def test_create_record_success_with_multiple_roles(app, db, location, users, cli_runner, create_schema, auth_headers_for_superuser): create_schema('test', experiment='CMS') _datastore.find_or_create_role('*****@*****.**') _datastore.find_or_create_role('*****@*****.**') with NamedTemporaryFile('w+t') as tmp: tmp.write('{}') tmp.seek(0) res = cli_runner( f'fixtures create-deposit --file {tmp.name} --ana test -r [email protected] -r [email protected]' ) assert res.exit_code == 0 with app.test_client() as client: depid = re.search(r'id: (.*?)\n', res.output).group(1) resp = client.get(f'/deposits/{depid}', headers=auth_headers_for_superuser) assert resp.status_code == 200 assert resp.json['access']['deposit-read']['roles'] == [ '*****@*****.**', '*****@*****.**' ]
def test_create_record_success_with_user_and_owner(app, db, location, users, cli_runner, create_schema, auth_headers_for_superuser): user_mail = users['cms_user'].email user_mail2 = users['cms_user2'].email create_schema('test', experiment='CMS') _datastore.find_or_create_role('*****@*****.**') with NamedTemporaryFile('w+t') as tmp: tmp.write('{}') tmp.seek(0) res = cli_runner( f'fixtures create-deposit --file {tmp.name} --ana test -u {user_mail} -o {user_mail2}' ) assert res.exit_code == 0 with app.test_client() as client: depid = re.search(r'id: (.*?)\n', res.output).group(1) resp = client.get(f'/deposits/{depid}', headers=auth_headers_for_superuser) assert resp.status_code == 200 assert resp.json['access']['deposit-read']['users'] == [ user_mail2, user_mail ] assert resp.json['created_by'] == user_mail2
def test_deposit_publish_gives_acceess_to_members_of_exp( client, db, users, create_deposit): owner = users['superuser'] role = _datastore.find_or_create_role('*****@*****.**') db.session.add(ActionRoles.allow(exp_need_factory('CMS'), role=role)) deposit = create_deposit(owner, 'test', {}, experiment='CMS', publish=True) _, record = deposit.fetch_published() assert record['_access'] == { 'record-read': { 'users': [owner.id, users['cms_user'].id, users['cms_user2'].id], 'roles': [role.id] }, 'record-update': { 'users': [owner.id], 'roles': [] }, 'record-admin': { 'users': [owner.id], 'roles': [] } } assert ActionUsers.query.filter_by(action='record-read', argument=str(record.id), user=users['cms_user']).one() assert ActionUsers.query.filter_by(action='record-read', argument=str(record.id), user=users['cms_user2']).one() assert ActionRoles.query.filter_by(action='record-read', argument=str(record.id), role=role).one()
def test_get_deposit_with_permissions_json_serializer_returns_serialized_permissions_properly( client, db, example_user, auth_headers_for_example_user, deposit): egroup = _datastore.find_or_create_role('*****@*****.**') deposit._add_egroup_permissions( egroup, ['deposit-read', 'deposit-update'], db.session, ) deposit.commit() db.session.commit() resp = client.get('/deposits/{}'.format(deposit['_deposit']['id']), headers=[('Accept', 'application/permissions+json')] + auth_headers_for_example_user) assert resp.status_code == 200 assert resp.json == { 'permissions': { 'admin': { 'roles': [], 'users': [example_user.email] }, 'read': { 'roles': [egroup.name], 'users': [example_user.email] }, 'update': { 'roles': [egroup.name], 'users': [example_user.email] } } }
def test_deposit_publish_gives_acceess_to_members_of_exp(app, db, users, create_deposit): owner = users['superuser'] role = _datastore.find_or_create_role('*****@*****.**') db.session.add(ActionRoles.allow(exp_need_factory('CMS'), role=role)) deposit = create_deposit(owner, 'test-v1.0.0', {}, 'CMS', publish=True) _, record = deposit.fetch_published() assert record['_access'] == { 'record-read': { 'users': [owner.id, users['cms_user'].id, users['cms_user2'].id], 'roles': [role.id] }, 'record-update': { 'users': [owner.id], 'roles': [] }, 'record-admin': { 'users': [owner.id], 'roles': [] } } assert ActionUsers.query.filter_by(action='record-read', argument=str(record.id), user=users['cms_user']).one() assert ActionUsers.query.filter_by(action='record-read', argument=str(record.id), user=users['cms_user2']).one() assert ActionRoles.query.filter_by(action='record-read', argument=str(record.id), role=role).one()
