class TestFilteringByRequest(TestCase):
"""Test filter query by request"""
def setUp(self):
super(TestFilteringByRequest, self).setUp()
self.object_generator = ObjectGenerator()
self.api = Api()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = (
("creator", "Creator"),
("admin", "Administrator"),
("john", None),
)
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_no_role_users_filtering(self):
"""Test 'No Role' users filtering"""
self.api.set_user(self.users['admin'])
response = self.api.get_query(all_models.Person, "__no_role=true")
self.assertEqual(response.status_code, 200)
self.assertEqual(len(response.json['people_collection']['people']), 1)
self.assertEqual(
response.json['people_collection']['people'][0]['name'], 'john')
class TestFilteringByRequest(TestCase):
"""Test filter query by request"""
def setUp(self):
super(TestFilteringByRequest, self).setUp()
self.object_generator = ObjectGenerator()
self.api = Api()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = (
("creator", "Creator"),
("admin", "Administrator"),
("john", None),
)
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_no_role_users_filtering(self):
"""Test 'No Role' users filtering"""
self.api.set_user(self.users['admin'])
response = self.api.get_query(all_models.Person, "__no_role=true")
self.assertEqual(response.status_code, 200)
self.assertEqual(len(response.json['people_collection']['people']), 1)
self.assertEqual(
response.json['people_collection']['people'][0]['name'],
'john'
)
class TestFilteringByRequest(TestCase):
"""Test filter query by request"""
def setUp(self):
super(TestFilteringByRequest, self).setUp()
self.object_generator = ObjectGenerator()
self.api = Api()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = (
("creator", "Creator"),
("admin", "Administrator"),
("john", "WorkflowOwner")
)
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
context = (
db.session.query(all_models.Context).filter(
all_models.Context.id != 0
).first()
)
user_role = (
db.session.query(all_models.UserRole).join(all_models.Person).
filter(
and_(
all_models.UserRole.person_id == all_models.Person.id,
all_models.Person.name == "john"
)
).first()
)
user_role.context_id = context.id
db.session.commit()
db.session.flush()
def test_no_role_users_filtering(self):
"""Test 'No Role' users filtering"""
self.api.set_user(self.users['admin'])
response = self.api.get_query(all_models.Person, "__no_role=true")
self.assertEqual(response.status_code, 200)
self.assertEqual(len(response.json['people_collection']['people']), 1)
self.assertEqual(
response.json['people_collection']['people'][0]['name'],
'john'
)
class TestFilteringByRequest(TestCase):
"""Test filter query by request"""
def setUp(self):
super(TestFilteringByRequest, self).setUp()
self.object_generator = ObjectGenerator()
self.api = Api()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = (
("creator", "Creator"),
("admin", "Administrator"),
("john", "WorkflowOwner")
)
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
context = (
db.session.query(all_models.Context).filter(
all_models.Context.id != 0
).first()
)
user_role = (
db.session.query(all_models.UserRole).join(all_models.Person).
filter(
and_(
all_models.UserRole.person_id == all_models.Person.id,
all_models.Person.name == "john"
)
).first()
)
user_role.context_id = context.id
db.session.commit()
db.session.flush()
def test_no_role_users_filtering(self):
"""Test 'No Role' users filtering"""
self.api.set_user(self.users['admin'])
response = self.api.get_query(all_models.Person, "__no_role=true")
self.assertEqual(response.status_code, 200)
self.assertEqual(len(response.json['people_collection']['people']), 1)
self.assertEqual(
response.json['people_collection']['people'][0]['name'],
'john'
)
class TestFilterByAuditor(TestCase):
""" Test for filter by Auditor. """
def setUp(self):
super(TestFilterByAuditor, self).setUp()
self.api = Api()
self.generator = ObjectGenerator()
_, self.auditor = self.generator.generate_person(user_role="Creator")
auditor_role = all_models.AccessControlRole.query.filter_by(
name="Auditors").one()
with factories.single_commit():
self.audit = factories.AuditFactory(status="In Progress")
self.audit_id = self.audit.id
audit_context = factories.ContextFactory()
self.audit.context = audit_context
factories.AccessControlListFactory(
ac_role=auditor_role,
object=self.audit,
person=self.auditor
)
self.api.set_user(self.auditor)
def test_query_audits_by_auditor(self):
"""test get audit as query get"""
objects = self.api.get_query(all_models.Audit, "")
self.assertEqual(1, len(objects.json["audits_collection"]["audits"]))
audit_dict = objects.json["audits_collection"]["audits"][0]
self.assertEqual(self.audit_id, audit_dict["id"])
def test_filter_audits_by_auditor(self):
"""Test query on audit Global Search.
This query is the fact query that frontend is sending in global search.
"""
query_request_data = [
{
u'fields': [],
u'filters': {
u'expression': {
u'left': {
u'left': u'status',
u'op': {u'name': u'='},
u'right': u'Planned'
},
u'op': {u'name': u'OR'},
u'right': {
u'left': {
u'left': u'status',
u'op': {u'name': u'='},
u'right': u'In Progress'
},
u'op': {u'name': u'OR'},
u'right': {
u'left': {
u'left': u'status',
u'op': {u'name': u'='},
u'right': u'Manager Review'
},
u'op': {u'name': u'OR'},
u'right': {
u'left': {
u'left': u'status',
u'op': {u'name': u'='},
u'right': u'Ready for External Review',
},
u'op': {u'name': u'OR'},
u'right': {
u'left': u'status',
u'op': {u'name': u'='},
u'right': u'Completed',
}
},
},
},
},
u'keys': [u'status'],
u'order_by': {
u'compare': None,
u'keys': [],
u'order': u'',
}
},
u'limit': [0, 5],
u'object_name': u'Audit',
u'permissions': u'read',
u'type': u'values',
},
{
u'filters': {
u'expression': {
u'ids': [u'150'],
u'object_name': u'undefined',
u'op': {u'name': u'relevant'}
},
u'keys': [],
u'order_by': {u'compare': None, u'keys': [], u'order': u''}
},
u'object_name': u'Audit',
u'type': u'ids',
},
]
resp = self.api.send_request(self.api.client.post,
data=query_request_data,
api_link="/query")
self.assertEqual(1, resp.json[0]["Audit"]["count"])
self.assertEqual(self.audit_id, resp.json[0]["Audit"]["values"][0]["id"])
class TestCreator(TestCase):
""" TestCreator """
def setUp(self):
super(TestCreator, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("creator", "Creator"), ("admin", "Administrator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
for role, code in (("creator", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.tc.get("/admin").status_code, code)
def test_creator_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["creator"])
all_errors = []
base_models = set([
"Control", "DataAsset", "Contract", "Policy", "Regulation",
"Standard", "Document", "Facility", "Market", "Objective",
"OrgGroup", "Vendor", "Product", "Clause", "System", "Process",
"Issue", "Project", "AccessGroup"
])
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(
model, {
table_singular: {
"title": model_singular,
"context": None,
"reference_url": "ref",
"contact": {
"type": "Person",
"id": self.users["creator"].id,
},
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
# Test GET when not owner
obj_id = response.json.get(table_singular).get("id")
response = self.api.get(model, obj_id)
if response.status_code != 403: # we are not onwers yet
all_errors.append(
"{} can retrieve object if not owner".format(
model_singular))
continue
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if len(collection) != 0:
all_errors.append(
"{} can retrieve object if not owner (collection)".
format(model_singular))
continue
# Become an owner
response = self.api.post(
all_models.ObjectOwner, {
"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
},
"ownable": {
"type": model_singular,
"id": obj_id
},
"context": None
}
})
if response.status_code != 201:
all_errors.append("{} can't create owner {}.".format(
model_singular, response.status))
continue
# Test GET when owner
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if len(collection) == 0:
all_errors.append(
"{} cannot retrieve object even if owner (collection)".
