Exemplo n.º 1
0
def test_can_list_all_permissions():
    role_one = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING)
    role_two = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_REPORTS)
    port_role = PortfolioRoleFactory.create(
        permission_sets=[role_one, role_two])
    expected_perms = role_one.permissions + role_two.permissions
    assert expected_perms == expected_perms
Exemplo n.º 2
0
def test_has_application_permission():
    role_one = PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM)
    role_two = PermissionSets.get(PermissionSets.EDIT_APPLICATION_ENVIRONMENTS)
    app_role = ApplicationRoleFactory.create(
        permission_sets=[role_one, role_two])
    different_user = UserFactory.create()
    assert Authorization.has_application_permission(
        app_role.user, app_role.application, Permissions.EDIT_ENVIRONMENT)
    assert not Authorization.has_portfolio_permission(
        app_role.user, app_role.application, Permissions.DELETE_ENVIRONMENT)
    assert not Authorization.has_portfolio_permission(
        different_user, app_role.application, Permissions.DELETE_ENVIRONMENT)
Exemplo n.º 3
0
def test_has_portfolio_permission():
    role_one = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_FUNDING)
    role_two = PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_REPORTS)
    port_role = PortfolioRoleFactory.create(
        permission_sets=[role_one, role_two])
    different_user = UserFactory.create()
    assert Authorization.has_portfolio_permission(
        port_role.user, port_role.portfolio,
        Permissions.VIEW_PORTFOLIO_REPORTS)
    assert not Authorization.has_portfolio_permission(
        port_role.user, port_role.portfolio, Permissions.CREATE_TASK_ORDER)
    assert not Authorization.has_portfolio_permission(
        different_user, port_role.portfolio,
        Permissions.VIEW_PORTFOLIO_REPORTS)
Exemplo n.º 4
0
def test_remove_portfolio_member_ppoc(client, user_session):
    portfolio = PortfolioFactory.create()

    user = UserFactory.create()
    PortfolioRoleFactory.create(
        portfolio=portfolio,
        user=user,
        permission_sets=[
            PermissionSets.get(PermissionSets.EDIT_PORTFOLIO_ADMIN)
        ],
    )
    ppoc_port_role = PortfolioRoles.get(portfolio_id=portfolio.id,
                                        user_id=portfolio.owner.id)

    user_session(user)

    response = client.post(
        url_for(
            "portfolios.remove_member",
            portfolio_id=portfolio.id,
            portfolio_role_id=ppoc_port_role.id,
        ),
        follow_redirects=False,
    )

    assert response.status_code == 404
    assert (PortfolioRoles.get(
        portfolio_id=portfolio.id,
        user_id=portfolio.owner.id).status == PortfolioRoleStatus.ACTIVE)
Exemplo n.º 5
0
def test_rerender_admin_page_if_member_perms_form_does_not_validate(
        client, user_session, monkeypatch):
    portfolio = PortfolioFactory.create()
    user = UserFactory.create()
    role = PortfolioRoleFactory.create(
        user=user,
        portfolio=portfolio,
        permission_sets=[
            PermissionSets.get(PermissionSets.EDIT_PORTFOLIO_ADMIN)
        ],
    )
    user_session(user)
    form_data = {
        "members_permissions-0-member_id": role.id,
        "members_permissions-0-perms_app_mgmt": "bad input",
        "members_permissions-0-perms_funding": "view_portfolio_funding",
        "members_permissions-0-perms_reporting": "view_portfolio_reports",
        "members_permissions-0-perms_portfolio_mgmt": "view_portfolio_admin",
    }

    mock_route = MagicMock(return_value=("", 200, {}))
    monkeypatch.setattr("atst.routes.portfolios.admin.render_admin_page",
                        mock_route)
    client.post(url_for("portfolios.edit_members", portfolio_id=portfolio.id),
                data=form_data)
    mock_route.assert_called()
Exemplo n.º 6
0
def test_has_application_role_history(session):
    owner = UserFactory.create()
    user = UserFactory.create()