def test_synchronize_cadi_entries_when_entry_doesnt_exist_creates_a_new_one( base_app, es, location, create_schema): create_schema('cms-analysis', experiment='CMS', version='0.0.1') group_with_r_access = assign_egroup_to_experiment('*****@*****.**', 'CMS') group_with_rw_access = _datastore.find_or_create_role( '*****@*****.**') # deposit with this cadi id doesn't exist with raises(DepositDoesNotExist): get_deposit_by_cadi_id('ANA-00-001') synchronize_cadi_entries() current_search.flush_and_refresh('deposits-records') # deposit with this cadi id created deposit = get_deposit_by_cadi_id('ANA-00-001') assert deposit['cadi_info'] == { 'cadi_id': 'ANA-00-001', 'contact': '', 'created': '', 'description': '', 'name': '', 'paper': '', 'pas': '', 'publication_status': '', 'status': 'Free', 'twiki': '' } # sets cadi info correctly assert deposit['basic_info']['cadi_id'] == 'ANA-00-001' # sets cadi id assert deposit['general_title'] == 'ANA-00-001' # members of experiment got read access and cms-cap-admin egroup write access assert deposit['_access']['deposit-read'] == { 'users': [], 'roles': [group_with_r_access.id, group_with_rw_access.id] } assert deposit['_access']['deposit-update'] == { 'users': [], 'roles': [group_with_rw_access.id] } assert deposit['_access']['deposit-admin'] == {'users': [], 'roles': []} # deposit doesnt have owner assert deposit['_deposit']['owners'] == []
def test_deposit_publish_record_inherits_deposit_permissions(app, db, users, create_deposit): owner = users['superuser'] role = _datastore.find_or_create_role('*****@*****.**') deposit = create_deposit(owner, 'test-v1.0.0', {}) deposit._add_egroup_permissions(role, ['deposit-read', 'deposit-update'], db.session) deposit.publish() _, record = deposit.fetch_published() assert record['_access'] == { 'record-read': { 'users': [owner.id], 'roles': [role.id] }, 'record-update': { 'users': [owner.id], 'roles': [role.id] }, 'record-admin': { 'users': [owner.id], 'roles': [] } } assert ActionUsers.query.filter_by(action='record-read', argument=str(record.id), user_id=owner.id).one() assert ActionUsers.query.filter_by(action='record-update', argument=str(record.id), user_id=owner.id).one() assert ActionUsers.query.filter_by(action='record-admin', argument=str(record.id), user_id=owner.id).one() assert ActionRoles.query.filter_by(action='record-read', argument=str(record.id), role_id=role.id).one() assert ActionRoles.query.filter_by(action='record-update', argument=str(record.id), role_id=role.id).one() assert not ActionRoles.query.filter_by(action='record-admin', argument=str(record.id), role_id=role.id).one_or_none()
def test_get_deposit_with_default_serializer(client, users, auth_headers_for_user, create_deposit): owner = users['cms_user'] deposit = create_deposit( owner, 'cms-analysis', { '$schema': 'https://analysispreservation.cern.ch/schemas/deposits/records/cms-analysis-v1.0.0.json', 'basic_info': { 'analysis_number': 'dream_team', } }, files={'file_1.txt': BytesIO(b'Hello world!')}, experiment='CMS') depid = deposit['_deposit']['id'] metadata = deposit.get_record_metadata() file = deposit.files['file_1.txt'] role = _datastore.find_or_create_role('*****@*****.**') deposit.edit_permissions([{ 'email': role.name, 'type': 'egroup', 'op': 'add', 'action': 'deposit-read' }]) resp = client.get('/deposits/{}'.format(depid), headers=[('Accept', 'application/json')] + auth_headers_for_user(owner)) assert resp.status_code == 200 assert resp.json == { 'id': depid, 'type': 'deposit', 'revision': 3, 'schema': { 'name': 'cms-analysis', 'version': '1.0.0' }, 'experiment': 'CMS', 'status': 'draft', 'created_by': owner.email, 'created': metadata.created.strftime('%Y-%m-%dT%H:%M:%S.%f+00:00'), 'updated': metadata.updated.strftime('%Y-%m-%dT%H:%M:%S.%f+00:00'), 'metadata': { 'basic_info': { 'analysis_number': 'dream_team' } }, 'labels': [], 'files': [{ 'bucket': str(file.bucket), 'checksum': file.file.checksum, 'key': file.key, 'size': file.file.size, 'version_id': str(file.version_id) }], 'access': { 'deposit-admin': { 'roles': [], 'users': [owner.email] }, 'deposit-update': { 'roles': [], 'users': [owner.email] }, 'deposit-read': { 'roles': ['*****@*****.**'], 'users': [owner.email] } }, 'is_owner': True, 'links': { 'bucket': 'http://analysispreservation.cern.ch/api/files/{}'.format( deposit.files.bucket), 'clone': 'http://analysispreservation.cern.ch/api/deposits/{}/actions/clone' .format(depid), 'discard': 'http://analysispreservation.cern.ch/api/deposits/{}/actions/discard' .format(depid), 'edit': 'http://analysispreservation.cern.ch/api/deposits/{}/actions/edit'. format(depid), 'files': 'http://analysispreservation.cern.ch/api/deposits/{}/files'.format( depid), 'html': 'http://analysispreservation.cern.ch/drafts/{}'.format(depid), 'permissions': 'http://analysispreservation.cern.ch/api/deposits/{}/actions/permissions' .format(depid), 'publish': 'http://analysispreservation.cern.ch/api/deposits/{}/actions/publish' .format(depid), 'self': 'http://analysispreservation.cern.ch/api/deposits/{}'.format( depid), 'upload': 'http://analysispreservation.cern.ch/api/deposits/{}/actions/upload' .format(depid) } }
