class CycleRBACFactory(base.BaseRBACFactory): """Cycle RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Cycle permission tests. Args: user_id: Id of user under which all operations will be run. object_acl: Dict with format: { acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.api = Api() if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new cycle for Workflow.""" return self.generate_cycle(self.workflow_id, self.api) def update(self): """Update existing cycle.""" cycle = all_models.Cycle.query.first() return self.api.put(cycle, {"title": factories.random_str()}) def delete(self): """Delete existing cycle.""" cycle = all_models.Cycle.query.first() return self.api.delete(cycle) def activate(self): """Activate Workflow.""" workflow = all_models.Workflow.query.get(self.workflow_id) cycle = wf_factories.CycleFactory(workflow=workflow) return self.api.put(workflow, { "status": "Active", "recurrences": bool(workflow.repeat_every and workflow.unit), "cycles": [{ "id": cycle.id, "type": "Cycle", }] }) def read(self): """Read existing Cycle object.""" cycle = all_models.Cycle.query.first() return self.api.get(cycle, cycle.id) def end(self): """End existing Cycle.""" cycle = all_models.Cycle.query.first() return self.api.put(cycle, {"is_current": False})
class CycleTaskEntryRBACFactory(base.BaseRBACFactory): """Cycle Task Entry RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Cycle Task Entry permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.api = Api() self.create() if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Cycle Task Entry object.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() return self.api.post(all_models.CycleTaskEntry, { "cycle_task_entry": { "description": "New Comment", "is_declining_review": "", "context": None, "cycle_task_group_object_task": { "id": cycle_task.id, "type": "CycleTaskGroupObjectTask", }, "cycle": { "id": cycle_task.cycle.id, "type": "Cycle", }, } }) def read(self): """Read existing Cycle Task Entry object.""" cycle_task_entry = all_models.CycleTaskEntry.query.first() return self.api.get(cycle_task_entry, cycle_task_entry.id) def update(self): """Update title of existing Cycle Task Entry object.""" cycle_task_entry = all_models.CycleTaskEntry.query.first() return self.api.put( cycle_task_entry, {"description": factories.random_str()} ) def delete(self): """Delete Cycle Task Entry object.""" cycle_task_entry = all_models.CycleTaskEntry.query.first() return self.api.delete(cycle_task_entry)
class CycleRBACFactory(base.BaseRBACFactory): """Cycle RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Cycle permission tests. Args: user_id: Id of user under which all operations will be run. object_acl: Dict with format: { acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.api = Api() if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new cycle for Workflow.""" return self.generate_cycle(self.workflow_id, self.api) def update(self): """Update existing cycle.""" cycle = all_models.Cycle.query.first() return self.api.put(cycle, {"title": factories.random_str()}) def delete(self): """Delete existing cycle.""" cycle = all_models.Cycle.query.first() return self.api.delete(cycle) def activate(self): """Activate Workflow.""" workflow = all_models.Workflow.query.get(self.workflow_id) cycle = wf_factories.CycleFactory(workflow=workflow) return self.api.put( workflow, { "status": "Active", "recurrences": bool(workflow.repeat_every and workflow.unit), "cycles": [{ "id": cycle.id, "type": "Cycle", }] }) def read(self): """Read existing Cycle object.""" cycle = all_models.Cycle.query.first() return self.api.get(cycle, cycle.id) def end(self): """End existing Cycle.""" cycle = all_models.Cycle.query.first() return self.api.put(cycle, {"is_current": False})
class CycleTaskGroupRBACFactory(base.BaseRBACFactory): """Cycle Task Group RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Cycle Task Group permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.admin_control_id = { name: id_ for id_, name in access_control.role.get_custom_roles_for( "Control").items() }["Admin"] self.api = Api() if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def read(self): """Read existing Cycle Task Group object.""" cycle_tg = all_models.CycleTaskGroup.query.first() return self.api.get(all_models.CycleTaskGroup, cycle_tg.id) def update(self): """Update title of existing Cycle Task Group object.""" cycle_tg = all_models.CycleTaskGroup.query.first() return self.api.put(cycle_tg, {"title": factories.random_str()}) def delete(self): """Delete Cycle Task Group object.""" cycle_tg = all_models.CycleTaskGroup.query.first() return self.api.delete(cycle_tg)
class CycleTaskGroupRBACFactory(base.BaseRBACFactory): """Cycle Task Group RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Cycle Task Group permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.admin_control_id = { name: id_ for id_, name in access_control.role.get_custom_roles_for("Control").items() }["Admin"] self.api = Api() if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def read(self): """Read existing Cycle Task Group object.""" cycle_tg = all_models.CycleTaskGroup.query.first() return self.api.get(all_models.CycleTaskGroup, cycle_tg.id) def update(self): """Update title of existing Cycle Task Group object.""" cycle_tg = all_models.CycleTaskGroup.query.first() return self.api.put(cycle_tg, {"title": factories.random_str()}) def delete(self): """Delete Cycle Task Group object.""" cycle_tg = all_models.CycleTaskGroup.query.first() return self.api.delete(cycle_tg)
class TaskGroupTaskRBACFactory(base.BaseRBACFactory): """Task Group Task RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Task Group Task permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.api = Api() if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Task Group Task object.""" person = factories.PersonFactory() return self.api.post(all_models.TaskGroupTask, { "task_group_task": { "title": "New Task Group Task", "start_date": datetime.now().strftime("%Y-%m-%d"), "end_date": datetime.now().strftime("%Y-%m-%d"), "contact": person, "context": None, "task_group": { "id": self.task_group_id, "type": "Task Group", }, } }) def read(self): """Read existing Task Group Task object.""" return self.api.get(all_models.TaskGroupTask, self.task_id) def update(self): """Update title of existing Task Group Task object.""" task = all_models.TaskGroupTask.query.get(self.task_id) return self.api.put(task, {"title": factories.random_str()}) def delete(self): """Delete Task Group Task object.""" task = all_models.TaskGroupTask.query.get(self.task_id) return self.api.delete(task) def read_revisions(self): """Read revisions for Task Group Task object.""" responses = [] for query in ["source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}"]: responses.append( self.api.get_query( all_models.TaskGroupTask, query.format("task_group_task", self.task_id) ) ) return responses
class TaskGroupRBACFactory(base.BaseRBACFactory): """Task Group RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Task Group permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.admin_control_id = { name: id_ for id_, name in access_control.role.get_custom_roles_for("Control").items() }["Admin"] self.api = Api() if user_id: self.user_id = user_id user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Task Group object.""" person = factories.PersonFactory() return self.api.post(all_models.TaskGroup, { "task_group": { "contact": { "id": person.id, "type": "Person", }, "title": "New Task Group", "context": None, "workflow": { "id": self.workflow_id, "type": "Workflow", }, } }) def read(self): """Read existing Task Group object.""" return self.api.get(all_models.TaskGroup, self.task_group_id) def update(self): """Update title of existing Task Group object.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) return self.api.put(task_group, {"title": factories.random_str()}) def delete(self): """Delete Task Group object.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) return self.api.delete(task_group) def read_revisions(self): """Read revisions for Task Group object.""" responses = [] for query in ["source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}"]: responses.append( self.api.get_query( all_models.TaskGroup, query.format("task_group", self.task_group_id) ) ) return responses def map_control(self): """Map Control on which user don't have any rights to Cycle Task.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) control = factories.ControlFactory() return self.api.post(all_models.TaskGroupObject, { "task_group_object": { "context": None, "object": { "id": control.id, "type": "Control", }, "task_group": { "id": task_group.id, "type": "TaskGroup", }, } }) def map_created_control(self): """Map Control that was created by user to Cycle Task.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) with factories.single_commit(): control = factories.ControlFactory() factories.AccessControlListFactory( ac_role_id=self.admin_control_id, object_id=control.id, object_type="Control", person_id=self.user_id ) return self.api.post(all_models.TaskGroupObject, { "task_group_object": { "context": None, "object": { "id": control.id, "type": "Control", }, "task_group": { "id": task_group.id, "type": "TaskGroup", }, } }) def read_mapped_control(self): """Read Control object mapped to Task Group.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) with factories.single_commit(): control = factories.ControlFactory() wf_factories.TaskGroupObjectFactory( task_group=task_group, object=control ) return self.api.get(control, control.id) def upmap_control(self): """Unmap Control from Task Group.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) with factories.single_commit(): control = factories.ControlFactory() tg_obj = wf_factories.TaskGroupObjectFactory( task_group=task_group, object=control ) return self.api.delete(tg_obj) def clone(self): """Clone existing Task Group object.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) wf_factories.TaskGroupTaskFactory(task_group=task_group) return self.api.post(all_models.TaskGroup, { "task_group": { "clone": self.task_group_id, "clone_objects": True, "clone_people": True, "clone_tasks": True, "context": None, } })
