def setUp(self): session = db.session security_manager.add_role(SCHEMA_ACCESS_ROLE) session.commit() ds = ( db.session.query(SqlaTable) .filter_by(table_name="wb_health_population") .first() ) ds.schema = "temp_schema" ds.schema_perm = ds.get_schema_perm() ds_slices = ( session.query(Slice) .filter_by(datasource_type="table") .filter_by(datasource_id=ds.id) .all() ) for s in ds_slices: s.schema_perm = ds.schema_perm create_schema_perm("[examples].[temp_schema]") gamma_user = security_manager.find_user(username="******") gamma_user.roles.append(security_manager.find_role(SCHEMA_ACCESS_ROLE)) session.commit()
def setUpClass(cls): security_manager.add_role('override_me') security_manager.add_role(TEST_ROLE_1) security_manager.add_role(TEST_ROLE_2) security_manager.add_role(DB_ACCESS_ROLE) security_manager.add_role(SCHEMA_ACCESS_ROLE) db.session.commit()
def setUpClass(cls): security_manager.add_role("override_me") security_manager.add_role(TEST_ROLE_1) security_manager.add_role(TEST_ROLE_2) security_manager.add_role(DB_ACCESS_ROLE) security_manager.add_role(SCHEMA_ACCESS_ROLE) db.session.commit()
def setUp(self): session = db.session # Create roles security_manager.add_role(self.NAME_AB_ROLE) security_manager.add_role(self.NAME_Q_ROLE) gamma_user = security_manager.find_user(username="******") gamma_user.roles.append(security_manager.find_role(self.NAME_AB_ROLE)) gamma_user.roles.append(security_manager.find_role(self.NAME_Q_ROLE)) self.create_user_with_roles("NoRlsRoleUser", ["Gamma"]) session.commit() # Create regular RowLevelSecurityFilter (energy_usage, unicode_test) self.rls_entry1 = RowLevelSecurityFilter() self.rls_entry1.tables.extend( session.query(SqlaTable).filter( SqlaTable.table_name.in_(["energy_usage", "unicode_test"])).all()) self.rls_entry1.filter_type = "Regular" self.rls_entry1.clause = "value > {{ cache_key_wrapper(1) }}" self.rls_entry1.group_key = None self.rls_entry1.roles.append(security_manager.find_role("Gamma")) self.rls_entry1.roles.append(security_manager.find_role("Alpha")) db.session.add(self.rls_entry1) # Create regular RowLevelSecurityFilter (birth_names name starts with A or B) self.rls_entry2 = RowLevelSecurityFilter() self.rls_entry2.tables.extend( session.query(SqlaTable).filter( SqlaTable.table_name.in_(["birth_names"])).all()) self.rls_entry2.filter_type = "Regular" self.rls_entry2.clause = "name like 'A%' or name like 'B%'" self.rls_entry2.group_key = "name" self.rls_entry2.roles.append(security_manager.find_role("NameAB")) db.session.add(self.rls_entry2) # Create Regular RowLevelSecurityFilter (birth_names name starts with Q) self.rls_entry3 = RowLevelSecurityFilter() self.rls_entry3.tables.extend( session.query(SqlaTable).filter( SqlaTable.table_name.in_(["birth_names"])).all()) self.rls_entry3.filter_type = "Regular" self.rls_entry3.clause = "name like 'Q%'" self.rls_entry3.group_key = "name" self.rls_entry3.roles.append(security_manager.find_role("NameQ")) db.session.add(self.rls_entry3) # Create Base RowLevelSecurityFilter (birth_names boys) self.rls_entry4 = RowLevelSecurityFilter() self.rls_entry4.tables.extend( session.query(SqlaTable).filter( SqlaTable.table_name.in_(["birth_names"])).all()) self.rls_entry4.filter_type = "Base" self.rls_entry4.clause = "gender = 'boy'" self.rls_entry4.group_key = "gender" self.rls_entry4.roles.append(security_manager.find_role("Admin")) db.session.add(self.rls_entry4) db.session.commit()
def setUpClass(cls): with app.app_context(): cls.create_druid_test_objects() security_manager.add_role("override_me") security_manager.add_role(TEST_ROLE_1) security_manager.add_role(TEST_ROLE_2) security_manager.add_role(DB_ACCESS_ROLE) security_manager.add_role(SCHEMA_ACCESS_ROLE) db.session.commit()
def create_role(self, role_name, datasourceIds, datasourceNames, isUser) -> None: pns = [] for idx, id in enumerate(datasourceIds): pns.append('datasource access on [Tracking].[' + datasourceNames[idx] + '](id:' + id + ')') if isUser: pns.append('can write on Dataset') pns.append('can read on Dataset') pns.append('menu access on Dataset') pns.append('can save on Datasource') role = sm.add_role(role_name) pvms = sm.get_session.query(PermissionView).all() role.permissions = [] for permission_view in pvms: for perm_name in pns: if self.custom_pvm_check(permission_view, perm_name): role.permissions.append(permission_view) break sm.get_session.merge(role) sm.get_session.commit()
