def test_create_record_check_acl_priority(app, db, es, es_acl_prepare,
test_users):
with app.test_client() as client:
with db.session.begin_nested():
acl1 = DefaultACL(name='default',
schemas=[RECORD_SCHEMA],
priority=0,
originator=test_users.u1,
operation='get')
actor1 = SystemRoleActor(name='auth',
system_role='any_user',
acl=acl1,
originator=test_users.u1)
acl2 = DefaultACL(name='default',
schemas=[RECORD_SCHEMA],
priority=1,
originator=test_users.u1,
operation='get')
actor2 = SystemRoleActor(name='auth',
system_role='authenticated_user',
acl=acl2,
originator=test_users.u1)
db.session.add(acl1)
db.session.add(actor1)
db.session.add(acl2)
db.session.add(actor2)
login(client, test_users.u1)
response = client.post(records_url(),
data=json.dumps({
'title': 'blah',
'contributors': []
}),
content_type='application/json')
assert response.status_code == 201
rest_metadata = get_json(response)['metadata']
assert 'control_number' in rest_metadata
index, doctype = schema_to_index(RECORD_SCHEMA)
rec_md = current_search_client.get(
index=index,
doc_type=doctype,
id=str(
PersistentIdentifier.get(
'recid', rest_metadata['control_number']).object_uuid))
clear_timestamp(rec_md)
assert rec_md['_source']['_invenio_explicit_acls'] == [{
'operation':
'get',
'id':
acl2.id,
'timestamp':
'cleared',
'system_role': ['authenticated_user']
}]
def test_cli_full_reindex(app, db, es, capsys, es_acl_prepare, test_users):
pid, record = create_record(
{
'$schema': RECORD_SCHEMA,
'keywords': ['blah']
},
clz=SchemaEnforcingRecord)
RecordIndexer().index(record)
current_search_client.indices.flush()
with db.session.begin_nested():
acl = ElasticsearchACL(name='test',
schemas=[RECORD_SCHEMA],
priority=0,
operation='get',
originator=test_users.u1,
record_selector={'term': {
'keywords': 'blah'
}})
db.session.add(acl)
u = UserActor(name='test',
acl=acl,
originator=test_users.u1,
users=[test_users.u1])
db.session.add(u)
# now the record is not indexed and ACL is not in the helper index, check it ...
retrieved = RecordsSearch(
index=schema_to_index(RECORD_SCHEMA)[0]).get_record(
record.id).execute().hits[0].to_dict()
assert '_invenio_explicit_acls' not in retrieved
# just a precaution test
assert current_explicit_acls.enabled_schemas == {RECORD_SCHEMA}
# and run the reindex - should reindex one record
from invenio_explicit_acls.cli import full_reindex_impl
full_reindex_impl(verbose=True, records=True, in_bulk=False)
captured = capsys.readouterr()
assert captured.out.strip() == """
Reindexing ACLs
Updating ACL representation for "test" (%s) on schemas ['records/record-v1.0.0.json']
Getting records for schema records/record-v1.0.0.json
... collected 1 records
Adding 1 records to indexing queue""".strip() % (acl.id)
current_search_client.indices.flush()
retrieved = RecordsSearch(
index=schema_to_index(RECORD_SCHEMA)[0]).get_record(
record.id).execute().hits[0].to_dict()
assert clear_timestamp(retrieved['_invenio_explicit_acls']) == [{
'id':
str(acl.id),
'operation':
'get',
'timestamp':
'cleared',
'user': [1]
}]
def test_aclrecordsearch_returnall(app, db, es, es_acl_prepare, test_users):
with db.session.begin_nested():
acl1 = ElasticsearchACL(name='test', schemas=[RECORD_SCHEMA],
priority=0, operation='get', originator=test_users.u1,
record_selector={'term': {
'keywords': 'test'
}})
actor1 = SystemRoleActor(name='auth', system_role='any_user', acl=acl1, originator=test_users.u1)
db.session.add(acl1)
db.session.add(actor1)
current_explicit_acls.reindex_acl(acl1, delayed=False)
with app.test_client() as client:
login(client, test_users.u1)
response = client.post(records_url(),
data=json.dumps({'title': 'blah', 'contributors': [], 'keywords': ['blah']}),
