user.roles.remove(sm.find_role('test_role1'))
Ejemplo n.º 9
0
    def test_filter_druid_datasource(self):
        CLUSTER_NAME = 'new_druid'
        cluster = self.get_or_create(
            DruidCluster,
            {'cluster_name': CLUSTER_NAME},
            db.session)
        db.session.merge(cluster)

        gamma_ds = self.get_or_create(
            DruidDatasource, {'datasource_name': 'datasource_for_gamma'},
            db.session)
        gamma_ds.cluster = cluster
        db.session.merge(gamma_ds)

        no_gamma_ds = self.get_or_create(
            DruidDatasource, {'datasource_name': 'datasource_not_for_gamma'},
            db.session)
        no_gamma_ds.cluster = cluster
        db.session.merge(no_gamma_ds)
        db.session.commit()

        security.merge_perm(sm, 'datasource_access', gamma_ds.perm)
        security.merge_perm(sm, 'datasource_access', no_gamma_ds.perm)

        perm = sm.find_permission_view_menu(
            'datasource_access', gamma_ds.get_perm())
        sm.add_permission_role(sm.find_role('Gamma'), perm)
        sm.get_session.commit()

        self.login(username='******')
        url = '/druiddatasourcemodelview/list/'
        resp = self.get_resp(url)
        self.assertIn('datasource_for_gamma', resp)
        self.assertNotIn('datasource_not_for_gamma', resp)
Ejemplo n.º 10
0
    def test_clean_requests_after_role_extend(self):
        session = db.session

        # Case 1. Gamma and gamma2 requested test_role1 on energy_usage access
        # Gamma already has role test_role1
        # Extend test_role1 with energy_usage access for gamma2
        # Check if access request for gamma at energy_usage was deleted

        # gamma2 and gamma request table_role on energy usage
        access_request1 = create_access_request(session, 'table',
                                                'random_time_series',
                                                TEST_ROLE_1, 'gamma2')
        ds_1_id = access_request1.datasource_id
        create_access_request(session, 'table', 'random_time_series',
                              TEST_ROLE_1, 'gamma')
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        self.assertTrue(access_requests)
        # gamma gets test_role1
        self.get_resp(
            GRANT_ROLE_REQUEST.format('table', ds_1_id, 'gamma', TEST_ROLE_1))
        # extend test_role1 with access on energy usage
        self.client.get(
            EXTEND_ROLE_REQUEST.format('table', ds_1_id, 'gamma2',
                                       TEST_ROLE_1))
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        self.assertFalse(access_requests)

        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('test_role1'))
Ejemplo n.º 11
0
    def test_filter_druid_datasource(self):
        CLUSTER_NAME = 'new_druid'
        cluster = self.get_or_create(
            DruidCluster,
            {'cluster_name': CLUSTER_NAME},
            db.session)
        db.session.merge(cluster)

        gamma_ds = self.get_or_create(
            DruidDatasource, {'datasource_name': 'datasource_for_gamma'},
            db.session)
        gamma_ds.cluster = cluster
        db.session.merge(gamma_ds)

        no_gamma_ds = self.get_or_create(
            DruidDatasource, {'datasource_name': 'datasource_not_for_gamma'},
            db.session)
        no_gamma_ds.cluster = cluster
        db.session.merge(no_gamma_ds)

        utils.merge_perm(sm, 'datasource_access', gamma_ds.perm)
        utils.merge_perm(sm, 'datasource_access', no_gamma_ds.perm)

        db.session.commit()

        perm = sm.find_permission_view_menu('datasource_access', gamma_ds.perm)
        sm.add_permission_role(sm.find_role('Gamma'), perm)
        db.session.commit()

        self.login(username='******')
        url = '/druiddatasourcemodelview/list/'
        resp = self.get_resp(url)
        assert 'datasource_for_gamma' in resp
        assert 'datasource_not_for_gamma' not in resp
 def assert_admin_view_menus_in(role_name, assert_func):
     role = sm.find_role(role_name)
     view_menus = [p.view_menu.name for p in role.permissions]
     assert_func('ResetPasswordView', view_menus)
     assert_func('RoleModelView', view_menus)
     assert_func('Security', view_menus)
     assert_func('UserDBModelView', view_menus)
     assert_func('SQL Lab', view_menus)
Ejemplo n.º 13
0
 def assert_admin_view_menus_in(role_name, assert_func):
     role = sm.find_role(role_name)
     view_menus = [p.view_menu.name for p in role.permissions]
     assert_func('ResetPasswordView', view_menus)
     assert_func('RoleModelView', view_menus)
     assert_func('Security', view_menus)
     assert_func('UserDBModelView', view_menus)
     assert_func('SQL Lab',
                 view_menus)
Ejemplo n.º 14
0
    def test_override_role_permissions_drops_absent_perms(self):
        override_me = sm.find_role('override_me')
        override_me.permissions.append(
            sm.find_permission_view_menu(
                view_menu_name=self.get_table_by_name('long_lat').perm,
                permission_name='datasource_access'))
        db.session.flush()

        response = self.client.post('/superset/override_role_permissions/',
                                    data=json.dumps(ROLE_TABLES_PERM_DATA),
                                    content_type='application/json')
        self.assertEquals(201, response.status_code)
        updated_override_me = sm.find_role('override_me')
        self.assertEquals(1, len(updated_override_me.permissions))
        birth_names = self.get_table_by_name('birth_names')
        self.assertEquals(birth_names.perm,
                          updated_override_me.permissions[0].view_menu.name)
        self.assertEquals('datasource_access',
                          updated_override_me.permissions[0].permission.name)
Ejemplo n.º 15
0
 def test_update_role_do_not_exist(self):
     update_role_str = 'update_me'
     update_role = sm.find_role(update_role_str)
     if update_role:
         db.session.delete(update_role)
     db.session.commit()
     with self.assertRaises(AttributeError):
         self.get_resp('/superset/update_role/',
                       data=json.dumps({
                           'user_emails': ['*****@*****.**'],
                           'role_name': update_role_str,
                       }))
Ejemplo n.º 16
0
    def test_clean_requests_after_schema_grant(self):
        session = db.session

        # Case 4. Two access requests from gamma and gamma2
        # Gamma gets schema access, gamma2 access request granted
        # Check if request by gamma has been deleted

        gamma_user = sm.find_user(username='******')
        access_request1 = create_access_request(session, 'table',
                                                'wb_health_population',
                                                TEST_ROLE_1, 'gamma')
        access_request2 = create_access_request(session, 'table',
                                                'wb_health_population',
                                                TEST_ROLE_2, 'gamma2')
        ds_1_id = access_request1.datasource_id
        ds = session.query(models.SqlaTable).filter_by(
            table_name='wb_health_population').first()

        ds.schema = 'temp_schema'
        security.merge_perm(sm, 'schema_access', ds.schema_perm)
        schema_perm_view = sm.find_permission_view_menu(
            'schema_access', ds.schema_perm)
        sm.add_permission_role(sm.find_role(SCHEMA_ACCESS_ROLE),
                               schema_perm_view)
        gamma_user.roles.append(sm.find_role(SCHEMA_ACCESS_ROLE))
        session.commit()
        # gamma2 request gets fulfilled
        self.client.get(
            EXTEND_ROLE_REQUEST.format('table', ds_1_id, 'gamma2',
                                       TEST_ROLE_2))
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        self.assertFalse(access_requests)
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role(SCHEMA_ACCESS_ROLE))

        ds = session.query(models.SqlaTable).filter_by(
            table_name='wb_health_population').first()
        ds.schema = None

        session.commit()
Ejemplo n.º 17
0
    def test_clean_requests_after_schema_grant(self):
        session = db.session

