def __init__(self, user_id, acr, parent=None):
"""Set up objects for Document permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
self.acr = acr
self.user_id = user_id
self.parent_name = parent
self.document_id = None
self.parent = None
self.parent_id = None
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Document",
).one().id
self.setup_models(self.parent_name)
self.set_user(user_id)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Evidence permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr)
with factories.single_commit():
evidence = factories.EvidenceUrlFactory()
if parent == "Audit":
self.mapping_id = factories.RelationshipFactory(
source=self.audit, destination=evidence).id
elif parent == "Assessment":
self.mapping_id = factories.RelationshipFactory(
source=self.assessment, destination=evidence).id
self.evidence_id = evidence.id
self.parent = parent
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Evidence",
).one().id
self.user_id = user_id
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def setUp(self):
super(TestIssue, self).setUp()
self.api = Api()
with factories.single_commit():
audit = factories.AuditFactory()
for status in all_models.Issue.VALID_STATES:
factories.IssueFactory(audit=audit, status=status)
class TestAssessmentTemplate(TestCase):
""" Test AssessmentTemplate class. """
def setUp(self):
super(TestAssessmentTemplate, self).setUp()
self.api = Api()
def test_audit_setup(self):
"""Test audit setup for assessment_template"""
audit = factories.AuditFactory()
response = self.api.post(
all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {
"id": audit.id
},
"context": {
"id": audit.context.id
},
"default_people": {
"assignees": "Admin",
"verifiers": "Admin",
},
"title": "Some title"
}
})
self.assertStatus(response, 201)
template_id = response.json["assessment_template"]["id"]
template = all_models.AssessmentTemplate.query.get(template_id)
self.assertEqual(template.audit.id, audit.id)
def test_audit_issue_tracker(self):
"""Test existing audit issue_tracker info in template response"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
factories.IssueTrackerIssueFactory(
issue_tracked_obj=audit,
component_id="some id",
hotlist_id="some host id",
)
template_id = factories.AssessmentTemplateFactory(
audit=audit, context=audit.context).id
response = self.api.get(all_models.AssessmentTemplate, template_id)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
self.assertEqual(
response.json["assessment_template"]["audit"], {
"type": "Audit",
"id": audit.id,
"href": "/api/audits/{}".format(audit.id),
"context_id": audit.context.id,
"issue_tracker": {
"component_id": "some id",
"enabled": False,
"issue_severity": None,
"hotlist_id": "some host id",
"issue_priority": None,
"issue_type": None
}
})
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Snapshot permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr)
control = factories.ControlFactory()
# pylint: disable=protected-access
snapshot = TestCase._create_snapshots(self.audit, [control])[0]
factories.RelationshipFactory(source=snapshot, destination=self.audit)
factories.RelationshipFactory(source=control, destination=self.program)
if parent == "Assessment":
factories.RelationshipFactory(source=snapshot,
destination=self.assessment)
self.control_id = control.id
self.snapshot_id = snapshot.id
self.user_id = user_id
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
class TestReindex(TestCase):
"""Tests for reindex procedure."""
def setUp(self):
super(TestReindex, self).setUp()
self.api = Api()
def test_reindex(self):
"""Test reindex of big portion of objects."""
obj_count = listeners.ReindexSet.CHUNK_SIZE + 1
with factories.single_commit():
audit = factories.AuditFactory()
for _ in range(obj_count):
factories.AssessmentFactory(audit=audit)
indexer = fulltext.get_indexer()
archived_index = indexer.record_type.query.filter(
mysql.MysqlRecordProperty.type == "Assessment",
mysql.MysqlRecordProperty.property == "archived",
mysql.MysqlRecordProperty.content == "True")
self.assertEqual(archived_index.count(), 0)
# Reindex of Audit.archived lead to reindex of all related assessments
self.api.put(audit, {"archived": True})
# Check that all Assessment.archived were properly reindexed
self.assertEqual(archived_index.count(), obj_count)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle Task permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.admin_control_id = {
name: id
for id, name in access_control.role.get_custom_roles_for(
"Control").items()
}["Admin"]
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
self.user_id = user_id
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
class TestReindex(TestCase):
"""Tests for reindex procedure."""
def setUp(self):
super(TestReindex, self).setUp()
self.api = Api()
def test_reindex(self):
"""Test reindex of big portion of objects."""
obj_count = listeners.ReindexSet.CHUNK_SIZE + 1
with factories.single_commit():
audit = factories.AuditFactory()
for _ in range(obj_count):
factories.AssessmentFactory(audit=audit)
indexer = fulltext.get_indexer()
archived_index = indexer.record_type.query.filter(
mysql.MysqlRecordProperty.type == "Assessment",
mysql.MysqlRecordProperty.property == "archived",
mysql.MysqlRecordProperty.content == "True"
)
self.assertEqual(archived_index.count(), 0)
# Reindex of Audit.archived lead to reindex of all related assessments
self.api.put(audit, {"archived": True})
# Check that all Assessment.archived were properly reindexed
self.assertEqual(archived_index.count(), obj_count)
class TestAssessmentTemplate(TestCase):
""" Test AssessmentTemplate class. """
def setUp(self):
super(TestAssessmentTemplate, self).setUp()
self.api = Api()
def test_audit_setup(self):
"""Test audit setup for assessment_template"""
audit = factories.AuditFactory()
response = self.api.post(all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {"id": audit.id},
"context": {"id": audit.context.id},
"default_people": {
"assignees": "Admin",
"verifiers": "Admin",
},
"title": "Some title"
}
})
self.assertStatus(response, 201)
template_id = response.json["assessment_template"]["id"]
template = all_models.AssessmentTemplate.query.get(template_id)
self.assertEqual(template.audit.id, audit.id)
def test_audit_issue_tracker(self):
"""Test existing audit issue_tracker info in template response"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
factories.IssueTrackerIssueFactory(
issue_tracked_obj=audit,
component_id="some id",
hotlist_id="some host id",
)
template_id = factories.AssessmentTemplateFactory(
audit=audit,
context=audit.context
).id
response = self.api.get(all_models.AssessmentTemplate, template_id)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
self.assertEqual(
response.json["assessment_template"]["audit"],
{
"type": "Audit",
"id": audit.id,
"href": "/api/audits/{}".format(audit.id),
"context_id": audit.context.id,
"issue_tracker": {
"component_id": "some id",
"enabled": False,
"issue_severity": None,
"hotlist_id": "some host id",
"issue_priority": None,
"issue_type": None
}
}
)
class TestMaxACLValidation(TestCase):
"""Test AccessControlList max roles validation."""
def setUp(self):
super(TestMaxACLValidation, self).setUp()
self.api = Api()
self.client.get("/login")
@ddt.data("Assignee", "Verifier")
def test_max_roles_validation(self, role):
"""Test validation of max {} roles in object(OrgGroup)"""
og_admin = db.session.query(all_models.AccessControlRole.id).filter(
all_models.AccessControlRole.object_type == "OrgGroup",
all_models.AccessControlRole.name == "Admin").one()[0]
og_role = db.session.query(all_models.AccessControlRole.id).filter(
all_models.AccessControlRole.object_type == "OrgGroup",
all_models.AccessControlRole.name == role).one()[0]
acl = [
{
"ac_role_id": og_admin,
"person": {
"type": "Person",
"id": factories.PersonFactory().id,
}
},
{
"ac_role_id": og_role,
"person": {
"type": "Person",
"id": factories.PersonFactory().id,
}
},
]
data = {
"org_group": {
"title": "org_group title",
"context": None,
"access_control_list": acl,
}
}
response = self.api.post(all_models.OrgGroup, data)
self.assertEqual(response.status_code, 201)
self.assertEqual(all_models.OrgGroup.query.count(), 1)
data["org_group"]["title"] = "org_group title2"
acl += [{
"ac_role_id": og_role,
"person": {
"type": "Person",
"id": factories.PersonFactory().id,
}
}]
response = self.api.post(all_models.OrgGroup, data)
self.assertEqual(response.status_code, 400)
self.assertEqual(all_models.OrgGroup.query.count(), 1)
def setUp(self):
super(TestAccessControlListValidation, self).setUp()
self.api = Api()
self.client.get("/login")
role_ids = db.session.query(all_models.AccessControlRole.id).filter(
all_models.AccessControlRole.object_type.in_(
("Control", "Objective")),
all_models.AccessControlRole.name == "Admin").order_by(
all_models.AccessControlRole.object_type)
role_ids = [id_[0] for id_ in role_ids]
self.control_admin_acr_id, self.objective_admin_acr_id = role_ids
def generate_cycle(workflow_id, api=None):
"""Create cycle with task automatically."""
