def generate_tasks_for_cycle(self, group_count, task_count):
"""generate number of task groups and task for current task group"""
role_names = ("Task Assignees", "Task Secondary Assignees")
results = {}
with single_commit():
workflow = factories.WorkflowFactory()
cycle = factories.CycleFactory(workflow=workflow)
task_group = factories.TaskGroupFactory(workflow=workflow)
for idx in range(group_count):
person = PersonFactory(name="user for group {}".format(idx))
cycle_task_group = factories.CycleTaskGroupFactory(
cycle=cycle, contact=person)
for _ in range(task_count):
task_group_task = factories.TaskGroupTaskFactory(
task_group=task_group)
for r_name in role_names:
ggrc_factories.AccessControlListFactory(
object=task_group_task,
person=person,
ac_role_id=self.get_role_id_for_obj(
task_group_task, r_name))
task = factories.CycleTaskGroupObjectTaskFactory(
cycle=cycle,
cycle_task_group=cycle_task_group,
task_group_task=task_group_task)
for r_name in role_names:
ggrc_factories.AccessControlListFactory(
object=task,
person=person,
ac_role_id=self.get_role_id_for_obj(task, r_name))
results[task.id] = cycle_task_group.slug
return results
def test_full_access_control_list(self):
"""Test if access_control_list property filters out propagated roles
Before sending the access_control_list to the frontend, propagated roles
need to be filtered out to help prevent performance issues"""
with factories.single_commit():
# Create an object with one external and one propagated role
obj = factories.ControlFactory()
acl = factories.AccessControlListFactory(object=obj,
ac_role=self.role,
person=self.person)
factories.AccessControlListFactory(object=obj,
ac_role=self.role,
person=self.person,
parent=acl)
# full_access_control_list should have all rows:
self.assertEqual(len(obj.full_access_control_list), 2,
"full_access_control_list doesn't include all roles")
# access_control_list should only have non propagated ones
self.assertEqual(len(obj.access_control_list), 1,
"access_control_list doesn't include all the roles")
obj_id, acl_id = obj.id, acl.id
api = api_helper.Api()
response = api.get(all_models.Control, obj_id)
acl = response.json["control"]["access_control_list"]
# Check if the response filtered out the propagated access_control_role
self.assertEqual(len(acl), 1,
"acl didn't filter out propagated roles correctly")
self.assertEqual(acl[0]["id"], acl_id,
"acl didn't filter out propagated roles correctly")
def test_propagate_all(self):
"""Test clean propagation of all ACL entries."""
with factories.single_commit():
person = factories.PersonFactory()
task = wf_factories.TaskGroupTaskFactory()
audit = factories.AuditFactory()
factories.RelationshipFactory(
source=audit,
destination=audit.program,
)
acl_ids = [
factories.AccessControlListFactory(
ac_role=self.roles["Program"]["Program Editors"],
object=audit.program,
person=person,
).id
]
factories.AccessControlListFactory(
ac_role=self.roles["Workflow"]["Workflow Member"],
object=task.workflow,
person=person,
)
# propagate all non WF entries
propagation._propagate(acl_ids)
self.assertEqual(all_models.AccessControlList.query.count(), 4)
all_models.AccessControlList.query.filter(
all_models.AccessControlList.parent_id.isnot(None)).delete()
self.assertEqual(all_models.AccessControlList.query.count(), 2)
# propagate all including WF entries
propagation.propagate_all()
self.assertEqual(all_models.AccessControlList.query.count(), 6)
def _create_assessments(self, audit, types, offset=1):
"""Create one assessment for each assessment type in a given audit."""
user = models.Person.query.first()
for i, type_ in enumerate(types):
assessment = self._create_obj(
factories.AssessmentFactory,
"Assessment {}".format(i + offset),
audit=audit,
assessment_type=type_,
)
if i % 2 == 0:
factories.RelationshipFactory(source=audit,
destination=assessment)
else:
factories.RelationshipFactory(source=assessment,
destination=audit)
factories.AccessControlListFactory(
ac_role_id=self.assignee_roles["Assignees"],
person=user,
object=assessment)
factories.AccessControlListFactory(
ac_role_id=self.assignee_roles["Creators"],
person=user,
object=assessment)
def test_partially_rights(self):
"""Test generation if user has rights on part of Assessments."""
