def test_can_list_all_permissions(): role_one = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING) role_two = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_REPORTS) port_role = PortfolioRoleFactory.create( permission_sets=[role_one, role_two]) expected_perms = role_one.permissions + role_two.permissions assert expected_perms == expected_perms
def test_has_application_permission(): role_one = PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM) role_two = PermissionSets.get(PermissionSets.EDIT_APPLICATION_ENVIRONMENTS) app_role = ApplicationRoleFactory.create( permission_sets=[role_one, role_two]) different_user = UserFactory.create() assert Authorization.has_application_permission( app_role.user, app_role.application, Permissions.EDIT_ENVIRONMENT) assert not Authorization.has_portfolio_permission( app_role.user, app_role.application, Permissions.DELETE_ENVIRONMENT) assert not Authorization.has_portfolio_permission( different_user, app_role.application, Permissions.DELETE_ENVIRONMENT)
def test_has_portfolio_permission(): role_one = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING) role_two = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_REPORTS) port_role = PortfolioRoleFactory.create( permission_sets=[role_one, role_two]) different_user = UserFactory.create() assert Authorization.has_portfolio_permission( port_role.user, port_role.portfolio, Permissions.VIEW_PORTFOLIO_REPORTS) assert not Authorization.has_portfolio_permission( port_role.user, port_role.portfolio, Permissions.CREATE_TASK_ORDER) assert not Authorization.has_portfolio_permission( different_user, port_role.portfolio, Permissions.VIEW_PORTFOLIO_REPORTS)
def test_has_permission_set(): perm_sets = PermissionSets.get_many( [PermissionSets.VIEW_PORTFOLIO_FUNDING, PermissionSets.VIEW_PORTFOLIO_REPORTS] ) port_role = PortfolioRoleFactory.create(permission_sets=perm_sets) assert port_role.has_permission_set(PermissionSets.VIEW_PORTFOLIO_REPORTS)
def test_remove_portfolio_member_ppoc(client, user_session): portfolio = PortfolioFactory.create() user = UserFactory.create() PortfolioRoleFactory.create( portfolio=portfolio, user=user, permission_sets=[ PermissionSets.get(PermissionSets.EDIT_PORTFOLIO_ADMIN) ], ) ppoc_port_role = PortfolioRoles.get(portfolio_id=portfolio.id, user_id=portfolio.owner.id) user_session(user) response = client.post( url_for( "portfolios.remove_member", portfolio_id=portfolio.id, portfolio_role_id=ppoc_port_role.id, ), follow_redirects=False, ) assert response.status_code == 404 assert (PortfolioRoles.get( portfolio_id=portfolio.id, user_id=portfolio.owner.id).status == PortfolioRoleStatus.ACTIVE)
def test_rerender_admin_page_if_member_perms_form_does_not_validate( client, user_session, monkeypatch): portfolio = PortfolioFactory.create() user = UserFactory.create() role = PortfolioRoleFactory.create( user=user, portfolio=portfolio, permission_sets=[ PermissionSets.get(PermissionSets.EDIT_PORTFOLIO_ADMIN) ], ) user_session(user) form_data = { "members_permissions-0-member_id": role.id, "members_permissions-0-perms_app_mgmt": "bad input", "members_permissions-0-perms_funding": "view_portfolio_funding", "members_permissions-0-perms_reporting": "view_portfolio_reports", "members_permissions-0-perms_portfolio_mgmt": "view_portfolio_admin", } mock_route = MagicMock(return_value=("", 200, {})) monkeypatch.setattr("atst.routes.portfolios.admin.render_admin_page", mock_route) client.post(url_for("portfolios.edit_members", portfolio_id=portfolio.id), data=form_data) mock_route.assert_called()