if not api:
api = Api()
return api.post(all_models.Cycle, {
"cycle": {
"context": None,
"autogenerate": True,
"isOverdue": False,
"workflow": {
"id": workflow_id,
"type": "Workflow",
},
}
})
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Workflow permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
class TestIssueDueDate(TestCase):
"""Test suite to test Due Date of Issue"""
def setUp(self):
self.clear_data()
super(TestIssueDueDate, self).setUp()
self.api = Api()
def test_issue_due_date_post(self):
"""Test POST requests to Issue.due_date"""
response = self.api.post(all_models.Issue,
data={
"issue": {
"title": "TestDueDate",
"context": None,
"due_date": "06/14/2018",
}
})
self.assertEqual(201, response.status_code)
due_date = all_models.Issue.query.first().due_date.strftime("%m/%d/%Y")
self.assertEqual(due_date, "06/14/2018")
def test_issue_due_date_get(self):
"""Test GET HTTP requests to Issue.due_date"""
issue = factories.IssueFactory(due_date=datetime.date(2018, 6, 14))
response = self.api.get(all_models.Issue, issue.id)
issue_json = response.json
self.assert200(response)
self.assertEqual(issue_json["issue"]["due_date"], "2018-06-14")
def test_issue_due_date_put(self):
"""Test PUT HTTP requests to Issue.due_date"""
issue = factories.IssueFactory(due_date=datetime.date(2018, 6, 14))
data = issue.log_json()
data["due_date"] = "2018-06-15"
response = self.api.put(issue, data)
self.assert200(response)
self.assertEqual(response.json["issue"]["due_date"], "2018-06-15")
def test_issue_due_date_mandatory(self):
"""Test Issue.due_date is mandatory field"""
response = self.api.post(
all_models.Issue,
data={"issue": {
"title": "TestDueDate",
"context": None
}})
self.assert400(response)
self.assertIn("Due Date for the issue is not specified", response.data)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Snapshot permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr)
control = factories.ControlFactory()
# pylint: disable=protected-access
snapshot = TestCase._create_snapshots(self.audit, [control])[0]
factories.RelationshipFactory(source=snapshot, destination=self.audit)
factories.RelationshipFactory(source=control, destination=self.program)
if parent == "Assessment":
factories.RelationshipFactory(
source=snapshot, destination=self.assessment
)
self.control_id = control.id
self.snapshot_id = snapshot.id
self.user_id = user_id
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def generate_cycle(workflow_id, api=None):
"""Create cycle with task automatically."""
if not api:
api = Api()
return api.post(
all_models.Cycle, {
"cycle": {
"context": None,
"autogenerate": True,
"isOverdue": False,
"workflow": {
"id": workflow_id,
"type": "Workflow",
},
}
})
def setUp(self):
super(TestIssue, self).setUp()
self.api = Api()
with factories.single_commit():
audit = factories.AuditFactory()
for status in all_models.Issue.VALID_STATES:
factories.IssueFactory(audit=audit, status=status)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Document permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
self.acr = acr
self.user_id = user_id
self.parent_name = parent
self.document_id = None
self.parent = None
self.parent_id = None
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Document",
).one().id
self.setup_models(self.parent_name)
self.set_user(user_id)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Evidence permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr)
with factories.single_commit():
evidence = factories.EvidenceUrlFactory()
if parent == "Audit":
self.mapping_id = factories.RelationshipFactory(
source=self.audit, destination=evidence
).id
elif parent == "Assessment":
self.mapping_id = factories.RelationshipFactory(
source=self.assessment, destination=evidence
).id
self.evidence_id = evidence.id
self.parent = parent
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Evidence",
).one().id
self.user_id = user_id
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
class TestAudit(TestCase):
""" Test Audit class. """
def setUp(self):
super(TestAudit, self).setUp()
self.api = Api()
self.gen = generator.ObjectGenerator()
def generate_control_mappings(self, control):
"""Map Control to several Assessments"""
acr_creator = all_models.AccessControlRole.query.filter_by(
name="Creators", object_type="Assessment").first()
with factories.single_commit():
person = factories.PersonFactory()
asmnt_ids = []
for _ in range(2):
asmnt = factories.AssessmentFactory()
asmnt_ids.append(asmnt.id)
factories.AccessControlListFactory(object=asmnt,
person=person,
ac_role=acr_creator)
for asmnt_id in asmnt_ids:
asmnt = all_models.Assessment.query.get(asmnt_id)
self.gen.generate_relationship(source=asmnt, destination=control)
def test_creation_mapped_control(self):
"""Check creation of new Audit if Program has Control with mapped roles"""
control = factories.ControlFactory()
# Map original of control to several assessments to get propagated roles
self.generate_control_mappings(control)
# Existing control should be updated to create new revision with ACL
self.api.put(control, {"title": "Test Control"})
program = factories.ProgramFactory()
factories.RelationshipFactory(source=program, destination=control)
response = self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id
},
"status": "Planned",
"context": None
}
}])
self.assert200(response)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Assessment permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr, parent)
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
self.acr = acr
self.user_id = user_id
self.parent_name = parent
self.document_id = None
self.parent = None
self.parent_id = None
self.setup_models(self.parent_name)
self.set_user(user_id)
class CycleRBACFactory(base.BaseRBACFactory):
"""Cycle RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle permission tests.
Args:
user_id: Id of user under which all operations will be run.
object_acl: Dict with format: {
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new cycle for Workflow."""
return self.generate_cycle(self.workflow_id, self.api)
def update(self):
"""Update existing cycle."""
cycle = all_models.Cycle.query.first()
return self.api.put(cycle, {"title": factories.random_str()})
def delete(self):
"""Delete existing cycle."""
cycle = all_models.Cycle.query.first()
return self.api.delete(cycle)
def activate(self):
"""Activate Workflow."""
workflow = all_models.Workflow.query.get(self.workflow_id)
cycle = wf_factories.CycleFactory(workflow=workflow)
return self.api.put(
workflow, {
"status": "Active",
"recurrences": bool(workflow.repeat_every and workflow.unit),
"cycles": [{
"id": cycle.id,
"type": "Cycle",
}]
})
def read(self):
"""Read existing Cycle object."""
cycle = all_models.Cycle.query.first()
return self.api.get(cycle, cycle.id)
def end(self):
"""End existing Cycle."""
cycle = all_models.Cycle.query.first()
return self.api.put(cycle, {"is_current": False})
class CycleRBACFactory(base.BaseRBACFactory):
"""Cycle RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle permission tests.