    PortfolioFactory.create(
        owner=owner,
        applications=[{
            "name":
            "starkiller",
            "environments": [{
                "name":
                "bridge",
                "members": [{
                    "user": user,
                    "role_name": "developer"
                }],
            }],
        }],
    )

    app_role = user.application_roles[0]
    app_role.permission_sets = [
        PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM)
    ]
    session.add(app_role)
    session.commit()

    changed_event = (session.query(AuditEvent).filter(
        AuditEvent.resource_id == app_role.id,
        AuditEvent.action == "update").one())
    old_state, new_state = changed_event.changed_state["permission_sets"]
    assert old_state == [PermissionSets.VIEW_APPLICATION]
    assert new_state == [PermissionSets.EDIT_APPLICATION_TEAM]
Exemplo n.º 7
0
def test_no_update_member_permissions_without_edit_access(
        client, user_session):
    portfolio = PortfolioFactory.create()
    rando = UserFactory.create()
    rando_pf_role = PortfolioRoleFactory.create(
        user=rando,
        portfolio=portfolio,
        permission_sets=[
            PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN)
        ],
    )

    user = UserFactory.create()
    PortfolioRoleFactory.create(
        user=user,
        portfolio=portfolio,
        permission_sets=[
            PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN)
        ],
    )
    user_session(user)

    form_data = {
        "members_permissions-0-member_id": rando_pf_role.id,
        "members_permissions-0-perms_app_mgmt":
        "edit_portfolio_application_management",
        "members_permissions-0-perms_funding": "view_portfolio_funding",
        "members_permissions-0-perms_reporting": "view_portfolio_reports",
        "members_permissions-0-perms_portfolio_mgmt": "view_portfolio_admin",
    }

    response = client.post(
        url_for("portfolios.edit_members", portfolio_id=portfolio.id),
        data=form_data,
        follow_redirects=True,
    )

    assert response.status_code == 404
    assert not rando_pf_role.has_permission_set(
        PermissionSets.EDIT_PORTFOLIO_APPLICATION_MANAGEMENT)
Exemplo n.º 8
0
def test_successful_login_redirect_ccpo(client, monkeypatch):
    monkeypatch.setattr(
        "atst.domain.authnid.AuthenticationContext.authenticate", lambda *args: True
    )
    role = PermissionSets.get(PermissionSets.VIEW_AUDIT_LOG)
    monkeypatch.setattr(
        "atst.domain.authnid.AuthenticationContext.get_user",
        lambda *args: UserFactory.create(),
    )

    resp = _login(client)

    assert resp.status_code == 302
    assert "home" in resp.headers["Location"]
    assert session["user_id"]
Exemplo n.º 9
0
    def _create(cls, model_class, *args, **kwargs):
        with_applications = kwargs.pop("applications", [])
        owner = kwargs.pop("owner", UserFactory.create())
        members = kwargs.pop("members", [])
        with_task_orders = kwargs.pop("task_orders", [])

        portfolio = super()._create(model_class, *args, **kwargs)

        applications = [
            ApplicationFactory.create(portfolio=portfolio, **p)
            for p in with_applications
        ]

        task_orders = [
            TaskOrderFactory.create(portfolio=portfolio, **to)
            for to in with_task_orders
        ]

        PortfolioRoleFactory.create(
            portfolio=portfolio,
            user=owner,
            status=PortfolioRoleStatus.ACTIVE,
            permission_sets=get_all_portfolio_permission_sets(),
        )

        for member in members:
            user = member.get("user", UserFactory.create())
            role_name = member["role_name"]

            perms_set = None
            if member.get("permissions_sets"):
                perms_set = [
                    PermissionSets.get(perm_set)
                    for perm_set in member.get("permission_sets")
                ]
            else:
                perms_set = []

            PortfolioRoleFactory.create(
                portfolio=portfolio,
                user=user,
                status=PortfolioRoleStatus.ACTIVE,
                permission_sets=perms_set,
            )

        portfolio.applications = applications
        portfolio.task_orders = task_orders
        return portfolio
Exemplo n.º 10
0
def test_scoped_portfolio_for_admin_missing_view_apps_perms(
        portfolio_owner, portfolio):
    Applications.create(
        portfolio.owner,
        portfolio,
        "My Application 2",
        "My application 2",
        ["dev", "staging", "prod"],
    )
    restricted_admin = UserFactory.create()
    PortfolioRoleFactory.create(
        portfolio=portfolio,
        user=restricted_admin,
        permission_sets=[PermissionSets.get(PermissionSets.VIEW_PORTFOLIO)],
    )
    scoped_portfolio = Portfolios.get(restricted_admin, portfolio.id)
    assert scoped_portfolio.id == portfolio.id
    assert len(portfolio.applications) == 1
    assert len(scoped_portfolio.applications) == 0
Exemplo n.º 11
0
def test_member_table_access(client, user_session):
    admin = UserFactory.create()
    portfolio = PortfolioFactory.create(owner=admin)
    rando = UserFactory.create()
    PortfolioRoleFactory.create(
        user=rando,
        portfolio=portfolio,
        permission_sets=[PermissionSets.get(PermissionSets.VIEW_PORTFOLIO_ADMIN)],
    )