def test_applications_delete_access(post_url_assert_status, monkeypatch): ccpo = UserFactory.create_ccpo() owner = user_with() app_admin = user_with() rando = user_with() portfolio = PortfolioFactory.create( owner=owner, applications=[{"name": "mos eisley"}] ) application = portfolio.applications[0] ApplicationRoleFactory.create( user=app_admin, application=application, permission_sets=PermissionSets.get_many( [ PermissionSets.VIEW_APPLICATION, PermissionSets.EDIT_APPLICATION_ENVIRONMENTS, PermissionSets.EDIT_APPLICATION_TEAM, PermissionSets.DELETE_APPLICATION_ENVIRONMENTS, ] ), ) monkeypatch.setattr("atst.domain.applications.Applications.delete", lambda *a: True) url = url_for("applications.delete", application_id=application.id) post_url_assert_status(app_admin, url, 404) post_url_assert_status(rando, url, 404) post_url_assert_status(owner, url, 302) post_url_assert_status(ccpo, url, 302)
def test_has_application_role_history(session): owner = UserFactory.create() user = UserFactory.create() PortfolioFactory.create( owner=owner, applications=[{ "name": "starkiller", "environments": [{ "name": "bridge", "members": [{ "user": user, "role_name": "developer" }], }], }], ) app_role = user.application_roles[0] app_role.permission_sets = [ PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM) ] session.add(app_role) session.commit() changed_event = (session.query(AuditEvent).filter( AuditEvent.resource_id == app_role.id, AuditEvent.action == "update").one()) old_state, new_state = changed_event.changed_state["permission_sets"] assert old_state == [PermissionSets.VIEW_APPLICATION] assert new_state == [PermissionSets.EDIT_APPLICATION_TEAM]
def test_does_not_have_permission_set(): perm_sets = PermissionSets.get_many([ PermissionSets.VIEW_PORTFOLIO_FUNDING, PermissionSets.VIEW_PORTFOLIO_REPORTS ]) port_role = PortfolioRoleFactory.create(permission_sets=perm_sets) assert not port_role.has_permission_set( PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT)
def test_get_many(): perms_sets = PermissionSets.get_many([ PermissionSets.VIEW_PORTFOLIO_FUNDING, PermissionSets.EDIT_PORTFOLIO_FUNDING ]) assert len(perms_sets) == 2 assert first_or_none( lambda p: p.name == PermissionSets.VIEW_PORTFOLIO_FUNDING, perms_sets) assert first_or_none( lambda p: p.name == PermissionSets.EDIT_PORTFOLIO_FUNDING, perms_sets)
def create(cls, user, portfolio_attrs): portfolio = PortfoliosQuery.create(**portfolio_attrs) perms_sets = PermissionSets.get_many( PortfolioRoles.PORTFOLIO_PERMISSION_SETS) Portfolios._create_portfolio_role( user, portfolio, status=PortfolioRoleStatus.ACTIVE, permission_sets=perms_sets, ) PortfoliosQuery.add_and_commit(portfolio) return portfolio
def test_no_update_member_permissions_without_edit_access( client, user_session): portfolio = PortfolioFactory.create() rando = UserFactory.create() rando_pf_role = PortfolioRoleFactory.create( user=rando, portfolio=portfolio, permission_sets=[ PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN) ], ) user = UserFactory.create() PortfolioRoleFactory.create( user=user, portfolio=portfolio, permission_sets=[ PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN) ], ) user_session(user) form_data = { "members_permissions-0-member_id": rando_pf_role.id, "members_permissions-0-perms_app_mgmt": "edit_portfolio_application_management", "members_permissions-0-perms_funding": "view_portfolio_funding", "members_permissions-0-perms_reporting": "view_portfolio_reports", "members_permissions-0-perms_portfolio_mgmt": "view_portfolio_admin", } response = client.post( url_for("portfolios.edit_members", portfolio_id=portfolio.id), data=form_data, follow_redirects=True, ) assert response.status_code == 404 assert not rando_pf_role.has_permission_set( PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT)
def test_portfolio_admin_screen_when_not_ppoc(client, user_session): portfolio = PortfolioFactory.create() user = UserFactory.create() permission_sets = PermissionSets.get_many( [PermissionSets.EDIT_PORTFOLIO_ADMIN, PermissionSets.VIEW_PORTFOLIO_ADMIN] ) PortfolioRoleFactory.create( portfolio=portfolio, user=user, permission_sets=permission_sets ) user_session(user) response = client.get(url_for("portfolios.admin", portfolio_id=portfolio.id)) assert response.status_code == 200 assert portfolio.name in response.data.decode() assert translate("fragments.ppoc.update_btn").encode("utf8") not in response.data