format(model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_creator_search(self):
"""Test if creator can see the correct object while using the search api"""
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {
"title": "Admin regulation",
"context": None
},
})
self.api.set_user(self.users['creator'])
response = self.api.post(all_models.Policy, {
"policy": {
"title": "Creator Policy",
"context": None
},
})
obj_id = response.json.get("policy").get("id")
self.api.post(
all_models.ObjectOwner, {
"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
},
"ownable": {
"type": "Policy",
"id": obj_id,
},
"context": None
}
})
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0]["type"], "Policy")
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(response.json["results"]["counts"].get("Regulation"),
None)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_creator_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['creator'])
creator_count = self._get_count("Person")
self.assertEqual(admin_count, creator_count)
def test_creator_cannot_be_owner(self):
"""Test if creator cannot become owner of the object he has not created"""
self.api.set_user(self.users['admin'])
_, obj = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {
"title": "Test regulation",
"context": None
},
})
self.api.set_user(self.users['creator'])
response = self.api.post(
all_models.ObjectOwner, {
"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
},
"ownable": {
"type": "Regulation",
"id": obj.id,
},
"context": None
}
})
self.assertEqual(response.status_code, 403)
def test_relationships_access(self):
"""Check if creator cannot access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation",
{
"regulation": {
"title": "Test regulation",
"context": None
},
})
_, obj_1 = self.generator.generate(
all_models.Regulation, "regulation", {
"regulation": {
"title": "Test regulation 2",
"context": None
},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {
"source": {
"id": obj_0.id,
"type": "Regulation"
},
"destination": {
"id": obj_1.id,
"type": "Regulation"
},
"context": None
},
})
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['creator'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 0)
def test_revision_access(self):
"""Check if creator can access the right revision objects."""
def gen(title):
return self.generator.generate(all_models.Section, "section", {
"section": {
"title": title,
"context": None
},
})[1]
def check(obj, expected):
"""Check that how many revisions of an object current user can see."""
response = self.api.get_query(
all_models.Revision,
"resource_type={}&resource_id={}".format(obj.type, obj.id))
self.assertEqual(response.status_code, 200)
self.assertEqual(
len(response.json['revisions_collection']['revisions']),
expected)
self.api.set_user(self.users["admin"])
obj_1 = gen("Test Section 1")
obj_2 = gen("Test Section 2")
self.api.post(
all_models.ObjectOwner, {
"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
},
"ownable": {
"type": "Section",
"id": obj_2.id,
},
"context": None
}
})
self.api.set_user(self.users["creator"])
check(obj_1, 0)
check(obj_2, 2)
class TestCreator(TestCase):
""" TestCreator """
def setUp(self):
super(TestCreator, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("creator", "Creator"), ("admin", "Administrator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
"""Permissions to admin page."""
for role, code in (("creator", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.client.get("/admin").status_code, code)
def test_creator_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["creator"])
creator_id = self.users["creator"].id
audit_id = factories.AuditFactory().id
all_errors = []
base_models = {
"Control", "DataAsset", "Contract", "Policy", "Regulation",
"Standard", "Document", "Facility", "Market", "Objective",
"OrgGroup", "Vendor", "Product", "Clause", "System", "Process",
"Project", "AccessGroup", "Metric", "ProductGroup",
"TechnologyEnvironment"
}
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(model, {
table_singular: {
"title": model_singular,
"context": None,
"documents_reference_url": "ref",
"link": "https://example.com", # ignored except for Document
"contact": {
"type": "Person",
"id": creator_id,
},
"audit": { # this is ignored on everything but Issues
"id": audit_id,
"type": "Audit",
}
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
# Test GET when not owner
obj_id = response.json.get(table_singular).get("id")
response = self.api.get(model, obj_id)
if response.status_code != 403: # we are not onwers yet
all_errors.append(
"{} can retrieve object if not owner".format(
model_singular))
continue
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if collection:
all_errors.append(
"{} can retrieve object if not owner (collection)".
format(model_singular))
continue
# Test GET when owner
acr = all_models.AccessControlRole.query.filter_by(
object_type=model_singular, name="Admin").first()
factories.AccessControlListFactory(object_id=obj_id,
object_type=model_singular,
ac_role=acr,
person_id=creator_id)
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if not collection:
all_errors.append(
"{} cannot retrieve object even if owner (collection)".
format(model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_creator_search(self):
"""Test if creator can see the correct object while using the search api"""
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {
"title": "Admin regulation",
"context": None
},
})
self.api.set_user(self.users['creator'])
acr_id = all_models.AccessControlRole.query.filter_by(
object_type="Policy", name="Admin").first().id
response = self.api.post(
all_models.Policy, {
"policy": {
"title":
"Creator Policy",
"context":
None,
"access_control_list": [
acl_helper.get_acl_json(acr_id,
self.users["creator"].id)
],
},
})
response.json.get("policy").get("id")
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0]["type"], "Policy")
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(response.json["results"]["counts"].get("Regulation"),
None)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_creator_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['creator'])
creator_count = self._get_count("Person")
self.assertEqual(admin_count, creator_count)
def test_relationships_access(self):
"""Check if creator cannot access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation",
{
"regulation": {
"title": "Test regulation",
"context": None
},
})
_, obj_1 = self.generator.generate(
all_models.Regulation, "regulation", {
"regulation": {
"title": "Test regulation 2",
"context": None
},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {
"source": {
"id": obj_0.id,
"type": "Regulation"
},
"destination": {
"id": obj_1.id,
"type": "Regulation"
},
"context": None
},
})
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['creator'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 0)
def test_revision_access(self):
"""Check if creator can access the right revision objects."""
def gen(title, extra_data=None):
"""Generates requirement."""
requirement_content = {"title": title, "context": None}
if extra_data:
requirement_content.update(**extra_data)
return self.generator.generate(
all_models.Requirement, "requirement",
{"requirement": requirement_content})[1]
def check(obj, expected):
"""Check that how many revisions of an object current user can see."""
response = self.api.get_query(
all_models.Revision,
"resource_type={}&resource_id={}".format(obj.type, obj.id))
self.assertEqual(response.status_code, 200)
self.assertEqual(
len(response.json['revisions_collection']['revisions']),
expected)
self.api.set_user(self.users["admin"])
obj_1 = gen("Test Requirement 1")
self.api.set_user(self.users["creator"])
acr_id = all_models.AccessControlRole.query.filter_by(
object_type="Requirement", name="Admin").first().id
linked_acl = {
"access_control_list":
[acl_helper.get_acl_json(acr_id, self.users["creator"].id)],
}
check(obj_1, 0)
obj_2 = gen("Test Requirement 2", linked_acl)
obj2_acl = obj_2.access_control_list[0]
check(obj_2, 1)
check(obj2_acl, 1)
@ddt.data("creator", "admin")
def test_count_type_in_accordion(self, glob_role):
"""Return count of Persons in DB for side accordion."""
self.api.set_user(self.users[glob_role])
ocordion_api_person_count_link = (
"/search?"