Args:
user_id: Id of user under which all operations will be run.
object_acl: Dict with format: {
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new cycle for Workflow."""
return self.generate_cycle(self.workflow_id, self.api)
def update(self):
"""Update existing cycle."""
cycle = all_models.Cycle.query.first()
return self.api.put(cycle, {"title": factories.random_str()})
def delete(self):
"""Delete existing cycle."""
cycle = all_models.Cycle.query.first()
return self.api.delete(cycle)
def activate(self):
"""Activate Workflow."""
workflow = all_models.Workflow.query.get(self.workflow_id)
cycle = wf_factories.CycleFactory(workflow=workflow)
return self.api.put(workflow, {
"status": "Active",
"recurrences": bool(workflow.repeat_every and workflow.unit),
"cycles": [{
"id": cycle.id,
"type": "Cycle",
}]
})
def read(self):
"""Read existing Cycle object."""
cycle = all_models.Cycle.query.first()
return self.api.get(cycle, cycle.id)
def end(self):
"""End existing Cycle."""
cycle = all_models.Cycle.query.first()
return self.api.put(cycle, {"is_current": False})
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Assessment Template permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr, parent)
with factories.single_commit():
template = factories.AssessmentTemplateFactory(audit=self.audit)
factories.RelationshipFactory(source=self.audit, destination=template)
self.template_id = template.id
self.default_assignees = "Admin"
self.default_verifiers = "Admin"
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
class CycleTaskGroupRBACFactory(base.BaseRBACFactory):
"""Cycle Task Group RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle Task Group permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.admin_control_id = {
name: id_ for id_, name
in access_control.role.get_custom_roles_for("Control").items()
}["Admin"]
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def read(self):
"""Read existing Cycle Task Group object."""
cycle_tg = all_models.CycleTaskGroup.query.first()
return self.api.get(all_models.CycleTaskGroup, cycle_tg.id)
def update(self):
"""Update title of existing Cycle Task Group object."""
cycle_tg = all_models.CycleTaskGroup.query.first()
return self.api.put(cycle_tg, {"title": factories.random_str()})
def delete(self):
"""Delete Cycle Task Group object."""
cycle_tg = all_models.CycleTaskGroup.query.first()
return self.api.delete(cycle_tg)
class CycleTaskGroupRBACFactory(base.BaseRBACFactory):
"""Cycle Task Group RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle Task Group permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.admin_control_id = {
name: id_
for id_, name in access_control.role.get_custom_roles_for(
"Control").items()
}["Admin"]
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def read(self):
"""Read existing Cycle Task Group object."""
cycle_tg = all_models.CycleTaskGroup.query.first()
return self.api.get(all_models.CycleTaskGroup, cycle_tg.id)
def update(self):
"""Update title of existing Cycle Task Group object."""
cycle_tg = all_models.CycleTaskGroup.query.first()
return self.api.put(cycle_tg, {"title": factories.random_str()})
def delete(self):
"""Delete Cycle Task Group object."""
cycle_tg = all_models.CycleTaskGroup.query.first()
return self.api.delete(cycle_tg)
def setUp(self):
super(TestAccessControlListValidation, self).setUp()
self.api = Api()
self.client.get("/login")
role_ids = db.session.query(
all_models.AccessControlRole.id
).filter(
all_models.AccessControlRole.object_type.in_(("Control", "Objective")),
all_models.AccessControlRole.name == "Admin"
).order_by(all_models.AccessControlRole.object_type)
role_ids = [id_[0] for id_ in role_ids]
self.control_admin_acr_id, self.objective_admin_acr_id = role_ids
class TestIssueDueDate(TestCase):
"""Test suite to test Due Date of Issue"""
def setUp(self):
self.clear_data()
super(TestIssueDueDate, self).setUp()
self.api = Api()
def test_issue_due_date_post(self):
"""Test POST requests to Issue.due_date"""
response = self.api.post(all_models.Issue, data={
"issue": {
"title": "TestDueDate",
"context": None,
"due_date": "06/14/2018",
}
})
self.assertEqual(201, response.status_code)
due_date = all_models.Issue.query.first().due_date.strftime("%m/%d/%Y")
self.assertEqual(due_date, "06/14/2018")
def test_issue_due_date_get(self):
"""Test GET HTTP requests to Issue.due_date"""
issue = factories.IssueFactory(due_date=datetime.date(2018, 6, 14))
response = self.api.get(all_models.Issue, issue.id)
issue_json = response.json
self.assert200(response)
self.assertEqual(issue_json["issue"]["due_date"], "2018-06-14")
def test_issue_due_date_put(self):
"""Test PUT HTTP requests to Issue.due_date"""
issue = factories.IssueFactory(due_date=datetime.date(2018, 6, 14))
data = issue.log_json()
data["due_date"] = "2018-06-15"
response = self.api.put(issue, data)
self.assert200(response)
self.assertEqual(response.json["issue"]["due_date"], "2018-06-15")
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Workflow permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
class CycleTaskEntryRBACFactory(base.BaseRBACFactory):
"""Cycle Task Entry RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle Task Entry permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
self.create()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Cycle Task Entry object."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.post(all_models.CycleTaskEntry, {
"cycle_task_entry": {
"description": "New Comment",
"is_declining_review": "",
"context": None,
"cycle_task_group_object_task": {
"id": cycle_task.id,
"type": "CycleTaskGroupObjectTask",
},
"cycle": {
"id": cycle_task.cycle.id,
"type": "Cycle",
},
}
})
def read(self):
"""Read existing Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.get(cycle_task_entry, cycle_task_entry.id)
def update(self):
"""Update title of existing Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.put(
cycle_task_entry,
{"description": factories.random_str()}
)
def delete(self):
"""Delete Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.delete(cycle_task_entry)
class CycleTaskEntryRBACFactory(base.BaseRBACFactory):
"""Cycle Task Entry RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle Task Entry permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
self.create()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Cycle Task Entry object."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.post(all_models.CycleTaskEntry, {
"cycle_task_entry": {
"description": "New Comment",
"is_declining_review": "",
"context": None,
"cycle_task_group_object_task": {
"id": cycle_task.id,
"type": "CycleTaskGroupObjectTask",
},
"cycle": {
"id": cycle_task.cycle.id,
"type": "Cycle",
},
}
})
def read(self):
"""Read existing Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.get(cycle_task_entry, cycle_task_entry.id)
def update(self):
"""Update title of existing Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.put(
cycle_task_entry,
{"description": factories.random_str()}
)
def delete(self):
"""Delete Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.delete(cycle_task_entry)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Assessment permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr, parent)
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
class TestIssue(TestCase):
""" Test Issue class. """
def setUp(self):
super(TestIssue, self).setUp()
self.api = Api()
with factories.single_commit():
audit = factories.AuditFactory()
for status in all_models.Issue.VALID_STATES:
factories.IssueFactory(audit=audit, status=status)
def test_filter_by_status(self):
"""Test Issue filtering by status."""
query_request_data = [{
'fields': [],
'filters': {
'expression': {
'left': {
'left': 'status',
'op': {
'name': '='
},
'right': 'Fixed'
},
'op': {
'name': 'OR'
},
'right': {
'left': 'status',
'op': {
'name': '='
},
'right': 'Fixed and Verified'
},
},
},
'object_name': 'Issue',
'permissions': 'read',
'type': 'values',
}]
response = self.api.send_request(self.api.client.post,
data=query_request_data,
api_link="/query")
self.assertEqual(response.status_code, 200)
statuses = {i["status"] for i in response.json[0]["Issue"]["values"]}
self.assertEqual(statuses, {"Fixed", "Fixed and Verified"})
class TestIssue(TestCase):
""" Test Issue class. """
def setUp(self):
super(TestIssue, self).setUp()
self.api = Api()
with factories.single_commit():
audit = factories.AuditFactory()
for status in all_models.Issue.VALID_STATES:
factories.IssueFactory(audit=audit, status=status)
def test_filter_by_status(self):
"""Test Issue filtering by status."""
