def test_create_record_success_with_multiple_roles(app, db, location, users,
cli_runner, create_schema,
auth_headers_for_superuser):
create_schema('test', experiment='CMS')
_datastore.find_or_create_role('*****@*****.**')
_datastore.find_or_create_role('*****@*****.**')
with NamedTemporaryFile('w+t') as tmp:
tmp.write('{}')
tmp.seek(0)
res = cli_runner(
f'fixtures create-deposit --file {tmp.name} --ana test -r [email protected] -r [email protected]'
)
assert res.exit_code == 0
with app.test_client() as client:
depid = re.search(r'id: (.*?)\n', res.output).group(1)
resp = client.get(f'/deposits/{depid}',
headers=auth_headers_for_superuser)
assert resp.status_code == 200
assert resp.json['access']['deposit-read']['roles'] == [
'*****@*****.**', '*****@*****.**'
]
def test_create_record_success_with_user_and_owner(app, db, location, users,
cli_runner, create_schema,
auth_headers_for_superuser):
user_mail = users['cms_user'].email
user_mail2 = users['cms_user2'].email
create_schema('test', experiment='CMS')
_datastore.find_or_create_role('*****@*****.**')
with NamedTemporaryFile('w+t') as tmp:
tmp.write('{}')
tmp.seek(0)
res = cli_runner(
f'fixtures create-deposit --file {tmp.name} --ana test -u {user_mail} -o {user_mail2}'
)
assert res.exit_code == 0
with app.test_client() as client:
depid = re.search(r'id: (.*?)\n', res.output).group(1)
resp = client.get(f'/deposits/{depid}',
headers=auth_headers_for_superuser)
assert resp.status_code == 200
assert resp.json['access']['deposit-read']['users'] == [
user_mail2, user_mail
]
assert resp.json['created_by'] == user_mail2
def test_deposit_publish_gives_acceess_to_members_of_exp(
client, db, users, create_deposit):
owner = users['superuser']
role = _datastore.find_or_create_role('*****@*****.**')
db.session.add(ActionRoles.allow(exp_need_factory('CMS'), role=role))
deposit = create_deposit(owner, 'test', {}, experiment='CMS', publish=True)
_, record = deposit.fetch_published()
assert record['_access'] == {
'record-read': {
'users': [owner.id, users['cms_user'].id, users['cms_user2'].id],
'roles': [role.id]
},
'record-update': {
'users': [owner.id],
'roles': []
},
'record-admin': {
'users': [owner.id],
'roles': []
}
}
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user']).one()
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user2']).one()
assert ActionRoles.query.filter_by(action='record-read',
argument=str(record.id),
role=role).one()
def test_get_deposit_with_permissions_json_serializer_returns_serialized_permissions_properly(
client, db, example_user, auth_headers_for_example_user, deposit):
egroup = _datastore.find_or_create_role('*****@*****.**')
deposit._add_egroup_permissions(
egroup,
['deposit-read', 'deposit-update'],
db.session,
)
deposit.commit()
db.session.commit()
resp = client.get('/deposits/{}'.format(deposit['_deposit']['id']),
headers=[('Accept', 'application/permissions+json')] +
auth_headers_for_example_user)
assert resp.status_code == 200
assert resp.json == {
'permissions': {
'admin': {
'roles': [],
'users': [example_user.email]
},
'read': {
'roles': [egroup.name],
'users': [example_user.email]
},
'update': {
'roles': [egroup.name],
'users': [example_user.email]
}
}
}
def test_deposit_publish_gives_acceess_to_members_of_exp(app, db, users, create_deposit):
owner = users['superuser']
role = _datastore.find_or_create_role('*****@*****.**')
db.session.add(ActionRoles.allow(exp_need_factory('CMS'), role=role))
deposit = create_deposit(owner, 'test-v1.0.0', {}, 'CMS', publish=True)
_, record = deposit.fetch_published()
assert record['_access'] == {
'record-read': {
'users': [owner.id, users['cms_user'].id, users['cms_user2'].id],
'roles': [role.id]
},
'record-update': {
'users': [owner.id],
'roles': []
},
'record-admin': {
'users': [owner.id],
'roles': []
}
}
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user']).one()
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user=users['cms_user2']).one()
assert ActionRoles.query.filter_by(action='record-read',
argument=str(record.id),
role=role).one()
def test_synchronize_cadi_entries_when_entry_doesnt_exist_creates_a_new_one(
base_app, es, location, create_schema):
create_schema('cms-analysis', experiment='CMS', version='0.0.1')
group_with_r_access = assign_egroup_to_experiment('*****@*****.**',
'CMS')