"q=&types=Program%2CWorkflow_All%2C"
"Audit%2CAssessment%2CIssue%2CRegulation%2C"
"Policy%2CStandard%2CContract%2CClause%2CRequirement%2CControl%2C"
"Objective%2CPerson%2COrgGroup%2CVendor%2CAccessGroup%2CSystem%2C"
"Process%2CDataAsset%2CProduct%2CProject%2CFacility%2C"
"Market%2CRisk%2CThreat&counts_only=true&"
"extra_columns=Workflow_All%3DWorkflow%2C"
"Workflow_Active%3DWorkflow%2CWorkflow_Draft%3D"
"Workflow%2CWorkflow_Inactive%3DWorkflow&contact_id=1&"
"extra_params=Workflow%3Astatus%3DActive%3BWorkflow_Active"
"%3Astatus%3DActive%3BWorkflow_Inactive%3Astatus%3D"
"Inactive%3BWorkflow_Draft%3Astatus%3DDraft")
resp = self.api.client.get(ocordion_api_person_count_link)
self.assertIn("Person", resp.json["results"]["counts"])
self.assertEqual(all_models.Person.query.count(),
resp.json["results"]["counts"]["Person"])
@ddt.data(
("/api/revisions?resource_type={}&resource_id={}", 1),
("/api/revisions?source_type={}&source_id={}", 0),
("/api/revisions?destination_type={}&destination_id={}", 1),
)
@ddt.unpack
def test_changelog_access(self, link, revision_count):
"""Test accessing changelog under GC user who is assigned to object"""
with factories.single_commit():
audit = factories.AuditFactory()
asmnt = factories.AssessmentFactory(audit=audit)
asmnt_id = asmnt.id
factories.RelationshipFactory(source=audit, destination=asmnt)
verifier_role = all_models.AccessControlRole.query.filter_by(
object_type="Assessment",
name="Verifiers",
).first()
factories.AccessControlListFactory(
person=self.users["creator"],
ac_role=verifier_role,
object=asmnt,
)
self.api.set_user(self.users["creator"])
response = self.api.client.get(link.format("Assessment", asmnt_id))
self.assert200(response)
self.assertEqual(
len(
response.json.get("revisions_collection",
{}).get("revisions")), revision_count)
@ddt.data(all_models.ControlCategory, all_models.ControlAssertion)
def test_permissions_for_categories(self, category_model):
"""Test get collection for {0}."""
self.api.set_user(self.users["creator"])
resp = self.api.get_collection(category_model, None)
plural_name = category_model._inflector.table_plural
key_name = "{}_collection".format(plural_name)
self.assertIn(key_name, resp.json)
self.assertIn(plural_name, resp.json[key_name])
collection = resp.json[key_name][plural_name]
self.assertTrue(collection, "Collection shouldn't be empty")
class TestCreatorAudit(TestCase):
"""Set up necessary objects and test Creator role with Audit roles"""
def setUp(self):
super(TestCreatorAudit, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
self.init_roles()
self.init_test_cases()
self.objects = {}
def init_test_cases(self):
"""Create a dict of all possible test cases."""
self.test_cases = {
"Auditor": {
"audit_role": "Auditor",
"objects": {
"audit": {
"get": 200,
"put": 403,
"delete": 403
},
"mapped_Issue": {
"get": 200,
"put": 200,
"delete": 200
},
"unrelated_Issue": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
},
"mapped_Assessment": {
"get": 200,
"put": 200,
"delete": 200
},
"unrelated_Assessment": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
}
def init_roles(self):
"""Create a delete request for the given object."""
response = self.api.get_query(all_models.Role, "")
self.roles = {}
for role in response.json.get("roles_collection").get("roles"):
self.roles[role.get("name")] = role
def init_users(self):
"""Create users used by test cases."""
self.people = {}
for name in ["creator", "notmapped", "mapped", "Auditor"]:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role="Creator")
self.people[name] = user
_, user = self.object_generator.generate_person(
data={"name": "editor"}, user_role="Editor")
self.people["editor"] = user
def delete(self, obj):
"""Create a delete request for the given object.
Args:
obj (model instance): target object to delete
Returns:
int: http response status code
"""
return self.api.delete(obj).status_code
def get(self, obj):
"""Create a get request for the given object.
Args:
obj (model instance): target object to get
Returns:
int: http response status code
"""
return self.api.get(obj.__class__, obj.id).status_code
def put(self, obj):
"""Create a put request for the given object.
Args:
obj (model instance): target object to put
Returns:
int: http response status code
"""
response = self.api.get(obj.__class__, obj.id)
if response.status_code == 200:
return self.api.put(obj, response.json).status_code
else:
return response.status_code
def map(self, dest):
"""Map audit to dest.
Args:
dest (model instance): target object to map to the audit
Returns:
int: http response status code
"""
response = self.api.post(
all_models.Relationship, {
"relationship": {
"source": {
"id": self.objects["audit"].id,
"type": self.objects["audit"].type,
},
"destination": {
"id": dest.id,
"type": dest.type
},
"context": None
},
})
return response.status_code
def init_objects(self, test_case_name):
"""Create a Program, an Audit, and a Mapped object for the test case.
Args:
test_case_name (string): test case to init for
"""
# Create a program
dummy_audit = factories.AuditFactory()
unrelated_audit = {
"type": "Audit",
"context_id": dummy_audit.context.id,
"id": dummy_audit.id,
}
test_case = self.test_cases[test_case_name]
editor = self.people.get('editor')
self.api.set_user(editor)
random_title = factories.random_str()
response = self.api.post(all_models.Program, {
"program": {
"title": random_title,
"context": None
},
})
self.assertEqual(response.status_code, 201)
program_id = response.json.get("program").get("id")
self.objects["program"] = all_models.Program.query.get(program_id)
response = self.api.post(
all_models.Audit, {
"audit": {
"title": random_title + " audit",
'program': {
'id': program_id
},
"status": "Planned",
"context": None
}
})
self.assertEqual(response.status_code, 201)
context = response.json.get("audit").get("context")
audit_id = response.json.get("audit").get("id")
self.objects["audit"] = all_models.Audit.query.get(audit_id)
audits = {
"mapped": {
"type": "Audit",
"context_id": context["id"],
"id": audit_id,
},
"unrelated": unrelated_audit,
}
for prefix, audit_dict in audits.items():
random_title = factories.random_str()
response = self.api.post(all_models.Issue, {
"issue": {
"title": random_title,
"context": None,
},
})
self.assertEqual(response.status_code, 201)
issue_id = response.json.get("issue").get("id")
self.objects[prefix +
"_Issue"] = all_models.Issue.query.get(issue_id)
response = self.api.post(
all_models.Assessment, {
"assessment": {
"title": random_title,
"context": {
"type": "Context",
"id": audit_dict["context_id"],
},
"audit": audit_dict,
},
})
self.assertEqual(response.status_code, 201)
assessment_id = response.json.get("assessment").get("id")
self.objects[prefix + "_Assessment"] = \
all_models.Assessment.query.get(assessment_id)
self.assertEqual(self.map(self.objects["mapped_Issue"]), 201)
self.assertEqual(self.map(self.objects["mapped_Assessment"]), 201)
# Add roles to mapped users:
if "audit_role" in test_case:
person = self.people.get(test_case_name)
role = self.roles[test_case["audit_role"]]
response = self.api.post(
all_models.UserRole, {
"user_role": {
"person": {
"id": person.id,
"type": "Person",
"href": "/api/people/{}".format(person.id),
},
"role": {
"type": "Role",
"href": "/api/roles/{}".format(role["id"]),
"id": role["id"],
},
"context": {
"type": "Context",
"id": context.get("id"),
"href": "/api/contexts/{}".format(
context.get("id"))
}
}
})
self.assertEqual(response.status_code, 201)
def test_creator_audit_roles(self):
""" Test creator role with all audit scoped roles """
# Check permissions based on test_cases:
errors = []
for test_case in self.test_cases:
self.init_objects(test_case)
person = self.people.get(test_case)
objects = self.test_cases.get(test_case).get('objects')
self.api.set_user(person)
for obj, actions in objects.iteritems():
for action in ("map", "get", "put", "delete"):
if action not in actions:
continue
# reset sesion:
db.session.commit()
func = getattr(self, action)
res = func(self.objects[obj])
if res != actions[action]:
errors.append(
"{}: Tried {} on {}, but received {} instead of {}"
.format(test_case, action, obj, res,
actions[action]))
self.assertEqual(errors, [])
class TestCreator(TestCase):
""" TestCreator """
def setUp(self):
super(TestCreator, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("creator", "Creator"), ("admin", "Administrator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
"""Permissions to admin page."""