query_request_data = [{
'fields': [],
'filters': {
'expression': {
'left': {
'left': 'status',
'op': {'name': '='},
'right': 'Fixed'
},
'op': {'name': 'OR'},
'right': {
'left': 'status',
'op': {'name': '='},
'right': 'Fixed and Verified'
},
},
},
'object_name': 'Issue',
'permissions': 'read',
'type': 'values',
}]
response = self.api.send_request(
self.api.client.post,
data=query_request_data,
api_link="/query"
)
self.assertEqual(response.status_code, 200)
statuses = {i["status"] for i in response.json[0]["Issue"]["values"]}
self.assertEqual(statuses, {"Fixed", "Fixed and Verified"})
def __init__(self, user_id, acr, parent=None):
"""Set up objects for permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
self.acr = acr
self.user_id = user_id
self.parent_name = parent
self.document_id = None
self.parent = None
self.parent_id = None
self.setup_models(self.parent_name)
self.set_user(user_id)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle Task Group permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.admin_control_id = {
name: id_ for id_, name
in access_control.role.get_custom_roles_for("Control").items()
}["Admin"]
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Assessment Template permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr, parent)
with factories.single_commit():
template = factories.AssessmentTemplateFactory(audit=self.audit)
factories.RelationshipFactory(source=self.audit, destination=template)
self.template_id = template.id
self.default_assignees = "Admin"
self.default_verifiers = "Admin"
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Program permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_program_scope(user_id, acr, "Program")
self.admin_control_id = {
name: id for id, name
in access_control.role.get_custom_roles_for("Control").items()
}["Admin"]
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
self.user_id = user_id
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
class ProgramRBACFactory(base.BaseRBACFactory):
"""Program RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Program permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_program_scope(user_id, acr, "Program")
self.admin_control_id = {
name: id
for id, name in access_control.role.get_custom_roles_for(
"Control").items()
}["Admin"]
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
self.user_id = user_id
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Program object."""
return self.api.post(
all_models.Program, {
"program": {
"title": "New program",
"program": {
"id": self.program_id
},
"context": None,
"access_control_list": [],
}
})
def read(self):
"""Read existing Audit object."""
return self.api.get(all_models.Program, self.program_id)
def update(self):
"""Update title of existing Audit object."""
program = all_models.Program.query.get(self.program_id)
return self.api.put(program, {"title": factories.random_str()})
def delete(self):
"""Delete Audit object."""
program = all_models.Program.query.get(self.program_id)
return self.api.delete(program)
def read_revisions(self):
"""Read revisions for Assessment object."""
responses = []
for query in [
"source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"
]:
responses.append(
self.api.get_query(all_models.Program,
query.format("program", self.program_id)))
return responses
def map_control(self):
"""Map new Control to Program."""
with factories.single_commit():
control = factories.ControlFactory()
for acl in control._access_control_list:
if acl.ac_role_id == self.admin_control_id:
factories.AccessControlPersonFactory(
person_id=self.user_id,
ac_list=acl,
)
program = all_models.Program.query.get(self.program_id)
return self.objgen.generate_relationship(
source=program,
destination=control,
)[0]
def unmap_control(self):
"""Unmap Control from Program."""
control = factories.ControlFactory()
program = all_models.Program.query.get(self.program_id)
rel = factories.RelationshipFactory(source=control,
destination=program)
return self.api.delete(rel)
def read_mapped(self):
"""Read project mapped to Program."""
program = all_models.Program.query.get(self.program_id)
with factories.single_commit():
project = factories.ProjectFactory()
factories.RelationshipFactory(source=project, destination=program)
return self.api.get(project, project.id)
def update_mapped(self):
"""Update project mapped to Program."""
program = all_models.Program.query.get(self.program_id)
with factories.single_commit():
project = factories.ProjectFactory()
factories.RelationshipFactory(source=project, destination=program)
return self.api.put(project, {"title": factories.random_str()})
def delete_mapped(self):
"""Delete project mapped to Program."""
program = all_models.Program.query.get(self.program_id)
with factories.single_commit():
project = factories.ProjectFactory()
factories.RelationshipFactory(source=project, destination=program)
return self.api.delete(project)
def setUp(self): super(TestAudit, self).setUp() self.api = Api() self.gen = generator.ObjectGenerator()
class EvidenceRBACFactory(base.BaseRBACFactory):
"""Evidence RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Evidence permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr)
with factories.single_commit():
evidence = factories.EvidenceUrlFactory()
if parent == "Audit":
self.mapping_id = factories.RelationshipFactory(
source=self.audit, destination=evidence).id
elif parent == "Assessment":
self.mapping_id = factories.RelationshipFactory(
source=self.assessment, destination=evidence).id
self.evidence_id = evidence.id
self.parent = parent
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Evidence",
).one().id
self.user_id = user_id
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Evidence object."""
result = self.api.post(
all_models.Evidence, {
"evidence": {
"access_control_list": [{
"ac_role_id": self.admin_acr_id,
"person": {
"id": self.user_id,
"type": "Person",
}
}],
"link":
factories.random_str(),
"title":
factories.random_str(),
"context":
None,
}
})
return result
def read(self):
"""Read existing Evidence object."""
res = self.api.get(all_models.Evidence, self.evidence_id)
return res
def update(self):
"""Update title of existing Evidence object."""
evidence = all_models.Evidence.query.get(self.evidence_id)
return self.api.put(evidence, {"title": factories.random_str()})
def delete(self):
"""Delete Evidence object."""
evidence = all_models.Evidence.query.get(self.evidence_id)
return self.api.delete(evidence)
def map(self, evidence=None):
"""Map Evidence to parent object."""
if self.parent == "Audit":
parent = all_models.Audit.query.get(self.audit_id)
else:
parent = all_models.Assessment.query.get(self.assessment_id)
map_evidence = evidence if evidence else factories.EvidenceUrlFactory()
return self.api.put(
parent, {
"actions": {
"add_related": [{
"id": map_evidence.id,
"type": "Evidence",
}]
}
})
def create_and_map(self):
"""Create new Evidence and map it to parent."""
response = self.create()
evidence_id = None
if response.json and response.json.get("evidence"):
evidence_id = response.json.get("evidence", {}).get("id")
if not evidence_id:
return response
evidence = all_models.Evidence.query.get(evidence_id)
return self.map(evidence)
def add_comment(self):
"""Map new comment to evidence."""
evidence = all_models.Evidence.query.get(self.evidence_id)
_, comment = self.objgen.generate_object(
all_models.Comment, {
"description": factories.random_str(),
"context": None,
})
return self.objgen.generate_relationship(source=evidence,
destination=comment)[0]
def read_comments(self):
"""Read comments mapped to evidence"""
evidence = all_models.Evidence.query.get(self.evidence_id)
with factories.single_commit():
comment = factories.CommentFactory(
description=factories.random_str())
factories.RelationshipFactory(source=evidence, destination=comment)
query_request_data = [{
"fields": [],
"filters": {
"expression": {
"object_name": "Evidence",
"op": {
"name": "relevant"
},
"ids": [evidence.id]
}
},
"object_name": "Comment",
}]
response = self.api.send_request(self.api.client.post,
data=query_request_data,
api_link="/query")
return response
def setUp(self): self.clear_data() super(TestIssueDueDate, self).setUp() self.api = Api()
class TestEvidenceRolePropagation(TestCase):
"""Evidence role propagation test case"""
# pylint: disable=invalid-name
def setUp(self):
super(TestEvidenceRolePropagation, self).setUp()
self.api = Api()
self.generator = ObjectGenerator()
