class TestMaxACLValidation(TestCase):
"""Test AccessControlList max roles validation."""
def setUp(self):
super(TestMaxACLValidation, self).setUp()
self.api = Api()
self.client.get("/login")
@ddt.data("Assignee", "Verifier")
def test_max_roles_validation(self, role):
"""Test validation of max {} roles in object(OrgGroup)"""
og_admin = db.session.query(all_models.AccessControlRole.id).filter(
all_models.AccessControlRole.object_type == "OrgGroup",
all_models.AccessControlRole.name == "Admin").one()[0]
og_role = db.session.query(all_models.AccessControlRole.id).filter(
all_models.AccessControlRole.object_type == "OrgGroup",
all_models.AccessControlRole.name == role).one()[0]
acl = [
{
"ac_role_id": og_admin,
"person": {
"type": "Person",
"id": factories.PersonFactory().id,
}
},
{
"ac_role_id": og_role,
"person": {
"type": "Person",
"id": factories.PersonFactory().id,
}
},
]
data = {
"org_group": {
"title": "org_group title",
"context": None,
"access_control_list": acl,
}
}
response = self.api.post(all_models.OrgGroup, data)
self.assertEqual(response.status_code, 201)
self.assertEqual(all_models.OrgGroup.query.count(), 1)
data["org_group"]["title"] = "org_group title2"
acl += [{
"ac_role_id": og_role,
"person": {
"type": "Person",
"id": factories.PersonFactory().id,
}
}]
response = self.api.post(all_models.OrgGroup, data)
self.assertEqual(response.status_code, 400)
self.assertEqual(all_models.OrgGroup.query.count(), 1)
class TestIssueDueDate(TestCase):
"""Test suite to test Due Date of Issue"""
def setUp(self):
self.clear_data()
super(TestIssueDueDate, self).setUp()
self.api = Api()
def test_issue_due_date_post(self):
"""Test POST requests to Issue.due_date"""
response = self.api.post(all_models.Issue,
data={
"issue": {
"title": "TestDueDate",
"context": None,
"due_date": "06/14/2018",
}
})
self.assertEqual(201, response.status_code)
due_date = all_models.Issue.query.first().due_date.strftime("%m/%d/%Y")
self.assertEqual(due_date, "06/14/2018")
def test_issue_due_date_get(self):
"""Test GET HTTP requests to Issue.due_date"""
issue = factories.IssueFactory(due_date=datetime.date(2018, 6, 14))
response = self.api.get(all_models.Issue, issue.id)
issue_json = response.json
self.assert200(response)
self.assertEqual(issue_json["issue"]["due_date"], "2018-06-14")
def test_issue_due_date_put(self):
"""Test PUT HTTP requests to Issue.due_date"""
issue = factories.IssueFactory(due_date=datetime.date(2018, 6, 14))
data = issue.log_json()
data["due_date"] = "2018-06-15"
response = self.api.put(issue, data)
self.assert200(response)
self.assertEqual(response.json["issue"]["due_date"], "2018-06-15")
def test_issue_due_date_mandatory(self):
"""Test Issue.due_date is mandatory field"""
response = self.api.post(
all_models.Issue,
data={"issue": {
"title": "TestDueDate",
"context": None
}})
self.assert400(response)
self.assertIn("Due Date for the issue is not specified", response.data)
class TestAssessmentTemplate(TestCase):
""" Test AssessmentTemplate class. """
def setUp(self):
super(TestAssessmentTemplate, self).setUp()
self.api = Api()
def test_audit_setup(self):
"""Test audit setup for assessment_template"""
audit = factories.AuditFactory()
response = self.api.post(
all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {
"id": audit.id
},
"context": {
"id": audit.context.id
},
"default_people": {
"assignees": "Admin",
"verifiers": "Admin",
},
"title": "Some title"
}
})
self.assertStatus(response, 201)
template_id = response.json["assessment_template"]["id"]
template = all_models.AssessmentTemplate.query.get(template_id)
self.assertEqual(template.audit.id, audit.id)
def test_audit_issue_tracker(self):
"""Test existing audit issue_tracker info in template response"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
factories.IssueTrackerIssueFactory(
issue_tracked_obj=audit,
component_id="some id",
hotlist_id="some host id",
)
template_id = factories.AssessmentTemplateFactory(
audit=audit, context=audit.context).id
response = self.api.get(all_models.AssessmentTemplate, template_id)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
self.assertEqual(
response.json["assessment_template"]["audit"], {
"type": "Audit",
"id": audit.id,
"href": "/api/audits/{}".format(audit.id),
"context_id": audit.context.id,
"issue_tracker": {
"component_id": "some id",
"enabled": False,
"issue_severity": None,
"hotlist_id": "some host id",
"issue_priority": None,
"issue_type": None
}
})
class TestAssessmentTemplate(TestCase):
""" Test AssessmentTemplate class. """
def setUp(self):
super(TestAssessmentTemplate, self).setUp()
self.api = Api()
def test_audit_setup(self):
"""Test audit setup for assessment_template"""
audit = factories.AuditFactory()
response = self.api.post(all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {"id": audit.id},
"context": {"id": audit.context.id},
"default_people": {
"assignees": "Admin",
"verifiers": "Admin",
},
"title": "Some title"
}
})
self.assertStatus(response, 201)
template_id = response.json["assessment_template"]["id"]
template = all_models.AssessmentTemplate.query.get(template_id)
self.assertEqual(template.audit.id, audit.id)
def test_audit_issue_tracker(self):
"""Test existing audit issue_tracker info in template response"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
factories.IssueTrackerIssueFactory(
issue_tracked_obj=audit,
component_id="some id",
hotlist_id="some host id",
)
template_id = factories.AssessmentTemplateFactory(
audit=audit,
context=audit.context
).id
response = self.api.get(all_models.AssessmentTemplate, template_id)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
self.assertEqual(
response.json["assessment_template"]["audit"],
{
"type": "Audit",
"id": audit.id,
"href": "/api/audits/{}".format(audit.id),
"context_id": audit.context.id,
"issue_tracker": {
"component_id": "some id",
"enabled": False,
"issue_severity": None,
"hotlist_id": "some host id",
"issue_priority": None,
"issue_type": None
}
}
)
class CycleTaskEntryRBACFactory(base.BaseRBACFactory):
"""Cycle Task Entry RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle Task Entry permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
self.create()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Cycle Task Entry object."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.post(all_models.CycleTaskEntry, {
"cycle_task_entry": {
"description": "New Comment",
"is_declining_review": "",
"context": None,
"cycle_task_group_object_task": {
"id": cycle_task.id,
"type": "CycleTaskGroupObjectTask",
},
"cycle": {
"id": cycle_task.cycle.id,
"type": "Cycle",
},
}
})
def read(self):
"""Read existing Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.get(cycle_task_entry, cycle_task_entry.id)
def update(self):
"""Update title of existing Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.put(
cycle_task_entry,
{"description": factories.random_str()}
)
def delete(self):
"""Delete Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.delete(cycle_task_entry)
class CycleTaskEntryRBACFactory(base.BaseRBACFactory):
"""Cycle Task Entry RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle Task Entry permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
self.create()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Cycle Task Entry object."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.post(all_models.CycleTaskEntry, {
"cycle_task_entry": {
"description": "New Comment",
"is_declining_review": "",
"context": None,
"cycle_task_group_object_task": {
"id": cycle_task.id,
"type": "CycleTaskGroupObjectTask",
},
"cycle": {
"id": cycle_task.cycle.id,
"type": "Cycle",
},
}
})
def read(self):
"""Read existing Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.get(cycle_task_entry, cycle_task_entry.id)
def update(self):
"""Update title of existing Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.put(
cycle_task_entry,
{"description": factories.random_str()}
)
def delete(self):
"""Delete Cycle Task Entry object."""
cycle_task_entry = all_models.CycleTaskEntry.query.first()
return self.api.delete(cycle_task_entry)
def generate_cycle(workflow_id, api=None):
"""Create cycle with task automatically."""
if not api:
api = Api()
return api.post(all_models.Cycle, {
"cycle": {
"context": None,
"autogenerate": True,
"isOverdue": False,
"workflow": {
"id": workflow_id,
"type": "Workflow",
},
}
})
def generate_cycle(workflow_id, api=None):
"""Create cycle with task automatically."""
if not api:
api = Api()
return api.post(
all_models.Cycle, {
"cycle": {
"context": None,
"autogenerate": True,
"isOverdue": False,
"workflow": {
"id": workflow_id,
"type": "Workflow",
},
}
})
class TestAudit(TestCase):
""" Test Audit class. """
def setUp(self):
super(TestAudit, self).setUp()
self.api = Api()
self.gen = generator.ObjectGenerator()
def generate_control_mappings(self, control):
"""Map Control to several Assessments"""
acr_creator = all_models.AccessControlRole.query.filter_by(
name="Creators", object_type="Assessment").first()
with factories.single_commit():
person = factories.PersonFactory()
asmnt_ids = []
for _ in range(2):
asmnt = factories.AssessmentFactory()
asmnt_ids.append(asmnt.id)
factories.AccessControlListFactory(object=asmnt,
person=person,
ac_role=acr_creator)
for asmnt_id in asmnt_ids:
asmnt = all_models.Assessment.query.get(asmnt_id)
self.gen.generate_relationship(source=asmnt, destination=control)
def test_creation_mapped_control(self):
"""Check creation of new Audit if Program has Control with mapped roles"""
control = factories.ControlFactory()
# Map original of control to several assessments to get propagated roles
self.generate_control_mappings(control)
# Existing control should be updated to create new revision with ACL
self.api.put(control, {"title": "Test Control"})
program = factories.ProgramFactory()
factories.RelationshipFactory(source=program, destination=control)
response = self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id
},
"status": "Planned",
"context": None
}
}])
self.assert200(response)
class TestIssueDueDate(TestCase):
"""Test suite to test Due Date of Issue"""
def setUp(self):
self.clear_data()
super(TestIssueDueDate, self).setUp()
self.api = Api()
def test_issue_due_date_post(self):
"""Test POST requests to Issue.due_date"""
response = self.api.post(all_models.Issue, data={
"issue": {
"title": "TestDueDate",
"context": None,
"due_date": "06/14/2018",
}
})
self.assertEqual(201, response.status_code)
due_date = all_models.Issue.query.first().due_date.strftime("%m/%d/%Y")
self.assertEqual(due_date, "06/14/2018")
def test_issue_due_date_get(self):
"""Test GET HTTP requests to Issue.due_date"""
issue = factories.IssueFactory(due_date=datetime.date(2018, 6, 14))
response = self.api.get(all_models.Issue, issue.id)
issue_json = response.json
self.assert200(response)
self.assertEqual(issue_json["issue"]["due_date"], "2018-06-14")
def test_issue_due_date_put(self):
"""Test PUT HTTP requests to Issue.due_date"""
issue = factories.IssueFactory(due_date=datetime.date(2018, 6, 14))
data = issue.log_json()
data["due_date"] = "2018-06-15"
response = self.api.put(issue, data)
self.assert200(response)
self.assertEqual(response.json["issue"]["due_date"], "2018-06-15")
class TestAccessControlListValidation(TestCase):
"""Test AccessControlList validation."""
def setUp(self):
super(TestAccessControlListValidation, self).setUp()
self.api = Api()
self.client.get("/login")
role_ids = db.session.query(
all_models.AccessControlRole.id
).filter(
all_models.AccessControlRole.object_type.in_(("Control", "Objective")),
all_models.AccessControlRole.name == "Admin"
).order_by(all_models.AccessControlRole.object_type)
role_ids = [id_[0] for id_ in role_ids]
self.control_admin_acr_id, self.objective_admin_acr_id = role_ids
def test_create_with_wrong_acl(self):
"""Test creation of object with wrong ACR in ACL."""
response = self.api.post(all_models.Control, {
"control": {
"title": "Control title",
"context": None,
"access_control_list": [{
"ac_role_id": self.objective_admin_acr_id,
"person": {
"type": "Person",
"id": factories.PersonFactory().id,
}
}],
},
})
self.assert400(response)
self.assertEqual(all_models.Control.query.count(), 0)
def test_update_with_wrong_acl(self):
"""Test update of object with wrong ACR in ACL."""
with factories.single_commit():
control = factories.ControlFactory()
control_id = control.id
person_id = factories.PersonFactory().id
factories.AccessControlListFactory(
object_type="Control",
object_id=control_id,
person_id=person_id,
ac_role_id=self.control_admin_acr_id
)
response = self.api.put(
control,
{
"access_control_list": [{
"ac_role_id": self.objective_admin_acr_id,
"person": {
"type": "Person",
"id": person_id,
}
}]
}
)
self.assert400(response)
acls = all_models.AccessControlList.query.filter_by(
object_type="Control",
object_id=control_id
)
for acl in acls:
acl_obj_type = acl.object_type
acr_obj_type = acl.ac_role.object_type
self.assertEqual(acl_obj_type, acr_obj_type)
class EvidenceRBACFactory(base.BaseRBACFactory):
"""Evidence RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Evidence permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr)
with factories.single_commit():
evidence = factories.EvidenceUrlFactory()
if parent == "Audit":
self.mapping_id = factories.RelationshipFactory(
source=self.audit, destination=evidence).id
elif parent == "Assessment":
self.mapping_id = factories.RelationshipFactory(
source=self.assessment, destination=evidence).id
self.evidence_id = evidence.id
self.parent = parent
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Evidence",
).one().id
self.user_id = user_id
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Evidence object."""