class UniversalRBACFactory(base.BaseRBACFactory): """Universal RBAC factory class. Can be used in 'one rank' tests """ # pylint: disable=too-many-instance-attributes def __init__(self, user_id, acr, parent=None): """Set up objects for permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api self.acr = acr self.user_id = user_id self.parent_name = parent self.document_id = None self.parent = None self.parent_id = None self.setup_models(self.parent_name) self.set_user(user_id) def set_user(self, user_id): """Set user to send requests""" if self.user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def setup_models(self, parent_name): """Setup document, parent, relationship""" with factories.single_commit(): self.parent = get_model_factory(parent_name)() self.parent_id = self.parent.id self.parent_name = parent_name self.assign_person(self.parent, self.acr, self.user_id) def _setup_document(self): """Crate and map document""" with factories.single_commit(): document = factories.DocumentReferenceUrlFactory() parent = db.session.query(self.parent.__class__).get(self.parent_id) factories.RelationshipFactory(source=parent, destination=document) return document.id def _setup_comment(self): """Crate and map comment""" with factories.single_commit(): comment = factories.CommentFactory(description="Hey!") parent = db.session.query(self.parent.__class__).get(self.parent_id) factories.RelationshipFactory(source=parent, destination=comment) return comment.id def read_parent(self): """Can Read parent info.""" res = self.api.get(self.parent, self.parent_id) return res def create_and_map_document(self): """Create and map document object to parent.""" admin_acr_id = all_models.AccessControlRole.query.filter_by( name="Admin", object_type="Document", ).one().id _, document = self.objgen.generate_object( all_models.Document, { "link": factories.random_str(), "title": factories.random_str(), "context": None, "access_control_list": [ { "ac_role_id": admin_acr_id, "person": { "id": self.user_id, "type": "Person", } } ], } ) parent = db.session.query(self.parent.__class__).get(self.parent_id) return self.objgen.generate_relationship( source=document, destination=parent )[0] def read_document(self): """Read existing Document object.""" doc_id = self._setup_document() res = self.api.get(all_models.Document, doc_id) return res def update_document(self): """Update title of existing Document object.""" doc_id = self._setup_document() document = all_models.Document.query.get(doc_id) return self.api.put(document, {"title": factories.random_str()}) def delete_document(self): """Delete Document object.""" doc_id = self._setup_document() document = all_models.Document.query.get(doc_id) return self.api.delete(document) def create_and_map_comment(self): """Create new Comment object and map to parent.""" _, comment = self.objgen.generate_object( all_models.Comment, { "description": factories.random_str(), "context": None, } ) parent = db.session.query(self.parent.__class__).get(self.parent_id) return self.objgen.generate_relationship( source=parent, destination=comment )[0] def read_comment(self): """Read existing Comment object.""" comment_id = self._setup_comment() res = self.api.get(all_models.Comment, comment_id) return res def create_and_map_document_comment(self): """Map new comment to document.""" doc_id = self._setup_document() _, comment = self.objgen.generate_object( all_models.Comment, { "description": factories.random_str(), "context": None, } ) document = all_models.Document.query.get(doc_id) return self.objgen.generate_relationship( source=document, destination=comment )[0] def read_document_comment(self): """Read comments mapped to document""" doc_id = self._setup_document() document = all_models.Document.query.get(doc_id) with factories.single_commit(): comment = factories.CommentFactory(description=factories.random_str()) factories.RelationshipFactory(source=document, destination=comment) query_request_data = [ { "fields": [], "filters": { "expression": { "object_name": "Document", "op": { "name": "relevant" }, "ids": [document.id] } }, "object_name": "Comment", } ] response = self.api.send_request( self.api.client.post, data=query_request_data, api_link="/query" ) return response
class TestEvidenceRolePropagation(TestCase): """Evidence role propagation test case""" # pylint: disable=invalid-name def setUp(self): super(TestEvidenceRolePropagation, self).setUp() self.api = Api() self.generator = ObjectGenerator() # Propagation isn't work for 'Primary Contacts', 'Secondary Contacts' # just add them to data list to check if fix works. @ddt.data("Assignees", "Creators", "Verifiers") def test_assessment_role_propagation_edit(self, role_name): """Asses user with role '{0}' should be able to edit related evidence""" _, reader = self.generator.generate_person(user_role="Creator") with factories.single_commit(): assessment = factories.AssessmentFactory() assessment.add_person_with_role_name(reader, role_name) evidence = factories.EvidenceFactory() evidence_id = evidence.id factories.RelationshipFactory(source=assessment, destination=evidence) self.api.set_user(reader) evidence = all_models.Evidence.query.get(evidence_id) new_description = 'new description' resp = self.api.modify_object(evidence, {'description': new_description}) evidence = self.refresh_object(evidence) self.assert200(resp) self.assertEquals(new_description, evidence.description) self.assertEquals(reader.id, evidence.modified_by_id) @ddt.data( ("Creator", "Audit Captains", 200), ("Creator", "Auditors", 403), ("Reader", "Audit Captains", 200), ("Reader", "Auditors", 403), ("Editor", "Audit Captains", 200), ("Editor", "Auditors", 200), ) @ddt.unpack def test_audit_role_propagation_edit(self, user_role, audit_role, status_code): """'{0}' assigned as '{1}' should get '{2}' when editing audit evidence""" _, user = self.generator.generate_person(user_role=user_role) with factories.single_commit(): audit = factories.AuditFactory() audit.add_person_with_role_name(user, audit_role) evidence = factories.EvidenceFactory() evidence_id = evidence.id factories.RelationshipFactory(source=audit, destination=evidence) self.api.set_user(user) evidence = all_models.Evidence.query.get(evidence_id) new_description = 'new description' resp = self.api.modify_object(evidence, {'description': new_description}) evidence = self.refresh_object(evidence) if status_code == 200: self.assert200(resp) self.assertEquals(new_description, evidence.description) self.assertEquals(user.id, evidence.modified_by_id) else: self.assertStatus(resp, status_code) def test_audit_role_propagation_not_delete(self): """Audit user with role Auditors can NOT delete related evidence""" role_name = "Auditors" _, reader = self.generator.generate_person(user_role="Reader") with factories.single_commit(): audit = factories.AuditFactory() audit.add_person_with_role_name(reader, role_name) evidence = factories.EvidenceFactory() evidence_id = evidence.id factories.RelationshipFactory(source=audit, destination=evidence) self.api.set_user(reader) evidence = all_models.Evidence.query.get(evidence_id) resp = self.api.delete(evidence) self.assertStatus(resp, 403) evidence = all_models.Evidence.query.get(evidence_id) self.assertTrue(evidence)
class EvidenceRBACFactory(base.BaseRBACFactory): """Evidence RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Evidence permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.setup_program_scope(user_id, acr) with factories.single_commit(): evidence = factories.EvidenceUrlFactory() if parent == "Audit": self.mapping_id = factories.RelationshipFactory( source=self.audit, destination=evidence ).id elif parent == "Assessment": self.mapping_id = factories.RelationshipFactory( source=self.assessment, destination=evidence ).id self.evidence_id = evidence.id self.parent = parent self.admin_acr_id = all_models.AccessControlRole.query.filter_by( name="Admin", object_type="Evidence", ).one().id self.user_id = user_id self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Evidence object.""" result = self.api.post(all_models.Evidence, { "evidence": { "access_control_list": [{ "ac_role_id": self.admin_acr_id, "person": { "id": self.user_id, "type": "Person", } }], "link": factories.random_str(), "title": factories.random_str(), "context": None, } }) return result def read(self): """Read existing Evidence object.""" res = self.api.get(all_models.Evidence, self.evidence_id) return res def update(self): """Update title of existing Evidence object.""" evidence = all_models.Evidence.query.get(self.evidence_id) return self.api.put(evidence, {"title": factories.random_str()}) def delete(self): """Delete Evidence object.""" evidence = all_models.Evidence.query.get(self.evidence_id) return self.api.delete(evidence) def map(self, evidence=None): """Map Evidence to parent object.""" if self.parent == "Audit": parent = all_models.Audit.query.get(self.audit_id) else: parent = all_models.Assessment.query.get(self.assessment_id) map_evidence = evidence if evidence else factories.EvidenceUrlFactory() return self.api.put(parent, { "actions": { "add_related": [{ "id": map_evidence.id, "type": "Evidence", }] } }) def create_and_map(self): """Create new Evidence and map it to parent.""" response = self.create() evidence_id = None if response.json and response.json.get("evidence"): evidence_id = response.json.get("evidence", {}).get("id") if not evidence_id: return response evidence = all_models.Evidence.query.get(evidence_id) return self.map(evidence) def add_comment(self): """Map new comment to evidence.""" evidence = all_models.Evidence.query.get(self.evidence_id) _, comment = self.objgen.generate_object(all_models.Comment, { "description": factories.random_str(), "context": None, }) return self.objgen.generate_relationship(source=evidence, destination=comment)[0] def read_comments(self): """Read comments mapped to evidence""" evidence = all_models.Evidence.query.get(self.evidence_id) with factories.single_commit(): comment = factories.CommentFactory(description=factories.random_str()) factories.RelationshipFactory(source=evidence, destination=comment) query_request_data = [{ "fields": [], "filters": { "expression": { "object_name": "Evidence", "op": { "name": "relevant" }, "ids": [evidence.id] } }, "object_name": "Comment", }] response = self.api.send_request( self.api.client.post, data=query_request_data, api_link="/query" ) return response
class SnapshotRBACFactory(base.BaseRBACFactory): """Snapshot RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Snapshot permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.setup_program_scope(user_id, acr) control = factories.ControlFactory() # pylint: disable=protected-access snapshot = TestCase._create_snapshots(self.audit, [control])[0] factories.RelationshipFactory(source=snapshot, destination=self.audit) factories.RelationshipFactory(source=control, destination=self.program) if parent == "Assessment": factories.RelationshipFactory(source=snapshot, destination=self.assessment) self.control_id = control.id self.snapshot_id = snapshot.id self.user_id = user_id self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def _update_orig_obj(self): """Update title of original object of Snapshot.""" snapshot = all_models.Snapshot.query.get(self.snapshot_id) original = get_model(snapshot.child_type).query.get(snapshot.child_id) # Assume that Admin is first in people table admin = all_models.Person.query.get(1) self.api.set_user(admin) self.api.put(original, {"title": factories.random_str()}) user = all_models.Person.query.get(self.user_id) self.api.set_user(user) def read(self): """Read Snapshot object.""" return self.api.get(all_models.Snapshot, self.snapshot_id) def read_original(self): """Read original object of Snapshot.""" snapshot = all_models.Snapshot.query.get(self.snapshot_id) original = get_model(snapshot.child_type).query.get(snapshot.child_id) return self.api.get(original, original.id) def get_latest_version(self): """Get latest revisions for original object of Snapshot""" self._update_orig_obj() snapshot = all_models.Snapshot.query.get(self.snapshot_id) last_revision = db.session.query( sa.sql.func.max(all_models.Revision.id)).filter( all_models.Revision.resource_type == snapshot.child_type, all_models.Revision.resource_id == snapshot.child_id, ).first()[0] return self.api.client.get("api/revisions?id__in={}%2C{}".format( snapshot.revision.id, last_revision)) def update(self): """Update snapshot to the latest version.""" self._update_orig_obj() snapshot = all_models.Snapshot.query.get(self.snapshot_id) return self.api.put(snapshot, {"update_revision": "latest"}) def delete(self): """Delete Snapshot object.""" snapshot = all_models.Snapshot.query.get(self.snapshot_id) return self.api.delete(snapshot)