        # Case 4. Two access requests from gamma and gamma2
        # Gamma gets schema access, gamma2 access request granted
        # Check if request by gamma has been deleted

        gamma_user = sm.find_user(username='******')
        access_request1 = create_access_request(
            session, 'table', 'wb_health_population', TEST_ROLE_1, 'gamma')
        access_request2 = create_access_request(
            session, 'table', 'wb_health_population', TEST_ROLE_2, 'gamma2')
        ds_1_id = access_request1.datasource_id
        ds = session.query(SqlaTable).filter_by(
            table_name='wb_health_population').first()


        ds.schema = 'temp_schema'
        security.merge_perm(
            sm, 'schema_access', ds.schema_perm)
        schema_perm_view = sm.find_permission_view_menu(
            'schema_access', ds.schema_perm)
        sm.add_permission_role(
            sm.find_role(SCHEMA_ACCESS_ROLE) , schema_perm_view)
        gamma_user.roles.append(sm.find_role(SCHEMA_ACCESS_ROLE))
        session.commit()
        # gamma2 request gets fulfilled
        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma2', TEST_ROLE_2))
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        self.assertFalse(access_requests)
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role(SCHEMA_ACCESS_ROLE))

        ds = session.query(SqlaTable).filter_by(
            table_name='wb_health_population').first()
        ds.schema = None

        session.commit()
Ejemplo n.º 18
0
    def test_override_role_permissions_1_table(self):
        response = self.client.post('/superset/override_role_permissions/',
                                    data=json.dumps(ROLE_TABLES_PERM_DATA),
                                    content_type='application/json')
        self.assertEquals(201, response.status_code)

        updated_override_me = sm.find_role('override_me')
        self.assertEquals(1, len(updated_override_me.permissions))
        birth_names = self.get_table_by_name('birth_names')
        self.assertEquals(birth_names.perm,
                          updated_override_me.permissions[0].view_menu.name)
        self.assertEquals('datasource_access',
                          updated_override_me.permissions[0].permission.name)
Ejemplo n.º 19
0
 def test_update_role_do_not_exist(self):
     update_role_str = 'update_me'
     update_role = sm.find_role(update_role_str)
     if update_role:
         db.session.delete(update_role)
     db.session.commit()
     with self.assertRaises(AttributeError):
         self.get_resp(
             '/superset/update_role/',
             data=json.dumps({
                 'user_emails': ['*****@*****.**'],
                 'role_name': update_role_str,
             })
         )
Ejemplo n.º 20
0
    def test_override_role_permissions_drops_absent_perms(self):
        override_me = sm.find_role('override_me')
        override_me.permissions.append(
            sm.find_permission_view_menu(
                view_menu_name=self.get_table_by_name('long_lat').perm,
                permission_name='datasource_access')
        )
        db.session.flush()

        response = self.client.post(
            '/superset/override_role_permissions/',
            data=json.dumps(ROLE_TABLES_PERM_DATA),
            content_type='application/json')
        self.assertEquals(201, response.status_code)
        updated_override_me = sm.find_role('override_me')
        self.assertEquals(1, len(updated_override_me.permissions))
        birth_names = self.get_table_by_name('birth_names')
        self.assertEquals(
            birth_names.perm,
            updated_override_me.permissions[0].view_menu.name)
        self.assertEquals(
            'datasource_access',
            updated_override_me.permissions[0].permission.name)
Ejemplo n.º 21
0
    def test_gamma_permissions(self):
        def assert_can_read(view_menu):
            self.assertIn(('can_show', view_menu), gamma_perm_set)
            self.assertIn(('can_list', view_menu), gamma_perm_set)

        def assert_can_write(view_menu):
            self.assertIn(('can_add', view_menu), gamma_perm_set)
            self.assertIn(('can_download', view_menu), gamma_perm_set)
            self.assertIn(('can_delete', view_menu), gamma_perm_set)
            self.assertIn(('can_edit', view_menu), gamma_perm_set)

        def assert_cannot_write(view_menu):
            self.assertNotIn(('can_add', view_menu), gamma_perm_set)
            self.assertNotIn(('can_download', view_menu), gamma_perm_set)
            self.assertNotIn(('can_delete', view_menu), gamma_perm_set)
            self.assertNotIn(('can_edit', view_menu), gamma_perm_set)
            self.assertNotIn(('can_save', view_menu), gamma_perm_set)

        def assert_can_all(view_menu):
            assert_can_read(view_menu)
            assert_can_write(view_menu)

        gamma_perm_set = set()
        for perm in sm.find_role('Gamma').permissions:
            gamma_perm_set.add((perm.permission.name, perm.view_menu.name))

        # check read only perms
        assert_can_read('TableModelView')
        assert_cannot_write('DruidColumnInlineView')

        # make sure that user can create slices and dashboards
        assert_can_all('SliceModelView')
        assert_can_all('DashboardModelView')

        self.assertIn(('can_add_slices', 'Superset'), gamma_perm_set)
        self.assertIn(('can_copy_dash', 'Superset'), gamma_perm_set)
        self.assertIn(('can_activity_per_day', 'Superset'), gamma_perm_set)
        self.assertIn(('can_created_dashboards', 'Superset'), gamma_perm_set)
        self.assertIn(('can_created_slices', 'Superset'), gamma_perm_set)
        self.assertIn(('can_csv', 'Superset'), gamma_perm_set)
        self.assertIn(('can_dashboard', 'Superset'), gamma_perm_set)
        self.assertIn(('can_explore', 'Superset'), gamma_perm_set)
        self.assertIn(('can_explore_json', 'Superset'), gamma_perm_set)
        self.assertIn(('can_fave_dashboards', 'Superset'), gamma_perm_set)
        self.assertIn(('can_fave_slices', 'Superset'), gamma_perm_set)
        self.assertIn(('can_save_dash', 'Superset'), gamma_perm_set)
        self.assertIn(('can_slice', 'Superset'), gamma_perm_set)
        self.assertIn(('can_update_explore', 'Superset'), gamma_perm_set)
Ejemplo n.º 22
0
    def test_gamma_permissions(self):
        def assert_can_read(view_menu):
            self.assertIn(('can_show', view_menu), gamma_perm_set)
            self.assertIn(('can_list', view_menu), gamma_perm_set)

        def assert_can_write(view_menu):
            self.assertIn(('can_add', view_menu), gamma_perm_set)
            self.assertIn(('can_download', view_menu), gamma_perm_set)
            self.assertIn(('can_delete', view_menu), gamma_perm_set)
            self.assertIn(('can_edit', view_menu), gamma_perm_set)

        def assert_cannot_write(view_menu):
            self.assertNotIn(('can_add', view_menu), gamma_perm_set)
            self.assertNotIn(('can_download', view_menu), gamma_perm_set)
            self.assertNotIn(('can_delete', view_menu), gamma_perm_set)
            self.assertNotIn(('can_edit', view_menu), gamma_perm_set)
            self.assertNotIn(('can_save', view_menu), gamma_perm_set)

        def assert_can_all(view_menu):
            assert_can_read(view_menu)
            assert_can_write(view_menu)

        gamma_perm_set = set()
        for perm in sm.find_role('Gamma').permissions:
            gamma_perm_set.add((perm.permission.name, perm.view_menu.name))

