def test_list(self):
# check that the user1 can't list network context elements
result_auth_u1 = sriutils.authorize_list_module(
self.user1, self.network_ctxt)
self.assertFalse(result_auth_u1)
# check that the user1 can list community context elements
result_auth_u2 = sriutils.authorize_list_module(
self.user2, self.community_ctxt)
self.assertTrue(result_auth_u2)
# check that the user1 can list contracts context elements
result_auth_u3 = sriutils.authorize_list_module(
self.user3, self.contracts_ctxt)
self.assertTrue(result_auth_u3)
def resolve_checkExistentOrganizationId(self, info, **kwargs):
ret = False
if info.context and info.context.user.is_authenticated:
# well use the community context to check if the user
# can read the rolegroup list
community_context = sriutils.get_community_context()
authorized = sriutils.authorize_list_module(
info.context.user, community_context)
if authorized:
id = kwargs.get('id', None)
handle_id = None
if id:
_type, handle_id = relay.Node.from_global_id(id)
organization_id = kwargs.get('organization_id')
ret = nc.models.OrganizationModel \
.check_existent_organization_id(
organization_id, handle_id, nc.graphdb.manager)
else:
raise GraphQLAuthException()
return ret
def resolve_context_activity(self, info, **kwargs):
'''
Connection resolver for the activity log, filtered by module name.
Actions are filtered to only show what the user has rights to list/read
'''
qs = ActionModel.objects.none()
if info.context and info.context.user.is_authenticated:
user = info.context.user
filter = kwargs.get('filter')
order_by = kwargs.get('orderBy')
if ContextModel.objects.filter(name=filter.context).exists():
# check list permission for this module/context
context = ContextModel.objects.get(name=filter.context)
authorized = sriutils.authorize_list_module(user, context)
if authorized:
# get readable handle_ids
readable_ids = sriutils.get_ids_user_canread(user)
qs = context_feed(filter.context, user)
if order_by:
if order_by == ActionOrderBy.timestamp_ASC:
qs = qs.order_by('timestamp')
elif order_by == ActionOrderBy.timestamp_DESC:
qs = qs.order_by('-timestamp')
else:
qs = qs.order_by('-timestamp')
else:
raise GraphQLAuthException()
return qs
def resolve_getAvailableRoleGroups(self, info, **kwargs):
ret = []
if info.context and info.context.user.is_authenticated:
# well use the community context to check if the user
# can read the rolegroup list
community_context = sriutils.get_community_context()
authorized = sriutils.authorize_list_module(
info.context.user, community_context)
if authorized:
ret = RoleGroupModel.objects.all()
else:
#401
raise GraphQLAuthException()
return ret
def resolve_getRolesFromRoleGroup(self, info, **kwargs):
ret = []
name = kwargs.get('name', DEFAULT_ROLEGROUP_NAME)
if info.context and info.context.user.is_authenticated:
# well use the community context to check if the user
# can read the rolegroup list
community_context = sriutils.get_community_context()
authorized = sriutils.authorize_list_module(
info.context.user, community_context)
if authorized:
role_group = RoleGroupModel.objects.get(name=name)
ret = RoleModel.objects.filter(role_group=role_group)
else:
#401
raise GraphQLAuthException()
return ret
def resolve_roles(self, info, **kwargs):
qs = RoleModel.objects.none()
if info.context and info.context.user.is_authenticated:
context = sriutils.get_community_context()
authorized = sriutils.authorize_list_module(
info.context.user, context)
if authorized:
filter = kwargs.get('filter')
order_by = kwargs.get('orderBy')
qs = RoleModel.objects.all()
if order_by:
if order_by == RoleOrderBy.handle_id_ASC:
qs = qs.order_by('handle_id')
elif order_by == RoleOrderBy.handle_id_DESC:
qs = qs.order_by('-handle_id')
elif order_by == RoleOrderBy.name_ASC:
qs = qs.order_by('name')
elif order_by == RoleOrderBy.name_DESC:
qs = qs.order_by('-name')
if filter:
if filter.id:
handle_id = relay.Node.from_global_id(filter.id)[1]
qs = qs.filter(handle_id=handle_id)
if filter.name:
qs = qs.filter(name=filter.name)
return qs
else:
#403
return qs
else:
# 401
raise GraphQLAuthException()
def test_grant_user_permissions(self):
# only run mutations if we have set this value
if not hasattr(self, 'test_type'):
return
another_user_id = self.another_user.id
other_user_id = self.other_user.id
for user in [self.another_user, self.other_user]:
# first query another_user permissions
user_id = user.id
query = """
{{
getUserById(ID: {user_id}){{
id
username
user_permissions{{
community{{
read
list
write
admin
}}
network{{
read
list
write
admin
}}
contracts{{
read
list
write
admin
}}
}}
}}
}}
""".format(user_id=user_id)
result = schema.execute(query, context=self.context)
assert not result.errors, pformat(result.errors, indent=1)
expected = {
'getUserById': {
'id': str(user_id),
'user_permissions': {
'community': {
'admin': False,
'list': False,
'read': False,
'write': False
},
'contracts': {
'admin': False,
'list': False,
'read': False,
