def configured_app(minimal_app_for_api):
    """Yield the API test app after adding a role-management user and a bare user.

    The "Test" role is granted list/add/show/delete/edit on the role model view
    plus list on the permission model view. The "TestNoPermissions" user is
    created with no permissions passed. Two delete_user calls run after the
    yield.
    """
    # Presumably registered as a pytest fixture by a decorator outside this view.
    role_view = permissions.RESOURCE_ROLE_MODEL_VIEW
    granted = [
        (permissions.ACTION_CAN_LIST, role_view),
        (permissions.ACTION_CAN_ADD, role_view),
        (permissions.ACTION_CAN_SHOW, role_view),
        (permissions.ACTION_CAN_LIST, permissions.RESOURCE_PERMISSION_MODEL_VIEW),
        (permissions.ACTION_CAN_DELETE, role_view),
        (permissions.ACTION_CAN_EDIT, role_view),
    ]
    api_app = minimal_app_for_api
    create_user(
        api_app,  # type: ignore
        username="******",
        role_name="Test",
        permissions=granted,
    )
    create_user(api_app, username="******", role_name="TestNoPermissions")  # type: ignore

    yield api_app

    # Teardown: remove the accounts so they do not leak into other test modules.
    delete_user(api_app, username="******")  # type: ignore
    delete_user(api_app, username="******")  # type: ignore
def setUpClass(cls) -> None:
    """Create the test app under the test auth backend and add one Admin user."""
    super().setUpClass()
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)  # type:ignore
    # TODO: Add new role for each view to test permission.
    # Until then every request in this class runs as Admin, so these tests
    # presumably cannot tell an enforced permission check from a missing one.
    create_user(cls.app, username="******", role="Admin")  # type: ignore
def setUpClass(cls):
    """Configure the ORM, keep the session factory, build the app and add an Admin user."""
    settings.configure_orm()
    cls.session = settings.Session
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)
    # TODO: Add new role for each view to test permission.
    # Until then every request in this class runs as Admin, so these tests
    # presumably cannot tell an enforced permission check from a missing one.
    create_user(cls.app, username="******", role="Admin")
def setUpClass(cls) -> None:
    """Build the test app, a read-only user, a bare user and a one-task DAG bag.

    The "Test" role gets can_read on Dag, DagRun and Task; the
    "TestNoPermissions" user is created with no permissions passed.
    """
    super().setUpClass()
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)  # type:ignore

    read_only = [('can_read', 'Dag'), ('can_read', 'DagRun'), ('can_read', 'Task')]
    create_user(
        cls.app,  # type: ignore
        username="******",
        role_name="Test",
        permissions=read_only,
    )
    create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore

    with DAG(cls.dag_id, start_date=datetime(2020, 6, 15), doc_md="details") as dag:
        DummyOperator(task_id=cls.task_id)
    cls.dag = dag  # type:ignore

    # Give the app a DagBag built from os.devnull (examples excluded) that
    # holds only the DAG defined above.
    single_dag_bag = DagBag(os.devnull, include_examples=False)
    single_dag_bag.dags = {dag.dag_id: dag}
    cls.app.dag_bag = single_dag_bag  # type:ignore
def setUpClass(cls) -> None:
    """Create the test app with SKIP_DAGS_PARSING set and add one Admin user."""
    super().setUpClass()
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the two overrides -- confirm.
    with mock.patch.dict("os.environ", SKIP_DAGS_PARSING="True"):
        with conf_vars(auth_override):
            cls.app = app.create_app(testing=True)  # type:ignore
    # TODO: Add new role for each view to test permission.
    # Until then every request in this class runs as Admin, so these tests
    # presumably cannot tell an enforced permission check from a missing one.
    create_user(cls.app, username="******", role="Admin")  # type: ignore
def factory(name, role_name, permissions):
    """Create a user, log it in through /login/ and return the test client.

    The login form is posted with ``name`` as both username and password, so
    this relies on create_user giving the account a password equal to its
    username (a test-only convention -- confirm against create_user).
    """
    create_user(app, name, role_name, permissions)
    credentials = {"username": name, "password": name}
    test_client = app.test_client()
    login_response = test_client.post("/login/", data=credentials)
    # The test expects the login POST to answer with a redirect.
    assert login_response.status_code == 302
    return test_client
def setUpClass(cls) -> None:
    """Build the test app with an audit-log reader and a bare user.