result = self.api.post(
all_models.Evidence, {
"evidence": {
"access_control_list": [{
"ac_role_id": self.admin_acr_id,
"person": {
"id": self.user_id,
"type": "Person",
}
}],
"link":
factories.random_str(),
"title":
factories.random_str(),
"context":
None,
}
})
return result
def read(self):
"""Read existing Evidence object."""
res = self.api.get(all_models.Evidence, self.evidence_id)
return res
def update(self):
"""Update title of existing Evidence object."""
evidence = all_models.Evidence.query.get(self.evidence_id)
return self.api.put(evidence, {"title": factories.random_str()})
def delete(self):
"""Delete Evidence object."""
evidence = all_models.Evidence.query.get(self.evidence_id)
return self.api.delete(evidence)
def map(self, evidence=None):
"""Map Evidence to parent object."""
if self.parent == "Audit":
parent = all_models.Audit.query.get(self.audit_id)
else:
parent = all_models.Assessment.query.get(self.assessment_id)
map_evidence = evidence if evidence else factories.EvidenceUrlFactory()
return self.api.put(
parent, {
"actions": {
"add_related": [{
"id": map_evidence.id,
"type": "Evidence",
}]
}
})
def create_and_map(self):
"""Create new Evidence and map it to parent."""
response = self.create()
evidence_id = None
if response.json and response.json.get("evidence"):
evidence_id = response.json.get("evidence", {}).get("id")
if not evidence_id:
return response
evidence = all_models.Evidence.query.get(evidence_id)
return self.map(evidence)
def add_comment(self):
"""Map new comment to evidence."""
evidence = all_models.Evidence.query.get(self.evidence_id)
_, comment = self.objgen.generate_object(
all_models.Comment, {
"description": factories.random_str(),
"context": None,
})
return self.objgen.generate_relationship(source=evidence,
destination=comment)[0]
def read_comments(self):
"""Read comments mapped to evidence"""
evidence = all_models.Evidence.query.get(self.evidence_id)
with factories.single_commit():
comment = factories.CommentFactory(
description=factories.random_str())
factories.RelationshipFactory(source=evidence, destination=comment)
query_request_data = [{
"fields": [],
"filters": {
"expression": {
"object_name": "Evidence",
"op": {
"name": "relevant"
},
"ids": [evidence.id]
}
},
"object_name": "Comment",
}]
response = self.api.send_request(self.api.client.post,
data=query_request_data,
api_link="/query")
return response
class TestManualAudit(TestCase):
""" Test Audit with manual snapshot mapping"""
# pylint: disable=invalid-name
def setUp(self):
super(TestManualAudit, self).setUp()
self.api = Api()
self.gen = generator.ObjectGenerator()
def assertSnapshotCount(self, count):
"""Assert snapshots count"""
snapshot_count = all_models.Snapshot.query.count()
self.assertEqual(snapshot_count, count)
def count_related_objectives(self, snapshot_id):
"""Returns related objectives count for control snapshot"""
query_data = [{
"object_name":
"Snapshot",
"filters": {
"expression": {
"left": {
"left": "child_type",
"op": {
"name": "="
},
"right": "Objective"
},
"op": {
"name": "AND"
},
"right": {
"object_name": "Snapshot",
"op": {
"name": "relevant"
},
"ids": [str(snapshot_id)]
}
}
},
"fields": ["child_id", "child_type", "revision", "parent"]
}]
response = self.api.send_request(self.api.client.post,
data=query_data,
api_link="/query")
self.assert200(response)
return response.json[0]["Snapshot"]["count"]
def test_audit_upsert(self):
"""Test upsert audit with manual mapping
Audit with manual mapping should not add new snapshots
after calling "Update objects to latest version"
"""
with factories.single_commit():
program = factories.ProgramFactory()
control = factories.ControlFactory()
factories.RelationshipFactory(source=program, destination=control)
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id,
"type": program.type
},
"status": "Planned",
"context": None,
"manual_snapshots": True,
}
}])
self.assertSnapshotCount(0)
audit = all_models.Audit.query.first()
self.api.put(audit, data={"snapshots": {"operation": "upsert"}})
self.assertSnapshotCount(0)
def test_audit_manual_snapshots(self):
"""Test audit with manual snapshot mapping"""
with factories.single_commit():
program = factories.ProgramFactory()
control = factories.ControlFactory()
control_id = control.id
control2 = factories.ControlFactory(
) # wouldn't be mapped to objective
control2_id = control2.id
objective = factories.ObjectiveFactory()
factories.RelationshipFactory(source=program, destination=control)
factories.RelationshipFactory(source=program, destination=control2)
factories.RelationshipFactory(source=program,
destination=objective)
factories.RelationshipFactory(source=control,
destination=objective)
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id,
"type": program.type
},
"status": "Planned",
"context": None,
"manual_snapshots": True,
}
}])
self.assertSnapshotCount(0)
audit = all_models.Audit.query.first()
control = all_models.Control.query.get(control_id)
control2 = all_models.Control.query.get(control2_id)
objective = all_models.Objective.query.first()
self.gen.generate_relationship(audit, control)
control_snapshot_id = all_models.Snapshot.query.filter_by(
child_id=control_id, child_type="Control").first().id
self.assertEqual(self.count_related_objectives(control_snapshot_id), 0)
self.gen.generate_relationship(audit, objective)
self.assertEqual(self.count_related_objectives(control_snapshot_id), 1)
self.gen.generate_relationship(audit, control2)
control2_snapshot_id = all_models.Snapshot.query.filter_by(
child_id=control2_id, child_type="Control").first().id
self.assertEqual(self.count_related_objectives(control2_snapshot_id),
0)
self.assertSnapshotCount(3)
class TestSnapshot(TestCase):
"""Basic tests snapshots"""
def setUp(self):
super(TestSnapshot, self).setUp()
self.api = Api()
self.generator = generator.ObjectGenerator()
def test_search_by_reference_url(self):
"""Test search audit related snapshots of control type by reference_url"""
expected_ref_url = "xxx"
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
doc1 = factories.DocumentReferenceUrlFactory(link=expected_ref_url,
title=expected_ref_url)
doc_id1 = doc1.id
doc2 = factories.DocumentReferenceUrlFactory(link="yyy", title="yyy")
doc_id2 = doc2.id
control = factories.ControlFactory()
control_id = control.id
response = self.api.post(all_models.Relationship, {
"relationship": {
"source": {"id": control_id, "type": control.type},
"destination": {"id": doc_id1, "type": doc1.type},
"context": None
},
})
self.assertStatus(response, 201)
response = self.api.post(all_models.Relationship, {
"relationship": {
"source": {"id": control_id, "type": control.type},
"destination": {"id": doc_id2, "type": doc2.type},
"context": None
},
})
self.assertStatus(response, 201)
response = self.api.post(all_models.Relationship, {
"relationship": {
"source": {"id": control_id, "type": control.type},
"destination": {"id": audit_id, "type": audit.type},
"context": None
},
})
self.assertStatus(response, 201)
query_request_data = [{
"object_name": "Snapshot",
"filters": {
"expression": {
"left": {
"left": "child_type",
"op": {"name": "="},
"right": "Control"
},
"op": {"name": "AND"},
"right": {
"left": {
"object_name": "Audit",
"op": {"name": "relevant"},
"ids": [audit_id]
},
"op": {"name": "AND"},
"right": {
"left": {
"left": "Reference URL",
"op": {"name": "~"},
"right": expected_ref_url
},
"op": {"name": "AND"},
"right": {
"left": "Status",
"op": {"name": "IN"},
"right": ["Active", "Draft", "Deprecated"]
}
}
}
}
},
}]
response = self.api.send_request(
self.api.client.post,
data=query_request_data,
api_link="/query"
)
self.assert200(response)
self.assertEquals(1, response.json[0]["Snapshot"]["count"])
# pylint: disable=invalid-name
def test_identity_revision_after_adding_comment(self):
"""Test checks identity of revisions after adding comment"""
with factories.single_commit():
audit = factories.AuditFactory()
standard = factories.StandardFactory()
snapshot = self._create_snapshots(audit, [standard])[0]
snapshot_id = snapshot.id
self.generator.generate_comment(standard, "", "some comment")
response = self.api.get(snapshot.__class__, snapshot_id)
self.assertStatus(response, 200)
self.assertTrue(response.json['snapshot']['is_identical_revision'])
def test_is_identical_revision(self):
"""Test checks correctly work of is_identical_revision flag"""
with factories.single_commit():
audit = factories.AuditFactory()
standard = factories.StandardFactory()
standard_id = standard.id
snapshot = self._create_snapshots(audit, [standard])[0]
snapshot_id = snapshot.id
standard = all_models.Standard.query.get(standard_id)
self.api.put(standard, {"title": "Test standard 1"})
snapshot = all_models.Snapshot.query.get(snapshot_id)
self.assertFalse(snapshot.is_identical_revision)
class TaskGroupRBACFactory(base.BaseRBACFactory):
"""Task Group RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Task Group permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.admin_control_id = {
name: id_
for id_, name in access_control.role.get_custom_roles_for(
"Control").items()
}["Admin"]
self.api = Api()
if user_id:
self.user_id = user_id
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Task Group object."""
person = factories.PersonFactory()
return self.api.post(
all_models.TaskGroup, {
"task_group": {
"contact": {
"id": person.id,
"type": "Person",
},
"title": "New Task Group",
"context": None,
"workflow": {
"id": self.workflow_id,
"type": "Workflow",
},
}
})
def read(self):
"""Read existing Task Group object."""
return self.api.get(all_models.TaskGroup, self.task_group_id)
def update(self):
"""Update title of existing Task Group object."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
return self.api.put(task_group, {"title": factories.random_str()})
def delete(self):
"""Delete Task Group object."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
return self.api.delete(task_group)
def read_revisions(self):
"""Read revisions for Task Group object."""
responses = []
for query in [
"source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"
]:
responses.append(
self.api.get_query(
all_models.TaskGroup,
query.format("task_group", self.task_group_id)))
return responses
def map_control(self):
"""Map Control on which user don't have any rights to Cycle Task."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
control = factories.ControlFactory()
return self.api.post(
all_models.TaskGroupObject, {
"task_group_object": {
"context": None,
"object": {
"id": control.id,
"type": "Control",
},
"task_group": {
"id": task_group.id,
"type": "TaskGroup",
},
}
})
def map_created_control(self):
"""Map Control that was created by user to Cycle Task."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
with factories.single_commit():
control = factories.ControlFactory()
for acl in control._access_control_list:
if acl.ac_role_id == self.admin_control_id:
factories.AccessControlPersonFactory(
person_id=self.user_id,
ac_list=acl,
)
return self.api.post(
all_models.TaskGroupObject, {
"task_group_object": {
"context": None,
"object": {
"id": control.id,
"type": "Control",
},
"task_group": {
"id": task_group.id,
"type": "TaskGroup",
},
}
})
def read_mapped_control(self):
"""Read Control object mapped to Task Group."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
with factories.single_commit():
control = factories.ControlFactory()
wf_factories.TaskGroupObjectFactory(task_group=task_group,
object=control)
return self.api.get(control, control.id)
def upmap_control(self):
"""Unmap Control from Task Group."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
with factories.single_commit():
control = factories.ControlFactory()
tg_obj = wf_factories.TaskGroupObjectFactory(task_group=task_group,
object=control)
return self.api.delete(tg_obj)
def clone(self):
"""Clone existing Task Group object."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
wf_factories.TaskGroupTaskFactory(task_group=task_group)
return self.api.post(
all_models.TaskGroup, {
"task_group": {
"clone": self.task_group_id,
"clone_objects": True,
"clone_people": True,
"clone_tasks": True,
"context": None,
}
})
class AssessmentRBACFactory(base.BaseRBACFactory):
"""Assessment RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Assessment permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr, parent)
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Assessment object."""
return self.api.post(all_models.Assessment, {
"assessment": {
"title": "New Assessment",
"context": None,
"audit": {"id": self.audit_id},
},
})
def generate(self):
"""Generate new Assessment object."""
with factories.single_commit():
control = factories.ControlFactory()
template_id = factories.AssessmentTemplateFactory().id
audit = all_models.Audit.query.get(self.audit_id)
# pylint: disable=protected-access
snapshot = TestCase._create_snapshots(audit, [control])[0]
snapshot_id = snapshot.id
factories.RelationshipFactory(source=snapshot, destination=audit)
responses = []
asmnt_data = {
"assessment": {
"_generated": True,
"audit": {
"id": self.audit_id,
"type": "Audit"
},
"object": {
"id": snapshot_id,
"type": "Snapshot"
},
"context": None,
"title": "New assessment",
}
}
responses.append(self.api.post(all_models.Assessment, asmnt_data))
asmnt_data["assessment"]["template"] = {
"id": template_id,
"type": "AssessmentTemplate"
}
responses.append(self.api.post(all_models.Assessment, asmnt_data))
return responses
def read(self):
"""Read existing Assessment object."""
return self.api.get(all_models.Assessment, self.assessment_id)
def update(self):
"""Update title of existing Assessment object."""
asmnt = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(asmnt, {"title": factories.random_str()})
def delete(self):
"""Delete Assessment object."""
asmnt = all_models.Assessment.query.get(self.assessment_id)
return self.api.delete(asmnt)
def read_revisions(self):
"""Read revisions for Assessment object."""
