def test_access_control_is_set_on_init(self):
    """A DAG's ``access_control`` grant applies to the named role only.

    A permission-less user in role ``team-a`` gets edit and read on the DAG
    once ``access_control`` names ``team-a``. Moving the same user into
    ``NOT-team-a`` must drop those DAG permissions: the grant is keyed by
    role and must not leak to any other role.
    """
    dag_id = 'access_control_test'
    granted_role = 'team-a'
    granted_perms = [permissions.ACTION_CAN_EDIT, permissions.ACTION_CAN_READ]

    with self.app.app_context():
        user = fab_utils.create_user(
            self.app,
            '******',
            granted_role,
            permissions=[],
        )
        self.expect_user_is_in_role(user, rolename=granted_role)

        # Each call gets its own list so no callee shares the same object.
        self.security_manager.sync_perm_for_dag(
            dag_id,
            access_control={granted_role: list(granted_perms)},
        )
        self.assert_user_has_dag_perms(
            perms=list(granted_perms),
            dag_id=dag_id,
            user=user,
        )

        # Same user, different role: the role-scoped grant must not follow.
        self.expect_user_is_in_role(user, rolename='NOT-team-a')
        self.assert_user_does_not_have_dag_perms(
            perms=list(granted_perms),
            dag_id=dag_id,
            user=user,
        )
def test_access_control_stale_perms_are_revoked(self):
    """Re-syncing a DAG with a narrower ``access_control`` revokes the dropped permissions.

    The role first receives READ_WRITE on the DAG; the DAG is then re-synced
    with READ_ONLY. Afterwards read must remain and edit must be gone — a
    stale, wider grant must not survive the second sync.
    """
    dag_id = 'access_control_test'
    role = 'team-a'

    with self.app.app_context():
        user = fab_utils.create_user(self.app, '******', role, permissions=[])
        self.expect_user_is_in_role(user, rolename=role)

        # First sync: the wide grant.
        self.security_manager.sync_perm_for_dag(dag_id, access_control={role: READ_WRITE})
        self.assert_user_has_dag_perms(perms=READ_WRITE, dag_id=dag_id, user=user)

        # Second sync narrows the grant; edit must be revoked, read kept.
        self.security_manager.sync_perm_for_dag(dag_id, access_control={role: READ_ONLY})
        self.assert_user_has_dag_perms(
            perms=[permissions.ACTION_CAN_READ], dag_id=dag_id, user=user
        )
        self.assert_user_does_not_have_dag_perms(
            perms=[permissions.ACTION_CAN_EDIT], dag_id=dag_id, user=user
        )
def test_get_accessible_dag_ids(self):
    """``get_accessible_dag_ids`` returns the DAG whose ``access_control`` grants the user's role CAN_READ.

    A DagModel row is committed first, then the DAG is synced with an
    ``access_control`` entry for the role; the accessible set must be
    exactly ``{'dag_id'}``.
    """
    role_name = 'MyRole1'
    dag_id = 'dag_id'

    user = fab_utils.create_user(
        self.app,
        "******",
        role_name,
        permissions=[
            # NOTE(review): the same (action, resource) pair is listed twice;
            # presumably one entry was meant to be a different permission — confirm.
            (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
            (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG),
        ],
    )

    self.session.add(
        DagModel(dag_id=dag_id, fileloc="/tmp/dag_.py", schedule_interval="2 2 * * *")
    )
    self.session.commit()

    self.security_manager.sync_perm_for_dag(  # type: ignore # pylint: disable=no-member
        dag_id,
        access_control={role_name: [permissions.ACTION_CAN_READ]},
    )
    self.assertEqual(self.security_manager.get_accessible_dag_ids(user), {'dag_id'})
def test_dont_get_inaccessible_dag_ids_for_dag_resource_permission(self):
    """``get_readable_dag_ids`` excludes a DAG the user can only edit.

    The role holds CAN_EDIT (and not CAN_READ) on the DAG resource, and the
    DAG's ``access_control`` grants the role CAN_EDIT as well; the readable
    set must still be empty.
    """
    role_name = "MyRole1"
    dag_id = "dag_id"
    edit_only = [permissions.ACTION_CAN_EDIT]

    user = fab_utils.create_user(
        self.app,
        "******",
        role_name,
        permissions=[(permissions.ACTION_CAN_EDIT, permissions.RESOURCE_DAG)],
    )
    self.session.add(
        DagModel(dag_id=dag_id, fileloc="/tmp/dag_.py", schedule_interval="2 2 * * *")
    )
    self.session.commit()

    self.security_manager.sync_perm_for_dag(  # type: ignore # pylint: disable=no-member
        dag_id,
        access_control={role_name: edit_only},
    )
    # Edit rights alone must not make the DAG count as readable.
    assert self.security_manager.get_readable_dag_ids(user) == set()
def test_get_current_user_permissions(self, mock_get_user_roles):
    """``get_current_user_permissions`` is derived from the current user's roles.