for role, code in (("creator", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.client.get("/admin").status_code, code)
def test_creator_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["creator"])
creator_id = self.users["creator"].id
audit_id = factories.AuditFactory().id
all_errors = []
base_models = set([
"Control", "DataAsset", "Contract",
"Policy", "Regulation", "Standard", "Document", "Facility",
"Market", "Objective", "OrgGroup", "Vendor", "Product",
"Clause", "System", "Process", "Project", "AccessGroup",
"Metric"
])
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(model, {
table_singular: {
"title": model_singular,
"context": None,
"documents_reference_url": "ref",
"link": "https://example.com", # ignored except for Document
"contact": {
"type": "Person",
"id": creator_id,
},
"audit": { # this is ignored on everything but Issues
"id": audit_id,
"type": "Audit",
}
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
# Test GET when not owner
obj_id = response.json.get(table_singular).get("id")
response = self.api.get(model, obj_id)
if response.status_code != 403: # we are not onwers yet
all_errors.append(
"{} can retrieve object if not owner".format(model_singular))
continue
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if collection:
all_errors.append(
"{} can retrieve object if not owner (collection)"
.format(model_singular))
continue
# Test GET when owner
acr = all_models.AccessControlRole.query.filter_by(
object_type=model_singular,
name="Admin"
).first()
factories.AccessControlListFactory(
object_id=obj_id,
object_type=model_singular,
ac_role=acr,
person_id=creator_id
)
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if not collection:
all_errors.append(
"{} cannot retrieve object even if owner (collection)"
.format(model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_creator_search(self):
"""Test if creator can see the correct object while using the search api"""
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {"title": "Admin regulation", "context": None},
})
self.api.set_user(self.users['creator'])
acr_id = all_models.AccessControlRole.query.filter_by(
object_type="Policy",
name="Admin"
).first().id
response = self.api.post(all_models.Policy, {
"policy": {
"title": "Creator Policy",
"context": None,
"access_control_list": [
acl_helper.get_acl_json(acr_id, self.users["creator"].id)],
},
})
response.json.get("policy").get("id")
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0]["type"], "Policy")
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(
response.json["results"]["counts"].get("Regulation"), None)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_creator_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['creator'])
creator_count = self._get_count("Person")
self.assertEqual(admin_count, creator_count)
def test_relationships_access(self):
"""Check if creator cannot access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation", "context": None},
})
_, obj_1 = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation 2", "context": None},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {"source": {
"id": obj_0.id,
"type": "Regulation"
}, "destination": {
"id": obj_1.id,
"type": "Regulation"
}, "context": None},
}
)
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['creator'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 0)
def test_revision_access(self):
"""Check if creator can access the right revision objects."""
def gen(title, extra_data=None):
"""Generates section."""
section_content = {"title": title, "context": None}
if extra_data:
section_content.update(**extra_data)
return self.generator.generate(all_models.Section, "section", {
"section": section_content
})[1]
def check(obj, expected):
"""Check that how many revisions of an object current user can see."""
response = self.api.get_query(
all_models.Revision,
"resource_type={}&resource_id={}".format(obj.type, obj.id)
)
self.assertEqual(response.status_code, 200)
self.assertEqual(
len(response.json['revisions_collection']['revisions']),
expected
)
self.api.set_user(self.users["admin"])
obj_1 = gen("Test Section 1")
self.api.set_user(self.users["creator"])
acr_id = all_models.AccessControlRole.query.filter_by(
object_type="Section",
name="Admin"
).first().id
linked_acl = {
"access_control_list": [
acl_helper.get_acl_json(acr_id, self.users["creator"].id)],
}
check(obj_1, 0)
obj_2 = gen("Test Section 2", linked_acl)
obj2_acl = obj_2.access_control_list[0]
check(obj_2, 1)
check(obj2_acl, 1)
@ddt.data("creator", "admin")
def test_count_type_in_accordion(self, glob_role):
"""Return count of Persons in DB for side accordion."""
self.api.set_user(self.users[glob_role])
ocordion_api_person_count_link = (
"/search?"
"q=&types=Program%2CWorkflow_All%2C"
"Audit%2CAssessment%2CIssue%2CRegulation%2C"
"Policy%2CStandard%2CContract%2CClause%2CSection%2CControl%2C"
"Objective%2CPerson%2COrgGroup%2CVendor%2CAccessGroup%2CSystem%2C"
"Process%2CDataAsset%2CProduct%2CProject%2CFacility%2C"
"Market%2CRisk%2CThreat&counts_only=true&"
"extra_columns=Workflow_All%3DWorkflow%2C"
"Workflow_Active%3DWorkflow%2CWorkflow_Draft%3D"
"Workflow%2CWorkflow_Inactive%3DWorkflow&contact_id=1&"
"extra_params=Workflow%3Astatus%3DActive%3BWorkflow_Active"
"%3Astatus%3DActive%3BWorkflow_Inactive%3Astatus%3D"
"Inactive%3BWorkflow_Draft%3Astatus%3DDraft"
)
resp = self.api.client.get(ocordion_api_person_count_link)
self.assertIn("Person", resp.json["results"]["counts"])
self.assertEqual(all_models.Person.query.count(),
resp.json["results"]["counts"]["Person"])
@ddt.data(
("/api/revisions?resource_type={}&resource_id={}", 1),
("/api/revisions?source_type={}&source_id={}", 0),
("/api/revisions?destination_type={}&destination_id={}", 1),
)
@ddt.unpack
def test_changelog_access(self, link, revision_count):
"""Test accessing changelog under GC user who is assigned to object"""
with factories.single_commit():
audit = factories.AuditFactory()
asmnt = factories.AssessmentFactory(audit=audit)
asmnt_id = asmnt.id
factories.RelationshipFactory(source=audit, destination=asmnt)
verifier_role = all_models.AccessControlRole.query.filter_by(
object_type="Assessment",
name="Verifiers",
).first()
factories.AccessControlListFactory(
person=self.users["creator"],
ac_role=verifier_role,
object=asmnt,
)
self.api.set_user(self.users["creator"])
response = self.api.client.get(link.format("Assessment", asmnt_id))
self.assert200(response)
self.assertEqual(
len(response.json.get("revisions_collection", {}).get("revisions")),
revision_count
)
@ddt.data(all_models.ControlCategory, all_models.ControlAssertion)
def test_permissions_for_categories(self, category_model):
"""Test get collection for {0}."""
self.api.set_user(self.users["creator"])
resp = self.api.get_collection(category_model, None)
plural_name = category_model._inflector.table_plural
key_name = "{}_collection".format(plural_name)
self.assertIn(key_name, resp.json)
self.assertIn(plural_name, resp.json[key_name])
collection = resp.json[key_name][plural_name]
self.assertTrue(collection, "Collection shouldn't be empty")
class TestFilterByAuditor(TestCase):
""" Test for filter by Auditor. """
def setUp(self):
super(TestFilterByAuditor, self).setUp()
self.api = Api()
self.generator = ObjectGenerator()
_, self.auditor = self.generator.generate_person(user_role="Creator")
auditor_role = all_models.Role.query.filter_by(name="Auditor").first()
with factories.single_commit():
self.audit = factories.AuditFactory(status="In Progress")
self.audit_id = self.audit.id
audit_context = factories.ContextFactory()
self.audit.context = audit_context
rbac_factories.UserRoleFactory(
context=audit_context,
role=auditor_role,
person=self.auditor)
self.api.set_user(self.auditor)
def test_query_audits_by_auditor(self):
"""test get audit as query get"""
objects = self.api.get_query(all_models.Audit, "")
self.assertEqual(1, len(objects.json["audits_collection"]["audits"]))
audit_dict = objects.json["audits_collection"]["audits"][0]
self.assertEqual(self.audit_id, audit_dict["id"])
def test_filter_audits_by_auditor(self):
"""Test query on audit Global Search.
This query is the fact query that frontend is sending in global search.