model_class = get_model("Assessment")
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(
model_class,
query.format("assessment", self.assessment_id)
)
)
return responses
def map_snapshot(self):
"""Map snapshot to assessment."""
audit = all_models.Audit.query.get(self.audit_id)
assessment = all_models.Assessment.query.get(self.assessment_id)
control = factories.ControlFactory()
# pylint: disable=protected-access
snapshot = TestCase._create_snapshots(audit, [control])[0]
factories.RelationshipFactory(source=snapshot, destination=audit)
return self.objgen.generate_relationship(
source=assessment,
destination=snapshot,
)[0]
def deprecate(self):
"""Set status 'Deprecated' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.modify_object(assessment, {"status": "Deprecated"})
def complete(self):
"""Set status 'Completed' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {"status": "Completed"})
def in_progress(self):
"""Set status 'In Progress' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {"status": "In Progress"})
def not_started(self):
"""Set status 'Not Started' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {"status": "Not Started"})
def decline(self):
"""Set status 'Rework Needed' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {"status": "Rework Needed"})
def verify(self):
"""Set status 'Verified' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {"status": "Completed", "verified": True})
def map_comment(self):
"""Map new comment to assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {
"actions": {
"add_related": [{
"id": None,
"type": "Comment",
"description": factories.random_str(),
"custom_attribute_definition_id": None,
}]
}
})
def map_evidence(self):
"""Map new evidence to assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {
"actions": {
"add_related": [{
"id": None,
"type": "Evidence",
"kind": "URL",
"title": factories.random_str(),
"link": factories.random_str(),
}]
}
})
def related_assessments(self):
"""Get related Assessments for existing object."""
audit = all_models.Audit.query.get(self.audit_id)
assessment = all_models.Assessment.query.get(self.assessment_id)
with factories.single_commit():
control = factories.ControlFactory()
# pylint: disable=protected-access
snapshot = TestCase._create_snapshots(audit, [control])[0]
factories.RelationshipFactory(source=audit, destination=snapshot)
factories.RelationshipFactory(source=assessment, destination=snapshot)
assessment2 = factories.AssessmentFactory(
assessment_type=assessment.assessment_type
)
factories.RelationshipFactory(source=assessment2, destination=snapshot)
return self.api.client.get(
"/api/related_assessments?object_id={}&object_type=Assessment".format(
self.assessment_id
)
)
def related_objects(self):
"""Get related objects for existing Assessment."""
return self.api.client.get(
"/api/assessments/{}/related_objects".format(self.assessment_id)
)
class AssessmentRBACFactory(base.BaseRBACFactory):
"""Assessment RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Assessment permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr, parent)
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Assessment object."""
return self.api.post(
all_models.Assessment, {
"assessment": {
"title": "New Assessment",
"context": None,
"audit": {
"id": self.audit_id
},
},
})
def generate(self):
"""Generate new Assessment object."""
with factories.single_commit():
control = factories.ControlFactory()
template_id = factories.AssessmentTemplateFactory().id
audit = all_models.Audit.query.get(self.audit_id)
# pylint: disable=protected-access
snapshot = TestCase._create_snapshots(audit, [control])[0]
snapshot_id = snapshot.id
factories.RelationshipFactory(source=snapshot, destination=audit)
responses = []
asmnt_data = {
"assessment": {
"_generated": True,
"audit": {
"id": self.audit_id,
"type": "Audit"
},
"object": {
"id": snapshot_id,
"type": "Snapshot"
},
"context": None,
"title": "New assessment",
}
}
responses.append(self.api.post(all_models.Assessment, asmnt_data))
asmnt_data["assessment"]["template"] = {
"id": template_id,
"type": "AssessmentTemplate"
}
responses.append(self.api.post(all_models.Assessment, asmnt_data))
return responses
def read(self):
"""Read existing Assessment object."""
return self.api.get(all_models.Assessment, self.assessment_id)
def update(self):
"""Update title of existing Assessment object."""
asmnt = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(asmnt, {"title": factories.random_str()})
def delete(self):
"""Delete Assessment object."""
asmnt = all_models.Assessment.query.get(self.assessment_id)
return self.api.delete(asmnt)
def read_revisions(self):
"""Read revisions for Assessment object."""
model_class = get_model("Assessment")
responses = []
for query in [
"source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"
]:
responses.append(
self.api.get_query(
model_class, query.format("assessment",
self.assessment_id)))
return responses
def map_snapshot(self):
"""Map snapshot to assessment."""
audit = all_models.Audit.query.get(self.audit_id)
assessment = all_models.Assessment.query.get(self.assessment_id)
control = factories.ControlFactory()
# pylint: disable=protected-access
snapshot = TestCase._create_snapshots(audit, [control])[0]
factories.RelationshipFactory(source=snapshot, destination=audit)
return self.objgen.generate_relationship(
source=assessment,
destination=snapshot,
)[0]
def deprecate(self):
"""Set status 'Deprecated' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.modify_object(assessment, {"status": "Deprecated"})
def complete(self):
"""Set status 'Completed' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {"status": "Completed"})
def in_progress(self):
"""Set status 'In Progress' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {"status": "In Progress"})
def not_started(self):
"""Set status 'Not Started' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {"status": "Not Started"})
def decline(self):
"""Set status 'Rework Needed' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {"status": "Rework Needed"})
def verify(self):
"""Set status 'Verified' for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(assessment, {
"status": "Completed",
"verified": True
})
def map_comment(self):
"""Map new comment to assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(
assessment, {
"actions": {
"add_related": [{
"id": None,
"type": "Comment",
"description": factories.random_str(),
"custom_attribute_definition_id": None,
}]
}
})
def map_evidence(self):
"""Map new evidence to assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
return self.api.put(
assessment, {
"actions": {
"add_related": [{
"id": None,
"type": "Evidence",
"kind": "URL",
"title": factories.random_str(),
"link": factories.random_str(),
}]
}
})
def related_assessments(self):
"""Get related Assessments for existing object."""
audit = all_models.Audit.query.get(self.audit_id)
assessment = all_models.Assessment.query.get(self.assessment_id)
with factories.single_commit():
control = factories.ControlFactory()
# pylint: disable=protected-access
snapshot = TestCase._create_snapshots(audit, [control])[0]
factories.RelationshipFactory(source=audit, destination=snapshot)
factories.RelationshipFactory(source=assessment,
destination=snapshot)
assessment2 = factories.AssessmentFactory(
assessment_type=assessment.assessment_type)
factories.RelationshipFactory(source=assessment2,
destination=snapshot)
return self.api.client.get(
"/api/related_assessments?object_id={}&object_type=Assessment".
format(self.assessment_id))
def related_objects(self):
"""Get related objects for existing Assessment."""
return self.api.client.get(
"/api/assessments/{}/related_objects".format(self.assessment_id))
class TestFolderField(TestCase):
"""Test class about all folder field activities."""
FOLDERABLE_FACTORIES = [
factories.AccessGroupFactory,
factories.AccountBalanceFactory,
factories.ContractFactory,
factories.ControlFactory,
factories.DataAssetFactory,
factories.DirectiveFactory,
factories.FacilityFactory,
factories.IssueFactory,
factories.KeyReportFactory,
factories.MarketFactory,
factories.MetricFactory,
factories.ObjectiveFactory,
factories.OrgGroupFactory,
factories.PolicyFactory,
factories.ProcessFactory,
factories.ProductFactory,
factories.ProductGroupFactory,
factories.ProgramFactory,
factories.ProjectFactory,
factories.RegulationFactory,
factories.RequirementFactory,
factories.RiskFactory,
factories.StandardFactory,
factories.SystemFactory,
factories.TechnologyEnvironmentFactory,
factories.ThreatFactory,
factories.VendorFactory,
]
def setUp(self):
super(TestFolderField, self).setUp()
self.api = Api()
self.api.login_as_normal()
@ddt.data(*FOLDERABLE_FACTORIES)
def test_create_object(self, factory):
"""Test create folder field for {0._meta.model.__name__}."""
test_folder_name = "tmp_folder_create_name"
self.assertEqual(
test_folder_name,
factory(folder=test_folder_name).folder
)
@ddt.data(*FOLDERABLE_FACTORIES)
def test_get_object(self, factory):
"""Test get folder field for {0._meta.model.__name__}."""
test_folder_name = "tmp_folder_get_name"
obj = factory(folder=test_folder_name)
data = self.api.get(obj, obj.id).json
self.assertEqual(
test_folder_name,
data[obj._inflector.table_singular.lower()]["folder"]
)
NOT_PUTABLE_FACTORIES = NOT_POSTABLE_FACTORIES = [
factories.DirectiveFactory,
]
@ddt.data(*FOLDERABLE_FACTORIES)
def test_put_object(self, factory):
"""Test put folder field for {0._meta.model.__name__}."""
test_folder_name = "tmp_folder_put_name"
obj = factory(folder=test_folder_name)
update_test_folder_name = "upd_tmp_folder_put_name"
obj_id = obj.id
if factory in self.NOT_PUTABLE_FACTORIES:
with self.assertRaises(NotImplementedError):
self.api.put(obj, {"folder": update_test_folder_name})
else:
if isinstance(obj, Synchronizable):
# Currently external user can't modify folder field
# because of WithProtectedAttributes mixin
return
self.api.put(obj, {"folder": update_test_folder_name})
self.assertEqual(
update_test_folder_name,
obj.__class__.query.get(obj_id).folder
)
@ddt.data(*FOLDERABLE_FACTORIES)
def test_post_object(self, factory):
"""Test post folder field for {0._meta.model.__name__}."""
test_folder_name = "tmp_folder_put_name"
obj = factory(folder=test_folder_name)
obj_id = obj.id
key = obj._inflector.table_singular.lower()
post_data = self.api.get(obj, obj.id).json
model = obj.__class__
db.session.delete(obj)
db.session.commit()
del post_data[key]["id"]
if factory in self.NOT_POSTABLE_FACTORIES:
with self.assertRaises(NotImplementedError):
self.api.post(model, post_data)
else:
if isinstance(obj, Synchronizable):
self.api.login_as_external()
resp = self.api.post(model, post_data)
new_obj_id = resp.json[key]["id"]
self.assertNotEqual(obj_id, new_obj_id)
self.assertEqual(
test_folder_name,
model.query.get(new_obj_id).folder
)
class ProgramRBACFactory(base.BaseRBACFactory):
"""Program RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Program permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_program_scope(user_id, acr, "Program")
self.admin_control_id = {
name: id for id, name
in access_control.role.get_custom_roles_for("Control").items()
}["Admin"]
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
self.user_id = user_id
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Program object."""
return self.api.post(all_models.Program, {
"program": {
"title": "New program",
"program": {"id": self.program_id},
"context": None,
"access_control_list": [],
}
})
def read(self):
"""Read existing Audit object."""
return self.api.get(all_models.Program, self.program_id)
def update(self):
"""Update title of existing Audit object."""
program = all_models.Program.query.get(self.program_id)
return self.api.put(program, {"title": factories.random_str()})
def delete(self):
"""Delete Audit object."""
program = all_models.Program.query.get(self.program_id)
return self.api.delete(program)
def read_revisions(self):
"""Read revisions for Assessment object."""
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(
all_models.Program, query.format("program", self.program_id)
)
)
return responses
def map_control(self):
"""Map new Control to Program."""
with factories.single_commit():
control = factories.ControlFactory()
factories.AccessControlListFactory(
ac_role_id=self.admin_control_id,
object_id=control.id,
object_type="Control",
person_id=self.user_id
)
program = all_models.Program.query.get(self.program_id)
return self.objgen.generate_relationship(
source=program,
destination=control,
)[0]
def unmap_control(self):
"""Unmap Control from Program."""
control = factories.ControlFactory()
program = all_models.Program.query.get(self.program_id)
rel = factories.RelationshipFactory(source=control, destination=program)
return self.api.delete(rel)
def read_mapped(self):
"""Read control mapped to Program."""
program = all_models.Program.query.get(self.program_id)
with factories.single_commit():
control = factories.ControlFactory()
factories.RelationshipFactory(source=control, destination=program)
return self.api.get(control, control.id)
def update_mapped(self):
"""Update control mapped to Program."""
program = all_models.Program.query.get(self.program_id)
with factories.single_commit():
control = factories.ControlFactory()
factories.RelationshipFactory(source=control, destination=program)
return self.api.put(control, {"title": factories.random_str()})
def delete_mapped(self):
"""Delete control mapped to Program."""
program = all_models.Program.query.get(self.program_id)
with factories.single_commit():
control = factories.ControlFactory()
factories.RelationshipFactory(source=control, destination=program)
return self.api.delete(control)
class TestAudit(TestCase):
""" Test Audit class. """
def setUp(self):
super(TestAudit, self).setUp()
self.api = Api()
self.gen = generator.ObjectGenerator()
def generate_control_mappings(self, control):
"""Map Control to several Assessments"""
with factories.single_commit():
person = factories.PersonFactory()
asmnt_ids = []
for _ in range(2):
asmnt = factories.AssessmentFactory()
asmnt_ids.append(asmnt.id)
asmnt.add_person_with_role_name(person, "Creators")
for asmnt_id in asmnt_ids:
asmnt = all_models.Assessment.query.get(asmnt_id)
self.gen.generate_relationship(source=asmnt, destination=control)
def test_creation_mapped_control(self):
"""Check creation of new Audit if Program has Control with mapped roles"""
control = factories.ControlFactory()
# Map original of control to several assessments to get propagated roles
self.generate_control_mappings(control)
# Existing control should be updated to create new revision with ACL
self.api.put(control, {"title": "Test Control"})
program = factories.ProgramFactory()
factories.RelationshipFactory(source=program, destination=control)
response = self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id
},
"status": "Planned",
"context": None
}
}])
self.assert200(response)
def test_program_mapping(self):
"""Check creation of new Audit if Program has Control with mapped roles"""
program = factories.ProgramFactory()
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id,
"type": program.type
},
"status": "Planned",
"context": None
}
}])
audit = all_models.Audit.query.first()
program = all_models.Program.query.first()
relationships = all_models.Relationship.find_related(audit, program)
self.assertIsNotNone(audit)
self.assertIsNotNone(program)
self.assertIsNotNone(relationships)
def test_delete_audit(self):
"""Check inability to delete audit in relation with assessment template."""