group_with_rw_access = _datastore.find_or_create_role(
'*****@*****.**')
# deposit with this cadi id doesn't exist
with raises(DepositDoesNotExist):
get_deposit_by_cadi_id('ANA-00-001')
synchronize_cadi_entries()
current_search.flush_and_refresh('deposits-records')
# deposit with this cadi id created
deposit = get_deposit_by_cadi_id('ANA-00-001')
assert deposit['cadi_info'] == {
'cadi_id': 'ANA-00-001',
'contact': '',
'created': '',
'description': '',
'name': '',
'paper': '',
'pas': '',
'publication_status': '',
'status': 'Free',
'twiki': ''
} # sets cadi info correctly
assert deposit['basic_info']['cadi_id'] == 'ANA-00-001' # sets cadi id
assert deposit['general_title'] == 'ANA-00-001'
# members of experiment got read access and cms-cap-admin egroup write access
assert deposit['_access']['deposit-read'] == {
'users': [],
'roles': [group_with_r_access.id, group_with_rw_access.id]
}
assert deposit['_access']['deposit-update'] == {
'users': [],
'roles': [group_with_rw_access.id]
}
assert deposit['_access']['deposit-admin'] == {'users': [], 'roles': []}
# deposit doesnt have owner
assert deposit['_deposit']['owners'] == []
def test_deposit_publish_record_inherits_deposit_permissions(app, db, users, create_deposit):
owner = users['superuser']
role = _datastore.find_or_create_role('*****@*****.**')
deposit = create_deposit(owner, 'test-v1.0.0', {})
deposit._add_egroup_permissions(role,
['deposit-read',
'deposit-update'],
db.session)
deposit.publish()
_, record = deposit.fetch_published()
assert record['_access'] == {
'record-read': {
'users': [owner.id],
'roles': [role.id]
},
'record-update': {
'users': [owner.id],
'roles': [role.id]
},
'record-admin': {
'users': [owner.id],
'roles': []
}
}
assert ActionUsers.query.filter_by(action='record-read',
argument=str(record.id),
user_id=owner.id).one()
assert ActionUsers.query.filter_by(action='record-update',
argument=str(record.id),
user_id=owner.id).one()
assert ActionUsers.query.filter_by(action='record-admin',
argument=str(record.id),
user_id=owner.id).one()
assert ActionRoles.query.filter_by(action='record-read',
argument=str(record.id),
role_id=role.id).one()
assert ActionRoles.query.filter_by(action='record-update',
argument=str(record.id),
role_id=role.id).one()
assert not ActionRoles.query.filter_by(action='record-admin',
argument=str(record.id),
role_id=role.id).one_or_none()
def test_get_deposit_with_default_serializer(client, users,
auth_headers_for_user,
create_deposit):
owner = users['cms_user']
deposit = create_deposit(
owner,
'cms-analysis', {
'$schema':
'https://analysispreservation.cern.ch/schemas/deposits/records/cms-analysis-v1.0.0.json',
'basic_info': {
'analysis_number': 'dream_team',
}
},
files={'file_1.txt': BytesIO(b'Hello world!')},
experiment='CMS')
depid = deposit['_deposit']['id']
metadata = deposit.get_record_metadata()
file = deposit.files['file_1.txt']
role = _datastore.find_or_create_role('*****@*****.**')
deposit.edit_permissions([{
'email': role.name,
'type': 'egroup',
'op': 'add',
'action': 'deposit-read'
}])
resp = client.get('/deposits/{}'.format(depid),
headers=[('Accept', 'application/json')] +
auth_headers_for_user(owner))
assert resp.status_code == 200
assert resp.json == {
'id':
depid,
'type':
'deposit',
'revision':
3,
'schema': {
'name': 'cms-analysis',
'version': '1.0.0'
},
'experiment':
'CMS',
'status':
'draft',
'created_by':
owner.email,
'created':
metadata.created.strftime('%Y-%m-%dT%H:%M:%S.%f+00:00'),
'updated':
metadata.updated.strftime('%Y-%m-%dT%H:%M:%S.%f+00:00'),
'metadata': {
'basic_info': {
'analysis_number': 'dream_team'
}
},
'labels': [],
'files': [{
'bucket': str(file.bucket),
'checksum': file.file.checksum,
'key': file.key,
'size': file.file.size,
'version_id': str(file.version_id)
}],
'access': {
'deposit-admin': {
'roles': [],
'users': [owner.email]
},
'deposit-update': {
'roles': [],
'users': [owner.email]
},
'deposit-read': {
'roles': ['*****@*****.**'],
'users': [owner.email]
}
},
'is_owner':
True,
'links': {
'bucket':
'http://analysispreservation.cern.ch/api/files/{}'.format(
deposit.files.bucket),
'clone':
'http://analysispreservation.cern.ch/api/deposits/{}/actions/clone'
.format(depid),
'discard':
'http://analysispreservation.cern.ch/api/deposits/{}/actions/discard'
.format(depid),
'edit':
'http://analysispreservation.cern.ch/api/deposits/{}/actions/edit'.
