def test_clean_requests_after_alpha_grant(self): session = db.session # Case 2. Two access requests from gamma and gamma2 # Gamma becomes alpha, gamma2 gets granted # Check if request by gamma has been deleted access_request1 = create_access_request( session, 'table', 'birth_names', TEST_ROLE_1, 'gamma') create_access_request( session, 'table', 'birth_names', TEST_ROLE_2, 'gamma2') ds_1_id = access_request1.datasource_id # gamma becomes alpha alpha_role = sm.find_role('Alpha') gamma_user = sm.find_user(username='******') gamma_user.roles.append(alpha_role) session.commit() access_requests = self.get_access_requests('gamma', 'table', ds_1_id) self.assertTrue(access_requests) self.client.get(EXTEND_ROLE_REQUEST.format( 'table', ds_1_id, 'gamma2', TEST_ROLE_2)) access_requests = self.get_access_requests('gamma', 'table', ds_1_id) self.assertFalse(access_requests) gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role('Alpha')) session.commit()
def test_clean_requests_after_db_grant(self): session = db.session # Case 3. Two access requests from gamma and gamma2 # Gamma gets database access, gamma2 access request granted # Check if request by gamma has been deleted gamma_user = sm.find_user(username='******') access_request1 = create_access_request( session, 'table', 'long_lat', TEST_ROLE_1, 'gamma') create_access_request( session, 'table', 'long_lat', TEST_ROLE_2, 'gamma2') ds_1_id = access_request1.datasource_id # gamma gets granted database access database = session.query(models.Database).first() security.merge_perm( sm, 'database_access', database.perm) ds_perm_view = sm.find_permission_view_menu( 'database_access', database.perm) sm.add_permission_role( sm.find_role(DB_ACCESS_ROLE), ds_perm_view) gamma_user.roles.append(sm.find_role(DB_ACCESS_ROLE)) session.commit() access_requests = self.get_access_requests('gamma', 'table', ds_1_id) self.assertTrue(access_requests) # gamma2 request gets fulfilled self.client.get(EXTEND_ROLE_REQUEST.format( 'table', ds_1_id, 'gamma2', TEST_ROLE_2)) access_requests = self.get_access_requests('gamma', 'table', ds_1_id) self.assertFalse(access_requests) gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role(DB_ACCESS_ROLE)) session.commit()
def test_update_role(self): update_role_str = 'update_me' sm.add_role(update_role_str) db.session.commit() resp = self.client.post( '/superset/update_role/', data=json.dumps({ 'user_emails': ['*****@*****.**'], 'role_name': update_role_str }), follow_redirects=True ) update_role = sm.find_role(update_role_str) self.assertEquals( update_role.user, [sm.find_user(email='*****@*****.**')]) self.assertEquals(resp.status_code, 201) resp = self.client.post( '/superset/update_role/', data=json.dumps({ 'user_emails': ['*****@*****.**', '*****@*****.**'], 'role_name': update_role_str }), follow_redirects=True ) self.assertEquals(resp.status_code, 201) update_role = sm.find_role(update_role_str) self.assertEquals( update_role.user, [sm.find_user(email='*****@*****.**')]) db.session.delete(update_role) db.session.commit()
def test_sql_json_has_access(self): main_db = self.get_main_database(db.session) sm.add_permission_view_menu('database_access', main_db.perm) db.session.commit() main_db_permission_view = ( db.session.query(ab_models.PermissionView) .join(ab_models.ViewMenu) .filter(ab_models.ViewMenu.name == '[main].(id:1)') .first() ) astronaut = sm.add_role("Astronaut") sm.add_permission_role(astronaut, main_db_permission_view) # Astronaut role is Gamma + sqllab + main db permissions for perm in sm.find_role('Gamma').permissions: sm.add_permission_role(astronaut, perm) for perm in sm.find_role('sql_lab').permissions: sm.add_permission_role(astronaut, perm) gagarin = appbuilder.sm.find_user('gagarin') if not gagarin: appbuilder.sm.add_user( 'gagarin', 'Iurii', 'Gagarin', '*****@*****.**', astronaut, password='******') data = self.run_sql('SELECT * FROM ab_user', "3", user_name='gagarin') db.session.query(models.Query).delete() db.session.commit() self.assertLess(0, len(data['data']))
def tearDownClass(cls): override_me = sm.find_role('override_me') db.session.delete(override_me) db.session.delete(sm.find_role(TEST_ROLE_1)) db.session.delete(sm.find_role(TEST_ROLE_2)) db.session.delete(sm.find_role(DB_ACCESS_ROLE)) db.session.delete(sm.find_role(SCHEMA_ACCESS_ROLE)) db.session.commit()
def test_update_role(self): update_role_str = 'update_me' sm.add_role(update_role_str) db.session.commit() resp = self.client.post( '/superset/update_role/', data=json.dumps({ 'users': [{ 'username': '******', 'first_name': 'Gamma', 'last_name': 'Gamma', 'email': '*****@*****.**' }], 'role_name': update_role_str }), follow_redirects=True ) update_role = sm.find_role(update_role_str) self.assertEquals( update_role.user, [sm.find_user(username='******')]) self.assertEquals(resp.status_code, 201) resp = self.client.post( '/superset/update_role/', data=json.dumps({ 'users': [{ 'username': '******', 'first_name': 'Alpha', 'last_name': 'Alpha', 'email': '*****@*****.**' }, { 'username': '******', 'first_name': 'Unknown1', 'last_name': 'Unknown2', 'email': '*****@*****.**' }], 'role_name': update_role_str }), follow_redirects=True ) self.assertEquals(resp.status_code, 201) update_role = sm.find_role(update_role_str) self.assertEquals( update_role.user, [ sm.find_user(username='******'), sm.find_user(username='******'), ]) unknown = sm.find_user(username='******') self.assertEquals('Unknown2', unknown.last_name) self.assertEquals('Unknown1', unknown.first_name) self.assertEquals('*****@*****.**', unknown.email) db.session.delete(update_role) db.session.delete(unknown) db.session.commit()
def test_sql_json_has_access(self): main_db = self.get_main_database(db.session) utils.merge_perm(sm, 'database_access', main_db.perm) db.session.commit() main_db_permission_view = (db.session.query( ab_models.PermissionView).join(ab_models.ViewMenu).filter( ab_models.ViewMenu.name == '[main].(id:1)').first()) astronaut = sm.add_role("Astronaut") sm.add_permission_role(astronaut, main_db_permission_view) # Astronaut role is Gamma + main db permissions for gamma_perm in sm.find_role('Gamma').permissions: sm.add_permission_role(astronaut, gamma_perm) gagarin = appbuilder.sm.find_user('gagarin') if not gagarin: appbuilder.sm.add_user('gagarin', 'Iurii', 'Gagarin', '*****@*****.**', appbuilder.sm.find_role('Astronaut'), password='******') data = self.run_sql('SELECT * FROM ab_user', 'gagarin', "3") db.session.query(models.Query).delete() db.session.commit() self.assertLess(0, len(data['data']))