content_type='application/json')
assert response.status_code == 201
rest_metadata = get_json(response)['metadata']
assert 'control_number' in rest_metadata
# make sure indices are flushed
current_search_client.indices.refresh()
current_search_client.indices.flush()
index, doc_type = schema_to_index(RECORD_SCHEMA)
record_uuid = PersistentIdentifier.get('recid', rest_metadata['control_number']).object_uuid
with app.test_request_context():
login_user(test_users.u1)
set_identity(test_users.u1)
assert current_user == test_users.u1
# acl1 does not apply to the resource so the search must return no data
assert not len(
ACLRecordsSearch(index=index, doc_type=doc_type, operation='get').get_record(record_uuid).execute())
# when acl_return_all is specified, return all matching records regardless of ACL
with_all = ACLRecordsSearch(index=index, doc_type=doc_type).acl_return_all().get_record(
record_uuid).execute().hits
assert len(with_all) == 1
assert with_all[0]['_invenio_explicit_acls'] == []
# add another acl, this one maps to the record
with db.session.begin_nested():
acl2 = ElasticsearchACL(name='test', schemas=[RECORD_SCHEMA],
priority=0, operation='get', originator=test_users.u1,
record_selector={'term': {
'keywords': 'blah'
}})
actor2 = UserActor(name='u2', users=[test_users.u2], acl=acl2, originator=test_users.u1)
db.session.add(acl2)
db.session.add(actor2)
current_explicit_acls.reindex_acl(acl2, delayed=False)
# make sure indices are flushed
current_search_client.indices.refresh()
current_search_client.indices.flush()
# for the same user acl_return_all() must return the record and effective acls
with app.test_request_context():
login_user(test_users.u1)
set_identity(test_users.u1)
# when acl_return_all is specified, return all matching records regardless of ACL
with_all = ACLRecordsSearch(index=index, doc_type=doc_type).acl_return_all().get_record(
record_uuid).execute().hits
assert len(with_all) == 1
assert clear_timestamp(with_all[0].to_dict()['_invenio_explicit_acls']) == [
{
'operation': 'get',
'id': acl2.id,
'timestamp': 'cleared',
'user': [2]
}
]
# for user2 plain ACLRecordsSearch must return the record and effective acls
with app.test_request_context():
login_user(test_users.u2)
set_identity(test_users.u2)
# when acl_return_all is specified, return all matching records regardless of ACL
with_all = ACLRecordsSearch(index=index, doc_type=doc_type).get_record(record_uuid).execute().hits
assert len(with_all) == 1
assert clear_timestamp(with_all[0].to_dict()['_invenio_explicit_acls']) == [
{
'operation': 'get',
'id': acl2.id,
'timestamp': 'cleared',
'user': [2]
}
]
def test_used_in_records(app, db, es, es_acl_prepare, test_users):
with db.session.begin_nested():
acl1 = ElasticsearchACL(name='test',
schemas=[RECORD_SCHEMA],
priority=0,
operation='get',
originator=test_users.u1,
record_selector={'term': {
'keywords': 'blah'
}})
actor1 = SystemRoleActor(name='auth',
acl=acl1,
originator=test_users.u1,
system_role='authenticated_user')
db.session.add(acl1)
db.session.add(actor1)
acl2 = ElasticsearchACL(name='test',
schemas=[RECORD_SCHEMA],
priority=0,
operation='get',
originator=test_users.u1,
record_selector={'term': {
'keywords': 'test'
}})
actor2 = SystemRoleActor(name='noauth',
acl=acl2,
originator=test_users.u1,
system_role='any_user')
db.session.add(actor2)
db.session.add(acl2)
acl1.update()
acl2.update()
pid1, record1 = create_record(
{
'$schema': RECORD_SCHEMA,
'keywords': ['blah']
},
clz=SchemaEnforcingRecord)
pid2, record2 = create_record(
{
'$schema': RECORD_SCHEMA,
'keywords': ['test']
},
clz=SchemaEnforcingRecord)
ts1 = datetime.datetime.now(datetime.timezone.utc)