class TaskGroupRBACFactory(base.BaseRBACFactory): """Task Group RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Task Group permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.admin_control_id = { name: id_ for id_, name in access_control.role.get_custom_roles_for( "Control").items() }["Admin"] self.api = Api() if user_id: self.user_id = user_id user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Task Group object.""" person = factories.PersonFactory() return self.api.post( all_models.TaskGroup, { "task_group": { "contact": { "id": person.id, "type": "Person", }, "title": "New Task Group", "context": None, "workflow": { "id": self.workflow_id, "type": "Workflow", }, } }) def read(self): """Read existing Task Group object.""" return self.api.get(all_models.TaskGroup, self.task_group_id) def update(self): """Update title of existing Task Group object.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) return self.api.put(task_group, {"title": factories.random_str()}) def delete(self): """Delete Task Group object.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) return self.api.delete(task_group) def read_revisions(self): """Read revisions for Task Group object.""" responses = [] for query in [ "source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}" ]: responses.append( self.api.get_query( all_models.TaskGroup, query.format("task_group", self.task_group_id))) return responses def map_control(self): """Map Control on which user don't have any rights to Cycle Task.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) control = factories.ControlFactory() return self.api.post( all_models.TaskGroupObject, { "task_group_object": { "context": None, "object": { "id": control.id, "type": "Control", }, "task_group": { "id": task_group.id, "type": "TaskGroup", }, } }) def map_created_control(self): """Map Control that was created by user to Cycle Task.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) with factories.single_commit(): control = factories.ControlFactory() for acl in control._access_control_list: if acl.ac_role_id == self.admin_control_id: factories.AccessControlPersonFactory( person_id=self.user_id, ac_list=acl, ) return self.api.post( all_models.TaskGroupObject, { "task_group_object": { "context": None, "object": { "id": control.id, "type": "Control", }, "task_group": { "id": task_group.id, "type": "TaskGroup", }, } }) def read_mapped_control(self): """Read Control object mapped to Task Group.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) with factories.single_commit(): control = factories.ControlFactory() wf_factories.TaskGroupObjectFactory(task_group=task_group, object=control) return self.api.get(control, control.id) def upmap_control(self): """Unmap Control from Task Group.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) with factories.single_commit(): control = factories.ControlFactory() tg_obj = wf_factories.TaskGroupObjectFactory(task_group=task_group, object=control) return self.api.delete(tg_obj) def clone(self): """Clone existing Task Group object.""" task_group = all_models.TaskGroup.query.get(self.task_group_id) wf_factories.TaskGroupTaskFactory(task_group=task_group) return self.api.post( all_models.TaskGroup, { "task_group": { "clone": self.task_group_id, "clone_objects": True, "clone_people": True, "clone_tasks": True, "context": None, } })
class ProgramRBACFactory(base.BaseRBACFactory): """Program RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Program permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_program_scope(user_id, acr, "Program") self.admin_control_id = { name: id for id, name in access_control.role.get_custom_roles_for("Control").items() }["Admin"] self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: self.user_id = user_id user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Program object.""" return self.api.post(all_models.Program, { "program": { "title": "New program", "program": {"id": self.program_id}, "context": None, "access_control_list": [], } }) def read(self): """Read existing Audit object.""" return self.api.get(all_models.Program, self.program_id) def update(self): """Update title of existing Audit object.""" program = all_models.Program.query.get(self.program_id) return self.api.put(program, {"title": factories.random_str()}) def delete(self): """Delete Audit object.""" program = all_models.Program.query.get(self.program_id) return self.api.delete(program) def read_revisions(self): """Read revisions for Assessment object.""" responses = [] for query in ["source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}"]: responses.append( self.api.get_query( all_models.Program, query.format("program", self.program_id) ) ) return responses def map_control(self): """Map new Control to Program.""" with factories.single_commit(): control = factories.ControlFactory() factories.AccessControlListFactory( ac_role_id=self.admin_control_id, object_id=control.id, object_type="Control", person_id=self.user_id ) program = all_models.Program.query.get(self.program_id) return self.objgen.generate_relationship( source=program, destination=control, )[0] def unmap_control(self): """Unmap Control from Program.""" control = factories.ControlFactory() program = all_models.Program.query.get(self.program_id) rel = factories.RelationshipFactory(source=control, destination=program) return self.api.delete(rel) def read_mapped(self): """Read control mapped to Program.""" program = all_models.Program.query.get(self.program_id) with factories.single_commit(): control = factories.ControlFactory() factories.RelationshipFactory(source=control, destination=program) return self.api.get(control, control.id) def update_mapped(self): """Update control mapped to Program.""" program = all_models.Program.query.get(self.program_id) with factories.single_commit(): control = factories.ControlFactory() factories.RelationshipFactory(source=control, destination=program) return self.api.put(control, {"title": factories.random_str()}) def delete_mapped(self): """Delete control mapped to Program.""" program = all_models.Program.query.get(self.program_id) with factories.single_commit(): control = factories.ControlFactory() factories.RelationshipFactory(source=control, destination=program) return self.api.delete(control)
class SnapshotRBACFactory(base.BaseRBACFactory): """Snapshot RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Snapshot permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.setup_program_scope(user_id, acr) control = factories.ControlFactory() # pylint: disable=protected-access snapshot = TestCase._create_snapshots(self.audit, [control])[0] factories.RelationshipFactory(source=snapshot, destination=self.audit) factories.RelationshipFactory(source=control, destination=self.program) if parent == "Assessment": factories.RelationshipFactory( source=snapshot, destination=self.assessment ) self.control_id = control.id self.snapshot_id = snapshot.id self.user_id = user_id self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def _update_orig_obj(self): """Update title of original object of Snapshot.""" snapshot = all_models.Snapshot.query.get(self.snapshot_id) original = get_model(snapshot.child_type).query.get(snapshot.child_id) # Assume that Admin is first in people table admin = all_models.Person.query.get(1) self.api.set_user(admin) self.api.put(original, {"title": factories.random_str()}) user = all_models.Person.query.get(self.user_id) self.api.set_user(user) def read(self): """Read Snapshot object.""" return self.api.get(all_models.Snapshot, self.snapshot_id) def read_original(self): """Read original object of Snapshot.""" snapshot = all_models.Snapshot.query.get(self.snapshot_id) original = get_model(snapshot.child_type).query.get(snapshot.child_id) return self.api.get(original, original.id) def get_latest_version(self): """Get latest revisions for original object of Snapshot""" self._update_orig_obj() snapshot = all_models.Snapshot.query.get(self.snapshot_id) last_revision = db.session.query( sa.sql.func.max(all_models.Revision.id) ).filter( all_models.Revision.resource_type == snapshot.child_type, all_models.Revision.resource_id == snapshot.child_id, ).first()[0] return self.api.client.get( "api/revisions?id__in={}%2C{}".format( snapshot.revision.id, last_revision ) ) def update(self): """Update snapshot to the latest version.""" self._update_orig_obj() snapshot = all_models.Snapshot.query.get(self.snapshot_id) return self.api.put(snapshot, {"update_revision": "latest"})
class TestEvidenceRolePropagation(TestCase): """Evidence role propagation test case""" # pylint: disable=invalid-name def setUp(self): super(TestEvidenceRolePropagation, self).setUp() self.api = Api() self.generator = ObjectGenerator() # Propagation isn't work for 'Primary Contacts', 'Secondary Contacts' # just add them to data list to check if fix works. @ddt.data("Assignees", "Creators", "Verifiers") def test_assessment_role_propagation_edit(self, role): """Asses user with role '{0}' should be able to edit related evidence""" _, reader = self.generator.generate_person(user_role="Creator") assignees_role = all_models.AccessControlRole.query.filter_by( object_type=all_models.Assessment.__name__, name=role).first() with factories.single_commit(): assessment = factories.AssessmentFactory() factories.AccessControlListFactory(ac_role=assignees_role, object=assessment, person=reader) evidence = factories.EvidenceFactory() evidence_id = evidence.id factories.RelationshipFactory(source=assessment, destination=evidence) self.api.set_user(reader) evidence = all_models.Evidence.query.get(evidence_id) new_description = 'new description' resp = self.api.modify_object(evidence, {'description': new_description}) evidence = self.refresh_object(evidence) self.assert200(resp) self.assertEquals(new_description, evidence.description) self.assertEquals(reader.id, evidence.modified_by_id) @ddt.data("Audit Captains", "Auditors") def test_audit_role_propagation_edit(self, role): """Audit user with role '{0}' should be able to edit related evidence""" _, reader = self.generator.generate_person(user_role="Reader") assignees_role = all_models.AccessControlRole.query.filter_by( object_type=all_models.Audit.__name__, name=role).first() with factories.single_commit(): audit = factories.AuditFactory() factories.AccessControlListFactory(ac_role=assignees_role, object=audit, person=reader) evidence = factories.EvidenceFactory() evidence_id = evidence.id factories.RelationshipFactory(source=audit, destination=evidence) self.api.set_user(reader) evidence = all_models.Evidence.query.get(evidence_id) new_description = 'new description' resp = self.api.modify_object(evidence, {'description': new_description}) evidence = self.refresh_object(evidence) self.assert200(resp) self.assertEquals(new_description, evidence.description) self.assertEquals(reader.id, evidence.modified_by_id) def test_audit_role_propagation_not_delete(self, role="Auditors"): """Audit user with role Auditors can NOT delete related evidence""" _, reader = self.generator.generate_person(user_role="Reader") assignees_role = all_models.AccessControlRole.query.filter_by( object_type=all_models.Audit.__name__, name=role).first() with factories.single_commit(): audit = factories.AuditFactory() factories.AccessControlListFactory(ac_role=assignees_role, object=audit, person=reader) evidence = factories.EvidenceFactory() evidence_id = evidence.id factories.RelationshipFactory(source=audit, destination=evidence) self.api.set_user(reader) evidence = all_models.Evidence.query.get(evidence_id) resp = self.api.delete(evidence) self.assertStatus(resp, 403) evidence = all_models.Evidence.query.get(evidence_id) self.assertTrue(evidence)