def test_clean_requests_after_role_extend(self): session = db.session # Case 1. Gamma and gamma2 requested test_role1 on energy_usage access # Gamma already has role test_role1 # Extend test_role1 with energy_usage access for gamma2 # Check if access request for gamma at energy_usage was deleted # gamma2 and gamma request table_role on energy usage if app.config.get('ENABLE_ACCESS_REQUEST'): access_request1 = create_access_request( session, 'table', 'random_time_series', TEST_ROLE_1, 'gamma2') ds_1_id = access_request1.datasource_id create_access_request( session, 'table', 'random_time_series', TEST_ROLE_1, 'gamma') access_requests = self.get_access_requests('gamma', 'table', ds_1_id) self.assertTrue(access_requests) # gamma gets test_role1 self.get_resp(GRANT_ROLE_REQUEST.format( 'table', ds_1_id, 'gamma', TEST_ROLE_1)) # extend test_role1 with access on energy usage self.client.get(EXTEND_ROLE_REQUEST.format( 'table', ds_1_id, 'gamma2', TEST_ROLE_1)) access_requests = self.get_access_requests('gamma', 'table', ds_1_id) self.assertFalse(access_requests) gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role('test_role1'))
def test_filter_druid_datasource(self): CLUSTER_NAME = 'new_druid' cluster = self.get_or_create( DruidCluster, {'cluster_name': CLUSTER_NAME}, db.session) db.session.merge(cluster) gamma_ds = self.get_or_create( DruidDatasource, {'datasource_name': 'datasource_for_gamma'}, db.session) gamma_ds.cluster = cluster db.session.merge(gamma_ds) no_gamma_ds = self.get_or_create( DruidDatasource, {'datasource_name': 'datasource_not_for_gamma'}, db.session) no_gamma_ds.cluster = cluster db.session.merge(no_gamma_ds) db.session.commit() security.merge_perm(sm, 'datasource_access', gamma_ds.perm) security.merge_perm(sm, 'datasource_access', no_gamma_ds.perm) perm = sm.find_permission_view_menu( 'datasource_access', gamma_ds.get_perm()) sm.add_permission_role(sm.find_role('Gamma'), perm) sm.get_session.commit() self.login(username='******') url = '/druiddatasourcemodelview/list/' resp = self.get_resp(url) self.assertIn('datasource_for_gamma', resp) self.assertNotIn('datasource_not_for_gamma', resp)
def test_clean_requests_after_role_extend(self): session = db.session # Case 1. Gamma and gamma2 requested test_role1 on energy_usage access # Gamma already has role test_role1 # Extend test_role1 with energy_usage access for gamma2 # Check if access request for gamma at energy_usage was deleted # gamma2 and gamma request table_role on energy usage access_request1 = create_access_request(session, 'table', 'random_time_series', TEST_ROLE_1, 'gamma2') ds_1_id = access_request1.datasource_id create_access_request(session, 'table', 'random_time_series', TEST_ROLE_1, 'gamma') access_requests = self.get_access_requests('gamma', 'table', ds_1_id) self.assertTrue(access_requests) # gamma gets test_role1 self.get_resp( GRANT_ROLE_REQUEST.format('table', ds_1_id, 'gamma', TEST_ROLE_1)) # extend test_role1 with access on energy usage self.client.get( EXTEND_ROLE_REQUEST.format('table', ds_1_id, 'gamma2', TEST_ROLE_1)) access_requests = self.get_access_requests('gamma', 'table', ds_1_id) self.assertFalse(access_requests) gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role('test_role1'))
def test_filter_druid_datasource(self): CLUSTER_NAME = 'new_druid' cluster = self.get_or_create( DruidCluster, {'cluster_name': CLUSTER_NAME}, db.session) db.session.merge(cluster) gamma_ds = self.get_or_create( DruidDatasource, {'datasource_name': 'datasource_for_gamma'}, db.session) gamma_ds.cluster = cluster db.session.merge(gamma_ds) no_gamma_ds = self.get_or_create( DruidDatasource, {'datasource_name': 'datasource_not_for_gamma'}, db.session) no_gamma_ds.cluster = cluster db.session.merge(no_gamma_ds) utils.merge_perm(sm, 'datasource_access', gamma_ds.perm) utils.merge_perm(sm, 'datasource_access', no_gamma_ds.perm) db.session.commit() perm = sm.find_permission_view_menu('datasource_access', gamma_ds.perm) sm.add_permission_role(sm.find_role('Gamma'), perm) db.session.commit() self.login(username='******') url = '/druiddatasourcemodelview/list/' resp = self.get_resp(url) assert 'datasource_for_gamma' in resp assert 'datasource_not_for_gamma' not in resp
def assert_admin_view_menus_in(role_name, assert_func): role = sm.find_role(role_name) view_menus = [p.view_menu.name for p in role.permissions] assert_func('ResetPasswordView', view_menus) assert_func('RoleModelView', view_menus) assert_func('Security', view_menus) assert_func('UserDBModelView', view_menus) assert_func('SQL Lab', view_menus)
def test_override_role_permissions_drops_absent_perms(self): override_me = sm.find_role('override_me') override_me.permissions.append( sm.find_permission_view_menu( view_menu_name=self.get_table_by_name('long_lat').perm, permission_name='datasource_access')) db.session.flush() response = self.client.post('/superset/override_role_permissions/', data=json.dumps(ROLE_TABLES_PERM_DATA), content_type='application/json') self.assertEquals(201, response.status_code) updated_override_me = sm.find_role('override_me') self.assertEquals(1, len(updated_override_me.permissions)) birth_names = self.get_table_by_name('birth_names') self.assertEquals(birth_names.perm, updated_override_me.permissions[0].view_menu.name) self.assertEquals('datasource_access', updated_override_me.permissions[0].permission.name)
def test_update_role_do_not_exist(self): update_role_str = 'update_me' update_role = sm.find_role(update_role_str) if update_role: db.session.delete(update_role) db.session.commit() with self.assertRaises(AttributeError): self.get_resp('/superset/update_role/', data=json.dumps({ 'user_emails': ['*****@*****.**'], 'role_name': update_role_str, }))
def test_clean_requests_after_schema_grant(self): session = db.session # Case 4. Two access requests from gamma and gamma2 # Gamma gets schema access, gamma2 access request granted # Check if request by gamma has been deleted gamma_user = sm.find_user(username='******') access_request1 = create_access_request(session, 'table', 'wb_health_population', TEST_ROLE_1, 'gamma') access_request2 = create_access_request(session, 'table', 'wb_health_population', TEST_ROLE_2, 'gamma2') ds_1_id = access_request1.datasource_id ds = session.query(models.SqlaTable).filter_by( table_name='wb_health_population').first() ds.schema = 'temp_schema' security.merge_perm(sm, 'schema_access', ds.schema_perm) schema_perm_view = sm.find_permission_view_menu( 'schema_access', ds.schema_perm) sm.add_permission_role(sm.find_role(SCHEMA_ACCESS_ROLE), schema_perm_view) gamma_user.roles.append(sm.find_role(SCHEMA_ACCESS_ROLE)) session.commit() # gamma2 request gets fulfilled self.client.get( EXTEND_ROLE_REQUEST.format('table', ds_1_id, 'gamma2', TEST_ROLE_2)) access_requests = self.get_access_requests('gamma', 'table', ds_1_id) self.assertFalse(access_requests) gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role(SCHEMA_ACCESS_ROLE)) ds = session.query(models.SqlaTable).filter_by( table_name='wb_health_population').first() ds.schema = None session.commit()