        # check read only perms
        assert_can_read('TableModelView')
        assert_cannot_write('DruidColumnInlineView')

        # make sure that user can create slices and dashboards
        assert_can_all('SliceModelView')
        assert_can_all('DashboardModelView')

        self.assertIn(('can_add_slices', 'Superset'), gamma_perm_set)
        self.assertIn(('can_copy_dash', 'Superset'), gamma_perm_set)
        self.assertIn(('can_activity_per_day', 'Superset'), gamma_perm_set)
        self.assertIn(('can_created_dashboards', 'Superset'), gamma_perm_set)
        self.assertIn(('can_created_slices', 'Superset'), gamma_perm_set)
        self.assertIn(('can_csv', 'Superset'), gamma_perm_set)
        self.assertIn(('can_dashboard', 'Superset'), gamma_perm_set)
        self.assertIn(('can_explore', 'Superset'), gamma_perm_set)
        self.assertIn(('can_explore_json', 'Superset'), gamma_perm_set)
        self.assertIn(('can_fave_dashboards', 'Superset'), gamma_perm_set)
        self.assertIn(('can_fave_slices', 'Superset'), gamma_perm_set)
        self.assertIn(('can_save_dash', 'Superset'), gamma_perm_set)
        self.assertIn(('can_slice', 'Superset'), gamma_perm_set)
        self.assertIn(('can_update_explore', 'Superset'), gamma_perm_set)
Ejemplo n.º 23
0
    def test_override_role_permissions_1_table(self):
        response = self.client.post(
            '/superset/override_role_permissions/',
            data=json.dumps(ROLE_TABLES_PERM_DATA),
            content_type='application/json')
        self.assertEquals(201, response.status_code)

        updated_override_me = sm.find_role('override_me')
        self.assertEquals(1, len(updated_override_me.permissions))
        birth_names = self.get_table_by_name('birth_names')
        self.assertEquals(
            birth_names.perm,
            updated_override_me.permissions[0].view_menu.name)
        self.assertEquals(
            'datasource_access',
            updated_override_me.permissions[0].permission.name)
Ejemplo n.º 24
0
    def test_gamma_permissions(self):
        def assert_can_read(view_menu):
            self.assertIn(("can_show", view_menu), gamma_perm_set)
            self.assertIn(("can_list", view_menu), gamma_perm_set)

        def assert_can_write(view_menu):
            self.assertIn(("can_add", view_menu), gamma_perm_set)
            self.assertIn(("can_download", view_menu), gamma_perm_set)
            self.assertIn(("can_delete", view_menu), gamma_perm_set)
            self.assertIn(("can_edit", view_menu), gamma_perm_set)

        def assert_cannot_write(view_menu):
            self.assertNotIn(("can_add", view_menu), gamma_perm_set)
            self.assertNotIn(("can_download", view_menu), gamma_perm_set)
            self.assertNotIn(("can_delete", view_menu), gamma_perm_set)
            self.assertNotIn(("can_edit", view_menu), gamma_perm_set)
            self.assertNotIn(("can_save", view_menu), gamma_perm_set)

        def assert_can_all(view_menu):
            assert_can_read(view_menu)
            assert_can_write(view_menu)

        gamma_perm_set = set()
        for perm in sm.find_role("Gamma").permissions:
            gamma_perm_set.add((perm.permission.name, perm.view_menu.name))

        # check read only perms
        assert_can_read("TableModelView")
        assert_cannot_write("DruidColumnInlineView")

        # make sure that user can create slices and dashboards
        assert_can_all("SliceModelView")
        assert_can_all("DashboardModelView")

        self.assertIn(("can_add_slices", "Superset"), gamma_perm_set)
        self.assertIn(("can_copy_dash", "Superset"), gamma_perm_set)
        self.assertIn(("can_activity_per_day", "Superset"), gamma_perm_set)
        self.assertIn(("can_created_dashboards", "Superset"), gamma_perm_set)
        self.assertIn(("can_created_slices", "Superset"), gamma_perm_set)
        self.assertIn(("can_csv", "Superset"), gamma_perm_set)
        self.assertIn(("can_dashboard", "Superset"), gamma_perm_set)
        self.assertIn(("can_explore", "Superset"), gamma_perm_set)
        self.assertIn(("can_explore_json", "Superset"), gamma_perm_set)
        self.assertIn(("can_fave_dashboards", "Superset"), gamma_perm_set)
        self.assertIn(("can_fave_slices", "Superset"), gamma_perm_set)
        self.assertIn(("can_save_dash", "Superset"), gamma_perm_set)
        self.assertIn(("can_slice", "Superset"), gamma_perm_set)
Ejemplo n.º 25
0
 def test_update_role_do_not_exist(self):
     update_role_str = 'update_me'
     update_role = sm.find_role(update_role_str)
     if update_role:
         db.session.delete(update_role)
     db.session.commit()
     data = json.dumps({
         'users': [{
             'username': '******',
             'first_name': 'Gamma',
             'last_name': 'Gamma',
             'email': '*****@*****.**',
         }],
         'role_name': update_role_str})
     r = self.client.post('/superset/update_role/', data=data,
                          follow_redirects=True)
     self.assertEquals(500, r.status_code)
Ejemplo n.º 26
0
 def test_update_role_do_not_exist(self):
     update_role_str = 'update_me'
     update_role = sm.find_role(update_role_str)
     if update_role:
         db.session.delete(update_role)
     db.session.commit()
     data = json.dumps({
         'users': [{
             'username': '******',
             'first_name': 'Gamma',
             'last_name': 'Gamma',
             'email': '*****@*****.**',
         }],
         'role_name': update_role_str})
     r = self.client.post('/superset/update_role/', data=data,
                          follow_redirects=True)
     self.assertEquals(500, r.status_code)
Ejemplo n.º 27
0
def create_access_request(session, ds_type, ds_name, role_name, user_name):
    ds_class = SourceRegistry.sources[ds_type]
    # TODO: generalize datasource names
    if ds_type == 'table':
        ds = session.query(ds_class).filter(
            ds_class.table_name == ds_name).first()
    else:
        ds = session.query(ds_class).filter(
            ds_class.datasource_name == ds_name).first()
    ds_perm_view = sm.find_permission_view_menu('datasource_access', ds.perm)
    sm.add_permission_role(sm.find_role(role_name), ds_perm_view)
    access_request = models.DatasourceAccessRequest(
        datasource_id=ds.id,
        datasource_type=ds_type,
        created_by_fk=sm.find_user(username=user_name).id,
    )
    session.add(access_request)
    session.commit()
    return access_request
Ejemplo n.º 28
0
 def create_access_request(ds_type, ds_name, role_name):
     ds_class = SourceRegistry.sources[ds_type]
     # TODO: generalize datasource names
     if ds_type == 'table':
         ds = session.query(ds_class).filter(
             ds_class.table_name == ds_name).first()
     else:
         ds = session.query(ds_class).filter(
             ds_class.datasource_name == ds_name).first()
     ds_perm_view = sm.find_permission_view_menu(
         'datasource_access', ds.perm)
     sm.add_permission_role(sm.find_role(role_name), ds_perm_view)
     access_request = models.DatasourceAccessRequest(
         datasource_id=ds.id,
         datasource_type=ds_type,
         created_by_fk=sm.find_user(username='******').id,
     )
     session.add(access_request)
     session.commit()
     return access_request
Ejemplo n.º 29
0
    def test_override_role_permissions_druid_and_table(self):
        response = self.client.post('/superset/override_role_permissions/',
                                    data=json.dumps(ROLE_ALL_PERM_DATA),
                                    content_type='application/json')
        self.assertEquals(201, response.status_code)

        updated_role = sm.find_role('override_me')
        perms = sorted(updated_role.permissions,
                       key=lambda p: p.view_menu.name)
        druid_ds_1 = self.get_druid_ds_by_name('druid_ds_1')
        self.assertEquals(druid_ds_1.perm, perms[0].view_menu.name)
        self.assertEquals('datasource_access', perms[0].permission.name)