    The "Test" role gets read on the audit-log resource only; the
    "TestNoPermissions" user is created with no permissions passed.
    """
    super().setUpClass()
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)  # type:ignore

    audit_read = [(permissions.ACTION_CAN_READ, permissions.RESOURCE_AUDIT_LOG)]
    create_user(
        cls.app,  # type:ignore
        username="******",
        role_name="Test",
        permissions=audit_read,  # type: ignore
    )
    create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore
def configured_app(minimal_app_for_api):
    """Yield the API test app with one user allowed to read the config resource.

    Only a single user is created here, and it is deleted after the yield.
    """
    # Presumably registered as a pytest fixture by a decorator outside this view.
    config_read = [(permissions.ACTION_CAN_READ, permissions.RESOURCE_CONFIG)]
    api_app = minimal_app_for_api
    create_user(
        api_app,  # type:ignore
        username="******",
        role_name="Test",
        permissions=config_read,  # type: ignore
    )

    yield minimal_app_for_api

    delete_user(api_app, username="******")  # type: ignore
def setUpClass(cls) -> None:
    """Build the test app, one Admin user and a DagBag holding a one-task DAG."""
    super().setUpClass()
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)  # type:ignore
    # TODO: Add new role for each view to test permission.
    # Until then every request in this class runs as Admin, so these tests
    # presumably cannot tell an enforced permission check from a missing one.
    create_user(cls.app, username="******", role="Admin")  # type: ignore

    with DAG(cls.dag_id, start_date=datetime(2020, 6, 15), doc_md="details") as dag:
        DummyOperator(task_id=cls.task_id)
    cls.dag = dag  # type:ignore

    # Give the app a DagBag built from os.devnull (examples excluded) that
    # holds only the DAG defined above.
    single_dag_bag = DagBag(os.devnull, include_examples=False)
    single_dag_bag.dags = {dag.dag_id: dag}
    cls.app.dag_bag = single_dag_bag  # type:ignore
def configured_app(minimal_app_for_api):
    """Yield the API test app with a provider reader and a bare user.

    The "Test" role gets read on the provider resource; the
    "TestNoPermissions" user is created with no permissions passed. Two
    delete_user calls run after the yield.
    """
    # Presumably registered as a pytest fixture by a decorator outside this view.
    provider_read = [(permissions.ACTION_CAN_READ, permissions.RESOURCE_PROVIDER)]
    api_app = minimal_app_for_api
    create_user(
        api_app,  # type: ignore
        username="******",
        role_name="Test",
        permissions=provider_read,
    )
    create_user(api_app, username="******", role_name="TestNoPermissions")  # type: ignore

    yield api_app

    # Teardown: remove the accounts so they do not leak into other test modules.
    delete_user(api_app, username="******")  # type: ignore
    delete_user(api_app, username="******")  # type: ignore
def setUpClass(cls):
    """Build the test app with a read-only user and a bare user.

    The "Test" role gets read on DAGs, DAG runs and task instances; the
    "TestNoPermissions" user is created with no permissions passed.
    """
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)

    read_only = [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_INSTANCE),
    ]
    create_user(
        cls.app,
        username="******",
        role_name="Test",
        permissions=read_only,
    )
    create_user(cls.app, username="******", role_name="TestNoPermissions")
def configured_app(minimal_app_for_api):
    """Yield the API test app with webserver.expose_config forced to 'True'.

    The "Test" role gets read on the config resource; the "TestNoPermissions"
    user is created with no permissions passed. Two delete_user calls run
    after the yield.
    """
    # Presumably registered as a pytest fixture by a decorator outside this view.
    config_read = [(permissions.ACTION_CAN_READ, permissions.RESOURCE_CONFIG)]
    api_app = minimal_app_for_api
    create_user(
        api_app,  # type:ignore
        username="******",
        role_name="Test",
        permissions=config_read,  # type: ignore
    )
    create_user(api_app, username="******", role_name="TestNoPermissions")  # type: ignore

    # The override is held only while the consuming tests run.
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; the deletions are placed after it here -- confirm.
    with conf_vars({('webserver', 'expose_config'): 'True'}):
        yield minimal_app_for_api

    delete_user(api_app, username="******")  # type: ignore
    delete_user(api_app, username="******")  # type: ignore
def test_dont_get_inaccessible_dag_ids_for_dag_resource_permission(self):
    """get_readable_dag_ids() must not return DAGs on which the user only has CAN_EDIT."""
    dag_id = "dag_id"
    role_name = "MyRole1"
    username = "******"
    edit_only = [permissions.ACTION_CAN_EDIT]