def test_clean_requests_after_schema_grant(self): session = db.session # Case 4. Two access requests from gamma and gamma2 # Gamma gets schema access, gamma2 access request granted # Check if request by gamma has been deleted gamma_user = sm.find_user(username='******') access_request1 = create_access_request( session, 'table', 'wb_health_population', TEST_ROLE_1, 'gamma') access_request2 = create_access_request( session, 'table', 'wb_health_population', TEST_ROLE_2, 'gamma2') ds_1_id = access_request1.datasource_id ds = session.query(SqlaTable).filter_by( table_name='wb_health_population').first() ds.schema = 'temp_schema' security.merge_perm( sm, 'schema_access', ds.schema_perm) schema_perm_view = sm.find_permission_view_menu( 'schema_access', ds.schema_perm) sm.add_permission_role( sm.find_role(SCHEMA_ACCESS_ROLE) , schema_perm_view) gamma_user.roles.append(sm.find_role(SCHEMA_ACCESS_ROLE)) session.commit() # gamma2 request gets fulfilled self.client.get(EXTEND_ROLE_REQUEST.format( 'table', ds_1_id, 'gamma2', TEST_ROLE_2)) access_requests = self.get_access_requests('gamma', 'table', ds_1_id) self.assertFalse(access_requests) gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role(SCHEMA_ACCESS_ROLE)) ds = session.query(SqlaTable).filter_by( table_name='wb_health_population').first() ds.schema = None session.commit()
def test_override_role_permissions_1_table(self): response = self.client.post('/superset/override_role_permissions/', data=json.dumps(ROLE_TABLES_PERM_DATA), content_type='application/json') self.assertEquals(201, response.status_code) updated_override_me = sm.find_role('override_me') self.assertEquals(1, len(updated_override_me.permissions)) birth_names = self.get_table_by_name('birth_names') self.assertEquals(birth_names.perm, updated_override_me.permissions[0].view_menu.name) self.assertEquals('datasource_access', updated_override_me.permissions[0].permission.name)
def test_update_role_do_not_exist(self): update_role_str = 'update_me' update_role = sm.find_role(update_role_str) if update_role: db.session.delete(update_role) db.session.commit() with self.assertRaises(AttributeError): self.get_resp( '/superset/update_role/', data=json.dumps({ 'user_emails': ['*****@*****.**'], 'role_name': update_role_str, }) )
def test_override_role_permissions_drops_absent_perms(self): override_me = sm.find_role('override_me') override_me.permissions.append( sm.find_permission_view_menu( view_menu_name=self.get_table_by_name('long_lat').perm, permission_name='datasource_access') ) db.session.flush() response = self.client.post( '/superset/override_role_permissions/', data=json.dumps(ROLE_TABLES_PERM_DATA), content_type='application/json') self.assertEquals(201, response.status_code) updated_override_me = sm.find_role('override_me') self.assertEquals(1, len(updated_override_me.permissions)) birth_names = self.get_table_by_name('birth_names') self.assertEquals( birth_names.perm, updated_override_me.permissions[0].view_menu.name) self.assertEquals( 'datasource_access', updated_override_me.permissions[0].permission.name)
def test_gamma_permissions(self): def assert_can_read(view_menu): self.assertIn(('can_show', view_menu), gamma_perm_set) self.assertIn(('can_list', view_menu), gamma_perm_set) def assert_can_write(view_menu): self.assertIn(('can_add', view_menu), gamma_perm_set) self.assertIn(('can_download', view_menu), gamma_perm_set) self.assertIn(('can_delete', view_menu), gamma_perm_set) self.assertIn(('can_edit', view_menu), gamma_perm_set) def assert_cannot_write(view_menu): self.assertNotIn(('can_add', view_menu), gamma_perm_set) self.assertNotIn(('can_download', view_menu), gamma_perm_set) self.assertNotIn(('can_delete', view_menu), gamma_perm_set) self.assertNotIn(('can_edit', view_menu), gamma_perm_set) self.assertNotIn(('can_save', view_menu), gamma_perm_set) def assert_can_all(view_menu): assert_can_read(view_menu) assert_can_write(view_menu) gamma_perm_set = set() for perm in sm.find_role('Gamma').permissions: gamma_perm_set.add((perm.permission.name, perm.view_menu.name)) # check read only perms assert_can_read('TableModelView') assert_cannot_write('DruidColumnInlineView') # make sure that user can create slices and dashboards assert_can_all('SliceModelView') assert_can_all('DashboardModelView') self.assertIn(('can_add_slices', 'Superset'), gamma_perm_set) self.assertIn(('can_copy_dash', 'Superset'), gamma_perm_set) self.assertIn(('can_activity_per_day', 'Superset'), gamma_perm_set) self.assertIn(('can_created_dashboards', 'Superset'), gamma_perm_set) self.assertIn(('can_created_slices', 'Superset'), gamma_perm_set) self.assertIn(('can_csv', 'Superset'), gamma_perm_set) self.assertIn(('can_dashboard', 'Superset'), gamma_perm_set) self.assertIn(('can_explore', 'Superset'), gamma_perm_set) self.assertIn(('can_explore_json', 'Superset'), gamma_perm_set) self.assertIn(('can_fave_dashboards', 'Superset'), gamma_perm_set) self.assertIn(('can_fave_slices', 'Superset'), gamma_perm_set) self.assertIn(('can_save_dash', 'Superset'), gamma_perm_set) self.assertIn(('can_slice', 'Superset'), gamma_perm_set) self.assertIn(('can_update_explore', 'Superset'), gamma_perm_set)
def test_override_role_permissions_1_table(self): response = self.client.post( '/superset/override_role_permissions/', data=json.dumps(ROLE_TABLES_PERM_DATA), content_type='application/json') self.assertEquals(201, response.status_code) updated_override_me = sm.find_role('override_me') self.assertEquals(1, len(updated_override_me.permissions)) birth_names = self.get_table_by_name('birth_names') self.assertEquals( birth_names.perm, updated_override_me.permissions[0].view_menu.name) self.assertEquals( 'datasource_access', updated_override_me.permissions[0].permission.name)