def test_sql_json_has_access(self): main_db = get_main_database(db.session) security_manager.add_permission_view_menu('database_access', main_db.perm) db.session.commit() main_db_permission_view = (db.session.query( ab_models.PermissionView).join(ab_models.ViewMenu).join( ab_models.Permission ).filter(ab_models.ViewMenu.name == '[main].(id:1)').filter( ab_models.Permission.name == 'database_access').first()) astronaut = security_manager.add_role('Astronaut') security_manager.add_permission_role(astronaut, main_db_permission_view) # Astronaut role is Gamma + sqllab + main db permissions for perm in security_manager.find_role('Gamma').permissions: security_manager.add_permission_role(astronaut, perm) for perm in security_manager.find_role('sql_lab').permissions: security_manager.add_permission_role(astronaut, perm) gagarin = security_manager.find_user('gagarin') if not gagarin: security_manager.add_user('gagarin', 'Iurii', 'Gagarin', '*****@*****.**', astronaut, password='******') data = self.run_sql('SELECT * FROM ab_user', '3', user_name='gagarin') db.session.query(Query).delete() db.session.commit() self.assertLess(0, len(data['data']))
def test_sql_json_has_access(self): examples_db = get_example_database() examples_db_permission_view = security_manager.add_permission_view_menu( "database_access", examples_db.perm) astronaut = security_manager.add_role("Astronaut") security_manager.add_permission_role(astronaut, examples_db_permission_view) # Astronaut role is Gamma + sqllab + db permissions for perm in security_manager.find_role("Gamma").permissions: security_manager.add_permission_role(astronaut, perm) for perm in security_manager.find_role("sql_lab").permissions: security_manager.add_permission_role(astronaut, perm) gagarin = security_manager.find_user("gagarin") if not gagarin: security_manager.add_user( "gagarin", "Iurii", "Gagarin", "*****@*****.**", astronaut, password="******", ) data = self.run_sql(QUERY_1, "3", user_name="gagarin") db.session.query(Query).delete() db.session.commit() self.assertLess(0, len(data["data"]))
def test_sql_json_has_access(self): main_db = self.get_main_database(db.session) security_manager.add_permission_view_menu('database_access', main_db.perm) db.session.commit() main_db_permission_view = ( db.session.query(ab_models.PermissionView) .join(ab_models.ViewMenu) .join(ab_models.Permission) .filter(ab_models.ViewMenu.name == '[main].(id:1)') .filter(ab_models.Permission.name == 'database_access') .first() ) astronaut = security_manager.add_role('Astronaut') security_manager.add_permission_role(astronaut, main_db_permission_view) # Astronaut role is Gamma + sqllab + main db permissions for perm in security_manager.find_role('Gamma').permissions: security_manager.add_permission_role(astronaut, perm) for perm in security_manager.find_role('sql_lab').permissions: security_manager.add_permission_role(astronaut, perm) gagarin = security_manager.find_user('gagarin') if not gagarin: security_manager.add_user( 'gagarin', 'Iurii', 'Gagarin', '*****@*****.**', astronaut, password='******') data = self.run_sql('SELECT * FROM ab_user', '3', user_name='gagarin') db.session.query(Query).delete() db.session.commit() self.assertLess(0, len(data['data']))
def test_sql_json_has_access(self): main_db = get_main_database() security_manager.add_permission_view_menu("database_access", main_db.perm) db.session.commit() main_db_permission_view = (db.session.query( ab_models.PermissionView).join(ab_models.ViewMenu).join( ab_models.Permission ).filter(ab_models.ViewMenu.name == "[main].(id:1)").filter( ab_models.Permission.name == "database_access").first()) astronaut = security_manager.add_role("Astronaut") security_manager.add_permission_role(astronaut, main_db_permission_view) # Astronaut role is Gamma + sqllab + main db permissions for perm in security_manager.find_role("Gamma").permissions: security_manager.add_permission_role(astronaut, perm) for perm in security_manager.find_role("sql_lab").permissions: security_manager.add_permission_role(astronaut, perm) gagarin = security_manager.find_user("gagarin") if not gagarin: security_manager.add_user( "gagarin", "Iurii", "Gagarin", "*****@*****.**", astronaut, password="******", ) data = self.run_sql("SELECT * FROM ab_user", "3", user_name="gagarin") db.session.query(Query).delete() db.session.commit() self.assertLess(0, len(data["data"]))
