def setUp(self):
super(APIControllerWithRBACTestCase, self).setUp()
self.users = {}
self.roles = {}
# Run RBAC migrations
run_all_rbac_migrations()
# Insert mock users with default role assignments
role_names = [SystemRole.SYSTEM_ADMIN, SystemRole.ADMIN, SystemRole.OBSERVER]
for role_name in role_names:
user_db = UserDB(name=role_name)
user_db = User.add_or_update(user_db)
self.users[role_name] = user_db
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=role_name)
UserRoleAssignment.add_or_update(role_assignment_db)
# Insert a user with no permissions and role assignments
user_1_db = UserDB(name='no_permissions')
user_1_db = User.add_or_update(user_1_db)
self.users['no_permissions'] = user_1_db
def setUp(self):
super(PolicyTypeControllerRBACTestCase, self).setUp()
self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'fake_policy_type_1.yaml'
PolicyTypeControllerRBACTestCase.POLICY_TYPE_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'policytypes': [file_name]})['policytypes'][file_name]
file_name = 'fake_policy_type_2.yaml'
PolicyTypeControllerRBACTestCase.POLICY_TYPE_2 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'policytypes': [file_name]})['policytypes'][file_name]
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='policy_type_list')
user_1_db = User.add_or_update(user_1_db)
self.users['policy_type_list'] = user_1_db
user_2_db = UserDB(name='policy_type_view')
user_2_db = User.add_or_update(user_2_db)
self.users['policy_type_view'] = user_2_db
# Roles
# policy_type_list
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=ResourceType.POLICY_TYPE,
permission_types=[PermissionType.POLICY_TYPE_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='policy_type_list', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['policy_type_list'] = role_1_db
# policy_type_view on timer 1
policy_type_uid = self.models['policytypes']['fake_policy_type_1.yaml'].get_uid()
grant_db = PermissionGrantDB(resource_uid=policy_type_uid,
resource_type=ResourceType.POLICY_TYPE,
permission_types=[PermissionType.POLICY_TYPE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='policy_type_view', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['policy_type_view'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['policy_type_list'].name,
role=self.roles['policy_type_list'].name,
source='assignments/%s.yaml' % self.users['policy_type_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['policy_type_view'].name,
role=self.roles['policy_type_view'].name,
source='assignments/%s.yaml' % self.users['policy_type_view'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ActionControllerRBACTestCase, self).setUp()
self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'action1.yaml'
ActionControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'actions': [file_name]})['actions'][file_name]
# Insert mock users, roles and assignments
# Users
user_2_db = UserDB(name='action_create')
user_2_db = User.add_or_update(user_2_db)
self.users['action_create'] = user_2_db
# Roles
# action_create grant on parent pack
grant_db = PermissionGrantDB(resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='action_create', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['action_create'] = role_1_db
# Role assignments
user_db = self.users['action_create']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['action_create'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ActionExecutionRBACControllerTestCase, self).setUp()
self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='multiple_roles')
user_1_db = User.add_or_update(user_1_db)
self.users['multiple_roles'] = user_1_db
# Roles
roles = ['role_1', 'role_2', 'role_3']
for role in roles:
role_db = RoleDB(name=role)
Role.add_or_update(role_db)
# Role assignments
user_db = self.users['multiple_roles']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role='admin',
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
for role in roles:
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=role,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ExecutionViewsFiltersControllerRBACTestCase, self).setUp()
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='execution_views_filters_list')
user_1_db = User.add_or_update(user_1_db)
self.users['execution_views_filters_list'] = user_1_db
# Roles
# trace_list
permission_types = [PermissionType.EXECUTION_VIEWS_FILTERS_LIST]
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=ResourceType.EXECUTION,
permission_types=permission_types)
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='execution_views_filters_list',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['execution_views_filters_list'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['execution_views_filters_list'].name,
role=self.roles['execution_views_filters_list'].name,
source='assignments/%s.yaml' %
self.users['execution_views_filters_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(TestRbacController, self).setUp()
permissions = [
PermissionType.RULE_CREATE, PermissionType.RULE_VIEW,
PermissionType.RULE_MODIFY, PermissionType.RULE_DELETE
]
for name in permissions:
user_db = UserDB(name=name)
user_db = User.add_or_update(user_db)
self.users[name] = user_db
