예제 #1
0
def test_filter_schemas(app, db, es, es_acl_prepare, test_users):
    if db.engine.dialect.name != 'postgresql':
        return

    assert DefaultACL.query.filter(DefaultACL.schemas.any('aaa')).count() == 0

    with db.session.begin_nested():
        acl = DefaultACL(name='test',
                         schemas=['aaa', RECORD_SCHEMA],
                         operation='get',
                         originator=test_users.u1)
        db.session.add(acl)

    assert DefaultACL.query.filter(DefaultACL.schemas.any('aaa')).count() == 1
    assert DefaultACL.query.filter(
        DefaultACL.schemas.any(RECORD_SCHEMA)).count() == 1

    with db.session.begin_nested():
        acl1 = DefaultACL(name='test1',
                          schemas=[RECORD_SCHEMA],
                          operation='get',
                          originator=test_users.u1)
        db.session.add(acl1)

    assert DefaultACL.query.filter(DefaultACL.schemas.any('aaa')).count() == 1
    assert DefaultACL.query.filter(
        DefaultACL.schemas.any(RECORD_SCHEMA)).count() == 2

    with db.session.begin_nested():
        acl1.schemas = ['aaa']
        db.session.add(acl1)

    assert DefaultACL.query.filter(DefaultACL.schemas.any('aaa')).count() == 2
    assert DefaultACL.query.filter(
        DefaultACL.schemas.any(RECORD_SCHEMA)).count() == 1
예제 #2
0
def test_create_record_check_acl_priority(app, db, es, es_acl_prepare,
                                          test_users):
    with app.test_client() as client:
        with db.session.begin_nested():
            acl1 = DefaultACL(name='default',
                              schemas=[RECORD_SCHEMA],
                              priority=0,
                              originator=test_users.u1,
                              operation='get')
            actor1 = SystemRoleActor(name='auth',
                                     system_role='any_user',
                                     acl=acl1,
                                     originator=test_users.u1)

            acl2 = DefaultACL(name='default',
                              schemas=[RECORD_SCHEMA],
                              priority=1,
                              originator=test_users.u1,
                              operation='get')
            actor2 = SystemRoleActor(name='auth',
                                     system_role='authenticated_user',
                                     acl=acl2,
                                     originator=test_users.u1)

            db.session.add(acl1)
            db.session.add(actor1)
            db.session.add(acl2)
            db.session.add(actor2)

        login(client, test_users.u1)
        response = client.post(records_url(),
                               data=json.dumps({
                                   'title': 'blah',
                                   'contributors': []
                               }),
                               content_type='application/json')
        assert response.status_code == 201
        rest_metadata = get_json(response)['metadata']
        assert 'control_number' in rest_metadata

        index, doctype = schema_to_index(RECORD_SCHEMA)

        rec_md = current_search_client.get(
            index=index,
            doc_type=doctype,
            id=str(
                PersistentIdentifier.get(
                    'recid', rest_metadata['control_number']).object_uuid))

        clear_timestamp(rec_md)

        assert rec_md['_source']['_invenio_explicit_acls'] == [{
            'operation':
            'get',
            'id':
            acl2.id,
            'timestamp':
            'cleared',
            'system_role': ['authenticated_user']
        }]
예제 #3
0
def test_default_acl_delete(app, db, es, es_acl_prepare, test_users):
    # should pass as it does nothing
    with db.session.begin_nested():
        acl = DefaultACL(name='test',
                         schemas=[RECORD_SCHEMA],
                         priority=0,
                         operation='get',
                         originator=test_users.u1)
        db.session.add(acl)
    acl.delete()
예제 #4
0
def test_get_record_no_acls_anonymous(app, db, es, es_acl_prepare, test_users):

    with db.session.begin_nested():
        # create an empty ACL in order to get the _invenio_explicit_acls filled
        acl = DefaultACL(name='test',
                         schemas=[RECORD_SCHEMA],
                         priority=0,
                         operation='get',
                         originator=test_users.u1)
        db.session.add(acl)
        actor = UserActor(name='test',
                          acl=acl,
                          users=[],
                          originator=test_users.u1)
        db.session.add(actor)

    pid, record = create_record({}, clz=SchemaEnforcingRecord)
    RecordIndexer().index(record)