"""
query_request_data = [
{
u'fields': [],
u'filters': {
u'expression': {
u'left': {
u'left': u'status',
u'op': {u'name': u'='},
u'right': u'Planned'
},
u'op': {u'name': u'OR'},
u'right': {
u'left': {
u'left': u'status',
u'op': {u'name': u'='},
u'right': u'In Progress'
},
u'op': {u'name': u'OR'},
u'right': {
u'left': {
u'left': u'status',
u'op': {u'name': u'='},
u'right': u'Manager Review'
},
u'op': {u'name': u'OR'},
u'right': {
u'left': {
u'left': u'status',
u'op': {u'name': u'='},
u'right': u'Ready for External Review',
},
u'op': {u'name': u'OR'},
u'right': {
u'left': u'status',
u'op': {u'name': u'='},
u'right': u'Completed',
}
},
},
},
},
u'keys': [u'status'],
u'order_by': {
u'compare': None,
u'keys': [],
u'order': u'',
}
},
u'limit': [0, 5],
u'object_name': u'Audit',
u'permissions': u'read',
u'type': u'values',
},
{
u'filters': {
u'expression': {
u'ids': [u'150'],
u'object_name': u'undefined',
u'op': {u'name': u'relevant'}
},
u'keys': [],
u'order_by': {u'compare': None, u'keys': [], u'order': u''}
},
u'object_name': u'Audit',
u'type': u'ids',
},
]
resp = self.api.send_request(self.api.client.post,
data=query_request_data,
api_link="/query")
self.assertEqual(1, resp.json[0]["Audit"]["count"])
self.assertEqual(self.audit_id, resp.json[0]["Audit"]["values"][0]["id"])
class TestCreatorAudit(TestCase):
"""Set up necessary objects and test Creator role with Audit roles"""
def setUp(self):
super(TestCreatorAudit, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
self.init_roles()
self.init_test_cases()
self.objects = {}
def init_test_cases(self):
"""Create a dict of all possible test cases."""
self.test_cases = {
"Auditor": {
"audit_role": "Auditor",
"objects": {
"audit": {
"get": 200,
"put": 403,
"delete": 403
},
"mapped_Issue": {
"get": 200,
"put": 200,
"delete": 200
},
"unrelated_Issue": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
},
"mapped_Assessment": {
"get": 200,
"put": 200,
"delete": 200
},
"unrelated_Assessment": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
}
def init_roles(self):
"""Create a delete request for the given object."""
response = self.api.get_query(all_models.Role, "")
self.roles = {}
for role in response.json.get("roles_collection").get("roles"):
self.roles[role.get("name")] = role
def init_users(self):
"""Create users used by test cases."""
self.people = {}
for name in ["creator", "notmapped", "mapped", "Auditor"]:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role="Creator")
self.people[name] = user
_, user = self.object_generator.generate_person(
data={"name": "editor"}, user_role="Editor")
self.people["editor"] = user
def delete(self, obj):
"""Create a delete request for the given object.
Args:
obj (model instance): target object to delete
Returns:
int: http response status code
"""
return self.api.delete(obj).status_code
def get(self, obj):
"""Create a get request for the given object.
Args:
obj (model instance): target object to get
Returns:
int: http response status code
"""
return self.api.get(obj.__class__, obj.id).status_code
def put(self, obj):
"""Create a put request for the given object.
Args:
obj (model instance): target object to put
Returns:
int: http response status code
"""
response = self.api.get(obj.__class__, obj.id)
if response.status_code == 200:
return self.api.put(obj, response.json).status_code
else:
return response.status_code
def map(self, dest):
"""Map audit to dest.
Args:
dest (model instance): target object to map to the audit
Returns:
int: http response status code
"""
response = self.api.post(all_models.Relationship, {
"relationship": {"source": {
"id": self.objects["audit"].id,
"type": self.objects["audit"].type,
}, "destination": {
"id": dest.id,
"type": dest.type
}, "context": None},
})
return response.status_code
def init_objects(self, test_case_name):
"""Create a Program, an Audit, and a Mapped object for the test case.
Args:
test_case_name (string): test case to init for
"""
# Create a program
dummy_audit = factories.AuditFactory()
unrelated_audit = {
"type": "Audit",
"context_id": dummy_audit.context.id,
"id": dummy_audit.id,
}
test_case = self.test_cases[test_case_name]
editor = self.people.get('editor')
self.api.set_user(editor)
random_title = factories.random_str()
response = self.api.post(all_models.Program, {
"program": {"title": random_title, "context": None},
})
self.assertEqual(response.status_code, 201)
program_id = response.json.get("program").get("id")
self.objects["program"] = all_models.Program.query.get(program_id)
response = self.api.post(all_models.Audit, {
"audit": {
"title": random_title + " audit",
'program': {'id': program_id},
"status": "Planned",
"context": None
}
})
self.assertEqual(response.status_code, 201)
context = response.json.get("audit").get("context")
audit_id = response.json.get("audit").get("id")
self.objects["audit"] = all_models.Audit.query.get(audit_id)
audits = {
"mapped": {
"type": "Audit",
"context_id": context["id"],
"id": audit_id,
},
"unrelated": unrelated_audit,
}
for prefix, audit_dict in audits.items():
random_title = factories.random_str()
response = self.api.post(all_models.Issue, {
"issue": {
"title": random_title,
"context": {
"type": "Context",
"id": audit_dict["context_id"],
},
"audit": audit_dict,
},
})
self.assertEqual(response.status_code, 201)
issue_id = response.json.get("issue").get("id")
self.objects[prefix + "_Issue"] = all_models.Issue.query.get(issue_id)
response = self.api.post(all_models.Assessment, {
"assessment": {
"title": random_title,
"context": {
"type": "Context",
"id": audit_dict["context_id"],
},
"audit": audit_dict,
},
})
self.assertEqual(response.status_code, 201)
assessment_id = response.json.get("assessment").get("id")
self.objects[prefix + "_Assessment"] = \
all_models.Assessment.query.get(assessment_id)
self.assertEqual(self.map(self.objects["mapped_Issue"]), 201)
self.assertEqual(self.map(self.objects["mapped_Assessment"]), 201)
# Add roles to mapped users:
if "audit_role" in test_case:
person = self.people.get(test_case_name)
role = self.roles[test_case["audit_role"]]
response = self.api.post(all_models.UserRole, {"user_role": {
"person": {
"id": person.id,
"type": "Person",
"href": "/api/people/{}".format(person.id),
}, "role": {
"type": "Role",
"href": "/api/roles/{}".format(role["id"]),
"id": role["id"],
}, "context": {
"type": "Context",
"id": context.get("id"),
"href": "/api/contexts/{}".format(context.get("id"))
}}})
self.assertEqual(response.status_code, 201)
def test_creator_audit_roles(self):
""" Test creator role with all audit scoped roles """
# Check permissions based on test_cases:
errors = []
for test_case in self.test_cases:
self.init_objects(test_case)
person = self.people.get(test_case)
objects = self.test_cases.get(test_case).get('objects')
self.api.set_user(person)
for obj, actions in objects.iteritems():
for action in ("map", "get", "put", "delete"):
if action not in actions:
continue
# reset sesion:
db.session.commit()
func = getattr(self, action)
res = func(self.objects[obj])
if res != actions[action]:
errors.append(
"{}: Tried {} on {}, but received {} instead of {}".format(
test_case, action, obj, res, actions[action]))
self.assertEqual(errors, [])
class TestCreator(TestCase):
""" TestCreator """
def setUp(self):
super(TestCreator, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
def init_users(self):
""" Init users needed by the test cases """
users = [("creator", "Creator"), ("admin", "Administrator")]
self.users = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.users[name] = user
def test_admin_page_access(self):
for role, code in (("creator", 403), ("admin", 200)):