    # The role holds edit, but not read, on the DAG resource.
    user = api_connexion_utils.create_user(
        self.app,
        username,
        role_name,
        permissions=[(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG)],
    )
    self.session.add(DagModel(dag_id=dag_id, fileloc="/tmp/dag_.py", schedule_interval="2 2 * * *"))
    self.session.commit()

    self.security_manager.sync_perm_for_dag(  # type: ignore  # pylint: disable=no-member
        dag_id, access_control={role_name: edit_only}
    )

    readable = self.security_manager.get_readable_dag_ids(user)
    assert readable == set()
def test_get_accessible_dag_ids(self):
    """A role with read on a DAG sees that DAG in get_accessible_dag_ids()."""
    dag_id = 'dag_id'
    role_name = 'MyRole1'
    username = "******"
    read_only = [permissions.ACTION_CAN_READ]

    # NOTE(review): the same (CAN_READ, RESOURCE_DAG) pair is listed twice;
    # the second entry may have been meant to be a different action -- confirm.
    user = api_connexion_utils.create_user(
        self.app,
        username,
        role_name,
        permissions=[
            (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
            (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        ],
    )
    self.session.add(DagModel(dag_id=dag_id, fileloc="/tmp/dag_.py", schedule_interval="2 2 * * *"))
    self.session.commit()

    self.security_manager.sync_perm_for_dag(  # type: ignore  # pylint: disable=no-member
        dag_id, access_control={role_name: read_only}
    )

    accessible = self.security_manager.get_accessible_dag_ids(user)
    assert accessible == {'dag_id'}
def test_get_current_user_permissions(self, mock_get_user_roles):
    """get_current_user_permissions() follows the roles the mocked lookup returns."""
    username = '******'
    role_name = 'MyRole5'
    role_perm = 'can_some_action'
    role_vm = 'SomeBaseView'
    expected = {(role_perm, role_vm)}

    # NOTE(review): the flattened listing does not show where the with-block
    # ended; the whole test is kept inside the app context here -- confirm.
    with self.app.app_context():
        user = api_connexion_utils.create_user(
            self.app,
            username,
            role_name,
            permissions=[(role_perm, role_vm)],
        )

        # With the user's single role returned, exactly its permission is reported.
        mock_get_user_roles.return_value = [user.roles[0]]
        assert self.security_manager.get_current_user_permissions() == expected

        # With no roles returned, no permission may be reported.
        mock_get_user_roles.return_value = []
        remaining = self.security_manager.get_current_user_permissions()
        assert len(remaining) == 0
def setUpClass(cls) -> None:
    """Build the test app with a Connection CRUD user and a bare user.

    The "Test" role gets create/read/edit/delete on Connection; the
    "TestNoPermissions" user is created with no permissions passed.
    """
    super().setUpClass()
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)  # type:ignore

    connection_crud = [
        ("can_create", "Connection"),
        ("can_read", "Connection"),
        ("can_edit", "Connection"),
        ("can_delete", "Connection"),
    ]
    create_user(
        cls.app,  # type: ignore
        username="******",
        role_name="Test",
        permissions=connection_crud,
    )
    create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore
def setUpClass(cls) -> None:
    """Build the test app with an ImportError reader and a bare user.

    The "Test" role gets can_read on ImportError only; the "TestNoPermissions"
    user is created with no permissions passed.
    """
    super().setUpClass()
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)  # type:ignore

    import_error_read = [('can_read', 'ImportError')]
    create_user(
        cls.app,  # type: ignore
        username="******",
        role_name="Test",
        permissions=import_error_read,
    )
    create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore
def test_access_control_is_set_on_init(self):
    """DAG permissions granted to 'team-a' apply only while the user is in that role."""
    username = '******'
    role_name = 'team-a'
    dag_id = 'access_control_test'
    edit_and_read = (permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ)

    # NOTE(review): the flattened listing does not show where the with-block
    # ended; the whole test is kept inside the app context here -- confirm.
    with self.app.app_context():
        # The user starts with a role that carries no permissions of its own.
        user = api_connexion_utils.create_user(
            self.app,
            username,
            role_name,
            permissions=[],
        )

        self.expect_user_is_in_role(user, rolename='team-a')
        self.security_manager._sync_dag_view_permissions(
            dag_id,
            access_control={'team-a': list(edit_and_read)},
        )
        self.assert_user_has_dag_perms(
            perms=list(edit_and_read),
            dag_id=dag_id,
            user=user,
        )

        # Negative case: with a different role the same permissions must be absent.
        self.expect_user_is_in_role(user, rolename='NOT-team-a')
        self.assert_user_does_not_have_dag_perms(
            perms=list(edit_and_read),
            dag_id=dag_id,
            user=user,
        )
def test_access_control_stale_perms_are_revoked(self):
    """Re-syncing a DAG from READ_WRITE to READ_ONLY must drop the edit permission."""
    username = '******'
    role_name = 'team-a'
    dag_id = 'access_control_test'