    # make sure it is flushed
    current_search_client.indices.flush()

    # try to get it ...
    with app.test_client() as client:
        res = client.get(record_url(pid))
        assert res.status_code == 401  # unauthorized

    # get it directly from ES
    res = get_from_es(pid)['_source']
    assert res['control_number'] == pid.pid_value
    assert res['$schema'] == 'https://localhost/schemas/' + RECORD_SCHEMA
    assert '_invenio_explicit_acls' in res
예제 #5
0
def test_rest_delete_record(app, db, es, es_acl_prepare, test_users):
    with app.test_client() as client:
        with db.session.begin_nested():
            acl = DefaultACL(name='default',
                             schemas=[RECORD_SCHEMA],
                             priority=0,
                             originator=test_users.u1,
                             operation='update')
            actor = UserActor(name='u1',
                              users=[test_users.u1],
                              acl=acl,
                              originator=test_users.u1)

            db.session.add(acl)
            db.session.add(actor)

        pid, record = create_record({'keywords': ['blah']},
                                    clz=SchemaEnforcingRecord)
        RecordIndexer().index(record)
        current_search_client.indices.refresh()
        current_search_client.indices.flush()

        login(client, test_users.u2)
        response = client.delete(record_url(pid))
        assert response.status_code == 403

        login(client, test_users.u1)
        response = client.delete(record_url(pid))
        assert response.status_code == 204

        with pytest.raises(NoResultFound):
            Record.get_record(pid.object_uuid)
예제 #6
0
def test_aclserializer(app, db, es, es_acl_prepare, test_users):
    with db.session.begin_nested():
        acl1 = DefaultACL(name='default',
                          schemas=[RECORD_SCHEMA],
                          priority=0,
                          originator=test_users.u1,
                          operation='get')
        actor1 = UserActor(name='auth',
                           users=[test_users.u1],
                           acl=acl1,
                           originator=test_users.u1)

        db.session.add(acl1)
        db.session.add(actor1)

    pid, rec = create_record({'title': 'blah'}, clz=SchemaEnforcingRecord)
    RecordIndexer().index(rec)
    current_search_client.indices.flush()

    assert current_jsonschemas.url_to_path(
        rec['$schema']) in current_explicit_acls.enabled_schemas
    assert list(DefaultACL.get_record_acls(rec)) != []

    index, doc_type = schema_to_index(RECORD_SCHEMA)
    data = current_search_client.get(index=index,
                                     doc_type=doc_type,
                                     id=str(pid.object_uuid))['_source']
    assert '_invenio_explicit_acls' in data
    assert len(data['_invenio_explicit_acls']) == 1

    with app.test_request_context():
        login_user(test_users.u1)
        set_identity(test_users.u1)

        acljson_serializer = ACLJSONSerializer(RecordSchemaV1,
                                               acl_rest_endpoint='recid',
                                               replace_refs=True)
        serialized = json.loads(acljson_serializer.serialize(pid, rec))
        assert serialized['invenio_explicit_acls'] == ["get"]

    with app.test_client() as client:
        login(client, test_users.u1)
        search_results = client.get(url_for('invenio_records_rest.recid_list'))
        search_results = get_json(search_results)
        hits = search_results['hits']['hits']
        assert len(hits) == 1
        assert hits[0]['invenio_explicit_acls'] == ["get"]
예제 #7
0
def test_default_acl_get_matching_resources(app, db, es, es_acl_prepare,
                                            test_users):
    pid, record = create_record({'$schema': RECORD_SCHEMA},
                                clz=SchemaEnforcingRecord)
    RecordIndexer().index(record)
    current_search_client.indices.flush()