        druid_ds_2 = self.get_druid_ds_by_name('druid_ds_2')
        self.assertEquals(druid_ds_2.perm, perms[1].view_menu.name)
        self.assertEquals('datasource_access',
                          updated_role.permissions[1].permission.name)

        birth_names = self.get_table_by_name('birth_names')
        self.assertEquals(birth_names.perm, perms[2].view_menu.name)
        self.assertEquals('datasource_access',
                          updated_role.permissions[2].permission.name)
        self.assertEquals(3, len(perms))
Ejemplo n.º 30
0
    def test_override_role_permissions_druid_and_table(self):
        response = self.client.post(
            '/superset/override_role_permissions/',
            data=json.dumps(ROLE_ALL_PERM_DATA),
            content_type='application/json')
        self.assertEquals(201, response.status_code)

        updated_role = sm.find_role('override_me')
        perms = sorted(
            updated_role.permissions, key=lambda p: p.view_menu.name)
        self.assertEquals(3, len(perms))
        druid_ds_1 = self.get_druid_ds_by_name('druid_ds_1')
        self.assertEquals(druid_ds_1.perm, perms[0].view_menu.name)
        self.assertEquals('datasource_access', perms[0].permission.name)

        druid_ds_2 = self.get_druid_ds_by_name('druid_ds_2')
        self.assertEquals(druid_ds_2.perm, perms[1].view_menu.name)
        self.assertEquals(
            'datasource_access', updated_role.permissions[1].permission.name)

        birth_names = self.get_table_by_name('birth_names')
        self.assertEquals(birth_names.perm, perms[2].view_menu.name)
        self.assertEquals(
            'datasource_access', updated_role.permissions[2].permission.name)
Ejemplo n.º 31
0
def get_perm_tuples(role_name):
    perm_set = set()
    for perm in sm.find_role(role_name).permissions:
        perm_set.add((perm.permission.name, perm.view_menu.name))
    return perm_set
Ejemplo n.º 32
0
    def __init__(self, *args, **kwargs):
        if (self.requires_examples and not os.environ.get('SOLO_TEST')
                and not os.environ.get('examples_loaded')):
            logging.info('Loading examples')
            cli.load_examples(load_test_data=True)
            logging.info('Done loading examples')
            sync_role_definitions()
            os.environ['examples_loaded'] = '1'
        else:
            sync_role_definitions()
        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        gamma_sqllab_role = sm.add_role('gamma_sqllab')
        for perm in sm.find_role('Gamma').permissions:
            sm.add_permission_role(gamma_sqllab_role, perm)
        db_perm = self.get_main_database(sm.get_session).perm
        security.merge_perm(sm, 'database_access', db_perm)
        db_pvm = sm.find_permission_view_menu(
            view_menu_name=db_perm, permission_name='database_access')
        gamma_sqllab_role.permissions.append(db_pvm)
        for perm in sm.find_role('sql_lab').permissions:
            sm.add_permission_role(gamma_sqllab_role, perm)

        admin = appbuilder.sm.find_user('admin')
        if not admin:
            appbuilder.sm.add_user('admin',
                                   'admin',
                                   ' user',
                                   '*****@*****.**',
                                   appbuilder.sm.find_role('Admin'),
                                   password='******')

        gamma = appbuilder.sm.find_user('gamma')
        if not gamma:
            appbuilder.sm.add_user('gamma',
                                   'gamma',
                                   'user',
                                   '*****@*****.**',
                                   appbuilder.sm.find_role('Gamma'),
                                   password='******')

        gamma2 = appbuilder.sm.find_user('gamma2')
        if not gamma2:
            appbuilder.sm.add_user('gamma2',
                                   'gamma2',
                                   'user',
                                   '*****@*****.**',
                                   appbuilder.sm.find_role('Gamma'),
                                   password='******')

        gamma_sqllab_user = appbuilder.sm.find_user('gamma_sqllab')
        if not gamma_sqllab_user:
            appbuilder.sm.add_user('gamma_sqllab',
                                   'gamma_sqllab',
                                   'user',
                                   '*****@*****.**',
                                   gamma_sqllab_role,
                                   password='******')

        alpha = appbuilder.sm.find_user('alpha')
        if not alpha:
            appbuilder.sm.add_user('alpha',
                                   'alpha',
                                   'user',
                                   '*****@*****.**',
                                   appbuilder.sm.find_role('Alpha'),
                                   password='******')
        sm.get_session.commit()
        # create druid cluster and druid datasources
        session = db.session
        cluster = (session.query(DruidCluster).filter_by(
            cluster_name='druid_test').first())
        if not cluster:
            cluster = DruidCluster(cluster_name='druid_test')
            session.add(cluster)
            session.commit()

            druid_datasource1 = DruidDatasource(
                datasource_name='druid_ds_1',
                cluster_name='druid_test',
            )
            session.add(druid_datasource1)
            druid_datasource2 = DruidDatasource(
                datasource_name='druid_ds_2',
                cluster_name='druid_test',
            )
            session.add(druid_datasource2)
            session.commit()
Ejemplo n.º 33
0
 def tearDown(self):
     self.logout()
     override_me = sm.find_role('override_me')
     override_me.permissions = []
     db.session.commit()
     db.session.close()
Ejemplo n.º 34
0
    def __init__(self, *args, **kwargs):
        if (
                self.requires_examples and
                not os.environ.get('SOLO_TEST') and
                not os.environ.get('examples_loaded')
            ):
            logging.info("Loading examples")
            cli.load_examples(load_test_data=True)
            logging.info("Done loading examples")
            sync_role_definitions()
            os.environ['examples_loaded'] = '1'
        else:
            sync_role_definitions()
        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        gamma_sqllab = sm.add_role("gamma_sqllab")
        for perm in sm.find_role('Gamma').permissions:
            sm.add_permission_role(gamma_sqllab, perm)
        for perm in sm.find_role('sql_lab').permissions:
            sm.add_permission_role(gamma_sqllab, perm)

        admin = appbuilder.sm.find_user('admin')
        if not admin:
            appbuilder.sm.add_user(
                'admin', 'admin', ' user', '*****@*****.**',
                appbuilder.sm.find_role('Admin'),
                password='******')

        gamma = appbuilder.sm.find_user('gamma')
        if not gamma:
            appbuilder.sm.add_user(
                'gamma', 'gamma', 'user', '*****@*****.**',
                appbuilder.sm.find_role('Gamma'),
                password='******')

        gamma_sqllab = appbuilder.sm.find_user('gamma_sqllab')
        if not gamma_sqllab:
            gamma_sqllab = appbuilder.sm.add_user(
                'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**',
                appbuilder.sm.find_role('gamma_sqllab'),
                password='******')

        alpha = appbuilder.sm.find_user('alpha')
        if not alpha:
            appbuilder.sm.add_user(
                'alpha', 'alpha', 'user', '*****@*****.**',
                appbuilder.sm.find_role('Alpha'),
                password='******')

        # create druid cluster and druid datasources
        session = db.session
        cluster = session.query(models.DruidCluster).filter_by(
            cluster_name="druid_test").first()
        if not cluster:
            cluster = models.DruidCluster(cluster_name="druid_test")
            session.add(cluster)
            session.commit()

            druid_datasource1 = models.DruidDatasource(
                datasource_name='druid_ds_1',
                cluster_name='druid_test'
            )
            session.add(druid_datasource1)
            druid_datasource2 = models.DruidDatasource(
                datasource_name='druid_ds_2',
                cluster_name='druid_test'
            )
            session.add(druid_datasource2)
            session.commit()
Ejemplo n.º 35
0
    def test_request_access(self):
        session = db.session
        self.logout()
        self.login(username='******')
        gamma_user = sm.find_user(username='******')
        sm.add_role('dummy_role')
        gamma_user.roles.append(sm.find_role('dummy_role'))
        session.commit()