def test_slices_V2(self): # Add explore-v2-beta role to admin user # Test all slice urls as user with with explore-v2-beta role security_manager.add_role('explore-v2-beta') security_manager.add_user( 'explore_beta', 'explore_beta', ' user', '*****@*****.**', security_manager.find_role('explore-v2-beta'), password='******') self.login(username='******', password='******') Slc = models.Slice urls = [] for slc in db.session.query(Slc).all(): urls += [ (slc.slice_name, 'slice_url', slc.slice_url), ] for name, method, url in urls: print('[{name}]/[{method}]: {url}'.format(**locals())) response = self.client.get(url)
def load_test_users_run(): """ Loads admin, alpha, and gamma user for testing purposes Syncs permissions for those users/roles """ if config.get('TESTING'): security_manager.sync_role_definitions() gamma_sqllab_role = security_manager.add_role('gamma_sqllab') for perm in security_manager.find_role('Gamma').permissions: security_manager.add_permission_role(gamma_sqllab_role, perm) utils.get_or_create_main_db() db_perm = utils.get_main_database(security_manager.get_session).perm security_manager.merge_perm('database_access', db_perm) db_pvm = security_manager.find_permission_view_menu( view_menu_name=db_perm, permission_name='database_access') gamma_sqllab_role.permissions.append(db_pvm) for perm in security_manager.find_role('sql_lab').permissions: security_manager.add_permission_role(gamma_sqllab_role, perm) admin = security_manager.find_user('admin') if not admin: security_manager.add_user( 'admin', 'admin', ' user', '*****@*****.**', security_manager.find_role('Admin'), password='******') gamma = security_manager.find_user('gamma') if not gamma: security_manager.add_user( 'gamma', 'gamma', 'user', '*****@*****.**', security_manager.find_role('Gamma'), password='******') gamma2 = security_manager.find_user('gamma2') if not gamma2: security_manager.add_user( 'gamma2', 'gamma2', 'user', '*****@*****.**', security_manager.find_role('Gamma'), password='******') gamma_sqllab_user = security_manager.find_user('gamma_sqllab') if not gamma_sqllab_user: security_manager.add_user( 'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**', gamma_sqllab_role, password='******') alpha = security_manager.find_user('alpha') if not alpha: security_manager.add_user( 'alpha', 'alpha', 'user', '*****@*****.**', security_manager.find_role('Alpha'), password='******') security_manager.get_session.commit()
def test_sql_json_schema_access(self): examples_db = get_example_database() db_backend = examples_db.backend if db_backend == "sqlite": # sqlite doesn't support database creation return sqllab_test_db_schema_permission_view = ( security_manager.add_permission_view_menu( "schema_access", f"[{examples_db.name}].[{CTAS_SCHEMA_NAME}]" ) ) schema_perm_role = security_manager.add_role("SchemaPermission") security_manager.add_permission_role( schema_perm_role, sqllab_test_db_schema_permission_view ) self.create_user_with_roles( "SchemaUser", ["SchemaPermission", "Gamma", "sql_lab"] ) examples_db.get_sqla_engine().execute( f"CREATE TABLE IF NOT EXISTS {CTAS_SCHEMA_NAME}.test_table AS SELECT 1 as c1, 2 as c2" ) data = self.run_sql( f"SELECT * FROM {CTAS_SCHEMA_NAME}.test_table", "3", username="******" ) self.assertEqual(1, len(data["data"])) data = self.run_sql( f"SELECT * FROM {CTAS_SCHEMA_NAME}.test_table", "4", username="******", schema=CTAS_SCHEMA_NAME, ) self.assertEqual(1, len(data["data"])) # postgres needs a schema as a part of the table name. if db_backend == "mysql": data = self.run_sql( "SELECT * FROM test_table", "5", username="******", schema=CTAS_SCHEMA_NAME, ) self.assertEqual(1, len(data["data"])) db.session.query(Query).delete() get_example_database().get_sqla_engine().execute( f"DROP TABLE IF EXISTS {CTAS_SCHEMA_NAME}.test_table" ) db.session.commit()
def test_slices_V2(self): # Add explore-v2-beta role to admin user # Test all slice urls as user with with explore-v2-beta role security_manager.add_role("explore-v2-beta") security_manager.add_user( "explore_beta", "explore_beta", " user", "*****@*****.**", security_manager.find_role("explore-v2-beta"), password="******", ) self.login(username="******", password="******") Slc = Slice urls = [] for slc in db.session.query(Slc).all(): urls += [(slc.slice_name, "slice_url", slc.slice_url)] for name, method, url in urls: print(f"[{name}]/[{method}]: {url}") self.client.get(url)