# Roles
# action_create grant on parent pack
grant_db = PermissionGrantDB(resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[name])
grant_db = PermissionGrant.add_or_update(grant_db)
grant_2_db = PermissionGrantDB(
resource_uid='action:wolfpack:action-1',
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
permission_grants = [str(grant_db.id), str(grant_2_db.id)]
role_db = RoleDB(name=name, permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles[name] = role_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
role=role_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(RBACRoleAssignmentsControllerRBACTestCase, self).setUp()
# Insert mock users, roles and assignments
self.role_assignments = {}
# Users
user_1_db = UserDB(name='user_foo')
user_1_db = User.add_or_update(user_1_db)
self.users['user_foo'] = user_1_db
# Roles
role_1_db = RoleDB(name='user_foo', permission_grants=[])
role_1_db = Role.add_or_update(role_1_db)
self.roles['user_foo'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['user_foo'].name,
role=self.roles['user_foo'].name,
source='assignments/%s.yaml' % self.users['user_foo'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
self.role_assignments['assignment_one'] = role_assignment_db
role_assignment_db = UserRoleAssignmentDB(
user='******',
role=self.roles['user_foo'].name,
source='assignments/user_bar.yaml')
UserRoleAssignment.add_or_update(role_assignment_db)
self.role_assignments['assignment_two'] = role_assignment_db
def setUp(self):
super(PolicyTypeControllerRBACTestCase, self).setUp()
self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'fake_policy_type_1.yaml'
PolicyTypeControllerRBACTestCase.POLICY_TYPE_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'policytypes': [file_name]})['policytypes'][file_name]
file_name = 'fake_policy_type_2.yaml'
PolicyTypeControllerRBACTestCase.POLICY_TYPE_2 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'policytypes': [file_name]})['policytypes'][file_name]
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='policy_type_list')
user_1_db = User.add_or_update(user_1_db)
self.users['policy_type_list'] = user_1_db
user_2_db = UserDB(name='policy_type_view')
user_2_db = User.add_or_update(user_2_db)
self.users['policy_type_view'] = user_2_db
# Roles
# policy_type_list
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=ResourceType.POLICY_TYPE,
permission_types=[PermissionType.POLICY_TYPE_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='policy_type_list', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['policy_type_list'] = role_1_db
# policy_type_view on timer 1
policy_type_uid = self.models['policytypes']['fake_policy_type_1.yaml'].get_uid()
grant_db = PermissionGrantDB(resource_uid=policy_type_uid,
resource_type=ResourceType.POLICY_TYPE,
permission_types=[PermissionType.POLICY_TYPE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='policy_type_view', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['policy_type_view'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['policy_type_list'].name,
role=self.roles['policy_type_list'].name,
source='assignments/%s.yaml' % self.users['policy_type_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['policy_type_view'].name,
role=self.roles['policy_type_view'].name,
source='assignments/%s.yaml' % self.users['policy_type_view'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(RBACRoleAssignmentsControllerRBACTestCase, self).setUp()
# Insert mock users, roles and assignments
self.role_assignments = {}
# Users
user_1_db = UserDB(name='user_foo')
user_1_db = User.add_or_update(user_1_db)
self.users['user_foo'] = user_1_db
# Roles
role_1_db = RoleDB(name='user_foo', permission_grants=[])
role_1_db = Role.add_or_update(role_1_db)
self.roles['user_foo'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['user_foo'].name,
role=self.roles['user_foo'].name,
source='assignments/%s.yaml' % self.users['user_foo'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
self.role_assignments['assignment_one'] = role_assignment_db
role_assignment_db = UserRoleAssignmentDB(
user='******',
role=self.roles['user_foo'].name,
source='assignments/user_bar.yaml')
UserRoleAssignment.add_or_update(role_assignment_db)
self.role_assignments['assignment_two'] = role_assignment_db
def setUp(self):
super(WebhookPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='custom_role_webhook_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_webhook_grant'] = user_1_db
# Create some mock resources on which permissions can be granted
webhook_1_db = WebhookDB(name='st2/')
self.resources['webhook_1'] = webhook_1_db
# Create some mock roles with associated permission grants
# Custom role - "webhook_send" grant on webhook_1
grant_db = PermissionGrantDB(resource_uid=self.resources['webhook_1'].get_uid(),
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_SEND])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_webhook_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_webhook_grant'] = role_db
# Create some mock role assignments
user_db = self.users['custom_role_webhook_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_webhook_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ExecutionViewsFiltersControllerRBACTestCase, self).setUp()