class AuditRBACFactory(base.BaseRBACFactory): """Audit RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Audit permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_program_scope(user_id, acr, "Audit") self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api self.admin_control_id = { name: id for id, name in access_control.role.get_custom_roles_for("Control").items() }["Admin"] if user_id: self.user_id = user_id user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Audit object.""" return self.api.post(all_models.Audit, { "audit": { "title": "New audit", "program": {"id": self.program_id}, "context": None, "access_control_list": [], } }) def read(self): """Read existing Audit object.""" return self.api.get(all_models.Audit, self.audit_id) def update(self): """Update title of existing Audit object.""" audit = all_models.Audit.query.get(self.audit_id) return self.api.put(audit, {"title": factories.random_str()}) def delete(self): """Delete Audit object.""" audit = all_models.Audit.query.get(self.audit_id) return self.api.delete(audit) def clone(self): """Clone existing Audit with Assessment Templates.""" return self.api.post(all_models.Audit, { "audit": { "program": {"id": self.program_id, "type": "Program"}, # workaround - title is required for validation "title": "", "context": None, "operation": "clone", "cloneOptions": { "sourceObjectId": self.audit_id, "mappedObjects": "AssessmentTemplate" } } }) def read_revisions(self): """Read revisions for Audit object.""" model_class = get_model("Audit") responses = [] for query in ["source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}"]: responses.append( self.api.get_query(model_class, query.format("audit", self.audit_id)) ) return responses def map_external_control(self): """Map Control (on which current user don't have any rights) to Audit.""" control = factories.ControlFactory() audit = all_models.Audit.query.get(self.audit_id) return self.objgen.generate_relationship( source=audit, destination=control, )[0] def map_control(self): """Map new snapshot of Control to Audit.""" with factories.single_commit(): control = factories.ControlFactory() acl = [ acl for acl in control._access_control_list if acl.ac_role_id == self.admin_control_id ][0] factories.AccessControlPersonFactory( person_id=self.user_id, ac_list=acl ) audit = all_models.Audit.query.get(self.audit_id) return self.objgen.generate_relationship( source=audit, destination=control, )[0] def deprecate(self): """Set status 'Deprecated' for Audit.""" audit = all_models.Audit.query.get(self.audit_id) return self.api.modify_object(audit, { "status": "Deprecated" }) def archive(self): """Move Audit into archived state.""" audit = all_models.Audit.query.get(self.audit_id) return self.api.modify_object(audit, { "archived": True }) def unarchive(self): """Move Audit into unarchived state.""" audit = all_models.Audit.query.get(self.audit_id) return self.api.modify_object(audit, { "archived": False }) def summary(self): """Get Audit summary information.""" return self.api.client.get( "api/audits/{}/{}".format(self.audit_id, "summary") )
class TestBulkCompleteNotification(TestCase): """Base class for testing notification creation for assignable mixin.""" def setUp(self): super(TestBulkCompleteNotification, self).setUp() self.client.get("/login") self.api = Api() self.object_generator = ObjectGenerator() self.init_taskqueue() def test_complete_successfully(self): """Test assessment complete finished successfully""" assessments = [] with factories.single_commit(): for _ in range(3): assessments.append(factories.AssessmentFactory()) assessments_ids = [assessment.id for assessment in assessments] assessments_titles = [ assessment.title for assessment in assessments ] data = { "assessments_ids": assessments_ids, "attributes": [], } with mock.patch("ggrc.notifications.common.send_email") as send_mock: response = self.client.post("/api/bulk_operations/complete", data=json.dumps(data), headers=self.headers) self.assert200(response) send_mock.assert_called_once() _, mail_title, body = send_mock.call_args[0] self.assertEqual(mail_title, "Bulk update of Assessments is finished") self.assertIn("Bulk Assesments update is finished successfully", body) self.assertNotIn("Bulk Assesments update is finished partitially", body) self.assertNotIn("Bulk Assesments update has failed", body) for asmt_title in assessments_titles: self.assertIn(asmt_title, body) def test_not_completed(self): """Test assessment complete fail notification""" assessments = [] with factories.single_commit(): for _ in range(3): assessments.append(factories.AssessmentFactory()) factories.CustomAttributeDefinitionFactory( definition_type="assessment", mandatory=True, ) assessments_ids = [assessment.id for assessment in assessments] assessments_titles = [ assessment.title for assessment in assessments ] data = { "assessments_ids": assessments_ids, "attributes": [], } with mock.patch("ggrc.notifications.common.send_email") as send_mock: response = self.client.post("/api/bulk_operations/complete", data=json.dumps(data), headers=self.headers) self.assert200(response) send_mock.assert_called_once() _, mail_title, body = send_mock.call_args[0] self.assertEqual(mail_title, "Bulk update of Assessments is finished") self.assertNotIn("Bulk Assesments update is finished successfully", body) self.assertNotIn("Bulk Assesments update has failed", body) self.assertIn("Bulk Assesments update is finished partitially", body) for asmt_title in assessments_titles: self.assertIn(asmt_title, body) def test_attributes_failed(self): """Test notification if bulk couldn't fill attributes""" assessments = [] with factories.single_commit(): for _ in range(3): assessment = factories.AssessmentFactory() assessments.append(assessment) factories.CustomAttributeDefinitionFactory( definition_type="assessment", definition_id=assessment.id, attribute_type="Dropdown", title="lca_title", ) assessments_ids = [assmt.id for assmt in assessments] assessments_titles = [assmt.title for assmt in assessments] bulk_update = [{ "assessment_id": assmt.id, "attribute_definition_id": None, "slug": assmt.slug } for assmt in assessments] data = { "assessments_ids": assessments_ids, "attributes": [{ "attribute_value": "lcavalue", "attribute_title": "lca_title", "attribute_type": "Dropdown", "extra": None, "bulk_update": bulk_update }], } with mock.patch("ggrc.notifications.common.send_email") as send_mock: response = self.client.post("/api/bulk_operations/complete", data=json.dumps(data), headers=self.headers) self.assert200(response) send_mock.assert_called_once() _, mail_title, body = send_mock.call_args[0] self.assertEqual(mail_title, "Bulk update of Assessments is finished") self.assertNotIn("Bulk Assesments update is finished successfully", body) self.assertNotIn("Bulk Assesments update is finished partitially", body) self.assertIn("Bulk Assesments update has failed", body) for asmt_title in assessments_titles: self.assertIn(asmt_title, body) def test_verify_successfully(self): """Test bulk assessment verify finished successfully""" assessments = [] user = models.Person.query.first() with factories.single_commit(): for _ in range(3): assmt = factories.AssessmentFactory(status="In Review") assessments.append(assmt) assmt.add_person_with_role_name(user, "Verifiers") assessments_ids = [assessment.id for assessment in assessments] assessments_titles = [ assessment.title for assessment in assessments ] data = { "assessments_ids": assessments_ids, "attributes": [], } with mock.patch("ggrc.notifications.common.send_email") as send_mock: response = self.client.post("/api/bulk_operations/verify", data=json.dumps(data), headers=self.headers) self.assert200(response) send_mock.assert_called_once() _, mail_title, body = send_mock.call_args[0] self.assertEqual(mail_title, "Bulk update of Assessments is finished") self.assertIn("Bulk Assesments update is finished successfully", body) self.assertNotIn("Bulk Assesments update is finished partitially", body) self.assertNotIn("Bulk Assesments update has failed", body) for asmt_title in assessments_titles: self.assertIn(asmt_title, body) def test_not_verified(self): """Test bulk assessment verify fail notification""" assessments = [] with factories.single_commit(): for _ in range(3): assessments.append(factories.AssessmentFactory()) factories.CustomAttributeDefinitionFactory( definition_type="assessment", mandatory=True, ) assessments_ids = [assessment.id for assessment in assessments] assessments_titles = [ assessment.title for assessment in assessments ] _, user = self.object_generator.generate_person(user_role="Creator") self.api.set_user(user) data = { "assessments_ids": assessments_ids, "attributes": [], } with mock.patch("ggrc.notifications.common.send_email") as send_mock: response = self.api.client.post("/api/bulk_operations/verify", data=json.dumps(data), headers=self.headers) self.assert200(response) send_mock.assert_called_once() _, mail_title, body = send_mock.call_args[0] self.assertEqual(mail_title, "Bulk update of Assessments is finished") self.assertNotIn("Bulk Assesments update is finished successfully", body) self.assertIn("Bulk Assesments update has failed", body) self.assertNotIn("Bulk Assesments update is finished partitially", body) for asmt_title in assessments_titles: self.assertIn(asmt_title, body)
