def check_api_resource_permissions(resource_permissions):
for _r_id, _r_perms in resource_permissions:
urp_path = "/users/{}/resources/{}/permissions".format(
self.test_user_name, _r_id)
urp_resp = utils.test_request(self, "GET", urp_path)
urp_body = utils.check_response_basic_info(urp_resp)
ur_perms = [
perm.json() for perm in _r_perms
if isinstance(perm, PermissionSet)
]
for perm in ur_perms:
perm["type"] = PermissionType.DIRECT.value
permissions = urp_body["permissions"]
for perm in permissions:
perm.pop("reason",
None) # >= 3.4, don't care for this test
utils.check_all_equal(permissions, ur_perms, any_order=True)
def check_ui_resource_permissions(perm_form, resource_id, permissions):
select_res_id = "permission_resource_{}".format(resource_id)
select_options = perm_form.fields[
select_res_id] # contains multiple select, one per applicable permission
utils.check_val_equal(
len(select_options),
2,
msg="Always 2 select combobox expected (read and write).")
select_values = [select.value for select in select_options]
if not permissions:
utils.check_all_equal(
["", ""],
select_values,
msg="When no permission is selected, values are empty")
return
# value must match exactly the *explicit* permission representation
for r_perm in permissions:
utils.check_val_is_in(r_perm, select_values)
def test_register_permissions_existing_group_without_intermediate_entries(
self):
utils.TestSetup.create_TestService(
self,
override_service_name=self.test_perm_svc_name,
override_service_type=ServiceAPI.service_type)
utils.TestSetup.create_TestGroup(
self, override_group_name=self.test_perm_grp_name)
session = get_db_session_from_settings(self.app.app.registry.settings)
res1_name = "test-resource"
res2_name = "sub-test-resource"
res3_name = "sub-sub-test-resource"
res3_perm = Permission.WRITE_MATCH
perm_config = {
"permissions": [
{
"service": self.test_perm_svc_name, # exists
"resource": res1_name + "/" + res2_name + "/" +
res3_name, # none exist, all created for perm
"permission": res3_perm.value, # perm only to lowest child
"action": "create",
"group": self.test_perm_grp_name,
},
]
}
utils.check_no_raise(
lambda: register.magpie_register_permissions_from_config(
perm_config, db_session=session))
# check that all service, resources, group are created correctly
services = utils.TestSetup.get_RegisteredServicesList(self)
utils.check_val_is_in(self.test_perm_svc_name,
[s["service_name"] for s in services])
groups = utils.TestSetup.get_RegisteredGroupsList(self)
utils.check_val_is_in(self.test_perm_grp_name, groups)
resp = utils.test_request(
self.app, "GET",
"/services/{}/resources".format(self.test_perm_svc_name))
body = utils.check_response_basic_info(resp)
svc_res = body[self.test_perm_svc_name]["resources"]
svc_res_id = body[self.test_perm_svc_name]["resource_id"]
utils.check_val_is_in(res1_name,
[svc_res[r]["resource_name"] for r in svc_res])
res1_id = [
svc_res[r]["resource_id"] for r in svc_res
if svc_res[r]["resource_name"] == res1_name
][0]
res1_sub = svc_res[str(res1_id)]["children"]
utils.check_val_is_in(res2_name,
[res1_sub[r]["resource_name"] for r in res1_sub])
res2_id = [
res1_sub[r]["resource_id"] for r in res1_sub
if res1_sub[r]["resource_name"] == res2_name
][0]
res2_sub = res1_sub[str(res2_id)]["children"]
utils.check_val_is_in(res3_name,
[res2_sub[r]["resource_name"] for r in res2_sub])
res3_id = [
res2_sub[r]["resource_id"] for r in res2_sub
if res2_sub[r]["resource_name"] == res3_name
][0]
# check that all permissions are created correctly (only for final item)
path = "/groups/{}/resources/{}/permissions".format(
self.test_perm_grp_name, svc_res_id)
resp = utils.test_request(self.app, "GET", path)
body = utils.check_response_basic_info(resp)
utils.check_val_equal(body["permission_names"], [])
path = "/groups/{}/resources/{}/permissions".format(
self.test_perm_grp_name, res1_id)
resp = utils.test_request(self.app, "GET", path)
body = utils.check_response_basic_info(resp)
utils.check_val_equal(body["permission_names"], [])
path = "/groups/{}/resources/{}/permissions".format(
self.test_perm_grp_name, res2_id)
resp = utils.test_request(self.app, "GET", path)
body = utils.check_response_basic_info(resp)
utils.check_val_equal(body["permission_names"], [])
path = "/groups/{}/resources/{}/permissions".format(
self.test_perm_grp_name, res3_id)
resp = utils.test_request(self.app, "GET", path)
body = utils.check_response_basic_info(resp)
utils.check_all_equal(body["permission_names"], [res3_perm.value])
def test_format_permissions_allowed(self):
"""
Validate that formats are also respected, but with additional auto-expansion of all *modifier* combinations on
permission names when requesting :attr:`PermissionType.ALLOWED` permissions.