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='execution_views_filters_list')
user_1_db = User.add_or_update(user_1_db)
self.users['execution_views_filters_list'] = user_1_db
# Roles
# trace_list
permission_types = [PermissionType.EXECUTION_VIEWS_FILTERS_LIST]
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=ResourceType.EXECUTION,
permission_types=permission_types)
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='execution_views_filters_list',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['execution_views_filters_list'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['execution_views_filters_list'].name,
role=self.roles['execution_views_filters_list'].name,
source='assignments/%s.yaml' % self.users['execution_views_filters_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(WebhookPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='custom_role_webhook_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_webhook_grant'] = user_1_db
# Create some mock resources on which permissions can be granted
webhook_1_db = WebhookDB(name='st2/')
self.resources['webhook_1'] = webhook_1_db
# Create some mock roles with associated permission grants
# Custom role - "webhook_send" grant on webhook_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['webhook_1'].get_uid(),
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_SEND])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_webhook_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_webhook_grant'] = role_db
# Create some mock role assignments
user_db = self.users['custom_role_webhook_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_webhook_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ActionControllerRBACTestCase, self).setUp()
self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'action1.yaml'
ActionControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'actions': [file_name]})['actions'][file_name]
# Insert mock users, roles and assignments
# Users
user_2_db = UserDB(name='action_create')
user_2_db = User.add_or_update(user_2_db)
self.users['action_create'] = user_2_db
# Roles
# action_create grant on parent pack
grant_db = PermissionGrantDB(
resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='action_create',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['action_create'] = role_1_db
# Role assignments
user_db = self.users['action_create']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['action_create'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(BaseAPIControllerWithRBACTestCase, self).setUp()
self.users = {}
self.roles = {}
# Run RBAC migrations
run_all_rbac_migrations()
# Insert mock users with default role assignments
role_names = [
SystemRole.SYSTEM_ADMIN, SystemRole.ADMIN, SystemRole.OBSERVER
]
for role_name in role_names:
user_db = UserDB(name=role_name)
user_db = User.add_or_update(user_db)
self.users[role_name] = user_db
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=role_name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
# Insert a user with no permissions and role assignments
user_1_db = UserDB(name='no_permissions')
user_1_db = User.add_or_update(user_1_db)
self.users['no_permissions'] = user_1_db
def setUp(self):
super(RunnerPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='custom_role_runner_view_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_runner_view_grant'] = user_1_db
user_2_db = UserDB(name='custom_role_runner_modify_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_runner_modify_grant'] = user_2_db
# Create some mock resources on which permissions can be granted
runner_1_db = RunnerTypeDB(name='runner_1')
self.resources['runner_1'] = runner_1_db
runner_2_db = RunnerTypeDB(name='runner_2')
self.resources['runner_2'] = runner_2_db
# Create some mock roles with associated permission grants
# Custom role - "runner_view" grant on runner_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['runner_1'].get_uid(),
resource_type=ResourceType.RUNNER,
permission_types=[PermissionType.RUNNER_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_runner_view_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_runner_view_grant'] = role_db
# Custom role - "runner_modify" grant on runner_2
grant_db = PermissionGrantDB(
resource_uid=self.resources['runner_2'].get_uid(),
resource_type=ResourceType.RUNNER,
permission_types=[PermissionType.RUNNER_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_runner_modify_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_runner_modify_grant'] = role_db
# Create some mock role assignments
user_db = self.users['custom_role_runner_view_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_runner_view_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_runner_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_runner_modify_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(WebhookControllerRBACTestCase, self).setUp()
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='webhook_list')
user_1_db = User.add_or_update(user_1_db)
self.users['webhook_list'] = user_1_db
user_2_db = UserDB(name='webhook_view')
user_2_db = User.add_or_update(user_2_db)
self.users['webhook_view'] = user_2_db