class TestEvidenceRolePropagation(TestCase): """Evidence role propagation test case""" # pylint: disable=invalid-name def setUp(self): super(TestEvidenceRolePropagation, self).setUp() self.api = Api() self.generator = ObjectGenerator() # Propagation isn't work for 'Primary Contacts', 'Secondary Contacts' # just add them to data list to check if fix works. @ddt.data("Assignees", "Creators", "Verifiers") def test_assessment_role_propagation_edit(self, role): """Asses user with role '{0}' should be able to edit related evidence""" _, reader = self.generator.generate_person(user_role="Creator") assignees_role = all_models.AccessControlRole.query.filter_by( object_type=all_models.Assessment.__name__, name=role ).first() with factories.single_commit(): assessment = factories.AssessmentFactory() factories.AccessControlListFactory( ac_role=assignees_role, object=assessment, person=reader ) evidence = factories.EvidenceFactory() evidence_id = evidence.id factories.RelationshipFactory(source=assessment, destination=evidence) self.api.set_user(reader) evidence = all_models.Evidence.query.get(evidence_id) new_description = 'new description' resp = self.api.modify_object(evidence, {'description': new_description}) evidence = self.refresh_object(evidence) self.assert200(resp) self.assertEquals(new_description, evidence.description) self.assertEquals(reader.id, evidence.modified_by_id) @ddt.data("Audit Captains", "Auditors") def test_audit_role_propagation_edit(self, role): """Audit user with role '{0}' should be able to edit related evidence""" _, reader = self.generator.generate_person(user_role="Reader") assignees_role = all_models.AccessControlRole.query.filter_by( object_type=all_models.Audit.__name__, name=role ).first() with factories.single_commit(): audit = factories.AuditFactory() factories.AccessControlListFactory( ac_role=assignees_role, object=audit, person=reader ) evidence = factories.EvidenceFactory() evidence_id = evidence.id factories.RelationshipFactory(source=audit, destination=evidence) self.api.set_user(reader) evidence = all_models.Evidence.query.get(evidence_id) new_description = 'new description' resp = self.api.modify_object(evidence, {'description': new_description}) evidence = self.refresh_object(evidence) self.assert200(resp) self.assertEquals(new_description, evidence.description) self.assertEquals(reader.id, evidence.modified_by_id) def test_audit_role_propagation_not_delete(self, role="Auditors"): """Audit user with role Auditors can NOT delete related evidence""" _, reader = self.generator.generate_person(user_role="Reader") assignees_role = all_models.AccessControlRole.query.filter_by( object_type=all_models.Audit.__name__, name=role ).first() with factories.single_commit(): audit = factories.AuditFactory() factories.AccessControlListFactory( ac_role=assignees_role, object=audit, person=reader ) evidence = factories.EvidenceFactory() evidence_id = evidence.id factories.RelationshipFactory(source=audit, destination=evidence) self.api.set_user(reader) evidence = all_models.Evidence.query.get(evidence_id) resp = self.api.delete(evidence) self.assertStatus(resp, 403) evidence = all_models.Evidence.query.get(evidence_id) self.assertTrue(evidence)
class AssessmentRBACFactory(base.BaseRBACFactory): """Assessment RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Assessment permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.setup_program_scope(user_id, acr, parent) self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Assessment object.""" return self.api.post( all_models.Assessment, { "assessment": { "title": "New Assessment", "context": None, "audit": { "id": self.audit_id }, }, }) def generate(self): """Generate new Assessment object.""" with factories.single_commit(): control = factories.ControlFactory() template_id = factories.AssessmentTemplateFactory().id audit = all_models.Audit.query.get(self.audit_id) # pylint: disable=protected-access snapshot = TestCase._create_snapshots(audit, [control])[0] snapshot_id = snapshot.id factories.RelationshipFactory(source=snapshot, destination=audit) responses = [] asmnt_data = { "assessment": { "_generated": True, "audit": { "id": self.audit_id, "type": "Audit" }, "object": { "id": snapshot_id, "type": "Snapshot" }, "context": None, "title": "New assessment", } } responses.append(self.api.post(all_models.Assessment, asmnt_data)) asmnt_data["assessment"]["template"] = { "id": template_id, "type": "AssessmentTemplate" } responses.append(self.api.post(all_models.Assessment, asmnt_data)) return responses def read(self): """Read existing Assessment object.""" return self.api.get(all_models.Assessment, self.assessment_id) def update(self): """Update title of existing Assessment object.""" asmnt = all_models.Assessment.query.get(self.assessment_id) return self.api.put(asmnt, {"title": factories.random_str()}) def delete(self): """Delete Assessment object.""" asmnt = all_models.Assessment.query.get(self.assessment_id) return self.api.delete(asmnt) def read_revisions(self): """Read revisions for Assessment object.""" model_class = get_model("Assessment") responses = [] for query in [ "source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}" ]: responses.append( self.api.get_query( model_class, query.format("assessment", self.assessment_id))) return responses def map_snapshot(self): """Map snapshot to assessment.""" audit = all_models.Audit.query.get(self.audit_id) assessment = all_models.Assessment.query.get(self.assessment_id) control = factories.ControlFactory() # pylint: disable=protected-access snapshot = TestCase._create_snapshots(audit, [control])[0] factories.RelationshipFactory(source=snapshot, destination=audit) return self.objgen.generate_relationship( source=assessment, destination=snapshot, )[0] def deprecate(self): """Set status 'Deprecated' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.modify_object(assessment, {"status": "Deprecated"}) def complete(self): """Set status 'Completed' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, {"status": "Completed"}) def in_progress(self): """Set status 'In Progress' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, {"status": "In Progress"}) def not_started(self): """Set status 'Not Started' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, {"status": "Not Started"}) def decline(self): """Set status 'Rework Needed' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, {"status": "Rework Needed"}) def verify(self): """Set status 'Verified' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, { "status": "Completed", "verified": True }) def map_comment(self): """Map new comment to assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put( assessment, { "actions": { "add_related": [{ "id": None, "type": "Comment", "description": factories.random_str(), "custom_attribute_definition_id": None, }] } }) def map_evidence(self): """Map new evidence to assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put( assessment, { "actions": { "add_related": [{ "id": None, "type": "Evidence", "kind": "URL", "title": factories.random_str(), "link": factories.random_str(), }] } }) def related_assessments(self): """Get related Assessments for existing object.""" audit = all_models.Audit.query.get(self.audit_id) assessment = all_models.Assessment.query.get(self.assessment_id) with factories.single_commit(): control = factories.ControlFactory() # pylint: disable=protected-access snapshot = TestCase._create_snapshots(audit, [control])[0] factories.RelationshipFactory(source=audit, destination=snapshot) factories.RelationshipFactory(source=assessment, destination=snapshot) assessment2 = factories.AssessmentFactory( assessment_type=assessment.assessment_type) factories.RelationshipFactory(source=assessment2, destination=snapshot) return self.api.client.get( "/api/related_assessments?object_id={}&object_type=Assessment". format(self.assessment_id)) def related_objects(self): """Get related objects for existing Assessment.""" return self.api.client.get( "/api/assessments/{}/related_objects".format(self.assessment_id))
class AssessmentTemplateRBACFactory(base.BaseRBACFactory): """Assessment Template RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Assessment Template permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.setup_program_scope(user_id, acr, parent) with factories.single_commit(): template = factories.AssessmentTemplateFactory(audit=self.audit) factories.RelationshipFactory(source=self.audit, destination=template) self.template_id = template.id self.default_assignees = "Admin" self.default_verifiers = "Admin" self.api = Api() if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Assessment Template object.""" return self.api.post( all_models.AssessmentTemplate, { "assessment_template": { "audit": { "id": self.audit_id, "type": "Audit" }, "context": None, "default_people": { "assignees": self.default_assignees, "verifiers": self.default_verifiers, }, "title": "New Assessment Template" } }) def read(self): """Read existing Assessment Template object.""" return self.api.get(all_models.AssessmentTemplate, self.template_id) def update(self): """Update title of existing Assessment Template object.""" template = all_models.AssessmentTemplate.query.get(self.template_id) return self.api.put(template, {"title": factories.random_str()}) def delete(self): """Delete Assessment Template object.""" template = all_models.AssessmentTemplate.query.get(self.template_id) return self.api.delete(template) def read_revisions(self): """Read revisions for Assessment Template object.""" model_class = get_model("AssessmentTemplate") responses = [] for query in [ "source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}" ]: responses.append( self.api.get_query( model_class, query.format("assessment_template", self.template_id))) return responses
class CycleTaskRBACFactory(base.BaseRBACFactory): """Cycle Task RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Cycle Task permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.admin_control_id = { name: id for id, name in access_control.role.get_custom_roles_for( "Control").items() }["Admin"] self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: self.user_id = user_id user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Cycle Task object.""" cycle_tg = all_models.CycleTaskGroup.query.first() return self.api.post( all_models.CycleTaskGroupObjectTask, { "cycle_task_group_object_task": { "title": "New Cycle Task", "start_date": datetime.now().strftime("%Y-%m-%d"), "end_date": datetime.now().strftime("%Y-%m-%d"), "context": None, "task_type": "text", "cycle_task_group": { "id": cycle_tg.id, "type": "Task Group", }, "cycle": { "id": cycle_tg.cycle.id, "type": "Cycle", }, } }) def read(self): """Read existing Cycle Task object.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() return self.api.get(cycle_task, cycle_task.id) def update(self): """Update title of existing Cycle Task object.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() return self.api.put(cycle_task, {"title": factories.random_str()}) def delete(self): """Delete Cycle Task object.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() return self.api.delete(cycle_task) def read_revisions(self): """Read revisions for Cycle Task object.""" responses = [] cycle_task = all_models.CycleTaskGroupObjectTask.query.first() for query in [ "source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}" ]: responses.append( self.api.get_query( all_models.CycleTaskGroupObjectTask, query.format("cycle_task_group_object_task", cycle_task.id))) return responses def add_comment(self): """Map new comment to cycle task.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.get( self.cycle_task_id) _, comment = self.objgen.generate_object( all_models.Comment, { "description": factories.random_str(), "context": None, }) return self.objgen.generate_relationship(source=cycle_task, destination=comment)[0] def read_comment(self): """Read comments mapped to cycle task""" cycle_task = all_models.CycleTaskGroupObjectTask.query.get( self.cycle_task_id) with factories.single_commit(): comment = factories.CommentFactory( description=factories.random_str()) factories.RelationshipFactory(source=cycle_task, destination=comment) query_request_data = [{ "fields": [], "filters": { "expression": { "object_name": "CycleTaskGroupObjectTask", "op": { "name": "relevant" }, "ids": [cycle_task.id] } }, "object_name": "Comment", }] response = self.api.send_request(self.api.client.post, data=query_request_data, api_link="/query") return response def map_control(self): """Map Control on which user don't have any rights to Cycle Task.