def test_can_list_all_permissions():
role_one = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING)
role_two = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_REPORTS)
port_role = PortfolioRoleFactory.create(
permission_sets=[role_one, role_two])
expected_perms = role_one.permissions + role_two.permissions
assert expected_perms == expected_perms
def test_has_application_permission():
role_one = PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM)
role_two = PermissionSets.get(PermissionSets.EDIT_APPLICATION_ENVIRONMENTS)
app_role = ApplicationRoleFactory.create(
permission_sets=[role_one, role_two])
different_user = UserFactory.create()
assert Authorization.has_application_permission(
app_role.user, app_role.application, Permissions.EDIT_ENVIRONMENT)
assert not Authorization.has_portfolio_permission(
app_role.user, app_role.application, Permissions.DELETE_ENVIRONMENT)
assert not Authorization.has_portfolio_permission(
different_user, app_role.application, Permissions.DELETE_ENVIRONMENT)
def test_has_portfolio_permission():
role_one = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING)
role_two = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_REPORTS)
port_role = PortfolioRoleFactory.create(
permission_sets=[role_one, role_two])
different_user = UserFactory.create()
assert Authorization.has_portfolio_permission(
port_role.user, port_role.portfolio,
Permissions.VIEW_PORTFOLIO_REPORTS)
assert not Authorization.has_portfolio_permission(
port_role.user, port_role.portfolio, Permissions.CREATE_TASK_ORDER)
assert not Authorization.has_portfolio_permission(
different_user, port_role.portfolio,
Permissions.VIEW_PORTFOLIO_REPORTS)
def test_remove_portfolio_member_ppoc(client, user_session):
portfolio = PortfolioFactory.create()
user = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=user,
permission_sets=[
PermissionSets.get(PermissionSets.EDIT_PORTFOLIO_ADMIN)
],
)
ppoc_port_role = PortfolioRoles.get(portfolio_id=portfolio.id,
user_id=portfolio.owner.id)
user_session(user)
response = client.post(
url_for(
"portfolios.remove_member",
portfolio_id=portfolio.id,
portfolio_role_id=ppoc_port_role.id,
),
follow_redirects=False,
)
assert response.status_code == 404
assert (PortfolioRoles.get(
portfolio_id=portfolio.id,
user_id=portfolio.owner.id).status == PortfolioRoleStatus.ACTIVE)
def test_rerender_admin_page_if_member_perms_form_does_not_validate(
client, user_session, monkeypatch):
portfolio = PortfolioFactory.create()
user = UserFactory.create()
role = PortfolioRoleFactory.create(
user=user,
portfolio=portfolio,
permission_sets=[
PermissionSets.get(PermissionSets.EDIT_PORTFOLIO_ADMIN)
],
)
user_session(user)
form_data = {
"members_permissions-0-member_id": role.id,
"members_permissions-0-perms_app_mgmt": "bad input",
"members_permissions-0-perms_funding": "view_portfolio_funding",
"members_permissions-0-perms_reporting": "view_portfolio_reports",
"members_permissions-0-perms_portfolio_mgmt": "view_portfolio_admin",
}
mock_route = MagicMock(return_value=("", 200, {}))
monkeypatch.setattr("atst.routes.portfolios.admin.render_admin_page",
mock_route)
client.post(url_for("portfolios.edit_members", portfolio_id=portfolio.id),
data=form_data)
mock_route.assert_called()
def test_has_application_role_history(session):
owner = UserFactory.create()
user = UserFactory.create()
PortfolioFactory.create(
owner=owner,
applications=[{
"name":
"starkiller",
"environments": [{
"name":
"bridge",
"members": [{
"user": user,
"role_name": "developer"
}],
}],
}],
)
app_role = user.application_roles[0]
app_role.permission_sets = [
PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM)
]
session.add(app_role)
session.commit()
changed_event = (session.query(AuditEvent).filter(
AuditEvent.resource_id == app_role.id,
AuditEvent.action == "update").one())
old_state, new_state = changed_event.changed_state["permission_sets"]
assert old_state == [PermissionSets.VIEW_APPLICATION]
assert new_state == [PermissionSets.EDIT_APPLICATION_TEAM]
def test_no_update_member_permissions_without_edit_access(
client, user_session):
portfolio = PortfolioFactory.create()
rando = UserFactory.create()
rando_pf_role = PortfolioRoleFactory.create(
user=rando,
portfolio=portfolio,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN)
],
)
user = UserFactory.create()
PortfolioRoleFactory.create(
user=user,
portfolio=portfolio,
permission_sets=[
PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN)
],
)
user_session(user)
form_data = {
"members_permissions-0-member_id": rando_pf_role.id,
"members_permissions-0-perms_app_mgmt":
"edit_portfolio_application_management",
"members_permissions-0-perms_funding": "view_portfolio_funding",
"members_permissions-0-perms_reporting": "view_portfolio_reports",
"members_permissions-0-perms_portfolio_mgmt": "view_portfolio_admin",
}
response = client.post(
url_for("portfolios.edit_members", portfolio_id=portfolio.id),
data=form_data,
follow_redirects=True,
)
assert response.status_code == 404
assert not rando_pf_role.has_permission_set(
PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT)
def test_successful_login_redirect_ccpo(client, monkeypatch):
monkeypatch.setattr(
"atst.domain.authnid.AuthenticationContext.authenticate", lambda *args: True
)
role = PermissionSets.get(PermissionSets.VIEW_AUDIT_LOG)
monkeypatch.setattr(
"atst.domain.authnid.AuthenticationContext.get_user",