# Propagation isn't work for 'Primary Contacts', 'Secondary Contacts'
# just add them to data list to check if fix works.
@ddt.data("Assignees", "Creators", "Verifiers")
def test_assessment_role_propagation_edit(self, role_name):
"""Asses user with role '{0}' should be able to edit related evidence"""
_, reader = self.generator.generate_person(user_role="Creator")
with factories.single_commit():
assessment = factories.AssessmentFactory()
assessment.add_person_with_role_name(reader, role_name)
evidence = factories.EvidenceFactory()
evidence_id = evidence.id
factories.RelationshipFactory(source=assessment, destination=evidence)
self.api.set_user(reader)
evidence = all_models.Evidence.query.get(evidence_id)
new_description = 'new description'
resp = self.api.modify_object(evidence, {'description': new_description})
evidence = self.refresh_object(evidence)
self.assert200(resp)
self.assertEquals(new_description, evidence.description)
self.assertEquals(reader.id, evidence.modified_by_id)
@ddt.data(
("Creator", "Audit Captains", 200),
("Creator", "Auditors", 403),
("Reader", "Audit Captains", 200),
("Reader", "Auditors", 403),
("Editor", "Audit Captains", 200),
("Editor", "Auditors", 200),
)
@ddt.unpack
def test_audit_role_propagation_edit(self, user_role, audit_role,
status_code):
"""'{0}' assigned as '{1}' should get '{2}' when editing audit evidence"""
_, user = self.generator.generate_person(user_role=user_role)
with factories.single_commit():
audit = factories.AuditFactory()
audit.add_person_with_role_name(user, audit_role)
evidence = factories.EvidenceFactory()
evidence_id = evidence.id
factories.RelationshipFactory(source=audit, destination=evidence)
self.api.set_user(user)
evidence = all_models.Evidence.query.get(evidence_id)
new_description = 'new description'
resp = self.api.modify_object(evidence, {'description': new_description})
evidence = self.refresh_object(evidence)
if status_code == 200:
self.assert200(resp)
self.assertEquals(new_description, evidence.description)
self.assertEquals(user.id, evidence.modified_by_id)
else:
self.assertStatus(resp, status_code)
def test_audit_role_propagation_not_delete(self):
"""Audit user with role Auditors can NOT delete related evidence"""
role_name = "Auditors"
_, reader = self.generator.generate_person(user_role="Reader")
with factories.single_commit():
audit = factories.AuditFactory()
audit.add_person_with_role_name(reader, role_name)
evidence = factories.EvidenceFactory()
evidence_id = evidence.id
factories.RelationshipFactory(source=audit, destination=evidence)
self.api.set_user(reader)
evidence = all_models.Evidence.query.get(evidence_id)
resp = self.api.delete(evidence)
self.assertStatus(resp, 403)
evidence = all_models.Evidence.query.get(evidence_id)
self.assertTrue(evidence)
class TestAssessmentTemplate(TestCase):
""" Test AssessmentTemplate class. """
def setUp(self):
super(TestAssessmentTemplate, self).setUp()
self.api = Api()
def test_audit_setup(self):
"""Test audit setup for assessment_template"""
audit = factories.AuditFactory()
response = self.api.post(
all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {
"id": audit.id
},
"context": {
"id": audit.context.id
},
"default_people": {
"assignees": "Admin",
"verifiers": "Admin",
},
"title": "Some title"
}
})
self.assertStatus(response, 201)
template_id = response.json["assessment_template"]["id"]
template = all_models.AssessmentTemplate.query.get(template_id)
self.assertEqual(template.audit.id, audit.id)
def test_audit_issue_tracker(self):
"""Test existing audit issue_tracker info in template response"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
factories.IssueTrackerIssueFactory(
issue_tracked_obj=audit,
component_id="some component id",
hotlist_id="some host id",
title="some title",
issue_id="some issue id")
template_id = factories.AssessmentTemplateFactory(
audit=audit, context=audit.context).id
response = self.api.get(all_models.AssessmentTemplate, template_id)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
default_issue_type = constants.DEFAULT_ISSUETRACKER_VALUES[
'issue_type']
self.assertEqual(
response.json["assessment_template"]["audit"], {
u"type": u"Audit",
u"id": long(audit.id),
u'title': unicode(audit.title),
u"href": u"/api/audits/{}".format(long(audit.id)),
u"context_id": long(audit.context.id),
u"issue_tracker": {
u'_warnings': [],
u"component_id": u"some component id",
u"enabled": False,
u"issue_severity": None,
u"hotlist_id": u"some host id",
u"issue_id": u"some issue id",
u"issue_priority": None,
u"issue_type": default_issue_type,
u"issue_url": None,
u"title": "some title",
u"people_sync_enabled": True,
}
})
class TestEvidenceRolePropagation(TestCase):
"""Evidence role propagation test case"""
# pylint: disable=invalid-name
def setUp(self):
super(TestEvidenceRolePropagation, self).setUp()
self.api = Api()
self.generator = ObjectGenerator()
# Propagation isn't work for 'Primary Contacts', 'Secondary Contacts'
# just add them to data list to check if fix works.
@ddt.data("Assignees", "Creators", "Verifiers")
def test_assessment_role_propagation_edit(self, role_name):
"""Asses user with role '{0}' should be able to edit related evidence"""
_, reader = self.generator.generate_person(user_role="Creator")
with factories.single_commit():
assessment = factories.AssessmentFactory()
assessment.add_person_with_role_name(reader, role_name)
evidence = factories.EvidenceFactory()
evidence_id = evidence.id
factories.RelationshipFactory(source=assessment,
destination=evidence)
self.api.set_user(reader)
evidence = all_models.Evidence.query.get(evidence_id)
new_description = 'new description'
resp = self.api.modify_object(evidence,
{'description': new_description})
evidence = self.refresh_object(evidence)
self.assert200(resp)
self.assertEquals(new_description, evidence.description)
self.assertEquals(reader.id, evidence.modified_by_id)
@ddt.data(
("Creator", "Audit Captains", 200),
("Creator", "Auditors", 403),
("Reader", "Audit Captains", 200),
("Reader", "Auditors", 403),
("Editor", "Audit Captains", 200),
("Editor", "Auditors", 200),
)
@ddt.unpack
def test_audit_role_propagation_edit(self, user_role, audit_role,
status_code):
"""'{0}' assigned as '{1}' should get '{2}' when editing audit evidence"""
_, user = self.generator.generate_person(user_role=user_role)
with factories.single_commit():
audit = factories.AuditFactory()
audit.add_person_with_role_name(user, audit_role)
evidence = factories.EvidenceFactory()
evidence_id = evidence.id
factories.RelationshipFactory(source=audit, destination=evidence)
self.api.set_user(user)
evidence = all_models.Evidence.query.get(evidence_id)
new_description = 'new description'
resp = self.api.modify_object(evidence,
{'description': new_description})
evidence = self.refresh_object(evidence)
if status_code == 200:
self.assert200(resp)
self.assertEquals(new_description, evidence.description)
self.assertEquals(user.id, evidence.modified_by_id)
else:
self.assertStatus(resp, status_code)
def test_audit_role_propagation_not_delete(self):
"""Audit user with role Auditors can NOT delete related evidence"""
role_name = "Auditors"
_, reader = self.generator.generate_person(user_role="Reader")
with factories.single_commit():
audit = factories.AuditFactory()
audit.add_person_with_role_name(reader, role_name)
evidence = factories.EvidenceFactory()
evidence_id = evidence.id
factories.RelationshipFactory(source=audit, destination=evidence)
self.api.set_user(reader)
evidence = all_models.Evidence.query.get(evidence_id)
resp = self.api.delete(evidence)
self.assertStatus(resp, 403)
evidence = all_models.Evidence.query.get(evidence_id)
self.assertTrue(evidence)
def setUp(self):
super(TestReindex, self).setUp()
self.api = Api()
class EvidenceRBACFactory(base.BaseRBACFactory):
"""Evidence RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Evidence permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr)
with factories.single_commit():
evidence = factories.EvidenceUrlFactory()
if parent == "Audit":
self.mapping_id = factories.RelationshipFactory(
source=self.audit, destination=evidence
).id
elif parent == "Assessment":
self.mapping_id = factories.RelationshipFactory(
source=self.assessment, destination=evidence
).id
self.evidence_id = evidence.id
self.parent = parent
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Evidence",
).one().id
self.user_id = user_id
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Evidence object."""
result = self.api.post(all_models.Evidence, {
"evidence": {
"access_control_list": [{
"ac_role_id": self.admin_acr_id,
"person": {
"id": self.user_id,
"type": "Person",
}
}],
"link": factories.random_str(),
"title": factories.random_str(),
"context": None,
}
})
return result
def read(self):
"""Read existing Evidence object."""
res = self.api.get(all_models.Evidence, self.evidence_id)
return res
def update(self):
"""Update title of existing Evidence object."""
evidence = all_models.Evidence.query.get(self.evidence_id)
return self.api.put(evidence, {"title": factories.random_str()})
def delete(self):
"""Delete Evidence object."""
