def test_invenio_access_permission_cache_redis(app):
"""Caching the user using redis."""
cache = RedisCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
user_can_all = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_open)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.flush()
identity_open = FakeIdentity(UserNeed(user_can_open.id))
permission_open = DynamicPermission(ActionNeed('open'))
assert not permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (set(
[Need(method='id', value=1)]), set([]))
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (set(
[Need(method='id', value=1),
Need(method='id', value=2)]), set([]))
def test_dynamic_permission_needs_cache_invalidation(app):
"""Testing DynamicPermission refreshes needs.
This is important when protecting a view with
@permission.require(http_exception=403)
If cache does not get invalidated, the needs will only be refreshed when
the Python process restarts.
"""
cache = SimpleCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
user_can_all = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_open)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.needs == set([Need(method='id', value=1)])
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.flush()
assert permission_open.needs == set(
[Need(method='id', value=1), Need(method='id', value=2)]
)
def identity_simple(users):
"""Simple identity fixture."""
user = users[0]
i = Identity(user.id)
i.provides.add(UserNeed(user.id))
i.provides.add(Need(method='system_role', value='any_user'))
i.provides.add(Need(method='system_role', value='authenticated_user'))
return i
def test_filter(self, project, identity, app):
identity.provides.add(Need("view:topic", "*"))
identity.provides.add(Need("view:design", "*"))
path = project.run_dir("models", "model-carbon-intensity",
"carbon.topic.m5oc")
m5o_file = M5ocFile.load(path)
topic_filter = TopicFilter()
with app.app_context():
scoped = list(topic_filter.filter("view:topic",
[m5o_file.content]))
assert len(scoped[0]["designs"]) == 1
def test_invenio_access_permission_cache(app):
"""Caching the user using memory caching."""
cache = SimpleCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
user_can_all = User(email='*****@*****.**')
user_can_open = User(email='*****@*****.**')
user_can_open_1 = User(email='*****@*****.**')
db.session.add(user_can_all)
db.session.add(user_can_open)
db.session.add(user_can_open_1)
db.session.add(ActionUsers(action='open', user=user_can_all))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
identity_open = FakeIdentity(UserNeed(user_can_open.id))
assert not permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1)]),
set([])
)
db.session.add(ActionUsers(action='open', user=user_can_open))
db.session.flush()
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_open)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
db.session.add(ActionUsers(action='open', argument=1,
user=user_can_open_1))
db.session.flush()
identity_open_1 = FakeIdentity(UserNeed(user_can_open_1.id))
permission_open_1 = DynamicPermission(
ParameterizedActionNeed('open', '1'))
assert not permission_open.allows(identity_open_1)
assert permission_open_1.allows(identity_open_1)
assert current_access.get_action_cache('open::1') == (
set([Need(method='id', value=1),
Need(method='id', value=2),
Need(method='id', value=3)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
def generate_principal_identity(user: "******"):
user_id = user.id
identity = Identity(user_id)
identity.provides.add(UserNeed(user_id))
# Assuming the User model has a list of roles, update the
# identity with the roles that the user provides
for role in user.roles:
identity.provides.add(RoleNeed(role.name))
# gets entity permissions granted to user or user's roles and add valid permissions
entity_permissions = get_user_entity_permissions(user_id)
for entity in entity_permissions:
for permission in [
Need(entity.entity_name, perm)
for perm in ["create", "edit"]
if getattr(entity, perm)
]:
identity.provides.add(permission)
identity.provides.add(OrganizationNeed(user.affiliation.organization.name))
return identity
def has_permission(entity: str,
permissions: List[Literal["create", "edit"]] = ["create"]):
"""checks if user has required permissions for this entity"""
permissions = [Permission(Need(entity, perm)) for perm in permissions]
def wrapper(fn: Callable):
@wraps(fn)
def wrapped(*args, **kwargs):
identity: Identity = g.identity
if False in [identity.can(perm) for perm in permissions]:
raise InvalidUsage.user_not_authorized()
return fn(*args, **kwargs)
return wrapped
return wrapper
def _identity_loaded_hook(sender, identity):
"""
Meltano uses a resource permission scheme.
This hook will add the specific Permission
to the current identity.
"""
# something weird is going on here when testing
# SQLAlchemy complains about the roles not being
# in a session.
for role in current_user.roles:
db.session.add(role)
# each permission is a Need(permission_type, context),
# i.e. ("view", "finance.*", "design")
for perm in (perm for role in current_user.roles
for perm in role.permissions):
perm = Need(perm.type, perm.context)
identity.provides.add(perm)
def require(name):
permission = Permission(Need("permission", name))
return permission.require(403)
def test_invenio_access_permission_cache_roles_updates(app):
"""Testing ActionRoles cache with inserts/updates/deletes."""