audit_id, assessment_ids = self.setup_assessments(3)
changed_asmnt_id = assessment_ids[0]
norights_asmnt_ids = assessment_ids[1:]
_, assignee_user = self.gen.generate_person(user_role="Creator")
with factories.single_commit():
factories.AccessControlListFactory(
object_id=changed_asmnt_id,
object_type="Assessment",
ac_role_id=role.get_ac_roles_for("Assessment")["Creators"].id,
person_id=assignee_user.id,
)
audit_role = factories.AccessControlRoleFactory(
name="Edit Role", object_type="Audit", update=True)
factories.AccessControlListFactory(
object_id=audit_id,
object_type="Audit",
ac_role_id=audit_role.id,
person_id=assignee_user.id,
)
self.api.set_user(assignee_user)
response = self.generate_children_issues_for("Audit", audit_id,
"Assessment")
self.assert200(response)
self.assert_children_asmnt_issues([changed_asmnt_id])
self.assert_not_updated("Assessment", norights_asmnt_ids)
def test_put_mapped_roles(self):
"""Test mapped roles creation when assessment updated"""
with factories.single_commit():
person = factories.PersonFactory()
person_email = person.email
audit = factories.AuditFactory()
assessment = factories.AssessmentFactory(audit=audit)
factories.AccessControlListFactory(
ac_role_id=self.assignee_roles["Assignees"],
person=person,
object=assessment
)
factories.AccessControlListFactory(
ac_role_id=self.assignee_roles["Creators"],
person=person,
object=assessment
)
factories.RelationshipFactory(source=audit, destination=assessment)
# Add verifier to Assessment
response = self.api.put(assessment, {
"access_control_list": [
acl_helper.get_acl_json(role_id, person.id)
for role_id in self.assignee_roles.values()
]
})
self.assertEqual(response.status_code, 200)
db.session.add_all([audit, assessment])
self.assert_mapped_role("Verifiers", person_email, assessment)
self.assert_propagated_role("Verifiers", person_email, audit)
def setUp(self):
super(TestRevisionHistory, self).setUp()
self.api = Api()
roles = {r.name: r for r in all_models.Role.query.all()}
ac_roles = {
r.name: r
for r in all_models.AccessControlRole.query.all()
}
with factories.single_commit():
self.control = factories.ControlFactory()
acrs = {
"ACL_Reader":
factories.AccessControlRoleFactory(name="ACL_Reader",
object_type="Control",
update=0),
"ACL_Editor":
factories.AccessControlRoleFactory(name="ACL_Editor",
object_type="Control"),
}
self.program = factories.ProgramFactory()
self.program.context.related_object = self.program
self.relationship = factories.RelationshipFactory(
source=self.program,
destination=self.control,
context=self.program.context,
)
self.people = {
"Creator": factories.PersonFactory(),
"Reader": factories.PersonFactory(),
"Editor": factories.PersonFactory(),
"Administrator": factories.PersonFactory(),
"ACL_Reader": factories.PersonFactory(),
"ACL_Editor": factories.PersonFactory(),
"Program Editors": factories.PersonFactory(),
"Program Managers": factories.PersonFactory(),
"Program Readers": factories.PersonFactory(),
}
for role_name in ["Creator", "Reader", "Editor", "Administrator"]:
rbac_factories.UserRoleFactory(role=roles[role_name],
person=self.people[role_name])
for role_name in [
"Program Editors", "Program Managers", "Program Readers"
]:
person = self.people[role_name]
rbac_factories.UserRoleFactory(role=roles["Creator"],
person=person)
factories.AccessControlListFactory(
ac_role=ac_roles[role_name],
object=self.program,
person=self.people[role_name])
with factories.single_commit():
for role_name in ["ACL_Reader", "ACL_Editor"]:
rbac_factories.UserRoleFactory(role=roles["Creator"],
person=self.people[role_name])
factories.AccessControlListFactory(
ac_role=acrs[role_name],
object=self.control,
person=self.people[role_name])
def test_relationship_single_layer(self):
"""Test single layer propagation through relationships.