evidence = all_models.Evidence.query.get(self.evidence_id)
return self.api.delete(evidence)
def map(self, evidence=None):
"""Map Evidence to parent object."""
if self.parent == "Audit":
parent = all_models.Audit.query.get(self.audit_id)
else:
parent = all_models.Assessment.query.get(self.assessment_id)
map_evidence = evidence if evidence else factories.EvidenceUrlFactory()
return self.api.put(parent, {
"actions": {
"add_related": [{
"id": map_evidence.id,
"type": "Evidence",
}]
}
})
def create_and_map(self):
"""Create new Evidence and map it to parent."""
response = self.create()
evidence_id = None
if response.json and response.json.get("evidence"):
evidence_id = response.json.get("evidence", {}).get("id")
if not evidence_id:
return response
evidence = all_models.Evidence.query.get(evidence_id)
return self.map(evidence)
def add_comment(self):
"""Map new comment to evidence."""
evidence = all_models.Evidence.query.get(self.evidence_id)
_, comment = self.objgen.generate_object(all_models.Comment, {
"description": factories.random_str(),
"context": None,
})
return self.objgen.generate_relationship(source=evidence,
destination=comment)[0]
def read_comments(self):
"""Read comments mapped to evidence"""
evidence = all_models.Evidence.query.get(self.evidence_id)
with factories.single_commit():
comment = factories.CommentFactory(description=factories.random_str())
factories.RelationshipFactory(source=evidence, destination=comment)
query_request_data = [{
"fields": [],
"filters": {
"expression": {
"object_name": "Evidence",
"op": {
"name": "relevant"
},
"ids": [evidence.id]
}
},
"object_name": "Comment",
}]
response = self.api.send_request(
self.api.client.post,
data=query_request_data,
api_link="/query"
)
return response
def setUp(self):
super(TestSnapshot, self).setUp()
self.api = Api()
class TestAssessmentTemplate(TestCase):
""" Test AssessmentTemplate class. """
def setUp(self):
super(TestAssessmentTemplate, self).setUp()
self.api = Api()
def test_audit_setup(self):
"""Test audit setup for assessment_template"""
audit = factories.AuditFactory()
response = self.api.post(all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {"id": audit.id},
"context": {"id": audit.context.id},
"default_people": {
"assignees": "Admin",
"verifiers": "Admin",
},
"title": "Some title"
}
})
self.assertStatus(response, 201)
template_id = response.json["assessment_template"]["id"]
template = all_models.AssessmentTemplate.query.get(template_id)
self.assertEqual(template.audit.id, audit.id)
def test_audit_issue_tracker(self):
"""Test existing audit issue_tracker info in template response"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
factories.IssueTrackerIssueFactory(
issue_tracked_obj=audit,
component_id="some component id",
hotlist_id="some host id",
title="some title",
issue_id="some issue id"
)
template_id = factories.AssessmentTemplateFactory(
audit=audit,
context=audit.context
).id
response = self.api.get(all_models.AssessmentTemplate, template_id)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
default_issue_type = constants.DEFAULT_ISSUETRACKER_VALUES['issue_type']
self.assertEqual(
response.json["assessment_template"]["audit"],
{
u"type": u"Audit",
u"id": long(audit.id),
u'title': unicode(audit.title),
u"href": u"/api/audits/{}".format(long(audit.id)),
u"context_id": long(audit.context.id),
u"issue_tracker": {
u'_warnings': [],
u"component_id": u"some component id",
u"enabled": False,
u"issue_severity": None,
u"hotlist_id": u"some host id",
u"issue_id": u"some issue id",
u"issue_priority": None,
u"issue_type": default_issue_type,
u"issue_url": None,
u"title": "some title",
u"people_sync_enabled": True,
}
}
)
class DocumentReferenceUrlRBACFactory(base.BaseRBACFactory):
"""Document Reference Url RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Document permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
self.acr = acr
self.user_id = user_id
self.parent_name = parent
self.document_id = None
self.parent = None
self.parent_id = None
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Document",
).one().id
self.setup_models(self.parent_name)
self.set_user(user_id)
def set_user(self, user_id):
"""Set user to send requests"""
if self.user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def setup_models(self, parent_name):
"""Setup document, parent, relationship"""
with factories.single_commit():
document = factories.DocumentReferenceUrlFactory()
self.document_id = document.id
self.parent = self.build_parent(parent_name)
self.parent_id = self.parent.id
factories.RelationshipFactory(source=self.parent, destination=document)
self.assign_person(self.parent, self.acr, self.user_id)
@staticmethod
def build_parent(parent_name):
"""Create parent based on Name"""
try:
parent = FACTORIES_MAPPING[parent_name]()
except KeyError():
raise ValueError("Unknown parent {}".format(parent_name))
return parent
def create(self):
"""Create new Document object."""
result = self.api.post(all_models.Document, {
"document": {
"access_control_list": [{
"ac_role_id": self.admin_acr_id,
"person": {
"id": self.user_id,
"type": "Person",
}
}],
"link": factories.random_str(),
"title": factories.random_str(),
"context": None,
}
})
return result
def read(self):
"""Read existing Document object."""
res = self.api.get(all_models.Document, self.document_id)
return res
def update(self):
"""Update title of existing Document object."""
document = all_models.Document.query.get(self.document_id)
return self.api.put(document, {"title": factories.random_str()})
def delete(self):
"""Delete Document object."""
document = all_models.Document.query.get(self.document_id)
return self.api.delete(document)
def map(self, document=None):
"""Map Document to parent object."""
parent = self.parent.__class__.query.get(self.parent_id)
map_document = document if document \
else factories.DocumentReferenceUrlFactory()
return self.objgen.generate_relationship(
source=parent,
destination=map_document
)[0]
def create_and_map(self):
"""Create new Document and map it to parent."""
response = self.create()
document_id = None
if response.json and response.json.get("document"):
document_id = response.json.get("document", {}).get("id")
if not document_id:
return response
document = all_models.Document.query.get(document_id)
return self.map(document)
def add_comment(self):
"""Map new comment to document."""
document = all_models.Document.query.get(self.document_id)
_, comment = self.objgen.generate_object(all_models.Comment, {
"description": factories.random_str(),
"context": None,
})
return self.objgen.generate_relationship(source=document,
destination=comment)[0]
def read_comments(self):
"""Read comments mapped to document"""
document = all_models.Document.query.get(self.document_id)
with factories.single_commit():
comment = factories.CommentFactory(description=factories.random_str())
factories.RelationshipFactory(source=document, destination=comment)
query_request_data = [{
"fields": [],
"filters": {
"expression": {
"object_name": "Document",
"op": {
"name": "relevant"
},
"ids": [document.id]
}
},
"object_name": "Comment",
}]
response = self.api.send_request(
self.api.client.post,
data=query_request_data,
api_link="/query"
)
return response
def setUp(self): super(TestAssessmentTemplate, self).setUp() self.api = Api()
class UniversalRBACFactory(base.BaseRBACFactory):
"""Universal RBAC factory class.