with factories.single_commit():
audit = factories.AuditFactory()
assessment_template = factories.AssessmentTemplateFactory(
audit=audit)
factories.RelationshipFactory(source=audit,
destination=assessment_template)
response = self.api.delete(audit)
self.assert400(response)
self.assertEqual(
response.json["message"],
"This request will break a mandatory relationship from "
"assessment_templates to audits.")
def test_delete_audit_proper(self):
"""Check delete audit with assessment template. Remove template first"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
assessment_template = factories.AssessmentTemplateFactory(
audit=audit)
assessment_template_id = assessment_template.id
factories.RelationshipFactory(source=audit,
destination=assessment_template)
assessment_template = \
all_models.AssessmentTemplate.query.get(assessment_template_id)
response = self.api.delete(assessment_template)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
response = self.api.delete(audit)
self.assert200(response)
def test_new_audit_snapshots(self):
"""Test audit snapshot relationships on new audit creation."""
program = factories.ProgramFactory()
control = factories.ControlFactory()
factories.RelationshipFactory(
source=program,
destination=control,
)
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id,
"type": program.type
},
"status": "Planned",
"context": None
}
}])
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_new_snapshot_mapping(self):
"""Test audit snapshot relationships on new snapshot creation."""
audit = factories.AuditFactory()
control = factories.ControlFactory()
self.gen.generate_relationship(audit, control)
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_new_snapshots_on_update(self):
"""Test relationships for snapshots created by update audit scope."""
audit = factories.AuditFactory()
control = factories.ControlFactory()
self.gen.generate_relationship(audit.program, control)
self.api.put(audit, data={"snapshots": {"operation": "upsert"}})
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_slug_validation_create(self):
"""Test post slug with leading space"""
with factories.single_commit():
program = factories.ProgramFactory()
audit_data = {
"slug": " SLUG",
"program": {
"id": program.id
},
}
response, audit = self.gen.generate_object(all_models.Audit,
audit_data)
self.assertEqual(response.status_code, 201)
current_slug = audit.slug
expected_slug = "SLUG"
self.assertEqual(current_slug, expected_slug)
def test_slug_validation_update(self):
"""Test put slug with trailing space"""
with factories.single_commit():
audit = factories.AuditFactory(slug="SLUG-01")
response = self.api.put(audit, {"slug": "SLUG "})
self.assert200(response)
audit = db.session.query(all_models.Audit).get(audit.id)
current_slug = audit.slug
expected_slug = "SLUG"
self.assertEqual(current_slug, expected_slug)
def test_audit_manual_snapshots(self):
"""Test creation audit without snapshot and adding manual snapshot"""
program = factories.ProgramFactory()
control = factories.ControlFactory()
factories.RelationshipFactory(
source=program,
destination=control,
)
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id,
"type": program.type
},
"status": "Planned",
"context": None,
"manual_snapshots": True,
}
}])
audit = all_models.Audit.query.first()
self.assertIsNotNone(audit)
snapshot_count = all_models.Snapshot.query.count()
self.assertEqual(snapshot_count, 0)
control = all_models.Control.query.first()
self.gen.generate_relationship(audit.program, control)
audit = all_models.Audit.query.first()
self.api.put(audit, data={"snapshots": {"operation": "upsert"}})
snapshot_count = all_models.Snapshot.query.count()
self.assertEqual(snapshot_count, 1)
class TestSnapshot(TestCase):
"""Basic tests snapshots"""
def setUp(self):
super(TestSnapshot, self).setUp()
self.api = Api()
def test_search_by_reference_url(self):
"""Test search audit related snapshots of control type by reference_url"""
expected_ref_url = "xxx"
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
doc1 = factories.DocumentReferenceUrlFactory(link=expected_ref_url,
title=expected_ref_url)
doc_id1 = doc1.id
doc2 = factories.DocumentReferenceUrlFactory(link="yyy", title="yyy")
doc_id2 = doc2.id
control = factories.ControlFactory()
control_id = control.id
response = self.api.post(all_models.Relationship, {
"relationship": {
"source": {"id": control_id, "type": control.type},
"destination": {"id": doc_id1, "type": doc1.type},
"context": None
},
})
self.assertStatus(response, 201)
response = self.api.post(all_models.Relationship, {
"relationship": {
"source": {"id": control_id, "type": control.type},
"destination": {"id": doc_id2, "type": doc2.type},
"context": None
},
})
self.assertStatus(response, 201)
response = self.api.post(all_models.Relationship, {
"relationship": {
"source": {"id": control_id, "type": control.type},
"destination": {"id": audit_id, "type": audit.type},
"context": None
},
})
self.assertStatus(response, 201)
query_request_data = [{
"object_name": "Snapshot",
"filters": {
"expression": {
"left": {
"left": "child_type",
"op": {"name": "="},
"right": "Control"
},
"op": {"name": "AND"},
"right": {
"left": {
"object_name": "Audit",
"op": {"name": "relevant"},
"ids": [audit_id]
},
"op": {"name": "AND"},
"right": {
"left": {
"left": "Reference URL",
"op": {"name": "~"},
"right": expected_ref_url
},
"op": {"name": "AND"},
"right": {
"left": "Status",
"op": {"name": "IN"},
"right": ["Active", "Draft", "Deprecated"]
}
}
}
}
},
}]
response = self.api.send_request(
self.api.client.post,
data=query_request_data,
api_link="/query"
)
self.assert200(response)
self.assertEquals(1, response.json[0]["Snapshot"]["count"])
class AuditRBACFactory(base.BaseRBACFactory):
"""Audit RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Audit permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_program_scope(user_id, acr, "Audit")
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
self.admin_control_id = {
name: id for id, name
in access_control.role.get_custom_roles_for("Control").items()
}["Admin"]
if user_id:
self.user_id = user_id
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Audit object."""
return self.api.post(all_models.Audit, {
"audit": {
"title": "New audit",
"program": {"id": self.program_id},
"context": None,
"access_control_list": [],
}
})
def read(self):
"""Read existing Audit object."""
return self.api.get(all_models.Audit, self.audit_id)
def update(self):
"""Update title of existing Audit object."""
audit = all_models.Audit.query.get(self.audit_id)
return self.api.put(audit, {"title": factories.random_str()})
def delete(self):
"""Delete Audit object."""
audit = all_models.Audit.query.get(self.audit_id)
return self.api.delete(audit)
def clone(self):
"""Clone existing Audit with Assessment Templates."""
return self.api.post(all_models.Audit, {
"audit": {
"program": {"id": self.program_id, "type": "Program"},
# workaround - title is required for validation
"title": "",
"context": None,
"operation": "clone",
"cloneOptions": {
"sourceObjectId": self.audit_id,
"mappedObjects": "AssessmentTemplate"
}
}
})
def read_revisions(self):
"""Read revisions for Audit object."""
model_class = get_model("Audit")
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(model_class, query.format("audit", self.audit_id))
)
return responses
def map_external_control(self):
"""Map Control (on which current user don't have any rights) to Audit."""
control = factories.ControlFactory()
audit = all_models.Audit.query.get(self.audit_id)
return self.objgen.generate_relationship(
source=audit,
destination=control,
)[0]
def map_control(self):
"""Map new snapshot of Control to Audit."""
with factories.single_commit():
control = factories.ControlFactory()
acl = [
acl
for acl in control._access_control_list
if acl.ac_role_id == self.admin_control_id
][0]
factories.AccessControlPersonFactory(
person_id=self.user_id,
ac_list=acl
)
audit = all_models.Audit.query.get(self.audit_id)
return self.objgen.generate_relationship(
source=audit,
destination=control,
)[0]
def deprecate(self):
"""Set status 'Deprecated' for Audit."""
audit = all_models.Audit.query.get(self.audit_id)
return self.api.modify_object(audit, {
"status": "Deprecated"
})
def archive(self):
"""Move Audit into archived state."""
audit = all_models.Audit.query.get(self.audit_id)
return self.api.modify_object(audit, {
"archived": True
})
def unarchive(self):
"""Move Audit into unarchived state."""
audit = all_models.Audit.query.get(self.audit_id)
return self.api.modify_object(audit, {
"archived": False
})
def summary(self):
"""Get Audit summary information."""
return self.api.client.get(
"api/audits/{}/{}".format(self.audit_id, "summary")
)
class TaskGroupTaskRBACFactory(base.BaseRBACFactory):
"""Task Group Task RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Task Group Task permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Task Group Task object."""
person = factories.PersonFactory()
return self.api.post(all_models.TaskGroupTask, {
"task_group_task": {
"title": "New Task Group Task",
"start_date": datetime.now().strftime("%Y-%m-%d"),
"end_date": datetime.now().strftime("%Y-%m-%d"),
"contact": person,
"context": None,
"task_group": {
"id": self.task_group_id,
"type": "Task Group",
},
}
})
def read(self):
"""Read existing Task Group Task object."""
return self.api.get(all_models.TaskGroupTask, self.task_id)
def update(self):
"""Update title of existing Task Group Task object."""
task = all_models.TaskGroupTask.query.get(self.task_id)
return self.api.put(task, {"title": factories.random_str()})
def delete(self):
"""Delete Task Group Task object."""
task = all_models.TaskGroupTask.query.get(self.task_id)
return self.api.delete(task)
def read_revisions(self):
"""Read revisions for Task Group Task object."""
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(
all_models.TaskGroupTask,
query.format("task_group_task", self.task_id)
)
)
return responses
class AssessmentTemplateRBACFactory(base.BaseRBACFactory):
"""Assessment Template RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Assessment Template permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr, parent)
with factories.single_commit():
template = factories.AssessmentTemplateFactory(audit=self.audit)
factories.RelationshipFactory(source=self.audit,
destination=template)
self.template_id = template.id
self.default_assignees = "Admin"
self.default_verifiers = "Admin"
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Assessment Template object."""
return self.api.post(
all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {
"id": self.audit_id,
"type": "Audit"
},
"context": None,
"default_people": {
"assignees": self.default_assignees,
"verifiers": self.default_verifiers,
},
"title": "New Assessment Template"
}
})
def read(self):
"""Read existing Assessment Template object."""
return self.api.get(all_models.AssessmentTemplate, self.template_id)
def update(self):
"""Update title of existing Assessment Template object."""
template = all_models.AssessmentTemplate.query.get(self.template_id)
return self.api.put(template, {"title": factories.random_str()})
def delete(self):
"""Delete Assessment Template object."""
template = all_models.AssessmentTemplate.query.get(self.template_id)
return self.api.delete(template)
def read_revisions(self):
"""Read revisions for Assessment Template object."""
model_class = get_model("AssessmentTemplate")
responses = []
for query in [
"source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"
]:
responses.append(
self.api.get_query(
model_class,
query.format("assessment_template", self.template_id)))
return responses
class TestAudit(TestCase):
""" Test Audit class. """
def setUp(self):
super(TestAudit, self).setUp()
self.api = Api()
self.gen = generator.ObjectGenerator()
def generate_control_mappings(self, control):
"""Map Control to several Assessments"""
acr_creator = all_models.AccessControlRole.query.filter_by(
name="Creators", object_type="Assessment"
).first()
with factories.single_commit():
person = factories.PersonFactory()
asmnt_ids = []
for _ in range(2):
asmnt = factories.AssessmentFactory()
asmnt_ids.append(asmnt.id)
factories.AccessControlListFactory(
object=asmnt, person=person, ac_role=acr_creator
)
for asmnt_id in asmnt_ids:
asmnt = all_models.Assessment.query.get(asmnt_id)
self.gen.generate_relationship(source=asmnt, destination=control)
def test_creation_mapped_control(self):
"""Check creation of new Audit if Program has Control with mapped roles"""
control = factories.ControlFactory()
# Map original of control to several assessments to get propagated roles
self.generate_control_mappings(control)
# Existing control should be updated to create new revision with ACL
self.api.put(control, {"title": "Test Control"})
program = factories.ProgramFactory()
factories.RelationshipFactory(source=program, destination=control)
response = self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {"id": program.id},
"status": "Planned",
"context": None
}
}])
self.assert200(response)
def test_program_mapping(self):
"""Check creation of new Audit if Program has Control with mapped roles"""
program = factories.ProgramFactory()
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {"id": program.id, "type": program.type},
"status": "Planned",
"context": None
}
}])
audit = all_models.Audit.query.first()
program = all_models.Program.query.first()
relationships = all_models.Relationship.find_related(audit, program)
self.assertIsNotNone(audit)
self.assertIsNotNone(program)
self.assertIsNotNone(relationships)
def test_delete_audit(self):
"""Check inability to delete audit in relation with assessment template."""