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() control = factories.ControlFactory() return self.objgen.generate_relationship( source=cycle_task, destination=control, )[0] def map_created_control(self): """Map Control that was created by user to Cycle Task.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() control = factories.ControlFactory() # pylint: disable=protected-access for acl in control._access_control_list: if acl.ac_role_id == self.admin_control_id: factories.AccessControlPersonFactory( person_id=self.user_id, ac_list=acl, ) return self.objgen.generate_relationship( source=cycle_task, destination=control, )[0] def read_mapped_control(self): """Read Control object mapped to Cycle Task.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() with factories.single_commit(): control = factories.ControlFactory() factories.RelationshipFactory(source=cycle_task, destination=control) return self.api.get(control, control.id) def upmap_control(self): """Unmap Control from Task Group.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() with factories.single_commit(): control = factories.ControlFactory() rel = factories.RelationshipFactory(source=cycle_task, destination=control) return self.api.delete(rel) def start(self): """Start Cycle Task.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() return self.api.put(cycle_task, {"status": "InProgress"}) def end(self): """End Cycle Task.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() return self.api.put(cycle_task, {"status": "Finished"}) def verify(self): """Verify Cycle Task.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() return self.api.put(cycle_task, {"status": "Verified"}) def decline(self): """Decline Cycle Task.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() return self.api.put(cycle_task, {"status": "Declined"}) def deprecate(self): """Deprecate Cycle Task.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() return self.api.put(cycle_task, {"status": "Deprecated"}) def restore(self): """Restore Cycle Task.""" cycle_task = all_models.CycleTaskGroupObjectTask.query.first() return self.api.put(cycle_task, {"status": "Assigned"})
class AssessmentTemplateRBACFactory(base.BaseRBACFactory): """Assessment Template RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Assessment Template permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.setup_program_scope(user_id, acr, parent) with factories.single_commit(): template = factories.AssessmentTemplateFactory(audit=self.audit) factories.RelationshipFactory(source=self.audit, destination=template) self.template_id = template.id self.default_assignees = "Admin" self.default_verifiers = "Admin" self.api = Api() if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Assessment Template object.""" return self.api.post(all_models.AssessmentTemplate, { "assessment_template": { "audit": {"id": self.audit_id, "type": "Audit"}, "context": None, "default_people": { "assignees": self.default_assignees, "verifiers": self.default_verifiers, }, "title": "New Assessment Template" } }) def read(self): """Read existing Assessment Template object.""" return self.api.get(all_models.AssessmentTemplate, self.template_id) def update(self): """Update title of existing Assessment Template object.""" template = all_models.AssessmentTemplate.query.get(self.template_id) return self.api.put(template, {"title": factories.random_str()}) def delete(self): """Delete Assessment Template object.""" template = all_models.AssessmentTemplate.query.get(self.template_id) return self.api.delete(template) def read_revisions(self): """Read revisions for Assessment Template object.""" model_class = get_model("AssessmentTemplate") responses = [] for query in ["source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}"]: responses.append( self.api.get_query( model_class, query.format("assessment_template", self.template_id) ) ) return responses
class EvidenceRBACFactory(base.BaseRBACFactory): """Evidence RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Evidence permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.setup_program_scope(user_id, acr) with factories.single_commit(): evidence = factories.EvidenceUrlFactory() if parent == "Audit": self.mapping_id = factories.RelationshipFactory( source=self.audit, destination=evidence).id elif parent == "Assessment": self.mapping_id = factories.RelationshipFactory( source=self.assessment, destination=evidence).id self.evidence_id = evidence.id self.parent = parent self.admin_acr_id = all_models.AccessControlRole.query.filter_by( name="Admin", object_type="Evidence", ).one().id self.user_id = user_id self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Evidence object.""" result = self.api.post( all_models.Evidence, { "evidence": { "access_control_list": [{ "ac_role_id": self.admin_acr_id, "person": { "id": self.user_id, "type": "Person", } }], "link": factories.random_str(), "title": factories.random_str(), "context": None, } }) return result def read(self): """Read existing Evidence object.""" res = self.api.get(all_models.Evidence, self.evidence_id) return res def update(self): """Update title of existing Evidence object.""" evidence = all_models.Evidence.query.get(self.evidence_id) return self.api.put(evidence, {"title": factories.random_str()}) def delete(self): """Delete Evidence object.""" evidence = all_models.Evidence.query.get(self.evidence_id) return self.api.delete(evidence) def map(self, evidence=None): """Map Evidence to parent object.""" if self.parent == "Audit": parent = all_models.Audit.query.get(self.audit_id) else: parent = all_models.Assessment.query.get(self.assessment_id) map_evidence = evidence if evidence else factories.EvidenceUrlFactory() return self.api.put( parent, { "actions": { "add_related": [{ "id": map_evidence.id, "type": "Evidence", }] } }) def create_and_map(self): """Create new Evidence and map it to parent.""" response = self.create() evidence_id = None if response.json and response.json.get("evidence"): evidence_id = response.json.get("evidence", {}).get("id") if not evidence_id: return response evidence = all_models.Evidence.query.get(evidence_id) return self.map(evidence) def add_comment(self): """Map new comment to evidence.""" evidence = all_models.Evidence.query.get(self.evidence_id) _, comment = self.objgen.generate_object( all_models.Comment, { "description": factories.random_str(), "context": None, }) return self.objgen.generate_relationship(source=evidence, destination=comment)[0] def read_comments(self): """Read comments mapped to evidence""" evidence = all_models.Evidence.query.get(self.evidence_id) with factories.single_commit(): comment = factories.CommentFactory( description=factories.random_str()) factories.RelationshipFactory(source=evidence, destination=comment) query_request_data = [{ "fields": [], "filters": { "expression": { "object_name": "Evidence", "op": { "name": "relevant" }, "ids": [evidence.id] } }, "object_name": "Comment", }] response = self.api.send_request(self.api.client.post, data=query_request_data, api_link="/query") return response
class DocumentReferenceUrlRBACFactory(base.BaseRBACFactory): """Document Reference Url RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Document permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api self.acr = acr self.user_id = user_id self.parent_name = parent self.document_id = None self.parent = None self.parent_id = None self.admin_acr_id = all_models.AccessControlRole.query.filter_by( name="Admin", object_type="Document", ).one().id self.setup_models(self.parent_name) self.set_user(user_id) def set_user(self, user_id): """Set user to send requests""" if self.user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def setup_models(self, parent_name): """Setup document, parent, relationship""" with factories.single_commit(): document = factories.DocumentReferenceUrlFactory() self.document_id = document.id self.parent = self.build_parent(parent_name) self.parent_id = self.parent.id factories.RelationshipFactory(source=self.parent, destination=document) self.assign_person(self.parent, self.acr, self.user_id) @staticmethod def build_parent(parent_name): """Create parent based on Name""" try: parent = FACTORIES_MAPPING[parent_name]() except KeyError(): raise ValueError("Unknown parent {}".format(parent_name)) return parent def create(self): """Create new Document object.""" result = self.api.post( all_models.Document, { "document": { "access_control_list": [{ "ac_role_id": self.admin_acr_id, "person": { "id": self.user_id, "type": "Person", } }], "link": factories.random_str(), "title": factories.random_str(), "context": None, } }) return result def read(self): """Read existing Document object.""" res = self.api.get(all_models.Document, self.document_id) return res def update(self): """Update title of existing Document object.""" document = all_models.Document.query.get(self.document_id) return self.api.put(document, {"title": factories.random_str()}) def delete(self): """Delete Document object.""" document = all_models.Document.query.get(self.document_id) return self.api.delete(document) def map(self, document=None): """Map Document to parent object.""" parent = self.parent.__class__.query.get(self.parent_id) map_document = document if document \ else factories.DocumentReferenceUrlFactory() return self.objgen.generate_relationship(source=parent, destination=map_document)[0] def create_and_map(self): """Create new Document and map it to parent.""" response = self.create() document_id = None if response.json and response.json.get("document"): document_id = response.json.get("document", {}).get("id") if not document_id: return response document = all_models.Document.query.get(document_id) return self.map(document) def add_comment(self): """Map new comment to document.""" document = all_models.Document.query.get(self.document_id) _, comment = self.objgen.generate_object( all_models.Comment, { "description": factories.random_str(), "context": None, }) return self.objgen.generate_relationship(source=document, destination=comment)[0] def read_comments(self): """Read comments mapped to document""" document = all_models.Document.query.get(self.document_id) with factories.single_commit(): comment = factories.CommentFactory( description=factories.random_str()) factories.RelationshipFactory(source=document, destination=comment) query_request_data = [{ "fields": [], "filters": { "expression": { "object_name": "Document", "op": { "name": "relevant" }, "ids": [document.id] } }, "object_name": "Comment", }] response = self.api.send_request(self.api.client.post, data=query_request_data, api_link="/query") return response
class WorkflowRBACFactory(base.BaseRBACFactory): """Workflow RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Workflow permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.api = Api() if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Workflow object.""" return self.api.post(all_models.Workflow, { "workflow": { "title": "New workflow", "context": None, } }) def read(self): """Read existing Workflow object.""" return self.api.get(all_models.Workflow, self.workflow_id) def update(self): """Update title of existing Workflow object.""" workflow = all_models.Workflow.query.get(self.workflow_id) return self.api.put(workflow, {"title": factories.random_str()}) def delete(self): """Delete Workflow object.""" workflow = all_models.Workflow.query.get(self.workflow_id) return self.api.delete(workflow) def read_revisions(self): """Read revisions for Workflow object.""" responses = [] for query in ["source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}"]: responses.append( self.api.get_query( all_models.Workflow, query.format("workflow", self.workflow_id) ) ) return responses def clone(self): """Clone existing Workflow object.""" with factories.single_commit(): task_group = wf_factories.TaskGroupFactory(workflow_id=self.workflow_id) wf_factories.TaskGroupTaskFactory(task_group=task_group) return self.api.post(all_models.Workflow, { "workflow": { # workaround - title is required for validation "title": "", "clone": self.workflow_id, "clone_objects": True, "clone_people": True, "clone_tasks": True, "context": None, } })