Test propagation of a new relationship between audit and assessment. Here
we check that propagation happens both ways on the relationship creation.
"""
with factories.single_commit():
person = factories.PersonFactory()
audit = factories.AuditFactory()
assessment1 = factories.AssessmentFactory(audit=audit)
assessment2 = factories.AssessmentFactory(audit=audit)
# This is excluded from propagation to test for proper filtering
assessment3 = factories.AssessmentFactory(audit=audit)
factories.RelationshipFactory(source=assessment3,
destination=audit)
relationship_ids = [
factories.RelationshipFactory(
source=assessment1,
destination=audit,
).id,
factories.RelationshipFactory(
source=audit,
destination=assessment2,
).id,
]
factories.AccessControlListFactory(
ac_role=self.roles["Audit"]["Audit Captains"],
object=audit,
person=person,
)
factories.AccessControlListFactory(
ac_role=self.roles["Assessment"]["Assignees"],
object=assessment1,
person=person,
)
factories.AccessControlListFactory(
ac_role=self.roles["Assessment"]["Assignees"],
object=assessment2,
person=person,
)
child_ids = propagation._handle_relationship_step(relationship_ids, [])
self.assertEqual(
all_models.AccessControlList.query.count(), 3 + 2 + 2 + 4
# 3 Initial roles
# 2 roles for assessment 1 propagation to relationship and audit
# 2 roles for assessment 2 propagation to relationship and audit
# 4 for audit role propagation to two relationships and assessments
)
self.assertEqual(
db.session.execute(child_ids.alias("counts").count()).scalar(),
4, # audit captain to both assessments and both assignees to audit
)
def test_audit_clone_auditors(self):
"""Test that auditors get cloned correctly"""
auditor_role = AccessControlRole.query.filter_by(
name="Auditors").first()
audit = factories.AuditFactory()
audit_context = factories.ContextFactory()
audit.context = audit_context
users = ["*****@*****.**", "*****@*****.**", "*****@*****.**"]
auditors = []
for user in users:
person = factories.PersonFactory(email=user)
auditors += [person]
for auditor in auditors:
factories.AccessControlListFactory(ac_role=auditor_role,
object=audit,
person=auditor)
self.assertEqual(
AccessControlList.query.filter_by(ac_role_id=auditor_role.id,
object_type="Audit",
object_id=audit.id).count(), 3,
"Auditors not present")
self.clone_audit(audit)
audit_copy = db.session.query(models.Audit).filter(
models.Audit.title.like("%copy%")).first()
self.assertEqual(
AccessControlList.query.filter_by(ac_role_id=auditor_role.id,
object_type="Audit",
object_id=audit_copy.id).count(),
3, "Auditors not present on copy")
# Verify that contexts are different for original and copy audit
another_user_4 = factories.PersonFactory(email="*****@*****.**")
factories.AccessControlListFactory(ac_role=auditor_role,
object=audit,
person=another_user_4)
self.assertEqual(
AccessControlList.query.filter_by(ac_role_id=auditor_role.id,
object_type="Audit",
object_id=audit.id).count(), 4,
"Auditors not present")
self.assertEqual(
AccessControlList.query.filter_by(ac_role_id=auditor_role.id,
object_type="Audit",
object_id=audit_copy.id).count(),
3, "Auditors not present on copy")
def test_acl_no_reindex_snapshots(self):
"""Test that snapshot reindex is not happened for
acl where person has the same role for
different kind of objects."""