with factories.single_commit():
audit = factories.AuditFactory()
assessment_template = factories.AssessmentTemplateFactory(audit=audit)
factories.RelationshipFactory(
source=audit,
destination=assessment_template
)
response = self.api.delete(audit)
self.assert400(response)
self.assertEqual(response.json["message"],
"This request will break a mandatory relationship from "
"assessment_templates to audits.")
def test_delete_audit_proper(self):
"""Check delete audit with assessment template. Remove template first"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
assessment_template = factories.AssessmentTemplateFactory(audit=audit)
assessment_template_id = assessment_template.id
factories.RelationshipFactory(
source=audit,
destination=assessment_template
)
assessment_template = \
all_models.AssessmentTemplate.query.get(assessment_template_id)
response = self.api.delete(assessment_template)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
response = self.api.delete(audit)
self.assert200(response)
def test_new_audit_snapshots(self):
"""Test audit snapshot relationships on new audit creation."""
program = factories.ProgramFactory()
control = factories.ControlFactory()
factories.RelationshipFactory(
source=program,
destination=control,
)
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {"id": program.id, "type": program.type},
"status": "Planned",
"context": None
}
}])
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_new_snapshot_mapping(self):
"""Test audit snapshot relationships on new snapshot creation."""
audit = factories.AuditFactory()
control = factories.ControlFactory()
self.gen.generate_relationship(audit, control)
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_new_snapshots_on_update(self):
"""Test relationships for snapshots created by update audit scope."""
audit = factories.AuditFactory()
control = factories.ControlFactory()
self.gen.generate_relationship(audit.program, control)
self.api.put(audit, data={
"snapshots": {"operation": "upsert"}
})
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_slug_validation_create(self):
"""Test post slug with leading space"""
with factories.single_commit():
program = factories.ProgramFactory()
audit_data = {
"slug": " SLUG",
"program": {"id": program.id},
}
response, audit = self.gen.generate_object(all_models.Audit, audit_data)
self.assertEqual(response.status_code, 201)
current_slug = audit.slug
expected_slug = "SLUG"
self.assertEqual(current_slug, expected_slug)
def test_slug_validation_update(self):
"""Test put slug with trailing space"""
with factories.single_commit():
audit = factories.AuditFactory(slug="SLUG-01")
response = self.api.put(audit, {"slug": "SLUG "})
self.assert200(response)
audit = db.session.query(all_models.Audit).get(audit.id)
current_slug = audit.slug
expected_slug = "SLUG"
self.assertEqual(current_slug, expected_slug)
class CycleTaskRBACFactory(base.BaseRBACFactory):
"""Cycle Task RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Cycle Task permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.admin_control_id = {
name: id
for id, name in access_control.role.get_custom_roles_for(
"Control").items()
}["Admin"]
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
self.user_id = user_id
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Cycle Task object."""
cycle_tg = all_models.CycleTaskGroup.query.first()
return self.api.post(
all_models.CycleTaskGroupObjectTask, {
"cycle_task_group_object_task": {
"title": "New Cycle Task",
"start_date": datetime.now().strftime("%Y-%m-%d"),
"end_date": datetime.now().strftime("%Y-%m-%d"),
"context": None,
"task_type": "text",
"cycle_task_group": {
"id": cycle_tg.id,
"type": "Task Group",
},
"cycle": {
"id": cycle_tg.cycle.id,
"type": "Cycle",
},
}
})
def read(self):
"""Read existing Cycle Task object."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.get(cycle_task, cycle_task.id)
def update(self):
"""Update title of existing Cycle Task object."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.put(cycle_task, {"title": factories.random_str()})
def delete(self):
"""Delete Cycle Task object."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.delete(cycle_task)
def read_revisions(self):
"""Read revisions for Cycle Task object."""
responses = []
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
for query in [
"source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"
]:
responses.append(
self.api.get_query(
all_models.CycleTaskGroupObjectTask,
query.format("cycle_task_group_object_task",
cycle_task.id)))
return responses
def add_comment(self):
"""Map new comment to cycle task."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.get(
self.cycle_task_id)
_, comment = self.objgen.generate_object(
all_models.Comment, {
"description": factories.random_str(),
"context": None,
})
return self.objgen.generate_relationship(source=cycle_task,
destination=comment)[0]
def read_comment(self):
"""Read comments mapped to cycle task"""
cycle_task = all_models.CycleTaskGroupObjectTask.query.get(
self.cycle_task_id)
with factories.single_commit():
comment = factories.CommentFactory(
description=factories.random_str())
factories.RelationshipFactory(source=cycle_task,
destination=comment)
query_request_data = [{
"fields": [],
"filters": {
"expression": {
"object_name": "CycleTaskGroupObjectTask",
"op": {
"name": "relevant"
},
"ids": [cycle_task.id]
}
},
"object_name": "Comment",
}]
response = self.api.send_request(self.api.client.post,
data=query_request_data,
api_link="/query")
return response
def map_control(self):
"""Map Control on which user don't have any rights to Cycle Task."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
control = factories.ControlFactory()
return self.objgen.generate_relationship(
source=cycle_task,
destination=control,
)[0]
def map_created_control(self):
"""Map Control that was created by user to Cycle Task."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
control = factories.ControlFactory()
# pylint: disable=protected-access
for acl in control._access_control_list:
if acl.ac_role_id == self.admin_control_id:
factories.AccessControlPersonFactory(
person_id=self.user_id,
ac_list=acl,
)
return self.objgen.generate_relationship(
source=cycle_task,
destination=control,
)[0]
def read_mapped_control(self):
"""Read Control object mapped to Cycle Task."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
with factories.single_commit():
control = factories.ControlFactory()
factories.RelationshipFactory(source=cycle_task,
destination=control)
return self.api.get(control, control.id)
def upmap_control(self):
"""Unmap Control from Task Group."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
with factories.single_commit():
control = factories.ControlFactory()
rel = factories.RelationshipFactory(source=cycle_task,
destination=control)
return self.api.delete(rel)
def start(self):
"""Start Cycle Task."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.put(cycle_task, {"status": "InProgress"})
def end(self):
"""End Cycle Task."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.put(cycle_task, {"status": "Finished"})
def verify(self):
"""Verify Cycle Task."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.put(cycle_task, {"status": "Verified"})
def decline(self):
"""Decline Cycle Task."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.put(cycle_task, {"status": "Declined"})
def deprecate(self):
"""Deprecate Cycle Task."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.put(cycle_task, {"status": "Deprecated"})
def restore(self):
"""Restore Cycle Task."""
cycle_task = all_models.CycleTaskGroupObjectTask.query.first()
return self.api.put(cycle_task, {"status": "Assigned"})
class TestFolderField(TestCase):
"""Test class about all folder field activities."""
FOLDERABLE_FACTORIES = [
factories.AccessGroupFactory,
factories.ClauseFactory,
factories.ContractFactory,
factories.ControlFactory,
factories.DataAssetFactory,
factories.DirectiveFactory,
factories.FacilityFactory,
factories.IssueFactory,
factories.MarketFactory,
factories.MetricFactory,
factories.ObjectiveFactory,
factories.OrgGroupFactory,
factories.PolicyFactory,
factories.ProcessFactory,
factories.ProductFactory,
factories.ProductGroupFactory,
factories.ProgramFactory,
factories.ProjectFactory,
factories.RegulationFactory,
factories.RequirementFactory,
factories.RiskFactory,
factories.StandardFactory,
factories.SystemFactory,
factories.TechnologyEnvironmentFactory,
factories.ThreatFactory,
factories.VendorFactory,
]
def setUp(self):
super(TestFolderField, self).setUp()
self.api = Api()
self.client.get("/login")
@ddt.data(*FOLDERABLE_FACTORIES)
def test_create_object(self, factory):
"""Test create folder field for {0._meta.model.__name__}."""
test_folder_name = "tmp_folder_create_name"
self.assertEqual(test_folder_name,
factory(folder=test_folder_name).folder)
@ddt.data(*FOLDERABLE_FACTORIES)
def test_get_object(self, factory):
"""Test get folder field for {0._meta.model.__name__}."""
test_folder_name = "tmp_folder_get_name"
obj = factory(folder=test_folder_name)
data = self.api.get(obj, obj.id).json
self.assertEqual(test_folder_name,
data[obj._inflector.table_singular.lower()]["folder"])
NOT_PUTABLE_FACTORIES = NOT_POSTABLE_FACTORIES = [
factories.DirectiveFactory,
]
@ddt.data(*FOLDERABLE_FACTORIES)
def test_put_object(self, factory):
"""Test put folder field for {0._meta.model.__name__}."""
test_folder_name = "tmp_folder_put_name"
obj = factory(folder=test_folder_name)
update_test_folder_name = "upd_tmp_folder_put_name"
obj_id = obj.id
if factory in self.NOT_PUTABLE_FACTORIES:
with self.assertRaises(NotImplementedError):
self.api.put(obj, {"folder": update_test_folder_name})
else:
self.api.put(obj, {"folder": update_test_folder_name})
self.assertEqual(update_test_folder_name,
obj.__class__.query.get(obj_id).folder)
@ddt.data(*FOLDERABLE_FACTORIES)
def test_post_object(self, factory):
"""Test post folder field for {0._meta.model.__name__}."""
test_folder_name = "tmp_folder_put_name"
obj = factory(folder=test_folder_name)
obj_id = obj.id
key = obj._inflector.table_singular.lower()
post_data = self.api.get(obj, obj.id).json
model = obj.__class__
db.session.delete(obj)
db.session.commit()
del post_data[key]["id"]
if factory in self.NOT_POSTABLE_FACTORIES:
with self.assertRaises(NotImplementedError):
self.api.post(model, post_data)
else:
resp = self.api.post(model, post_data)
new_obj_id = resp.json[key]["id"]
self.assertNotEqual(obj_id, new_obj_id)
self.assertEqual(test_folder_name,
model.query.get(new_obj_id).folder)
class EvidenceRBACFactory(base.BaseRBACFactory):
"""Evidence RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Evidence permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr)
with factories.single_commit():
evidence = factories.EvidenceUrlFactory()
if parent == "Audit":
self.mapping_id = factories.RelationshipFactory(
source=self.audit, destination=evidence
).id
elif parent == "Assessment":
self.mapping_id = factories.RelationshipFactory(
source=self.assessment, destination=evidence
).id
self.evidence_id = evidence.id
self.parent = parent
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Evidence",
).one().id
self.user_id = user_id
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Evidence object."""
result = self.api.post(all_models.Evidence, {
"evidence": {
"access_control_list": [{
"ac_role_id": self.admin_acr_id,
"person": {
"id": self.user_id,
"type": "Person",
}
}],
"link": factories.random_str(),
"title": factories.random_str(),
"context": None,
}
})
return result
def read(self):
"""Read existing Evidence object."""
res = self.api.get(all_models.Evidence, self.evidence_id)
return res
def update(self):
"""Update title of existing Evidence object."""
evidence = all_models.Evidence.query.get(self.evidence_id)
return self.api.put(evidence, {"title": factories.random_str()})
def delete(self):
"""Delete Evidence object."""
evidence = all_models.Evidence.query.get(self.evidence_id)
return self.api.delete(evidence)
def map(self, evidence=None):
"""Map Evidence to parent object."""
if self.parent == "Audit":
parent = all_models.Audit.query.get(self.audit_id)
else:
parent = all_models.Assessment.query.get(self.assessment_id)
map_evidence = evidence if evidence else factories.EvidenceUrlFactory()
return self.api.put(parent, {
"actions": {
"add_related": [{
"id": map_evidence.id,
"type": "Evidence",
}]
}
})
def create_and_map(self):
"""Create new Evidence and map it to parent."""
response = self.create()
evidence_id = None
if response.json and response.json.get("evidence"):
evidence_id = response.json.get("evidence", {}).get("id")
if not evidence_id:
return response
evidence = all_models.Evidence.query.get(evidence_id)
return self.map(evidence)
def add_comment(self):
"""Map new comment to evidence."""
evidence = all_models.Evidence.query.get(self.evidence_id)
_, comment = self.objgen.generate_object(all_models.Comment, {
"description": factories.random_str(),
"context": None,
})
return self.objgen.generate_relationship(source=evidence,
destination=comment)[0]
def read_comments(self):
"""Read comments mapped to evidence"""
evidence = all_models.Evidence.query.get(self.evidence_id)
with factories.single_commit():
comment = factories.CommentFactory(description=factories.random_str())
factories.RelationshipFactory(source=evidence, destination=comment)
query_request_data = [{
"fields": [],
"filters": {
"expression": {
"object_name": "Evidence",
"op": {
"name": "relevant"
},
"ids": [evidence.id]
}
},
"object_name": "Comment",
}]
response = self.api.send_request(
self.api.client.post,
data=query_request_data,
api_link="/query"
)
return response
class TaskGroupRBACFactory(base.BaseRBACFactory):
"""Task Group RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Task Group permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.admin_control_id = {
name: id_ for id_, name
in access_control.role.get_custom_roles_for("Control").items()
}["Admin"]
self.api = Api()
if user_id:
self.user_id = user_id
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Task Group object."""
person = factories.PersonFactory()
return self.api.post(all_models.TaskGroup, {
"task_group": {
"contact": {
"id": person.id,
"type": "Person",
},
"title": "New Task Group",
"context": None,
"workflow": {
"id": self.workflow_id,
"type": "Workflow",
},
}
})
def read(self):
"""Read existing Task Group object."""
return self.api.get(all_models.TaskGroup, self.task_group_id)
def update(self):
"""Update title of existing Task Group object."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
return self.api.put(task_group, {"title": factories.random_str()})
def delete(self):
"""Delete Task Group object."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
return self.api.delete(task_group)
def read_revisions(self):
"""Read revisions for Task Group object."""