        ACCESS_REQUEST = ('/superset/request_access?'
                          'datasource_type={}&'
                          'datasource_id={}&'
                          'action={}&')
        ROLE_EXTEND_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_extend={}">Extend {} Role</a>')
        ROLE_GRANT_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}">Grant {} Role</a>')

        # Request table access, there are no roles have this table.

        table1 = session.query(models.SqlaTable).filter_by(
            table_name='random_time_series').first()
        table_1_id = table1.id

        # request access to the table
        resp = self.get_resp(ACCESS_REQUEST.format('table', table_1_id, 'go'))
        assert "Access was requested" in resp
        access_request1 = self.get_access_requests('gamma', 'table',
                                                   table_1_id)
        assert access_request1 is not None

        # Request access, roles exist that contains the table.
        # add table to the existing roles
        table3 = session.query(
            models.SqlaTable).filter_by(table_name='energy_usage').first()
        table_3_id = table3.id
        table3_perm = table3.perm

        sm.add_role('energy_usage_role')
        alpha_role = sm.find_role('Alpha')
        sm.add_permission_role(
            alpha_role,
            sm.find_permission_view_menu('datasource_access', table3_perm))
        sm.add_permission_role(
            sm.find_role("energy_usage_role"),
            sm.find_permission_view_menu('datasource_access', table3_perm))
        session.commit()

        self.get_resp(ACCESS_REQUEST.format('table', table_3_id, 'go'))
        access_request3 = self.get_access_requests('gamma', 'table',
                                                   table_3_id)
        approve_link_3 = ROLE_GRANT_LINK.format('table', table_3_id, 'gamma',
                                                'energy_usage_role',
                                                'energy_usage_role')
        self.assertEqual(access_request3.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_3))

        # Request druid access, there are no roles have this table.
        druid_ds_4 = session.query(models.DruidDatasource).filter_by(
            datasource_name='druid_ds_1').first()
        druid_ds_4_id = druid_ds_4.id

        # request access to the table
        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go'))
        access_request4 = self.get_access_requests('gamma', 'druid',
                                                   druid_ds_4_id)

        self.assertEqual(access_request4.roles_with_datasource,
                         '<ul></ul>'.format(access_request4.id))

        # Case 5. Roles exist that contains the druid datasource.
        # add druid ds to the existing roles
        druid_ds_5 = session.query(models.DruidDatasource).filter_by(
            datasource_name='druid_ds_2').first()
        druid_ds_5_id = druid_ds_5.id
        druid_ds_5_perm = druid_ds_5.perm

        druid_ds_2_role = sm.add_role('druid_ds_2_role')
        admin_role = sm.find_role('Admin')
        sm.add_permission_role(
            admin_role,
            sm.find_permission_view_menu('datasource_access', druid_ds_5_perm))
        sm.add_permission_role(
            druid_ds_2_role,
            sm.find_permission_view_menu('datasource_access', druid_ds_5_perm))
        session.commit()

        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go'))
        access_request5 = self.get_access_requests('gamma', 'druid',
                                                   druid_ds_5_id)
        approve_link_5 = ROLE_GRANT_LINK.format('druid', druid_ds_5_id,
                                                'gamma', 'druid_ds_2_role',
                                                'druid_ds_2_role')
        self.assertEqual(access_request5.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_5))

        # cleanup
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('dummy_role'))
        session.commit()
Ejemplo n.º 36
0
 def tearDownClass(cls):
     override_me = sm.find_role('override_me')
     db.session.delete(override_me)
     db.session.commit()
Ejemplo n.º 37
0
    def test_approve(self, mock_send_mime):
        if app.config.get('ENABLE_ACCESS_REQUEST'):
            session = db.session
            TEST_ROLE_NAME = 'table_role'
            sm.add_role(TEST_ROLE_NAME)

            # Case 1. Grant new role to the user.

            access_request1 = create_access_request(
                session, 'table', 'unicode_test', TEST_ROLE_NAME, 'gamma')
            ds_1_id = access_request1.datasource_id
            self.get_resp(GRANT_ROLE_REQUEST.format(
                'table', ds_1_id, 'gamma', TEST_ROLE_NAME))
            # Test email content.
            self.assertTrue(mock_send_mime.called)
            call_args = mock_send_mime.call_args[0]
            self.assertEqual([sm.find_user(username='******').email,
                              sm.find_user(username='******').email],
                             call_args[1])
            self.assertEqual(
                '[Superset] Access to the datasource {} was granted'.format(
                    self.get_table(ds_1_id).full_name), call_args[2]['Subject'])
            self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
            self.assertIn('unicode_test', call_args[2].as_string())

            access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
            # request was removed
            self.assertFalse(access_requests)
            # user was granted table_role
            user_roles = [r.name for r in sm.find_user('gamma').roles]
            self.assertIn(TEST_ROLE_NAME, user_roles)

            # Case 2. Extend the role to have access to the table

            access_request2 = create_access_request(
                session, 'table', 'long_lat', TEST_ROLE_NAME, 'gamma')
            ds_2_id = access_request2.datasource_id
            long_lat_perm = access_request2.datasource.perm

            self.client.get(EXTEND_ROLE_REQUEST.format(
                'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
            access_requests = self.get_access_requests('gamma', 'table', ds_2_id)

            # Test email content.
            self.assertTrue(mock_send_mime.called)
            call_args = mock_send_mime.call_args[0]
            self.assertEqual([sm.find_user(username='******').email,
                              sm.find_user(username='******').email],
                             call_args[1])
            self.assertEqual(
                '[Superset] Access to the datasource {} was granted'.format(
                    self.get_table(ds_2_id).full_name), call_args[2]['Subject'])
            self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
            self.assertIn('long_lat', call_args[2].as_string())

            # request was removed
            self.assertFalse(access_requests)
            # table_role was extended to grant access to the long_lat table/
            perm_view = sm.find_permission_view_menu(
                'datasource_access', long_lat_perm)
            TEST_ROLE = sm.find_role(TEST_ROLE_NAME)
            self.assertIn(perm_view, TEST_ROLE.permissions)

            # Case 3. Grant new role to the user to access the druid datasource.

            sm.add_role('druid_role')
            access_request3 = create_access_request(
                session, 'druid', 'druid_ds_1', 'druid_role', 'gamma')
            self.get_resp(GRANT_ROLE_REQUEST.format(
                'druid', access_request3.datasource_id, 'gamma', 'druid_role'))

            # user was granted table_role
            user_roles = [r.name for r in sm.find_user('gamma').roles]
            self.assertIn('druid_role', user_roles)

            # Case 4. Extend the role to have access to the druid datasource

            access_request4 = create_access_request(
                session, 'druid', 'druid_ds_2', 'druid_role', 'gamma')
            druid_ds_2_perm = access_request4.datasource.perm

            self.client.get(EXTEND_ROLE_REQUEST.format(
                'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
            # druid_role was extended to grant access to the druid_access_ds_2
            druid_role = sm.find_role('druid_role')
            perm_view = sm.find_permission_view_menu(
                'datasource_access', druid_ds_2_perm)
            self.assertIn(perm_view, druid_role.permissions)