class WorkflowRBACFactory(base.BaseRBACFactory): """Workflow RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Workflow permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_workflow_scope(user_id, acr) self.api = Api() if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Workflow object.""" return self.api.post(all_models.Workflow, { "workflow": { "title": "New workflow", "context": None, } }) def read(self): """Read existing Workflow object.""" return self.api.get(all_models.Workflow, self.workflow_id) def update(self): """Update title of existing Workflow object.""" workflow = all_models.Workflow.query.get(self.workflow_id) return self.api.put(workflow, {"title": factories.random_str()}) def delete(self): """Delete Workflow object.""" workflow = all_models.Workflow.query.get(self.workflow_id) return self.api.delete(workflow) def read_revisions(self): """Read revisions for Workflow object.""" responses = [] for query in ["source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}"]: responses.append( self.api.get_query( all_models.Workflow, query.format("workflow", self.workflow_id) ) ) return responses def clone(self): """Clone existing Workflow object.""" with factories.single_commit(): task_group = wf_factories.TaskGroupFactory(workflow_id=self.workflow_id) wf_factories.TaskGroupTaskFactory(task_group=task_group) return self.api.post(all_models.Workflow, { "workflow": { "clone": self.workflow_id, "clone_objects": True, "clone_people": True, "clone_tasks": True, "context": None, } })
class IssueRBACFactory(base.BaseRBACFactory): """Issue RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Issue permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.setup_program_scope(user_id, acr) with factories.single_commit(): issue = factories.IssueFactory() if parent == "Audit": self.mapping_id = factories.RelationshipFactory( source=self.audit, destination=issue ).id elif parent == "Assessment": self.mapping_id = factories.RelationshipFactory( source=self.assessment, destination=issue ).id self.issue_id = issue.id self.parent = parent self.admin_acr_id = all_models.AccessControlRole.query.filter_by( name="Admin", object_type="Issue", ).one().id self.user_id = user_id self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Issue object.""" return self.api.post(all_models.Issue, { "issue": { "access_control_list": [{ "ac_role_id": self.admin_acr_id, "person": { "id": self.user_id, "type": "Person", } }], "title": factories.random_str(), "context": None, } }) def read(self): """Read existing Issue object.""" return self.api.get(all_models.Issue, self.issue_id) def update(self): """Update title of existing Issue object.""" issue = all_models.Issue.query.get(self.issue_id) return self.api.put(issue, {"title": factories.random_str()}) def delete(self): """Delete Issue object.""" issue = all_models.Issue.query.get(self.issue_id) return self.api.delete(issue) def read_revisions(self): """Read revisions of Issue object.""" model_class = get_model("Issue") responses = [] for query in ["source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}"]: responses.append( self.api.get_query( model_class, query.format("issue", self.issue_id) ) ) return responses def map(self, issue=None): """Map Issue to parent object.""" if self.parent == "Audit": parent = all_models.Audit.query.get(self.audit_id) else: parent = all_models.Assessment.query.get(self.assessment_id) map_issue = issue if issue else factories.IssueFactory() return self.objgen.generate_relationship( source=parent, destination=map_issue )[0] def create_and_map(self): """Create new Issue and map it to parent.""" response = self.create() issue_id = None if response.json and response.json.get("issue"): issue_id = response.json.get("issue", {}).get("id") if not issue_id: return response issue = all_models.Issue.query.get(issue_id) return self.map(issue) def unmap(self): """Unmap Issue from parent object.""" mapping = all_models.Relationship.query.get(self.mapping_id) return self.api.delete(mapping) def raise_issue(self): """Raise issue for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) data = [{ "issue": { "assessment": { "id": assessment.id, "type": assessment.type, }, "title": factories.random_str(), "context": None } }] return self.api.post(all_models.Issue, data)
class DocumentReferenceUrlRBACFactory(base.BaseRBACFactory): """Document Reference Url RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Document permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api self.acr = acr self.user_id = user_id self.parent_name = parent self.document_id = None self.parent = None self.parent_id = None self.admin_acr_id = all_models.AccessControlRole.query.filter_by( name="Admin", object_type="Document", ).one().id self.setup_models(self.parent_name) self.set_user(user_id) def set_user(self, user_id): """Set user to send requests""" if self.user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def setup_models(self, parent_name): """Setup document, parent, relationship""" with factories.single_commit(): document = factories.DocumentReferenceUrlFactory() self.document_id = document.id self.parent = self.build_parent(parent_name) self.parent_id = self.parent.id factories.RelationshipFactory(source=self.parent, destination=document) self.assign_person(self.parent, self.acr, self.user_id) @staticmethod def build_parent(parent_name): """Create parent based on Name""" try: parent = FACTORIES_MAPPING[parent_name]() except KeyError(): raise ValueError("Unknown parent {}".format(parent_name)) return parent def create(self): """Create new Document object.""" result = self.api.post(all_models.Document, { "document": { "access_control_list": [{ "ac_role_id": self.admin_acr_id, "person": { "id": self.user_id, "type": "Person", } }], "link": factories.random_str(), "title": factories.random_str(), "context": None, } }) return result def read(self): """Read existing Document object.""" res = self.api.get(all_models.Document, self.document_id) return res def update(self): """Update title of existing Document object.""" document = all_models.Document.query.get(self.document_id) return self.api.put(document, {"title": factories.random_str()}) def delete(self): """Delete Document object.""" document = all_models.Document.query.get(self.document_id) return self.api.delete(document) def map(self, document=None): """Map Document to parent object.""" parent = self.parent.__class__.query.get(self.parent_id) map_document = document if document \ else factories.DocumentReferenceUrlFactory() return self.objgen.generate_relationship( source=parent, destination=map_document )[0] def create_and_map(self): """Create new Document and map it to parent.""" response = self.create() document_id = None if response.json and response.json.get("document"): document_id = response.json.get("document", {}).get("id") if not document_id: return response document = all_models.Document.query.get(document_id) return self.map(document) def add_comment(self): """Map new comment to document.""" document = all_models.Document.query.get(self.document_id) _, comment = self.objgen.generate_object(all_models.Comment, { "description": factories.random_str(), "context": None, }) return self.objgen.generate_relationship(source=document, destination=comment)[0] def read_comments(self): """Read comments mapped to document""" document = all_models.Document.query.get(self.document_id) with factories.single_commit(): comment = factories.CommentFactory(description=factories.random_str()) factories.RelationshipFactory(source=document, destination=comment) query_request_data = [{ "fields": [], "filters": { "expression": { "object_name": "Document", "op": { "name": "relevant" }, "ids": [document.id] } }, "object_name": "Comment", }] response = self.api.send_request( self.api.client.post, data=query_request_data, api_link="/query" ) return response
class AssessmentRBACFactory(base.BaseRBACFactory): """Assessment RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Assessment permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.setup_program_scope(user_id, acr, parent) self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Assessment object.""" return self.api.post(all_models.Assessment, { "assessment": { "title": "New Assessment", "context": None, "audit": {"id": self.audit_id}, }, }) def generate(self): """Generate new Assessment object.""" with factories.single_commit(): control = factories.ControlFactory() template_id = factories.AssessmentTemplateFactory().id audit = all_models.Audit.query.get(self.audit_id) # pylint: disable=protected-access snapshot = TestCase._create_snapshots(audit, [control])[0] snapshot_id = snapshot.id factories.RelationshipFactory(source=snapshot, destination=audit) responses = [] asmnt_data = { "assessment": { "_generated": True, "audit": { "id": self.audit_id, "type": "Audit" }, "object": { "id": snapshot_id, "type": "Snapshot" }, "context": None, "title": "New assessment", } } responses.append(self.api.post(all_models.Assessment, asmnt_data)) asmnt_data["assessment"]["template"] = { "id": template_id, "type": "AssessmentTemplate" } responses.append(self.api.post(all_models.Assessment, asmnt_data)) return responses def read(self): """Read existing Assessment object.""" return self.api.get(all_models.Assessment, self.assessment_id) def update(self): """Update title of existing Assessment object.""" asmnt = all_models.Assessment.query.get(self.assessment_id) return self.api.put(asmnt, {"title": factories.random_str()}) def delete(self): """Delete Assessment object.""" asmnt = all_models.Assessment.query.get(self.assessment_id) return self.api.delete(asmnt) def read_revisions(self): """Read revisions for Assessment object.""" model_class = get_model("Assessment") responses = [] for query in ["source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}"]: responses.append( self.api.get_query( model_class, query.format("assessment", self.assessment_id) ) ) return responses def map_snapshot(self): """Map snapshot to assessment.""" audit = all_models.Audit.query.get(self.audit_id) assessment = all_models.Assessment.query.get(self.assessment_id) control = factories.ControlFactory() # pylint: disable=protected-access snapshot = TestCase._create_snapshots(audit, [control])[0] factories.RelationshipFactory(source=snapshot, destination=audit) return self.objgen.generate_relationship( source=assessment, destination=snapshot, )[0] def deprecate(self): """Set status 'Deprecated' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.modify_object(assessment, {"status": "Deprecated"}) def