product_admin = all_models.AccessControlRole.query.filter_by(
object_type="Product",
name="Admin"
).first()
system_admin = all_models.AccessControlRole.query.filter_by(
object_type="System",
name="Admin"
).first()
with factories.single_commit():
person = factories.PersonFactory(name="Test Name")
system = factories.SystemFactory()
audit = factories.AuditFactory()
factories.AccessControlListFactory(
ac_role=product_admin,
object=system,
person=person,
)
system_role = factories.AccessControlListFactory(
ac_role=system_admin,
object=system,
person=person,
)
audit_id = audit.id
system_id = system.id
system_role_name = system_role.ac_role.name
person_id = person.id
person_name = person.name
person_email = person.email
revision = all_models.Revision.query.filter(
all_models.Revision.resource_id == system.id,
all_models.Revision.resource_type == system.type
).one()
revision.content = system.log_json()
db.session.add(revision)
db.session.commit()
self._create_snapshots(audit, [system])
self.client.post("/admin/reindex_snapshots")
snapshot = all_models.Snapshot.query.filter(
all_models.Snapshot.parent_id == audit_id,
all_models.Snapshot.parent_type == 'Audit',
all_models.Snapshot.child_id == system_id,
all_models.Snapshot.child_type == 'System',
).one()
self.assert_indexed_fields(snapshot, system_role_name, {
"{}-email".format(person_id): person_email,
"{}-name".format(person_id): person_name,
"__sort__": person_email,
})
def setUp(self):
super(TestCTGOT, self).setUp()
self.api = api_helper.Api()
with factories.single_commit():
assignee_1 = factories.PersonFactory(email=self.TASK_ASSIGNEE_1)
assignee_2 = factories.PersonFactory(email=self.TASK_ASSIGNEE_2)
workflow_admin = factories.PersonFactory(email=self.WORKFLOW_ADMIN)
nobody = factories.PersonFactory(email=self.NOBODY)
reader_role = all_models.Role.query.filter_by(name="Reader").one()
for person in [assignee_1, assignee_2, workflow_admin, nobody]:
bp_factories.UserRoleFactory(person=person,
role=reader_role,
context=None)
workflow = wf_factories.WorkflowFactory()
taskgroup = wf_factories.TaskGroupFactory(workflow=workflow)
task_1 = wf_factories.TaskGroupTaskFactory(task_group=taskgroup)
task_2 = wf_factories.TaskGroupTaskFactory(task_group=taskgroup)
task_role = all_models.AccessControlRole.query.filter(
all_models.AccessControlRole.name == "Task Assignees",
all_models.AccessControlRole.object_type == task_1.type,
).one()
factories.AccessControlListFactory(ac_role=task_role,
object=task_1,
person=assignee_1)
factories.AccessControlListFactory(ac_role=task_role,
object=task_2,
person=assignee_2)
sec_assignee = factories.PersonFactory(
email=self.TASK_SEC_ASSIGNEE)
task_role = all_models.AccessControlRole.query.filter(
all_models.AccessControlRole.name ==
"Task Secondary Assignees",
all_models.AccessControlRole.object_type == task_1.type,
).one()
factories.AccessControlListFactory(ac_role=task_role,
object=task_1,
person=sec_assignee)
wf_admin_role = all_models.AccessControlRole.query.filter(
all_models.AccessControlRole.name == "Admin",
all_models.AccessControlRole.object_type == workflow.type,
).one()
factories.AccessControlListFactory(ac_role=wf_admin_role,
object=workflow,
person=workflow_admin)
generator = wf_generator.WorkflowsGenerator()
self.cycle_id = generator.generate_cycle(workflow)[1].id
generator.activate_workflow(workflow)
def create_audit(self, archived=False):
"""Create an audit object and fix the it's context"""
audit = factories.AuditFactory(archived=archived)
# Add auditor & program editor roles
factories.AccessControlListFactory(ac_role=self.roles['auditors'],
object=audit,
person=self.users['auditor'])
factories.AccessControlListFactory(
ac_role=self.roles['program_editors'],
object=audit,
person=self.users['programeditor'])
return audit
def test_assignee_deletion_unmap(self):
"""Test deletion of assignee roles when snapshot is unmapped."""