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(
all_models.TaskGroup,
query.format("task_group", self.task_group_id)
)
)
return responses
def map_control(self):
"""Map Control on which user don't have any rights to Cycle Task."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
control = factories.ControlFactory()
return self.api.post(all_models.TaskGroupObject, {
"task_group_object": {
"context": None,
"object": {
"id": control.id,
"type": "Control",
},
"task_group": {
"id": task_group.id,
"type": "TaskGroup",
},
}
})
def map_created_control(self):
"""Map Control that was created by user to Cycle Task."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
with factories.single_commit():
control = factories.ControlFactory()
factories.AccessControlListFactory(
ac_role_id=self.admin_control_id,
object_id=control.id,
object_type="Control",
person_id=self.user_id
)
return self.api.post(all_models.TaskGroupObject, {
"task_group_object": {
"context": None,
"object": {
"id": control.id,
"type": "Control",
},
"task_group": {
"id": task_group.id,
"type": "TaskGroup",
},
}
})
def read_mapped_control(self):
"""Read Control object mapped to Task Group."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
with factories.single_commit():
control = factories.ControlFactory()
wf_factories.TaskGroupObjectFactory(
task_group=task_group, object=control
)
return self.api.get(control, control.id)
def upmap_control(self):
"""Unmap Control from Task Group."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
with factories.single_commit():
control = factories.ControlFactory()
tg_obj = wf_factories.TaskGroupObjectFactory(
task_group=task_group, object=control
)
return self.api.delete(tg_obj)
def clone(self):
"""Clone existing Task Group object."""
task_group = all_models.TaskGroup.query.get(self.task_group_id)
wf_factories.TaskGroupTaskFactory(task_group=task_group)
return self.api.post(all_models.TaskGroup, {
"task_group": {
"clone": self.task_group_id,
"clone_objects": True,
"clone_people": True,
"clone_tasks": True,
"context": None,
}
})
class TestAssessmentTemplate(TestCase):
""" Test AssessmentTemplate class. """
def setUp(self):
super(TestAssessmentTemplate, self).setUp()
self.api = Api()
def test_audit_setup(self):
"""Test audit setup for assessment_template"""
audit = factories.AuditFactory()
response = self.api.post(all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {"id": audit.id},
"context": {"id": audit.context.id},
"default_people": {
"assignees": "Admin",
"verifiers": "Admin",
},
"title": "Some title"
}
})
self.assertStatus(response, 201)
template_id = response.json["assessment_template"]["id"]
template = all_models.AssessmentTemplate.query.get(template_id)
self.assertEqual(template.audit.id, audit.id)
def test_audit_issue_tracker(self):
"""Test existing audit issue_tracker info in template response"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
factories.IssueTrackerIssueFactory(
issue_tracked_obj=audit,
component_id="some component id",
hotlist_id="some host id",
title="some title",
issue_id="some issue id"
)
template_id = factories.AssessmentTemplateFactory(
audit=audit,
context=audit.context
).id
response = self.api.get(all_models.AssessmentTemplate, template_id)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
default_issue_type = constants.DEFAULT_ISSUETRACKER_VALUES['issue_type']
self.assertEqual(
response.json["assessment_template"]["audit"],
{
u"type": u"Audit",
u"id": long(audit.id),
u'title': unicode(audit.title),
u"href": u"/api/audits/{}".format(long(audit.id)),
u"context_id": long(audit.context.id),
u"issue_tracker": {
u'_warnings': [],
u"component_id": u"some component id",
u"enabled": False,
u"issue_severity": None,
u"hotlist_id": u"some host id",
u"issue_id": u"some issue id",
u"issue_priority": None,
u"issue_type": default_issue_type,
u"issue_url": None,
u"title": "some title",
u"people_sync_enabled": True,
}
}
)
class AssessmentTemplateRBACFactory(base.BaseRBACFactory):
"""Assessment Template RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Assessment Template permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr, parent)
with factories.single_commit():
template = factories.AssessmentTemplateFactory(audit=self.audit)
factories.RelationshipFactory(source=self.audit, destination=template)
self.template_id = template.id
self.default_assignees = "Admin"
self.default_verifiers = "Admin"
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Assessment Template object."""
return self.api.post(all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {"id": self.audit_id, "type": "Audit"},
"context": None,
"default_people": {
"assignees": self.default_assignees,
"verifiers": self.default_verifiers,
},
"title": "New Assessment Template"
}
})
def read(self):
"""Read existing Assessment Template object."""
return self.api.get(all_models.AssessmentTemplate, self.template_id)
def update(self):
"""Update title of existing Assessment Template object."""
template = all_models.AssessmentTemplate.query.get(self.template_id)
return self.api.put(template, {"title": factories.random_str()})
def delete(self):
"""Delete Assessment Template object."""
template = all_models.AssessmentTemplate.query.get(self.template_id)
return self.api.delete(template)
def read_revisions(self):
"""Read revisions for Assessment Template object."""
model_class = get_model("AssessmentTemplate")
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(
model_class,
query.format("assessment_template", self.template_id)
)
)
return responses
class DocumentReferenceUrlRBACFactory(base.BaseRBACFactory):
"""Document Reference Url RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Document permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
self.acr = acr
self.user_id = user_id
self.parent_name = parent
self.document_id = None
self.parent = None
self.parent_id = None
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Document",
).one().id
self.setup_models(self.parent_name)
self.set_user(user_id)
def set_user(self, user_id):
"""Set user to send requests"""
if self.user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def setup_models(self, parent_name):
"""Setup document, parent, relationship"""
with factories.single_commit():
document = factories.DocumentReferenceUrlFactory()
self.document_id = document.id
self.parent = self.build_parent(parent_name)
self.parent_id = self.parent.id
factories.RelationshipFactory(source=self.parent, destination=document)
self.assign_person(self.parent, self.acr, self.user_id)
@staticmethod
def build_parent(parent_name):
"""Create parent based on Name"""
try:
parent = FACTORIES_MAPPING[parent_name]()
except KeyError():
raise ValueError("Unknown parent {}".format(parent_name))
return parent
def create(self):
"""Create new Document object."""
result = self.api.post(all_models.Document, {
"document": {
"access_control_list": [{
"ac_role_id": self.admin_acr_id,
"person": {
"id": self.user_id,
"type": "Person",
}
}],
"link": factories.random_str(),
"title": factories.random_str(),
"context": None,
}
})
return result
def read(self):
"""Read existing Document object."""
res = self.api.get(all_models.Document, self.document_id)
return res
def update(self):
"""Update title of existing Document object."""
document = all_models.Document.query.get(self.document_id)
return self.api.put(document, {"title": factories.random_str()})
def delete(self):
"""Delete Document object."""
document = all_models.Document.query.get(self.document_id)
return self.api.delete(document)
def map(self, document=None):
"""Map Document to parent object."""
parent = self.parent.__class__.query.get(self.parent_id)
map_document = document if document \
else factories.DocumentReferenceUrlFactory()
return self.objgen.generate_relationship(
source=parent,
destination=map_document
)[0]
def create_and_map(self):
"""Create new Document and map it to parent."""
response = self.create()
document_id = None
if response.json and response.json.get("document"):
document_id = response.json.get("document", {}).get("id")
if not document_id:
return response
document = all_models.Document.query.get(document_id)
return self.map(document)
def add_comment(self):
"""Map new comment to document."""
document = all_models.Document.query.get(self.document_id)
_, comment = self.objgen.generate_object(all_models.Comment, {
"description": factories.random_str(),
"context": None,
})
return self.objgen.generate_relationship(source=document,
destination=comment)[0]
def read_comments(self):
"""Read comments mapped to document"""
document = all_models.Document.query.get(self.document_id)
with factories.single_commit():
comment = factories.CommentFactory(description=factories.random_str())
factories.RelationshipFactory(source=document, destination=comment)
query_request_data = [{
"fields": [],
"filters": {
"expression": {
"object_name": "Document",
"op": {
"name": "relevant"
},
"ids": [document.id]
}
},
"object_name": "Comment",
}]
response = self.api.send_request(
self.api.client.post,
data=query_request_data,
api_link="/query"
)
return response
class TestAccessControlListValidation(TestCase):
"""Test AccessControlList validation."""
def setUp(self):
super(TestAccessControlListValidation, self).setUp()
self.api = Api()
self.client.get("/login")
role_ids = db.session.query(all_models.AccessControlRole.id).filter(
all_models.AccessControlRole.object_type.in_(
("Control", "Objective")),
all_models.AccessControlRole.name == "Admin").order_by(
all_models.AccessControlRole.object_type)
role_ids = [id_[0] for id_ in role_ids]
self.control_admin_acr_id, self.objective_admin_acr_id = role_ids
def test_create_with_wrong_acl(self):
"""Test creation of object with wrong ACR in ACL."""
response = self.api.post(
all_models.Control, {
"control": {
"title":
"Control title",
"context":
None,
"access_control_list": [{
"ac_role_id": self.objective_admin_acr_id,
"person": {
"type": "Person",
"id": factories.PersonFactory().id,
}
}],
},
})
self.assert400(response)
self.assertEqual(all_models.Control.query.count(), 0)
def test_update_with_wrong_acl(self):
"""Test update of object with wrong ACR in ACL."""
with factories.single_commit():
control = factories.ControlFactory()
control_id = control.id
person = factories.PersonFactory()
person_id = person.id
factories.AccessControlPersonFactory(
ac_list=control.acr_name_acl_map["Admin"],
person=person,
)
response = self.api.put(
control, {
"access_control_list": [{
"ac_role_id": self.objective_admin_acr_id,
"person": {
"type": "Person",
"id": person_id,
}
}]
})
self.assert400(response)
acls = all_models.AccessControlList.query.filter_by(
object_type="Control", object_id=control_id)
for acl in acls:
acl_obj_type = acl.object_type
acr_obj_type = acl.ac_role.object_type
self.assertEqual(acl_obj_type, acr_obj_type)
class TestAudit(TestCase):
""" Test Audit class. """
def setUp(self):
super(TestAudit, self).setUp()
self.api = Api()
self.gen = generator.ObjectGenerator()
def generate_control_mappings(self, control):
"""Map Control to several Assessments"""
acr_creator = all_models.AccessControlRole.query.filter_by(
name="Creators", object_type="Assessment").first()
with factories.single_commit():
person = factories.PersonFactory()
asmnt_ids = []
for _ in range(2):
asmnt = factories.AssessmentFactory()
asmnt_ids.append(asmnt.id)
factories.AccessControlListFactory(object=asmnt,
person=person,
ac_role=acr_creator)
for asmnt_id in asmnt_ids:
asmnt = all_models.Assessment.query.get(asmnt_id)
self.gen.generate_relationship(source=asmnt, destination=control)
def test_creation_mapped_control(self):
"""Check creation of new Audit if Program has Control with mapped roles"""
control = factories.ControlFactory()
# Map original of control to several assessments to get propagated roles
self.generate_control_mappings(control)
# Existing control should be updated to create new revision with ACL
self.api.put(control, {"title": "Test Control"})
program = factories.ProgramFactory()
factories.RelationshipFactory(source=program, destination=control)
response = self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id
},
"status": "Planned",
"context": None
}
}])
self.assert200(response)
def test_program_mapping(self):
"""Check creation of new Audit if Program has Control with mapped roles"""
program = factories.ProgramFactory()
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id,
"type": program.type
},
"status": "Planned",
"context": None
}
}])
audit = all_models.Audit.query.first()
program = all_models.Program.query.first()
relationships = all_models.Relationship.find_related(audit, program)
self.assertIsNotNone(audit)
self.assertIsNotNone(program)
self.assertIsNotNone(relationships)
def test_delete_audit(self):
"""Check inability to delete audit in relation with assessment template."""
with factories.single_commit():
audit = factories.AuditFactory()
assessment_template = factories.AssessmentTemplateFactory(
audit=audit)
factories.RelationshipFactory(source=audit,
destination=assessment_template)
response = self.api.delete(audit)
self.assert400(response)
self.assertEqual(
response.json["message"],
"This request will break a mandatory relationship from "
"assessment_templates to audits.")
def test_delete_audit_proper(self):
"""Check delete audit with assessment template. Remove template first"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
assessment_template = factories.AssessmentTemplateFactory(
audit=audit)
assessment_template_id = assessment_template.id
factories.RelationshipFactory(source=audit,
destination=assessment_template)
assessment_template = \
all_models.AssessmentTemplate.query.get(assessment_template_id)
response = self.api.delete(assessment_template)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
response = self.api.delete(audit)
self.assert200(response)
def test_new_audit_snapshots(self):
"""Test audit snapshot relationships on new audit creation."""
program = factories.ProgramFactory()
control = factories.ControlFactory()
factories.RelationshipFactory(
source=program,
destination=control,
)
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id,
"type": program.type
},
"status": "Planned",
"context": None
}
}])
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_new_snapshot_mapping(self):
"""Test audit snapshot relationships on new snapshot creation."""
