def configured_app(minimal_app_for_api):
    """Yield the API test app with two throw-away accounts registered.

    One account is created under role "Test" with list/add/show/delete/edit
    on the role model view and list on the permission model view. The other
    is created under role "TestNoPermissions" with no permissions argument.
    Both are deleted after the consumer hands control back.
    """
    app = minimal_app_for_api
    role_view = permissions.RESOURCE_ROLE_MODEL_VIEW
    granted = [
        (permissions.ACTION_CAN_LIST, role_view),
        (permissions.ACTION_CAN_ADD, role_view),
        (permissions.ACTION_CAN_SHOW, role_view),
        (permissions.ACTION_CAN_LIST, permissions.RESOURCE_PERMISSION_MODEL_VIEW),
        (permissions.ACTION_CAN_DELETE, role_view),
        (permissions.ACTION_CAN_EDIT, role_view),
    ]
    create_user(app, username="******", role_name="Test", permissions=granted)  # type: ignore
    create_user(app, username="******", role_name="TestNoPermissions")  # type: ignore

    yield app

    # Teardown: one delete per account created above, so later tests that
    # share the app do not inherit these accounts.
    delete_user(app, username="******")  # type: ignore
    delete_user(app, username="******")  # type: ignore
Esempio n. 2
    def setUpClass(cls) -> None:
        """Create the Flask test app once per class and register one Admin account.

        The api/auth_backend option is overridden only for the duration of
        create_app().
        """
        super().setUpClass()

        backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
        with conf_vars(backend_override):
            cls.app = app.create_app(testing=True)  # type:ignore
        # TODO: Add new role for each view to test permission.
        # NOTE(review): the only account registered here has role "Admin"; if
        # the tests authenticate as it, permission-denied paths go unexercised.
        create_user(cls.app, username="******", role="Admin")  # type: ignore
Esempio n. 3
 def setUpClass(cls):
     """Configure the ORM, keep its session factory, build the app, add an Admin user.

     The api/auth_backend option is overridden only while create_app() runs.
     """
     settings.configure_orm()
     cls.session = settings.Session

     backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
     with conf_vars(backend_override):
         cls.app = app.create_app(testing=True)
     # TODO: Add new role for each view to test permission.
     # NOTE(review): the only account registered here has role "Admin"; if
     # the tests authenticate as it, permission-denied paths go unexercised.
     create_user(cls.app, username="******", role="Admin")
Esempio n. 4
    def setUpClass(cls) -> None:
        """Build the test app, register two accounts and install a one-DAG bag.

        Accounts: role "Test" with can_read on Dag, DagRun and Task, and role
        "TestNoPermissions" with no permissions argument. The DagBag is
        pointed at os.devnull and then given exactly the DAG built here.
        """
        super().setUpClass()

        backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
        with conf_vars(backend_override):
            cls.app = app.create_app(testing=True)  # type:ignore

        read_only = [('can_read', 'Dag'), ('can_read', 'DagRun'), ('can_read', 'Task')]
        create_user(cls.app, username="******", role_name="Test", permissions=read_only)  # type: ignore
        create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore

        with DAG(cls.dag_id, start_date=datetime(2020, 6, 15), doc_md="details") as dag:
            DummyOperator(task_id=cls.task_id)
        cls.dag = dag  # type:ignore

        # Replace whatever the bag collected with the single DAG defined above.
        bag = DagBag(os.devnull, include_examples=False)
        bag.dags = {dag.dag_id: dag}
        cls.app.dag_bag = bag  # type:ignore
 def setUpClass(cls) -> None:
     """Create the test app with SKIP_DAGS_PARSING set, then add an Admin user.