with factories.single_commit():
person = factories.PersonFactory()
person_email = person.email
audit = factories.AuditFactory()
assessment = factories.AssessmentFactory(audit=audit)
for ac_role_id in self.assignee_roles.values():
factories.AccessControlListFactory(
ac_role_id=ac_role_id,
person=person,
object=assessment
)
factories.RelationshipFactory(source=audit, destination=assessment)
snapshot = self._create_snapshots(audit, [factories.ControlFactory()])[0]
rel = factories.RelationshipFactory(
source=assessment, destination=snapshot
)
for ac_role in self.assignee_roles.keys():
self.assert_propagated_role(
"{}".format(ac_role), person_email, snapshot
)
response = self.api.delete(rel)
self.assertEqual(response.status_code, 200)
snap_acls = all_models.AccessControlList.query.filter_by(
object_type="Snapshot"
)
self.assertEqual(snap_acls.count(), 0)
def test_index_by_acr(self):
"""Test index by ACR."""
role_name = "Test name"
with factories.single_commit():
acr = factories.AccessControlRoleFactory(name=role_name,
object_type="Control")
person = factories.PersonFactory(email="*****@*****.**",
name='test')
control = factories.ControlFactory()
factories.AccessControlListFactory(ac_role=acr,
person=person,
object=control)
revision = all_models.Revision.query.filter(
all_models.Revision.resource_id == control.id,
all_models.Revision.resource_type == control.type,
).one()
revision.content = control.log_json()
db.session.add(revision)
with factories.single_commit():
snapshot = factories.SnapshotFactory(child_id=control.id,
child_type=control.type,
revision=revision)
db.session.expire_all()
person_id = person.id
snapshot_id = snapshot.id
self.client.post("/admin/full_reindex")
person = all_models.Person.query.get(person_id)
snapshot = all_models.Snapshot.query.get(snapshot_id)
self.assert_indexed_fields(
snapshot, role_name, {
"{}-email".format(person.id): person.email,
"{}-name".format(person.id): person.name,
"__sort__": person.email,
})
def test_single_acl_to_multiple(self, count):
"""Test propagation of single ACL entry to multiple children."""
with factories.single_commit():
person = factories.PersonFactory()
program = factories.ProgramFactory()
for i in range(count):
audit = factories.AuditFactory(program=program)
factories.RelationshipFactory(
source=program if i % 2 == 0 else audit,
destination=program if i % 2 == 1 else audit,
)
acl_entry = factories.AccessControlListFactory(
ac_role=self.roles["Program"]["Program Editors"],
object=program,
person=person,
)
self.assertEqual(all_models.AccessControlList.query.count(), 1)
child_ids = propagation._handle_acl_step([acl_entry.id])
self.assertEqual(
all_models.AccessControlList.query.count(),
# 1 original ACL entry, 2*count for objects+relationships
1 + count * 2)
self.assertEqual(
db.session.execute(child_ids.alias("counts").count()).scalar(),
count,
)
def test_index_deleted_acr(self):
"""Test index by removed ACR."""
role_name = "Test name"
with factories.single_commit():
acr = factories.AccessControlRoleFactory(name=role_name,
object_type="Control")
person = factories.PersonFactory(email="*****@*****.**",
name='test')
control = factories.ControlFactory()
factories.AccessControlListFactory(ac_role=acr,
person=person,
object=control)
revision = all_models.Revision.query.filter(
all_models.Revision.resource_id == control.id,
all_models.Revision.resource_type == control.type,
).one()
revision.content = control.log_json()
db.session.add(revision)
with factories.single_commit():
snapshot = factories.SnapshotFactory(child_id=control.id,
child_type=control.type,
revision=revision)
db.session.expire_all()
db.session.delete(acr)
db.session.commit()
snapshot_id = snapshot.id
self.client.post("/admin/full_reindex")
snapshot = all_models.Snapshot.query.get(snapshot_id)
all_found_records = dict(
Record.query.filter(Record.key == snapshot.id,
Record.type == snapshot.type,
Record.property == role_name.lower()).values(
"subproperty", "content"))
self.assertFalse(all_found_records)
def test_propagation_conflict(self):
"""Test propagation conflicts
When we create a new acl entry and a new relationship in the same commit
some roles would be propagated twice and would cause unique constraint
errors. This test checks for the most basic such scenario.