def test_sql_json_has_access(self): examples_db = get_example_database() examples_db_permission_view = security_manager.add_permission_view_menu( "database_access", examples_db.perm ) astronaut = security_manager.add_role("ExampleDBAccess") security_manager.add_permission_role(astronaut, examples_db_permission_view) # Gamma user, with sqllab and db permission self.create_user_with_roles("Gagarin", ["ExampleDBAccess", "Gamma", "sql_lab"]) data = self.run_sql(QUERY_1, "1", user_name="Gagarin") db.session.query(Query).delete() db.session.commit() self.assertLess(0, len(data["data"]))
def test_request_access(self): if app.config.get('ENABLE_ACCESS_REQUEST'): session = db.session self.logout() self.login(username='******') gamma_user = security_manager.find_user(username='******') security_manager.add_role('dummy_role') gamma_user.roles.append(security_manager.find_role('dummy_role')) session.commit() ACCESS_REQUEST = ( '/superset/request_access?' 'datasource_type={}&' 'datasource_id={}&' 'action={}&') ROLE_GRANT_LINK = ( '<a href="/superset/approve?datasource_type={}&datasource_id={}&' 'created_by={}&role_to_grant={}">Grant {} Role</a>') # Request table access, there are no roles have this table. table1 = session.query(SqlaTable).filter_by( table_name='random_time_series').first() table_1_id = table1.id # request access to the table resp = self.get_resp( ACCESS_REQUEST.format('table', table_1_id, 'go')) assert 'Access was requested' in resp access_request1 = self.get_access_requests('gamma', 'table', table_1_id) assert access_request1 is not None # Request access, roles exist that contains the table. # add table to the existing roles table3 = session.query(SqlaTable).filter_by( table_name='energy_usage').first() table_3_id = table3.id table3_perm = table3.perm security_manager.add_role('energy_usage_role') alpha_role = security_manager.find_role('Alpha') security_manager.add_permission_role( alpha_role, security_manager.find_permission_view_menu( 'datasource_access', table3_perm)) security_manager.add_permission_role( security_manager.find_role('energy_usage_role'), security_manager.find_permission_view_menu( 'datasource_access', table3_perm)) session.commit() self.get_resp( ACCESS_REQUEST.format('table', table_3_id, 'go')) access_request3 = self.get_access_requests('gamma', 'table', table_3_id) approve_link_3 = ROLE_GRANT_LINK.format( 'table', table_3_id, 'gamma', 'energy_usage_role', 'energy_usage_role') self.assertEqual(access_request3.roles_with_datasource, '<ul><li>{}</li></ul>'.format(approve_link_3)) # Request druid access, there are no roles have this table. druid_ds_4 = session.query(DruidDatasource).filter_by( datasource_name='druid_ds_1').first() druid_ds_4_id = druid_ds_4.id # request access to the table self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go')) access_request4 = self.get_access_requests('gamma', 'druid', druid_ds_4_id) self.assertEqual( access_request4.roles_with_datasource, '<ul></ul>'.format(access_request4.id)) # Case 5. Roles exist that contains the druid datasource. # add druid ds to the existing roles druid_ds_5 = session.query(DruidDatasource).filter_by( datasource_name='druid_ds_2').first() druid_ds_5_id = druid_ds_5.id druid_ds_5_perm = druid_ds_5.perm druid_ds_2_role = security_manager.add_role('druid_ds_2_role') admin_role = security_manager.find_role('Admin') security_manager.add_permission_role( admin_role, security_manager.find_permission_view_menu( 'datasource_access', druid_ds_5_perm)) security_manager.add_permission_role( druid_ds_2_role, security_manager.find_permission_view_menu( 'datasource_access', druid_ds_5_perm)) session.commit() self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go')) access_request5 = self.get_access_requests( 'gamma', 'druid', druid_ds_5_id) approve_link_5 = ROLE_GRANT_LINK.format( 'druid', druid_ds_5_id, 'gamma', 'druid_ds_2_role', 'druid_ds_2_role') self.assertEqual(access_request5.roles_with_datasource, '<ul><li>{}</li></ul>'.format(approve_link_5)) # cleanup gamma_user = security_manager.find_user(username='******') gamma_user.roles.remove(security_manager.find_role('dummy_role')) session.commit()