# Roles
# webhook_list
grant_db = PermissionGrantDB(
resource_uid=None,
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='webhook_list',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['webhook_list'] = role_1_db
# webhook_view on webhook 1 (git)
name = 'git'
webhook_db = WebhookDB(name=name)
webhook_uid = webhook_db.get_uid()
grant_db = PermissionGrantDB(
resource_uid=webhook_uid,
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='webhook_view',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['webhook_view'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['webhook_list'].name,
role=self.roles['webhook_list'].name,
source='assignments/%s.yaml' % self.users['webhook_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['webhook_view'].name,
role=self.roles['webhook_view'].name,
source='assignments/%s.yaml' % self.users['webhook_view'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(RunnerPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='custom_role_runner_view_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_runner_view_grant'] = user_1_db
user_2_db = UserDB(name='custom_role_runner_modify_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_runner_modify_grant'] = user_2_db
# Create some mock resources on which permissions can be granted
runner_1_db = RunnerTypeDB(name='runner_1')
self.resources['runner_1'] = runner_1_db
runner_2_db = RunnerTypeDB(name='runner_2')
self.resources['runner_2'] = runner_2_db
# Create some mock roles with associated permission grants
# Custom role - "runner_view" grant on runner_1
grant_db = PermissionGrantDB(resource_uid=self.resources['runner_1'].get_uid(),
resource_type=ResourceType.RUNNER,
permission_types=[PermissionType.RUNNER_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_runner_view_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_runner_view_grant'] = role_db
# Custom role - "runner_modify" grant on runner_2
grant_db = PermissionGrantDB(resource_uid=self.resources['runner_2'].get_uid(),
resource_type=ResourceType.RUNNER,
permission_types=[PermissionType.RUNNER_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_runner_modify_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_runner_modify_grant'] = role_db
# Create some mock role assignments
user_db = self.users['custom_role_runner_view_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_runner_view_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_runner_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_runner_modify_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(APIControllersRBACTestCase, self).setUp()
# Register packs
if self.register_packs:
self._register_packs()
# Insert mock objects - those objects are used to test get one, edit and delete operations
self.models = self.fixtures_loader.save_fixtures_to_db(
fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES)
self.role_assignment_db_model = UserRoleAssignmentDB(user='******',
role='role')
UserRoleAssignment.add_or_update(self.role_assignment_db_model)
def setUp(self):
super(APIControllersRBACTestCase, self).setUp()
# Register packs
if self.register_packs:
self._register_packs()
# Insert mock objects - those objects are used to test get one, edit and delete operations
self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
self.role_assignment_db_model = UserRoleAssignmentDB(
user='******', role='role', source='assignments/user.yaml')
UserRoleAssignment.add_or_update(self.role_assignment_db_model)
def setUp(self):
super(WebhookControllerRBACTestCase, self).setUp()
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='webhook_list')
user_1_db = User.add_or_update(user_1_db)
self.users['webhook_list'] = user_1_db
user_2_db = UserDB(name='webhook_view')
user_2_db = User.add_or_update(user_2_db)
self.users['webhook_view'] = user_2_db
# Roles
# webhook_list
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='webhook_list', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['webhook_list'] = role_1_db
# webhook_view on webhook 1 (git)
name = 'git'
webhook_db = WebhookDB(name=name)
webhook_uid = webhook_db.get_uid()
grant_db = PermissionGrantDB(resource_uid=webhook_uid,
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='webhook_view', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['webhook_view'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['webhook_list'].name,
role=self.roles['webhook_list'].name,
source='assignments/%s.yaml' % self.users['webhook_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['webhook_view'].name,
role=self.roles['webhook_view'].name,
source='assignments/%s.yaml' % self.users['webhook_view'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def assign_role_to_user(role_db,
user_db,
description=None,
is_remote=False,
source=None):
"""
Assign role to a user.
:param role_db: Role to assign.
:type role_db: :class:`RoleDB`
:param user_db: User to assign the role to.
:type user_db: :class:`UserDB`
:param description: Optional assingment description.
:type description: ``str``
:param include_remote: True if this a remote assignment.
:type include_remote: ``bool``
:param source: Source from where this assignment comes from. For example, path of a file if
it's a local assignment or mapping or "API".