"""
with factories.single_commit():
person = factories.PersonFactory()
audit = factories.AuditFactory()
relationship = factories.RelationshipFactory(
source=audit,
destination=audit.program,
)
acl_entry = factories.AccessControlListFactory(
ac_role=self.roles["Program"]["Program Editors"],
object=audit.program,
person=person,
)
with app.app.app_context():
flask.g.new_acl_ids = {acl_entry.id}
flask.g.new_relationship_ids = {relationship.id}
flask.g.deleted_objects = set()
propagation.propagate()
db.session.commit()
self.assertEqual(all_models.AccessControlList.query.count(), 3)
def test_acl_roles_clear(self):
"""Test clearing ACL roles for Program with '--' value"""
with factories.single_commit():
program = factories.ProgramFactory()
for role in [
"Program Editors", "Program Editors", "Program Readers"
]:
person = factories.PersonFactory()
ac_role = models.all_models.AccessControlRole.query.filter_by(
object_type=program.type,
name=role,
).first()
factories.AccessControlListFactory(
ac_role=ac_role,
object=program,
person=person,
)
for role in {"Program Editors", "Program Readers"}:
response = self.import_data(
OrderedDict([
("object_type", program.type),
("code", program.slug),
(role, "--"),
]))
self._check_csv_response(response, {})
program = models.all_models.Program.query.first()
for acl in program.access_control_list:
self.assertNotEqual(acl.ac_role.name, role)
def test_partial_acl_to_multiple(self, partial_count):
"""Test propagating only a few acl entries to multiple objects."""
audit_count = 3
people_count = 4
program_roles = ["Program Editors", "Program Readers"]
with factories.single_commit():
people = [factories.PersonFactory() for _ in range(people_count)]
program = factories.ProgramFactory()
for i in range(audit_count):
audit = factories.AuditFactory(program=program)
factories.RelationshipFactory(
source=program if i % 2 == 0 else audit,
destination=program if i % 2 == 1 else audit,
)
acl_ids = []
for person in people:
for role_name in program_roles:
acl_ids.append(
factories.AccessControlListFactory(
ac_role=self.roles["Program"][role_name],
object=program,
person=person,
).id, )
self.assertEqual(all_models.AccessControlList.query.count(),
people_count * len(program_roles))
propagate_acl_ids = acl_ids[:partial_count]
child_ids = propagation._handle_acl_step(propagate_acl_ids)
self.assertEqual(
all_models.AccessControlList.query.count(),
len(acl_ids) + len(propagate_acl_ids) * audit_count * 2)
self.assertEqual(
db.session.execute(child_ids.alias("counts").count()).scalar(),
audit_count * len(propagate_acl_ids))
def create_assignees(cls, obj, persons):
"""Create assignees for object.
This is used only during object creation because we cannot create
assignees at that point yet.
Args:
obj: Assignable object.
persons: [("(string) email", "Assignee roles"), ...] A list of people
and their roles
Returns:
[(person, acr_role), ...] A list of persons with their roles.
"""
from ggrc.access_control.role import get_custom_roles_for
ac_roles = {
acr_name: acr_id
for acr_id, acr_name in get_custom_roles_for(obj.type).items()
}
assignees = []
with factories.single_commit():
for person, roles in persons:
person = factories.PersonFactory(email=person)
for role in roles.split(","):
factories.AccessControlListFactory(
person=person,
ac_role_id=ac_roles[role],
object=obj
)
assignees.append((person, role))
return assignees
def test_no_reindex_acr_for_diff_obj(self, logger):
"""Test that no reindex records appear if
acl is populated with other's obj role."""
product_admin = all_models.AccessControlRole.query.filter_by(
object_type="Product", name="Admin").first()
with factories.single_commit():
person = factories.PersonFactory(name="Test Name")
system = factories.SystemFactory()
audit = factories.AuditFactory()
factories.AccessControlListFactory(
ac_role=product_admin,
object=system,
person=person,
)
system_id = system.id
revision = all_models.Revision.query.filter(
all_models.Revision.resource_id == system.id,
all_models.Revision.resource_type == system.type).one()
revision.content = system.log_json()
db.session.add(revision)
db.session.commit()
self._create_snapshots(audit, [system])
fulltext_records = Record.query.filter(
Record.key == system_id,
Record.type == "System",
Record.property == "Admin",
).all()
self.assertEqual(len(fulltext_records), 0)
logger.warning.assert_called_once_with(
"Reindex: role %s, id %s is skipped for %s, id %s, "
"because it relates to %s", product_admin.name, product_admin.id,
system.__class__.__name__, system.id, product_admin.object_type)
def test_mapped_regulations_acl(self):
"""Test creation of acl roles for Regulations and Objective snapshots."""