     Both the environment patch and the api/auth_backend override are
     active only while create_app() runs.
     """
     super().setUpClass()

     backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
     with mock.patch.dict("os.environ", SKIP_DAGS_PARSING="True"):
         with conf_vars(backend_override):
             cls.app = app.create_app(testing=True)  # type:ignore
     # TODO: Add new role for each view to test permission.
     # NOTE(review): the only account registered here has role "Admin"; if
     # the tests authenticate as it, permission-denied paths go unexercised.
     create_user(cls.app, username="******", role="Admin")  # type: ignore
Esempio n. 6
 def factory(name, role_name, permissions):
     """Register a user via create_user and return a test client logged in as it.

     The login form is posted with the user name reused as the password.
     ``app`` comes from the enclosing scope, which is not visible here.
     """
     create_user(app, name, role_name, permissions)
     credentials = {"username": name, "password": name}
     client = app.test_client()
     login_response = client.post("/login/", data=credentials)
     # NOTE(review): a 302 only shows that the login view redirected. If that
     # view also redirects when credentials are rejected, this check passes
     # on a failed login too; confirm, and consider asserting on the
     # redirect target as well.
     assert login_response.status_code == 302
     return client
Esempio n. 7
 def setUpClass(cls) -> None:
     """Build the test app and register an audit-log reader plus a bare account.

     Role "Test" receives read on the audit-log resource; role
     "TestNoPermissions" is created with no permissions argument.
     """
     super().setUpClass()

     backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
     with conf_vars(backend_override):
         cls.app = app.create_app(testing=True)  # type:ignore

     audit_read = [(permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG)]  # type: ignore
     create_user(cls.app, username="******", role_name="Test", permissions=audit_read)  # type:ignore
     create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore
Esempio n. 8
def configured_app(minimal_app_for_api):
    """Yield the API test app with a single config-reader account registered.

    The account is created under role "Test" with read on the config
    resource and is deleted after the consumer hands control back.
    """
    app = minimal_app_for_api
    config_read = [(permissions.ACTION_CAN_READ, permissions.RESOURCE_CONFIG)]  # type: ignore
    create_user(app, username="******", role_name="Test", permissions=config_read)  # type:ignore

    # ``app`` is the same object as the fixture argument.
    yield app

    delete_user(app, username="******")  # type: ignore
Esempio n. 9
    def setUpClass(cls) -> None:
        """Build the test app, register an Admin account and install a one-DAG bag.

        The DagBag is pointed at os.devnull and then given exactly the DAG
        built here.
        """
        super().setUpClass()

        backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
        with conf_vars(backend_override):
            cls.app = app.create_app(testing=True)  # type:ignore
        # TODO: Add new role for each view to test permission.
        # NOTE(review): the only account registered here has role "Admin"; if
        # the tests authenticate as it, permission-denied paths go unexercised.
        create_user(cls.app, username="******", role="Admin")  # type: ignore

        with DAG(
            cls.dag_id,
            start_date=datetime(2020, 6, 15),
            doc_md="details",
        ) as dag:
            DummyOperator(task_id=cls.task_id)
        cls.dag = dag  # type:ignore

        bag = DagBag(os.devnull, include_examples=False)
        bag.dags = {dag.dag_id: dag}
        cls.app.dag_bag = bag  # type:ignore
def configured_app(minimal_app_for_api):
    """Yield the API test app with a provider-reader and a bare account.

    Role "Test" receives read on the provider resource; role
    "TestNoPermissions" is created with no permissions argument. Both
    accounts are deleted after the consumer hands control back.
    """
    app = minimal_app_for_api
    provider_read = [(permissions.ACTION_CAN_READ, permissions.RESOURCE_PROVIDER)]
    create_user(app, username="******", role_name="Test", permissions=provider_read)  # type: ignore
    create_user(app, username="******", role_name="TestNoPermissions")  # type: ignore

    yield app

    # Teardown: one delete per account created above.
    delete_user(app, username="******")  # type: ignore
    delete_user(app, username="******")  # type: ignore
Esempio n. 11
    def setUpClass(cls):
        """Build the test app and register a read-only account plus a bare one.

