Exemple #1
0
 def check_api_resource_permissions(resource_permissions):
     for _r_id, _r_perms in resource_permissions:
         urp_path = "/users/{}/resources/{}/permissions".format(
             self.test_user_name, _r_id)
         urp_resp = utils.test_request(self, "GET", urp_path)
         urp_body = utils.check_response_basic_info(urp_resp)
         ur_perms = [
             perm.json() for perm in _r_perms
             if isinstance(perm, PermissionSet)
         ]
         for perm in ur_perms:
             perm["type"] = PermissionType.DIRECT.value
         permissions = urp_body["permissions"]
         for perm in permissions:
             perm.pop("reason",
                      None)  # >= 3.4, don't care for this test
         utils.check_all_equal(permissions, ur_perms, any_order=True)
Exemple #2
0
 def check_ui_resource_permissions(perm_form, resource_id, permissions):
     select_res_id = "permission_resource_{}".format(resource_id)
     select_options = perm_form.fields[
         select_res_id]  # contains multiple select, one per applicable permission
     utils.check_val_equal(
         len(select_options),
         2,
         msg="Always 2 select combobox expected (read and write).")
     select_values = [select.value for select in select_options]
     if not permissions:
         utils.check_all_equal(
             ["", ""],
             select_values,
             msg="When no permission is selected, values are empty")
         return
     # value must match exactly the *explicit* permission representation
     for r_perm in permissions:
         utils.check_val_is_in(r_perm, select_values)
Exemple #3
0
    def test_register_permissions_existing_group_without_intermediate_entries(
            self):
        utils.TestSetup.create_TestService(
            self,
            override_service_name=self.test_perm_svc_name,
            override_service_type=ServiceAPI.service_type)
        utils.TestSetup.create_TestGroup(
            self, override_group_name=self.test_perm_grp_name)
        session = get_db_session_from_settings(self.app.app.registry.settings)

        res1_name = "test-resource"
        res2_name = "sub-test-resource"
        res3_name = "sub-sub-test-resource"
        res3_perm = Permission.WRITE_MATCH
        perm_config = {
            "permissions": [
                {
                    "service": self.test_perm_svc_name,  # exists
                    "resource": res1_name + "/" + res2_name + "/" +
                    res3_name,  # none exist, all created for perm
                    "permission": res3_perm.value,  # perm only to lowest child
                    "action": "create",
                    "group": self.test_perm_grp_name,
                },
            ]
        }
        utils.check_no_raise(
            lambda: register.magpie_register_permissions_from_config(
                perm_config, db_session=session))

        # check that all service, resources, group are created correctly
        services = utils.TestSetup.get_RegisteredServicesList(self)
        utils.check_val_is_in(self.test_perm_svc_name,
                              [s["service_name"] for s in services])
        groups = utils.TestSetup.get_RegisteredGroupsList(self)
        utils.check_val_is_in(self.test_perm_grp_name, groups)
        resp = utils.test_request(
            self.app, "GET",
            "/services/{}/resources".format(self.test_perm_svc_name))
        body = utils.check_response_basic_info(resp)
        svc_res = body[self.test_perm_svc_name]["resources"]
        svc_res_id = body[self.test_perm_svc_name]["resource_id"]
        utils.check_val_is_in(res1_name,
                              [svc_res[r]["resource_name"] for r in svc_res])
        res1_id = [
            svc_res[r]["resource_id"] for r in svc_res
            if svc_res[r]["resource_name"] == res1_name
        ][0]
        res1_sub = svc_res[str(res1_id)]["children"]
        utils.check_val_is_in(res2_name,
                              [res1_sub[r]["resource_name"] for r in res1_sub])
        res2_id = [
            res1_sub[r]["resource_id"] for r in res1_sub
            if res1_sub[r]["resource_name"] == res2_name
        ][0]
        res2_sub = res1_sub[str(res2_id)]["children"]
        utils.check_val_is_in(res3_name,
                              [res2_sub[r]["resource_name"] for r in res2_sub])
        res3_id = [
            res2_sub[r]["resource_id"] for r in res2_sub
            if res2_sub[r]["resource_name"] == res3_name
        ][0]