time.sleep(0.1)
RecordIndexer().index(record1)
current_search_client.indices.refresh()
current_search_client.indices.flush()
time.sleep(1)
ts2 = datetime.datetime.now(datetime.timezone.utc)
time.sleep(0.1)
RecordIndexer().index(record2)
current_search_client.indices.refresh()
current_search_client.indices.flush()
time.sleep(1)
ts3 = datetime.datetime.now(datetime.timezone.utc)
# the records should have cached ACLs, let's check
idx, doc_type = schema_to_index(RECORD_SCHEMA)
assert clear_timestamp(
current_search_client.get(
index=idx, doc_type=doc_type,
id=str(record1.id))['_source']['_invenio_explicit_acls']) == [{
'operation':
'get',
'id':
acl1.id,
'timestamp':
'cleared',
'system_role': ['authenticated_user']
}]
assert clear_timestamp(
current_search_client.get(
index=idx, doc_type=doc_type,
id=str(record2.id))['_source']['_invenio_explicit_acls']) == [{
'operation':
'get',
'id':
acl2.id,
'timestamp':
'cleared',
'system_role': ['any_user']
}]
# there should be no resource for acl1 before ts1
assert list(acl1.used_in_records(older_than_timestamp=ts1)) == []
# one record before ts2 and ts3
assert list(
acl1.used_in_records(older_than_timestamp=ts2)) == [str(record1.id)]
assert list(
acl1.used_in_records(older_than_timestamp=ts3)) == [str(record1.id)]
# and one record before now
assert list(acl1.used_in_records()) == [str(record1.id)]
# there should be no resource for acl2 before ts1 and ts2
assert list(acl2.used_in_records(older_than_timestamp=ts1)) == []
assert list(acl2.used_in_records(older_than_timestamp=ts2)) == []
# one record before ts3
assert list(
acl2.used_in_records(older_than_timestamp=ts3)) == [str(record2.id)]
# and one record before now
assert list(acl2.used_in_records()) == [str(record2.id)]
def test_create_acl_after_record(app, db, es, es_acl_prepare, test_users):
with app.test_client() as client:
login(client, test_users.u1)
response = client.post(records_url(),
data=json.dumps({
'title': 'blah',
'contributors': []
}),
content_type='application/json')
assert response.status_code == 201
rest_metadata = get_json(response)['metadata']
assert 'control_number' in rest_metadata
current_search_client.indices.refresh()
current_search_client.indices.flush()
with db.session.begin_nested():
acl1 = DefaultACL(name='default',
schemas=[RECORD_SCHEMA],
priority=0,
originator=test_users.u1,
operation='get')
actor1 = SystemRoleActor(name='auth',
system_role='any_user',
acl=acl1,
originator=test_users.u1)
db.session.add(acl1)
db.session.add(actor1)
# reindex all resources that might be affected by the ACL change
current_explicit_acls.reindex_acl(acl1, delayed=False)
index, doctype = schema_to_index(RECORD_SCHEMA)
rec_md = current_search_client.get(
index=index,
doc_type=doctype,
id=str(
PersistentIdentifier.get(
'recid', rest_metadata['control_number']).object_uuid))
clear_timestamp(rec_md)
assert rec_md['_source']['_invenio_explicit_acls'] == [{
'operation':
'get',
'id':
acl1.id,
'timestamp':
'cleared',
'system_role': ['any_user']
}]
# remove the ACL from the database
with db.session.begin_nested():
db.session.delete(acl1)
# reindex records affected by the removal of ACL
current_explicit_acls.reindex_acl_removed(acl1, delayed=False)
# make sure all changes had time to propagate and test
current_search_client.indices.refresh()
current_search_client.indices.flush()
rec_md = current_search_client.get(
index=index,
doc_type=doctype,
id=str(
PersistentIdentifier.get(
'recid', rest_metadata['control_number']).object_uuid))
# there is no ACL in the database => no acls are defined nor enforced on the record
print(json.dumps(rec_md, indent=4))
assert '_invenio_explicit_acls' not in rec_md['_source']