# This test case is doing the same of user test case but using roles.
cache = SimpleCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
# Creation of some data to test.
role_1 = Role(name='role_1')
role_2 = Role(name='role_2')
role_3 = Role(name='role_3')
role_4 = Role(name='role_4')
role_5 = Role(name='role_5')
role_6 = Role(name='role_6')
db.session.add(role_1)
db.session.add(role_2)
db.session.add(role_3)
db.session.add(role_4)
db.session.add(role_5)
db.session.add(role_6)
db.session.add(ActionRoles(action='open', role=role_1))
db.session.add(ActionRoles(action='write', role=role_4))
db.session.flush()
# Creation of identities to test.
identity_fake_role_1 = FakeIdentity(RoleNeed(role_1.name))
identity_fake_role_2 = FakeIdentity(RoleNeed(role_2.name))
identity_fake_role_3 = FakeIdentity(RoleNeed(role_3.name))
identity_fake_role_4 = FakeIdentity(RoleNeed(role_4.name))
identity_fake_role_5 = FakeIdentity(RoleNeed(role_5.name))
identity_fake_role_6 = FakeIdentity(RoleNeed(role_6.name))
# Test if role 1 can open. In this case, the cache should store only
# this object.
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_fake_role_1)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name)]),
set([])
)
# Test if role 4 can write. In this case, the cache should have this
# new object and the previous one (Open is allowed to role_1)
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_4)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name)]),
set([])
)
# If we add a new role to the action open, the open action in cache
# should be removed but it should still containing the write entry.
db.session.add(ActionRoles(action='open', role=role_2))
db.session.flush()
assert current_access.get_action_cache('open') is None
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_fake_role_2)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
# Test if the new role is added to the action 'open'
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_4)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
# If we update an action swapping a role, the cache containing the
# action, should be removed.
role_4_action_write = ActionRoles.query.filter(
ActionRoles.action == 'write' and
ActionRoles.role == role_4).first()
role_4_action_write.role = role_3
db.session.flush()
assert current_access.get_action_cache('write') is None
assert current_access.get_action_cache('open') is not None
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
# Test if the role_3 can write now.
permission_write = DynamicPermission(ActionNeed('write'))
assert not permission_write.allows(identity_fake_role_4)
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_3)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_3.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
# If we remove a role from an action, the cache should clear the
# action item.
role_3_action_write = ActionRoles.query.filter(
ActionRoles.action == 'write' and
ActionRoles.role == role_3).first()
db.session.delete(role_3_action_write)
db.session.flush()
assert current_access.get_action_cache('write') is None
# If no one is allowed to perform an action then everybody is allowed.
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_3)
assert current_access.get_action_cache('write') == (
set([]),
set([])
)
db.session.add(ActionRoles(action='write', role=role_5))
db.session.flush()
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_5)
permission_write = DynamicPermission(ActionNeed('write'))
assert not permission_write.allows(identity_fake_role_3)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_5.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
# If you update the name of an existing action, the previous action
# and the new action should be remove from cache.
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_5)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_5.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
role_5_action_write = ActionRoles.query.filter(
ActionRoles.action == 'write' and
ActionRoles.role == role_5).first()
role_5_action_write.action = 'open'
db.session.flush()
assert current_access.get_action_cache('write') is None
assert current_access.get_action_cache('open') is None
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_fake_role_1)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name)]),
set([])
)
db.session.add(ActionRoles(action='write', role=role_4))
permission_write = DynamicPermission(ActionNeed('write'))
assert not permission_write.allows(identity_fake_role_5)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
db.session.add(ActionRoles(action='open', argument='1', role=role_6))
db.session.flush()
permission_open_1 = DynamicPermission(
ParameterizedActionNeed('open', '1'))
assert not permission_open.allows(identity_fake_role_6)
assert permission_open_1.allows(identity_fake_role_6)
assert current_access.get_action_cache('open::1') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name),
Need(method='role', value=role_6.name)]),
set([])
)
user_6_action_open_1 = ActionRoles.query.filter_by(
action='open', argument='1', role_id=role_6.id).first()
user_6_action_open_1.argument = '2'
db.session.flush()
assert current_access.get_action_cache('open::1') is None
assert current_access.get_action_cache('open::2') is None
permission_open_2 = DynamicPermission(
ParameterizedActionNeed('open', '2'))
assert permission_open_2.allows(identity_fake_role_6)
assert current_access.get_action_cache('open::2') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name),
Need(method='role', value=role_6.name)]),
set([])
)
# open action cache should remain as before
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name)]),
set([])
)
def test_invenio_access_permission_cache_users_updates(app):
"""Testing ActionUsers cache with inserts/updates/deletes."""