def __init__(self, *args, **kwargs): if ( self.requires_examples and not os.environ.get('examples_loaded') ): logging.info('Loading examples') cli.load_examples(load_test_data=True) logging.info('Done loading examples') security_manager.sync_role_definitions() os.environ['examples_loaded'] = '1' else: security_manager.sync_role_definitions() super(SupersetTestCase, self).__init__(*args, **kwargs) self.client = app.test_client() self.maxDiff = None gamma_sqllab_role = security_manager.add_role('gamma_sqllab') for perm in security_manager.find_role('Gamma').permissions: security_manager.add_permission_role(gamma_sqllab_role, perm) utils.get_or_create_main_db() db_perm = self.get_main_database(security_manager.get_session).perm security_manager.merge_perm('database_access', db_perm) db_pvm = security_manager.find_permission_view_menu( view_menu_name=db_perm, permission_name='database_access') gamma_sqllab_role.permissions.append(db_pvm) for perm in security_manager.find_role('sql_lab').permissions: security_manager.add_permission_role(gamma_sqllab_role, perm) admin = security_manager.find_user('admin') if not admin: security_manager.add_user( 'admin', 'admin', ' user', '*****@*****.**', security_manager.find_role('Admin'), password='******') gamma = security_manager.find_user('gamma') if not gamma: security_manager.add_user( 'gamma', 'gamma', 'user', '*****@*****.**', security_manager.find_role('Gamma'), password='******') gamma2 = security_manager.find_user('gamma2') if not gamma2: security_manager.add_user( 'gamma2', 'gamma2', 'user', '*****@*****.**', security_manager.find_role('Gamma'), password='******') gamma_sqllab_user = security_manager.find_user('gamma_sqllab') if not gamma_sqllab_user: security_manager.add_user( 'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**', gamma_sqllab_role, password='******') alpha = security_manager.find_user('alpha') if not alpha: security_manager.add_user( 'alpha', 'alpha', 'user', '*****@*****.**', security_manager.find_role('Alpha'), password='******') security_manager.get_session.commit() # create druid cluster and druid datasources session = db.session cluster = ( session.query(DruidCluster) .filter_by(cluster_name='druid_test') .first() ) if not cluster: cluster = DruidCluster(cluster_name='druid_test') session.add(cluster) session.commit() druid_datasource1 = DruidDatasource( datasource_name='druid_ds_1', cluster_name='druid_test', ) session.add(druid_datasource1) druid_datasource2 = DruidDatasource( datasource_name='druid_ds_2', cluster_name='druid_test', ) session.add(druid_datasource2) session.commit()
def test_request_access(self): if app.config.get("ENABLE_ACCESS_REQUEST"): session = db.session self.logout() self.login(username="******") gamma_user = security_manager.find_user(username="******") security_manager.add_role("dummy_role") gamma_user.roles.append(security_manager.find_role("dummy_role")) session.commit() ACCESS_REQUEST = ( "/superset/request_access?" "datasource_type={}&" "datasource_id={}&" "action={}&" ) ROLE_GRANT_LINK = ( '<a href="/superset/approve?datasource_type={}&datasource_id={}&' 'created_by={}&role_to_grant={}">Grant {} Role</a>' ) # Request table access, there are no roles have this table. table1 = ( session.query(SqlaTable) .filter_by(table_name="random_time_series") .first() ) table_1_id = table1.id # request access to the table resp = self.get_resp(ACCESS_REQUEST.format("table", table_1_id, "go")) assert "Access was requested" in resp access_request1 = self.get_access_requests("gamma", "table", table_1_id) assert access_request1 is not None # Request access, roles exist that contains the table. # add table to the existing roles table3 = ( session.query(SqlaTable).filter_by(table_name="energy_usage").first() ) table_3_id = table3.id table3_perm = table3.perm security_manager.add_role("energy_usage_role") alpha_role = security_manager.find_role("Alpha") security_manager.add_permission_role( alpha_role, security_manager.find_permission_view_menu( "datasource_access", table3_perm ), ) security_manager.add_permission_role( security_manager.find_role("energy_usage_role"), security_manager.find_permission_view_menu( "datasource_access", table3_perm ), ) session.commit() self.get_resp(ACCESS_REQUEST.format("table", table_3_id, "go")) access_request3 = self.get_access_requests("gamma", "table", table_3_id) approve_link_3 = ROLE_GRANT_LINK.format( "table", table_3_id, "gamma", "energy_usage_role", "energy_usage_role" ) self.assertEqual( access_request3.roles_with_datasource, "<ul><li>{}</li></ul>".format(approve_link_3), ) # Request druid access, there are no roles have this table. druid_ds_4 = ( session.query(DruidDatasource) .filter_by(datasource_name="druid_ds_1") .first() ) druid_ds_4_id = druid_ds_4.id # request access to the table self.get_resp(ACCESS_REQUEST.format("druid", druid_ds_4_id, "go")) access_request4 = self.get_access_requests("gamma", "druid", druid_ds_4_id) self.assertEqual( access_request4.roles_with_datasource, "<ul></ul>".format(access_request4.id), ) # Case 5. Roles exist that contains the druid datasource. # add druid ds to the existing roles druid_ds_5 = ( session.query(DruidDatasource) .filter_by(datasource_name="druid_ds_2") .first() ) druid_ds_5_id = druid_ds_5.id druid_ds_5_perm = druid_ds_5.perm druid_ds_2_role = security_manager.add_role("druid_ds_2_role") admin_role = security_manager.find_role("Admin") security_manager.add_permission_role( admin_role, security_manager.find_permission_view_menu( "datasource_access", druid_ds_5_perm ), ) security_manager.add_permission_role( druid_ds_2_role, security_manager.find_permission_view_menu( "datasource_access", druid_ds_5_perm ), ) session.commit() self.get_resp(ACCESS_REQUEST.format("druid", druid_ds_5_id, "go")) access_request5 = self.get_access_requests("gamma", "druid", druid_ds_5_id) approve_link_5 = ROLE_GRANT_LINK.format( "druid", druid_ds_5_id, "gamma", "druid_ds_2_role", "druid_ds_2_role" ) self.assertEqual( access_request5.roles_with_datasource, "<ul><li>{}</li></ul>".format(approve_link_5), ) # cleanup gamma_user = security_manager.find_user(username="******") gamma_user.roles.remove(security_manager.find_role("dummy_role")) session.commit()
def test_approve(self, mock_send_mime): if app.config.get("ENABLE_ACCESS_REQUEST"): session = db.session TEST_ROLE_NAME = "table_role" security_manager.add_role(TEST_ROLE_NAME) # Case 1. Grant new role to the user. access_request1 = create_access_request( session, "table", "unicode_test", TEST_ROLE_NAME, "gamma" ) ds_1_id = access_request1.datasource_id self.get_resp( GRANT_ROLE_REQUEST.format("table", ds_1_id, "gamma", TEST_ROLE_NAME) ) # Test email content. self.assertTrue(mock_send_mime.called) call_args = mock_send_mime.call_args[0] self.assertEqual( [ security_manager.find_user(username="******").email, security_manager.find_user(username="******").email, ], call_args[1], ) self.assertEqual( "[Superset] Access to the datasource {} was granted".format( self.get_table(ds_1_id).full_name ), call_args[2]["Subject"], ) self.assertIn(TEST_ROLE_NAME, call_args[2].as_string()) self.assertIn("unicode_test", call_args[2].as_string()) access_requests = self.get_access_requests("gamma", "table", ds_1_id) # request was removed self.assertFalse(access_requests) # user was granted table_role user_roles = [r.name for r in security_manager.find_user("gamma").roles] self.assertIn(TEST_ROLE_NAME, user_roles) # Case 2. Extend the role to have access to the table access_request2 = create_access_request( session, "table", "energy_usage", TEST_ROLE_NAME, "gamma" ) ds_2_id = access_request2.datasource_id energy_usage_perm = access_request2.datasource.perm self.client.get( EXTEND_ROLE_REQUEST.format( "table", access_request2.datasource_id, "gamma", TEST_ROLE_NAME ) ) access_requests = self.get_access_requests("gamma", "table", ds_2_id) # Test email content. self.assertTrue(mock_send_mime.called) call_args = mock_send_mime.call_args[0] self.assertEqual( [ security_manager.find_user(username="******").email, security_manager.find_user(username="******").email, ], call_args[1], ) self.assertEqual( "[Superset] Access to the datasource {} was granted".format( self.get_table(ds_2_id).full_name ), call_args[2]["Subject"], ) self.assertIn(TEST_ROLE_NAME, call_args[2].as_string()) self.assertIn("energy_usage", call_args[2].as_string()) # request was removed self.assertFalse(access_requests) # table_role was extended to grant access to the energy_usage table/ perm_view = security_manager.find_permission_view_menu( "datasource_access", energy_usage_perm ) TEST_ROLE = security_manager.find_role(TEST_ROLE_NAME) self.assertIn(perm_view, TEST_ROLE.permissions) # Case 3. Grant new role to the user to access the druid datasource. security_manager.add_role("druid_role") access_request3 = create_access_request( session, "druid", "druid_ds_1", "druid_role", "gamma" ) self.get_resp( GRANT_ROLE_REQUEST.format( "druid", access_request3.datasource_id, "gamma", "druid_role" ) ) # user was granted table_role user_roles = [r.name for r in security_manager.find_user("gamma").roles] self.assertIn("druid_role", user_roles) # Case 4. Extend the role to have access to the druid datasource access_request4 = create_access_request( session, "druid", "druid_ds_2", "druid_role", "gamma" ) druid_ds_2_perm = access_request4.datasource.perm