Exemple #1
0
def test_invenio_access_permission_for_system_roles(app):
    """User can access to an action allowed/denied to their system roles."""
    InvenioAccess(app)
    with app.test_request_context():
        db.session.begin(nested=True)
        user = User(email='*****@*****.**')

        db.session.add(user)

        db.session.add(ActionSystemRoles.allow(
            action=ActionNeed('open'), role=authenticated_user))
        db.session.add(ActionSystemRoles.allow(
            action=ActionNeed('write'), role_name='any_user'))
        db.session.commit()

        permission_open = DynamicPermission(ActionNeed('open'))
        permission_write = DynamicPermission(ActionNeed('write'))

        identity_anon_user = FakeIdentity(any_user)
        identity_auth_user = FakeIdentity(authenticated_user, any_user)

        assert not permission_open.allows(identity_anon_user)
        assert permission_open.allows(identity_auth_user)

        assert permission_write.allows(identity_anon_user)
        assert permission_write.allows(identity_auth_user)
Exemple #2
0
def test_system_role_name(access_app):
    """Test that ActionSystemRoles fails when created with undeclared names."""
    state = access_app.extensions["invenio-access"]
    db.session.begin(nested=True)
    # Declare a system role.
    state.system_roles = {"any_user": any_user}
    # Create with a declared name.
    ActionSystemRoles(action="read", role_name="any_user")
    # Create with an undeclared name.
    with pytest.raises(AssertionError):
        ActionSystemRoles(action="read", role_name="unknown")
Exemple #3
0
def test_invenio_access_system_role_name(app):
    """Check that ActionSystemRoles cannot be created with undeclared names.
    """
    InvenioAccess(app)
    state = app.extensions['invenio-access']
    with app.test_request_context():
        db.session.begin(nested=True)
        # Declare a system role.
        state.system_roles = {'any_user': any_user}
        # Create with a declared name.
        ActionSystemRoles(action='read', role_name='any_user')
        # Create with an undeclared name.
        with pytest.raises(AssertionError):
            ActionSystemRoles(action='read', role_name='unknown')
    def add_read_access_for_all_users(self):
        """Give read access to all authenticated users."""
        assert self.id

        db.session.add(
            ActionSystemRoles.allow(SchemaReadAction(self.id),
                                    role=authenticated_user))
        db.session.flush()
Exemple #5
0
 def add_read_access_to_all(self):
     """Give read access to all authenticated users."""
     try:
         db.session.add(
             ActionSystemRoles.allow(SchemaReadAction(self.id),
                                     role=authenticated_user))
         db.session.flush()
     except IntegrityError:
         db.session.rollback()
 def add_read_access_to_all(self):
     """Give read access to all authenticated users."""
     try:
         db.session.add(
             ActionSystemRoles.allow(
                 SchemaReadAction(self.id),
                 role=authenticated_user
             )
         )
         db.session.flush()
     except IntegrityError:
         db.session.rollback()
Exemple #7
0
def test_invenio_access_permission_cache_system_roles_updates(app):
    """Testing ActionSystemRoles cache with inserts/updates/deletes."""
    # This test case is doing the same of user test case but using
    # system roles.
    cache = SimpleCache()
    InvenioAccess(app, cache=cache)
    with app.test_request_context():
        system_role_1 = SystemRoleNeed('system_role_1')
        system_role_2 = SystemRoleNeed('system_role_2')
        system_role_3 = SystemRoleNeed('system_role_3')
        system_role_4 = SystemRoleNeed('system_role_4')
        system_role_5 = SystemRoleNeed('system_role_5')
        system_role_6 = SystemRoleNeed('system_role_6')
        current_access.system_roles = {
            'system_role_1': system_role_1,
            'system_role_2': system_role_2,
            'system_role_3': system_role_3,
            'system_role_4': system_role_4,
            'system_role_5': system_role_5,
            'system_role_6': system_role_6,
        }

        # Creation of some data to test.
        db.session.add(ActionSystemRoles(action='open',
                                         role_name=system_role_1.value))
        db.session.add(ActionSystemRoles(action='write',
                                         role_name=system_role_4.value))

        db.session.flush()

        # Creation of identities to test.
        identity_fake_1 = FakeIdentity(system_role_1)
        identity_fake_2 = FakeIdentity(system_role_2)
        identity_fake_3 = FakeIdentity(system_role_3)
        identity_fake_4 = FakeIdentity(system_role_4)
        identity_fake_5 = FakeIdentity(system_role_5)
        identity_fake_6 = FakeIdentity(system_role_6)