        # check that all permissions are created correctly (only for final item)
        path = "/groups/{}/resources/{}/permissions".format(
            self.test_perm_grp_name, svc_res_id)
        resp = utils.test_request(self.app, "GET", path)
        body = utils.check_response_basic_info(resp)
        utils.check_val_equal(body["permission_names"], [])
        path = "/groups/{}/resources/{}/permissions".format(
            self.test_perm_grp_name, res1_id)
        resp = utils.test_request(self.app, "GET", path)
        body = utils.check_response_basic_info(resp)
        utils.check_val_equal(body["permission_names"], [])
        path = "/groups/{}/resources/{}/permissions".format(
            self.test_perm_grp_name, res2_id)
        resp = utils.test_request(self.app, "GET", path)
        body = utils.check_response_basic_info(resp)
        utils.check_val_equal(body["permission_names"], [])
        path = "/groups/{}/resources/{}/permissions".format(
            self.test_perm_grp_name, res3_id)
        resp = utils.test_request(self.app, "GET", path)
        body = utils.check_response_basic_info(resp)
        utils.check_all_equal(body["permission_names"], [res3_perm.value])
    def test_format_permissions_allowed(self):
        """
        Validate that formats are also respected, but with additional auto-expansion of all *modifier* combinations on
        permission names when requesting :attr:`PermissionType.ALLOWED` permissions.

        .. seealso::
            :meth:`test_format_permissions_applied`
        """
        utils.warn_version(__meta__.__version__,
                           "permission format validation",
                           "3.0",
                           skip=True)

        # add duplicates with extra modifiers only to test removal
        # provide in random order to validate proper sorting
        # use multiple permission implementation to validate they are still handled
        test_perms = [
            PermissionSet(Permission.READ, Access.DENY, Scope.RECURSIVE),
            PermissionSet(Permission.READ, Access.DENY, Scope.MATCH),
            PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE),
            PermissionSet(Permission.READ, Access.ALLOW, Scope.MATCH),
            Permission.READ,
            "write-match",  # old implicit format
            Permission.WRITE,
        ]
        format_perms = format_permissions(test_perms, PermissionType.ALLOWED)
        expect_names = [
            Permission.READ.value + "-" + Scope.MATCH.value,
            str(PermissionSet(Permission.READ, Access.ALLOW, Scope.MATCH)),
            Permission.READ.value,
            str(PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE)),
            # no implicit name for denied
            str(PermissionSet(Permission.READ, Access.DENY, Scope.MATCH)),
            str(PermissionSet(Permission.READ, Access.DENY, Scope.RECURSIVE)),
            Permission.WRITE.value + "-" + Scope.MATCH.value,
            str(PermissionSet(Permission.WRITE, Access.ALLOW, Scope.MATCH)),
            Permission.WRITE.value,
            str(PermissionSet(Permission.WRITE, Access.ALLOW,
                              Scope.RECURSIVE)),
            # no implicit name for denied
            str(PermissionSet(Permission.WRITE, Access.DENY, Scope.MATCH)),
            str(PermissionSet(Permission.WRITE, Access.DENY, Scope.RECURSIVE)),
        ]
        expect_perms = [
            PermissionSet(Permission.READ, Access.ALLOW, Scope.MATCH,
                          PermissionType.ALLOWED).json(),
            PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE,
                          PermissionType.ALLOWED).json(),
            PermissionSet(Permission.READ, Access.DENY, Scope.MATCH,
                          PermissionType.ALLOWED).json(),
            PermissionSet(Permission.READ, Access.DENY, Scope.RECURSIVE,
                          PermissionType.ALLOWED).json(),
            PermissionSet(Permission.WRITE, Access.ALLOW, Scope.MATCH,
                          PermissionType.ALLOWED).json(),
            PermissionSet(Permission.WRITE, Access.ALLOW, Scope.RECURSIVE,
                          PermissionType.ALLOWED).json(),
            PermissionSet(Permission.WRITE, Access.DENY, Scope.MATCH,
                          PermissionType.ALLOWED).json(),
            PermissionSet(Permission.WRITE, Access.DENY, Scope.RECURSIVE,
                          PermissionType.ALLOWED).json(),
        ]
        utils.check_all_equal(format_perms["permission_names"],
                              expect_names,
                              any_order=False)
        utils.check_all_equal(format_perms["permissions"],
                              expect_perms,
                              any_order=False)
    def test_compare_and_sort_operations(self):
        perm_ram = PermissionSet(Permission.READ, Access.ALLOW, Scope.MATCH)
        perm_rar = PermissionSet(Permission.READ, Access.ALLOW,
                                 Scope.RECURSIVE)
        perm_rdm = PermissionSet(Permission.READ, Access.DENY, Scope.MATCH)
        perm_rdr = PermissionSet(Permission.READ, Access.DENY, Scope.RECURSIVE)
        perm_wam = PermissionSet(Permission.WRITE, Access.ALLOW, Scope.MATCH)
        perm_war = PermissionSet(Permission.WRITE, Access.ALLOW,
                                 Scope.RECURSIVE)
        perm_wdm = PermissionSet(Permission.WRITE, Access.DENY, Scope.MATCH)
        perm_wdr = PermissionSet(Permission.WRITE, Access.DENY,
                                 Scope.RECURSIVE)
        perm_sorted = [
            perm_ram, perm_rar, perm_rdm, perm_rdr, perm_wam, perm_war,
            perm_wdm, perm_wdr
        ]
        perm_random = [
            perm_rdr, perm_wam, perm_wdm, perm_rar, perm_war, perm_ram,
            perm_wdr, perm_rdm
        ]