self.client.get( EXTEND_ROLE_REQUEST.format( "druid", access_request4.datasource_id, "gamma", "druid_role" ) ) # druid_role was extended to grant access to the druid_access_ds_2 druid_role = security_manager.find_role("druid_role") perm_view = security_manager.find_permission_view_menu( "datasource_access", druid_ds_2_perm ) self.assertIn(perm_view, druid_role.permissions) # cleanup gamma_user = security_manager.find_user(username="******") gamma_user.roles.remove(security_manager.find_role("druid_role")) gamma_user.roles.remove(security_manager.find_role(TEST_ROLE_NAME)) session.delete(security_manager.find_role("druid_role")) session.delete(security_manager.find_role(TEST_ROLE_NAME)) session.commit()
def test_approve(self, mock_send_mime): if app.config.get('ENABLE_ACCESS_REQUEST'): session = db.session TEST_ROLE_NAME = 'table_role' security_manager.add_role(TEST_ROLE_NAME) # Case 1. Grant new role to the user. access_request1 = create_access_request( session, 'table', 'unicode_test', TEST_ROLE_NAME, 'gamma') ds_1_id = access_request1.datasource_id self.get_resp(GRANT_ROLE_REQUEST.format( 'table', ds_1_id, 'gamma', TEST_ROLE_NAME)) # Test email content. self.assertTrue(mock_send_mime.called) call_args = mock_send_mime.call_args[0] self.assertEqual([security_manager.find_user(username='******').email, security_manager.find_user(username='******').email], call_args[1]) self.assertEqual( '[Superset] Access to the datasource {} was granted'.format( self.get_table(ds_1_id).full_name), call_args[2]['Subject']) self.assertIn(TEST_ROLE_NAME, call_args[2].as_string()) self.assertIn('unicode_test', call_args[2].as_string()) access_requests = self.get_access_requests('gamma', 'table', ds_1_id) # request was removed self.assertFalse(access_requests) # user was granted table_role user_roles = [r.name for r in security_manager.find_user('gamma').roles] self.assertIn(TEST_ROLE_NAME, user_roles) # Case 2. Extend the role to have access to the table access_request2 = create_access_request( session, 'table', 'energy_usage', TEST_ROLE_NAME, 'gamma') ds_2_id = access_request2.datasource_id energy_usage_perm = access_request2.datasource.perm self.client.get(EXTEND_ROLE_REQUEST.format( 'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME)) access_requests = self.get_access_requests('gamma', 'table', ds_2_id) # Test email content. self.assertTrue(mock_send_mime.called) call_args = mock_send_mime.call_args[0] self.assertEqual([security_manager.find_user(username='******').email, security_manager.find_user(username='******').email], call_args[1]) self.assertEqual( '[Superset] Access to the datasource {} was granted'.format( self.get_table(ds_2_id).full_name), call_args[2]['Subject']) self.assertIn(TEST_ROLE_NAME, call_args[2].as_string()) self.assertIn('energy_usage', call_args[2].as_string()) # request was removed self.assertFalse(access_requests) # table_role was extended to grant access to the energy_usage table/ perm_view = security_manager.find_permission_view_menu( 'datasource_access', energy_usage_perm) TEST_ROLE = security_manager.find_role(TEST_ROLE_NAME) self.assertIn(perm_view, TEST_ROLE.permissions) # Case 3. Grant new role to the user to access the druid datasource. security_manager.add_role('druid_role') access_request3 = create_access_request( session, 'druid', 'druid_ds_1', 'druid_role', 'gamma') self.get_resp(GRANT_ROLE_REQUEST.format( 'druid', access_request3.datasource_id, 'gamma', 'druid_role')) # user was granted table_role user_roles = [r.name for r in security_manager.find_user('gamma').roles] self.assertIn('druid_role', user_roles) # Case 4. Extend the role to have access to the druid datasource access_request4 = create_access_request( session, 'druid', 'druid_ds_2', 'druid_role', 'gamma') druid_ds_2_perm = access_request4.datasource.perm self.client.get(EXTEND_ROLE_REQUEST.format( 'druid', access_request4.datasource_id, 'gamma', 'druid_role')) # druid_role was extended to grant access to the druid_access_ds_2 druid_role = security_manager.find_role('druid_role') perm_view = security_manager.find_permission_view_menu( 'datasource_access', druid_ds_2_perm) self.assertIn(perm_view, druid_role.permissions) # cleanup gamma_user = security_manager.find_user(username='******') gamma_user.roles.remove(security_manager.find_role('druid_role')) gamma_user.roles.remove(security_manager.find_role(TEST_ROLE_NAME)) session.delete(security_manager.find_role('druid_role')) session.delete(security_manager.find_role(TEST_ROLE_NAME)) session.commit()