    with db.session.begin_nested():
        acl = DefaultACL(name='test',
                         schemas=[RECORD_SCHEMA],
                         priority=0,
                         operation='get',
                         originator=test_users.u1)
        db.session.add(acl)
    ids = list(acl.get_matching_resources())
    assert len(ids) == 1
    assert ids[0] == str(pid.object_uuid)
예제 #8
0
def test_default_acl_repr(app, db, es, es_acl_prepare, test_users):
    # should pass as it does nothing
    with db.session.begin_nested():
        acl = DefaultACL(name='test',
                         schemas=[RECORD_SCHEMA],
                         priority=0,
                         operation='get',
                         originator=test_users.u1)
        db.session.add(acl)
    assert repr(acl) == "Default ACL on ['records/record-v1.0.0.json']"
예제 #9
0
def test_existing_acls_database_queries(app, db, es, es_acl_prepare,
                                        test_users):
    with db.session.begin_nested():
        acl = DefaultACL(name='test',
                         schemas=['aaa', RECORD_SCHEMA],
                         operation='get',
                         originator=test_users.u1)
        db.session.add(acl)

    assert set(current_explicit_acls.enabled_schemas) == {'aaa', RECORD_SCHEMA}

    with db.session.begin_nested():
        acl = DefaultACL(name='test1',
                         schemas=[RECORD_SCHEMA],
                         operation='get',
                         originator=test_users.u1)
        db.session.add(acl)

    assert DefaultACL.query.count() == 2
    assert set(current_explicit_acls.enabled_schemas) == {'aaa', RECORD_SCHEMA}
    assert len(list(current_explicit_acls.enabled_schemas)) == 2
예제 #10
0
def test_default_acl_get_record_acl(app, db, es, es_acl_prepare, test_users):
    with db.session.begin_nested():
        acl = DefaultACL(name='test',
                         schemas=[RECORD_SCHEMA],
                         priority=0,
                         operation='get',
                         originator=test_users.u1)
        db.session.add(acl)
        acl2 = DefaultACL(name='test 2',
                          schemas=[ANOTHER_SCHEMA],
                          priority=0,
                          operation='get',
                          originator=test_users.u1)
        db.session.add(acl2)

    pid, record = create_record({'$schema': RECORD_SCHEMA},
                                clz=SchemaEnforcingRecord)

    acls = list(DefaultACL.get_record_acls(record))
    assert len(acls) == 1
    assert isinstance(acls[0], DefaultACL)
    assert acls[0].id == acl.id
예제 #11
0
def test_get_enabled_schema(app, db, test_users):
    with db.session.begin_nested():
        # add ACL for the record schema
        acl = DefaultACL(name='test',
                         schemas=[RECORD_SCHEMA],
                         priority=0,
                         operation='get',
                         originator=test_users.u1)
        db.session.add(acl)

    assert 'records/record-v1.0.0.json' == get_record_acl_enabled_schema(
        {'$schema': 'records/record-v1.0.0.json'})
    assert 'records/record-v1.0.0.json' == get_record_acl_enabled_schema(
        {'$schema': 'https://localhost/schemas/records/record-v1.0.0.json'})
    assert get_record_acl_enabled_schema(
        {'$schema': 'https://localhost/schemas/unknown/unknown-v1.0.0.json'
         }) is None
예제 #12
0
def test_create_record_no_acls_authenticated(app, db, es, es_acl_prepare,
                                             test_users):
    with app.test_client() as client:

        with db.session.begin_nested():
            # create an empty ACL in order to get the _invenio_explicit_acls filled
            acl = DefaultACL(name='test',
                             schemas=[RECORD_SCHEMA],
                             priority=0,
                             operation='get',
                             originator=test_users.u1)
            db.session.add(acl)
            actor = UserActor(name='test',
                              acl=acl,
                              users=[],
                              originator=test_users.u1)
            db.session.add(actor)

        login(client, test_users.u1)
        response = client.post(records_url(),
                               data=json.dumps({
                                   'title': 'blah',
                                   'contributors': []
                               }),
                               content_type='application/json')
        # print("Response", response.get_data(as_text=True))
        assert response.status_code == 201

        created_record_metadata = get_json(response)['metadata']

        # check that ACLs are not leaking
        assert 'invenio_explicit_acls' not in created_record_metadata

        pid = PersistentIdentifier.get(
            'recid', created_record_metadata['control_number'])
        res = get_from_es(pid)['_source']

        assert res['control_number'] == pid.pid_value
        assert res['$schema'] == 'https://localhost/schemas/' + RECORD_SCHEMA
        assert '_invenio_explicit_acls' in res