        utils.check_val_equal(
            perm_rar,
            Permission.READ,
            msg="Should be equal because of defaults and name conversion")
        utils.check_val_not_equal(perm_rar,
                                  Permission.WRITE,
                                  msg="Not equal because of mismatch name")
        utils.check_val_equal(
            perm_rar,
            perm_rar.json(),
            msg="Pre-convert any known representation before equal check")

        utils.check_all_equal(list(sorted(perm_random)),
                              perm_sorted,
                              any_order=False)

        # cannot sort elements with other type representations although 'PermissionSet' can, because they don't know it
        # (ie: str.__lt__ and dict.__ls__ could be called with 'other' being 'PermissionSet' depending on random order)
        # can still do the individual compares though if the reference object is 'PermissionSet' and other is anything
        utils.check_val_equal(perm_sorted[0] < perm_sorted[1], True)
        utils.check_val_equal(perm_sorted[0] < perm_sorted[1].json(), True)
        utils.check_val_equal(
            perm_sorted[0] < perm_sorted[1].implicit_permission, True)
        utils.check_val_equal(
            perm_sorted[0] < perm_sorted[1].explicit_permission, True)
        utils.check_val_equal(perm_sorted[0] > perm_sorted[1], False)
        utils.check_val_equal(perm_sorted[0] > perm_sorted[1].json(), False)
        utils.check_val_equal(
            perm_sorted[0] > perm_sorted[1].implicit_permission, False)
        utils.check_val_equal(
            perm_sorted[0] > perm_sorted[1].explicit_permission, False)