        Role "Test" receives read on the DAG, DAG-run and task-instance
        resources; role "TestNoPermissions" gets no permissions argument.
        """
        backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
        with conf_vars(backend_override):
            cls.app = app.create_app(testing=True)

        readable = [
            (permissions.ACTION_CAN_READ, resource)
            for resource in (
                permissions.RESOURCE_DAG,
                permissions.RESOURCE_DAG_RUN,
                permissions.RESOURCE_TASK_INSTANCE,
            )
        ]
        create_user(cls.app, username="******", role_name="Test", permissions=readable)
        create_user(cls.app, username="******", role_name="TestNoPermissions")
Esempio n. 12
def configured_app(minimal_app_for_api):
    """Yield the API test app with webserver/expose_config overridden to 'True'.

    Role "Test" receives read on the config resource; role
    "TestNoPermissions" gets no permissions argument. The override wraps
    only the yield, and both accounts are deleted afterwards.
    """
    app = minimal_app_for_api
    config_read = [(permissions.ACTION_CAN_READ, permissions.RESOURCE_CONFIG)]  # type: ignore
    create_user(app, username="******", role_name="Test", permissions=config_read)  # type:ignore
    create_user(app, username="******", role_name="TestNoPermissions")  # type: ignore

    expose_override = {('webserver', 'expose_config'): 'True'}
    with conf_vars(expose_override):
        # ``app`` is the same object as the fixture argument.
        yield app

    delete_user(app, username="******")  # type: ignore
    delete_user(app, username="******")  # type: ignore
Esempio n. 13
    def test_dont_get_inaccessible_dag_ids_for_dag_resource_permission(self):
        """Edit permission alone must not make a DAG readable.

        The user's role holds only CAN_EDIT, both on the DAG resource and in
        the per-DAG access control, so get_readable_dag_ids() is expected to
        return an empty set.
        """
        dag_id = "dag_id"
        role_name = "MyRole1"
        edit_only = [permissions.ACTION_CAN_EDIT]

        user = api_connexion_utils.create_user(
            self.app,
            "******",
            role_name,
            permissions=[(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG)],
        )

        self.session.add(
            DagModel(dag_id=dag_id, fileloc="/tmp/dag_.py", schedule_interval="2 2 * * *")
        )
        self.session.commit()

        self.security_manager.sync_perm_for_dag(  # type: ignore  # pylint: disable=no-member
            dag_id, access_control={role_name: edit_only}
        )

        readable = self.security_manager.get_readable_dag_ids(user)
        assert readable == set()
Esempio n. 14
    def test_get_accessible_dag_ids(self):
        """A role with CAN_READ on a DAG must see that DAG as accessible."""
        dag_id = 'dag_id'
        role_name = 'MyRole1'
        read_only = [permissions.ACTION_CAN_READ]

        # NOTE(review): the same (CAN_READ, RESOURCE_DAG) pair is passed twice.
        # The second entry looks redundant or was meant to be another pair;
        # confirm against the intent of the test.
        dag_read = (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG)
        user = api_connexion_utils.create_user(
            self.app,
            "******",
            role_name,
            permissions=[dag_read, dag_read],
        )

        self.session.add(
            DagModel(dag_id=dag_id, fileloc="/tmp/dag_.py", schedule_interval="2 2 * * *")
        )
        self.session.commit()

        self.security_manager.sync_perm_for_dag(  # type: ignore  # pylint: disable=no-member
            dag_id, access_control={role_name: read_only}
        )

        accessible = self.security_manager.get_accessible_dag_ids(user)
        assert accessible == {'dag_id'}
Esempio n. 15
    def test_get_current_user_permissions(self, mock_get_user_roles):
        """Current-user permissions follow whatever roles the mocked lookup returns.