lambda *args: UserFactory.create(),
)
resp = _login(client)
assert resp.status_code == 302
assert "home" in resp.headers["Location"]
assert session["user_id"]
def _create(cls, model_class, *args, **kwargs):
with_applications = kwargs.pop("applications", [])
owner = kwargs.pop("owner", UserFactory.create())
members = kwargs.pop("members", [])
with_task_orders = kwargs.pop("task_orders", [])
portfolio = super()._create(model_class, *args, **kwargs)
applications = [
ApplicationFactory.create(portfolio=portfolio, **p)
for p in with_applications
]
task_orders = [
TaskOrderFactory.create(portfolio=portfolio, **to)
for to in with_task_orders
]
PortfolioRoleFactory.create(
portfolio=portfolio,
user=owner,
status=PortfolioRoleStatus.ACTIVE,
permission_sets=get_all_portfolio_permission_sets(),
)
for member in members:
user = member.get("user", UserFactory.create())
role_name = member["role_name"]
perms_set = None
if member.get("permissions_sets"):
perms_set = [
PermissionSets.get(perm_set)
for perm_set in member.get("permission_sets")
]
else:
perms_set = []
PortfolioRoleFactory.create(
portfolio=portfolio,
user=user,
status=PortfolioRoleStatus.ACTIVE,
permission_sets=perms_set,
)
portfolio.applications = applications
portfolio.task_orders = task_orders
return portfolio
def test_scoped_portfolio_for_admin_missing_view_apps_perms(
portfolio_owner, portfolio):
Applications.create(
portfolio.owner,
portfolio,
"My Application 2",
"My application 2",
["dev", "staging", "prod"],
)
restricted_admin = UserFactory.create()
PortfolioRoleFactory.create(
portfolio=portfolio,
user=restricted_admin,
permission_sets=[PermissionSets.get(PermissionSets.VIEW_PORTFOLIO)],
)
scoped_portfolio = Portfolios.get(restricted_admin, portfolio.id)
assert scoped_portfolio.id == portfolio.id
assert len(portfolio.applications) == 1
assert len(scoped_portfolio.applications) == 0
def test_member_table_access(client, user_session):
admin = UserFactory.create()
portfolio = PortfolioFactory.create(owner=admin)
rando = UserFactory.create()
PortfolioRoleFactory.create(
user=rando,
portfolio=portfolio,
permission_sets=[PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN)],
)
url = url_for("portfolios.admin", portfolio_id=portfolio.id)
# editable
user_session(admin)
edit_resp = client.get(url)
assert "<select" in edit_resp.data.decode()
# not editable
user_session(rando)
view_resp = client.get(url)
assert "<select" not in view_resp.data.decode()
def test_get_nonexistent_permission_set():
with pytest.raises(NotFoundError):
PermissionSets.get("nonexistent")
def test_get_existing_permission_set():
role = PermissionSets.get("portfolio_poc")
assert role.name == "portfolio_poc"
def base_application_permission_sets():
return [PermissionSets.get(PermissionSets.VIEW_APPLICATION)]
def base_portfolio_permission_sets():
return [
PermissionSets.get(prms)
for prms in PortfolioRoles.DEFAULT_PORTFOLIO_PERMISSION_SETS
]
def test_update_member(client, user_session, session):
role = PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM)
# create an app role with only edit team perms
app_role = ApplicationRoleFactory.create(permission_sets=[role])
application = app_role.application
env = EnvironmentFactory.create(application=application)
env_1 = EnvironmentFactory.create(application=application)
env_2 = EnvironmentFactory.create(application=application)
# add user to two of the environments: env and env_1
EnvironmentRoleFactory.create(environment=env,
application_role=app_role,
role=CSPRole.BASIC_ACCESS.value)
EnvironmentRoleFactory.create(environment=env_1,
application_role=app_role,
role=CSPRole.BASIC_ACCESS.value)
user_session(application.portfolio.owner)
# update the user's app permissions to have edit team and env perms
# update user's role in env, remove user from env_1, and add user to env_2
response = client.post(
url_for(
"applications.update_member",
application_id=application.id,
application_role_id=app_role.id,
),
data={
"environment_roles-0-environment_id": env.id,
"environment_roles-0-role": CSPRole.TECHNICAL_READ.value,
"environment_roles-0-environment_name": env.name,
"environment_roles-1-environment_id": env_1.id,
"environment_roles-1-role": NO_ACCESS,
"environment_roles-1-environment_name": env_1.name,
"environment_roles-2-environment_id": env_2.id,
"environment_roles-2-role": CSPRole.NETWORK_ADMIN.value,
"environment_roles-2-environment_name": env_2.name,
"perms_env_mgmt": True,
"perms_team_mgmt": True,
"perms_del_env": True,
},
)
assert response.status_code == 302
expected_url = url_for(
"applications.settings",
application_id=application.id,
fragment="application-members",
_anchor="application-members",
_external=True,
)
assert response.location == expected_url
# make sure new application role was not created
assert len(application.roles) == 1
# check that new app perms were added
assert bool(
app_role.has_permission_set(PermissionSets.EDIT_APPLICATION_TEAM))
assert bool(
app_role.has_permission_set(
PermissionSets.EDIT_APPLICATION_ENVIRONMENTS))
assert bool(
app_role.has_permission_set(
PermissionSets.DELETE_APPLICATION_ENVIRONMENTS))
environment_roles = application.roles[0].environment_roles
# make sure that old env role was deleted and there are only 2 env roles
assert len(environment_roles) == 2
# check that the user has roles in the correct envs
assert environment_roles[0].environment in [env, env_2]
assert environment_roles[1].environment in [env, env_2]