'write': False
},
'network': {
'admin': False,
'list': False,
'read': False,
'write': False
}
},
'username': user.username
}
}
# they must be blank as we didn't set anything yet
self.assert_correct(result, expected)
# add read, list and write permissions over our module
query_t = """
mutation{{
grant_users_permissions(input:{{
users_ids:[ {users_ids} ]
context: "{context_name}"
read: {read}
list: {list}
write: {write}
{admin}
}}){{
results{{
success
errors{{
field
messages
}}
user{{
id
username
user_permissions{{
network{{
read
list
write
admin
}}
}}
}}
}}
}}
}}
"""
# check the user permissions query
net_ctxt = sriutils.get_network_context()
context_name = net_ctxt.name
read = str(True).lower()
list = str(True).lower()
write = str(True).lower()
users_ids = ", ".join(['"{}"'.format(x) \
for x in [other_user_id, another_user_id]])
query = query_t.format(users_ids=users_ids,
context_name=context_name,
read=read,
list=list,
write=write,
admin="")
# test vakt functions before
for user in [self.other_user, self.another_user]:
can_read = sriutils.authorize_read_module(user, net_ctxt)
can_list = sriutils.authorize_list_module(user, net_ctxt)
can_write = sriutils.authorize_create_resource(user, net_ctxt)
self.assertFalse(can_read)
self.assertFalse(can_list)
self.assertFalse(can_write)
# run mutation and check response
result = schema.execute(query, context=self.context)
assert not result.errors, pformat(result.errors, indent=1)
expected = OrderedDict([('grant_users_permissions', {
'results': [{
'errors': None,
'success': True,
'user': {
'id': str(other_user_id),
'user_permissions': {
'network': {
'admin': False,
'list': True,
'read': True,
'write': True
}
},
'username': self.other_user.username
}
}, {
'errors': None,
'success': True,
'user': {
'id': str(another_user_id),
'user_permissions': {
'network': {
'admin': False,
'list': True,
'read': True,
'write': True
}
},
'username': self.another_user.username
}
}]
})])
self.assert_correct(result, expected)
# after
for user in [self.other_user, self.another_user]:
can_read = sriutils.authorize_read_module(user, net_ctxt)
can_list = sriutils.authorize_list_module(user, net_ctxt)
can_write = sriutils.authorize_create_resource(user, net_ctxt)
self.assertTrue(can_read)
self.assertTrue(can_list)
self.assertTrue(can_write)
# revoke write permission
write = str(False).lower()
query = query_t.format(users_ids=users_ids,
context_name=context_name,
read=read,
list=list,
write=write,
admin="")
result = schema.execute(query, context=self.context)
assert not result.errors, pformat(result.errors, indent=1)
expected = OrderedDict([('grant_users_permissions', {
'results': [{
'errors': None,
'success': True,
'user': {
'id': str(other_user_id),
'user_permissions': {
'network': {
'admin': False,
'list': True,
'read': True,
'write': False
}
},
'username': self.other_user.username
}
}, {
'errors': None,
'success': True,
'user': {
'id': str(another_user_id),
'user_permissions': {
'network': {
'admin': False,
'list': True,
'read': True,
'write': False
}
},
'username': self.another_user.username
}
}]
})])
# check the user permissions query
self.assert_correct(result, expected)
# test vakt functions
for user in [self.other_user, self.another_user]:
can_write = sriutils.authorize_create_resource(user, net_ctxt)
self.assertFalse(can_write)
# grand admin rights
admin = "admin: true"
query = query_t.format(users_ids=users_ids,
context_name=context_name,
read=read,
list=list,
write=write,
admin=admin)
result = schema.execute(query, context=self.context)
assert not result.errors, pformat(result.errors, indent=1)
expected = None
if self.test_type == "admin":
# if it's not check the error
expected = OrderedDict([('grant_users_permissions', {
'results': [{
'errors': [{
'field':
'_',
'messages':
['Only superadmins can '
'grant admin rights']
}],
'success':
False,
'user': {
'id': str(other_user_id),
'user_permissions': {
'network': {
'admin': False,
'list': True,
'read': True,
'write': False
}
},
'username': self.other_user.username
}
}, {
'errors': [{
'field':
'_',
'messages':
['Only superadmins can '
'grant admin rights']
}],
'success':
False,
'user': {
'id': str(another_user_id),
'user_permissions': {
'network': {
'admin': False,
'list': True,
'read': True,
'write': False
}
},
'username': self.another_user.username
}
}]
})])
elif self.test_type == "superadmin":
# if it's superadmin test it should be possible
expected = OrderedDict([('grant_users_permissions', {
'results': [{
'errors': None,
'success': True,
'user': {
'id': str(other_user_id),
'user_permissions': {
'network': {
'admin': True,
'list': True,
'read': True,
'write': False
}
},
'username': self.other_user.username
}
}, {
'errors': None,
'success': True,
'user': {
'id': str(another_user_id),
'user_permissions': {
'network': {
'admin': True,
'list': True,
'read': True,
'write': False
}
},
'username': self.another_user.username
}
}]
})])
self.assert_correct(result, expected)