        With the created user's first role returned, the single granted pair
        is expected; with no roles returned, the result must be empty.
        """
        granted_pair = ('can_some_action', 'SomeBaseView')

        with self.app.app_context():
            user = api_connexion_utils.create_user(
                self.app,
                '******',
                'MyRole5',
                permissions=[granted_pair],
            )
            mock_get_user_roles.return_value = [user.roles[0]]
            current = self.security_manager.get_current_user_permissions()
            assert current == {granted_pair}

            # No roles at all must yield no permissions.
            mock_get_user_roles.return_value = []
            current = self.security_manager.get_current_user_permissions()
            assert len(current) == 0
Esempio n. 16
 def setUpClass(cls) -> None:
     """Build the test app and register a Connection CRUD account plus a bare one.

     Role "Test" receives can_create, can_read, can_edit and can_delete on
     "Connection"; role "TestNoPermissions" gets no permissions argument.
     """
     super().setUpClass()

     backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
     with conf_vars(backend_override):
         cls.app = app.create_app(testing=True)  # type:ignore

     connection_crud = [
         (action, "Connection")
         for action in ("can_create", "can_read", "can_edit", "can_delete")
     ]
     create_user(cls.app, username="******", role_name="Test", permissions=connection_crud)  # type: ignore
     create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore
Esempio n. 17
 def setUpClass(cls) -> None:
     """Build the test app and register an ImportError reader plus a bare account.

     Role "Test" receives can_read on "ImportError"; role
     "TestNoPermissions" gets no permissions argument.
     """
     super().setUpClass()

     backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
     with conf_vars(backend_override):
         cls.app = app.create_app(testing=True)  # type:ignore

     import_error_read = [('can_read', 'ImportError')]
     create_user(cls.app, username="******", role_name="Test", permissions=import_error_read)  # type: ignore
     create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore
Esempio n. 18
    def test_access_control_is_set_on_init(self):
        """Check that per-DAG access control reaches a user through role 'team-a'.

        The user is created with an empty permission list, so any DAG
        permission asserted below has to come from the access_control sync.
        The second half asserts that the same DAG permissions are absent
        after the 'NOT-team-a' helper call.
        """
        username = '******'
        role_name = 'team-a'
        with self.app.app_context():
            user = api_connexion_utils.create_user(
                self.app,
                username,
                role_name,
                permissions=[],
            )
            self.expect_user_is_in_role(user, rolename='team-a')
            # Grant edit + read on 'access_control_test' to role 'team-a'.
            self.security_manager._sync_dag_view_permissions(
                'access_control_test',
                access_control={
                    'team-a':
                    [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]
                },
            )
            self.assert_user_has_dag_perms(
                perms=[
                    permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ
                ],
                dag_id='access_control_test',
                user=user,
            )

            # NOTE(review): expect_user_is_in_role is not shown here; it
            # presumably reassigns the user to the named role. Confirm.
            self.expect_user_is_in_role(user, rolename='NOT-team-a')
            self.assert_user_does_not_have_dag_perms(
                perms=[
                    permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ
                ],
                dag_id='access_control_test',
                user=user,
            )
Esempio n. 19
    def test_access_control_stale_perms_are_revoked(self):
        """Check that narrowing a role's DAG access control revokes the dropped permission.

        Role 'team-a' is first synced with READ_WRITE and then with
        READ_ONLY on the same DAG. After the second sync the user must keep
        read and must no longer hold edit.
        """
        username = '******'
        role_name = 'team-a'
        with self.app.app_context():
            user = api_connexion_utils.create_user(
                self.app,
                username,
                role_name,
                permissions=[],
            )
            self.expect_user_is_in_role(user, rolename='team-a')
            # First sync: the wider permission set.
            self.security_manager._sync_dag_view_permissions(
                'access_control_test', access_control={'team-a': READ_WRITE})
            self.assert_user_has_dag_perms(perms=READ_WRITE,
                                           dag_id='access_control_test',
                                           user=user)

            # Second sync: the narrower set; edit is now stale and must go.
            self.security_manager._sync_dag_view_permissions(
                'access_control_test', access_control={'team-a': READ_ONLY})
            self.assert_user_has_dag_perms(perms=[permissions.ACTION_CAN_READ],
                                           dag_id='access_control_test',
                                           user=user)
            self.assert_user_does_not_have_dag_perms(
                perms=[permissions.ACTION_CAN_EDIT],
                dag_id='access_control_test',
                user=user)
Esempio n. 20
    def setup_class(cls) -> None:
        """Build the test app, register a Config reader and a bare account, reset the client.