:type source: ``str``
"""
role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
role=role_db.name,
source=source,
description=description,
is_remote=is_remote)
role_assignment_db = UserRoleAssignment.add_or_update(role_assignment_db)
return role_assignment_db
def setUp(self):
super(ActionViewsControllerRBACTestCase, self).setUp()
self.models = self.fixtures_loader.save_fixtures_to_db(
fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES)
file_name = 'a1.yaml'
ActionViewsControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'actions': [file_name]})['actions'][file_name]
file_name = 'a2.yaml'
ActionViewsControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'actions': [file_name]})['actions'][file_name]
# Insert mock users, roles and assignments
# Users
user_2_db = UserDB(name='action_view_a1')
user_2_db = User.add_or_update(user_2_db)
self.users['action_view_a1'] = user_2_db
# Roles
# action_view on a1
action_uid = self.models['actions']['a1.yaml'].get_uid()
grant_db = PermissionGrantDB(
resource_uid=action_uid,
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='action_view_a1',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['action_view_a1'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['action_view_a1'].name,
role=self.roles['action_view_a1'].name,
source='assignments/%s.yaml' % self.users['action_view_a1'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ActionViewsControllerRBACTestCase, self).setUp()
self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'a1.yaml'
ActionViewsControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'actions': [file_name]})['actions'][file_name]
file_name = 'a2.yaml'
ActionViewsControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'actions': [file_name]})['actions'][file_name]
# Insert mock users, roles and assignments
# Users
user_2_db = UserDB(name='action_view_a1')
user_2_db = User.add_or_update(user_2_db)
self.users['action_view_a1'] = user_2_db
# Roles
# action_view on a1
action_uid = self.models['actions']['a1.yaml'].get_uid()
grant_db = PermissionGrantDB(resource_uid=action_uid,
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='action_view_a1', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['action_view_a1'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['action_view_a1'].name,
role=self.roles['action_view_a1'].name,
source='assignments/%s.yaml' % self.users['action_view_a1'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(RBACControllerTestCase, self).setUp()
permissions = [PermissionType.RULE_CREATE,
PermissionType.RULE_VIEW,
PermissionType.RULE_MODIFY,
PermissionType.RULE_DELETE]
for name in permissions:
user_db = UserDB(name=name)
user_db = User.add_or_update(user_db)
self.users[name] = user_db
# Roles
# action_create grant on parent pack
grant_db = PermissionGrantDB(resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[name])
grant_db = PermissionGrant.add_or_update(grant_db)
grant_2_db = PermissionGrantDB(resource_uid='action:wolfpack:action-1',
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
permission_grants = [str(grant_db.id), str(grant_2_db.id)]
role_db = RoleDB(name=name, permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles[name] = role_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=role_db.name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user='******',
role='role_two',
source='assignments/user_two.yaml',
is_remote=True)
UserRoleAssignment.add_or_update(role_assignment_db)
def _insert_common_mock_role_assignments(self):
# Insert common mock role assignments
role_assignment_admin = UserRoleAssignmentDB(
user=self.users['admin'].name,
role=self.roles['admin_role'].name,
source='assignments/admin.yaml')
role_assignment_admin = UserRoleAssignment.add_or_update(
role_assignment_admin)
role_assignment_observer = UserRoleAssignmentDB(
user=self.users['observer'].name,
role=self.roles['observer_role'].name,
source='assignments/observer.yaml')
role_assignment_observer = UserRoleAssignment.add_or_update(
role_assignment_observer)
user_db = self.users['1_custom_role_no_permissions']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_1'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def _insert_common_mock_role_assignments(self):
# Insert common mock role assignments
role_assignment_admin = UserRoleAssignmentDB(
user=self.users['admin'].name, role=self.roles['admin_role'].name,
source='assignments/admin.yaml')
role_assignment_admin = UserRoleAssignment.add_or_update(role_assignment_admin)
role_assignment_observer = UserRoleAssignmentDB(
user=self.users['observer'].name, role=self.roles['observer_role'].name,
source='assignments/observer.yaml')
role_assignment_observer = UserRoleAssignment.add_or_update(role_assignment_observer)
user_db = self.users['1_custom_role_no_permissions']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_1'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_pack_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def assign_role_to_user(
role_db,
user_db,
description=None,
is_remote=False,
source=None,
ignore_already_exists_error=False,
):
"""
Assign role to a user.