.. seealso::
:meth:`test_format_permissions_applied`
"""
utils.warn_version(__meta__.__version__,
"permission format validation",
"3.0",
skip=True)
# add duplicates with extra modifiers only to test removal
# provide in random order to validate proper sorting
# use multiple permission implementation to validate they are still handled
test_perms = [
PermissionSet(Permission.READ, Access.DENY, Scope.RECURSIVE),
PermissionSet(Permission.READ, Access.DENY, Scope.MATCH),
PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE),
PermissionSet(Permission.READ, Access.ALLOW, Scope.MATCH),
Permission.READ,
"write-match", # old implicit format
Permission.WRITE,
]
format_perms = format_permissions(test_perms, PermissionType.ALLOWED)
expect_names = [
Permission.READ.value + "-" + Scope.MATCH.value,
str(PermissionSet(Permission.READ, Access.ALLOW, Scope.MATCH)),
Permission.READ.value,
str(PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE)),
# no implicit name for denied
str(PermissionSet(Permission.READ, Access.DENY, Scope.MATCH)),
str(PermissionSet(Permission.READ, Access.DENY, Scope.RECURSIVE)),
Permission.WRITE.value + "-" + Scope.MATCH.value,
str(PermissionSet(Permission.WRITE, Access.ALLOW, Scope.MATCH)),
Permission.WRITE.value,
str(PermissionSet(Permission.WRITE, Access.ALLOW,
Scope.RECURSIVE)),
# no implicit name for denied
str(PermissionSet(Permission.WRITE, Access.DENY, Scope.MATCH)),
str(PermissionSet(Permission.WRITE, Access.DENY, Scope.RECURSIVE)),
]
expect_perms = [
PermissionSet(Permission.READ, Access.ALLOW, Scope.MATCH,
PermissionType.ALLOWED).json(),
PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE,
PermissionType.ALLOWED).json(),
PermissionSet(Permission.READ, Access.DENY, Scope.MATCH,
PermissionType.ALLOWED).json(),
PermissionSet(Permission.READ, Access.DENY, Scope.RECURSIVE,
PermissionType.ALLOWED).json(),
PermissionSet(Permission.WRITE, Access.ALLOW, Scope.MATCH,
PermissionType.ALLOWED).json(),
PermissionSet(Permission.WRITE, Access.ALLOW, Scope.RECURSIVE,
PermissionType.ALLOWED).json(),
PermissionSet(Permission.WRITE, Access.DENY, Scope.MATCH,
PermissionType.ALLOWED).json(),
PermissionSet(Permission.WRITE, Access.DENY, Scope.RECURSIVE,
PermissionType.ALLOWED).json(),
]
utils.check_all_equal(format_perms["permission_names"],
expect_names,
any_order=False)
utils.check_all_equal(format_perms["permissions"],
expect_perms,
any_order=False)
def test_compare_and_sort_operations(self):
perm_ram = PermissionSet(Permission.READ, Access.ALLOW, Scope.MATCH)
perm_rar = PermissionSet(Permission.READ, Access.ALLOW,
Scope.RECURSIVE)
perm_rdm = PermissionSet(Permission.READ, Access.DENY, Scope.MATCH)
perm_rdr = PermissionSet(Permission.READ, Access.DENY, Scope.RECURSIVE)
perm_wam = PermissionSet(Permission.WRITE, Access.ALLOW, Scope.MATCH)
perm_war = PermissionSet(Permission.WRITE, Access.ALLOW,
Scope.RECURSIVE)
perm_wdm = PermissionSet(Permission.WRITE, Access.DENY, Scope.MATCH)
perm_wdr = PermissionSet(Permission.WRITE, Access.DENY,
Scope.RECURSIVE)
perm_sorted = [
perm_ram, perm_rar, perm_rdm, perm_rdr, perm_wam, perm_war,
perm_wdm, perm_wdr
]
perm_random = [
perm_rdr, perm_wam, perm_wdm, perm_rar, perm_war, perm_ram,
perm_wdr, perm_rdm
]
utils.check_val_equal(
perm_rar,
Permission.READ,
msg="Should be equal because of defaults and name conversion")
utils.check_val_not_equal(perm_rar,
Permission.WRITE,
msg="Not equal because of mismatch name")
utils.check_val_equal(
perm_rar,
perm_rar.json(),
msg="Pre-convert any known representation before equal check")
utils.check_all_equal(list(sorted(perm_random)),
perm_sorted,
any_order=False)
# cannot sort elements with other type representations although 'PermissionSet' can, because they don't know it
# (ie: str.__lt__ and dict.__ls__ could be called with 'other' being 'PermissionSet' depending on random order)
# can still do the individual compares though if the reference object is 'PermissionSet' and other is anything
utils.check_val_equal(perm_sorted[0] < perm_sorted[1], True)