cache = SimpleCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
# Creation of some data to test.
user_1 = User(email='*****@*****.**')
user_2 = User(email='*****@*****.**')
user_3 = User(email='*****@*****.**')
user_4 = User(email='*****@*****.**')
user_5 = User(email='*****@*****.**')
user_6 = User(email='*****@*****.**')
db.session.add(user_1)
db.session.add(user_2)
db.session.add(user_3)
db.session.add(user_4)
db.session.add(user_5)
db.session.add(user_6)
db.session.add(ActionUsers(action='open', user=user_1))
db.session.add(ActionUsers(action='write', user=user_4))
db.session.flush()
# Creation identities to test.
identity_user_1 = FakeIdentity(UserNeed(user_1.id))
identity_user_2 = FakeIdentity(UserNeed(user_2.id))
identity_user_3 = FakeIdentity(UserNeed(user_3.id))
identity_user_4 = FakeIdentity(UserNeed(user_4.id))
identity_user_5 = FakeIdentity(UserNeed(user_5.id))
identity_user_6 = FakeIdentity(UserNeed(user_6.id))
# Test if user 1 can open. In this case, the cache should store only
# this object.
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_user_1)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1)]),
set([])
)
# Test if user 4 can write. In this case, the cache should have this
# new object and the previous one (Open is allowed to user_1)
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_user_4)
assert current_access.get_action_cache('write') == (
set([Need(method='id', value=4)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1)]),
set([])
)
# If we add a new user to the action open, the open action in cache
# should be removed but it should still containing the write entry.
db.session.add(ActionUsers(action='open', user=user_2))
db.session.flush()
assert current_access.get_action_cache('open') is None
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_user_2)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
assert current_access.get_action_cache('write') == (
set([Need(method='id', value=4)]),
set([])
)
# Test if the new user is added to the action 'open'
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_user_4)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
assert current_access.get_action_cache('write') == (
set([Need(method='id', value=4)]),
set([])
)
# If we update an action swapping a user, the cache containing the
# action, should be removed.
user_4_action_write = ActionUsers.query.filter(
ActionUsers.action == 'write' and
ActionUsers.user == user_4).first()
user_4_action_write.user = user_3
db.session.flush()
assert current_access.get_action_cache('write') is None
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
# Test if the user_3 can now write.
permission_write = DynamicPermission(ActionNeed('write'))
assert not permission_write.allows(identity_user_4)
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_user_3)
assert current_access.get_action_cache('write') == (
set([Need(method='id', value=3)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
# If we remove a user from an action, the cache should clear the
# action item.
user_3_action_write = ActionUsers.query.filter(
ActionUsers.action == 'write' and
ActionUsers.user == user_3).first()
db.session.delete(user_3_action_write)
db.session.flush()
assert current_access.get_action_cache('write') is None
# If no one is allowed to perform an action then everybody is allowed.
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_user_3)
assert current_access.get_action_cache('write') == (
set([]),
set([])
)
db.session.add(ActionUsers(action='write', user=user_5))
db.session.flush()
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_user_5)
permission_write = DynamicPermission(ActionNeed('write'))
assert not permission_write.allows(identity_user_3)
assert current_access.get_action_cache('write') == (
set([Need(method='id', value=5)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