        # still can not get it
        res = client.get(record_url(pid))
        assert res.status_code == 403  # Forbidden
예제 #13
0
def test_aclrecordsearch_explicit_user(app, db, es, es_acl_prepare, test_users):
    current_explicit_acls.prepare(RECORD_SCHEMA)

    with db.session.begin_nested():
        acl1 = DefaultACL(name='test', schemas=[RECORD_SCHEMA],
                          priority=0, operation='get', originator=test_users.u1)
        actor1 = UserActor(name='auth', acl=acl1, users=[test_users.u1], originator=test_users.u1)
        db.session.add(acl1)
        db.session.add(actor1)

    current_explicit_acls.reindex_acl(acl1, delayed=False)

    record_uuid = uuid.uuid4()
    data = {'title': 'blah', 'contributors': [], 'keywords': ['blah']}
    recid_minter(record_uuid, data)
    rec = SchemaEnforcingRecord.create(data, id_=record_uuid)
    RecordIndexer().index(rec)

    current_search_client.indices.refresh()
    current_search_client.indices.flush()

    rs = ACLRecordsSearch(user=test_users.u1, context={
        'system_roles': ['authenticated_user']
    })
    rec_id = str(rec.id)
    print(json.dumps(rs.query(Ids(values=[rec_id])).query.to_dict(), indent=4))
    assert rs.query(Ids(values=[rec_id])).query.to_dict() == {
        "bool": {
            "minimum_should_match": "100%",
            "filter": [
                {
                    "bool": {
                        "should": [
                            {
                                "nested": {
                                    "path": "_invenio_explicit_acls",
                                    "_name": "invenio_explicit_acls_match_get",
                                    "query": {
                                        "bool": {
                                            "must": [
                                                {
                                                    "term": {
                                                        "_invenio_explicit_acls.operation": "get"
                                                    }
                                                },
                                                {
                                                    "bool": {
                                                        "minimum_should_match": 1,
                                                        "should": [
                                                            {
                                                                "terms": {
                                                                    "_invenio_explicit_acls.role": [
                                                                        1
                                                                    ]
                                                                }
                                                            },
                                                            {
                                                                "term": {
                                                                    "_invenio_explicit_acls.user": 1
                                                                }
                                                            },
                                                            {
                                                                "terms": {
                                                                    "_invenio_explicit_acls.role": [
                                                                        1
                                                                    ]
                                                                }
                                                            },
                                                            {
                                                                "terms": {
                                                                    "_invenio_explicit_acls.system_role": [
                                                                        "authenticated_user"
                                                                    ]
                                                                }
                                                            },
                                                            {
                                                                "term": {
                                                                    "_invenio_explicit_acls.user": 1
                                                                }
                                                            }
                                                        ]
                                                    }
                                                }
                                            ]
                                        }
                                    }
                                }
                            }
                        ],
                        "minimum_should_match": 1
                    }
                }
            ],
            "must": [
                {
                    "ids": {
                        "values": [
                            rec_id
                        ]
                    }
                }
            ]
        }
    }

    hits = list(ACLRecordsSearch(user=test_users.u1, context={
        'system_roles': [authenticated_user]
    }).get_record(rec.id).execute())

    assert len(hits) == 1
    assert hits[0].meta.id == rec_id
    print(hits)

    hits = list(ACLRecordsSearch(user=test_users.u2, context={
        'system_roles': [authenticated_user]
    }).get_record(rec.id).execute())
    assert hits == []
예제 #14
0
def test_rest_update_record(app, db, es, es_acl_prepare, test_users):
    with app.test_client() as client:
        with db.session.begin_nested():
            acl = DefaultACL(name='default',
                             schemas=[RECORD_SCHEMA],
                             priority=0,
                             originator=test_users.u1,
                             operation='update')
            actor = UserActor(name='u1',
                              users=[test_users.u1],
                              acl=acl,
                              originator=test_users.u1)

            db.session.add(acl)
            db.session.add(actor)

        pid, record = create_record({'keywords': ['blah']},
                                    clz=SchemaEnforcingRecord)
        RecordIndexer().index(record)
        current_search_client.indices.refresh()
        current_search_client.indices.flush()

        login(client, test_users.u1)
        response = client.put(record_url(pid),
                              data=json.dumps({
                                  'keywords': ['test'],
                                  'title': 'blah',
                                  'contributors': []
                              }),
                              content_type='application/json')
        assert response.status_code == 200