        # Test if system_role_1 can open. In this case, the cache should store
        # only this object.
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_1)
        assert current_access.get_action_cache('open') == (
            set([system_role_1]),
            set([])
        )

        # Test if system_role_2 can write. In this case, the cache should
        # have this new object and the previous one (Open is allowed to
        # system_role_1)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_4)
        assert current_access.get_action_cache('write') == (
            set([system_role_4]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([system_role_1]),
            set([])
        )

        # If we add a new system role to the action open, the open action in
        # cache should be removed but it should still containing the write
        # entry.
        db.session.add(ActionSystemRoles(action='open',
                                         role_name=system_role_2.value))
        db.session.flush()
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_2)
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([system_role_4]),
            set([])
        )

        # Test if the new role is added to the action 'open'
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_4)
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )
        assert current_access.get_action_cache('write') == (
            set([system_role_4]),
            set([])
        )

        # If we update an action swapping a role, the cache containing the
        # action, should be removed.
        role_4_action_write = ActionSystemRoles.query.filter(
            ActionSystemRoles.action == 'write' and
            ActionSystemRoles.role_name == system_role_4.value).first()
        role_4_action_write.role_name = system_role_3.value
        db.session.flush()

        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') is not None
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )

        # Test if the system_role_3 can write now.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_4)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_3)
        assert current_access.get_action_cache('write') == (
            set([system_role_3]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )

        # If we remove a role from an action, the cache should clear the
        # action item.
        cust_action_write = ActionSystemRoles.query.filter(
            ActionSystemRoles.action == 'write' and
            ActionSystemRoles.role_name == system_role_3).first()
        db.session.delete(cust_action_write)
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        # If no one is allowed to perform an action then everybody is allowed.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_3)
        assert current_access.get_action_cache('write') == (
            set([]),
            set([])
        )
        db.session.add(ActionSystemRoles(action='write',
                                         role_name=system_role_5.value))
        db.session.flush()
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_5)
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_3)
        assert current_access.get_action_cache('write') == (
            set([system_role_5]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )

        # If you update the name of an existing action, the previous action
        # and the new action should be remove from cache.
        permission_write = DynamicPermission(ActionNeed('write'))
        assert permission_write.allows(identity_fake_5)
        assert current_access.get_action_cache('write') == (
            set([system_role_5]),
            set([])
        )
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2]),
            set([])
        )
        role_5_action_write = ActionSystemRoles.query.filter(
            ActionSystemRoles.action == 'write' and
            ActionSystemRoles.role_name == system_role_5.value).first()
        role_5_action_write.action = 'open'
        db.session.flush()
        assert current_access.get_action_cache('write') is None
        assert current_access.get_action_cache('open') is None
        permission_open = DynamicPermission(ActionNeed('open'))
        assert permission_open.allows(identity_fake_1)
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2, system_role_5]),
            set([])
        )
        db.session.add(ActionSystemRoles(action='write',
                                         role_name=system_role_4.value))
        permission_write = DynamicPermission(ActionNeed('write'))
        assert not permission_write.allows(identity_fake_5)
        assert current_access.get_action_cache('write') == (
            set([system_role_4]),
            set([])
        )

        db.session.add(ActionSystemRoles(action='open', argument='1',
                                         role_name=system_role_6.value))
        db.session.flush()
        permission_open_1 = DynamicPermission(
            ParameterizedActionNeed('open', '1'))
        assert not permission_open.allows(identity_fake_6)
        assert permission_open_1.allows(identity_fake_6)
        assert current_access.get_action_cache('open::1') == (
            set([system_role_1, system_role_2, system_role_5, system_role_6]),
            set([])
        )
        user_6_action_open_1 = ActionSystemRoles.query.filter_by(
            action='open', argument='1', role_name=system_role_6.value).first()
        user_6_action_open_1.argument = '2'
        db.session.flush()
        assert current_access.get_action_cache('open::1') is None
        assert current_access.get_action_cache('open::2') is None
        permission_open_2 = DynamicPermission(
            ParameterizedActionNeed('open', '2'))
        assert permission_open_2.allows(identity_fake_6)
        assert current_access.get_action_cache('open::2') == (
            set([system_role_1, system_role_2, system_role_5, system_role_6]),
            set([])
        )
        # open action cache should remain as before
        assert current_access.get_action_cache('open') == (
            set([system_role_1, system_role_2, system_role_5]),
            set([])
        )