Can be used in 'one rank' tests
"""
# pylint: disable=too-many-instance-attributes
def __init__(self, user_id, acr, parent=None):
"""Set up objects for permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
self.acr = acr
self.user_id = user_id
self.parent_name = parent
self.document_id = None
self.parent = None
self.parent_id = None
self.setup_models(self.parent_name)
self.set_user(user_id)
def set_user(self, user_id):
"""Set user to send requests"""
if self.user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def setup_models(self, parent_name):
"""Setup document, parent, relationship"""
with factories.single_commit():
self.parent = get_model_factory(parent_name)()
self.parent_id = self.parent.id
self.parent_name = parent_name
self.assign_person(self.parent, self.acr, self.user_id)
def _setup_document(self):
"""Crate and map document"""
with factories.single_commit():
document = factories.DocumentReferenceUrlFactory()
parent = db.session.query(self.parent.__class__).get(self.parent_id)
factories.RelationshipFactory(source=parent, destination=document)
return document.id
def _setup_comment(self):
"""Crate and map comment"""
with factories.single_commit():
comment = factories.CommentFactory(description="Hey!")
parent = db.session.query(self.parent.__class__).get(self.parent_id)
factories.RelationshipFactory(source=parent, destination=comment)
return comment.id
def read_parent(self):
"""Can Read parent info."""
res = self.api.get(self.parent, self.parent_id)
return res
def create_and_map_document(self):
"""Create and map document object to parent."""
admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Document",
).one().id
_, document = self.objgen.generate_object(
all_models.Document, {
"link":
factories.random_str(),
"title":
factories.random_str(),
"context":
None,
"access_control_list": [
{
"ac_role_id": admin_acr_id,
"person": {
"id": self.user_id,
"type": "Person",
}
}
],
}
)
parent = db.session.query(self.parent.__class__).get(self.parent_id)
return self.objgen.generate_relationship(
source=document, destination=parent
)[0]
def read_document(self):
"""Read existing Document object."""
doc_id = self._setup_document()
res = self.api.get(all_models.Document, doc_id)
return res
def update_document(self):
"""Update title of existing Document object."""
doc_id = self._setup_document()
document = all_models.Document.query.get(doc_id)
return self.api.put(document, {"title": factories.random_str()})
def delete_document(self):
"""Delete Document object."""
doc_id = self._setup_document()
document = all_models.Document.query.get(doc_id)
return self.api.delete(document)
def create_and_map_comment(self):
"""Create new Comment object and map to parent."""
_, comment = self.objgen.generate_object(
all_models.Comment, {
"description": factories.random_str(),
"context": None,
}
)
parent = db.session.query(self.parent.__class__).get(self.parent_id)
return self.objgen.generate_relationship(
source=parent, destination=comment
)[0]
def read_comment(self):
"""Read existing Comment object."""
comment_id = self._setup_comment()
res = self.api.get(all_models.Comment, comment_id)
return res
def create_and_map_document_comment(self):
"""Map new comment to document."""
doc_id = self._setup_document()
_, comment = self.objgen.generate_object(
all_models.Comment, {
"description": factories.random_str(),
"context": None,
}
)
document = all_models.Document.query.get(doc_id)
return self.objgen.generate_relationship(
source=document, destination=comment
)[0]
def read_document_comment(self):
"""Read comments mapped to document"""
doc_id = self._setup_document()
document = all_models.Document.query.get(doc_id)
with factories.single_commit():
comment = factories.CommentFactory(description=factories.random_str())
factories.RelationshipFactory(source=document, destination=comment)
query_request_data = [
{
"fields": [],
"filters": {
"expression": {
"object_name": "Document",
"op": {
"name": "relevant"
},
"ids": [document.id]
}
},
"object_name": "Comment",
}
]
response = self.api.send_request(
self.api.client.post, data=query_request_data, api_link="/query"
)
return response
class WorkflowRBACFactory(base.BaseRBACFactory):
"""Workflow RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Workflow permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Workflow object."""
return self.api.post(all_models.Workflow, {
"workflow": {
"title": "New workflow",
"context": None,
}
})
def read(self):
"""Read existing Workflow object."""
return self.api.get(all_models.Workflow, self.workflow_id)
def update(self):
"""Update title of existing Workflow object."""
workflow = all_models.Workflow.query.get(self.workflow_id)
return self.api.put(workflow, {"title": factories.random_str()})
def delete(self):
"""Delete Workflow object."""
workflow = all_models.Workflow.query.get(self.workflow_id)
return self.api.delete(workflow)
def read_revisions(self):
"""Read revisions for Workflow object."""
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(
all_models.Workflow, query.format("workflow", self.workflow_id)
)
)
return responses
def clone(self):
"""Clone existing Workflow object."""
with factories.single_commit():
task_group = wf_factories.TaskGroupFactory(workflow_id=self.workflow_id)
wf_factories.TaskGroupTaskFactory(task_group=task_group)
return self.api.post(all_models.Workflow, {
"workflow": {
# workaround - title is required for validation
"title": "",
"clone": self.workflow_id,
"clone_objects": True,
"clone_people": True,
"clone_tasks": True,
"context": None,
}
})
class TestReviewNotification(TestCase):
"""Test notification on Review status change."""
def setUp(self):
super(TestReviewNotification, self).setUp()
self.client.get("/login")
self.generator = generator.ObjectGenerator()
self.api = Api()
@ddt.data(
(all_models.Review.NotificationTypes.EMAIL_TYPE, 1),
(all_models.Review.NotificationTypes.ISSUE_TRACKER, 0),
)
@ddt.unpack
def test_notification_add_new_review(self, notification_type,
expected_notifications):
"""After creation of new review notification should be created"""
program = factories.ProgramFactory()
resp, _ = self.generator.generate_object(
all_models.Review,
{
"reviewable": {
"type": program.type,
"id": program.id,
},
"context": None,
"notification_type": notification_type,
"status": all_models.Review.STATES.UNREVIEWED,
"access_control_list": build_reviewer_acl(),
},
)
self.assertEqual(201, resp.status_code)
self.assertEqual(expected_notifications,
len(all_models.Notification.query.all()))
@ddt.data(
(all_models.Review.NotificationTypes.EMAIL_TYPE, 1),
(all_models.Review.NotificationTypes.ISSUE_TRACKER, 0),
)
@ddt.unpack
def test_reviewable_attributes(self, notification_type,
expected_notifications):
"""Review change state to Unreviewed
Notification with notification type STATUS_UNREVIEWED created
"""
with factories.single_commit():
program = factories.ProgramFactory()
review = factories.ReviewFactory(
status=all_models.Review.STATES.REVIEWED,
reviewable=program,
notification_type=notification_type)
review_id = review.id
reviewable = review.reviewable
self.api.modify_object(reviewable, {"title": "new title"})
review = all_models.Review.query.get(review_id)
self.assertEqual(review.status, all_models.Review.STATES.UNREVIEWED)
review_notif_types = all_models.Review.NotificationObjectTypes
notyf_unreviewed_type = all_models.Notification.query.join(
all_models.NotificationType).filter(
all_models.NotificationType.name ==
review_notif_types.STATUS_UNREVIEWED).all()
self.assertEqual(expected_notifications, len(notyf_unreviewed_type))
@ddt.data(
(all_models.Review.NotificationTypes.EMAIL_TYPE, 1),
(all_models.Review.NotificationTypes.ISSUE_TRACKER, 0),
)
@ddt.unpack
def test_map_snapshotable_notification(self, notification_type,
expected_notifications):
"""Map snapshotable should change review status and add notification"""
with factories.single_commit():
program = factories.ProgramFactory()
review = factories.ReviewFactory(
status=all_models.Review.STATES.REVIEWED,
reviewable=program,
notification_type=notification_type)
review_id = review.id
self.generator.generate_relationship(
source=program,
destination=factories.ProductFactory(),
context=None,
)
review = all_models.Review.query.get(review_id)
self.assertEqual(review.status, all_models.Review.STATES.UNREVIEWED)
review_notif_types = all_models.Review.NotificationObjectTypes
notyf_unreviewed_type = all_models.Notification.query.join(
all_models.NotificationType).filter(
all_models.NotificationType.name ==
review_notif_types.STATUS_UNREVIEWED).all()