def test_gamma_permissions(self): def assert_can_read(view_menu): self.assertIn(("can_show", view_menu), gamma_perm_set) self.assertIn(("can_list", view_menu), gamma_perm_set) def assert_can_write(view_menu): self.assertIn(("can_add", view_menu), gamma_perm_set) self.assertIn(("can_download", view_menu), gamma_perm_set) self.assertIn(("can_delete", view_menu), gamma_perm_set) self.assertIn(("can_edit", view_menu), gamma_perm_set) def assert_cannot_write(view_menu): self.assertNotIn(("can_add", view_menu), gamma_perm_set) self.assertNotIn(("can_download", view_menu), gamma_perm_set) self.assertNotIn(("can_delete", view_menu), gamma_perm_set) self.assertNotIn(("can_edit", view_menu), gamma_perm_set) self.assertNotIn(("can_save", view_menu), gamma_perm_set) def assert_can_all(view_menu): assert_can_read(view_menu) assert_can_write(view_menu) gamma_perm_set = set() for perm in sm.find_role("Gamma").permissions: gamma_perm_set.add((perm.permission.name, perm.view_menu.name)) # check read only perms assert_can_read("TableModelView") assert_cannot_write("DruidColumnInlineView") # make sure that user can create slices and dashboards assert_can_all("SliceModelView") assert_can_all("DashboardModelView") self.assertIn(("can_add_slices", "Superset"), gamma_perm_set) self.assertIn(("can_copy_dash", "Superset"), gamma_perm_set) self.assertIn(("can_activity_per_day", "Superset"), gamma_perm_set) self.assertIn(("can_created_dashboards", "Superset"), gamma_perm_set) self.assertIn(("can_created_slices", "Superset"), gamma_perm_set) self.assertIn(("can_csv", "Superset"), gamma_perm_set) self.assertIn(("can_dashboard", "Superset"), gamma_perm_set) self.assertIn(("can_explore", "Superset"), gamma_perm_set) self.assertIn(("can_explore_json", "Superset"), gamma_perm_set) self.assertIn(("can_fave_dashboards", "Superset"), gamma_perm_set) self.assertIn(("can_fave_slices", "Superset"), gamma_perm_set) self.assertIn(("can_save_dash", "Superset"), gamma_perm_set) self.assertIn(("can_slice", "Superset"), gamma_perm_set)
def test_update_role_do_not_exist(self): update_role_str = 'update_me' update_role = sm.find_role(update_role_str) if update_role: db.session.delete(update_role) db.session.commit() data = json.dumps({ 'users': [{ 'username': '******', 'first_name': 'Gamma', 'last_name': 'Gamma', 'email': '*****@*****.**', }], 'role_name': update_role_str}) r = self.client.post('/superset/update_role/', data=data, follow_redirects=True) self.assertEquals(500, r.status_code)
def create_access_request(session, ds_type, ds_name, role_name, user_name): ds_class = SourceRegistry.sources[ds_type] # TODO: generalize datasource names if ds_type == 'table': ds = session.query(ds_class).filter( ds_class.table_name == ds_name).first() else: ds = session.query(ds_class).filter( ds_class.datasource_name == ds_name).first() ds_perm_view = sm.find_permission_view_menu('datasource_access', ds.perm) sm.add_permission_role(sm.find_role(role_name), ds_perm_view) access_request = models.DatasourceAccessRequest( datasource_id=ds.id, datasource_type=ds_type, created_by_fk=sm.find_user(username=user_name).id, ) session.add(access_request) session.commit() return access_request
def create_access_request(ds_type, ds_name, role_name): ds_class = SourceRegistry.sources[ds_type] # TODO: generalize datasource names if ds_type == 'table': ds = session.query(ds_class).filter( ds_class.table_name == ds_name).first() else: ds = session.query(ds_class).filter( ds_class.datasource_name == ds_name).first() ds_perm_view = sm.find_permission_view_menu( 'datasource_access', ds.perm) sm.add_permission_role(sm.find_role(role_name), ds_perm_view) access_request = models.DatasourceAccessRequest( datasource_id=ds.id, datasource_type=ds_type, created_by_fk=sm.find_user(username='******').id, ) session.add(access_request) session.commit() return access_request
def test_override_role_permissions_druid_and_table(self): response = self.client.post('/superset/override_role_permissions/', data=json.dumps(ROLE_ALL_PERM_DATA), content_type='application/json') self.assertEquals(201, response.status_code) updated_role = sm.find_role('override_me') perms = sorted(updated_role.permissions, key=lambda p: p.view_menu.name) druid_ds_1 = self.get_druid_ds_by_name('druid_ds_1') self.assertEquals(druid_ds_1.perm, perms[0].view_menu.name) self.assertEquals('datasource_access', perms[0].permission.name) druid_ds_2 = self.get_druid_ds_by_name('druid_ds_2') self.assertEquals(druid_ds_2.perm, perms[1].view_menu.name) self.assertEquals('datasource_access', updated_role.permissions[1].permission.name) birth_names = self.get_table_by_name('birth_names') self.assertEquals(birth_names.perm, perms[2].view_menu.name) self.assertEquals('datasource_access', updated_role.permissions[2].permission.name) self.assertEquals(3, len(perms))
def test_override_role_permissions_druid_and_table(self): response = self.client.post( '/superset/override_role_permissions/', data=json.dumps(ROLE_ALL_PERM_DATA), content_type='application/json') self.assertEquals(201, response.status_code) updated_role = sm.find_role('override_me') perms = sorted( updated_role.permissions, key=lambda p: p.view_menu.name) self.assertEquals(3, len(perms)) druid_ds_1 = self.get_druid_ds_by_name('druid_ds_1') self.assertEquals(druid_ds_1.perm, perms[0].view_menu.name) self.assertEquals('datasource_access', perms[0].permission.name) druid_ds_2 = self.get_druid_ds_by_name('druid_ds_2') self.assertEquals(druid_ds_2.perm, perms[1].view_menu.name) self.assertEquals( 'datasource_access', updated_role.permissions[1].permission.name) birth_names = self.get_table_by_name('birth_names') self.assertEquals(birth_names.perm, perms[2].view_menu.name) self.assertEquals( 'datasource_access', updated_role.permissions[2].permission.name)
def get_perm_tuples(role_name): perm_set = set() for perm in sm.find_role(role_name).permissions: perm_set.add((perm.permission.name, perm.view_menu.name)) return perm_set
def __init__(self, *args, **kwargs): if (self.requires_examples and not os.environ.get('SOLO_TEST') and not os.environ.get('examples_loaded')): logging.info('Loading examples') cli.load_examples(load_test_data=True) logging.info('Done loading examples') sync_role_definitions() os.environ['examples_loaded'] = '1' else: sync_role_definitions() super(SupersetTestCase, self).__init__(*args, **kwargs) self.client = app.test_client() self.maxDiff = None gamma_sqllab_role = sm.add_role('gamma_sqllab') for perm in sm.find_role('Gamma').permissions: sm.add_permission_role(gamma_sqllab_role, perm) db_perm = self.get_main_database(sm.get_session).perm security.merge_perm(sm, 'database_access', db_perm) db_pvm = sm.find_permission_view_menu( view_menu_name=db_perm, permission_name='database_access') gamma_sqllab_role.permissions.append(db_pvm) for perm in sm.find_role('sql_lab').permissions: sm.add_permission_role(gamma_sqllab_role, perm) admin = appbuilder.sm.find_user('admin') if not admin: appbuilder.sm.add_user('admin', 'admin', ' user', '*****@*****.**', appbuilder.sm.find_role('Admin'), password='******') gamma = appbuilder.sm.find_user('gamma') if not gamma: appbuilder.sm.add_user('gamma', 'gamma', 'user', '*****@*****.**', appbuilder.sm.find_role('Gamma'), password='******') gamma2 = appbuilder.sm.find_user('gamma2') if not gamma2: appbuilder.sm.add_user('gamma2', 'gamma2', 'user', '*****@*****.**', appbuilder.sm.find_role('Gamma'), password='******') gamma_sqllab_user = appbuilder.sm.find_user('gamma_sqllab') if not gamma_sqllab_user: appbuilder.sm.add_user('gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**', gamma_sqllab_role, password='******') alpha = appbuilder.sm.find_user('alpha') if not alpha: appbuilder.sm.add_user('alpha', 'alpha', 'user', '*****@*****.**', appbuilder.sm.find_role('Alpha'), password='******') sm.get_session.commit() # create druid cluster and druid datasources session = db.session cluster = (session.query(DruidCluster).filter_by( cluster_name='druid_test').first()) if not cluster: cluster = DruidCluster(cluster_name='druid_test') session.add(cluster) session.commit() druid_datasource1 = DruidDatasource( datasource_name='druid_ds_1', cluster_name='druid_test', ) session.add(druid_datasource1) druid_datasource2 = DruidDatasource( datasource_name='druid_ds_2', cluster_name='druid_test', ) session.add(druid_datasource2) session.commit()