    # NOTE(review): the flattened listing does not show where the with-block
    # ended; the whole test is kept inside the app context here -- confirm.
    with self.app.app_context():
        user = api_connexion_utils.create_user(
            self.app,
            username,
            role_name,
            permissions=[],
        )
        self.expect_user_is_in_role(user, rolename='team-a')

        # First sync: the role is granted READ_WRITE on the DAG.
        self.security_manager._sync_dag_view_permissions(dag_id, access_control={'team-a': READ_WRITE})
        self.assert_user_has_dag_perms(perms=READ_WRITE, dag_id=dag_id, user=user)

        # Second sync narrows the grant; read must stay and edit must be gone.
        self.security_manager._sync_dag_view_permissions(dag_id, access_control={'team-a': READ_ONLY})
        self.assert_user_has_dag_perms(
            perms=[permissions.ACTION_CAN_READ],
            dag_id=dag_id,
            user=user,
        )
        self.assert_user_does_not_have_dag_perms(
            perms=[permissions.ACTION_CAN_EDIT],
            dag_id=dag_id,
            user=user,
        )
def setup_class(cls) -> None:
    """Build the test app with a Config reader and a bare user; reset cls.client.

    The "Test" role gets can_read on Config only; the "TestNoPermissions" user
    is created with no permissions passed.
    """
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)  # type:ignore

    config_read = [('can_read', 'Config')]
    create_user(
        cls.app,
        username="******",
        role_name="Test",
        permissions=config_read,  # type: ignore
    )
    create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore

    cls.client = None
def setUpClass(cls) -> None:
    """Build the test app with SKIP_DAGS_PARSING set, a read-only user and a bare user.

    The "Test" role gets read on DAGs, DAG runs and task instances; the
    "TestNoPermissions" user is created with no permissions passed.
    """
    super().setUpClass()
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the two overrides -- confirm.
    with mock.patch.dict("os.environ", SKIP_DAGS_PARSING="True"):
        with conf_vars(auth_override):
            cls.app = app.create_app(testing=True)  # type:ignore

    read_only = [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_INSTANCE),
    ]
    create_user(
        cls.app,  # type: ignore
        username="******",
        role_name="Test",
        permissions=read_only,
    )
    create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore
def configured_app(minimal_app_for_api):
    """Yield the API test app with a user-list reader and a bare user.

    The "Test" role gets list and show on the user DB model view; the
    "TestNoPermissions" user is created with no permissions passed. Two
    delete_user calls run after the yield.
    """
    # Presumably registered as a pytest fixture by a decorator outside this view.
    user_view = permissions.RESOURCE_USER_DB_MODELVIEW
    granted = [
        (permissions.ACTION_CAN_LIST, user_view),
        (permissions.ACTION_CAN_SHOW, user_view),
    ]
    api_app = minimal_app_for_api
    create_user(
        api_app,  # type: ignore
        username="******",
        role_name="Test",
        permissions=granted,
    )
    create_user(api_app, username="******", role_name="TestNoPermissions")  # type: ignore

    yield api_app

    # Teardown: remove the accounts so they do not leak into other test modules.
    delete_user(api_app, username="******")  # type: ignore
    delete_user(api_app, username="******")  # type: ignore
def configured_app(minimal_app_for_api):
    """Yield the API test app with a task-instance editor and a bare user.

    The "Test" role gets read on DAGs, DAG runs and task instances plus edit
    on task instances; the "TestNoPermissions" user is created with no
    permissions passed.
    """
    # Presumably registered as a pytest fixture by a decorator outside this view.
    granted = [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG_RUN),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_INSTANCE),
        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_TASK_INSTANCE),
    ]
    api_app = minimal_app_for_api
    create_user(
        api_app,  # type: ignore
        username="******",
        role_name="Test",
        permissions=granted,
    )
    create_user(api_app, username="******", role_name="TestNoPermissions")  # type: ignore

    yield api_app

    # NOTE(review): two create_user calls above but only one delete_user here.
    # The usernames are masked in this listing, so it is unclear which account
    # is removed; the other may outlive this fixture -- confirm.
    delete_user(api_app, username="******")  # type: ignore
def user_all_dags(acl_app):
    """Return create_user's result for role "role_all_dags": read on DAGs and the website."""
    granted = [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_WEBSITE),
    ]
    new_user = create_user(
        acl_app,
        username="******",
        role_name="role_all_dags",
        permissions=granted,
    )
    return new_user
def setUpClass(cls):
    """Configure the ORM, build the test app and add a read-only user and a bare user.