format(depid),
'files':
'http://analysispreservation.cern.ch/api/deposits/{}/files'.format(
depid),
'html':
'http://analysispreservation.cern.ch/drafts/{}'.format(depid),
'permissions':
'http://analysispreservation.cern.ch/api/deposits/{}/actions/permissions'
.format(depid),
'publish':
'http://analysispreservation.cern.ch/api/deposits/{}/actions/publish'
.format(depid),
'self':
'http://analysispreservation.cern.ch/api/deposits/{}'.format(
depid),
'upload':
'http://analysispreservation.cern.ch/api/deposits/{}/actions/upload'
.format(depid)
}
}
def test_synchronize_cadi_entries_when_entry_doesnt_exist_creates_a_new_one_and_assigns_all_the_permissions_correctly(
base_app, db, es, location, create_schema):
create_schema('cms-analysis', experiment='CMS', version='0.0.1')
owner = create_test_user('*****@*****.**')
cms_members_group_with_r_access = assign_egroup_to_experiment(
'*****@*****.**', 'CMS')
cms_admin_groups_with_admin_access = [
_datastore.find_or_create_role('*****@*****.**'),
_datastore.find_or_create_role('*****@*****.**'),
_datastore.find_or_create_role('*****@*****.**'),
]
db.session.commit()
# deposit with this cadi id doesn't exist
with raises(DepositDoesNotExist):
get_deposit_by_cadi_id('EXO-00-000')
synchronize_cadi_entries()
current_search.flush_and_refresh('deposits-records')
# deposit with this cadi id created
deposit = get_deposit_by_cadi_id('EXO-00-000')
assert deposit == {
'cadi_info': {
'description':
'Projections for 2HDM Higgs studies (H->ZZ and A->Zh) in 3000 fb-1',
'name':
'2HDM Higgs studies (H->ZZ and A->Zh)',
'contact':
'*****@*****.**',
'creator':
'*****@*****.**',
'updater':
'*****@*****.**',
'created':
'2014-02-05',
'updated':
'2014-07-26',
'twiki':
'https://twiki.cern.ch/twikiurl',
'paper':
'http://cms.cern.ch:80/paper.pdf',
'paper_tar':
'http://cms.cern.ch:80/paper.tgz',
'pas':
'******',
'awg':
'HIG',
'publication_status':
'Free',
'status':
'PUB',
'conference':
'',
'hepData':
'',
'relatedNotes': [{
'id':
'AN-2014/000',
'url':
'http://cms.cern.ch/noteInfo.jsp?cmsnoteid=CMS+AN-2014%2F000'
}, {
'id':
'AN-2013/000',
'url':
'http://cms.cern.ch/noteInfo.jsp?cmsnoteid=CMS+AN-2013%2F000'
}]
},
'general_title': '2HDM Higgs studies (H->ZZ and A->Zh)',
'_fetched_from': 'cadi',
'_user_edited': False,
'basic_info': {
'cadi_id': 'EXO-00-000'
},
'$schema':
'https://analysispreservation.cern.ch/schemas/deposits/records/cms-analysis-v0.0.1.json',
'_deposit': {
'id': deposit['_deposit']['id'],
'status': 'draft',
'owners': []
},
'_experiment': 'CMS',
'_access': {
'deposit-read': {
'users': [owner.id],
'roles': [cms_members_group_with_r_access.id] +
[x.id for x in cms_admin_groups_with_admin_access]
},
'deposit-update': {
'users': [owner.id],
'roles': [x.id for x in cms_admin_groups_with_admin_access]
},
'deposit-admin': {
'users': [owner.id],
'roles': [x.id for x in cms_admin_groups_with_admin_access]
}
},
'_files': []
}
def test_add_and_remove_egroup_permissions_set_access_object_properly_and_updates_actions_in_the_db(
app, db, users, create_deposit):
owner = users['cms_user']
egroup = _datastore.find_or_create_role('*****@*****.**')
deposit = create_deposit(owner, 'alice-analysis-v0.0.1')
assert deposit['_access'] == {
'deposit-read': {
'users': [owner.id],
'roles': []
},
'deposit-update': {
'users': [owner.id],
'roles': []
},
'deposit-admin': {
'users': [owner.id],
'roles': []
}
}
assert not ActionRoles.query.filter_by(
action='deposit-read',
argument=str(deposit.id),
role_id=egroup.id,
).all()
deposit._add_egroup_permissions(
egroup,
['deposit-read', 'deposit-update'],
db.session,
)
assert deposit['_access'] == {
'deposit-read': {
'users': [owner.id],
'roles': [egroup.id]
},
'deposit-update': {
'users': [owner.id],
'roles': [egroup.id]
},
'deposit-admin': {
'users': [owner.id],
'roles': []
}
}
assert ActionRoles.query.filter_by(
action='deposit-read',
argument=str(deposit.id),
role_id=egroup.id,
).one()
deposit._remove_egroup_permissions(
egroup,
['deposit-read', 'deposit-update'],
db.session,
)
assert deposit['_access'] == {
'deposit-read': {
'users': [owner.id],
'roles': []
},
'deposit-update': {
'users': [owner.id],
'roles': []
},
'deposit-admin': {
'users': [owner.id],
'roles': []
}
}
assert not ActionRoles.query.filter_by(
action='deposit-read',
argument=str(deposit.id),
role_id=egroup.id,
).all()