def test_synchronize_cadi_entries_when_entry_doesnt_exist_creates_a_new_one_and_assigns_all_the_permissions_correctly( base_app, db, es, location, create_schema): create_schema('cms-analysis', experiment='CMS', version='0.0.1') owner = create_test_user('*****@*****.**') cms_members_group_with_r_access = assign_egroup_to_experiment( '*****@*****.**', 'CMS') cms_admin_groups_with_admin_access = [ _datastore.find_or_create_role('*****@*****.**'), _datastore.find_or_create_role('*****@*****.**'), _datastore.find_or_create_role('*****@*****.**'), ] db.session.commit() # deposit with this cadi id doesn't exist with raises(DepositDoesNotExist): get_deposit_by_cadi_id('EXO-00-000') synchronize_cadi_entries() current_search.flush_and_refresh('deposits-records') # deposit with this cadi id created deposit = get_deposit_by_cadi_id('EXO-00-000') assert deposit == { 'cadi_info': { 'description': 'Projections for 2HDM Higgs studies (H->ZZ and A->Zh) in 3000 fb-1', 'name': '2HDM Higgs studies (H->ZZ and A->Zh)', 'contact': '*****@*****.**', 'creator': '*****@*****.**', 'updater': '*****@*****.**', 'created': '2014-02-05', 'updated': '2014-07-26', 'twiki': 'https://twiki.cern.ch/twikiurl', 'paper': 'http://cms.cern.ch:80/paper.pdf', 'paper_tar': 'http://cms.cern.ch:80/paper.tgz', 'pas': '******', 'awg': 'HIG', 'publication_status': 'Free', 'status': 'PUB', 'conference': '', 'hepData': '', 'relatedNotes': [{ 'id': 'AN-2014/000', 'url': 'http://cms.cern.ch/noteInfo.jsp?cmsnoteid=CMS+AN-2014%2F000' }, { 'id': 'AN-2013/000', 'url': 'http://cms.cern.ch/noteInfo.jsp?cmsnoteid=CMS+AN-2013%2F000' }] }, 'general_title': '2HDM Higgs studies (H->ZZ and A->Zh)', '_fetched_from': 'cadi', '_user_edited': False, 'basic_info': { 'cadi_id': 'EXO-00-000' }, '$schema': 'https://analysispreservation.cern.ch/schemas/deposits/records/cms-analysis-v0.0.1.json', '_deposit': { 'id': deposit['_deposit']['id'], 'status': 'draft', 'owners': [] }, '_experiment': 'CMS', '_access': { 'deposit-read': { 'users': [owner.id], 'roles': [cms_members_group_with_r_access.id] + [x.id for x in cms_admin_groups_with_admin_access] }, 'deposit-update': { 'users': [owner.id], 'roles': [x.id for x in cms_admin_groups_with_admin_access] }, 'deposit-admin': { 'users': [owner.id], 'roles': [x.id for x in cms_admin_groups_with_admin_access] } }, '_files': [] }
def test_add_and_remove_egroup_permissions_set_access_object_properly_and_updates_actions_in_the_db( app, db, users, create_deposit): owner = users['cms_user'] egroup = _datastore.find_or_create_role('*****@*****.**') deposit = create_deposit(owner, 'alice-analysis-v0.0.1') assert deposit['_access'] == { 'deposit-read': { 'users': [owner.id], 'roles': [] }, 'deposit-update': { 'users': [owner.id], 'roles': [] }, 'deposit-admin': { 'users': [owner.id], 'roles': [] } } assert not ActionRoles.query.filter_by( action='deposit-read', argument=str(deposit.id), role_id=egroup.id, ).all() deposit._add_egroup_permissions( egroup, ['deposit-read', 'deposit-update'], db.session, ) assert deposit['_access'] == { 'deposit-read': { 'users': [owner.id], 'roles': [egroup.id] }, 'deposit-update': { 'users': [owner.id], 'roles': [egroup.id] }, 'deposit-admin': { 'users': [owner.id], 'roles': [] } } assert ActionRoles.query.filter_by( action='deposit-read', argument=str(deposit.id), role_id=egroup.id, ).one() deposit._remove_egroup_permissions( egroup, ['deposit-read', 'deposit-update'], db.session, ) assert deposit['_access'] == { 'deposit-read': { 'users': [owner.id], 'roles': [] }, 'deposit-update': { 'users': [owner.id], 'roles': [] }, 'deposit-admin': { 'users': [owner.id], 'roles': [] } } assert not ActionRoles.query.filter_by( action='deposit-read', argument=str(deposit.id), role_id=egroup.id, ).all()