        Role "Test" receives can_read on "Config"; role "TestNoPermissions"
        gets no permissions argument. ``cls.client`` starts as None.
        """
        backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
        with conf_vars(backend_override):
            cls.app = app.create_app(testing=True)  # type:ignore

        config_read = [('can_read', 'Config')]  # type: ignore
        create_user(cls.app, username="******", role_name="Test", permissions=config_read)
        create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore

        cls.client = None
Esempio n. 21
 def setUpClass(cls) -> None:
     """Create the test app with SKIP_DAGS_PARSING set and register two accounts.

     Role "Test" receives read on the DAG, DAG-run and task-instance
     resources; role "TestNoPermissions" gets no permissions argument.
     """
     super().setUpClass()

     backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
     with mock.patch.dict("os.environ", SKIP_DAGS_PARSING="True"):
         with conf_vars(backend_override):
             cls.app = app.create_app(testing=True)  # type:ignore

     readable = [
         (permissions.ACTION_CAN_READ, resource)
         for resource in (
             permissions.RESOURCE_DAG,
             permissions.RESOURCE_DAG_RUN,
             permissions.RESOURCE_TASK_INSTANCE,
         )
     ]
     create_user(cls.app, username="******", role_name="Test", permissions=readable)  # type: ignore
     create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore
Esempio n. 22
def configured_app(minimal_app_for_api):
    """Yield the API test app with a user-list reader and a bare account.

    Role "Test" receives list and show on the user DB model view; role
    "TestNoPermissions" gets no permissions argument. Both accounts are
    deleted after the consumer hands control back.
    """
    app = minimal_app_for_api
    user_view = permissions.RESOURCE_USER_DB_MODELVIEW
    granted = [
        (permissions.ACTION_CAN_LIST, user_view),
        (permissions.ACTION_CAN_SHOW, user_view),
    ]
    create_user(app, username="******", role_name="Test", permissions=granted)  # type: ignore
    create_user(app, username="******", role_name="TestNoPermissions")  # type: ignore

    yield app

    # Teardown: one delete per account created above.
    delete_user(app, username="******")  # type: ignore
    delete_user(app, username="******")  # type: ignore
def configured_app(minimal_app_for_api):
    """Yield the API test app with a task-instance editor and a bare account.

    Role "Test" receives read on the DAG, DAG-run and task-instance
    resources plus edit on task instances; role "TestNoPermissions" gets no
    permissions argument.
    """
    app = minimal_app_for_api
    granted = [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_INSTANCE),
        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_TASK_INSTANCE),
    ]
    create_user(app, username="******", role_name="Test", permissions=granted)  # type: ignore
    create_user(app, username="******", role_name="TestNoPermissions")  # type: ignore

    yield app

    # NOTE(review): two accounts are created above but only one delete_user
    # call follows. Usernames are masked in this listing, so it is not
    # visible which account stays behind; if they differ, the leftover
    # account and its role persist for later tests sharing the app.
    delete_user(app, username="******")  # type: ignore
Esempio n. 24
def user_all_dags(acl_app):
    """Return a user under role "role_all_dags" with read on the DAG and website resources."""
    granted = [
        (permissions.ACTION_CAN_READ, resource)
        for resource in (permissions.RESOURCE_DAG, permissions.RESOURCE_WEBSITE)
    ]
    account = create_user(
        acl_app,
        username="******",
        role_name="role_all_dags",
        permissions=granted,
    )
    return account
Esempio n. 25
    def setUpClass(cls):
        """Configure the ORM, build the test app and register two accounts.