audit = factories.AuditFactory()
control = factories.ControlFactory()
self.gen.generate_relationship(audit, control)
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_new_snapshots_on_update(self):
"""Test relationships for snapshots created by update audit scope."""
audit = factories.AuditFactory()
control = factories.ControlFactory()
self.gen.generate_relationship(audit.program, control)
self.api.put(audit, data={"snapshots": {"operation": "upsert"}})
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
class DocumentReferenceUrlRBACFactory(base.BaseRBACFactory):
"""Document Reference Url RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Document permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
self.acr = acr
self.user_id = user_id
self.parent_name = parent
self.document_id = None
self.parent = None
self.parent_id = None
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Document",
).one().id
self.setup_models(self.parent_name)
self.set_user(user_id)
def set_user(self, user_id):
"""Set user to send requests"""
if self.user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def setup_models(self, parent_name):
"""Setup document, parent, relationship"""
with factories.single_commit():
document = factories.DocumentReferenceUrlFactory()
self.document_id = document.id
self.parent = self.build_parent(parent_name)
self.parent_id = self.parent.id
factories.RelationshipFactory(source=self.parent,
destination=document)
self.assign_person(self.parent, self.acr, self.user_id)
@staticmethod
def build_parent(parent_name):
"""Create parent based on Name"""
try:
parent = FACTORIES_MAPPING[parent_name]()
except KeyError():
raise ValueError("Unknown parent {}".format(parent_name))
return parent
def create(self):
"""Create new Document object."""
result = self.api.post(
all_models.Document, {
"document": {
"access_control_list": [{
"ac_role_id": self.admin_acr_id,
"person": {
"id": self.user_id,
"type": "Person",
}
}],
"link":
factories.random_str(),
"title":
factories.random_str(),
"context":
None,
}
})
return result
def read(self):
"""Read existing Document object."""
res = self.api.get(all_models.Document, self.document_id)
return res
def update(self):
"""Update title of existing Document object."""
document = all_models.Document.query.get(self.document_id)
return self.api.put(document, {"title": factories.random_str()})
def delete(self):
"""Delete Document object."""
document = all_models.Document.query.get(self.document_id)
return self.api.delete(document)
def map(self, document=None):
"""Map Document to parent object."""
parent = self.parent.__class__.query.get(self.parent_id)
map_document = document if document \
else factories.DocumentReferenceUrlFactory()
return self.objgen.generate_relationship(source=parent,
destination=map_document)[0]
def create_and_map(self):
"""Create new Document and map it to parent."""
response = self.create()
document_id = None
if response.json and response.json.get("document"):
document_id = response.json.get("document", {}).get("id")
if not document_id:
return response
document = all_models.Document.query.get(document_id)
return self.map(document)
def add_comment(self):
"""Map new comment to document."""
document = all_models.Document.query.get(self.document_id)
_, comment = self.objgen.generate_object(
all_models.Comment, {
"description": factories.random_str(),
"context": None,
})
return self.objgen.generate_relationship(source=document,
destination=comment)[0]
def read_comments(self):
"""Read comments mapped to document"""
document = all_models.Document.query.get(self.document_id)
with factories.single_commit():
comment = factories.CommentFactory(
description=factories.random_str())
factories.RelationshipFactory(source=document, destination=comment)
query_request_data = [{
"fields": [],
"filters": {
"expression": {
"object_name": "Document",
"op": {
"name": "relevant"
},
"ids": [document.id]
}
},
"object_name": "Comment",
}]
response = self.api.send_request(self.api.client.post,
data=query_request_data,
api_link="/query")
return response
class WorkflowRBACFactory(base.BaseRBACFactory):
"""Workflow RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Workflow permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Workflow object."""
return self.api.post(all_models.Workflow, {
"workflow": {
"title": "New workflow",
"context": None,
}
})
def read(self):
"""Read existing Workflow object."""
return self.api.get(all_models.Workflow, self.workflow_id)
def update(self):
"""Update title of existing Workflow object."""
workflow = all_models.Workflow.query.get(self.workflow_id)
return self.api.put(workflow, {"title": factories.random_str()})
def delete(self):
"""Delete Workflow object."""
workflow = all_models.Workflow.query.get(self.workflow_id)
return self.api.delete(workflow)
def read_revisions(self):
"""Read revisions for Workflow object."""
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(
all_models.Workflow, query.format("workflow", self.workflow_id)
)
)
return responses
def clone(self):
"""Clone existing Workflow object."""
with factories.single_commit():
task_group = wf_factories.TaskGroupFactory(workflow_id=self.workflow_id)
wf_factories.TaskGroupTaskFactory(task_group=task_group)
return self.api.post(all_models.Workflow, {
"workflow": {
# workaround - title is required for validation
"title": "",
"clone": self.workflow_id,
"clone_objects": True,
"clone_people": True,
"clone_tasks": True,
"context": None,
}
})
class WorkflowRBACFactory(base.BaseRBACFactory):
"""Workflow RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Workflow permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_workflow_scope(user_id, acr)
self.api = Api()
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Workflow object."""
return self.api.post(all_models.Workflow, {
"workflow": {
"title": "New workflow",
"context": None,
}
})
def read(self):
"""Read existing Workflow object."""
return self.api.get(all_models.Workflow, self.workflow_id)
def update(self):
"""Update title of existing Workflow object."""
workflow = all_models.Workflow.query.get(self.workflow_id)
return self.api.put(workflow, {"title": factories.random_str()})
def delete(self):
"""Delete Workflow object."""
workflow = all_models.Workflow.query.get(self.workflow_id)
return self.api.delete(workflow)
def read_revisions(self):
"""Read revisions for Workflow object."""
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(
all_models.Workflow, query.format("workflow", self.workflow_id)
)
)
return responses
def clone(self):
"""Clone existing Workflow object."""
with factories.single_commit():
task_group = wf_factories.TaskGroupFactory(workflow_id=self.workflow_id)
wf_factories.TaskGroupTaskFactory(task_group=task_group)
return self.api.post(all_models.Workflow, {
"workflow": {
"clone": self.workflow_id,
"clone_objects": True,
"clone_people": True,
"clone_tasks": True,
"context": None,
}
})
class IssueRBACFactory(base.BaseRBACFactory):
"""Issue RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Issue permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr)
with factories.single_commit():
issue = factories.IssueFactory()
if parent == "Audit":
self.mapping_id = factories.RelationshipFactory(
source=self.audit, destination=issue
).id
elif parent == "Assessment":
self.mapping_id = factories.RelationshipFactory(
source=self.assessment, destination=issue
).id
self.issue_id = issue.id
self.parent = parent
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Issue",
).one().id
self.user_id = user_id
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Issue object."""
return self.api.post(all_models.Issue, {
"issue": {
"access_control_list": [{
"ac_role_id": self.admin_acr_id,
"person": {
"id": self.user_id,
"type": "Person",
}
}],
"title": factories.random_str(),
"context": None,
}
})
def read(self):
"""Read existing Issue object."""
return self.api.get(all_models.Issue, self.issue_id)
def update(self):
"""Update title of existing Issue object."""
issue = all_models.Issue.query.get(self.issue_id)
return self.api.put(issue, {"title": factories.random_str()})
def delete(self):
"""Delete Issue object."""
issue = all_models.Issue.query.get(self.issue_id)
return self.api.delete(issue)
def read_revisions(self):
"""Read revisions of Issue object."""
model_class = get_model("Issue")
responses = []
for query in ["source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"]:
responses.append(
self.api.get_query(
model_class,
query.format("issue", self.issue_id)
)
)
return responses
def map(self, issue=None):
"""Map Issue to parent object."""
if self.parent == "Audit":
parent = all_models.Audit.query.get(self.audit_id)
else:
parent = all_models.Assessment.query.get(self.assessment_id)
map_issue = issue if issue else factories.IssueFactory()
return self.objgen.generate_relationship(
source=parent,
destination=map_issue
)[0]
def create_and_map(self):
"""Create new Issue and map it to parent."""
response = self.create()
issue_id = None
if response.json and response.json.get("issue"):
issue_id = response.json.get("issue", {}).get("id")
if not issue_id:
return response
issue = all_models.Issue.query.get(issue_id)
return self.map(issue)
def unmap(self):
"""Unmap Issue from parent object."""
mapping = all_models.Relationship.query.get(self.mapping_id)
return self.api.delete(mapping)
def raise_issue(self):
"""Raise issue for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
data = [{
"issue": {
"assessment": {
"id": assessment.id,
"type": assessment.type,
},
"title": factories.random_str(),
"context": None
}
}]
return self.api.post(all_models.Issue, data)
class TestSnapshot(TestCase):
"""Basic tests snapshots"""
def setUp(self):
super(TestSnapshot, self).setUp()
self.api = Api()
def test_search_by_reference_url(self):
"""Test search audit related snapshots of control type by reference_url"""
expected_ref_url = "xxx"
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
doc1 = factories.DocumentReferenceUrlFactory(
link=expected_ref_url, title=expected_ref_url)
doc_id1 = doc1.id
doc2 = factories.DocumentReferenceUrlFactory(link="yyy",
title="yyy")
doc_id2 = doc2.id
control = factories.ControlFactory()
control_id = control.id
response = self.api.post(
all_models.Relationship, {
"relationship": {
"source": {
"id": control_id,
"type": control.type
},
"destination": {
"id": doc_id1,
"type": doc1.type
},
"context": None
},
})
self.assertStatus(response, 201)
response = self.api.post(
all_models.Relationship, {
"relationship": {
"source": {
"id": control_id,
"type": control.type
},
"destination": {
"id": doc_id2,
"type": doc2.type
},
"context": None
},
})
self.assertStatus(response, 201)
response = self.api.post(
all_models.Relationship, {
"relationship": {
"source": {
"id": control_id,
"type": control.type
},
"destination": {
"id": audit_id,
"type": audit.type
},
"context": None
},
})
self.assertStatus(response, 201)
query_request_data = [{
"object_name": "Snapshot",
"filters": {
"expression": {
"left": {
"left": "child_type",
"op": {
"name": "="
},
"right": "Control"
},
"op": {
"name": "AND"
},
"right": {
"left": {
"object_name": "Audit",
"op": {
"name": "relevant"
},
"ids": [audit_id]
},
"op": {
"name": "AND"
},
"right": {
"left": {
"left": "Reference URL",
"op": {
"name": "~"
},
"right": expected_ref_url
},
"op": {
"name": "AND"
},
"right": {
"left": "Status",
"op": {
"name": "IN"
},
"right": ["Active", "Draft", "Deprecated"]
}
}
}
}
},
}]
response = self.api.send_request(self.api.client.post,
data=query_request_data,
api_link="/query")
self.assert200(response)
self.assertEquals(1, response.json[0]["Snapshot"]["count"])
class AuditRBACFactory(base.BaseRBACFactory):
"""Audit RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Audit permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_program_scope(user_id, acr, "Audit")
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
self.admin_control_id = {
name: id
for id, name in access_control.role.get_custom_roles_for(
"Control").items()
}["Admin"]
if user_id:
self.user_id = user_id
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Audit object."""
return self.api.post(
all_models.Audit, {
"audit": {
"title": "New audit",
"program": {
"id": self.program_id
},
"context": None,
"access_control_list": [],
}
})
def read(self):
"""Read existing Audit object."""
return self.api.get(all_models.Audit, self.audit_id)
def update(self):
"""Update title of existing Audit object."""
audit = all_models.Audit.query.get(self.audit_id)
return self.api.put(audit, {"title": factories.random_str()})
def delete(self):
"""Delete Audit object."""
audit = all_models.Audit.query.get(self.audit_id)
return self.api.delete(audit)
def clone(self):
"""Clone existing Audit with Assessment Templates."""
return self.api.post(
all_models.Audit, {
"audit": {
"program": {
"id": self.program_id,
"type": "Program"
},
"context": None,
"operation": "clone",
"cloneOptions": {
"sourceObjectId": self.audit_id,
"mappedObjects": "AssessmentTemplate"
}
}
})
def read_revisions(self):
"""Read revisions for Audit object."""
model_class = get_model("Audit")
responses = []
for query in [
"source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"
]:
responses.append(
self.api.get_query(model_class,
query.format("audit", self.audit_id)))
return responses
def map_external_control(self):
"""Map Control (on which current user don't have any rights) to Audit."""
control = factories.ControlFactory()
audit = all_models.Audit.query.get(self.audit_id)
return self.objgen.generate_relationship(
source=audit,
destination=control,
)[0]
def map_control(self):
"""Map new snapshot of Control to Audit."""
with factories.single_commit():
control = factories.ControlFactory()
acl = [
acl for acl in control._access_control_list
if acl.ac_role_id == self.admin_control_id
][0]
factories.AccessControlPersonFactory(person_id=self.user_id,
ac_list=acl)
audit = all_models.Audit.query.get(self.audit_id)
return self.objgen.generate_relationship(
source=audit,
destination=control,
)[0]
def deprecate(self):
"""Set status 'Deprecated' for Audit."""
audit = all_models.Audit.query.get(self.audit_id)
return self.api.modify_object(audit, {"status": "Deprecated"})
def archive(self):
"""Move Audit into archived state."""
audit = all_models.Audit.query.get(self.audit_id)
return self.api.modify_object(audit, {"archived": True})
def unarchive(self):
"""Move Audit into unarchived state."""
audit = all_models.Audit.query.get(self.audit_id)
return self.api.modify_object(audit, {"archived": False})
def summary(self):
"""Get Audit summary information."""