:param role_db: Role to assign.
:type role_db: :class:`RoleDB`
:param user_db: User to assign the role to.
:type user_db: :class:`UserDB`
:param description: Optional assingment description.
:type description: ``str``
:param include_remote: True if this a remote assignment.
:type include_remote: ``bool``
:param source: Source from where this assignment comes from. For example, path of a file if
it's a local assignment or mapping or "API".
:type source: ``str``
:param: ignore_already_exists_error: True to ignore error if an assignment already exists.
:type ignore_already_exists_error: ``bool``
"""
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=role_db.name,
source=source,
description=description,
is_remote=is_remote,
)
try:
role_assignment_db = UserRoleAssignment.add_or_update(
role_assignment_db)
except (NotUniqueError, StackStormDBObjectConflictError) as e:
if not ignore_already_exists_error:
raise e
role_assignment_db = UserRoleAssignment.query(
user=user_db.name,
role=role_db.name,
source=source,
description=description).first()
return role_assignment_db
def assign_role_to_user(role_db, user_db):
"""
Assign role to a user.
:param role_db: Role to assign.
:type role_db: :class:`RoleDB`
:param user_db: User to assign the role to.
:type user_db: :class:`UserDB`
"""
role_assignment_db = UserRoleAssignmentDB(user=user_db.name, role=role_db.name)
role_assignment_db = UserRoleAssignment.add_or_update(role_assignment_db)
return role_assignment_db
def assign_role_to_user(role_db, user_db, description=None):
"""
Assign role to a user.
:param role_db: Role to assign.
:type role_db: :class:`RoleDB`
:param user_db: User to assign the role to.
:type user_db: :class:`UserDB`
:param description: Optional assingment description.
:type description: ``str``
"""
role_assignment_db = UserRoleAssignmentDB(user=user_db.name, role=role_db.name, description=description)
role_assignment_db = UserRoleAssignment.add_or_update(role_assignment_db)
return role_assignment_db
def assign_role_to_user(role_db, user_db, description=None):
"""
Assign role to a user.
:param role_db: Role to assign.
:type role_db: :class:`RoleDB`
:param user_db: User to assign the role to.
:type user_db: :class:`UserDB`
:param description: Optional assingment description.
:type description: ``str``
"""
role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
role=role_db.name,
description=description)
role_assignment_db = UserRoleAssignment.add_or_update(role_assignment_db)
return role_assignment_db
def setUp(self):
super(RBACServicesTestCase, self).setUp()
# TODO: Share mocks
self.users = {}
self.roles = {}
self.resources = {}
# Create some mock users
user_1_db = UserDB(name='admin')
user_1_db = User.add_or_update(user_1_db)
self.users['admin'] = user_1_db
user_2_db = UserDB(name='observer')
user_2_db = User.add_or_update(user_2_db)
self.users['observer'] = user_2_db
user_3_db = UserDB(name='no_roles')
user_3_db = User.add_or_update(user_3_db)
self.users['no_roles'] = user_3_db
user_4_db = UserDB(name='custom_role')
user_4_db = User.add_or_update(user_4_db)
self.users['1_custom_role'] = user_4_db
# Create some mock roles
role_1_db = rbac_services.create_role(name='custom_role_1')
role_2_db = rbac_services.create_role(name='custom_role_2',
description='custom role 2')
self.roles['custom_role_1'] = role_1_db
self.roles['custom_role_2'] = role_2_db
# Create some mock role assignments
role_assignment_1 = UserRoleAssignmentDB(
user=self.users['1_custom_role'].name,
role=self.roles['custom_role_1'].name)
role_assignment_1 = UserRoleAssignment.add_or_update(role_assignment_1)
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test1', name='rule1', ref='test1.rule1')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
def setUp(self):
super(RBACServicesTestCase, self).setUp()
# TODO: Share mocks
self.users = {}
self.roles = {}
self.resources = {}
# Create some mock users
user_1_db = UserDB(name='admin')
user_1_db = User.add_or_update(user_1_db)
self.users['admin'] = user_1_db
user_2_db = UserDB(name='observer')
user_2_db = User.add_or_update(user_2_db)
self.users['observer'] = user_2_db
user_3_db = UserDB(name='no_roles')
user_3_db = User.add_or_update(user_3_db)
self.users['no_roles'] = user_3_db
user_4_db = UserDB(name='custom_role')
user_4_db = User.add_or_update(user_4_db)
self.users['1_custom_role'] = user_4_db
# Create some mock roles
role_1_db = rbac_services.create_role(name='custom_role_1')
role_2_db = rbac_services.create_role(name='custom_role_2',
description='custom role 2')
self.roles['custom_role_1'] = role_1_db
self.roles['custom_role_2'] = role_2_db
# Create some mock role assignments
role_assignment_1 = UserRoleAssignmentDB(user=self.users['1_custom_role'].name,
role=self.roles['custom_role_1'].name)
role_assignment_1 = UserRoleAssignment.add_or_update(role_assignment_1)
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test1', name='rule1', ref='test1.rule1')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
def assign_role_to_user(role_db, user_db, description=None, is_remote=False):
"""
Assign role to a user.