complete(self): """Set status 'Completed' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, {"status": "Completed"}) def in_progress(self): """Set status 'In Progress' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, {"status": "In Progress"}) def not_started(self): """Set status 'Not Started' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, {"status": "Not Started"}) def decline(self): """Set status 'Rework Needed' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, {"status": "Rework Needed"}) def verify(self): """Set status 'Verified' for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, {"status": "Completed", "verified": True}) def map_comment(self): """Map new comment to assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, { "actions": { "add_related": [{ "id": None, "type": "Comment", "description": factories.random_str(), "custom_attribute_definition_id": None, }] } }) def map_evidence(self): """Map new evidence to assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) return self.api.put(assessment, { "actions": { "add_related": [{ "id": None, "type": "Evidence", "kind": "URL", "title": factories.random_str(), "link": factories.random_str(), }] } }) def related_assessments(self): """Get related Assessments for existing object.""" audit = all_models.Audit.query.get(self.audit_id) assessment = all_models.Assessment.query.get(self.assessment_id) with factories.single_commit(): control = factories.ControlFactory() # pylint: disable=protected-access snapshot = TestCase._create_snapshots(audit, [control])[0] factories.RelationshipFactory(source=audit, destination=snapshot) factories.RelationshipFactory(source=assessment, destination=snapshot) assessment2 = factories.AssessmentFactory( assessment_type=assessment.assessment_type ) factories.RelationshipFactory(source=assessment2, destination=snapshot) return self.api.client.get( "/api/related_assessments?object_id={}&object_type=Assessment".format( self.assessment_id ) ) def related_objects(self): """Get related objects for existing Assessment.""" return self.api.client.get( "/api/assessments/{}/related_objects".format(self.assessment_id) )
class ProgramRBACFactory(base.BaseRBACFactory): """Program RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Program permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_program_scope(user_id, acr, "Program") self.admin_control_id = { name: id for id, name in access_control.role.get_custom_roles_for( "Control").items() }["Admin"] self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: self.user_id = user_id user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Program object.""" return self.api.post( all_models.Program, { "program": { "title": "New program", "program": { "id": self.program_id }, "context": None, "access_control_list": [], } }) def read(self): """Read existing Audit object.""" return self.api.get(all_models.Program, self.program_id) def update(self): """Update title of existing Audit object.""" program = all_models.Program.query.get(self.program_id) return self.api.put(program, {"title": factories.random_str()}) def delete(self): """Delete Audit object.""" program = all_models.Program.query.get(self.program_id) return self.api.delete(program) def read_revisions(self): """Read revisions for Assessment object.""" responses = [] for query in [ "source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}" ]: responses.append( self.api.get_query(all_models.Program, query.format("program", self.program_id))) return responses def map_control(self): """Map new Control to Program.""" with factories.single_commit(): control = factories.ControlFactory() for acl in control._access_control_list: if acl.ac_role_id == self.admin_control_id: factories.AccessControlPersonFactory( person_id=self.user_id, ac_list=acl, ) program = all_models.Program.query.get(self.program_id) return self.objgen.generate_relationship( source=program, destination=control, )[0] def unmap_control(self): """Unmap Control from Program.""" control = factories.ControlFactory() program = all_models.Program.query.get(self.program_id) rel = factories.RelationshipFactory(source=control, destination=program) return self.api.delete(rel) def read_mapped(self): """Read project mapped to Program.""" program = all_models.Program.query.get(self.program_id) with factories.single_commit(): project = factories.ProjectFactory() factories.RelationshipFactory(source=project, destination=program) return self.api.get(project, project.id) def update_mapped(self): """Update project mapped to Program.""" program = all_models.Program.query.get(self.program_id) with factories.single_commit(): project = factories.ProjectFactory() factories.RelationshipFactory(source=project, destination=program) return self.api.put(project, {"title": factories.random_str()}) def delete_mapped(self): """Delete project mapped to Program.""" program = all_models.Program.query.get(self.program_id) with factories.single_commit(): project = factories.ProjectFactory() factories.RelationshipFactory(source=project, destination=program) return self.api.delete(project)
class IssueRBACFactory(base.BaseRBACFactory): """Issue RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Issue permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ self.setup_program_scope(user_id, acr) with factories.single_commit(): issue = factories.IssueFactory() if parent == "Audit": self.mapping_id = factories.RelationshipFactory( source=self.audit, destination=issue).id elif parent == "Assessment": self.mapping_id = factories.RelationshipFactory( source=self.assessment, destination=issue).id self.issue_id = issue.id self.parent = parent self.admin_acr_id = all_models.AccessControlRole.query.filter_by( name="Admin", object_type="Issue", ).one().id self.user_id = user_id self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api if user_id: user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Issue object.""" return self.api.post( all_models.Issue, { "issue": { "access_control_list": [{ "ac_role_id": self.admin_acr_id, "person": { "id": self.user_id, "type": "Person", } }], "title": factories.random_str(), "context": None, } }) def read(self): """Read existing Issue object.""" return self.api.get(all_models.Issue, self.issue_id) def update(self): """Update title of existing Issue object.""" issue = all_models.Issue.query.get(self.issue_id) return self.api.put(issue, {"title": factories.random_str()}) def delete(self): """Delete Issue object.""" issue = all_models.Issue.query.get(self.issue_id) return self.api.delete(issue) def read_revisions(self): """Read revisions of Issue object.""" model_class = get_model("Issue") responses = [] for query in [ "source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}" ]: responses.append( self.api.get_query(model_class, query.format("issue", self.issue_id))) return responses def map(self, issue=None): """Map Issue to parent object.""" if self.parent == "Audit": parent = all_models.Audit.query.get(self.audit_id) else: parent = all_models.Assessment.query.get(self.assessment_id) map_issue = issue if issue else factories.IssueFactory() return self.objgen.generate_relationship(source=parent, destination=map_issue)[0] def create_and_map(self): """Create new Issue and map it to parent.""" response = self.create() issue_id = None if response.json and response.json.get("issue"): issue_id = response.json.get("issue", {}).get("id") if not issue_id: return response issue = all_models.Issue.query.get(issue_id) return self.map(issue) def unmap(self): """Unmap Issue from parent object.""" mapping = all_models.Relationship.query.get(self.mapping_id) return self.api.delete(mapping) def raise_issue(self): """Raise issue for Assessment.""" assessment = all_models.Assessment.query.get(self.assessment_id) data = [{ "issue": { "assessment": { "id": assessment.id, "type": assessment.type, }, "title": factories.random_str(), "context": None } }] return self.api.post(all_models.Issue, data)
class AuditRBACFactory(base.BaseRBACFactory): """Audit RBAC factory class.""" def __init__(self, user_id, acr, parent=None): """Set up objects for Audit permission tests. Args: user_id: Id of user under which all operations will be run. acr: Instance of ACR that should be assigned for tested user. parent: Model name in scope of which objects should be set up. """ # pylint: disable=unused-argument self.setup_program_scope(user_id, acr, "Audit") self.api = Api() self.objgen = generator.ObjectGenerator() self.objgen.api = self.api self.admin_control_id = { name: id for id, name in access_control.role.get_custom_roles_for( "Control").items() }["Admin"] if user_id: self.user_id = user_id user = all_models.Person.query.get(user_id) self.api.set_user(user) def create(self): """Create new Audit object.""" return self.api.post( all_models.Audit, { "audit": { "title": "New audit", "program": { "id": self.program_id }, "context": None, "access_control_list": [], } }) def read(self): """Read existing Audit object.""" return self.api.get(all_models.Audit, self.audit_id) def update(self): """Update title of existing Audit object.""" audit = all_models.Audit.query.get(self.audit_id) return self.api.put(audit, {"title": factories.random_str()}) def delete(self): """Delete Audit object.""" audit = all_models.Audit.query.get(self.audit_id) return self.api.delete(audit) def clone(self): """Clone existing Audit with Assessment Templates.""" return self.api.post( all_models.Audit, { "audit": { "program": { "id": self.program_id, "type": "Program" }, "context": None, "operation": "clone", "cloneOptions": { "sourceObjectId": self.audit_id, "mappedObjects": "AssessmentTemplate" } } }) def read_revisions(self): """Read revisions for Audit object.""" model_class = get_model("Audit") responses = [] for query in [ "source_type={}&source_id={}", "destination_type={}&destination_id={}", "resource_type={}&resource_id={}" ]: responses.append( self.api.get_query(model_class, query.format("audit", self.audit_id))) return responses def map_external_control(self): """Map Control (on which current user don't have any rights) to Audit.""" control = factories.ControlFactory() audit = all_models.Audit.query.get(self.audit_id) return self.objgen.generate_relationship( source=audit, destination=control, )[0] def map_control(self): """Map new snapshot of Control to Audit.""" with factories.single_commit(): control = factories.ControlFactory() acl = [ acl for acl in control._access_control_list if acl.ac_role_id == self.admin_control_id ][0] factories.AccessControlPersonFactory(person_id=self.user_id, ac_list=acl) audit = all_models.Audit.query.get(self.audit_id) return self.objgen.generate_relationship( source=audit, destination=control, )[0] def deprecate(self): """Set status 'Deprecated' for Audit.""" audit = all_models.Audit.query.get(self.audit_id) return self.api.modify_object(audit, {"status": "Deprecated"}) def archive(self): """Move Audit into archived state.""" audit = all_models.Audit.query.get(self.audit_id) return self.api.modify_object(audit, {"archived": True}) def unarchive(self): """Move Audit into unarchived state.""" audit = all_models.Audit.query.get(self.audit_id) return self.api.modify_object(audit, {"archived": False}) def summary(self): """Get Audit summary information.""" return self.api.client.get("api/audits/{}/{}".format( self.audit_id, "summary"))