return self.api.client.get("api/audits/{}/{}".format(
self.audit_id, "summary"))
class ProgramRBACFactory(base.BaseRBACFactory):
"""Program RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Program permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
# pylint: disable=unused-argument
self.setup_program_scope(user_id, acr, "Program")
self.admin_control_id = {
name: id
for id, name in access_control.role.get_custom_roles_for(
"Control").items()
}["Admin"]
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
self.user_id = user_id
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Program object."""
return self.api.post(
all_models.Program, {
"program": {
"title": "New program",
"program": {
"id": self.program_id
},
"context": None,
"access_control_list": [],
}
})
def read(self):
"""Read existing Audit object."""
return self.api.get(all_models.Program, self.program_id)
def update(self):
"""Update title of existing Audit object."""
program = all_models.Program.query.get(self.program_id)
return self.api.put(program, {"title": factories.random_str()})
def delete(self):
"""Delete Audit object."""
program = all_models.Program.query.get(self.program_id)
return self.api.delete(program)
def read_revisions(self):
"""Read revisions for Assessment object."""
responses = []
for query in [
"source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"
]:
responses.append(
self.api.get_query(all_models.Program,
query.format("program", self.program_id)))
return responses
def map_control(self):
"""Map new Control to Program."""
with factories.single_commit():
control = factories.ControlFactory()
for acl in control._access_control_list:
if acl.ac_role_id == self.admin_control_id:
factories.AccessControlPersonFactory(
person_id=self.user_id,
ac_list=acl,
)
program = all_models.Program.query.get(self.program_id)
return self.objgen.generate_relationship(
source=program,
destination=control,
)[0]
def unmap_control(self):
"""Unmap Control from Program."""
control = factories.ControlFactory()
program = all_models.Program.query.get(self.program_id)
rel = factories.RelationshipFactory(source=control,
destination=program)
return self.api.delete(rel)
def read_mapped(self):
"""Read project mapped to Program."""
program = all_models.Program.query.get(self.program_id)
with factories.single_commit():
project = factories.ProjectFactory()
factories.RelationshipFactory(source=project, destination=program)
return self.api.get(project, project.id)
def update_mapped(self):
"""Update project mapped to Program."""
program = all_models.Program.query.get(self.program_id)
with factories.single_commit():
project = factories.ProjectFactory()
factories.RelationshipFactory(source=project, destination=program)
return self.api.put(project, {"title": factories.random_str()})
def delete_mapped(self):
"""Delete project mapped to Program."""
program = all_models.Program.query.get(self.program_id)
with factories.single_commit():
project = factories.ProjectFactory()
factories.RelationshipFactory(source=project, destination=program)
return self.api.delete(project)
class TestAudit(TestCase):
""" Test Audit class. """
# pylint: disable=invalid-name
def setUp(self):
super(TestAudit, self).setUp()
self.api = Api()
self.gen = generator.ObjectGenerator()
def generate_control_mappings(self, control):
"""Map Control to several Assessments"""
with factories.single_commit():
person = factories.PersonFactory()
asmnt_ids = []
for _ in range(2):
asmnt = factories.AssessmentFactory()
asmnt_ids.append(asmnt.id)
asmnt.add_person_with_role_name(person, "Creators")
for asmnt_id in asmnt_ids:
asmnt = all_models.Assessment.query.get(asmnt_id)
self.gen.generate_relationship(source=asmnt, destination=control)
def test_creation_mapped_control(self):
"""Check creation of new Audit if Program has Control with mapped roles"""
control = factories.ControlFactory()
# Map original of control to several assessments to get propagated roles
self.generate_control_mappings(control)
# Existing control should be updated to create new revision with ACL
self.api.put(control, {"title": "Test Control"})
program = factories.ProgramFactory()
factories.RelationshipFactory(source=program, destination=control)
response = self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id
},
"status": "Planned",
"context": None
}
}])
self.assert200(response)
def test_program_mapping(self):
"""Check creation of new Audit if Program has Control with mapped roles"""
program = factories.ProgramFactory()
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id,
"type": program.type
},
"status": "Planned",
"context": None
}
}])
audit = all_models.Audit.query.first()
program = all_models.Program.query.first()
relationships = all_models.Relationship.find_related(audit, program)
self.assertIsNotNone(audit)
self.assertIsNotNone(program)
self.assertIsNotNone(relationships)
def test_control_mapping_missing_revision(self):
"""Test mapping control with missing revision to audit"""
audit = factories.AuditFactory()
control = factories.ControlFactory()
all_models.Revision.query.filter_by(
resource_id=control.id, resource_type=control.type).delete()
db.session.commit()
response, _ = self.gen.generate_relationship(audit, control)
self.assert500(response)
self.assertEqual(response.json, errors.MISSING_REVISION)
def test_delete_audit_asmnt_tmpl(self):
"""Check inability to delete audit in relation with assessment template."""
with factories.single_commit():
audit = factories.AuditFactory()
assessment_template = factories.AssessmentTemplateFactory(
audit=audit)
factories.RelationshipFactory(source=audit,
destination=assessment_template)
response = self.api.delete(audit)
self.assertStatus(response, 409)
self.assertEqual(response.json["message"], errors.MAPPED_ASSESSMENT)
def test_delete_audit_asmnt(self):
"""Check inability to delete audit in relation with assessment."""
with factories.single_commit():
audit = factories.AuditFactory()
assessment = factories.AssessmentFactory(audit=audit)
factories.RelationshipFactory(
source=audit,
destination=assessment,
)
response = self.api.delete(audit)
self.assertStatus(response, 409)
self.assertEqual(response.json["message"], errors.MAPPED_ASSESSMENT)
def test_delete_audit_proper(self):
"""Check delete audit with assessment template. Remove template first"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
assessment_template = factories.AssessmentTemplateFactory(
audit=audit)
assessment_template_id = assessment_template.id
factories.RelationshipFactory(source=audit,
destination=assessment_template)
assessment_template = \
all_models.AssessmentTemplate.query.get(assessment_template_id)
response = self.api.delete(assessment_template)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
response = self.api.delete(audit)
self.assert200(response)
def test_new_audit_snapshots(self):
"""Test audit snapshot relationships on new audit creation."""
program = factories.ProgramFactory()
control = factories.ControlFactory()
factories.RelationshipFactory(
source=program,
destination=control,
)
self.api.post(all_models.Audit, [{
"audit": {
"title": "New Audit",
"program": {
"id": program.id,
"type": program.type
},
"status": "Planned",
"context": None
}
}])
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_new_snapshot_mapping(self):
"""Test audit snapshot relationships on new snapshot creation."""
audit = factories.AuditFactory()
control = factories.ControlFactory()
self.gen.generate_relationship(audit, control)
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_new_snapshots_on_update(self):
"""Test relationships for snapshots created by update audit scope."""
audit = factories.AuditFactory()
control = factories.ControlFactory()
self.gen.generate_relationship(audit.program, control)
self.api.put(audit, data={"snapshots": {"operation": "upsert"}})
audit = all_models.Audit.query.first()
snapshot = all_models.Snapshot.query.first()
relationships = all_models.Relationship.find_related(audit, snapshot)
self.assertIsNotNone(audit)
self.assertIsNotNone(snapshot)
self.assertIsNotNone(relationships)
def test_slug_validation_create(self):
"""Test post slug with leading space"""
with factories.single_commit():
program = factories.ProgramFactory()
audit_data = {
"slug": " SLUG",
"program": {
"id": program.id
},
}
response, audit = self.gen.generate_object(all_models.Audit,
audit_data)
self.assertEqual(response.status_code, 201)
current_slug = audit.slug
expected_slug = "SLUG"
self.assertEqual(current_slug, expected_slug)
def test_slug_no_update(self):
"""Test put slug has no effect since slug became
not updatable API attribute"""
with factories.single_commit():
audit = factories.AuditFactory(slug="SLUG-01")
response = self.api.put(audit, {"slug": "NEW SLUG"})
self.assert200(response)
audit = db.session.query(all_models.Audit).get(audit.id)
current_slug = audit.slug
expected_slug = "SLUG-01"
self.assertEqual(current_slug, expected_slug)
class TestAssessmentTemplate(TestCase):
""" Test AssessmentTemplate class. """
def setUp(self):
super(TestAssessmentTemplate, self).setUp()
self.api = Api()
def test_audit_setup(self):
"""Test audit setup for assessment_template"""
audit = factories.AuditFactory()
response = self.api.post(
all_models.AssessmentTemplate, {
"assessment_template": {
"audit": {
"id": audit.id
},
"context": {
"id": audit.context.id
},
"default_people": {
"assignees": "Admin",
"verifiers": "Admin",
},
"title": "Some title"
}
})
self.assertStatus(response, 201)
template_id = response.json["assessment_template"]["id"]
template = all_models.AssessmentTemplate.query.get(template_id)
self.assertEqual(template.audit.id, audit.id)
def test_audit_issue_tracker(self):
"""Test existing audit issue_tracker info in template response"""
with factories.single_commit():
audit = factories.AuditFactory()
audit_id = audit.id
factories.IssueTrackerIssueFactory(
issue_tracked_obj=audit,
component_id="some component id",
hotlist_id="some host id",
title="some title",
issue_id="some issue id")
template_id = factories.AssessmentTemplateFactory(
audit=audit, context=audit.context).id
response = self.api.get(all_models.AssessmentTemplate, template_id)
self.assert200(response)
audit = all_models.Audit.query.get(audit_id)
default_issue_type = constants.DEFAULT_ISSUETRACKER_VALUES[
'issue_type']
self.assertEqual(
response.json["assessment_template"]["audit"], {
u"type": u"Audit",
u"id": long(audit.id),
u'title': unicode(audit.title),
u"href": u"/api/audits/{}".format(long(audit.id)),
u"context_id": long(audit.context.id),
u"issue_tracker": {
u'_warnings': [],
u"component_id": u"some component id",
u"enabled": False,
u"issue_severity": None,
u"hotlist_id": u"some host id",
u"issue_id": u"some issue id",
u"issue_priority": None,
u"issue_type": default_issue_type,
u"issue_url": None,
u"title": "some title",
u"people_sync_enabled": True,
}
})
class IssueRBACFactory(base.BaseRBACFactory):
"""Issue RBAC factory class."""
def __init__(self, user_id, acr, parent=None):
"""Set up objects for Issue permission tests.
Args:
user_id: Id of user under which all operations will be run.
acr: Instance of ACR that should be assigned for tested user.
parent: Model name in scope of which objects should be set up.
"""
self.setup_program_scope(user_id, acr)
with factories.single_commit():
issue = factories.IssueFactory()
if parent == "Audit":
self.mapping_id = factories.RelationshipFactory(
source=self.audit, destination=issue).id
elif parent == "Assessment":
self.mapping_id = factories.RelationshipFactory(
source=self.assessment, destination=issue).id
self.issue_id = issue.id
self.parent = parent
self.admin_acr_id = all_models.AccessControlRole.query.filter_by(
name="Admin",
object_type="Issue",
).one().id
self.user_id = user_id
self.api = Api()
self.objgen = generator.ObjectGenerator()
self.objgen.api = self.api
if user_id:
user = all_models.Person.query.get(user_id)
self.api.set_user(user)
def create(self):
"""Create new Issue object."""
return self.api.post(
all_models.Issue, {
"issue": {
"access_control_list": [{
"ac_role_id": self.admin_acr_id,
"person": {
"id": self.user_id,
"type": "Person",
}
}],
"title":
factories.random_str(),
"context":
None,
}
})
def read(self):
"""Read existing Issue object."""
return self.api.get(all_models.Issue, self.issue_id)
def update(self):
"""Update title of existing Issue object."""
issue = all_models.Issue.query.get(self.issue_id)
return self.api.put(issue, {"title": factories.random_str()})
def delete(self):
"""Delete Issue object."""
issue = all_models.Issue.query.get(self.issue_id)
return self.api.delete(issue)
def read_revisions(self):
"""Read revisions of Issue object."""
model_class = get_model("Issue")
responses = []
for query in [
"source_type={}&source_id={}",
"destination_type={}&destination_id={}",
"resource_type={}&resource_id={}"
]:
responses.append(
self.api.get_query(model_class,
query.format("issue", self.issue_id)))
return responses
def map(self, issue=None):
"""Map Issue to parent object."""
if self.parent == "Audit":
parent = all_models.Audit.query.get(self.audit_id)
else:
parent = all_models.Assessment.query.get(self.assessment_id)
map_issue = issue if issue else factories.IssueFactory()
return self.objgen.generate_relationship(source=parent,
destination=map_issue)[0]
def create_and_map(self):
"""Create new Issue and map it to parent."""
response = self.create()
issue_id = None
if response.json and response.json.get("issue"):
issue_id = response.json.get("issue", {}).get("id")
if not issue_id:
return response
issue = all_models.Issue.query.get(issue_id)
return self.map(issue)
def unmap(self):
"""Unmap Issue from parent object."""
mapping = all_models.Relationship.query.get(self.mapping_id)
return self.api.delete(mapping)
def raise_issue(self):
"""Raise issue for Assessment."""
assessment = all_models.Assessment.query.get(self.assessment_id)
data = [{
"issue": {
"assessment": {
"id": assessment.id,
"type": assessment.type,
},
"title": factories.random_str(),
"context": None
}
}]
return self.api.post(all_models.Issue, data)