self.api.set_user(self.users[role])
self.assertEqual(self.api.client.get("/admin").status_code, code)
def test_creator_can_crud(self):
""" Test Basic create/read,update/delete operations """
self.api.set_user(self.users["creator"])
audit_id = factories.AuditFactory().id
all_errors = []
base_models = set([
"Control", "DataAsset", "Contract",
"Policy", "Regulation", "Standard", "Document", "Facility",
"Market", "Objective", "OrgGroup", "Vendor", "Product",
"Clause", "System", "Process", "Project", "AccessGroup"
])
for model_singular in base_models:
try:
model = get_model(model_singular)
table_singular = model._inflector.table_singular
table_plural = model._inflector.table_plural
# Test POST creation
response = self.api.post(model, {
table_singular: {
"title": model_singular,
"context": None,
"reference_url": "ref",
"contact": {
"type": "Person",
"id": self.users["creator"].id,
},
"audit": { # this is ignored on everything but Issues
"id": audit_id,
"type": "Audit",
}
},
})
if response.status_code != 201:
all_errors.append("{} post creation failed {} {}".format(
model_singular, response.status, response.data))
continue
# Test GET when not owner
obj_id = response.json.get(table_singular).get("id")
response = self.api.get(model, obj_id)
if response.status_code != 403: # we are not onwers yet
all_errors.append(
"{} can retrieve object if not owner".format(model_singular))
continue
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if len(collection) != 0:
all_errors.append(
"{} can retrieve object if not owner (collection)"
.format(model_singular))
continue
# Become an owner
response = self.api.post(all_models.ObjectOwner, {"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
}, "ownable": {
"type": model_singular,
"id": obj_id
}, "context": None}})
if response.status_code != 201:
all_errors.append("{} can't create owner {}.".format(
model_singular, response.status))
continue
# Test GET when owner
response = self.api.get(model, obj_id)
if response.status_code != 200:
all_errors.append("{} can't GET object {}".format(
model_singular, response.status))
continue
# Test GET collection when owner
response = self.api.get_collection(model, obj_id)
collection = response.json.get(
"{}_collection".format(table_plural)).get(table_plural)
if len(collection) == 0:
all_errors.append(
"{} cannot retrieve object even if owner (collection)"
.format(model_singular))
continue
except:
all_errors.append("{} exception thrown".format(model_singular))
raise
self.assertEqual(all_errors, [])
def test_creator_search(self):
"""Test if creator can see the correct object while using the search api"""
self.api.set_user(self.users['admin'])
self.api.post(all_models.Regulation, {
"regulation": {"title": "Admin regulation", "context": None},
})
self.api.set_user(self.users['creator'])
response = self.api.post(all_models.Policy, {
"policy": {"title": "Creator Policy", "context": None},
})
obj_id = response.json.get("policy").get("id")
self.api.post(all_models.ObjectOwner, {"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
}, "ownable": {
"type": "Policy",
"id": obj_id,
}, "context": None}})
response, _ = self.api.search("Regulation,Policy")
entries = response.json["results"]["entries"]
self.assertEqual(len(entries), 1)
self.assertEqual(entries[0]["type"], "Policy")
response, _ = self.api.search("Regulation,Policy", counts=True)
self.assertEqual(response.json["results"]["counts"]["Policy"], 1)
self.assertEqual(
response.json["results"]["counts"].get("Regulation"), None)
def _get_count(self, obj):
""" Return the number of counts for the given object from search """
response, _ = self.api.search(obj, counts=True)
return response.json["results"]["counts"].get(obj)
def test_creator_should_see_users(self):
""" Test if creator can see all the users in the system """
self.api.set_user(self.users['admin'])
admin_count = self._get_count("Person")
self.api.set_user(self.users['creator'])
creator_count = self._get_count("Person")
self.assertEqual(admin_count, creator_count)
def test_creator_cannot_be_owner(self):
"""Test if creator cannot become owner of the object he has not created"""
self.api.set_user(self.users['admin'])
_, obj = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation", "context": None},
})
self.api.set_user(self.users['creator'])
response = self.api.post(all_models.ObjectOwner, {"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
}, "ownable": {
"type": "Regulation",
"id": obj.id,
}, "context": None}})
self.assertEqual(response.status_code, 403)
def test_relationships_access(self):
"""Check if creator cannot access relationship objects"""
self.api.set_user(self.users['admin'])
_, obj_0 = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation", "context": None},
})
_, obj_1 = self.generator.generate(all_models.Regulation, "regulation", {
"regulation": {"title": "Test regulation 2", "context": None},
})
response, rel = self.generator.generate(
all_models.Relationship, "relationship", {
"relationship": {"source": {
"id": obj_0.id,
"type": "Regulation"
}, "destination": {
"id": obj_1.id,
"type": "Regulation"
}, "context": None},
}
)
relationship_id = rel.id
self.assertEqual(response.status_code, 201)
self.api.set_user(self.users['creator'])
response = self.api.get_collection(all_models.Relationship,
relationship_id)
self.assertEqual(response.status_code, 200)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 0)
def test_revision_access(self):
"""Check if creator can access the right revision objects."""
def gen(title):
return self.generator.generate(all_models.Section, "section", {
"section": {"title": title, "context": None},
})[1]
def check(obj, expected):
"""Check that how many revisions of an object current user can see."""
response = self.api.get_query(
all_models.Revision,
"resource_type={}&resource_id={}".format(obj.type, obj.id)
)
self.assertEqual(response.status_code, 200)
self.assertEqual(
len(response.json['revisions_collection']['revisions']),
expected
)
self.api.set_user(self.users["admin"])
obj_1 = gen("Test Section 1")
obj_2 = gen("Test Section 2")
self.api.post(all_models.ObjectOwner, {"object_owner": {
"person": {
"id": self.users['creator'].id,
"type": "Person",
}, "ownable": {
"type": "Section",
"id": obj_2.id,
}, "context": None}})
self.api.set_user(self.users["creator"])
check(obj_1, 0)
check(obj_2, 2)
class TestEnableDisableNotifications(TestCase):
"""Test enable / disable notifications by user with
specific global role.
"""
def setUp(self):
super(TestEnableDisableNotifications, self).setUp()
self.api = Api()
@ddt.data("Reader", "Creator", "Editor", "Administrator")
def test_default_notif_settings(self, role_name):
"""Test setting 'Daily email digest' checkbox to False
by the user with global role {0}."""
with factories.single_commit():
name = "Test Name"
email = "*****@*****.**"
person = factories.PersonFactory(name=name, email=email)
role = all_models.Role.query.filter(
all_models.Role.name == role_name).one()
rbac_factories.UserRoleFactory(role=role, person=person)
person = all_models.Person.query.get(person.id)
self.api.set_user(person=person)
response = self.api.post(
all_models.NotificationConfig,
data={
"notification_config": {
"person_id": person.id,
"notif_type": "Email_Digest",
"enable_flag": True,
"context": {
"id": None,
"type": "Context"
}
}
},
)
self.assertEqual(response.status_code, 201)
@ddt.data("Reader", "Creator", "Editor", "Administrator")
def test_get_notif_settings(self, role_name):
"""Tests notification configs list is returned after
it has been established by the user with role {0}."""