:param role_db: Role to assign.
:type role_db: :class:`RoleDB`
:param user_db: User to assign the role to.
:type user_db: :class:`UserDB`
:param description: Optional assingment description.
:type description: ``str``
:param include_remote: True if this a remote assignment.
:type include_remote: ``bool``
"""
role_assignment_db = UserRoleAssignmentDB(user=user_db.name, role=role_db.name,
description=description,
is_remote=is_remote)
role_assignment_db = UserRoleAssignment.add_or_update(role_assignment_db)
return role_assignment_db
def _insert_common_mock_role_assignments(self):
# Insert common mock role assignments
role_assignment_admin = UserRoleAssignmentDB(user=self.users["admin"].name, role=self.roles["admin_role"].name)
role_assignment_admin = UserRoleAssignment.add_or_update(role_assignment_admin)
role_assignment_observer = UserRoleAssignmentDB(
user=self.users["observer"].name, role=self.roles["observer_role"].name
)
role_assignment_observer = UserRoleAssignment.add_or_update(role_assignment_observer)
user_db = self.users["1_custom_role_no_permissions"]
role_assignment_db = UserRoleAssignmentDB(user=user_db.name, role=self.roles["custom_role_1"].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users["custom_role_pack_grant"]
role_assignment_db = UserRoleAssignmentDB(user=user_db.name, role=self.roles["custom_role_pack_grant"].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def assign_role_to_user(role_db, user_db, description=None, is_remote=False, source=None,
ignore_already_exists_error=False):
"""
Assign role to a user.
:param role_db: Role to assign.
:type role_db: :class:`RoleDB`
:param user_db: User to assign the role to.
:type user_db: :class:`UserDB`
:param description: Optional assingment description.
:type description: ``str``
:param include_remote: True if this a remote assignment.
:type include_remote: ``bool``
:param source: Source from where this assignment comes from. For example, path of a file if
it's a local assignment or mapping or "API".
:type source: ``str``
:param: ignore_already_exists_error: True to ignore error if an assignment already exists.
