def test_is_alpha_only(self):
        """Check which permission/view pairs ``is_alpha_only`` classifies as Alpha-level."""
        def alpha_only(permission_name, view_menu_name):
            # Resolve the permission-view first, then ask the security manager.
            pvm = security_manager.find_permission_view_menu(
                permission_name, view_menu_name)
            return security_manager.is_alpha_only(pvm)

        # Read-only access to the table view must not be Alpha-restricted.
        self.assertFalse(alpha_only('can_show', 'TableModelView'))

        # Bulk delete, global datasource access and metric edits must be.
        alpha_restricted = (
            ('muldelete', 'TableModelView'),
            ('all_datasource_access', 'all_datasource_access'),
            ('can_edit', 'SqlMetricInlineView'),
            ('can_delete', 'DruidMetricInlineView'),
        )
        for permission_name, view_menu_name in alpha_restricted:
            self.assertTrue(alpha_only(permission_name, view_menu_name))
Example #2
    def test_clean_requests_after_db_grant(self):
        """Pending access requests are removed once the requester already has access.

        gamma and gamma2 both request the same table. gamma then receives
        database-level access through DB_ACCESS_ROLE. The test asserts that
        gamma's request is still present at that point and is gone after
        gamma2's request has been approved.
        """
        session = db.session

        # Case 3. Two access requests from gamma and gamma2
        # Gamma gets database access, gamma2 access request granted
        # Check if request by gamma has been deleted

        gamma_user = security_manager.find_user(username='******')
        access_request1 = create_access_request(
            session, 'table', 'energy_usage', TEST_ROLE_1, 'gamma')
        create_access_request(
            session, 'table', 'energy_usage', TEST_ROLE_2, 'gamma2')
        ds_1_id = access_request1.datasource_id
        # gamma gets granted database access
        database = session.query(models.Database).first()

        # Ensure the database_access permission-view exists, attach it to
        # DB_ACCESS_ROLE, then give that role to gamma.
        security_manager.merge_perm('database_access', database.perm)
        ds_perm_view = security_manager.find_permission_view_menu(
            'database_access', database.perm)
        security_manager.add_permission_role(
            security_manager.find_role(DB_ACCESS_ROLE), ds_perm_view)
        gamma_user.roles.append(security_manager.find_role(DB_ACCESS_ROLE))
        session.commit()
        # Granting the role alone does not clean up: the request is still there.
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        self.assertTrue(access_requests)
        # gamma2 request gets fulfilled
        # NOTE(review): the approval is issued as an HTTP GET; the format of
        # EXTEND_ROLE_REQUEST is defined outside this snippet.
        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma2', TEST_ROLE_2))
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)

        self.assertFalse(access_requests)
        # Undo the role grant so later tests start from gamma's normal roles.
        # This runs only if every assertion above passed.
        gamma_user = security_manager.find_user(username='******')
        gamma_user.roles.remove(security_manager.find_role(DB_ACCESS_ROLE))
        session.commit()
Example #3
    def test_filter_druid_datasource(self):
        """The Druid datasource list shows a user only the datasources granted to Gamma."""
        druid_cluster = self.get_or_create(
            DruidCluster, {'cluster_name': 'new_druid'}, db.session)
        db.session.merge(druid_cluster)

        # Create both datasources on the same cluster: one to grant, one to hide.
        datasources = []
        for ds_name in ('datasource_for_gamma', 'datasource_not_for_gamma'):
            datasource = self.get_or_create(
                DruidDatasource, {'datasource_name': ds_name}, db.session)
            datasource.cluster = druid_cluster
            db.session.merge(datasource)
            datasources.append(datasource)
        db.session.commit()
        granted_ds = datasources[0]

        # Both permissions exist, but only the first is attached to Gamma.
        for datasource in datasources:
            security_manager.merge_perm('datasource_access', datasource.perm)

        granted_pvm = security_manager.find_permission_view_menu(
            'datasource_access', granted_ds.get_perm())
        gamma_role = security_manager.find_role('Gamma')
        security_manager.add_permission_role(gamma_role, granted_pvm)
        security_manager.get_session.commit()

        self.login(username='******')
        listing = self.get_resp('/druiddatasourcemodelview/list/')
        self.assertIn('datasource_for_gamma', listing)
        self.assertNotIn('datasource_not_for_gamma', listing)
Example #4
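    def test_queryview_filter_owner_only(self) -> None:
        """
        Test queryview api with can_only_access_owned_queries perm added to
        Admin and make sure only Admin queries show up.

        The permission is revoked in a ``finally`` block so that a failing
        assertion cannot leave Admin with the restriction for later tests.
        """
        session = db.session

        # Add can_only_access_owned_queries perm to Admin user
        owned_queries_view = security_manager.find_permission_view_menu(
            'can_only_access_owned_queries',
            'can_only_access_owned_queries',
        )
        security_manager.add_permission_role(
            security_manager.find_role('Admin'),
            owned_queries_view,
        )
        session.commit()

        try:
            # Test search_queries for Admin user
            self.run_some_queries()
            self.login('admin')

            url = '/queryview/api/read'
            data = self.get_json_resp(url)
            admin = security_manager.find_user('admin')
            # assertEqual: the assertEquals alias was removed in Python 3.12.
            self.assertEqual(2, len(data['result']))
            self.assertTrue(all(
                result.get('username') == admin.username
                for result in data['result']
            ))
        finally:
            # Remove can_only_access_owned_queries from Admin
            owned_queries_view = security_manager.find_permission_view_menu(
                'can_only_access_owned_queries',
                'can_only_access_owned_queries',
            )
            security_manager.del_permission_role(
                security_manager.find_role('Admin'),
                owned_queries_view,
            )

            session.commit()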
Example #5
def load_test_users_run():
    """
    Create the admin, alpha, gamma, gamma2 and gamma_sqllab test accounts.

    Syncs role definitions and builds the gamma_sqllab role from the Gamma
    and sql_lab permissions plus database_access on the main database.

    Everything is skipped unless the TESTING config flag is set: that guard
    is what keeps these fixed-credential accounts out of a deployment that
    is not a test run.
    """
    if not config.get('TESTING'):
        return

    security_manager.sync_role_definitions()
    gamma_sqllab_role = security_manager.add_role('gamma_sqllab')

    def copy_permissions_from(role_name):
        # Attach every permission of the named role to gamma_sqllab.
        for pvm in security_manager.find_role(role_name).permissions:
            security_manager.add_permission_role(gamma_sqllab_role, pvm)

    copy_permissions_from('Gamma')
    utils.get_or_create_main_db()
    main_db_perm = utils.get_main_database(security_manager.get_session).perm
    security_manager.merge_perm('database_access', main_db_perm)
    main_db_pvm = security_manager.find_permission_view_menu(
        view_menu_name=main_db_perm, permission_name='database_access')
    gamma_sqllab_role.permissions.append(main_db_pvm)
    copy_permissions_from('sql_lab')

    # (username, last name, role lookup). The lookup is deferred so that a
    # role is resolved only when the account actually has to be created.
    accounts = (
        ('admin', ' user', lambda: security_manager.find_role('Admin')),
        ('gamma', 'user', lambda: security_manager.find_role('Gamma')),
        ('gamma2', 'user', lambda: security_manager.find_role('Gamma')),
        ('gamma_sqllab', 'user', lambda: gamma_sqllab_role),
        ('alpha', 'user', lambda: security_manager.find_role('Alpha')),
    )
    for username, last_name, resolve_role in accounts:
        if security_manager.find_user(username):
            continue
        security_manager.add_user(
            username, username, last_name, '*****@*****.**',
            resolve_role(),
            password='******')
    security_manager.get_session.commit()
Example #6
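    def test_search_query_with_owner_only_perms(self) -> None:
        """
        Test a search query with can_only_access_owned_queries perm added to
        Admin and make sure only Admin queries show up.

        The permission is revoked in a ``finally`` block so that a failing
        assertion cannot leave Admin with the restriction for later tests.
        """
        session = db.session

        # Add can_only_access_owned_queries perm to Admin user
        owned_queries_view = security_manager.find_permission_view_menu(
            'can_only_access_owned_queries',
            'can_only_access_owned_queries',
        )
        security_manager.add_permission_role(
            security_manager.find_role('Admin'),
            owned_queries_view,
        )
        session.commit()

        try:
            # Test search_queries for Admin user
            self.run_some_queries()
            self.login('admin')

            user_id = security_manager.find_user('admin').id
            data = self.get_json_resp('/superset/search_queries')
            # assertEqual: the assertEquals alias was removed in Python 3.12.
            self.assertEqual(2, len(data))
            user_ids = {k['userId'] for k in data}
            self.assertEqual({user_id}, user_ids)
        finally:
            # Remove can_only_access_owned_queries from Admin
            owned_queries_view = security_manager.find_permission_view_menu(
                'can_only_access_owned_queries',
                'can_only_access_owned_queries',
            )
            security_manager.del_permission_role(
                security_manager.find_role('Admin'),
                owned_queries_view,
            )

            session.commit()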
Example #7
 def test_get_or_create_db(self):
     """get_or_create_db creates the database with its access permission and updates the URI on a second call."""
     def fetch_test_db():
         # .one() also asserts that exactly one row carries this name.
         return db.session.query(Database).filter_by(
             database_name="test_db").one()

     get_or_create_db("test_db", "sqlite:///superset.db")
     created = fetch_test_db()
     self.assertIsNotNone(created)
     self.assertEqual(created.sqlalchemy_uri, "sqlite:///superset.db")
     # Creating the database must also register its database_access permission.
     access_pvm = security_manager.find_permission_view_menu(
         "database_access", created.perm)
     self.assertIsNotNone(access_pvm)

     # Test change URI
     get_or_create_db("test_db", "sqlite:///changed.db")
     updated = fetch_test_db()
     self.assertEqual(updated.sqlalchemy_uri, "sqlite:///changed.db")
     db.session.delete(updated)
     db.session.commit()
Example #8
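 def roles_with_datasource(self):
     """Return an HTML ``<ul>`` with one "Grant <role> Role" link per eligible role.

     The roles are those attached to the ``datasource_access``
     permission-view of this request's datasource; roles named in
     ``ROLES_BLACKLIST`` are skipped.

     Role names, the requester's username and the datasource fields are
     data, not markup. Each one is percent-encoded in the query string and
     the role name is HTML-escaped in the link text, so a value containing
     ``&``, ``"`` or ``<`` cannot add query parameters or change the
     surrounding HTML. Values made only of letters, digits and ``_.-~``
     render exactly as before.
     """
     # Imported locally: the module's import block is outside this snippet.
     from html import escape
     from urllib.parse import quote

     def encoded(value):
         # safe='' so that '&', '=', '/' and '"' are all percent-encoded.
         return quote(str(value), safe='')

     perm = self.datasource.perm  # pylint: disable=no-member
     pv = security_manager.find_permission_view_menu('datasource_access', perm)
     items = []
     for r in pv.role:
         if r.name in self.ROLES_BLACKLIST:
             continue
         url = (
             '/superset/approve?datasource_type={}&'
             'datasource_id={}&'
             'created_by={}&role_to_grant={}'
         ).format(
             encoded(self.datasource_type),
             encoded(self.datasource_id),
             encoded(self.created_by.username),
             encoded(r.name),
         )
         # NOTE(review): the link is presentation only; the approve handler
         # is outside this snippet and must authorize the grant itself.
         href = '<a href="{}">Grant {} Role</a>'.format(url, escape(r.name))
         items.append('<li>' + href + '</li>')
     return '<ul>' + ''.join(items) + '</ul>'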
Example #9
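 def roles_with_datasource(self):
     """Return an HTML ``<ul>`` with one "Grant <role> Role" link per eligible role.

     The roles are those attached to the ``datasource_access``
     permission-view of this request's datasource; roles named in
     ``ROLES_BLACKLIST`` are skipped.

     Role names, the requester's username and the datasource fields are
     data, not markup. Each one is percent-encoded in the query string and
     the role name is HTML-escaped in the link text, so a value containing
     ``&``, ``"`` or ``<`` cannot add query parameters or change the
     surrounding HTML. Values made only of letters, digits and ``_.-~``
     render exactly as before.
     """
     # Imported locally: the module's import block is outside this snippet.
     from html import escape
     from urllib.parse import quote

     def encoded(value):
         # safe='' so that '&', '=', '/' and '"' are all percent-encoded.
         return quote(str(value), safe='')

     perm = self.datasource.perm  # pylint: disable=no-member
     pv = security_manager.find_permission_view_menu('datasource_access', perm)
     items = []
     for r in pv.role:
         if r.name in self.ROLES_BLACKLIST:
             continue
         # pylint: disable=no-member
         url = (
             f'/superset/approve?datasource_type={encoded(self.datasource_type)}&'
             f'datasource_id={encoded(self.datasource_id)}&'
             f'created_by={encoded(self.created_by.username)}&'
             f'role_to_grant={encoded(r.name)}'
         )
         # NOTE(review): the link is presentation only; the approve handler
         # is outside this snippet and must authorize the grant itself.
         href = '<a href="{}">Grant {} Role</a>'.format(url, escape(r.name))
         items.append('<li>' + href + '</li>')
     return '<ul>' + ''.join(items) + '</ul>'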
Example #10
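 def roles_with_datasource(self):
     """Return an HTML ``<ul>`` with one "Grant <role> Role" link per eligible role.

     The roles are those attached to the ``datasource_access``
     permission-view of this request's datasource; roles named in
     ``ROLES_BLACKLIST`` are skipped.

     Role names, the requester's username and the datasource fields are
     data, not markup. Each one is percent-encoded in the query string and
     the role name is HTML-escaped in the link text, so a value containing
     ``&``, ``"`` or ``<`` cannot add query parameters or change the
     surrounding HTML. Values made only of letters, digits and ``_.-~``
     render exactly as before.
     """
     # Imported locally: the module's import block is outside this snippet.
     from html import escape
     from urllib.parse import quote

     def encoded(value):
         # safe="" so that "&", "=", "/" and '"' are all percent-encoded.
         return quote(str(value), safe="")

     perm = self.datasource.perm  # pylint: disable=no-member
     pv = security_manager.find_permission_view_menu("datasource_access", perm)
     items = []
     for r in pv.role:
         if r.name in self.ROLES_BLACKLIST:
             continue
         # pylint: disable=no-member
         url = (
             f"/superset/approve?datasource_type={encoded(self.datasource_type)}&"
             f"datasource_id={encoded(self.datasource_id)}&"
             f"created_by={encoded(self.created_by.username)}&"
             f"role_to_grant={encoded(r.name)}"
         )
         # NOTE(review): the link is presentation only; the approve handler
         # is outside this snippet and must authorize the grant itself.
         href = '<a href="{}">Grant {} Role</a>'.format(url, escape(r.name))
         items.append("<li>" + href + "</li>")
     return "<ul>" + "".join(items) + "</ul>"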
Example #11
    def test_filter_druid_datasource(self):
        """The Druid datasource list shows a user only the datasources granted to Gamma."""
        druid_cluster = self.get_or_create(
            DruidCluster, {"cluster_name": "new_druid"}, db.session
        )
        db.session.merge(druid_cluster)

        # Create both datasources on the same cluster: one to grant, one to hide.
        datasources = []
        for ds_name in ("datasource_for_gamma", "datasource_not_for_gamma"):
            datasource = self.get_or_create(
                DruidDatasource,
                {"datasource_name": ds_name, "cluster": druid_cluster},
                db.session,
            )
            datasource.cluster = druid_cluster
            db.session.merge(datasource)
            datasources.append(datasource)
        db.session.commit()
        granted_ds = datasources[0]

        # Both permission-views exist, but only the first is attached to Gamma.
        for datasource in datasources:
            security_manager.add_permission_view_menu(
                "datasource_access", datasource.perm
            )

        granted_pvm = security_manager.find_permission_view_menu(
            "datasource_access", granted_ds.get_perm()
        )
        gamma_role = security_manager.find_role("Gamma")
        security_manager.add_permission_role(gamma_role, granted_pvm)
        security_manager.get_session.commit()

        self.login(username="******")
        listing = self.get_resp("/druiddatasourcemodelview/list/")
        self.assertIn("datasource_for_gamma", listing)
        self.assertNotIn("datasource_not_for_gamma", listing)
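 def roles_with_datasource(self) -> str:
     """Return an HTML ``<ul>`` with one "Grant <role> Role" link per eligible role.

     The roles are those attached to the ``datasource_access``
     permission-view of this request's datasource; roles named in
     ``ROLES_DENYLIST`` are skipped.

     Role names, the requester's username and the datasource fields are
     data, not markup. Each one is percent-encoded in the query string and
     the role name is HTML-escaped in the link text, so a value containing
     ``&``, ``"`` or ``<`` cannot add query parameters or change the
     surrounding HTML. Values made only of letters, digits and ``_.-~``
     render exactly as before.
     """
     # Imported locally: the module's import block is outside this snippet.
     from html import escape
     from urllib.parse import quote

     def encoded(value) -> str:
         # safe="" so that "&", "=", "/" and '"' are all percent-encoded.
         return quote(str(value), safe="")

     perm = self.datasource.perm  # pylint: disable=no-member
     pv = security_manager.find_permission_view_menu(
         "datasource_access", perm)
     items = []
     for role in pv.role:
         if role.name in self.ROLES_DENYLIST:
             continue
         # pylint: disable=no-member
         href = (
             f"/metrix/approve?datasource_type={encoded(self.datasource_type)}&"
             f"datasource_id={encoded(self.datasource_id)}&"
             f"created_by={encoded(self.created_by.username)}&"
             f"role_to_grant={encoded(role.name)}"
         )
         # NOTE(review): the link is presentation only; the approve handler
         # is outside this snippet and must authorize the grant itself.
         link = '<a href="{}">Grant {} Role</a>'.format(href, escape(role.name))
         items.append("<li>" + link + "</li>")
     return "<ul>" + "".join(items) + "</ul>"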
Example #13
    def test_create_table_alpha(self) -> None:
        """Table API: Test create table with alpha."""
        table_name = "ab_permission"
        response = self._create_table(user="******", tbl_name=table_name)
        self.assertEqual(response.status_code, 201)

        # Verify the table is created.
        created = self.get_table_by_name(table_name)
        self.assertEqual(created.table_name, table_name)
        for column_name in ("id", "name"):
            self.assertIsNotNone(created.get_col(column_name))
        # Creation must also register the table's datasource_access permission.
        access_pvm = security_manager.find_permission_view_menu(
            "datasource_access", created.perm
        )
        self.assertIsNotNone(access_pvm)

        # Clean up.
        db.session.delete(created)
        db.session.commit()
Example #14
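    def test_override_role_permissions_drops_absent_perms(self):
        """Overriding a role's permissions removes grants that are not in the payload.

        The role starts with datasource_access on ``long_lat``. After the
        override call it must hold exactly one permission, datasource_access
        on ``birth_names``.
        """
        override_me = security_manager.find_role('override_me')
        # Pre-existing grant that the override is expected to drop.
        override_me.permissions.append(
            security_manager.find_permission_view_menu(
                view_menu_name=self.get_table_by_name('long_lat').perm,
                permission_name='datasource_access'), )
        db.session.flush()

        response = self.client.post('/superset/override_role_permissions/',
                                    data=json.dumps(ROLE_TABLES_PERM_DATA),
                                    content_type='application/json')
        # assertEqual: the assertEquals alias was removed in Python 3.12.
        self.assertEqual(201, response.status_code)
        updated_override_me = security_manager.find_role('override_me')
        self.assertEqual(1, len(updated_override_me.permissions))
        birth_names = self.get_table_by_name('birth_names')
        self.assertEqual(birth_names.perm,
                         updated_override_me.permissions[0].view_menu.name)
        self.assertEqual('datasource_access',
                         updated_override_me.permissions[0].permission.name)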
Example #15
def create_access_request(session, ds_type, ds_name, role_name, username):
    """Create and commit a DatasourceAccessRequest for ``username`` on a table.

    As a side effect, ``role_name`` is given ``datasource_access`` on the
    table before the request row is written. Only ``ds_type == "table"`` is
    supported; any other type raises NotImplementedError.
    """
    # TODO: generalize datasource names
    if ds_type != "table":
        # This function will only work for ds_type == "table"
        raise NotImplementedError()

    datasource = (
        session.query(SqlaTable)
        .filter(SqlaTable.table_name == ds_name)
        .first()
    )
    access_pvm = security_manager.find_permission_view_menu(
        "datasource_access", datasource.perm)
    target_role = security_manager.find_role(role_name)
    security_manager.add_permission_role(target_role, access_pvm)

    request_row = DatasourceAccessRequest(
        datasource_id=datasource.id,
        datasource_type=ds_type,
        created_by_fk=security_manager.find_user(username=username).id,
    )
    session.add(request_row)
    session.commit()
    return request_row
Example #16
    def setUpClass(cls):
        """Create the test role and user plus two tables in one test database."""
        # The role can only add slices; it holds no datasource permission yet.
        test_role = security_manager.role_model(name=TEST_ROLE)
        can_add_slice = security_manager.find_permission_view_menu(
            'can_add', 'SliceModelView')
        test_role.permissions.append(can_add_slice)

        # NOTE(review): the sixth positional argument is presumably the
        # password; confirm against add_user's signature.
        appbuilder.sm.add_user(
            TEST_USER, 'datasource', 'user', '*****@*****.**',
            test_role, 'general')

        test_database = Database(database_name=TEST_DB)
        tables = [
            SqlaTable(table_name=name, database=test_database)
            for name in ('table_for_test_role', 'table_not_for_test_role')
        ]
        db.session.add_all(tables)

        db.session.commit()
Example #17
def create_access_request(session, ds_type, ds_name, role_name, user_name):
    """Create and commit a DatasourceAccessRequest for ``user_name``.

    The datasource class is looked up in ConnectorRegistry by ``ds_type``.
    As a side effect, ``role_name`` is given ``datasource_access`` on the
    datasource before the request row is written.
    """
    ds_class = ConnectorRegistry.sources[ds_type]
    # TODO: generalize datasource names
    # Tables are matched on table_name, every other type on datasource_name.
    name_column = (
        ds_class.table_name if ds_type == 'table'
        else ds_class.datasource_name
    )
    datasource = session.query(ds_class).filter(name_column == ds_name).first()

    access_pvm = security_manager.find_permission_view_menu(
        'datasource_access', datasource.perm)
    target_role = security_manager.find_role(role_name)
    security_manager.add_permission_role(target_role, access_pvm)

    request_row = models.DatasourceAccessRequest(
        datasource_id=datasource.id,
        datasource_type=ds_type,
        created_by_fk=security_manager.find_user(username=user_name).id,
    )
    session.add(request_row)
    session.commit()
    return request_row
def create_access_request(session, ds_type, ds_name, role_name, user_name):
    """Create and commit a DatasourceAccessRequest for ``user_name``.

    The datasource class is looked up in ConnectorRegistry by ``ds_type``.
    As a side effect, ``role_name`` is given ``datasource_access`` on the
    datasource before the request row is written.
    """
    ds_class = ConnectorRegistry.sources[ds_type]
    # TODO: generalize datasource names
    # Tables are matched on table_name, every other type on datasource_name.
    name_column = (
        ds_class.table_name if ds_type == "table" else ds_class.datasource_name
    )
    datasource = session.query(ds_class).filter(name_column == ds_name).first()

    access_pvm = security_manager.find_permission_view_menu(
        "datasource_access", datasource.perm
    )
    target_role = security_manager.find_role(role_name)
    security_manager.add_permission_role(target_role, access_pvm)

    request_row = models.DatasourceAccessRequest(
        datasource_id=datasource.id,
        datasource_type=ds_type,
        created_by_fk=security_manager.find_user(username=user_name).id,
    )
    session.add(request_row)
    session.commit()
    return request_row
Example #19
    def test_clean_requests_after_schema_grant(self):
        """Pending access requests are removed once the requester has schema access.

        gamma and gamma2 both request the same table. gamma then receives
        schema-level access through SCHEMA_ACCESS_ROLE. After gamma2's
        request has been approved, gamma's request must be gone.
        """
        session = db.session

        # Case 4. Two access requests from gamma and gamma2
        # Gamma gets schema access, gamma2 access request granted
        # Check if request by gamma has been deleted

        gamma_user = security_manager.find_user(username="******")
        access_request1 = create_access_request(session, "table",
                                                "wb_health_population",
                                                TEST_ROLE_1, "gamma")
        create_access_request(session, "table", "wb_health_population",
                              TEST_ROLE_2, "gamma2")
        ds_1_id = access_request1.datasource_id
        ds = (session.query(SqlaTable).filter_by(
            table_name="wb_health_population").first())

        # Put the table in a temporary schema, create the schema_access
        # permission-view for it, attach it to SCHEMA_ACCESS_ROLE and give
        # that role to gamma.
        ds.schema = "temp_schema"
        security_manager.add_permission_view_menu("schema_access",
                                                  ds.schema_perm)
        schema_perm_view = security_manager.find_permission_view_menu(
            "schema_access", ds.schema_perm)
        security_manager.add_permission_role(
            security_manager.find_role(SCHEMA_ACCESS_ROLE), schema_perm_view)
        gamma_user.roles.append(security_manager.find_role(SCHEMA_ACCESS_ROLE))
        session.commit()
        # gamma2 request gets fulfilled
        # NOTE(review): the approval is issued as an HTTP GET; the format of
        # EXTEND_ROLE_REQUEST is defined outside this snippet.
        self.client.get(
            EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2",
                                       TEST_ROLE_2))
        access_requests = self.get_access_requests("gamma", "table", ds_1_id)
        self.assertFalse(access_requests)
        # Undo the role grant and the schema change for later tests. This
        # runs only if the assertion above passed.
        gamma_user = security_manager.find_user(username="******")
        gamma_user.roles.remove(security_manager.find_role(SCHEMA_ACCESS_ROLE))

        ds = (session.query(SqlaTable).filter_by(
            table_name="wb_health_population").first())
        ds.schema = None

        session.commit()
Example #20
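    def test_override_role_permissions_drops_absent_perms(self):
        """Overriding a role's permissions removes grants that are not in the payload.

        The role starts with datasource_access on ``energy_usage``. After the
        override call it must hold exactly one permission, datasource_access
        on ``birth_names``.
        """
        override_me = security_manager.find_role("override_me")
        # Pre-existing grant that the override is expected to drop.
        override_me.permissions.append(
            security_manager.find_permission_view_menu(
                view_menu_name=self.get_table_by_name("energy_usage").perm,
                permission_name="datasource_access",
            ))
        db.session.flush()

        response = self.client.post(
            "/superset/override_role_permissions/",
            data=json.dumps(ROLE_TABLES_PERM_DATA),
            content_type="application/json",
        )
        # assertEqual: the assertEquals alias was removed in Python 3.12.
        self.assertEqual(201, response.status_code)
        updated_override_me = security_manager.find_role("override_me")
        self.assertEqual(1, len(updated_override_me.permissions))
        birth_names = self.get_table_by_name("birth_names")
        self.assertEqual(birth_names.perm,
                         updated_override_me.permissions[0].view_menu.name)
        self.assertEqual("datasource_access",
                         updated_override_me.permissions[0].permission.name)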
Example #21
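    def test_override_role_permissions_drops_absent_perms(self):
        """Overriding a role's permissions removes grants that are not in the payload.

        The role starts with datasource_access on ``energy_usage``. After the
        override call it must hold exactly one permission, datasource_access
        on ``birth_names``.
        """
        override_me = security_manager.find_role('override_me')
        # Pre-existing grant that the override is expected to drop.
        override_me.permissions.append(
            security_manager.find_permission_view_menu(
                view_menu_name=self.get_table_by_name('energy_usage').perm,
                permission_name='datasource_access'),
        )
        db.session.flush()

        response = self.client.post(
            '/superset/override_role_permissions/',
            data=json.dumps(ROLE_TABLES_PERM_DATA),
            content_type='application/json')
        # assertEqual: the assertEquals alias was removed in Python 3.12.
        self.assertEqual(201, response.status_code)
        updated_override_me = security_manager.find_role('override_me')
        self.assertEqual(1, len(updated_override_me.permissions))
        birth_names = self.get_table_by_name('birth_names')
        self.assertEqual(
            birth_names.perm,
            updated_override_me.permissions[0].view_menu.name)
        self.assertEqual(
            'datasource_access',
            updated_override_me.permissions[0].permission.name)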
Example #22
    def test_clean_requests_after_schema_grant(self):
        """Pending access requests are removed once the requester has schema access.

        gamma and gamma2 both request the same table. gamma then receives
        schema-level access through SCHEMA_ACCESS_ROLE. After gamma2's
        request has been approved, gamma's request must be gone.
        """
        session = db.session

        # Case 4. Two access requests from gamma and gamma2
        # Gamma gets schema access, gamma2 access request granted
        # Check if request by gamma has been deleted

        gamma_user = security_manager.find_user(username='******')
        access_request1 = create_access_request(
            session, 'table', 'wb_health_population', TEST_ROLE_1, 'gamma')
        create_access_request(
            session, 'table', 'wb_health_population', TEST_ROLE_2, 'gamma2')
        ds_1_id = access_request1.datasource_id
        ds = session.query(SqlaTable).filter_by(
            table_name='wb_health_population').first()

        # Put the table in a temporary schema, ensure the schema_access
        # permission-view exists, attach it to SCHEMA_ACCESS_ROLE and give
        # that role to gamma.
        ds.schema = 'temp_schema'
        security_manager.merge_perm('schema_access', ds.schema_perm)
        schema_perm_view = security_manager.find_permission_view_menu(
            'schema_access', ds.schema_perm)
        security_manager.add_permission_role(
            security_manager.find_role(SCHEMA_ACCESS_ROLE), schema_perm_view)
        gamma_user.roles.append(security_manager.find_role(SCHEMA_ACCESS_ROLE))
        session.commit()
        # gamma2 request gets fulfilled
        # NOTE(review): the approval is issued as an HTTP GET; the format of
        # EXTEND_ROLE_REQUEST is defined outside this snippet.
        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma2', TEST_ROLE_2))
        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        self.assertFalse(access_requests)
        # Undo the role grant and the schema change for later tests. This
        # runs only if the assertion above passed.
        gamma_user = security_manager.find_user(username='******')
        gamma_user.roles.remove(security_manager.find_role(SCHEMA_ACCESS_ROLE))

        ds = session.query(SqlaTable).filter_by(
            table_name='wb_health_population').first()
        ds.schema = None

        session.commit()
    def test_clean_requests_after_db_grant(self):
        """Pending access requests are removed once the requester already has access.

        gamma and gamma2 both request the same table. gamma then receives
        database-level access through DB_ACCESS_ROLE. The test asserts that
        gamma's request is still present at that point and is gone after
        gamma2's request has been approved.
        """
        session = db.session

        # Case 3. Two access requests from gamma and gamma2
        # Gamma gets database access, gamma2 access request granted
        # Check if request by gamma has been deleted

        gamma_user = security_manager.find_user(username="******")
        access_request1 = create_access_request(
            session, "table", "energy_usage", TEST_ROLE_1, "gamma"
        )
        create_access_request(session, "table", "energy_usage", TEST_ROLE_2, "gamma2")
        ds_1_id = access_request1.datasource_id
        # gamma gets granted database access
        database = session.query(models.Database).first()

        # Create the database_access permission-view, attach it to
        # DB_ACCESS_ROLE, then give that role to gamma.
        security_manager.add_permission_view_menu("database_access", database.perm)
        ds_perm_view = security_manager.find_permission_view_menu(
            "database_access", database.perm
        )
        security_manager.add_permission_role(
            security_manager.find_role(DB_ACCESS_ROLE), ds_perm_view
        )
        gamma_user.roles.append(security_manager.find_role(DB_ACCESS_ROLE))
        session.commit()
        # Granting the role alone does not clean up: the request is still there.
        access_requests = self.get_access_requests("gamma", "table", ds_1_id)
        self.assertTrue(access_requests)
        # gamma2 request gets fulfilled
        # NOTE(review): the approval is issued as an HTTP GET; the format of
        # EXTEND_ROLE_REQUEST is defined outside this snippet.
        self.client.get(
            EXTEND_ROLE_REQUEST.format("table", ds_1_id, "gamma2", TEST_ROLE_2)
        )
        access_requests = self.get_access_requests("gamma", "table", ds_1_id)

        self.assertFalse(access_requests)
        # Undo the role grant so later tests start from gamma's normal roles.
        # This runs only if every assertion above passed.
        gamma_user = security_manager.find_user(username="******")
        gamma_user.roles.remove(security_manager.find_role(DB_ACCESS_ROLE))
        session.commit()
Example #24
    def test_is_admin_only(self):
        """Check which permission/view pairs ``is_admin_only`` reserves for Admin."""
        def admin_only(permission_name, view_menu_name):
            # Resolve the permission-view first, then ask the security manager.
            pvm = security_manager.find_permission_view_menu(
                permission_name, view_menu_name)
            return security_manager.is_admin_only(pvm)

        # Table read access and global datasource access are open to other roles.
        for pair in (
            ('can_show', 'TableModelView'),
            ('all_datasource_access', 'all_datasource_access'),
        ):
            self.assertFalse(admin_only(*pair))

        self.assertTrue(admin_only('can_delete', 'DatabaseView'))
        # The access-request view exists only when the feature is enabled.
        if app.config.get('ENABLE_ACCESS_REQUEST'):
            self.assertTrue(admin_only('can_show', 'AccessRequestsModelView'))
        # User management, approvals and global database access are Admin-only.
        for pair in (
            ('can_edit', 'UserDBModelView'),
            ('can_approve', 'Superset'),
            ('all_database_access', 'all_database_access'),
        ):
            self.assertTrue(admin_only(*pair))
    def test_is_admin_only(self):
        """Check which permission/view pairs ``_is_admin_only`` reserves for Admin."""
        def admin_only(permission_name, view_menu_name):
            # Resolve the permission-view first, then ask the security manager.
            pvm = security_manager.find_permission_view_menu(
                permission_name, view_menu_name
            )
            return security_manager._is_admin_only(pvm)

        # Table listing and global datasource access are open to other roles.
        for pair in (
            ("can_list", "TableModelView"),
            ("all_datasource_access", "all_datasource_access"),
        ):
            self.assertFalse(admin_only(*pair))

        # Reading the action log is reserved for Admin.
        for log_permission in ["can_list", "can_show"]:
            self.assertTrue(admin_only(log_permission, "LogModelView"))

        # The access-request view exists only when the feature is enabled.
        if app.config["ENABLE_ACCESS_REQUEST"]:
            self.assertTrue(admin_only("can_list", "AccessRequestsModelView"))
        # User management and approvals are Admin-only.
        for pair in (
            ("can_edit", "UserDBModelView"),
            ("can_approve", "Superset"),
        ):
            self.assertTrue(admin_only(*pair))
Example #26
    def test_filter_druid_datasource(self):
        """The Druid datasource list shows a user only the datasources granted to Gamma."""
        druid_cluster = self.get_or_create(
            DruidCluster, {'cluster_name': 'new_druid'}, db.session)
        db.session.merge(druid_cluster)

        # Create both datasources on the same cluster: one to grant, one to hide.
        datasources = []
        for ds_name in ('datasource_for_gamma', 'datasource_not_for_gamma'):
            datasource = self.get_or_create(
                DruidDatasource, {'datasource_name': ds_name}, db.session)
            datasource.cluster = druid_cluster
            db.session.merge(datasource)
            datasources.append(datasource)
        db.session.commit()
        granted_ds = datasources[0]

        # Both permission-views exist, but only the first is attached to Gamma.
        for datasource in datasources:
            security_manager.add_permission_view_menu(
                'datasource_access', datasource.perm)

        granted_pvm = security_manager.find_permission_view_menu(
            'datasource_access', granted_ds.get_perm())
        gamma_role = security_manager.find_role('Gamma')
        security_manager.add_permission_role(gamma_role, granted_pvm)
        security_manager.get_session.commit()

        self.login(username='******')
        listing = self.get_resp('/druiddatasourcemodelview/list/')
        self.assertIn('datasource_for_gamma', listing)
        self.assertNotIn('datasource_not_for_gamma', listing)
Example #27
    def test_is_alpha_only(self):
        """Check which permission/view pairs ``_is_alpha_only`` classifies as Alpha-level."""
        def alpha_only(permission_name, view_menu_name):
            # Resolve the permission-view first, then ask the security manager.
            pvm = security_manager.find_permission_view_menu(
                permission_name, view_menu_name
            )
            return security_manager._is_alpha_only(pvm)

        # Read-only access to the table view must not be Alpha-restricted.
        self.assertFalse(alpha_only("can_show", "TableModelView"))

        # Bulk delete, global datasource/database access and metric edits must be.
        alpha_restricted = (
            ("muldelete", "TableModelView"),
            ("all_datasource_access", "all_datasource_access"),
            ("can_edit", "SqlMetricInlineView"),
            ("can_delete", "DruidMetricInlineView"),
            ("all_database_access", "all_database_access"),
        )
        for permission_name, view_menu_name in alpha_restricted:
            self.assertTrue(alpha_only(permission_name, view_menu_name))
    def test_is_admin_only(self):
        """Pin which permission/view pairs ``_is_admin_only`` reports as Admin-only.

        Table read access and ``all_datasource_access`` are expected not to be
        Admin-only. Deleting databases, editing users and approving access
        requests are expected to be. The ``AccessRequestsModelView`` pair is
        checked only when ``ENABLE_ACCESS_REQUEST`` is set in the app config.
        """
        find_pvm = security_manager.find_permission_view_menu
        is_admin_only = security_manager._is_admin_only

        not_admin_only = (
            ("can_show", "TableModelView"),
            ("all_datasource_access", "all_datasource_access"),
        )
        for permission_name, view_menu_name in not_admin_only:
            self.assertFalse(is_admin_only(find_pvm(permission_name, view_menu_name)))

        self.assertTrue(is_admin_only(find_pvm("can_delete", "DatabaseView")))

        # This pair is only asserted when the access-request feature is enabled.
        if app.config.get("ENABLE_ACCESS_REQUEST"):
            self.assertTrue(
                is_admin_only(find_pvm("can_show", "AccessRequestsModelView"))
            )

        always_admin_only = (
            ("can_edit", "UserDBModelView"),
            ("can_approve", "Superset"),
        )
        for permission_name, view_menu_name in always_admin_only:
            self.assertTrue(is_admin_only(find_pvm(permission_name, view_menu_name)))
Example #29
 def test_is_gamma_pvm(self):
     """Check that ``can_show`` on ``TableModelView`` counts as a Gamma permission."""
     table_show_pvm = security_manager.find_permission_view_menu(
         "can_show", "TableModelView")
     self.assertTrue(security_manager._is_gamma_pvm(table_show_pvm))
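    def test_approve(self, mock_send_mime):
        """Exercise the grant-role and extend-role approval requests.

        Four cases are run for the ``gamma`` requester: granting a new role for
        a table, extending that role with the table's ``datasource_access``
        permission, and the same two flows for Druid datasources. For the two
        table cases the notification e-mail captured by ``mock_send_mime`` is
        checked as well.

        The test is reported as skipped when ``ENABLE_ACCESS_REQUEST`` is not
        set, so a run without the feature does not count these authorization
        checks as passed.

        Args:
            mock_send_mime: mock standing in for the mail sender; presumably
                injected by a patch decorator outside this block.
        """
        if not app.config.get("ENABLE_ACCESS_REQUEST"):
            self.skipTest("ENABLE_ACCESS_REQUEST is not enabled")

        session = db.session
        TEST_ROLE_NAME = "table_role"
        security_manager.add_role(TEST_ROLE_NAME)

        # Case 1. Grant new role to the user.

        access_request1 = create_access_request(
            session, "table", "unicode_test", TEST_ROLE_NAME, "gamma"
        )
        ds_1_id = access_request1.datasource_id
        self.get_resp(
            GRANT_ROLE_REQUEST.format("table", ds_1_id, "gamma", TEST_ROLE_NAME)
        )
        # Test email content.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        self.assertEqual(
            [
                security_manager.find_user(username="******").email,
                security_manager.find_user(username="******").email,
            ],
            call_args[1],
        )
        self.assertEqual(
            "[Superset] Access to the datasource {} was granted".format(
                self.get_table(ds_1_id).full_name
            ),
            call_args[2]["Subject"],
        )
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn("unicode_test", call_args[2].as_string())

        access_requests = self.get_access_requests("gamma", "table", ds_1_id)
        # request was removed
        self.assertFalse(access_requests)
        # user was granted table_role
        user_roles = [r.name for r in security_manager.find_user("gamma").roles]
        self.assertIn(TEST_ROLE_NAME, user_roles)

        # Case 2. Extend the role to have access to the table

        access_request2 = create_access_request(
            session, "table", "energy_usage", TEST_ROLE_NAME, "gamma"
        )
        ds_2_id = access_request2.datasource_id
        energy_usage_perm = access_request2.datasource.perm

        # Forget the Case 1 call; otherwise `called` below is already True and
        # would not show that this request sent a mail of its own.
        mock_send_mime.reset_mock()
        self.client.get(
            EXTEND_ROLE_REQUEST.format(
                "table", access_request2.datasource_id, "gamma", TEST_ROLE_NAME
            )
        )
        access_requests = self.get_access_requests("gamma", "table", ds_2_id)

        # Test email content.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        self.assertEqual(
            [
                security_manager.find_user(username="******").email,
                security_manager.find_user(username="******").email,
            ],
            call_args[1],
        )
        self.assertEqual(
            "[Superset] Access to the datasource {} was granted".format(
                self.get_table(ds_2_id).full_name
            ),
            call_args[2]["Subject"],
        )
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn("energy_usage", call_args[2].as_string())

        # request was removed
        self.assertFalse(access_requests)
        # table_role was extended to grant access to the energy_usage table
        perm_view = security_manager.find_permission_view_menu(
            "datasource_access", energy_usage_perm
        )
        TEST_ROLE = security_manager.find_role(TEST_ROLE_NAME)
        self.assertIn(perm_view, TEST_ROLE.permissions)

        # Case 3. Grant new role to the user to access the druid datasource.

        security_manager.add_role("druid_role")
        access_request3 = create_access_request(
            session, "druid", "druid_ds_1", "druid_role", "gamma"
        )
        self.get_resp(
            GRANT_ROLE_REQUEST.format(
                "druid", access_request3.datasource_id, "gamma", "druid_role"
            )
        )

        # user was granted druid_role
        user_roles = [r.name for r in security_manager.find_user("gamma").roles]
        self.assertIn("druid_role", user_roles)

        # Case 4. Extend the role to have access to the druid datasource

        access_request4 = create_access_request(
            session, "druid", "druid_ds_2", "druid_role", "gamma"
        )
        druid_ds_2_perm = access_request4.datasource.perm

        self.client.get(
            EXTEND_ROLE_REQUEST.format(
                "druid", access_request4.datasource_id, "gamma", "druid_role"
            )
        )
        # druid_role was extended to grant access to druid_ds_2
        druid_role = security_manager.find_role("druid_role")
        perm_view = security_manager.find_permission_view_menu(
            "datasource_access", druid_ds_2_perm
        )
        self.assertIn(perm_view, druid_role.permissions)

        # cleanup
        # NOTE(review): this only runs when every assertion above passed; after
        # a failure both roles stay attached to the user for later tests.
        gamma_user = security_manager.find_user(username="******")
        gamma_user.roles.remove(security_manager.find_role("druid_role"))
        gamma_user.roles.remove(security_manager.find_role(TEST_ROLE_NAME))
        session.delete(security_manager.find_role("druid_role"))
        session.delete(security_manager.find_role(TEST_ROLE_NAME))
        session.commit()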
    def test_set_perm_sqla_table(self):
        """Check that a table's permission strings track its name, schema and database.

        A temporary ``SqlaTable`` is created, then renamed, moved to another
        schema, moved to another database and finally stripped of its schema.
        After each committed change the row is looked up again and the test
        asserts the expected ``perm`` / ``schema_perm`` values and that a
        matching ``datasource_access`` / ``schema_access`` permission view
        exists. The temporary database and table are deleted at the end.
        """
        session = db.session

        def fetch(table_name):
            # Look the row up again by its current name.
            return session.query(SqlaTable).filter_by(table_name=table_name).one()

        def assert_datasource_perm(tbl, expected_perm):
            self.assertEqual(tbl.perm, expected_perm)
            self.assertIsNotNone(
                security_manager.find_permission_view_menu(
                    "datasource_access", tbl.perm))

        def assert_schema_perm(tbl, expected_schema_perm):
            self.assertEqual(tbl.schema_perm, expected_schema_perm)
            self.assertIsNotNone(
                security_manager.find_permission_view_menu(
                    "schema_access", tbl.schema_perm))

        session.add(
            SqlaTable(
                schema="tmp_schema",
                table_name="tmp_perm_table",
                database=get_example_database(),
            )
        )
        session.commit()

        stored_table = fetch("tmp_perm_table")
        assert_datasource_perm(
            stored_table, f"[examples].[tmp_perm_table](id:{stored_table.id})")
        assert_schema_perm(stored_table, "[examples].[tmp_schema]")

        # Rename the table: perm follows the new name, schema_perm is unchanged.
        stored_table.table_name = "tmp_perm_table_v2"
        session.commit()
        stored_table = fetch("tmp_perm_table_v2")
        assert_datasource_perm(
            stored_table, f"[examples].[tmp_perm_table_v2](id:{stored_table.id})")
        assert_schema_perm(stored_table, "[examples].[tmp_schema]")

        # Change the schema: perm is unchanged, schema_perm follows the new schema.
        stored_table.schema = "tmp_schema_v2"
        session.commit()
        stored_table = fetch("tmp_perm_table_v2")
        assert_datasource_perm(
            stored_table, f"[examples].[tmp_perm_table_v2](id:{stored_table.id})")
        assert_schema_perm(stored_table, "[examples].[tmp_schema_v2]")

        # Move to another database: both strings pick up the new database name.
        new_db = Database(sqlalchemy_uri="some_uri", database_name="tmp_db")
        session.add(new_db)
        stored_table.database = (
            session.query(Database).filter_by(database_name="tmp_db").one())
        session.commit()
        stored_table = fetch("tmp_perm_table_v2")
        assert_datasource_perm(
            stored_table, f"[tmp_db].[tmp_perm_table_v2](id:{stored_table.id})")
        assert_schema_perm(stored_table, "[tmp_db].[tmp_schema_v2]")

        # Drop the schema: perm is unchanged and schema_perm becomes None.
        stored_table.schema = None
        session.commit()
        stored_table = fetch("tmp_perm_table_v2")
        assert_datasource_perm(
            stored_table, f"[tmp_db].[tmp_perm_table_v2](id:{stored_table.id})")
        self.assertIsNone(stored_table.schema_perm)

        session.delete(new_db)
        session.delete(stored_table)
        session.commit()
 def test_is_gamma_pvm(self):
     """Check that ``can_read`` on ``Dataset`` counts as a Gamma permission."""
     dataset_read_pvm = security_manager.find_permission_view_menu(
         "can_read", "Dataset")
     self.assertTrue(security_manager._is_gamma_pvm(dataset_read_pvm))
Example #33
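    def test_request_access(self):
        """Exercise ``/superset/request_access`` and the role suggestions it records.

        Requests are made for a table and a Druid datasource that no role
        grants yet, and for a table and a Druid datasource that were first
        attached to a built-in role and to a custom role. In the latter cases
        the stored ``roles_with_datasource`` is expected to list an approval
        link for the custom role only.

        The test is reported as skipped when ``ENABLE_ACCESS_REQUEST`` is not
        set, so a run without the feature does not count these checks as
        passed.
        """
        if not app.config.get('ENABLE_ACCESS_REQUEST'):
            self.skipTest('ENABLE_ACCESS_REQUEST is not enabled')

        session = db.session
        self.logout()
        self.login(username='******')
        gamma_user = security_manager.find_user(username='******')
        security_manager.add_role('dummy_role')
        gamma_user.roles.append(security_manager.find_role('dummy_role'))
        session.commit()

        ACCESS_REQUEST = (
            '/superset/request_access?'
            'datasource_type={}&'
            'datasource_id={}&'
            'action={}&')
        ROLE_GRANT_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}">Grant {} Role</a>')

        # Request table access; no role has this table yet.

        table1 = session.query(SqlaTable).filter_by(
            table_name='random_time_series').first()
        table_1_id = table1.id

        # request access to the table
        resp = self.get_resp(
            ACCESS_REQUEST.format('table', table_1_id, 'go'))
        # unittest assertions are used because bare asserts vanish under -O
        self.assertIn('Access was requested', resp)
        access_request1 = self.get_access_requests('gamma', 'table', table_1_id)
        self.assertIsNotNone(access_request1)

        # Request access when roles exist that contain the table.
        # add table to the existing roles
        table3 = session.query(SqlaTable).filter_by(
            table_name='energy_usage').first()
        table_3_id = table3.id
        table3_perm = table3.perm

        security_manager.add_role('energy_usage_role')
        alpha_role = security_manager.find_role('Alpha')
        security_manager.add_permission_role(
            alpha_role,
            security_manager.find_permission_view_menu(
                'datasource_access', table3_perm))
        security_manager.add_permission_role(
            security_manager.find_role('energy_usage_role'),
            security_manager.find_permission_view_menu(
                'datasource_access', table3_perm))
        session.commit()

        self.get_resp(
            ACCESS_REQUEST.format('table', table_3_id, 'go'))
        access_request3 = self.get_access_requests('gamma', 'table', table_3_id)
        approve_link_3 = ROLE_GRANT_LINK.format(
            'table', table_3_id, 'gamma', 'energy_usage_role',
            'energy_usage_role')
        # Only the custom role is expected in the list, not Alpha.
        self.assertEqual(access_request3.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_3))

        # Request druid access; no role has this datasource yet.
        druid_ds_4 = session.query(DruidDatasource).filter_by(
            datasource_name='druid_ds_1').first()
        druid_ds_4_id = druid_ds_4.id

        # request access to the datasource
        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go'))
        access_request4 = self.get_access_requests('gamma', 'druid', druid_ds_4_id)

        # The expected string has no placeholder, so it is compared as-is.
        self.assertEqual(access_request4.roles_with_datasource, '<ul></ul>')

        # Case 5. Roles exist that contain the druid datasource.
        # add druid ds to the existing roles
        druid_ds_5 = session.query(DruidDatasource).filter_by(
            datasource_name='druid_ds_2').first()
        druid_ds_5_id = druid_ds_5.id
        druid_ds_5_perm = druid_ds_5.perm

        druid_ds_2_role = security_manager.add_role('druid_ds_2_role')
        admin_role = security_manager.find_role('Admin')
        security_manager.add_permission_role(
            admin_role,
            security_manager.find_permission_view_menu(
                'datasource_access', druid_ds_5_perm))
        security_manager.add_permission_role(
            druid_ds_2_role,
            security_manager.find_permission_view_menu(
                'datasource_access', druid_ds_5_perm))
        session.commit()

        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go'))
        access_request5 = self.get_access_requests(
            'gamma', 'druid', druid_ds_5_id)
        approve_link_5 = ROLE_GRANT_LINK.format(
            'druid', druid_ds_5_id, 'gamma', 'druid_ds_2_role',
            'druid_ds_2_role')
        self.assertEqual(access_request5.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_5))

        # cleanup
        # NOTE(review): only the dummy_role membership is undone; the roles
        # created above and the datasource_access grants added to Alpha and
        # Admin are left in place for whatever test runs next.
        gamma_user = security_manager.find_user(username='******')
        gamma_user.roles.remove(security_manager.find_role('dummy_role'))
        session.commit()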
Example #34
def load_test_users_run():
    """
    Create the admin, alpha and gamma-family accounts used for testing.

    Does nothing unless ``TESTING`` is set in ``config``. Otherwise it syncs
    the role definitions, builds a ``gamma_sqllab`` role from the ``Gamma``
    and ``sql_lab`` permissions plus ``database_access`` on the main database,
    adds each of the five users that does not exist yet, and commits.

    NOTE(review): the accounts are created with fixed literal credentials, so
    the ``TESTING`` check is the only thing keeping them out of a real
    deployment; confirm that flag is never enabled outside test runs.
    """
    if not config.get("TESTING"):
        return

    security_manager.sync_role_definitions()
    sqllab_role = security_manager.add_role("gamma_sqllab")
    for gamma_perm in security_manager.find_role("Gamma").permissions:
        security_manager.add_permission_role(sqllab_role, gamma_perm)
    utils.get_or_create_main_db()
    main_db_perm = utils.get_main_database().perm
    security_manager.add_permission_view_menu("database_access", main_db_perm)
    main_db_pvm = security_manager.find_permission_view_menu(
        view_menu_name=main_db_perm, permission_name="database_access"
    )
    sqllab_role.permissions.append(main_db_pvm)
    for sqllab_perm in security_manager.find_role("sql_lab").permissions:
        security_manager.add_permission_role(sqllab_role, sqllab_perm)

    # (username, last name, built-in role name; None means the role built above)
    accounts = (
        ("admin", " user", "Admin"),
        ("gamma", "user", "Gamma"),
        ("gamma2", "user", "Gamma"),
        ("gamma_sqllab", "user", None),
        ("alpha", "user", "Alpha"),
    )
    for username, last_name, role_name in accounts:
        if security_manager.find_user(username):
            continue
        # The role is looked up only for accounts that still need creating.
        if role_name is None:
            role = sqllab_role
        else:
            role = security_manager.find_role(role_name)
        security_manager.add_user(
            username,
            username,
            last_name,
            "*****@*****.**",
            role,
            password="******",
        )
    security_manager.get_session.commit()
Example #35
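    def test_approve(self, mock_send_mime):
        """Exercise the grant-role and extend-role approval requests.

        Four cases are run for the ``gamma`` requester: granting a new role for
        a table, extending that role with the table's ``datasource_access``
        permission, and the same two flows for Druid datasources. For the two
        table cases the notification e-mail captured by ``mock_send_mime`` is
        checked as well.

        The test is reported as skipped when ``ENABLE_ACCESS_REQUEST`` is not
        set, so a run without the feature does not count these authorization
        checks as passed.

        Args:
            mock_send_mime: mock standing in for the mail sender; presumably
                injected by a patch decorator outside this block.
        """
        if not app.config.get('ENABLE_ACCESS_REQUEST'):
            self.skipTest('ENABLE_ACCESS_REQUEST is not enabled')

        session = db.session
        TEST_ROLE_NAME = 'table_role'
        security_manager.add_role(TEST_ROLE_NAME)

        # Case 1. Grant new role to the user.

        access_request1 = create_access_request(
            session, 'table', 'unicode_test', TEST_ROLE_NAME, 'gamma')
        ds_1_id = access_request1.datasource_id
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma', TEST_ROLE_NAME))
        # Test email content.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        self.assertEqual([security_manager.find_user(username='******').email,
                          security_manager.find_user(username='******').email],
                         call_args[1])
        self.assertEqual(
            '[Superset] Access to the datasource {} was granted'.format(
                self.get_table(ds_1_id).full_name), call_args[2]['Subject'])
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn('unicode_test', call_args[2].as_string())

        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        # request was removed
        self.assertFalse(access_requests)
        # user was granted table_role
        user_roles = [r.name for r in security_manager.find_user('gamma').roles]
        self.assertIn(TEST_ROLE_NAME, user_roles)

        # Case 2. Extend the role to have access to the table

        access_request2 = create_access_request(
            session, 'table', 'energy_usage', TEST_ROLE_NAME, 'gamma')
        ds_2_id = access_request2.datasource_id
        energy_usage_perm = access_request2.datasource.perm

        # Forget the Case 1 call; otherwise `called` below is already True and
        # would not show that this request sent a mail of its own.
        mock_send_mime.reset_mock()
        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
        access_requests = self.get_access_requests('gamma', 'table', ds_2_id)

        # Test email content.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        self.assertEqual([security_manager.find_user(username='******').email,
                          security_manager.find_user(username='******').email],
                         call_args[1])
        self.assertEqual(
            '[Superset] Access to the datasource {} was granted'.format(
                self.get_table(ds_2_id).full_name), call_args[2]['Subject'])
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn('energy_usage', call_args[2].as_string())

        # request was removed
        self.assertFalse(access_requests)
        # table_role was extended to grant access to the energy_usage table
        perm_view = security_manager.find_permission_view_menu(
            'datasource_access', energy_usage_perm)
        TEST_ROLE = security_manager.find_role(TEST_ROLE_NAME)
        self.assertIn(perm_view, TEST_ROLE.permissions)

        # Case 3. Grant new role to the user to access the druid datasource.

        security_manager.add_role('druid_role')
        access_request3 = create_access_request(
            session, 'druid', 'druid_ds_1', 'druid_role', 'gamma')
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'druid', access_request3.datasource_id, 'gamma', 'druid_role'))

        # user was granted druid_role
        user_roles = [r.name for r in security_manager.find_user('gamma').roles]
        self.assertIn('druid_role', user_roles)

        # Case 4. Extend the role to have access to the druid datasource

        access_request4 = create_access_request(
            session, 'druid', 'druid_ds_2', 'druid_role', 'gamma')
        druid_ds_2_perm = access_request4.datasource.perm

        self.client.get(EXTEND_ROLE_REQUEST.format(
            'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
        # druid_role was extended to grant access to druid_ds_2
        druid_role = security_manager.find_role('druid_role')
        perm_view = security_manager.find_permission_view_menu(
            'datasource_access', druid_ds_2_perm)
        self.assertIn(perm_view, druid_role.permissions)

        # cleanup
        # NOTE(review): this only runs when every assertion above passed; after
        # a failure both roles stay attached to the user for later tests.
        gamma_user = security_manager.find_user(username='******')
        gamma_user.roles.remove(security_manager.find_role('druid_role'))
        gamma_user.roles.remove(security_manager.find_role(TEST_ROLE_NAME))
        session.delete(security_manager.find_role('druid_role'))
        session.delete(security_manager.find_role(TEST_ROLE_NAME))
        session.commit()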
Example #36
def load_test_users_run():
    """
    Create the admin, alpha and gamma-family accounts used for testing.

    Does nothing unless ``TESTING`` is set in ``config``. Otherwise it syncs
    the role definitions, builds a ``gamma_sqllab`` role from the ``Gamma``
    and ``sql_lab`` permissions plus ``database_access`` on the main database,
    adds each of the five users that does not exist yet, and commits.

    NOTE(review): the accounts are created with fixed literal credentials, so
    the ``TESTING`` check is the only thing keeping them out of a real
    deployment; confirm that flag is never enabled outside test runs.
    """
    if not config.get('TESTING'):
        return

    security_manager.sync_role_definitions()
    sqllab_role = security_manager.add_role('gamma_sqllab')
    for gamma_perm in security_manager.find_role('Gamma').permissions:
        security_manager.add_permission_role(sqllab_role, gamma_perm)
    utils.get_or_create_main_db()
    main_db_perm = utils.get_main_database(security_manager.get_session).perm
    security_manager.merge_perm('database_access', main_db_perm)
    main_db_pvm = security_manager.find_permission_view_menu(
        view_menu_name=main_db_perm, permission_name='database_access')
    sqllab_role.permissions.append(main_db_pvm)
    for sqllab_perm in security_manager.find_role('sql_lab').permissions:
        security_manager.add_permission_role(sqllab_role, sqllab_perm)

    # (username, last name, built-in role name; None means the role built above)
    accounts = (
        ('admin', ' user', 'Admin'),
        ('gamma', 'user', 'Gamma'),
        ('gamma2', 'user', 'Gamma'),
        ('gamma_sqllab', 'user', None),
        ('alpha', 'user', 'Alpha'),
    )
    for username, last_name, role_name in accounts:
        if security_manager.find_user(username):
            continue
        # The role is looked up only for accounts that still need creating.
        if role_name is None:
            role = sqllab_role
        else:
            role = security_manager.find_role(role_name)
        security_manager.add_user(username,
                                  username,
                                  last_name,
                                  '*****@*****.**',
                                  role,
                                  password='******')
    security_manager.get_session.commit()
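    def test_request_access(self):
        """Exercise ``/superset/request_access`` and the role suggestions it records.

        Requests are made for a table and a Druid datasource that no role
        grants yet, and for a table and a Druid datasource that were first
        attached to a built-in role and to a custom role. In the latter cases
        the stored ``roles_with_datasource`` is expected to list an approval
        link for the custom role only.

        The test is reported as skipped when ``ENABLE_ACCESS_REQUEST`` is not
        set, so a run without the feature does not count these checks as
        passed.
        """
        if not app.config.get("ENABLE_ACCESS_REQUEST"):
            self.skipTest("ENABLE_ACCESS_REQUEST is not enabled")

        session = db.session
        self.logout()
        self.login(username="******")
        gamma_user = security_manager.find_user(username="******")
        security_manager.add_role("dummy_role")
        gamma_user.roles.append(security_manager.find_role("dummy_role"))
        session.commit()

        ACCESS_REQUEST = (
            "/superset/request_access?"
            "datasource_type={}&"
            "datasource_id={}&"
            "action={}&"
        )
        ROLE_GRANT_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}">Grant {} Role</a>'
        )

        # Request table access; no role has this table yet.

        table1 = (
            session.query(SqlaTable)
            .filter_by(table_name="random_time_series")
            .first()
        )
        table_1_id = table1.id

        # request access to the table
        resp = self.get_resp(ACCESS_REQUEST.format("table", table_1_id, "go"))
        # unittest assertions are used because bare asserts vanish under -O
        self.assertIn("Access was requested", resp)
        access_request1 = self.get_access_requests("gamma", "table", table_1_id)
        self.assertIsNotNone(access_request1)

        # Request access when roles exist that contain the table.
        # add table to the existing roles
        table3 = (
            session.query(SqlaTable).filter_by(table_name="energy_usage").first()
        )
        table_3_id = table3.id
        table3_perm = table3.perm

        security_manager.add_role("energy_usage_role")
        alpha_role = security_manager.find_role("Alpha")
        security_manager.add_permission_role(
            alpha_role,
            security_manager.find_permission_view_menu(
                "datasource_access", table3_perm
            ),
        )
        security_manager.add_permission_role(
            security_manager.find_role("energy_usage_role"),
            security_manager.find_permission_view_menu(
                "datasource_access", table3_perm
            ),
        )
        session.commit()

        self.get_resp(ACCESS_REQUEST.format("table", table_3_id, "go"))
        access_request3 = self.get_access_requests("gamma", "table", table_3_id)
        approve_link_3 = ROLE_GRANT_LINK.format(
            "table", table_3_id, "gamma", "energy_usage_role", "energy_usage_role"
        )
        # Only the custom role is expected in the list, not Alpha.
        self.assertEqual(
            access_request3.roles_with_datasource,
            "<ul><li>{}</li></ul>".format(approve_link_3),
        )

        # Request druid access; no role has this datasource yet.
        druid_ds_4 = (
            session.query(DruidDatasource)
            .filter_by(datasource_name="druid_ds_1")
            .first()
        )
        druid_ds_4_id = druid_ds_4.id

        # request access to the datasource
        self.get_resp(ACCESS_REQUEST.format("druid", druid_ds_4_id, "go"))
        access_request4 = self.get_access_requests("gamma", "druid", druid_ds_4_id)

        # The expected string has no placeholder, so it is compared as-is.
        self.assertEqual(access_request4.roles_with_datasource, "<ul></ul>")

        # Case 5. Roles exist that contain the druid datasource.
        # add druid ds to the existing roles
        druid_ds_5 = (
            session.query(DruidDatasource)
            .filter_by(datasource_name="druid_ds_2")
            .first()
        )
        druid_ds_5_id = druid_ds_5.id
        druid_ds_5_perm = druid_ds_5.perm

        druid_ds_2_role = security_manager.add_role("druid_ds_2_role")
        admin_role = security_manager.find_role("Admin")
        security_manager.add_permission_role(
            admin_role,
            security_manager.find_permission_view_menu(
                "datasource_access", druid_ds_5_perm
            ),
        )
        security_manager.add_permission_role(
            druid_ds_2_role,
            security_manager.find_permission_view_menu(
                "datasource_access", druid_ds_5_perm
            ),
        )
        session.commit()

        self.get_resp(ACCESS_REQUEST.format("druid", druid_ds_5_id, "go"))
        access_request5 = self.get_access_requests("gamma", "druid", druid_ds_5_id)
        approve_link_5 = ROLE_GRANT_LINK.format(
            "druid", druid_ds_5_id, "gamma", "druid_ds_2_role", "druid_ds_2_role"
        )
        self.assertEqual(
            access_request5.roles_with_datasource,
            "<ul><li>{}</li></ul>".format(approve_link_5),
        )

        # cleanup
        # NOTE(review): only the dummy_role membership is undone; the roles
        # created above and the datasource_access grants added to Alpha and
        # Admin are left in place for whatever test runs next.
        gamma_user = security_manager.find_user(username="******")
        gamma_user.roles.remove(security_manager.find_role("dummy_role"))
        session.commit()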
Example #38
    def __init__(self, *args, **kwargs):
        """Build the roles, accounts and Druid fixtures the test cases rely on.

        Example data is loaded at most once per process; the
        ``examples_loaded`` environment variable records that it has been
        done. Role definitions are synced on every construction. The
        ``gamma_sqllab`` role is assembled from the ``Gamma`` permissions,
        ``database_access`` on the main database and the ``sql_lab``
        permissions. The fixture accounts ``admin``, ``gamma``, ``gamma2``,
        ``gamma_sqllab`` and ``alpha`` are created only when missing.
        """
        first_load = (
            self.requires_examples and
            not os.environ.get('examples_loaded')
        )
        if first_load:
            logging.info('Loading examples')
            cli.load_examples(load_test_data=True)
            logging.info('Done loading examples')
        security_manager.sync_role_definitions()
        if first_load:
            # Set only after a successful sync, so a failed run retries.
            os.environ['examples_loaded'] = '1'

        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        # gamma_sqllab = Gamma + database_access on the main db + sql_lab.
        sqllab_role = security_manager.add_role('gamma_sqllab')
        for gamma_perm in security_manager.find_role('Gamma').permissions:
            security_manager.add_permission_role(sqllab_role, gamma_perm)
        utils.get_or_create_main_db()
        main_db_perm = self.get_main_database(security_manager.get_session).perm
        security_manager.merge_perm('database_access', main_db_perm)
        sqllab_role.permissions.append(
            security_manager.find_permission_view_menu(
                view_menu_name=main_db_perm,
                permission_name='database_access'))
        for lab_perm in security_manager.find_role('sql_lab').permissions:
            security_manager.add_permission_role(sqllab_role, lab_perm)

        # (username, last name, role name); None selects the role built above.
        fixture_users = (
            ('admin', ' user', 'Admin'),
            ('gamma', 'user', 'Gamma'),
            ('gamma2', 'user', 'Gamma'),
            ('gamma_sqllab', 'user', None),
            ('alpha', 'user', 'Alpha'),
        )
        for username, last_name, role_name in fixture_users:
            if security_manager.find_user(username):
                continue
            # The role is looked up only when the account has to be created.
            if role_name is None:
                role = sqllab_role
            else:
                role = security_manager.find_role(role_name)
            security_manager.add_user(
                username, username, last_name, '*****@*****.**',
                role,
                password='******')
        security_manager.get_session.commit()

        # Druid cluster and datasources are created together, once.
        session = db.session
        existing_cluster = session.query(DruidCluster).filter_by(
            cluster_name='druid_test').first()
        if existing_cluster:
            return

        session.add(DruidCluster(cluster_name='druid_test'))
        session.commit()

        for ds_name in ('druid_ds_1', 'druid_ds_2'):
            session.add(DruidDatasource(
                datasource_name=ds_name,
                cluster_name='druid_test',
            ))
        session.commit()
Example #39
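    def test_approve(self, mock_send_mime):
        """Exercise the grant-role and extend-role approval flows.

        Four cases are covered for requests created on behalf of ``gamma``:
        granting a new role for a table, extending a role with a table
        permission, and the same two actions for Druid datasources.
        ``mock_send_mime`` replaces the mail sender so the notification
        recipients, subject and body can be inspected.
        """
        if not app.config.get('ENABLE_ACCESS_REQUEST'):
            # Report the test as skipped instead of letting an empty body
            # pass: a disabled feature flag must not look like coverage.
            self.skipTest('ENABLE_ACCESS_REQUEST is not enabled')

        session = db.session
        TEST_ROLE_NAME = 'table_role'
        security_manager.add_role(TEST_ROLE_NAME)

        # Case 1. Grant new role to the user.

        access_request1 = create_access_request(
            session, 'table', 'unicode_test', TEST_ROLE_NAME, 'gamma')
        ds_1_id = access_request1.datasource_id
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'table', ds_1_id, 'gamma', TEST_ROLE_NAME))
        # Test email content.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        self.assertEqual([security_manager.find_user(username='******').email,
                          security_manager.find_user(username='******').email],
                         call_args[1])
        self.assertEqual(
            '[Superset] Access to the datasource {} was granted'.format(
                self.get_table(ds_1_id).full_name), call_args[2]['Subject'])
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn('unicode_test', call_args[2].as_string())

        access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
        # request was removed
        self.assertFalse(access_requests)
        # user was granted table_role
        user_roles = [r.name for r in security_manager.find_user('gamma').roles]
        self.assertIn(TEST_ROLE_NAME, user_roles)

        # Case 2. Extend the role to have access to the table

        # Forget the Case 1 mail; otherwise ``called`` below is already True
        # and says nothing about the extend-role notification.
        mock_send_mime.reset_mock()

        access_request2 = create_access_request(
            session, 'table', 'energy_usage', TEST_ROLE_NAME, 'gamma')
        ds_2_id = access_request2.datasource_id
        energy_usage_perm = access_request2.datasource.perm

        # NOTE(review): the role change is triggered by a plain GET here.
        # Confirm the endpoint checks the approver's rights and that a
        # state-changing GET is covered by the CSRF protection in use.
        self.client.get(EXTEND_ROLE_REQUEST.format(
            'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
        access_requests = self.get_access_requests('gamma', 'table', ds_2_id)

        # Test email content.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        self.assertEqual([security_manager.find_user(username='******').email,
                          security_manager.find_user(username='******').email],
                         call_args[1])
        self.assertEqual(
            '[Superset] Access to the datasource {} was granted'.format(
                self.get_table(ds_2_id).full_name), call_args[2]['Subject'])
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn('energy_usage', call_args[2].as_string())

        # request was removed
        self.assertFalse(access_requests)
        # table_role was extended to grant access to the energy_usage table
        perm_view = security_manager.find_permission_view_menu(
            'datasource_access', energy_usage_perm)
        TEST_ROLE = security_manager.find_role(TEST_ROLE_NAME)
        self.assertIn(perm_view, TEST_ROLE.permissions)

        # Case 3. Grant new role to the user to access the druid datasource.

        security_manager.add_role('druid_role')
        access_request3 = create_access_request(
            session, 'druid', 'druid_ds_1', 'druid_role', 'gamma')
        self.get_resp(GRANT_ROLE_REQUEST.format(
            'druid', access_request3.datasource_id, 'gamma', 'druid_role'))

        # user was granted druid_role
        user_roles = [r.name for r in security_manager.find_user('gamma').roles]
        self.assertIn('druid_role', user_roles)

        # Case 4. Extend the role to have access to the druid datasource

        access_request4 = create_access_request(
            session, 'druid', 'druid_ds_2', 'druid_role', 'gamma')
        druid_ds_2_perm = access_request4.datasource.perm

        self.client.get(EXTEND_ROLE_REQUEST.format(
            'druid', access_request4.datasource_id, 'gamma', 'druid_role'))
        # druid_role was extended to grant access to druid_ds_2
        druid_role = security_manager.find_role('druid_role')
        perm_view = security_manager.find_permission_view_menu(
            'datasource_access', druid_ds_2_perm)
        self.assertIn(perm_view, druid_role.permissions)

        # cleanup
        # NOTE(review): this only runs when every assertion above passed; a
        # failure leaves both roles attached to the user for later tests.
        gamma_user = security_manager.find_user(username='******')
        gamma_user.roles.remove(security_manager.find_role('druid_role'))
        gamma_user.roles.remove(security_manager.find_role(TEST_ROLE_NAME))
        session.delete(security_manager.find_role('druid_role'))
        session.delete(security_manager.find_role(TEST_ROLE_NAME))
        session.commit()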
Example #40
 def test_is_gamma_pvm(self):
     """Check that ``can_show`` on ``TableModelView`` counts as a Gamma permission."""
     show_table_pvm = security_manager.find_permission_view_menu(
         'can_show', 'TableModelView')
     self.assertTrue(security_manager.is_gamma_pvm(show_table_pvm))
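    def test_set_perm_sqla_table(self):
        """Check that a table's permission strings follow its metadata.

        A table is created and then renamed, moved to another schema, moved
        to another database and finally stripped of its schema. After each
        step the test asserts the expected ``perm`` / ``schema_perm`` value
        and that a matching ``datasource_access`` / ``schema_access``
        permission-view exists. The two permission hooks on
        ``security_manager`` are replaced by mocks for the duration of the
        test so their calls can be asserted.
        """
        # Put the real hooks back when the test ends, pass or fail; without
        # this the mocks stay on the shared security manager and later tests
        # run with the permission hooks silently replaced.
        self.addCleanup(
            setattr, security_manager, "on_view_menu_after_insert",
            security_manager.on_view_menu_after_insert)
        self.addCleanup(
            setattr, security_manager, "on_permission_view_after_insert",
            security_manager.on_permission_view_after_insert)
        security_manager.on_view_menu_after_insert = Mock()
        security_manager.on_permission_view_after_insert = Mock()

        session = db.session
        table = SqlaTable(
            schema="tmp_schema",
            table_name="tmp_perm_table",
            database=get_example_database(),
        )
        session.add(table)
        session.commit()

        stored_table = (session.query(SqlaTable).filter_by(
            table_name="tmp_perm_table").one())
        self.assertEqual(stored_table.perm,
                         f"[examples].[tmp_perm_table](id:{stored_table.id})")

        pvm_dataset = security_manager.find_permission_view_menu(
            "datasource_access", stored_table.perm)
        pvm_schema = security_manager.find_permission_view_menu(
            "schema_access", stored_table.schema_perm)

        self.assertIsNotNone(pvm_dataset)
        self.assertEqual(stored_table.schema_perm, "[examples].[tmp_schema]")
        self.assertIsNotNone(pvm_schema)

        # assert on permission hooks
        view_menu_dataset = security_manager.find_view_menu(
            f"[examples].[tmp_perm_table](id:{stored_table.id})")
        view_menu_schema = security_manager.find_view_menu(
            "[examples].[tmp_schema]")
        security_manager.on_view_menu_after_insert.assert_has_calls([
            call(ANY, ANY, view_menu_dataset),
            call(ANY, ANY, view_menu_schema),
        ])
        security_manager.on_permission_view_after_insert.assert_has_calls([
            call(ANY, ANY, pvm_dataset),
            call(ANY, ANY, pvm_schema),
        ])

        # table name change
        stored_table.table_name = "tmp_perm_table_v2"
        session.commit()
        stored_table = (session.query(SqlaTable).filter_by(
            table_name="tmp_perm_table_v2").one())
        self.assertEqual(
            stored_table.perm,
            f"[examples].[tmp_perm_table_v2](id:{stored_table.id})")
        self.assertIsNotNone(
            security_manager.find_permission_view_menu("datasource_access",
                                                       stored_table.perm))
        # no changes in schema
        self.assertEqual(stored_table.schema_perm, "[examples].[tmp_schema]")
        self.assertIsNotNone(
            security_manager.find_permission_view_menu(
                "schema_access", stored_table.schema_perm))

        # schema name change
        stored_table.schema = "tmp_schema_v2"
        session.commit()
        stored_table = (session.query(SqlaTable).filter_by(
            table_name="tmp_perm_table_v2").one())
        self.assertEqual(
            stored_table.perm,
            f"[examples].[tmp_perm_table_v2](id:{stored_table.id})")
        self.assertIsNotNone(
            security_manager.find_permission_view_menu("datasource_access",
                                                       stored_table.perm))
        # the schema permission follows the new schema name
        self.assertEqual(stored_table.schema_perm,
                         "[examples].[tmp_schema_v2]")
        self.assertIsNotNone(
            security_manager.find_permission_view_menu(
                "schema_access", stored_table.schema_perm))

        # database change
        new_db = Database(sqlalchemy_uri="sqlite://", database_name="tmp_db")
        session.add(new_db)
        stored_table.database = (session.query(Database).filter_by(
            database_name="tmp_db").one())
        session.commit()
        stored_table = (session.query(SqlaTable).filter_by(
            table_name="tmp_perm_table_v2").one())
        self.assertEqual(
            stored_table.perm,
            f"[tmp_db].[tmp_perm_table_v2](id:{stored_table.id})")
        self.assertIsNotNone(
            security_manager.find_permission_view_menu("datasource_access",
                                                       stored_table.perm))
        # the schema permission follows the new database name
        self.assertEqual(stored_table.schema_perm, "[tmp_db].[tmp_schema_v2]")
        self.assertIsNotNone(
            security_manager.find_permission_view_menu(
                "schema_access", stored_table.schema_perm))

        # no schema
        stored_table.schema = None
        session.commit()
        stored_table = (session.query(SqlaTable).filter_by(
            table_name="tmp_perm_table_v2").one())
        self.assertEqual(
            stored_table.perm,
            f"[tmp_db].[tmp_perm_table_v2](id:{stored_table.id})")
        self.assertIsNotNone(
            security_manager.find_permission_view_menu("datasource_access",
                                                       stored_table.perm))
        self.assertIsNone(stored_table.schema_perm)

        # NOTE(review): the rows are removed only when every assertion above
        # passed; a failure leaves tmp_db and the table behind.
        session.delete(new_db)
        session.delete(stored_table)
        session.commit()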
Example #42
    def __init__(self, *args, **kwargs):
        """Set up shared test state: example data, roles, users, Druid rows.

        Examples are loaded only when ``requires_examples`` is set and the
        ``examples_loaded`` environment variable is still empty; role
        definitions are synced either way. A ``gamma_sqllab`` role is built
        from the ``Gamma`` and ``sql_lab`` permissions plus
        ``database_access`` on the main database, and the fixture accounts
        are added when they do not exist yet.
        """
        load_needed = (self.requires_examples
                       and not os.environ.get('examples_loaded'))
        if load_needed:
            logging.info('Loading examples')
            cli.load_examples_run(load_test_data=True)
            logging.info('Done loading examples')
        security_manager.sync_role_definitions()
        if load_needed:
            # Recorded after the sync so a failed sync triggers a reload.
            os.environ['examples_loaded'] = '1'

        super(SupersetTestCase, self).__init__(*args, **kwargs)
        self.client = app.test_client()
        self.maxDiff = None

        lab_role = security_manager.add_role('gamma_sqllab')
        for base_perm in security_manager.find_role('Gamma').permissions:
            security_manager.add_permission_role(lab_role, base_perm)
        utils.get_or_create_main_db()
        main_perm = self.get_main_database(security_manager.get_session).perm
        security_manager.merge_perm('database_access', main_perm)
        main_db_pvm = security_manager.find_permission_view_menu(
            view_menu_name=main_perm, permission_name='database_access')
        lab_role.permissions.append(main_db_pvm)
        for extra_perm in security_manager.find_role('sql_lab').permissions:
            security_manager.add_permission_role(lab_role, extra_perm)

        def ensure_user(username, last_name, resolve_role):
            # resolve_role is called only when the account is missing, so no
            # role lookup happens for users that already exist.
            if security_manager.find_user(username):
                return
            security_manager.add_user(username,
                                      username,
                                      last_name,
                                      '*****@*****.**',
                                      resolve_role(),
                                      password='******')

        ensure_user('admin', ' user',
                    lambda: security_manager.find_role('Admin'))
        ensure_user('gamma', 'user',
                    lambda: security_manager.find_role('Gamma'))
        ensure_user('gamma2', 'user',
                    lambda: security_manager.find_role('Gamma'))
        ensure_user('gamma_sqllab', 'user', lambda: lab_role)
        ensure_user('alpha', 'user',
                    lambda: security_manager.find_role('Alpha'))
        security_manager.get_session.commit()

        # The Druid cluster and its two datasources are created as one unit.
        session = db.session
        found = session.query(DruidCluster).filter_by(
            cluster_name='druid_test').first()
        if not found:
            session.add(DruidCluster(cluster_name='druid_test'))
            session.commit()

            first_ds = DruidDatasource(
                datasource_name='druid_ds_1',
                cluster_name='druid_test',
            )
            session.add(first_ds)
            second_ds = DruidDatasource(
                datasource_name='druid_ds_2',
                cluster_name='druid_test',
            )
            session.add(second_ds)
            session.commit()
Example #43
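    def test_request_access(self):
        """Check the access-request page and the grant links it offers.

        The test logs in (the username is redacted in this listing),
        requests access to tables and Druid datasources, and compares
        ``roles_with_datasource`` on the stored request with the expected
        HTML: an empty list when no role holds the datasource, otherwise one
        grant link per eligible role. The ``Alpha`` and ``Admin`` roles also
        receive the permission here but are not expected in the list.
        """
        if not app.config.get('ENABLE_ACCESS_REQUEST'):
            # Report the test as skipped instead of letting an empty body
            # pass: a disabled feature flag must not look like coverage.
            self.skipTest('ENABLE_ACCESS_REQUEST is not enabled')

        session = db.session
        self.logout()
        self.login(username='******')
        gamma_user = security_manager.find_user(username='******')
        security_manager.add_role('dummy_role')
        gamma_user.roles.append(security_manager.find_role('dummy_role'))
        session.commit()

        ACCESS_REQUEST = (
            '/superset/request_access?'
            'datasource_type={}&'
            'datasource_id={}&'
            'action={}&')
        # NOTE(review): the grant is offered as a plain link, i.e. a GET that
        # changes role membership. Confirm the approve endpoint checks the
        # approver's rights and is covered by the CSRF protection in use.
        ROLE_GRANT_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}">Grant {} Role</a>')

        # Request table access; no role holds this table yet.

        table1 = session.query(SqlaTable).filter_by(
            table_name='random_time_series').first()
        table_1_id = table1.id

        # request access to the table
        resp = self.get_resp(
            ACCESS_REQUEST.format('table', table_1_id, 'go'))
        # unittest assertions survive ``python -O``; bare asserts do not.
        self.assertIn('Access was requested', resp)
        access_request1 = self.get_access_requests('gamma', 'table', table_1_id)
        self.assertIsNotNone(access_request1)

        # Request access when roles exist that contain the table.
        # add table to the existing roles
        table3 = session.query(SqlaTable).filter_by(
            table_name='energy_usage').first()
        table_3_id = table3.id
        table3_perm = table3.perm

        security_manager.add_role('energy_usage_role')
        alpha_role = security_manager.find_role('Alpha')
        security_manager.add_permission_role(
            alpha_role,
            security_manager.find_permission_view_menu(
                'datasource_access', table3_perm))
        security_manager.add_permission_role(
            security_manager.find_role('energy_usage_role'),
            security_manager.find_permission_view_menu(
                'datasource_access', table3_perm))
        session.commit()

        self.get_resp(
            ACCESS_REQUEST.format('table', table_3_id, 'go'))
        access_request3 = self.get_access_requests('gamma', 'table', table_3_id)
        approve_link_3 = ROLE_GRANT_LINK.format(
            'table', table_3_id, 'gamma', 'energy_usage_role',
            'energy_usage_role')
        self.assertEqual(access_request3.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_3))

        # Request druid access; no role holds this datasource yet.
        druid_ds_4 = session.query(DruidDatasource).filter_by(
            datasource_name='druid_ds_1').first()
        druid_ds_4_id = druid_ds_4.id

        # request access to the datasource
        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go'))
        access_request4 = self.get_access_requests('gamma', 'druid', druid_ds_4_id)

        # The expected markup has no placeholder, so it is compared as-is.
        self.assertEqual(
            access_request4.roles_with_datasource,
            '<ul></ul>')

        # Case 5. Roles exist that contain the druid datasource.
        # add druid ds to the existing roles
        druid_ds_5 = session.query(DruidDatasource).filter_by(
            datasource_name='druid_ds_2').first()
        druid_ds_5_id = druid_ds_5.id
        druid_ds_5_perm = druid_ds_5.perm

        druid_ds_2_role = security_manager.add_role('druid_ds_2_role')
        admin_role = security_manager.find_role('Admin')
        security_manager.add_permission_role(
            admin_role,
            security_manager.find_permission_view_menu(
                'datasource_access', druid_ds_5_perm))
        security_manager.add_permission_role(
            druid_ds_2_role,
            security_manager.find_permission_view_menu(
                'datasource_access', druid_ds_5_perm))
        session.commit()

        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go'))
        access_request5 = self.get_access_requests(
            'gamma', 'druid', druid_ds_5_id)
        approve_link_5 = ROLE_GRANT_LINK.format(
            'druid', druid_ds_5_id, 'gamma', 'druid_ds_2_role',
            'druid_ds_2_role')
        self.assertEqual(access_request5.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_5))

        # cleanup
        # NOTE(review): only dummy_role is detached from the user; the roles
        # created above and the permissions added to Alpha and Admin stay in
        # the database for later tests.
        gamma_user = security_manager.find_user(username='******')
        gamma_user.roles.remove(security_manager.find_role('dummy_role'))
        session.commit()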