def test_create_application_role(): application = ApplicationFactory.create() user = UserFactory.create() application_role = ApplicationRoles.create( application=application, user=user, permission_set_names=[PermissionSets.EDIT_APPLICATION_TEAM], ) assert application_role.permission_sets == PermissionSets.get_many([ PermissionSets.EDIT_APPLICATION_TEAM, PermissionSets.VIEW_APPLICATION ]) assert application_role.application == application assert application_role.user == user
def test_successful_login_redirect_ccpo(client, monkeypatch): monkeypatch.setattr( "atst.domain.authnid.AuthenticationContext.authenticate", lambda *args: True ) role = PermissionSets.get(PermissionSets.VIEW_AUDIT_LOG) monkeypatch.setattr( "atst.domain.authnid.AuthenticationContext.get_user", lambda *args: UserFactory.create(), ) resp = _login(client) assert resp.status_code == 302 assert "home" in resp.headers["Location"] assert session["user_id"]
def _create(cls, model_class, *args, **kwargs): with_applications = kwargs.pop("applications", []) owner = kwargs.pop("owner", UserFactory.create()) members = kwargs.pop("members", []) with_task_orders = kwargs.pop("task_orders", []) portfolio = super()._create(model_class, *args, **kwargs) applications = [ ApplicationFactory.create(portfolio=portfolio, **p) for p in with_applications ] task_orders = [ TaskOrderFactory.create(portfolio=portfolio, **to) for to in with_task_orders ] PortfolioRoleFactory.create( portfolio=portfolio, user=owner, status=PortfolioRoleStatus.ACTIVE, permission_sets=get_all_portfolio_permission_sets(), ) for member in members: user = member.get("user", UserFactory.create()) role_name = member["role_name"] perms_set = None if member.get("permissions_sets"): perms_set = [ PermissionSets.get(perm_set) for perm_set in member.get("permission_sets") ] else: perms_set = [] PortfolioRoleFactory.create( portfolio=portfolio, user=user, status=PortfolioRoleStatus.ACTIVE, permission_sets=perms_set, ) portfolio.applications = applications portfolio.task_orders = task_orders return portfolio
def test_scoped_portfolio_for_admin_missing_view_apps_perms( portfolio_owner, portfolio): Applications.create( portfolio.owner, portfolio, "My Application 2", "My application 2", ["dev", "staging", "prod"], ) restricted_admin = UserFactory.create() PortfolioRoleFactory.create( portfolio=portfolio, user=restricted_admin, permission_sets=[PermissionSets.get(PermissionSets.VIEW_PORTFOLIO)], ) scoped_portfolio = Portfolios.get(restricted_admin, portfolio.id) assert scoped_portfolio.id == portfolio.id assert len(portfolio.applications) == 1 assert len(scoped_portfolio.applications) == 0
def test_member_table_access(client, user_session): admin = UserFactory.create() portfolio = PortfolioFactory.create(owner=admin) rando = UserFactory.create() PortfolioRoleFactory.create( user=rando, portfolio=portfolio, permission_sets=[PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN)], ) url = url_for("portfolios.admin", portfolio_id=portfolio.id) # editable user_session(admin) edit_resp = client.get(url) assert "<select" in edit_resp.data.decode() # not editable user_session(rando) view_resp = client.get(url) assert "<select" not in view_resp.data.decode()