def tearDown(self): self.logout() override_me = sm.find_role('override_me') override_me.permissions = [] db.session.commit() db.session.close()
def __init__(self, *args, **kwargs): if ( self.requires_examples and not os.environ.get('SOLO_TEST') and not os.environ.get('examples_loaded') ): logging.info("Loading examples") cli.load_examples(load_test_data=True) logging.info("Done loading examples") sync_role_definitions() os.environ['examples_loaded'] = '1' else: sync_role_definitions() super(SupersetTestCase, self).__init__(*args, **kwargs) self.client = app.test_client() self.maxDiff = None gamma_sqllab = sm.add_role("gamma_sqllab") for perm in sm.find_role('Gamma').permissions: sm.add_permission_role(gamma_sqllab, perm) for perm in sm.find_role('sql_lab').permissions: sm.add_permission_role(gamma_sqllab, perm) admin = appbuilder.sm.find_user('admin') if not admin: appbuilder.sm.add_user( 'admin', 'admin', ' user', '*****@*****.**', appbuilder.sm.find_role('Admin'), password='******') gamma = appbuilder.sm.find_user('gamma') if not gamma: appbuilder.sm.add_user( 'gamma', 'gamma', 'user', '*****@*****.**', appbuilder.sm.find_role('Gamma'), password='******') gamma_sqllab = appbuilder.sm.find_user('gamma_sqllab') if not gamma_sqllab: gamma_sqllab = appbuilder.sm.add_user( 'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**', appbuilder.sm.find_role('gamma_sqllab'), password='******') alpha = appbuilder.sm.find_user('alpha') if not alpha: appbuilder.sm.add_user( 'alpha', 'alpha', 'user', '*****@*****.**', appbuilder.sm.find_role('Alpha'), password='******') # create druid cluster and druid datasources session = db.session cluster = session.query(models.DruidCluster).filter_by( cluster_name="druid_test").first() if not cluster: cluster = models.DruidCluster(cluster_name="druid_test") session.add(cluster) session.commit() druid_datasource1 = models.DruidDatasource( datasource_name='druid_ds_1', cluster_name='druid_test' ) session.add(druid_datasource1) druid_datasource2 = models.DruidDatasource( datasource_name='druid_ds_2', cluster_name='druid_test' ) session.add(druid_datasource2) session.commit()
def test_request_access(self): session = db.session self.logout() self.login(username='******') gamma_user = sm.find_user(username='******') sm.add_role('dummy_role') gamma_user.roles.append(sm.find_role('dummy_role')) session.commit() ACCESS_REQUEST = ('/superset/request_access?' 'datasource_type={}&' 'datasource_id={}&' 'action={}&') ROLE_EXTEND_LINK = ( '<a href="/superset/approve?datasource_type={}&datasource_id={}&' 'created_by={}&role_to_extend={}">Extend {} Role</a>') ROLE_GRANT_LINK = ( '<a href="/superset/approve?datasource_type={}&datasource_id={}&' 'created_by={}&role_to_grant={}">Grant {} Role</a>') # Request table access, there are no roles have this table. table1 = session.query(models.SqlaTable).filter_by( table_name='random_time_series').first() table_1_id = table1.id # request access to the table resp = self.get_resp(ACCESS_REQUEST.format('table', table_1_id, 'go')) assert "Access was requested" in resp access_request1 = self.get_access_requests('gamma', 'table', table_1_id) assert access_request1 is not None # Request access, roles exist that contains the table. # add table to the existing roles table3 = session.query( models.SqlaTable).filter_by(table_name='energy_usage').first() table_3_id = table3.id table3_perm = table3.perm sm.add_role('energy_usage_role') alpha_role = sm.find_role('Alpha') sm.add_permission_role( alpha_role, sm.find_permission_view_menu('datasource_access', table3_perm)) sm.add_permission_role( sm.find_role("energy_usage_role"), sm.find_permission_view_menu('datasource_access', table3_perm)) session.commit() self.get_resp(ACCESS_REQUEST.format('table', table_3_id, 'go')) access_request3 = self.get_access_requests('gamma', 'table', table_3_id) approve_link_3 = ROLE_GRANT_LINK.format('table', table_3_id, 'gamma', 'energy_usage_role', 'energy_usage_role') self.assertEqual(access_request3.roles_with_datasource, '<ul><li>{}</li></ul>'.format(approve_link_3)) # Request druid access, there are no roles have this table. druid_ds_4 = session.query(models.DruidDatasource).filter_by( datasource_name='druid_ds_1').first() druid_ds_4_id = druid_ds_4.id # request access to the table self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go')) access_request4 = self.get_access_requests('gamma', 'druid', druid_ds_4_id) self.assertEqual(access_request4.roles_with_datasource, '<ul></ul>'.format(access_request4.id)) # Case 5. Roles exist that contains the druid datasource. # add druid ds to the existing roles druid_ds_5 = session.query(models.DruidDatasource).filter_by( datasource_name='druid_ds_2').first() druid_ds_5_id = druid_ds_5.id druid_ds_5_perm = druid_ds_5.perm druid_ds_2_role = sm.add_role('druid_ds_2_role') admin_role = sm.find_role('Admin') sm.add_permission_role( admin_role, sm.find_permission_view_menu('datasource_access', druid_ds_5_perm)) sm.add_permission_role( druid_ds_2_role, sm.find_permission_view_menu('datasource_access', druid_ds_5_perm)) session.commit() self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go')) access_request5 = self.get_access_requests('gamma', 'druid', druid_ds_5_id) approve_link_5 = ROLE_GRANT_LINK.format('druid', druid_ds_5_id, 'gamma', 'druid_ds_2_role', 'druid_ds_2_role') self.assertEqual(access_request5.roles_with_datasource, '<ul><li>{}</li></ul>'.format(approve_link_5)) # cleanup gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role('dummy_role')) session.commit()
def tearDownClass(cls): override_me = sm.find_role('override_me') db.session.delete(override_me) db.session.commit()