self.assertEqual(expected_notifications, len(notyf_unreviewed_type))
@ddt.data(
(all_models.Review.NotificationTypes.EMAIL_TYPE, 1),
(all_models.Review.NotificationTypes.ISSUE_TRACKER, 0),
)
@ddt.unpack
def test_proposal_apply_notification(self, notification_type,
expected_notifications):
"""Reviewable object changed via proposal -> notification created"""
with factories.single_commit():
program = factories.ProgramFactory()
review = factories.ReviewFactory(
status=all_models.Review.STATES.REVIEWED,
reviewable=program,
notification_type=notification_type)
review_id = review.id
proposal_content = {
"fields": {
"title": "new title"
},
}
proposal = factories.ProposalFactory(instance=program,
content=proposal_content,
agenda="agenda content")
self.api.modify_object(proposal, {"status": proposal.STATES.APPLIED})
review = all_models.Review.query.get(review_id)
self.assertEqual(review.status, all_models.Review.STATES.UNREVIEWED)
review_notif_types = all_models.Review.NotificationObjectTypes
notyf_unreviewed_type = all_models.Notification.query.join(
all_models.NotificationType).filter(
all_models.NotificationType.name ==
review_notif_types.STATUS_UNREVIEWED).all()
self.assertEqual(expected_notifications, len(notyf_unreviewed_type))
@patch("google.appengine.api.mail.send_mail")
def test_reviewer_notification_on_create_review(self, _):
"""Reviewer should receive email notification"""
reviewer = factories.PersonFactory()
reviewer_role_id = all_models.AccessControlRole.query.filter_by(
name="Reviewers",
object_type="Review",
).one().id
program = factories.ProgramFactory()
email_message = "email email_message"
self.generator.generate_object(
all_models.Review,
{
"reviewable": {
"type": program.type,
"id": program.id,
},
"context":
None,
"notification_type":
all_models.Review.NotificationTypes.EMAIL_TYPE,
"status":
all_models.Review.STATES.UNREVIEWED,
"email_message":
email_message,
"access_control_list": [{
"ac_role_id": reviewer_role_id,
"person": {
"id": reviewer.id
},
}],
},
)
with mock.patch.object(fast_digest.DIGEST_TMPL,
"render") as bodybuilder_mock:
fast_digest.send_notification()
template_args = bodybuilder_mock.call_args[1]
self.assertListEqual([], template_args["proposals"])
self.assertListEqual([], template_args["review_owners"])
self.assertEqual(1, len(template_args["review_reviewers"]))
self.assertEqual(
program.id, template_args["review_reviewers"][0].reviewable.id)
self.assertEqual(
email_message,
template_args["review_reviewers"][0].email_message)
@patch("google.appengine.api.mail.send_mail")
def test_self_reviewer_notification_on_create_review(self, _):
"""Auto assigned Reviewer should NOT receive email notification"""
current_user = all_models.Person.query.filter_by(
email="*****@*****.**").one()
reviewer_role_id = all_models.AccessControlRole.query.filter_by(
name="Reviewers",
object_type="Review",
).one().id
program = factories.ProgramFactory()
email_message = "email email_message"
self.generator.generate_object(
all_models.Review,
{
"reviewable": {
"type": program.type,
"id": program.id,
},
"context":
None,
"notification_type":
all_models.Review.NotificationTypes.EMAIL_TYPE,
"status":
all_models.Review.STATES.REVIEWED,
"email_message":
email_message,
"access_control_list": [{
"ac_role_id": reviewer_role_id,
"person": {
"id": current_user.id
},
}],
},
)
with mock.patch.object(fast_digest.DIGEST_TMPL,
"render") as bodybuilder_mock:
fast_digest.send_notification()
# assert no email sent
bodybuilder_mock.assert_not_called()
@patch("google.appengine.api.mail.send_mail")
def test_reviewer_owner_notification(self, _):
"""Object owners should receive notifications
System should send notification(s) to object's managers,
primary contacts, secondary contacts,
if object is reverted to 'Unreviewed'.
"""
reviewer = factories.PersonFactory(name='reviewers')
reviewer_role_id = all_models.AccessControlRole.query.filter_by(
name="Reviewers",
object_type="Review",
).one().id
with factories.single_commit():
program_primary_contact = factories.PersonFactory(name='primary')
program_secondary_contact = factories.PersonFactory(
name='secondary')
program = factories.ProgramFactory()
program.add_person_with_role_name(program_primary_contact,
"Primary Contacts")
program.add_person_with_role_name(program_secondary_contact,
"Secondary Contacts")
email_message = "email email_message"
self.generator.generate_object(
all_models.Review,
{
"reviewable": {
"type": program.type,
"id": program.id,
},
"context":
None,
"notification_type":
all_models.Review.NotificationTypes.EMAIL_TYPE,
"status":
all_models.Review.STATES.REVIEWED,
"email_message":
email_message,
"access_control_list": [{
"ac_role_id": reviewer_role_id,
"person": {
"id": reviewer.id
},
}],
},
)
self.api.put(program, {"title": "new title"})
with mock.patch.object(fast_digest.DIGEST_TMPL,
"render") as bodybuilder_mock:
fast_digest.send_notification()
# 4 emails to each user
self.assertEqual(3, bodybuilder_mock.call_count)
call_count = _call_counter(bodybuilder_mock)
# 1 email to reviewer -> need to review
self.assertEqual(1, call_count["review_reviewers"])
# 1 emails to owners -> object state updated
self.assertEqual(2, call_count["review_owners"])
@patch("google.appengine.api.mail.send_mail")
@freezegun.freeze_time("2019-01-15 12:00:00")
def test_notification_subject(self, send_mail_mock):
"""Test that emails are sent with proper subject."""
expected_subject = "GGRC Change requests review digest " \
"for 01/15/2019 04:00:00 PST"
reviewer = factories.PersonFactory()
reviewer_role_id = all_models.AccessControlRole.query.filter_by(
name="Reviewers",
object_type="Review",
).one().id
with factories.single_commit():
program_manager = factories.PersonFactory()
program = factories.ProgramFactory()
program.add_person_with_role_name(program_manager,
"Program managers")
email_message = "email email_message"
_, review = self.generator.generate_object(
all_models.Review,
{
"reviewable": {
"type": program.type,
"id": program.id,
},
"context":
None,
"notification_type":
all_models.Review.NotificationTypes.EMAIL_TYPE,
"status":
all_models.Review.STATES.REVIEWED,
"email_message":
email_message,
"access_control_list": [{
"ac_role_id": reviewer_role_id,
"person": {
"id": reviewer.id
},
}],
},
)
self.api.modify_object(review.reviewable, {"title": "new title"})
with mock.patch.object(fast_digest.DIGEST_TMPL, "render"):
fast_digest.send_notification()
for call_item in send_mail_mock.call_args_list:
self.assertEqual(expected_subject, call_item[1]["subject"])
def setUp(self):
super(TestReviewNotification, self).setUp()
self.client.get("/login")
self.generator = generator.ObjectGenerator()
self.api = Api()
def setUp(self):
super(TestEvidenceRolePropagation, self).setUp()
self.api = Api()
self.generator = ObjectGenerator()
class AssessmentTemplateRBACFactory(base.BaseRBACFactory):
"""Assessment Template RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Assessment Template permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr, parent)
with factories.single_commit():
template = factories.AssessmentTemplateFactory(audit=self.audit)
factories.RelationshipFactory(source=self.audit, destination=template)
self.template_id = template.id
self.default_assignees = "Admin"
self.default_verifiers = "Admin"
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Assessment Template object."""
return self.api.post(all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {"id": self.audit_id, "type": "Audit"},
"context": None,
"default_people": {
"assignees": self.default_assignees,
"verifiers": self.default_verifiers,
},
"title": "New Assessment Template"
}
})
def read(self):
"""Read existing Assessment Template object."""
return self.api.get(all_models.AssessmentTemplate, self.template_id)
def update(self):
"""Update title of existing Assessment Template object."""
template = all_models.AssessmentTemplate.query.get(self.template_id)
return self.api.put(template, {"title": factories.random_str()})
def delete(self):
"""Delete Assessment Template object."""
template = all_models.AssessmentTemplate.query.get(self.template_id)
return self.api.delete(template)
def read_revisions(self):
"""Read revisions for Assessment Template object."""
model_class = get_model("AssessmentTemplate")
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(
model_class,
query.format("assessment_template", self.template_id)
)
)
return responses
def setUp(self):
super(TestAssessmentTemplate, self).setUp()
self.api = Api()
def setUp(self): super(TestEvidenceRolePropagation, self).setUp() self.api = Api() self.generator = ObjectGenerator()