with factories.single_commit():
person = factories.PersonFactory()
person_email = person.email
audit = factories.AuditFactory()
assessment = factories.AssessmentFactory(audit=audit)
for ac_role_id in self.assignee_roles.values():
factories.AccessControlListFactory(
ac_role_id=ac_role_id, person=person, object=assessment
)
factories.RelationshipFactory(source=audit, destination=assessment)
control = factories.ControlFactory()
objective = factories.ObjectiveFactory()
regulation = factories.RegulationFactory()
snapshots = self._create_snapshots(
audit, [control, objective, regulation]
)
factories.RelationshipFactory(
source=snapshots[0], destination=snapshots[1]
)
factories.RelationshipFactory(
source=snapshots[2], destination=snapshots[0]
)
factories.RelationshipFactory(
source=assessment, destination=snapshots[0]
)
for role in ["Assignees", "Creators", "Verifiers"]:
for snapshot in snapshots:
# Mapped Assignee roles should be created for all snapshots, not only
# for control that related to assessment
self.assert_propagated_role(role, person_email, snapshot)
def test_no_reindex_acr_for_same_obj(self):
"""Test that reindex records appear if
acl is populated with current obj's role."""
system_admin = all_models.AccessControlRole.query.filter_by(
object_type="System", name="Admin").first()
with factories.single_commit():
person = factories.PersonFactory(name="Test Name")
system = factories.SystemFactory()
audit = factories.AuditFactory()
system_role = factories.AccessControlListFactory(
ac_role=system_admin,
object=system,
person=person,
)
system_role_name = system_role.ac_role.name
person_id = person.id
person_name = person.name
person_email = person.email
revision = all_models.Revision.query.filter(
all_models.Revision.resource_id == system.id,
all_models.Revision.resource_type == system.type).one()
revision.content = system.log_json()
db.session.add(revision)
db.session.commit()
self._create_snapshots(audit, [system])
self.assert_indexed_fields(
system, system_role_name, {
"{}-email".format(person_id): person_email,
"{}-name".format(person_id): person_name,
"__sort__": person_email,
})
def test_acl_people(self, my_work_flags, should_return):
"""Owned returns objects where person has role with my_work set."""
with factories.single_commit():
for my_work in my_work_flags:
role = factories.AccessControlRoleFactory(
object_type="Control", my_work=my_work)
factories.AccessControlListFactory(
ac_role=role,
person=self.person,
object=self.control,
)
control_id = self.control.id
ids = self._get_first_result_set(
{
"object_name": "Control",
"type": "ids",
"filters": {
"expression": {
"object_name": "Person",
"op": {
"name": "owned"
},
"ids": [self.person.id]
}
}
}, "Control", "ids")
if should_return:
self.assertEqual(ids, [control_id])
else:
self.assertEqual(ids, [])
def test_autogenerated_no_tmpl(self):
"""Test autogenerated assessment without template ."""
auditors = ["*****@*****.**", "*****@*****.**"]
prince_assignees = ["*****@*****.**", "*****@*****.**"]
with factories.single_commit():
self.generate_acls(auditors, self.auditor_role)
ac_role_id = all_models.AccessControlRole.query.filter_by(
name="Principal Assignees",
object_type=self.snapshot.child_type,
).first().id
users = [factories.PersonFactory(email=e) for e in prince_assignees]
for user in users:
factories.AccessControlListFactory(
person=user,
object_id=self.snapshot.child_id,
object_type=self.snapshot.child_type,
ac_role_id=ac_role_id,
)
self.snapshot.revision.content = self.control.log_json()
db.session.add(self.snapshot.revision)
response = self.assessment_post()
self.assert_assignees("Assignees", response, *prince_assignees)
self.assert_assignees("Verifiers", response, *auditors)
self.assert_assignees("Creators", response, "*****@*****.**")
def test_deletion_mapped_roles(self):
"""Test deletion of mapped roles."""