    ``mock_get_user_roles`` is presumably injected by a patch decorator on this
    method (not visible in this excerpt). With the user's single role returned
    the result is exactly that role's (action, resource) pair; with no roles
    returned the result is empty.
    """
    role_name = 'MyRole5'
    action, resource = 'can_some_action', 'SomeBaseView'

    with self.app.app_context():
        user = fab_utils.create_user(
            self.app,
            '******',
            role_name,
            permissions=[(action, resource)],
        )
        mock_get_user_roles.return_value = [user.roles[0]]
        assert self.security_manager.get_current_user_permissions() == {(action, resource)}

        # No roles must yield no permissions, not some default set.
        mock_get_user_roles.return_value = []
        assert len(self.security_manager.get_current_user_permissions()) == 0
def test_access_control_with_invalid_permission(self):
    """``sync_perm_for_dag`` rejects ``access_control`` entries that are not DAG permissions.

    Both a real-but-unrelated permission and a made-up one must raise
    AirflowException whose message mentions "invalid permissions", so a
    mistaken entry in a DAG's ``access_control`` fails loudly rather than
    being silently accepted.
    """
    user = fab_utils.create_user(
        self.app,
        username="******",
        role_name='team-a',
    )

    # 'can_varimport' is a real permission but not a member of DAG_PERMS;
    # 'can_eat_pudding' is clearly not a real permission.
    for bad_permission in ('can_varimport', 'can_eat_pudding'):
        self.expect_user_is_in_role(user, rolename='team-a')
        with self.assertRaises(AirflowException) as context:
            self.security_manager.sync_perm_for_dag(
                'access_control_test',
                access_control={'team-a': {bad_permission}},
            )
        self.assertIn("invalid permissions", str(context.exception))
def test_all_dag_access_doesnt_give_non_dag_access(self):
    """CAN_READ on the DAG resource must not imply CAN_READ on TaskInstance.

    NOTE(review): another method with this exact name appears later in this
    excerpt (using RESOURCE_DAGS and assertTrue/assertFalse). In Python the
    later ``def`` replaces the earlier one in the class body, so only one of
    the two actually runs — confirm which is intended and rename or drop the other.
    """
    role_name = 'dag_access_role'
    dag_read = (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAG)

    with self.app.app_context():
        user = fab_utils.create_user(
            self.app,
            '******',
            role_name,
            # NOTE(review): the same permission is listed twice — confirm.
            permissions=[dag_read, dag_read],
        )
        # Granted on the DAG resource ...
        assert self.security_manager.has_access(*dag_read, user)
        # ... but not on TaskInstance: no widening across resource types.
        assert not self.security_manager.has_access(
            permissions.ACTION_CAN_READ, permissions.RESOURCE_TASK_INSTANCE, user
        )
def test_all_dag_access_doesnt_give_non_dag_access(self):
    """CAN_READ on the DAGS resource must not imply CAN_READ on 'Task'.

    NOTE(review): a method with this exact name also appears earlier in this
    excerpt (using RESOURCE_DAG and plain asserts). In Python the later
    ``def`` replaces the earlier one in the class body, so only one of the
    two actually runs — confirm which is intended and rename or drop the other.
    """
    role_name = 'dag_access_role'
    dags_read = (permissions.ACTION_CAN_READ, permissions.RESOURCE_DAGS)

    with self.app.app_context():
        user = fab_utils.create_user(
            self.app,
            '******',
            role_name,
            # NOTE(review): the same permission is listed twice — confirm.
            permissions=[dags_read, dags_read],
        )
        # Granted on DAGS ...
        self.assertTrue(self.security_manager.has_access(*dags_read, user))
        # ... but not on the 'Task' resource: no widening across resource types.
        self.assertFalse(
            self.security_manager.has_access(permissions.ACTION_CAN_READ, 'Task', user)
        )
def test_get_all_permissions_views(self, mock_get_user_roles):
    """``get_all_permissions_views`` is derived from the current user's roles.

    ``mock_get_user_roles`` is presumably injected by a patch decorator on this
    method (not visible in this excerpt). With the user's single role returned
    the result is exactly that role's (action, view) pair; with no roles
    returned the result is empty.
    """
    role_name = 'MyRole5'
    action, view = 'can_some_action', 'SomeBaseView'

    with self.app.app_context():
        user = fab_utils.create_user(
            self.app,
            '******',
            role_name,
            permissions=[(action, view)],
        )
        mock_get_user_roles.return_value = [user.roles[0]]
        self.assertEqual(
            self.security_manager.get_all_permissions_views(), {(action, view)}
        )

        # No roles must yield no permissions, not some default set.
        mock_get_user_roles.return_value = []
        self.assertEqual(len(self.security_manager.get_all_permissions_views()), 0)