def test_approve(self, mock_send_mime): if app.config.get('ENABLE_ACCESS_REQUEST'): session = db.session TEST_ROLE_NAME = 'table_role' sm.add_role(TEST_ROLE_NAME) # Case 1. Grant new role to the user. access_request1 = create_access_request( session, 'table', 'unicode_test', TEST_ROLE_NAME, 'gamma') ds_1_id = access_request1.datasource_id self.get_resp(GRANT_ROLE_REQUEST.format( 'table', ds_1_id, 'gamma', TEST_ROLE_NAME)) # Test email content. self.assertTrue(mock_send_mime.called) call_args = mock_send_mime.call_args[0] self.assertEqual([sm.find_user(username='******').email, sm.find_user(username='******').email], call_args[1]) self.assertEqual( '[Superset] Access to the datasource {} was granted'.format( self.get_table(ds_1_id).full_name), call_args[2]['Subject']) self.assertIn(TEST_ROLE_NAME, call_args[2].as_string()) self.assertIn('unicode_test', call_args[2].as_string()) access_requests = self.get_access_requests('gamma', 'table', ds_1_id) # request was removed self.assertFalse(access_requests) # user was granted table_role user_roles = [r.name for r in sm.find_user('gamma').roles] self.assertIn(TEST_ROLE_NAME, user_roles) # Case 2. Extend the role to have access to the table access_request2 = create_access_request( session, 'table', 'long_lat', TEST_ROLE_NAME, 'gamma') ds_2_id = access_request2.datasource_id long_lat_perm = access_request2.datasource.perm self.client.get(EXTEND_ROLE_REQUEST.format( 'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME)) access_requests = self.get_access_requests('gamma', 'table', ds_2_id) # Test email content. self.assertTrue(mock_send_mime.called) call_args = mock_send_mime.call_args[0] self.assertEqual([sm.find_user(username='******').email, sm.find_user(username='******').email], call_args[1]) self.assertEqual( '[Superset] Access to the datasource {} was granted'.format( self.get_table(ds_2_id).full_name), call_args[2]['Subject']) self.assertIn(TEST_ROLE_NAME, call_args[2].as_string()) self.assertIn('long_lat', call_args[2].as_string()) # request was removed self.assertFalse(access_requests) # table_role was extended to grant access to the long_lat table/ perm_view = sm.find_permission_view_menu( 'datasource_access', long_lat_perm) TEST_ROLE = sm.find_role(TEST_ROLE_NAME) self.assertIn(perm_view, TEST_ROLE.permissions) # Case 3. Grant new role to the user to access the druid datasource. sm.add_role('druid_role') access_request3 = create_access_request( session, 'druid', 'druid_ds_1', 'druid_role', 'gamma') self.get_resp(GRANT_ROLE_REQUEST.format( 'druid', access_request3.datasource_id, 'gamma', 'druid_role')) # user was granted table_role user_roles = [r.name for r in sm.find_user('gamma').roles] self.assertIn('druid_role', user_roles) # Case 4. Extend the role to have access to the druid datasource access_request4 = create_access_request( session, 'druid', 'druid_ds_2', 'druid_role', 'gamma') druid_ds_2_perm = access_request4.datasource.perm self.client.get(EXTEND_ROLE_REQUEST.format( 'druid', access_request4.datasource_id, 'gamma', 'druid_role')) # druid_role was extended to grant access to the druid_access_ds_2 druid_role = sm.find_role('druid_role') perm_view = sm.find_permission_view_menu( 'datasource_access', druid_ds_2_perm) self.assertIn(perm_view, druid_role.permissions) # cleanup gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role('druid_role')) gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME)) session.delete(sm.find_role('druid_role')) session.delete(sm.find_role(TEST_ROLE_NAME)) session.commit()
def test_approve(self): session = db.session TEST_ROLE_NAME = 'table_role' sm.add_role(TEST_ROLE_NAME) def create_access_request(ds_type, ds_name, role_name): ds_class = SourceRegistry.sources[ds_type] # TODO: generalize datasource names if ds_type == 'table': ds = session.query(ds_class).filter( ds_class.table_name == ds_name).first() else: ds = session.query(ds_class).filter( ds_class.datasource_name == ds_name).first() ds_perm_view = sm.find_permission_view_menu( 'datasource_access', ds.perm) sm.add_permission_role(sm.find_role(role_name), ds_perm_view) access_request = models.DatasourceAccessRequest( datasource_id=ds.id, datasource_type=ds_type, created_by_fk=sm.find_user(username='******').id, ) session.add(access_request) session.commit() return access_request EXTEND_ROLE_REQUEST = ( '/superset/approve?datasource_type={}&datasource_id={}&' 'created_by={}&role_to_extend={}') GRANT_ROLE_REQUEST = ( '/superset/approve?datasource_type={}&datasource_id={}&' 'created_by={}&role_to_grant={}') # Case 1. Grant new role to the user. access_request1 = create_access_request( 'table', 'unicode_test', TEST_ROLE_NAME) ds_1_id = access_request1.datasource_id self.get_resp(GRANT_ROLE_REQUEST.format( 'table', ds_1_id, 'gamma', TEST_ROLE_NAME)) access_requests = self.get_access_requests('gamma', 'table', ds_1_id) # request was removed self.assertFalse(access_requests) # user was granted table_role user_roles = [r.name for r in sm.find_user('gamma').roles] self.assertIn(TEST_ROLE_NAME, user_roles) # Case 2. Extend the role to have access to the table access_request2 = create_access_request('table', 'long_lat', TEST_ROLE_NAME) ds_2_id = access_request2.datasource_id long_lat_perm = access_request2.datasource.perm self.client.get(EXTEND_ROLE_REQUEST.format( 'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME)) access_requests = self.get_access_requests('gamma', 'table', ds_2_id) # request was removed self.assertFalse(access_requests) # table_role was extended to grant access to the long_lat table/ perm_view = sm.find_permission_view_menu( 'datasource_access', long_lat_perm) TEST_ROLE = sm.find_role(TEST_ROLE_NAME) self.assertIn(perm_view, TEST_ROLE.permissions) # Case 3. Grant new role to the user to access the druid datasource. sm.add_role('druid_role') access_request3 = create_access_request('druid', 'druid_ds_1', 'druid_role') self.get_resp(GRANT_ROLE_REQUEST.format( 'druid', access_request3.datasource_id, 'gamma', 'druid_role')) # user was granted table_role user_roles = [r.name for r in sm.find_user('gamma').roles] self.assertIn('druid_role', user_roles) # Case 4. Extend the role to have access to the druid datasource access_request4 = create_access_request('druid', 'druid_ds_2', 'druid_role') druid_ds_2_perm = access_request4.datasource.perm self.client.get(EXTEND_ROLE_REQUEST.format( 'druid', access_request4.datasource_id, 'gamma', 'druid_role')) # druid_role was extended to grant access to the druid_access_ds_2 druid_role = sm.find_role('druid_role') perm_view = sm.find_permission_view_menu( 'datasource_access', druid_ds_2_perm) self.assertIn(perm_view, druid_role.permissions) # cleanup gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role('druid_role')) gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME)) session.delete(sm.find_role('druid_role')) session.delete(sm.find_role(TEST_ROLE_NAME)) session.commit()