with factories.single_commit():
name = "Test Name"
email = "*****@*****.**"
person = factories.PersonFactory(name=name, email=email)
role = all_models.Role.query.filter(
all_models.Role.name == role_name).one()
rbac_factories.UserRoleFactory(role=role, person=person)
person = all_models.Person.query.get(person.id)
self.api.set_user(person=person)
response = self.api.post(
all_models.NotificationConfig,
data={
"notification_config": {
"person_id": person.id,
"notif_type": "Email_Digest",
"enable_flag": True,
"context": {
"id": None,
"type": "Context"
}
}
},
)
self.assertEqual(response.status_code, 201)
response = self.api.get_query(all_models.NotificationConfig,
"person_id=%s" % person.id)
result_configs_list = response.json['notification_configs_collection']
self.assertTrue(result_configs_list['notification_configs'] != [])
class TestCreatorProgram(TestCase):
"""Set up necessary objects and test Creator role with Program roles"""
def setUp(self):
super(TestCreatorProgram, self).setUp()
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
self.init_roles()
self.init_test_cases()
self.objects = {}
def init_test_cases(self):
""" Create a dict of all possible test cases """
self.test_cases = {
"notmapped": {
"objects": {
"program": {
"get": 403,
"put": 403,
"delete": 403
},
"mapped_object": {
"get": 403,
"put": 403,
"delete": 403
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
},
},
"mapped": {
"objects": {
"program": {
"get": 403,
"put": 403,
"delete": 403
},
"mapped_object": {
"get": 403,
"put": 403,
"delete": 403
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
"ProgramReader": {
"program_role": "ProgramReader",
"objects": {
"program": {
"get": 200,
"put": 403,
"delete": 403
},
"mapped_object": {
"get": 200,
"put": 403,
"delete": 403
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
"ProgramOwner": {
"program_role": "ProgramOwner",
"objects": {
"program": {
"get": 200,
"put": 200,
"delete": 200
},
"mapped_object": {
"get": 200,
"put": 200,
"delete": 200,
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
"ProgramEditor": {
"program_role": "ProgramEditor",
"objects": {
"program": {
"get": 200,
"put": 200,
"delete": 200
},
"mapped_object": {
"get": 200,
"put": 200,
"delete": 200
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
}
def init_roles(self):
""" Create a delete request for the given object """
response = self.api.get_query(all_models.Role, "")
self.roles = {}
for role in response.json.get("roles_collection").get("roles"):
self.roles[role.get("name")] = role
def init_users(self):
""" Create users used by test cases """
users = [
("creator", "Creator"),
("notmapped", "Creator"),
("mapped", "Creator"),
("ProgramReader", "Creator"),
("ProgramEditor", "Creator"),
("ProgramOwner", "Creator")]
self.people = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.people[name] = user
def delete(self, obj):
""" Create a delete request for the given object """
return self.api.delete(obj).status_code
def get(self, obj):
""" Create a get request for the given object """
return self.api.get(obj.__class__, obj.id).status_code
def put(self, obj):
""" Create a put request for the given object """
response = self.api.get(obj.__class__, obj.id)
if response.status_code == 200:
return self.api.put(obj, response.json).status_code
else:
return response.status_code
def map(self, dest):
""" Map src to dest """
response = self.api.post(all_models.Relationship, {
"relationship": {"source": {
"id": self.objects["program"].id,
"type": self.objects["program"].type,
}, "destination": {
"id": dest.id,
"type": dest.type
}, "context": None},
})
return response.status_code
def init_objects(self, test_case_name):
""" Create a Program and a Mapped object for a given test case """
# Create a program
test_case = self.test_cases[test_case_name]
creator = self.people.get('creator')
self.api.set_user(creator)
random_title = factories.random_str()
response = self.api.post(all_models.Program, {
"program": {"title": random_title, "context": None},
})
self.assertEqual(response.status_code, 201)
context_id = response.json.get("program").get("context").get("id")
program_id = response.json.get("program").get("id")
# Use admin owner role to map it with system
acr_id = all_models.AccessControlRole.query.filter_by(
object_type="System",
name="Admin"
).first().id
self.objects["program"] = all_models.Program.query.get(program_id)
# Create an object:
for obj in ("mapped_object", "unrelated"):
random_title = factories.random_str()
response = self.api.post(all_models.System, {
"system": {
"title": random_title,
"context": None,
"access_control_list": [{
"person": {
"id": creator.id,
"type": "Person",
},
"ac_role_id": acr_id,
"context": None
}],
},
})
self.assertEqual(response.status_code, 201)
system_id = response.json.get("system").get("id")
self.objects[obj] = all_models.System.query.get(system_id)
# Map Object to Program
response = self.api.post(all_models.Relationship, {
"relationship": {"source": {
"id": program_id,
"type": "Program"
}, "destination": {
"id": self.objects["mapped_object"].id,
"type": "System"
}, "context": None},
})
self.assertEqual(response.status_code, 201)
# Map people to Program:
if test_case_name != "notmapped":
person = self.people.get(test_case_name)
response = self.api.post(all_models.ObjectPerson, {"object_person": {
"person": {
"id": person.id,
"type": "Person",
"href": "/api/people/{}".format(person.id),
}, "personable": {
"type": "Program",
"href": "/api/programs/{}".format(program_id),
"id": program_id,
}, "context": {
"type": "Context",
"id": context_id,
"href": "/api/contexts/{}".format(context_id)
}}})
# Add roles to mapped users:
if "program_role" in test_case:
person = self.people.get(test_case_name)
role = self.roles[test_case["program_role"]]
response = self.api.post(all_models.UserRole, {"user_role": {
"person": {
"id": person.id,
"type": "Person",
"href": "/api/people/{}".format(person.id),
}, "role": {
"type": "Role",
"href": "/api/roles/{}".format(role["id"]),
"id": role["id"],
}, "context": {
"type": "Context",
"id": context_id,
"href": "/api/contexts/{}".format(context_id)
}}})
self.assertEqual(response.status_code, 201)
def test_creator_program_roles(self):
""" Test creator role with all program scoped roles """
# Check permissions based on test_cases:
errors = []
for test_case in self.test_cases:
self.init_objects(test_case)
person = self.people.get(test_case)
objects = self.test_cases.get(test_case).get('objects')
self.api.set_user(person)
for obj in ("unrelated", "mapped_object", "program"):
actions = objects[obj]
for action in ("map", "get", "put", "delete"):
# reset sesion:
db.session.commit()
if action not in actions:
continue
func = getattr(self, action)
res = func(self.objects[obj])
if res != actions[action]:
errors.append(
"{}: Tried {} on {}, but received {} instead of {}".format(
test_case, action, obj, res, actions[action]))
# Try mapping
self.assertEqual(errors, [])
class TestEnableDisableNotifications(TestCase):
"""Test enable / disable notifications by user with
specific global role.
"""
def setUp(self):
super(TestEnableDisableNotifications, self).setUp()
self.api = Api()
@ddt.data("Reader", "Creator", "Editor", "Administrator")
def test_default_notif_settings(self, role_name):
"""Test setting 'Daily email digest' checkbox to False
by the user with global role {0}."""
with factories.single_commit():
name = "Test Name"
email = "*****@*****.**"
person = factories.PersonFactory(name=name, email=email)
role = all_models.Role.query.filter(
all_models.Role.name == role_name
).one()
rbac_factories.UserRoleFactory(role=role,
person=person)
person = all_models.Person.query.get(person.id)
self.api.set_user(person=person)
response = self.api.post(
all_models.NotificationConfig,
data={
"notification_config": {
"person_id": person.id,
"notif_type": "Email_Digest",
"enable_flag": True,
"context": {
"id": None,
"type": "Context"
}
}
},
)
self.assertEqual(response.status_code, 201)
@ddt.data("Reader", "Creator", "Editor", "Administrator")
def test_get_notif_settings(self, role_name):
"""Tests notification configs list is returned after
it has been established by the user with role {0}."""