            # cleanup
            gamma_user = sm.find_user(username='******')
            gamma_user.roles.remove(sm.find_role('druid_role'))
            gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME))
            session.delete(sm.find_role('druid_role'))
            session.delete(sm.find_role(TEST_ROLE_NAME))
            session.commit()
Ejemplo n.º 38
0
    def test_approve(self):
        session = db.session
        TEST_ROLE_NAME = 'table_role'
        sm.add_role(TEST_ROLE_NAME)

        def create_access_request(ds_type, ds_name, role_name):
            ds_class = SourceRegistry.sources[ds_type]
            # TODO: generalize datasource names
            if ds_type == 'table':
                ds = session.query(ds_class).filter(
                    ds_class.table_name == ds_name).first()
            else:
                ds = session.query(ds_class).filter(
                    ds_class.datasource_name == ds_name).first()
            ds_perm_view = sm.find_permission_view_menu(
                'datasource_access', ds.perm)
            sm.add_permission_role(sm.find_role(role_name), ds_perm_view)
            access_request = models.DatasourceAccessRequest(
                datasource_id=ds.id,
                datasource_type=ds_type,
                created_by_fk=sm.find_user(username='******').id,
            )
            session.add(access_request)
            session.commit()
            return access_request

        EXTEND_ROLE_REQUEST = (
            '/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_extend={}')
        GRANT_ROLE_REQUEST = (
            '/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}')

        # Case 1. Grant new role to the user.

        access_request1 = create_access_request(
            'table', 'unicode_test', TEST_ROLE_NAME)
        ds_1_id = access_request1.datasource_id
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma', TEST_ROLE_NAME))

        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        # request was removed
        self.assertFalse(access_requests)
        # user was granted table_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn(TEST_ROLE_NAME, user_roles)

        # Case 2. Extend the role to have access to the table

        access_request2 = create_access_request('table', 'long_lat', TEST_ROLE_NAME)
        ds_2_id = access_request2.datasource_id
        long_lat_perm = access_request2.datasource.perm

        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
        access_requests = self.get_access_requests('gamma', 'table', ds_2_id)
        # request was removed
        self.assertFalse(access_requests)
        # table_role was extended to grant access to the long_lat table/
        perm_view = sm.find_permission_view_menu(
            'datasource_access', long_lat_perm)
        TEST_ROLE = sm.find_role(TEST_ROLE_NAME)
        self.assertIn(perm_view, TEST_ROLE.permissions)

        # Case 3. Grant new role to the user to access the druid datasource.

        sm.add_role('druid_role')
        access_request3 = create_access_request('druid', 'druid_ds_1', 'druid_role')
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'druid', access_request3.datasource_id, 'gamma', 'druid_role'))

        # user was granted table_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn('druid_role', user_roles)

        # Case 4. Extend the role to have access to the druid datasource

        access_request4 = create_access_request('druid', 'druid_ds_2', 'druid_role')
        druid_ds_2_perm = access_request4.datasource.perm

        self.client.get(EXTEND_ROLE_REQUEST.format(
            'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
        # druid_role was extended to grant access to the druid_access_ds_2
        druid_role = sm.find_role('druid_role')
        perm_view = sm.find_permission_view_menu(
            'datasource_access', druid_ds_2_perm)
        self.assertIn(perm_view, druid_role.permissions)

        # cleanup
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('druid_role'))
        gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME))
        session.delete(sm.find_role('druid_role'))
        session.delete(sm.find_role(TEST_ROLE_NAME))
        session.commit()
Ejemplo n.º 39
0
    def test_request_access(self):
        session = db.session
        self.logout()
        self.login(username='******')
        gamma_user = sm.find_user(username='******')
        sm.add_role('dummy_role')
        gamma_user.roles.append(sm.find_role('dummy_role'))
        session.commit()

        ACCESS_REQUEST = (
            '/superset/request_access?'
            'datasource_type={}&'
            'datasource_id={}&'
            'action={}&')
        ROLE_EXTEND_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_extend={}">Extend {} Role</a>')
        ROLE_GRANT_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}">Grant {} Role</a>')

        # Request table access, there are no roles have this table.

        table1 = session.query(models.SqlaTable).filter_by(
            table_name='random_time_series').first()
        table_1_id = table1.id

        # request access to the table
        resp = self.get_resp(
            ACCESS_REQUEST.format('table', table_1_id, 'go'))
        assert "Access was requested" in resp
        access_request1 = self.get_access_requests('gamma', 'table', table_1_id)
        assert access_request1 is not None

        # Request access, roles exist that contains the table.
        # add table to the existing roles
        table3 = session.query(models.SqlaTable).filter_by(
            table_name='energy_usage').first()
        table_3_id = table3.id
        table3_perm = table3.perm

        sm.add_role('energy_usage_role')
        alpha_role = sm.find_role('Alpha')
        sm.add_permission_role(
            alpha_role,
            sm.find_permission_view_menu('datasource_access', table3_perm))
        sm.add_permission_role(
            sm.find_role("energy_usage_role"),
            sm.find_permission_view_menu('datasource_access', table3_perm))
        session.commit()

        self.get_resp(
            ACCESS_REQUEST.format('table', table_3_id, 'go'))
        access_request3 = self.get_access_requests('gamma', 'table', table_3_id)
        approve_link_3 = ROLE_GRANT_LINK.format(
            'table', table_3_id, 'gamma', 'energy_usage_role',
            'energy_usage_role')
        self.assertEqual(access_request3.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_3))

        # Request druid access, there are no roles have this table.
        druid_ds_4 = session.query(models.DruidDatasource).filter_by(
            datasource_name='druid_ds_1').first()
        druid_ds_4_id = druid_ds_4.id

        # request access to the table
        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go'))
        access_request4 = self.get_access_requests('gamma', 'druid', druid_ds_4_id)

        self.assertEqual(
            access_request4.roles_with_datasource,
            '<ul></ul>'.format(access_request4.id))

        # Case 5. Roles exist that contains the druid datasource.
        # add druid ds to the existing roles
        druid_ds_5 = session.query(models.DruidDatasource).filter_by(
            datasource_name='druid_ds_2').first()
        druid_ds_5_id = druid_ds_5.id
        druid_ds_5_perm = druid_ds_5.perm

        druid_ds_2_role = sm.add_role('druid_ds_2_role')
        admin_role = sm.find_role('Admin')
        sm.add_permission_role(
            admin_role,
            sm.find_permission_view_menu('datasource_access', druid_ds_5_perm))
        sm.add_permission_role(
            druid_ds_2_role,
            sm.find_permission_view_menu('datasource_access', druid_ds_5_perm))
        session.commit()

        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go'))
        access_request5 = self.get_access_requests(
            'gamma', 'druid', druid_ds_5_id)
        approve_link_5 = ROLE_GRANT_LINK.format(
            'druid', druid_ds_5_id, 'gamma', 'druid_ds_2_role',
            'druid_ds_2_role')
        self.assertEqual(access_request5.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_5))

        # cleanup
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('dummy_role'))
        session.commit()
Ejemplo n.º 40
0
    def test_approve(self):
        session = db.session
        TEST_ROLE_NAME = 'table_role'
        sm.add_role(TEST_ROLE_NAME)

        def create_access_request(ds_type, ds_name, role_name):
            ds_class = SourceRegistry.sources[ds_type]
            # TODO: generalize datasource names
            if ds_type == 'table':
                ds = session.query(ds_class).filter(
                    ds_class.table_name == ds_name).first()
            else:
                ds = session.query(ds_class).filter(
                    ds_class.datasource_name == ds_name).first()
            ds_perm_view = sm.find_permission_view_menu(
                'datasource_access', ds.perm)
            sm.add_permission_role(sm.find_role(role_name), ds_perm_view)
            access_request = models.DatasourceAccessRequest(
                datasource_id=ds.id,
                datasource_type=ds_type,
                created_by_fk=sm.find_user(username='******').id,
            )
            session.add(access_request)
            session.commit()
            return access_request