def test_request_access(self): session = db.session self.logout() self.login(username='******') gamma_user = sm.find_user(username='******') sm.add_role('dummy_role') gamma_user.roles.append(sm.find_role('dummy_role')) session.commit() ACCESS_REQUEST = ( '/superset/request_access?' 'datasource_type={}&' 'datasource_id={}&' 'action={}&') ROLE_EXTEND_LINK = ( '<a href="/superset/approve?datasource_type={}&datasource_id={}&' 'created_by={}&role_to_extend={}">Extend {} Role</a>') ROLE_GRANT_LINK = ( '<a href="/superset/approve?datasource_type={}&datasource_id={}&' 'created_by={}&role_to_grant={}">Grant {} Role</a>') # Request table access, there are no roles have this table. table1 = session.query(models.SqlaTable).filter_by( table_name='random_time_series').first() table_1_id = table1.id # request access to the table resp = self.get_resp( ACCESS_REQUEST.format('table', table_1_id, 'go')) assert "Access was requested" in resp access_request1 = self.get_access_requests('gamma', 'table', table_1_id) assert access_request1 is not None # Request access, roles exist that contains the table. # add table to the existing roles table3 = session.query(models.SqlaTable).filter_by( table_name='energy_usage').first() table_3_id = table3.id table3_perm = table3.perm sm.add_role('energy_usage_role') alpha_role = sm.find_role('Alpha') sm.add_permission_role( alpha_role, sm.find_permission_view_menu('datasource_access', table3_perm)) sm.add_permission_role( sm.find_role("energy_usage_role"), sm.find_permission_view_menu('datasource_access', table3_perm)) session.commit() self.get_resp( ACCESS_REQUEST.format('table', table_3_id, 'go')) access_request3 = self.get_access_requests('gamma', 'table', table_3_id) approve_link_3 = ROLE_GRANT_LINK.format( 'table', table_3_id, 'gamma', 'energy_usage_role', 'energy_usage_role') self.assertEqual(access_request3.roles_with_datasource, '<ul><li>{}</li></ul>'.format(approve_link_3)) # Request druid access, there are no roles have this table. druid_ds_4 = session.query(models.DruidDatasource).filter_by( datasource_name='druid_ds_1').first() druid_ds_4_id = druid_ds_4.id # request access to the table self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go')) access_request4 = self.get_access_requests('gamma', 'druid', druid_ds_4_id) self.assertEqual( access_request4.roles_with_datasource, '<ul></ul>'.format(access_request4.id)) # Case 5. Roles exist that contains the druid datasource. # add druid ds to the existing roles druid_ds_5 = session.query(models.DruidDatasource).filter_by( datasource_name='druid_ds_2').first() druid_ds_5_id = druid_ds_5.id druid_ds_5_perm = druid_ds_5.perm druid_ds_2_role = sm.add_role('druid_ds_2_role') admin_role = sm.find_role('Admin') sm.add_permission_role( admin_role, sm.find_permission_view_menu('datasource_access', druid_ds_5_perm)) sm.add_permission_role( druid_ds_2_role, sm.find_permission_view_menu('datasource_access', druid_ds_5_perm)) session.commit() self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go')) access_request5 = self.get_access_requests( 'gamma', 'druid', druid_ds_5_id) approve_link_5 = ROLE_GRANT_LINK.format( 'druid', druid_ds_5_id, 'gamma', 'druid_ds_2_role', 'druid_ds_2_role') self.assertEqual(access_request5.roles_with_datasource, '<ul><li>{}</li></ul>'.format(approve_link_5)) # cleanup gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role('dummy_role')) session.commit()
def __init__(self, *args, **kwargs): if ( self.requires_examples and not os.environ.get('SOLO_TEST') and not os.environ.get('examples_loaded') ): logging.info("Loading examples") cli.load_examples(load_test_data=True) logging.info("Done loading examples") sync_role_definitions() os.environ['examples_loaded'] = '1' else: sync_role_definitions() super(SupersetTestCase, self).__init__(*args, **kwargs) self.client = app.test_client() self.maxDiff = None gamma_sqllab_role = sm.add_role("gamma_sqllab") for perm in sm.find_role('Gamma').permissions: sm.add_permission_role(gamma_sqllab_role, perm) db_perm = self.get_main_database(sm.get_session).perm security.merge_perm(sm, 'database_access', db_perm) db_pvm = sm.find_permission_view_menu( view_menu_name=db_perm, permission_name='database_access') gamma_sqllab_role.permissions.append(db_pvm) for perm in sm.find_role('sql_lab').permissions: sm.add_permission_role(gamma_sqllab_role, perm) admin = appbuilder.sm.find_user('admin') if not admin: appbuilder.sm.add_user( 'admin', 'admin', ' user', '*****@*****.**', appbuilder.sm.find_role('Admin'), password='******') gamma = appbuilder.sm.find_user('gamma') if not gamma: appbuilder.sm.add_user( 'gamma', 'gamma', 'user', '*****@*****.**', appbuilder.sm.find_role('Gamma'), password='******') gamma2 = appbuilder.sm.find_user('gamma2') if not gamma2: appbuilder.sm.add_user( 'gamma2', 'gamma2', 'user', '*****@*****.**', appbuilder.sm.find_role('Gamma'), password='******') gamma_sqllab_user = appbuilder.sm.find_user('gamma_sqllab') if not gamma_sqllab_user: appbuilder.sm.add_user( 'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**', gamma_sqllab_role, password='******') alpha = appbuilder.sm.find_user('alpha') if not alpha: appbuilder.sm.add_user( 'alpha', 'alpha', 'user', '*****@*****.**', appbuilder.sm.find_role('Alpha'), password='******') sm.get_session.commit() # create druid cluster and druid datasources session = db.session cluster = ( session.query(DruidCluster) .filter_by(cluster_name="druid_test") .first() ) if not cluster: cluster = DruidCluster(cluster_name="druid_test") session.add(cluster) session.commit() druid_datasource1 = DruidDatasource( datasource_name='druid_ds_1', cluster_name='druid_test' ) session.add(druid_datasource1) druid_datasource2 = DruidDatasource( datasource_name='druid_ds_2', cluster_name='druid_test' ) session.add(druid_datasource2) session.commit()
def test_approve(self, mock_send_mime): session = db.session TEST_ROLE_NAME = 'table_role' sm.add_role(TEST_ROLE_NAME) # Case 1. Grant new role to the user. access_request1 = create_access_request(session, 'table', 'unicode_test', TEST_ROLE_NAME, 'gamma') ds_1_id = access_request1.datasource_id resp = self.get_resp( GRANT_ROLE_REQUEST.format('table', ds_1_id, 'gamma', TEST_ROLE_NAME)) # Test email content. self.assertTrue(mock_send_mime.called) call_args = mock_send_mime.call_args[0] self.assertEqual([ sm.find_user(username='******').email, sm.find_user(username='******').email ], call_args[1]) self.assertEqual( '[Superset] Access to the datasource {} was granted'.format( self.get_table(ds_1_id).full_name), call_args[2]['Subject']) self.assertIn(TEST_ROLE_NAME, call_args[2].as_string()) self.assertIn('unicode_test', call_args[2].as_string()) access_requests = self.get_access_requests('gamma', 'table', ds_1_id) # request was removed self.assertFalse(access_requests) # user was granted table_role user_roles = [r.name for r in sm.find_user('gamma').roles] self.assertIn(TEST_ROLE_NAME, user_roles) # Case 2. Extend the role to have access to the table access_request2 = create_access_request(session, 'table', 