        # put valid but relative schema
        response = client.put(record_url(pid),
                              data=json.dumps({
                                  'keywords': ['test'],
                                  'title':
                                  'blah',
                                  'contributors': [],
                                  '$schema':
                                  'records/record-v1.0.0.json'
                              }),
                              content_type='application/json')
        assert response.status_code == 200

        rec1 = Record.get_record(pid.object_uuid)
        assert rec1['keywords'] == ['test']
        assert rec1['$schema'] == 'https://localhost/schemas/' + RECORD_SCHEMA

        login(client, test_users.u2)
        response = client.put(record_url(pid),
                              data=json.dumps({
                                  'keywords': ['test1'],
                                  'title': 'blah',
                                  'contributors': [],
                              }),
                              content_type='application/json')
        assert response.status_code == 403

        rec1 = Record.get_record(pid.object_uuid)
        assert rec1['keywords'] == ['test']  # check value not overwritten

        # try to pu invalid schema
        login(client, test_users.u1)
        response = client.put(record_url(pid),
                              data=json.dumps({
                                  'keywords': ['test-invalid'],
                                  'title':
                                  'blah-invalid',
                                  'contributors': [],
                                  '$schema':
                                  'https://localhost/invalid-schema'
                              }),
                              content_type='application/json')
        assert response.status_code == 400
예제 #15
0
def test_create_acl_after_record(app, db, es, es_acl_prepare, test_users):
    with app.test_client() as client:
        login(client, test_users.u1)
        response = client.post(records_url(),
                               data=json.dumps({
                                   'title': 'blah',
                                   'contributors': []
                               }),
                               content_type='application/json')
        assert response.status_code == 201
        rest_metadata = get_json(response)['metadata']
        assert 'control_number' in rest_metadata

        current_search_client.indices.refresh()
        current_search_client.indices.flush()

        with db.session.begin_nested():
            acl1 = DefaultACL(name='default',
                              schemas=[RECORD_SCHEMA],
                              priority=0,
                              originator=test_users.u1,
                              operation='get')
            actor1 = SystemRoleActor(name='auth',
                                     system_role='any_user',
                                     acl=acl1,
                                     originator=test_users.u1)
            db.session.add(acl1)
            db.session.add(actor1)

        # reindex all resources that might be affected by the ACL change
        current_explicit_acls.reindex_acl(acl1, delayed=False)

        index, doctype = schema_to_index(RECORD_SCHEMA)

        rec_md = current_search_client.get(
            index=index,
            doc_type=doctype,
            id=str(
                PersistentIdentifier.get(
                    'recid', rest_metadata['control_number']).object_uuid))

        clear_timestamp(rec_md)

        assert rec_md['_source']['_invenio_explicit_acls'] == [{
            'operation':
            'get',
            'id':
            acl1.id,
            'timestamp':
            'cleared',
            'system_role': ['any_user']
        }]

        # remove the ACL from the database
        with db.session.begin_nested():
            db.session.delete(acl1)

        # reindex records affected by the removal of ACL
        current_explicit_acls.reindex_acl_removed(acl1, delayed=False)

        # make sure all changes had time to propagate and test
        current_search_client.indices.refresh()
        current_search_client.indices.flush()

        rec_md = current_search_client.get(
            index=index,
            doc_type=doctype,
            id=str(
                PersistentIdentifier.get(
                    'recid', rest_metadata['control_number']).object_uuid))

        # there is no ACL in the database => no acls are defined nor enforced on the record
        print(json.dumps(rec_md, indent=4))
        assert '_invenio_explicit_acls' not in rec_md['_source']
예제 #16
0
def test_default_acl_prepare_schema_acl(app, db, es, es_acl_prepare,
                                        test_users):
    # should pass as it does nothing
    DefaultACL.prepare_schema_acls(RECORD_SCHEMA)