        EXTEND_ROLE_REQUEST = (
            '/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_extend={}')
        GRANT_ROLE_REQUEST = (
            '/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}')

        # Case 1. Grant new role to the user.

        access_request1 = create_access_request(
            'table', 'unicode_test', TEST_ROLE_NAME)
        ds_1_id = access_request1.datasource_id
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma', TEST_ROLE_NAME))

        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        # request was removed
        self.assertFalse(access_requests)
        # user was granted table_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn(TEST_ROLE_NAME, user_roles)

        # Case 2. Extend the role to have access to the table

        access_request2 = create_access_request('table', 'long_lat', TEST_ROLE_NAME)
        ds_2_id = access_request2.datasource_id
        long_lat_perm = access_request2.datasource.perm

        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
        access_requests = self.get_access_requests('gamma', 'table', ds_2_id)
        # request was removed
        self.assertFalse(access_requests)
        # table_role was extended to grant access to the long_lat table/
        perm_view = sm.find_permission_view_menu(
            'datasource_access', long_lat_perm)
        TEST_ROLE = sm.find_role(TEST_ROLE_NAME)
        self.assertIn(perm_view, TEST_ROLE.permissions)

        # Case 3. Grant new role to the user to access the druid datasource.

        sm.add_role('druid_role')
        access_request3 = create_access_request('druid', 'druid_ds_1', 'druid_role')
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'druid', access_request3.datasource_id, 'gamma', 'druid_role'))

        # user was granted table_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn('druid_role', user_roles)

        # Case 4. Extend the role to have access to the druid datasource

        access_request4 = create_access_request('druid', 'druid_ds_2', 'druid_role')
        druid_ds_2_perm = access_request4.datasource.perm

        self.client.get(EXTEND_ROLE_REQUEST.format(
            'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
        # druid_role was extended to grant access to the druid_access_ds_2
        druid_role = sm.find_role('druid_role')
        perm_view = sm.find_permission_view_menu(
            'datasource_access', druid_ds_2_perm)
        self.assertIn(perm_view, druid_role.permissions)

        # cleanup
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('druid_role'))
        gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME))
        session.delete(sm.find_role('druid_role'))
        session.delete(sm.find_role(TEST_ROLE_NAME))
        session.commit()
Ejemplo n.º 41
0
    def __init__(self, *args, **kwargs):
        if (
                        self.requires_examples and
                        not os.environ.get('SOLO_TEST') and
                        not os.environ.get('examples_loaded')
        ):
            logging.info("Loading examples")
            cli.load_examples(load_test_data=True)
            logging.info("Done loading examples")
            sync_role_definitions()
            os.environ['examples_loaded'] = '1'
        else:
            sync_role_definitions()
        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        gamma_sqllab_role = sm.add_role("gamma_sqllab")
        for perm in sm.find_role('Gamma').permissions:
            sm.add_permission_role(gamma_sqllab_role, perm)
        db_perm = self.get_main_database(sm.get_session).perm
        security.merge_perm(sm, 'database_access', db_perm)
        db_pvm = sm.find_permission_view_menu(
            view_menu_name=db_perm, permission_name='database_access')
        gamma_sqllab_role.permissions.append(db_pvm)
        for perm in sm.find_role('sql_lab').permissions:
            sm.add_permission_role(gamma_sqllab_role, perm)

        admin = appbuilder.sm.find_user('admin')
        if not admin:
            appbuilder.sm.add_user(
                'admin', 'admin', ' user', '*****@*****.**',
                appbuilder.sm.find_role('Admin'),
                password='******')

        gamma = appbuilder.sm.find_user('gamma')
        if not gamma:
            appbuilder.sm.add_user(
                'gamma', 'gamma', 'user', '*****@*****.**',
                appbuilder.sm.find_role('Gamma'),
                password='******')

        gamma2 = appbuilder.sm.find_user('gamma2')
        if not gamma2:
            appbuilder.sm.add_user(
                'gamma2', 'gamma2', 'user', '*****@*****.**',
                appbuilder.sm.find_role('Gamma'),
                password='******')

        gamma_sqllab_user = appbuilder.sm.find_user('gamma_sqllab')
        if not gamma_sqllab_user:
            appbuilder.sm.add_user(
                'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**',
                gamma_sqllab_role, password='******')

        alpha = appbuilder.sm.find_user('alpha')
        if not alpha:
            appbuilder.sm.add_user(
                'alpha', 'alpha', 'user', '*****@*****.**',
                appbuilder.sm.find_role('Alpha'),
                password='******')
        sm.get_session.commit()
        # create druid cluster and druid datasources
        session = db.session
        cluster = (
            session.query(DruidCluster)
            .filter_by(cluster_name="druid_test")
            .first()
        )
        if not cluster:
            cluster = DruidCluster(cluster_name="druid_test")
            session.add(cluster)
            session.commit()

            druid_datasource1 = DruidDatasource(
                datasource_name='druid_ds_1',
                cluster_name='druid_test'
            )
            session.add(druid_datasource1)
            druid_datasource2 = DruidDatasource(
                datasource_name='druid_ds_2',
                cluster_name='druid_test'
            )
            session.add(druid_datasource2)
            session.commit()
Ejemplo n.º 42
0
def get_perm_tuples(role_name):
    perm_set = set()
    for perm in sm.find_role(role_name).permissions:
        perm_set.add((perm.permission.name, perm.view_menu.name))
    return perm_set
Ejemplo n.º 43
0
 def tearDown(self):
     self.logout()
     override_me = sm.find_role('override_me')
     override_me.permissions = []
     db.session.commit()
     db.session.close()
Ejemplo n.º 44
0
    def test_approve(self, mock_send_mime):
        session = db.session
        TEST_ROLE_NAME = 'table_role'
        sm.add_role(TEST_ROLE_NAME)

        # Case 1. Grant new role to the user.

        access_request1 = create_access_request(session, 'table',
                                                'unicode_test', TEST_ROLE_NAME,
                                                'gamma')
        ds_1_id = access_request1.datasource_id
        resp = self.get_resp(
            GRANT_ROLE_REQUEST.format('table', ds_1_id, 'gamma',
                                      TEST_ROLE_NAME))

        # Test email content.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        self.assertEqual([
            sm.find_user(username='******').email,
            sm.find_user(username='******').email
        ], call_args[1])
        self.assertEqual(
            '[Superset] Access to the datasource {} was granted'.format(
                self.get_table(ds_1_id).full_name), call_args[2]['Subject'])
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn('unicode_test', call_args[2].as_string())

        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        # request was removed
        self.assertFalse(access_requests)
        # user was granted table_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn(TEST_ROLE_NAME, user_roles)

        # Case 2. Extend the role to have access to the table

        access_request2 = create_access_request(session, 'table', 'long_lat',
                                                TEST_ROLE_NAME, 'gamma')
        ds_2_id = access_request2.datasource_id
        long_lat_perm = access_request2.datasource.perm

        self.client.get(
            EXTEND_ROLE_REQUEST.format('table', access_request2.datasource_id,
                                       'gamma', TEST_ROLE_NAME))
        access_requests = self.get_access_requests('gamma', 'table', ds_2_id)

        # Test email content.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        self.assertEqual([
            sm.find_user(username='******').email,
            sm.find_user(username='******').email
        ], call_args[1])
        self.assertEqual(
            '[Superset] Access to the datasource {} was granted'.format(
                self.get_table(ds_2_id).full_name), call_args[2]['Subject'])
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn('long_lat', call_args[2].as_string())