'long_lat', TEST_ROLE_NAME, 'gamma') ds_2_id = access_request2.datasource_id long_lat_perm = access_request2.datasource.perm self.client.get( EXTEND_ROLE_REQUEST.format('table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME)) access_requests = self.get_access_requests('gamma', 'table', ds_2_id) # Test email content. self.assertTrue(mock_send_mime.called) call_args = mock_send_mime.call_args[0] self.assertEqual([ sm.find_user(username='******').email, sm.find_user(username='******').email ], call_args[1]) self.assertEqual( '[Superset] Access to the datasource {} was granted'.format( self.get_table(ds_2_id).full_name), call_args[2]['Subject']) self.assertIn(TEST_ROLE_NAME, call_args[2].as_string()) self.assertIn('long_lat', call_args[2].as_string()) # request was removed self.assertFalse(access_requests) # table_role was extended to grant access to the long_lat table/ perm_view = sm.find_permission_view_menu('datasource_access', long_lat_perm) TEST_ROLE = sm.find_role(TEST_ROLE_NAME) self.assertIn(perm_view, TEST_ROLE.permissions) # Case 3. Grant new role to the user to access the druid datasource. sm.add_role('druid_role') access_request3 = create_access_request(session, 'druid', 'druid_ds_1', 'druid_role', 'gamma') self.get_resp( GRANT_ROLE_REQUEST.format('druid', access_request3.datasource_id, 'gamma', 'druid_role')) # user was granted table_role user_roles = [r.name for r in sm.find_user('gamma').roles] self.assertIn('druid_role', user_roles) # Case 4. Extend the role to have access to the druid datasource access_request4 = create_access_request(session, 'druid', 'druid_ds_2', 'druid_role', 'gamma') druid_ds_2_perm = access_request4.datasource.perm self.client.get( EXTEND_ROLE_REQUEST.format('druid', access_request4.datasource_id, 'gamma', 'druid_role')) # druid_role was extended to grant access to the druid_access_ds_2 druid_role = sm.find_role('druid_role') perm_view = sm.find_permission_view_menu('datasource_access', druid_ds_2_perm) self.assertIn(perm_view, druid_role.permissions) # cleanup gamma_user = sm.find_user(username='******') gamma_user.roles.remove(sm.find_role('druid_role')) gamma_user.roles.remove(sm.find_role(TEST_ROLE_NAME)) session.delete(sm.find_role('druid_role')) session.delete(sm.find_role(TEST_ROLE_NAME)) session.commit()
def __init__(self, *args, **kwargs): if (self.requires_examples and not os.environ.get('SOLO_TEST') and not os.environ.get('examples_loaded')): logging.info("Loading examples") cli.load_examples(load_test_data=True) logging.info("Done loading examples") sync_role_definitions() os.environ['examples_loaded'] = '1' else: sync_role_definitions() super(SupersetTestCase, self).__init__(*args, **kwargs) self.client = app.test_client() self.maxDiff = None gamma_sqllab = sm.add_role("gamma_sqllab") for perm in sm.find_role('Gamma').permissions: sm.add_permission_role(gamma_sqllab, perm) for perm in sm.find_role('sql_lab').permissions: sm.add_permission_role(gamma_sqllab, perm) admin = appbuilder.sm.find_user('admin') if not admin: appbuilder.sm.add_user('admin', 'admin', ' user', '*****@*****.**', appbuilder.sm.find_role('Admin'), password='******') gamma = appbuilder.sm.find_user('gamma') if not gamma: appbuilder.sm.add_user('gamma', 'gamma', 'user', '*****@*****.**', appbuilder.sm.find_role('Gamma'), password='******') gamma_sqllab = appbuilder.sm.find_user('gamma_sqllab') if not gamma_sqllab: gamma_sqllab = appbuilder.sm.add_user( 'gamma_sqllab', 'gamma_sqllab', 'user', '*****@*****.**', appbuilder.sm.find_role('gamma_sqllab'), password='******') alpha = appbuilder.sm.find_user('alpha') if not alpha: appbuilder.sm.add_user('alpha', 'alpha', 'user', '*****@*****.**', appbuilder.sm.find_role('Alpha'), password='******') # create druid cluster and druid datasources session = db.session cluster = session.query( models.DruidCluster).filter_by(cluster_name="druid_test").first() if not cluster: cluster = models.DruidCluster(cluster_name="druid_test") session.add(cluster) session.commit() druid_datasource1 = models.DruidDatasource( datasource_name='druid_ds_1', cluster_name='druid_test') session.add(druid_datasource1) druid_datasource2 = models.DruidDatasource( datasource_name='druid_ds_2', cluster_name='druid_test') session.add(druid_datasource2) session.commit()
def assert_admin_permission_in(role_name, assert_func): role = sm.find_role(role_name) permissions = [p.permission.name for p in role.permissions] assert_func('can_sync_druid_source', permissions) assert_func('can_approve', permissions)
def __init__(self, *args, **kwargs): if self.requires_examples and not os.environ.get("SOLO_TEST") and not os.environ.get("examples_loaded"): logging.info("Loading examples") cli.load_examples(load_test_data=True) logging.info("Done loading examples") sync_role_definitions() os.environ["examples_loaded"] = "1" else: sync_role_definitions() super(SupersetTestCase, self).__init__(*args, **kwargs) self.client = app.test_client() self.maxDiff = None gamma_sqllab_role = sm.add_role("gamma_sqllab") for perm in sm.find_role("Gamma").permissions: sm.add_permission_role(gamma_sqllab_role, perm) db_perm = self.get_main_database(sm.get_session).perm security.merge_perm(sm, "database_access", db_perm) db_pvm = sm.find_permission_view_menu(view_menu_name=db_perm, permission_name="database_access") gamma_sqllab_role.permissions.append(db_pvm) for perm in sm.find_role("sql_lab").permissions: sm.add_permission_role(gamma_sqllab_role, perm) admin = appbuilder.sm.find_user("admin") if not admin: appbuilder.sm.add_user( "admin", "admin", " user", "*****@*****.**", appbuilder.sm.find_role("Admin"), password="******" ) gamma = appbuilder.sm.find_user("gamma") if not gamma: appbuilder.sm.add_user( "gamma", "gamma", "user", "*****@*****.**", appbuilder.sm.find_role("Gamma"), password="******" ) gamma_sqllab_user = appbuilder.sm.find_user("gamma_sqllab") if not gamma_sqllab_user: appbuilder.sm.add_user( "gamma_sqllab", "gamma_sqllab", "user", "*****@*****.**", gamma_sqllab_role, password="******" ) alpha = appbuilder.sm.find_user("alpha") if not alpha: appbuilder.sm.add_user( "alpha", "alpha", "user", "*****@*****.**", appbuilder.sm.find_role("Alpha"), password="******" ) sm.get_session.commit() # create druid cluster and druid datasources session = db.session cluster = session.query(models.DruidCluster).filter_by(cluster_name="druid_test").first() if not cluster: cluster = models.DruidCluster(cluster_name="druid_test") session.add(cluster) session.commit() druid_datasource1 = models.DruidDatasource(datasource_name="druid_ds_1", cluster_name="druid_test") session.add(druid_datasource1) druid_datasource2 = models.DruidDatasource(datasource_name="druid_ds_2", cluster_name="druid_test") session.add(druid_datasource2) session.commit()