    The "Test" role gets can_read on Dag, DagRun and Task; the
    "TestNoPermissions" user is created with no permissions passed.
    """
    settings.configure_orm()
    cls.session = settings.Session
    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)

    read_only = [('can_read', 'Dag'), ('can_read', 'DagRun'), ('can_read', 'Task')]
    create_user(
        cls.app,
        username="******",
        role_name="Test",
        permissions=read_only,
    )
    create_user(cls.app, username="******", role_name="TestNoPermissions")
def user_edit_one_dag(acl_app):
    """Return create_user's result for role "role_edit_one_dag".

    Read and edit are granted on the single resource
    'DAG:example_bash_operator' rather than on permissions.RESOURCE_DAG.
    """
    single_dag = 'DAG:example_bash_operator'
    granted = [
        (permissions.ACTION_CAN_READ, single_dag),
        (permissions.ACTION_CAN_EDIT, single_dag),
    ]
    new_user = create_user(
        acl_app,
        username="******",
        role_name="role_edit_one_dag",
        permissions=granted,
    )
    return new_user
def user_only_dags_tis(acl_app):
    """Return create_user's result for role "role_only_dags_tis".

    Read is granted on DAGs and task instances only; no website permission is
    included in this role.
    """
    granted = [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_INSTANCE),
    ]
    new_user = create_user(
        acl_app,
        username="******",
        role_name="role_only_dags_tis",
        permissions=granted,
    )
    return new_user
def user_all_dags_edit_tis(acl_app):
    """Return create_user's result for role "role_all_dags_edit_tis".

    The role gets read on DAGs, edit on task instances and read on the
    website; read on task instances is not part of the list.
    """
    granted = [
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        (permissions.ACTION_CAN_EDIT, permissions.RESOURCE_TASK_INSTANCE),
        (permissions.ACTION_CAN_READ, permissions.RESOURCE_WEBSITE),
    ]
    new_user = create_user(
        acl_app,
        username="******",
        role_name="role_all_dags_edit_tis",
        permissions=granted,
    )
    return new_user
def configured_app(minimal_app_for_api):
    """Yield the API test app with a Variable CRUD user and a bare user.

    The "Test" role gets create/read/edit/delete on the variable resource; the
    "TestNoPermissions" user is created with no permissions passed. Two
    delete_user calls run after the yield.
    """
    # Presumably registered as a pytest fixture by a decorator outside this view.
    variable = permissions.RESOURCE_VARIABLE
    granted = [
        (permissions.ACTION_CAN_CREATE, variable),
        (permissions.ACTION_CAN_READ, variable),
        (permissions.ACTION_CAN_EDIT, variable),
        (permissions.ACTION_CAN_DELETE, variable),
    ]
    api_app = minimal_app_for_api
    create_user(
        api_app,  # type: ignore
        username="******",
        role_name="Test",
        permissions=granted,
    )
    create_user(api_app, username="******", role_name="TestNoPermissions")  # type: ignore

    yield api_app

    # Teardown: remove the accounts so they do not leak into other test modules.
    delete_user(api_app, username="******")  # type: ignore
    delete_user(api_app, username="******")  # type: ignore
def setup_class(cls) -> None:
    """Build the test app with expose_config enabled, a config reader and a bare user.

    The "Test" role gets read on the config resource; the "TestNoPermissions"
    user is created with no permissions passed. cls.client is reset to None.
    """
    # The expose_config override is entered on cls.exit_stack and is not closed
    # in this method, so it stays active after setup returns; presumably a
    # teardown outside this view closes the stack -- confirm.
    cls.exit_stack = ExitStack()
    cls.exit_stack.enter_context(conf_vars({('webserver', 'expose_config'): 'True'}))

    auth_override = {("api", "auth_backend"): "tests.test_utils.remote_user_api_auth_backend"}
    # NOTE(review): the flattened listing does not show where the with-block
    # ended; only create_app() is kept under the override here -- confirm.
    with conf_vars(auth_override):
        cls.app = app.create_app(testing=True)  # type:ignore

    config_read = [(permissions.ACTION_CAN_READ, permissions.RESOURCE_CONFIG)]
    create_user(
        cls.app,  # type:ignore
        username="******",
        role_name="Test",
        permissions=config_read,  # type: ignore
    )
    create_user(cls.app, username="******", role_name="TestNoPermissions")  # type: ignore

    cls.client = None