# If you update the name of an existing action, the previous action
# and the new action should be remove from cache.
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_user_5)
assert current_access.get_action_cache('write') == (
set([Need(method='id', value=5)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2)]),
set([])
)
user_5_action_write = ActionUsers.query.filter(
ActionUsers.action == 'write' and
ActionUsers.user == user_5).first()
user_5_action_write.action = 'open'
db.session.flush()
assert current_access.get_action_cache('write') is None
assert current_access.get_action_cache('open') is None
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_user_1)
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2),
Need(method='id', value=5)]),
set([])
)
db.session.add(ActionUsers(action='write', user=user_4))
permission_write = DynamicPermission(ActionNeed('write'))
assert not permission_write.allows(identity_user_5)
assert current_access.get_action_cache('write') == (
set([Need(method='id', value=4)]),
set([])
)
db.session.add(ActionUsers(action='open', argument='1', user=user_6))
db.session.flush()
permission_open_1 = DynamicPermission(
ParameterizedActionNeed('open', '1'))
assert not permission_open.allows(identity_user_6)
assert permission_open_1.allows(identity_user_6)
assert current_access.get_action_cache('open::1') == (
set([Need(method='id', value=1),
Need(method='id', value=2),
Need(method='id', value=5),
Need(method='id', value=6)]),
set([])
)
user_6_action_open_1 = ActionUsers.query.filter_by(
action='open', argument='1', user_id=user_6.id).first()
user_6_action_open_1.argument = '2'
db.session.flush()
assert current_access.get_action_cache('open::1') is None
assert current_access.get_action_cache('open::2') is None
permission_open_2 = DynamicPermission(
ParameterizedActionNeed('open', '2'))
assert permission_open_2.allows(identity_user_6)
assert current_access.get_action_cache('open::2') == (
set([Need(method='id', value=1),
Need(method='id', value=2),
Need(method='id', value=5),
Need(method='id', value=6)]),
set([])
)
# open action cache should remain as before
assert current_access.get_action_cache('open') == (
set([Need(method='id', value=1),
Need(method='id', value=2),
Need(method='id', value=5)]),
set([])
)
def permission_for(permission_type, context):
return ResourcePermission(Need(permission_type, context))
from flask_principal import Permission, Need
from invenio_access.permissions import DynamicPermission
AllowAllPermission = type('Allow', (), {
'can': lambda self: True,
'allows': lambda *args: True,
})()
"""Permission that always allow an access."""
DenyAllPermission = type('Deny', (), {
'can': lambda self: False,
'allows': lambda *args: False,
})()
"""Permission that always deny an access."""
AuthenticatedNeed = Need('authenticated', True)
"""Need provided by any authenticated user."""
class StrictDynamicPermission(DynamicPermission):
"""Stricter DynamicPermission.
It adds the given needs to the returned needs instead of using only
those found in the database.
This has two effects:
- Identities can also provide aneed without using the database.
- The permission is not given even if there are no needs in the
database. Thus the action is not allowed by default.
"""
def __init__(self, *needs):
self.explicit_excludes = set()
def design_need(self, permission_type, design_name):
return Need(permission_type, design_name)
def design_need(self, permission_type, report):
return Need("view:design", report["design"])
def name_need(self, permission_type, resource):
return Need(permission_type, resource["name"])
def test_allows_reject(self, identity):
item_need = Need("view:design", "finance")
assert not ResourcePermission(item_need).allows(identity)
def test_allows(self, identity):
resource_need = Need("view:design", "*")
identity.provides.add(resource_need)
item_need = Need("view:design", "finance")
assert ResourcePermission(item_need).allows(identity)
def can(self, name):
if pm(Need("permission", name)).can():
return True
return False
def identity_simple():
"""Simple identity fixture."""
i = Identity(1)
i.provides.add(UserNeed(1))
i.provides.add(Need(method="system_role", value="any_user"))
return i
BOARD_ALL_PERMS = [
LISTAR_CONTENIDO, ACTUALIZAR_CONTENIDO, PONER_CONTENIDO,
ELIMINAR_CONTENIDO, ENVIAR_CONTENIDO
]
BOARD_PERMS_DESCRIPTIONS = {
LISTAR_CONTENIDO: "Listar articulos en el board",
ACTUALIZAR_CONTENIDO: "Editar articulos en el board",
PONER_CONTENIDO: "Mover articulos a este board",
ENVIAR_CONTENIDO: "Mover/sacar articulos desde este board a otro",
ELIMINAR_CONTENIDO: "Eliminar articulo en el board"
}
# Needs y Permission generales a todos los boards
ActualizarArticulosNeed = Need(ACTUALIZAR_CONTENIDO, 'board')
ListarArticulosNeed = Need(LISTAR_CONTENIDO, 'board')
PonerArticulosNeed = Need(PONER_CONTENIDO, 'board')
EnviarAritulosNeed = Need(ENVIAR_CONTENIDO, 'board')
# Permisos concretos
class ActualizarArticulosPermission(Permission):
"""Permiso para editar un articulo en un Board"""
def __init__(self, board_name):
need = ItemNeed(ACTUALIZAR_CONTENIDO, board_name, 'board')
super().__init__(need, AdminRolNeed, ActualizarArticulosNeed)
class ListarArticulosPermission(Permission):
"""Permiso de ver los articulos en un board"""