        # validate similarity comparison with inplace conversion at the same time
        for perm_1, perm_2 in itertools.product(perm_sorted[0:4],
                                                perm_sorted[0:4]):
            utils.check_val_equal(perm_1.like(perm_2.json()),
                                  True,
                                  msg="Expected {!r} ~ {!r}".format(
                                      perm_1, perm_2))
        for perm_1, perm_2 in itertools.product(perm_sorted[0:4],
                                                perm_sorted[4:8]):
            utils.check_val_equal(perm_1.like(perm_2.json()),
                                  False,
                                  msg="Expected {!r} !~ {!r}".format(
                                      perm_1, perm_2))
    def test_format_permissions_applied(self):
        """
        Validate that provided permission sets are formatted as intended, with both implicit and explicit variants, and
        with both name strings and detailed JSON objects.
        """
        utils.warn_version(__meta__.__version__,
                           "permission format validation",
                           "3.0",
                           skip=True)

        usr_perm = models.UserPermission()
        usr_perm.perm_name = Permission.GET_FEATURE.value
        grp_perm = models.GroupPermission()
        grp_perm.perm_name = "write-match"  # using string for backward compatibility
        dup_perm = Permission.READ.value  # only one should remain in result
        dup_usr_perm = models.UserPermission()
        dup_usr_perm.perm_name = dup_perm  # also only one remains although different type
        only_perm = Permission.GET_CAPABILITIES
        deny_match_perm = PermissionSet(Permission.GET_LEGEND_GRAPHIC,
                                        Access.DENY, Scope.MATCH)
        deny_str_perm = Permission.GET_MAP.value + "-" + Access.DENY.value
        deny_recur_perm = PermissionSet(Permission.GET_METADATA, Access.DENY,
                                        Scope.RECURSIVE)
        # purposely use a random order to test sorting simultaneously to duplicate removal
        any_perms = [
            deny_match_perm, dup_perm, only_perm, usr_perm, dup_usr_perm,
            grp_perm, deny_str_perm, deny_recur_perm, deny_recur_perm
        ]

        perm_type = PermissionType.DIRECT  # anything else than 'allowed' to only get 'applied' permissions
        format_perms = format_permissions(any_perms, perm_type)
        expect_names = [
            # both implicit/explicit variants added for backward compatibility and new format for each applicable case
            only_perm.value,
            str(PermissionSet(only_perm, Access.ALLOW, Scope.RECURSIVE)),
            usr_perm.perm_name,
            str(PermissionSet(usr_perm.perm_name)),
            # deny only have explicit representation
            str(deny_match_perm),
            str(PermissionSet(deny_str_perm, Access.DENY, Scope.RECURSIVE)),
            str(
                PermissionSet(deny_recur_perm.name, deny_recur_perm.access,
                              Scope.RECURSIVE)),
            dup_perm,  # only one, other not present
            str(PermissionSet(dup_perm, Access.ALLOW, Scope.RECURSIVE)),
            grp_perm.perm_name,
            str(PermissionSet(grp_perm.perm_name, Access.ALLOW, Scope.MATCH)),
        ]
        expect_perms = [
            PermissionSet(Permission.GET_CAPABILITIES, Access.ALLOW,
                          Scope.RECURSIVE, perm_type).json(),
            PermissionSet(Permission.GET_FEATURE, Access.ALLOW,
                          Scope.RECURSIVE, perm_type).json(),
            PermissionSet(Permission.GET_LEGEND_GRAPHIC, Access.DENY,
                          Scope.MATCH, perm_type).json(),
            PermissionSet(Permission.GET_MAP, Access.DENY, Scope.RECURSIVE,
                          perm_type).json(),
            PermissionSet(Permission.GET_METADATA, Access.DENY,
                          Scope.RECURSIVE, perm_type).json(),
            PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE,
                          perm_type).json(),
            PermissionSet(Permission.WRITE, Access.ALLOW, Scope.MATCH,
                          perm_type).json(),
        ]
        utils.check_all_equal(format_perms["permission_names"],
                              expect_names,
                              any_order=False)
        utils.check_all_equal(format_perms["permissions"],
                              expect_perms,
                              any_order=False)
Exemple #7
0
 def test_enum_values_listing(self):
     utils.check_all_equal(DummyEnum.values(), ["value-1", "value-2"],
                           any_order=True)