def __init__(self, *args, **kwargs): if (self.requires_examples and not os.environ.get('examples_loaded')): logging.info('Loading examples') cli.load_examples_run(load_test_data=True) logging.info('Done loading examples') security_manager.sync_role_definitions() os.environ['examples_loaded'] = '1' else: security_manager.sync_role_definitions() super(SupersetTestCase, self).__init__(*args, **kwargs) self.client = app.test_client() self.maxDiff = None gamma_sqllab_role = security_manager.add_role('gamma_sqllab') for perm in security_manager.find_role('Gamma').permissions: security_manager.add_permission_role(gamma_sqllab_role, perm) utils.get_or_create_main_db() db_perm = self.get_main_database(security_manager.get_session).perm security_manager.merge_perm('database_access', db_perm) db_pvm = security_manager.find_permission_view_menu( view_menu_name=db_perm, permission_name='database_access') gamma_sqllab_role.permissions.append(db_pvm) for perm in security_manager.find_role('sql_lab').permissions: security_manager.add_permission_role(gamma_sqllab_role, perm) admin = security_manager.find_user('admin') if not admin: security_manager.add_user('admin', 'admin', ' user', '*****@*****.**', security_manager.find_role('Admin'), password='******') gamma = security_manager.find_user('gamma') if not gamma: security_manager.add_user('gamma', 'gamma', 'user', '*****@*****.**', security_manager.find_role('Gamma'), password='******') gamma2 = security_manager.find_user('gamma2') if not gamma2: security_manager.add_user('gamma2', 'gamma2', 'user', '*****@*****.**', security_manager.find_role('Gamma'), password='******') gamma_sqllab_user = security_manager.find_user('gamma_sqllab') if not gamma_sqllab_user: security_manager.add_user('gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**', gamma_sqllab_role, password='******') alpha = security_manager.find_user('alpha') if not alpha: security_manager.add_user('alpha', 'alpha', 'user', '*****@*****.**', security_manager.find_role('Alpha'), password='******') security_manager.get_session.commit() # create druid cluster and druid datasources session = db.session cluster = (session.query(DruidCluster).filter_by( cluster_name='druid_test').first()) if not cluster: cluster = DruidCluster(cluster_name='druid_test') session.add(cluster) session.commit() druid_datasource1 = DruidDatasource( datasource_name='druid_ds_1', cluster_name='druid_test', ) session.add(druid_datasource1) druid_datasource2 = DruidDatasource( datasource_name='druid_ds_2', cluster_name='druid_test', ) session.add(druid_datasource2) session.commit()
def load_test_users_run(): """ Loads admin, alpha, and gamma user for testing purposes Syncs permissions for those users/roles """ if config.get("TESTING"): security_manager.sync_role_definitions() gamma_sqllab_role = security_manager.add_role("gamma_sqllab") for perm in security_manager.find_role("Gamma").permissions: security_manager.add_permission_role(gamma_sqllab_role, perm) utils.get_or_create_main_db() db_perm = utils.get_main_database().perm security_manager.add_permission_view_menu("database_access", db_perm) db_pvm = security_manager.find_permission_view_menu( view_menu_name=db_perm, permission_name="database_access" ) gamma_sqllab_role.permissions.append(db_pvm) for perm in security_manager.find_role("sql_lab").permissions: security_manager.add_permission_role(gamma_sqllab_role, perm) admin = security_manager.find_user("admin") if not admin: security_manager.add_user( "admin", "admin", " user", "*****@*****.**", security_manager.find_role("Admin"), password="******", ) gamma = security_manager.find_user("gamma") if not gamma: security_manager.add_user( "gamma", "gamma", "user", "*****@*****.**", security_manager.find_role("Gamma"), password="******", ) gamma2 = security_manager.find_user("gamma2") if not gamma2: security_manager.add_user( "gamma2", "gamma2", "user", "*****@*****.**", security_manager.find_role("Gamma"), password="******", ) gamma_sqllab_user = security_manager.find_user("gamma_sqllab") if not gamma_sqllab_user: security_manager.add_user( "gamma_sqllab", "gamma_sqllab", "user", "*****@*****.**", gamma_sqllab_role, password="******", ) alpha = security_manager.find_user("alpha") if not alpha: security_manager.add_user( "alpha", "alpha", "user", "*****@*****.**", security_manager.find_role("Alpha"), password="******", ) security_manager.get_session.commit()