utils.check_val_equal(perm_sorted[0] < perm_sorted[1].json(), True)
utils.check_val_equal(
perm_sorted[0] < perm_sorted[1].implicit_permission, True)
utils.check_val_equal(
perm_sorted[0] < perm_sorted[1].explicit_permission, True)
utils.check_val_equal(perm_sorted[0] > perm_sorted[1], False)
utils.check_val_equal(perm_sorted[0] > perm_sorted[1].json(), False)
utils.check_val_equal(
perm_sorted[0] > perm_sorted[1].implicit_permission, False)
utils.check_val_equal(
perm_sorted[0] > perm_sorted[1].explicit_permission, False)
# validate similarity comparison with inplace conversion at the same time
for perm_1, perm_2 in itertools.product(perm_sorted[0:4],
perm_sorted[0:4]):
utils.check_val_equal(perm_1.like(perm_2.json()),
True,
msg="Expected {!r} ~ {!r}".format(
perm_1, perm_2))
for perm_1, perm_2 in itertools.product(perm_sorted[0:4],
perm_sorted[4:8]):
utils.check_val_equal(perm_1.like(perm_2.json()),
False,
msg="Expected {!r} !~ {!r}".format(
perm_1, perm_2))
def test_format_permissions_applied(self):
"""
Validate that provided permission sets are formatted as intended, with both implicit and explicit variants, and
with both name strings and detailed JSON objects.
"""
utils.warn_version(__meta__.__version__,
"permission format validation",
"3.0",
skip=True)
usr_perm = models.UserPermission()
usr_perm.perm_name = Permission.GET_FEATURE.value
grp_perm = models.GroupPermission()
grp_perm.perm_name = "write-match" # using string for backward compatibility
dup_perm = Permission.READ.value # only one should remain in result
dup_usr_perm = models.UserPermission()
dup_usr_perm.perm_name = dup_perm # also only one remains although different type
only_perm = Permission.GET_CAPABILITIES
deny_match_perm = PermissionSet(Permission.GET_LEGEND_GRAPHIC,
Access.DENY, Scope.MATCH)
deny_str_perm = Permission.GET_MAP.value + "-" + Access.DENY.value
deny_recur_perm = PermissionSet(Permission.GET_METADATA, Access.DENY,
Scope.RECURSIVE)
# purposely use a random order to test sorting simultaneously to duplicate removal
any_perms = [
deny_match_perm, dup_perm, only_perm, usr_perm, dup_usr_perm,
grp_perm, deny_str_perm, deny_recur_perm, deny_recur_perm
]
perm_type = PermissionType.DIRECT # anything else than 'allowed' to only get 'applied' permissions
format_perms = format_permissions(any_perms, perm_type)
expect_names = [
# both implicit/explicit variants added for backward compatibility and new format for each applicable case
only_perm.value,
str(PermissionSet(only_perm, Access.ALLOW, Scope.RECURSIVE)),
usr_perm.perm_name,
str(PermissionSet(usr_perm.perm_name)),
# deny only have explicit representation
str(deny_match_perm),
str(PermissionSet(deny_str_perm, Access.DENY, Scope.RECURSIVE)),
str(
PermissionSet(deny_recur_perm.name, deny_recur_perm.access,
Scope.RECURSIVE)),
dup_perm, # only one, other not present
str(PermissionSet(dup_perm, Access.ALLOW, Scope.RECURSIVE)),
grp_perm.perm_name,
str(PermissionSet(grp_perm.perm_name, Access.ALLOW, Scope.MATCH)),
]
expect_perms = [
PermissionSet(Permission.GET_CAPABILITIES, Access.ALLOW,
Scope.RECURSIVE, perm_type).json(),
PermissionSet(Permission.GET_FEATURE, Access.ALLOW,
Scope.RECURSIVE, perm_type).json(),
PermissionSet(Permission.GET_LEGEND_GRAPHIC, Access.DENY,
Scope.MATCH, perm_type).json(),
PermissionSet(Permission.GET_MAP, Access.DENY, Scope.RECURSIVE,
perm_type).json(),
PermissionSet(Permission.GET_METADATA, Access.DENY,
Scope.RECURSIVE, perm_type).json(),
PermissionSet(Permission.READ, Access.ALLOW, Scope.RECURSIVE,
perm_type).json(),
PermissionSet(Permission.WRITE, Access.ALLOW, Scope.MATCH,
perm_type).json(),
]
utils.check_all_equal(format_perms["permission_names"],
expect_names,
any_order=False)
utils.check_all_equal(format_perms["permissions"],
expect_perms,
any_order=False)
def test_enum_values_listing(self):
utils.check_all_equal(DummyEnum.values(), ["value-1", "value-2"],
any_order=True)