        Role "Test" receives can_read on Dag, DagRun and Task; role
        "TestNoPermissions" gets no permissions argument.
        """
        settings.configure_orm()
        cls.session = settings.Session

        backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
        with conf_vars(backend_override):
            cls.app = app.create_app(testing=True)

        read_only = [('can_read', resource) for resource in ('Dag', 'DagRun', 'Task')]
        create_user(cls.app, username="******", role_name="Test", permissions=read_only)
        create_user(cls.app, username="******", role_name="TestNoPermissions")
Esempio n. 26
def user_edit_one_dag(acl_app):
    """Return a user under role "role_edit_one_dag" scoped to a single DAG resource.

    Read and edit are granted on 'DAG:example_bash_operator' only; no
    permission on the general DAG resource is passed.
    """
    single_dag = 'DAG:example_bash_operator'
    granted = [
        (permissions.ACTION_CAN_READ, single_dag),
        (permissions.ACTION_CAN_EDIT, single_dag),
    ]
    account = create_user(
        acl_app,
        username="******",
        role_name="role_edit_one_dag",
        permissions=granted,
    )
    return account
Esempio n. 27
def user_only_dags_tis(acl_app):
    """Return a user under role "role_only_dags_tis" with read on DAGs and task instances.

    Unlike the sibling fixtures, no website-resource permission is passed.
    """
    granted = [
        (permissions.ACTION_CAN_READ, resource)
        for resource in (permissions.RESOURCE_DAG, permissions.RESOURCE_TASK_INSTANCE)
    ]
    account = create_user(
        acl_app,
        username="******",
        role_name="role_only_dags_tis",
        permissions=granted,
    )
    return account
Esempio n. 28
def user_all_dags_edit_tis(acl_app):
    """Return a user under role "role_all_dags_edit_tis".

    Granted: read on the DAG resource, edit on task instances, and read on
    the website resource.
    """
    granted = [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_TASK_INSTANCE),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_WEBSITE),
    ]
    account = create_user(
        acl_app,
        username="******",
        role_name="role_all_dags_edit_tis",
        permissions=granted,
    )
    return account
Esempio n. 29
def configured_app(minimal_app_for_api):
    """Yield the API test app with a Variable CRUD account and a bare account.

    Role "Test" receives create, read, edit and delete on the variable
    resource; role "TestNoPermissions" gets no permissions argument. Both
    accounts are deleted after the consumer hands control back.
    """
    app = minimal_app_for_api

    variable = permissions.RESOURCE_VARIABLE
    granted = [
        (permissions.ACTION_CAN_CREATE, variable),
        (permissions.ACTION_CAN_READ, variable),
        (permissions.ACTION_CAN_EDIT, variable),
        (permissions.ACTION_CAN_DELETE, variable),
    ]
    create_user(app, username="******", role_name="Test", permissions=granted)  # type: ignore
    create_user(app, username="******", role_name="TestNoPermissions")  # type: ignore

    yield app

    # Teardown: one delete per account created above.
    delete_user(app, username="******")  # type: ignore
    delete_user(app, username="******")  # type: ignore
Esempio n. 30
    def setup_class(cls) -> None:
        """Enable webserver/expose_config, build the test app and register two accounts.

        Role "Test" receives read on the config resource; role
        "TestNoPermissions" gets no permissions argument. ``cls.client``
        starts as None.
        """
        # NOTE(review): the expose_config override is entered on an ExitStack
        # and stays active after this method returns. It is undone only if
        # cls.exit_stack is closed in a teardown that is not shown here.
        cls.exit_stack = ExitStack()
        expose_override = {('webserver', 'expose_config'): 'True'}
        cls.exit_stack.enter_context(conf_vars(expose_override))

        backend_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
        with conf_vars(backend_override):
            cls.app = app.create_app(testing=True)  # type:ignore

        config_read = [(permissions.ACTION_CAN_READ, permissions.RESOURCE_CONFIG)]  # type: ignore
        create_user(cls.app, username="******", role_name="Test", permissions=config_read)  # type:ignore
        create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore

        cls.client = None