        # request was removed
        self.assertFalse(access_requests)
        # table_role was extended to grant access to the long_lat table/
        perm_view = sm.find_permission_view_menu('datasource_access',
                                                 long_lat_perm)
        TEST_ROLE = sm.find_role(TEST_ROLE_NAME)
        self.assertIn(perm_view, TEST_ROLE.permissions)

        # Case 3. Grant new role to the user to access the druid datasource.

        sm.add_role('druid_role')
        access_request3 = create_access_request(session, 'druid', 'druid_ds_1',
                                                'druid_role', 'gamma')
        self.get_resp(
            GRANT_ROLE_REQUEST.format('druid', access_request3.datasource_id,
                                      'gamma', 'druid_role'))

        # user was granted table_role
        user_roles = [r.name for r in sm.find_user('gamma').roles]
        self.assertIn('druid_role', user_roles)

        # Case 4. Extend the role to have access to the druid datasource

        access_request4 = create_access_request(session, 'druid', 'druid_ds_2',
                                                'druid_role', 'gamma')
        druid_ds_2_perm = access_request4.datasource.perm

        self.client.get(
            EXTEND_ROLE_REQUEST.format('druid', access_request4.datasource_id,
                                       'gamma', 'druid_role'))
        # druid_role was extended to grant access to the druid_access_ds_2
        druid_role = sm.find_role('druid_role')
        perm_view = sm.find_permission_view_menu('datasource_access',
                                                 druid_ds_2_perm)
        self.assertIn(perm_view, druid_role.permissions)

        # cleanup
        gamma_user = sm.find_user(username='******')
        gamma_user.roles.remove(sm.find_role('druid_role'))
        gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME))
        session.delete(sm.find_role('druid_role'))
        session.delete(sm.find_role(TEST_ROLE_NAME))
        session.commit()
Ejemplo n.º 45
0
 def tearDownClass(cls):
     override_me = sm.find_role('override_me')
     db.session.delete(override_me)
     db.session.commit()
Ejemplo n.º 46
0
    def __init__(self, *args, **kwargs):
        if (self.requires_examples and not os.environ.get('SOLO_TEST')
                and not os.environ.get('examples_loaded')):
            logging.info("Loading examples")
            cli.load_examples(load_test_data=True)
            logging.info("Done loading examples")
            sync_role_definitions()
            os.environ['examples_loaded'] = '1'
        else:
            sync_role_definitions()
        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        gamma_sqllab = sm.add_role("gamma_sqllab")
        for perm in sm.find_role('Gamma').permissions:
            sm.add_permission_role(gamma_sqllab, perm)
        for perm in sm.find_role('sql_lab').permissions:
            sm.add_permission_role(gamma_sqllab, perm)

        admin = appbuilder.sm.find_user('admin')
        if not admin:
            appbuilder.sm.add_user('admin',
                                   'admin',
                                   ' user',
                                   '*****@*****.**',
                                   appbuilder.sm.find_role('Admin'),
                                   password='******')

        gamma = appbuilder.sm.find_user('gamma')
        if not gamma:
            appbuilder.sm.add_user('gamma',
                                   'gamma',
                                   'user',
                                   '*****@*****.**',
                                   appbuilder.sm.find_role('Gamma'),
                                   password='******')

        gamma_sqllab = appbuilder.sm.find_user('gamma_sqllab')
        if not gamma_sqllab:
            gamma_sqllab = appbuilder.sm.add_user(
                'gamma_sqllab',
                'gamma_sqllab',
                'user',
                '*****@*****.**',
                appbuilder.sm.find_role('gamma_sqllab'),
                password='******')

        alpha = appbuilder.sm.find_user('alpha')
        if not alpha:
            appbuilder.sm.add_user('alpha',
                                   'alpha',
                                   'user',
                                   '*****@*****.**',
                                   appbuilder.sm.find_role('Alpha'),
                                   password='******')

        # create druid cluster and druid datasources
        session = db.session
        cluster = session.query(
            models.DruidCluster).filter_by(cluster_name="druid_test").first()
        if not cluster:
            cluster = models.DruidCluster(cluster_name="druid_test")
            session.add(cluster)
            session.commit()

            druid_datasource1 = models.DruidDatasource(
                datasource_name='druid_ds_1', cluster_name='druid_test')
            session.add(druid_datasource1)
            druid_datasource2 = models.DruidDatasource(
                datasource_name='druid_ds_2', cluster_name='druid_test')
            session.add(druid_datasource2)
            session.commit()
Ejemplo n.º 47
0
 def assert_admin_permission_in(role_name, assert_func):
     role = sm.find_role(role_name)
     permissions = [p.permission.name for p in role.permissions]
     assert_func('can_sync_druid_source', permissions)
     assert_func('can_approve', permissions)
Ejemplo n.º 48
0
 def assert_admin_permission_in(role_name, assert_func):
     role = sm.find_role(role_name)
     permissions = [p.permission.name for p in role.permissions]
     assert_func('can_sync_druid_source', permissions)
     assert_func('can_approve', permissions)
Ejemplo n.º 49
0
    def __init__(self, *args, **kwargs):
        if self.requires_examples and not os.environ.get("SOLO_TEST") and not os.environ.get("examples_loaded"):
            logging.info("Loading examples")
            cli.load_examples(load_test_data=True)
            logging.info("Done loading examples")
            sync_role_definitions()
            os.environ["examples_loaded"] = "1"
        else:
            sync_role_definitions()
        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        gamma_sqllab_role = sm.add_role("gamma_sqllab")
        for perm in sm.find_role("Gamma").permissions:
            sm.add_permission_role(gamma_sqllab_role, perm)
        db_perm = self.get_main_database(sm.get_session).perm
        security.merge_perm(sm, "database_access", db_perm)
        db_pvm = sm.find_permission_view_menu(view_menu_name=db_perm, permission_name="database_access")
        gamma_sqllab_role.permissions.append(db_pvm)
        for perm in sm.find_role("sql_lab").permissions:
            sm.add_permission_role(gamma_sqllab_role, perm)

        admin = appbuilder.sm.find_user("admin")
        if not admin:
            appbuilder.sm.add_user(
                "admin", "admin", " user", "*****@*****.**", appbuilder.sm.find_role("Admin"), password="******"
            )

        gamma = appbuilder.sm.find_user("gamma")
        if not gamma:
            appbuilder.sm.add_user(
                "gamma", "gamma", "user", "*****@*****.**", appbuilder.sm.find_role("Gamma"), password="******"
            )

        gamma_sqllab_user = appbuilder.sm.find_user("gamma_sqllab")
        if not gamma_sqllab_user:
            appbuilder.sm.add_user(
                "gamma_sqllab", "gamma_sqllab", "user", "*****@*****.**", gamma_sqllab_role, password="******"
            )

        alpha = appbuilder.sm.find_user("alpha")
        if not alpha:
            appbuilder.sm.add_user(
                "alpha", "alpha", "user", "*****@*****.**", appbuilder.sm.find_role("Alpha"), password="******"
            )
        sm.get_session.commit()

        # create druid cluster and druid datasources
        session = db.session
        cluster = session.query(models.DruidCluster).filter_by(cluster_name="druid_test").first()
        if not cluster:
            cluster = models.DruidCluster(cluster_name="druid_test")
            session.add(cluster)
            session.commit()

            druid_datasource1 = models.DruidDatasource(datasource_name="druid_ds_1", cluster_name="druid_test")
            session.add(druid_datasource1)
            druid_datasource2 = models.DruidDatasource(datasource_name="druid_ds_2", cluster_name="druid_test")
            session.add(druid_datasource2)
            session.commit()