with factories.single_commit():
person = factories.PersonFactory()
person_email = person.email
audit = factories.AuditFactory()
assessment = factories.AssessmentFactory(audit=audit)
for ac_role_id in self.assignee_roles.values():
factories.AccessControlListFactory(
ac_role_id=ac_role_id,
person=person,
object=assessment
)
factories.RelationshipFactory(source=audit, destination=assessment)
# Remove verifier and assignee from Assessment
response = self.api.put(assessment, {
"access_control_list": [
acl_helper.get_acl_json(self.assignee_roles["Creators"], person.id)
]
})
self.assertEqual(response.status_code, 200)
db.session.add(audit)
self.assert_mapped_role("Creators", person_email, assessment)
self.assert_propagated_role("Creators", person_email, audit)
def create_ac_roles(cls, obj, person_id, role_name="Admin"):
"""Create access control roles"""
ac_role = models.AccessControlRole.query.filter_by(
object_type=obj.type, name=role_name).first()
factories.AccessControlListFactory(ac_role=ac_role,
object=obj,
person_id=person_id)
def test_mapped_roles_saving(self):
"""Test that removing roles for one assessment will not touch second"""
with factories.single_commit():
person = factories.PersonFactory()
person_email = person.email
audit = factories.AuditFactory()
assessments = [
factories.AssessmentFactory(audit=audit) for _ in range(2)
]
snapshot = self._create_snapshots(audit, [factories.ControlFactory()])[0]
snapshot_id = snapshot.id
snap_rels = []
for assessment in assessments:
for ac_role_id in self.assignee_roles.values():
factories.AccessControlListFactory(
ac_role_id=ac_role_id,
person=person,
object=assessment
)
factories.RelationshipFactory(source=audit, destination=assessment)
snap_rels.append(factories.RelationshipFactory(
source=assessment, destination=snapshot
))
response = self.api.delete(snap_rels[0])
self.assertEqual(response.status_code, 200)
snapshot = all_models.Snapshot.query.get(snapshot_id)
for ac_role in self.assignee_roles.keys():
self.assert_propagated_role(
"{}".format(ac_role), person_email, snapshot
)
def test_old_comments(self):
"""Test if notifications will be sent for mix of old and new comments"""
cur_user = all_models.Person.query.filter_by(
email="*****@*****.**").first()
assigee_role_id = {
v: k
for k, v in get_custom_roles_for("Assessment").items()
}["Assignees"]
with factories.single_commit():
assessment = factories.AssessmentFactory()
factories.AccessControlListFactory(ac_role_id=assigee_role_id,
person=cur_user,
object=assessment)
with freeze_time("2015-04-01 17:13:10"):
self.generator.generate_comment(assessment,
"",
"some comment1",
send_notification="true")
self.generator.generate_comment(assessment,
"",
"some comment2",
send_notification="true")
response = self.client.get("/_notifications/show_pending")
for comment in ["some comment1", "some comment2"]:
self.assertIn(
comment, response.data,
"Information about comment '{}' absent in report".format(
comment))
def test_audit_roles_saving(self):
"""Test that snapshot unmapping will not affect audit"""
with factories.single_commit():
person = factories.PersonFactory()
person_email = person.email
audit = factories.AuditFactory()
assessment = factories.AssessmentFactory(audit=audit)
snapshot = self._create_snapshots(audit, [factories.ControlFactory()])[0]
for ac_role_id in self.assignee_roles.values():
factories.AccessControlListFactory(
ac_role_id=ac_role_id,
person=person,
object=assessment
)
factories.RelationshipFactory(source=audit, destination=assessment)
snap_rel = factories.RelationshipFactory(
source=assessment, destination=snapshot
)
response = self.api.delete(snap_rel)
self.assertEqual(response.status_code, 200)
db.session.add(audit)
for ac_role in self.assignee_roles.keys():
self.assert_propagated_role(
"{}".format(ac_role), person_email, audit
)