with factories.single_commit():
name = "Test Name"
email = "*****@*****.**"
person = factories.PersonFactory(name=name, email=email)
role = all_models.Role.query.filter(
all_models.Role.name == role_name
).one()
rbac_factories.UserRoleFactory(role=role,
person=person)
person = all_models.Person.query.get(person.id)
self.api.set_user(person=person)
response = self.api.post(
all_models.NotificationConfig,
data={
"notification_config": {
"person_id": person.id,
"notif_type": "Email_Digest",
"enable_flag": True,
"context": {
"id": None,
"type": "Context"
}
}
},
)
self.assertEqual(response.status_code, 201)
response = self.api.get_query(all_models.NotificationConfig,
"person_id=%s" % person.id)
result_configs_list = response.json['notification_configs_collection']
self.assertTrue(result_configs_list['notification_configs'] != [])
class TestCreatorProgram(TestCase):
"""Set up necessary objects and test Creator role with Program roles"""
def setUp(self):
TestCase.setUp(self)
self.generator = Generator()
self.api = Api()
self.object_generator = ObjectGenerator()
self.init_users()
self.init_roles()
self.init_test_cases()
self.objects = {}
def init_test_cases(self):
""" Create a dict of all possible test cases """
self.test_cases = {
"notmapped": {
"objects": {
"program": {
"get": 403,
"put": 403,
"delete": 403
},
"mapped_object": {
"get": 403,
"put": 403,
"delete": 403
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
},
},
"mapped": {
"objects": {
"program": {
"get": 403,
"put": 403,
"delete": 403
},
"mapped_object": {
"get": 403,
"put": 403,
"delete": 403
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
"ProgramReader": {
"program_role": "ProgramReader",
"objects": {
"program": {
"get": 200,
"put": 403,
"delete": 403
},
"mapped_object": {
"get": 200,
"put": 403,
"delete": 403
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
"ProgramOwner": {
"program_role": "ProgramOwner",
"objects": {
"program": {
"get": 200,
"put": 200,
"delete": 200
},
"mapped_object": {
"get": 200,
"put": 200,
"delete": 200,
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
"ProgramEditor": {
"program_role": "ProgramEditor",
"objects": {
"program": {
"get": 200,
"put": 200,
"delete": 200
},
"mapped_object": {
"get": 200,
"put": 200,
"delete": 200
},
"unrelated": {
"get": 403,
"put": 403,
"delete": 403,
"map": 403,
}
}
},
}
def init_roles(self):
""" Create a delete request for the given object """
response = self.api.get_query(all_models.Role, "")
self.roles = {}
for role in response.json.get("roles_collection").get("roles"):
self.roles[role.get("name")] = role
def init_users(self):
""" Create users used by test cases """
users = [("creator", "Creator"), ("notmapped", "Creator"),
("mapped", "Creator"), ("ProgramReader", "Creator"),
("ProgramEditor", "Creator"), ("ProgramOwner", "Creator")]
self.people = {}
for (name, role) in users:
_, user = self.object_generator.generate_person(
data={"name": name}, user_role=role)
self.people[name] = user
def delete(self, obj):
""" Create a delete request for the given object """
return self.api.delete(obj).status_code
def get(self, obj):
""" Create a get request for the given object """
return self.api.get(obj.__class__, obj.id).status_code
def put(self, obj):
""" Create a put request for the given object """
response = self.api.get(obj.__class__, obj.id)
if response.status_code == 200:
return self.api.put(obj, response.json).status_code
else:
return response.status_code
def map(self, dest):
""" Map src to dest """
response = self.api.post(
all_models.Relationship, {
"relationship": {
"source": {
"id": self.objects["program"].id,
"type": self.objects["program"].type,
},
"destination": {
"id": dest.id,
"type": dest.type
},
"context": None
},
})
return response.status_code
def init_objects(self, test_case_name):
""" Create a Program and a Mapped object for a given test case """
# Create a program
test_case = self.test_cases[test_case_name]
creator = self.people.get('creator')
self.api.set_user(creator)
random_title = factories.random_str()
response = self.api.post(all_models.Program, {
"program": {
"title": random_title,
"context": None
},
})
self.assertEqual(response.status_code, 201)
context_id = response.json.get("program").get("context").get("id")
program_id = response.json.get("program").get("id")
self.objects["program"] = all_models.Program.query.get(program_id)
# Create an object:
for obj in ("mapped_object", "unrelated"):
random_title = factories.random_str()
response = self.api.post(all_models.System, {
"system": {
"title": random_title,
"context": None
},
})
self.assertEqual(response.status_code, 201)
system_id = response.json.get("system").get("id")
self.objects[obj] = all_models.System.query.get(system_id)
# Become the owner
response = self.api.post(
all_models.ObjectOwner, {
"object_owner": {
"person": {
"id": creator.id,
"type": "Person",
},
"ownable": {
"id": system_id,
"type": "System"
},
"context": None
}
})
# Map Object to Program
response = self.api.post(
all_models.Relationship, {
"relationship": {
"source": {
"id": program_id,
"type": "Program"
},
"destination": {
"id": self.objects["mapped_object"].id,
"type": "System"
},
"context": None
},
})
self.assertEqual(response.status_code, 201)
# Map people to Program:
if test_case_name != "notmapped":
person = self.people.get(test_case_name)
response = self.api.post(
all_models.ObjectPerson, {
"object_person": {
"person": {
"id": person.id,
"type": "Person",
"href": "/api/people/{}".format(person.id),
},
"personable": {
"type": "Program",
"href": "/api/programs/{}".format(program_id),
"id": program_id,
},
"context": {
"type": "Context",
"id": context_id,
"href": "/api/contexts/{}".format(context_id)
}
}
})
# Add roles to mapped users:
if "program_role" in test_case:
person = self.people.get(test_case_name)
role = self.roles[test_case["program_role"]]
response = self.api.post(
all_models.UserRole, {
"user_role": {
"person": {
"id": person.id,
"type": "Person",
"href": "/api/people/{}".format(person.id),
},
"role": {
"type": "Role",
"href": "/api/roles/{}".format(role["id"]),
"id": role["id"],
},
"context": {
"type": "Context",
"id": context_id,
"href": "/api/contexts/{}".format(context_id)
}
}
})
self.assertEqual(response.status_code, 201)
def test_creator_program_roles(self):
""" Test creator role with all program scoped roles """
# Check permissions based on test_cases:
errors = []
for test_case in self.test_cases:
self.init_objects(test_case)
person = self.people.get(test_case)
objects = self.test_cases.get(test_case).get('objects')
self.api.set_user(person)
for obj in ("unrelated", "mapped_object", "program"):
actions = objects[obj]
for action in ("map", "get", "put", "delete"):
# reset sesion:
db.session.commit()
if action not in actions:
continue
func = getattr(self, action)
res = func(self.objects[obj])
if res != actions[action]:
errors.append(
"{}: Tried {} on {}, but received {} instead of {}"
.format(test_case, action, obj, res,
actions[action]))
# Try mapping
self.assertEqual(errors, [])
def test_creator_audit_request_creation(self):
self.init_objects("ProgramOwner")
program = self.objects.get("program")
creator = self.people.get("creator")
# Create an audit
response = self.api.post(
all_models.Audit, {
"audit": {
"title": "Audit for program",
"status": "Planned",
"context": {
"id": program.context_id,
"type": "Context"
},
"program": {
"context_id": program.context_id,
"id": program.id,
"type": "Program",
},
"contact": {
"id": creator.id,
"type": "Person"
}
},
})
self.assertEqual(response.status_code, 201)
audit_id = response.json.get("audit").get("id")
audit_context_id = response.json.get("audit").get("context").get("id")
# Create a request
response = self.api.post(
all_models.Request, {
"request": {
"title": "Request for audit",
"status": "In Progress",
"context": {
"id": audit_context_id,
"type": "Context"
},
"audit": {
"id": audit_id,
"type": "Audit",
},
"end_date": "2015-12-08",
"start_date": "2015-12-01",
"request_type": "documentation"
},
})
self.assertEqual(response.status_code, 201)
request_id = response.json.get("request").get("id")
# Create assignee/requester relationships
assignee = self.people.get("notmapped")
response = self.api.post(
all_models.Relationship, {
"relationship": {
"attrs": {
"AssigneeType": "Assignee"
},
"context": {
"id": audit_context_id,
"type": "Context",
},
"destination": {
"id": request_id,
"type": "Request",
},
"source": {
"id": assignee.id,
"type": "Person"
}
},
})
self.assertEqual(response.status_code, 201)
relationship_id = response.json.get("relationship").get("id")
response = self.api.get_collection(all_models.Relationship,
relationship_id)
num = len(response.json["relationships_collection"]["relationships"])
self.assertEqual(num, 2)