def test_user_can_view(set_g): owner = UserFactory.create() app_user = UserFactory.create() rando = UserFactory.create() portfolio = PortfolioFactory.create(owner=owner) application = ApplicationFactory.create(portfolio=portfolio) ApplicationRoleFactory.create( user=app_user, application=application, permission_sets=PermissionSets.get_many([PermissionSets.VIEW_APPLICATION]), ) set_g("portfolio", portfolio) set_g("application", application) set_g("current_user", owner) assert user_can_view(Permissions.VIEW_APPLICATION) set_g("current_user", app_user) assert user_can_view(Permissions.VIEW_APPLICATION) set_g("current_user", rando) assert not user_can_view(Permissions.VIEW_APPLICATION)
def user_with(*perm_sets_names): return UserFactory.create(permission_sets=PermissionSets.get_many(perm_sets_names))
def test_update_member(client, user_session, session): role = PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM) # create an app role with only edit team perms app_role = ApplicationRoleFactory.create(permission_sets=[role]) application = app_role.application env = EnvironmentFactory.create(application=application) env_1 = EnvironmentFactory.create(application=application) env_2 = EnvironmentFactory.create(application=application) # add user to two of the environments: env and env_1 EnvironmentRoleFactory.create(environment=env, application_role=app_role, role=CSPRole.BASIC_ACCESS.value) EnvironmentRoleFactory.create(environment=env_1, application_role=app_role, role=CSPRole.BASIC_ACCESS.value) user_session(application.portfolio.owner) # update the user's app permissions to have edit team and env perms # update user's role in env, remove user from env_1, and add user to env_2 response = client.post( url_for( "applications.update_member", application_id=application.id, application_role_id=app_role.id, ), data={ "environment_roles-0-environment_id": env.id, "environment_roles-0-role": CSPRole.TECHNICAL_READ.value, "environment_roles-0-environment_name": env.name, "environment_roles-1-environment_id": env_1.id, "environment_roles-1-role": NO_ACCESS, "environment_roles-1-environment_name": env_1.name, "environment_roles-2-environment_id": env_2.id, "environment_roles-2-role": CSPRole.NETWORK_ADMIN.value, "environment_roles-2-environment_name": env_2.name, "perms_env_mgmt": True, "perms_team_mgmt": True, "perms_del_env": True, }, ) assert response.status_code == 302 expected_url = url_for( "applications.settings", application_id=application.id, fragment="application-members", _anchor="application-members", _external=True, ) assert response.location == expected_url # make sure new application role was not created assert len(application.roles) == 1 # check that new app perms were added assert bool( app_role.has_permission_set(PermissionSets.EDIT_APPLICATION_TEAM)) assert bool( app_role.has_permission_set( PermissionSets.EDIT_APPLICATION_ENVIRONMENTS)) assert bool( app_role.has_permission_set( PermissionSets.DELETE_APPLICATION_ENVIRONMENTS)) environment_roles = application.roles[0].environment_roles # make sure that old env role was deleted and there are only 2 env roles assert len(environment_roles) == 2 # check that the user has roles in the correct envs assert environment_roles[0].environment in [env, env_2] assert environment_roles[1].environment in [env, env_2]
def test_get_all(): roles = PermissionSets.get_all() assert roles
def test_get_many_nonexistent(): with pytest.raises(NotFoundError): PermissionSets.get_many(["nonexistent", "not real"])
def test_get_nonexistent_permission_set(): with pytest.raises(NotFoundError): PermissionSets.get("nonexistent")
def test_get_existing_permission_set(): role = PermissionSets.get("portfolio_poc") assert role.name == "portfolio_poc"
def create_ccpo(cls, **kwargs): return cls.create(permission_sets=PermissionSets.get_all(), **kwargs)
def get_all_portfolio_permission_sets(): return PermissionSets.get_many(PortfolioRoles.PORTFOLIO_PERMISSION_SETS)
def base_application_permission_sets(): return [PermissionSets.get(PermissionSets.VIEW_APPLICATION)]
def base_portfolio_permission_sets(): return [ PermissionSets.get(prms) for prms in PortfolioRoles.DEFAULT_PORTFOLIO_PERMISSION_SETS ]