    url = url_for("portfolios.admin", portfolio_id=portfolio.id)

    # editable
    user_session(admin)
    edit_resp = client.get(url)
    assert "<select" in edit_resp.data.decode()

    # not editable
    user_session(rando)
    view_resp = client.get(url)
    assert "<select" not in view_resp.data.decode()
Exemplo n.º 12
0
def test_get_nonexistent_permission_set():
    with pytest.raises(NotFoundError):
        PermissionSets.get("nonexistent")
Exemplo n.º 13
0
def test_get_existing_permission_set():
    role = PermissionSets.get("portfolio_poc")
    assert role.name == "portfolio_poc"
Exemplo n.º 14
0
def base_application_permission_sets():
    return [PermissionSets.get(PermissionSets.VIEW_APPLICATION)]
Exemplo n.º 15
0
def base_portfolio_permission_sets():
    return [
        PermissionSets.get(prms)
        for prms in PortfolioRoles.DEFAULT_PORTFOLIO_PERMISSION_SETS
    ]
Exemplo n.º 16
0
def test_update_member(client, user_session, session):
    role = PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM)
    # create an app role with only edit team perms
    app_role = ApplicationRoleFactory.create(permission_sets=[role])
    application = app_role.application
    env = EnvironmentFactory.create(application=application)
    env_1 = EnvironmentFactory.create(application=application)
    env_2 = EnvironmentFactory.create(application=application)
    # add user to two of the environments: env and env_1
    EnvironmentRoleFactory.create(environment=env,
                                  application_role=app_role,
                                  role=CSPRole.BASIC_ACCESS.value)
    EnvironmentRoleFactory.create(environment=env_1,
                                  application_role=app_role,
                                  role=CSPRole.BASIC_ACCESS.value)

    user_session(application.portfolio.owner)
    # update the user's app permissions to have edit team and env perms
    # update user's role in env, remove user from env_1, and add user to env_2
    response = client.post(
        url_for(
            "applications.update_member",
            application_id=application.id,
            application_role_id=app_role.id,
        ),
        data={
            "environment_roles-0-environment_id": env.id,
            "environment_roles-0-role": CSPRole.TECHNICAL_READ.value,
            "environment_roles-0-environment_name": env.name,
            "environment_roles-1-environment_id": env_1.id,
            "environment_roles-1-role": NO_ACCESS,
            "environment_roles-1-environment_name": env_1.name,
            "environment_roles-2-environment_id": env_2.id,
            "environment_roles-2-role": CSPRole.NETWORK_ADMIN.value,
            "environment_roles-2-environment_name": env_2.name,
            "perms_env_mgmt": True,
            "perms_team_mgmt": True,
            "perms_del_env": True,
        },
    )

    assert response.status_code == 302
    expected_url = url_for(
        "applications.settings",
        application_id=application.id,
        fragment="application-members",
        _anchor="application-members",
        _external=True,
    )
    assert response.location == expected_url
    # make sure new application role was not created
    assert len(application.roles) == 1
    # check that new app perms were added
    assert bool(
        app_role.has_permission_set(PermissionSets.EDIT_APPLICATION_TEAM))
    assert bool(
        app_role.has_permission_set(
            PermissionSets.EDIT_APPLICATION_ENVIRONMENTS))
    assert bool(
        app_role.has_permission_set(
            PermissionSets.DELETE_APPLICATION_ENVIRONMENTS))

    environment_roles = application.roles[0].environment_roles
    # make sure that old env role was deleted and there are only 2 env roles
    assert len(environment_roles) == 2
    # check that the user has roles in the correct envs
    assert environment_roles[0].environment in [env, env_2]
    assert environment_roles[1].environment in [env, env_2]