:type ignore_already_exists_error: ``bool``
"""
role_assignment_db = UserRoleAssignmentDB(user=user_db.name, role=role_db.name, source=source,
description=description, is_remote=is_remote)
try:
role_assignment_db = UserRoleAssignment.add_or_update(role_assignment_db)
except (NotUniqueError, StackStormDBObjectConflictError) as e:
if not ignore_already_exists_error:
raise e
role_assignment_db = UserRoleAssignment.query(user=user_db.name, role=role_db.name,
source=source,
description=description).first()
return role_assignment_db
def setUp(self):
super(RuleControllerRBACTestCase, self).setUp()
self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'rule_with_webhook_trigger.yaml'
RuleControllerRBACTestCase.RULE_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'rules': [file_name]})['rules'][file_name]
file_name = 'rule_example_pack.yaml'
RuleControllerRBACTestCase.RULE_2 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'rules': [file_name]})['rules'][file_name]
# Insert mock users, roles and assignments
self = self
self.users = {}
self.roles = {}
# Users
user_1_db = UserDB(name='rule_create')
user_1_db = User.add_or_update(user_1_db)
self.users['rule_create'] = user_1_db
user_2_db = UserDB(name='rule_create_webhook_create')
user_2_db = User.add_or_update(user_2_db)
self.users['rule_create_webhook_create'] = user_2_db
user_3_db = UserDB(name='rule_create_webhook_create_core_local_execute')
user_3_db = User.add_or_update(user_3_db)
self.users['rule_create_webhook_create_core_local_execute'] = user_3_db
# Roles
# rule_create grant on parent pack
grant_db = PermissionGrantDB(resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='rule_create', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['rule_create'] = role_1_db
# rule_create grant on parent pack, webhook_create on webhook "sample"
grant_1_db = PermissionGrantDB(resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_1_db = PermissionGrant.add_or_update(grant_1_db)
grant_2_db = PermissionGrantDB(resource_uid='webhook:sample',
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_CREATE])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
permission_grants = [str(grant_1_db.id), str(grant_2_db.id)]
role_2_db = RoleDB(name='rule_create_webhook_create', permission_grants=permission_grants)
role_2_db = Role.add_or_update(role_2_db)
self.roles['rule_create_webhook_create'] = role_2_db
# rule_create grant on parent pack, webhook_create on webhook "sample", action_execute on
# core.local
grant_1_db = PermissionGrantDB(resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_1_db = PermissionGrant.add_or_update(grant_1_db)
grant_2_db = PermissionGrantDB(resource_uid='webhook:sample',
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_CREATE])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
grant_3_db = PermissionGrantDB(resource_uid='action:core:local',
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_3_db = PermissionGrant.add_or_update(grant_3_db)
permission_grants = [str(grant_1_db.id), str(grant_2_db.id), str(grant_3_db.id)]
role_3_db = RoleDB(name='rule_create_webhook_create_core_local_execute',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['rule_create_webhook_create_core_local_execute'] = role_3_db
# Role assignments
user_db = self.users['rule_create']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_create'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_create_webhook_create']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_create_webhook_create'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_create_webhook_create_core_local_execute']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_create_webhook_create_core_local_execute'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ActionPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='1_role_action_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_action_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_action_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_action_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_action_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_action_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_action_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_action_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_action_execute_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_action_execute_grant'] = user_5_db
user_6_db = UserDB(name='action_pack_action_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['action_pack_action_create_grant'] = user_6_db
user_7_db = UserDB(name='action_pack_action_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['action_pack_action_all_grant'] = user_7_db
user_8_db = UserDB(name='action_action_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['action_action_create_grant'] = user_8_db
user_9_db = UserDB(name='action_action_all_grant')
user_9_db = User.add_or_update(user_9_db)
self.users['action_action_all_grant'] = user_9_db
user_10_db = UserDB(name='custom_role_action_list_grant')
user_10_db = User.add_or_update(user_10_db)
self.users['custom_role_action_list_grant'] = user_10_db
# Create some mock resources on which permissions can be granted
action_1_db = ActionDB(pack='test_pack_1', name='action1', entry_point='',
runner_type={'name': 'local-shell-cmd'})
action_1_db = Action.add_or_update(action_1_db)
self.resources['action_1'] = action_1_db
action_2_db = ActionDB(pack='test_pack_1', name='action2', entry_point='',
runner_type={'name': 'local-shell-cmd'})
action_2_db = Action.add_or_update(action_1_db)
self.resources['action_2'] = action_2_db
action_3_db = ActionDB(pack='test_pack_2', name='action3', entry_point='',
runner_type={'name': 'local-shell-cmd'})
action_3_db = Action.add_or_update(action_3_db)
self.resources['action_3'] = action_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "action_view" on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_action_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_action_pack_grant'] = role_3_db
# Custom role 4 - one grant on action
# "action_view" on action_3
grant_db = PermissionGrantDB(resource_uid=self.resources['action_3'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_action_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_action_grant'] = role_4_db
# Custom role - "action_all" grant on a parent action pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_action_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_action_all_grant'] = role_4_db
# Custom role - "action_all" grant on action
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_action_all_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_action_all_grant'] = role_4_db
# Custom role - "action_execute" on action_1
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_action_execute_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_action_execute_grant'] = role_5_db
# Custom role - "action_create" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='action_pack_action_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['action_pack_action_create_grant'] = role_6_db
# Custom role - "action_all" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='action_pack_action_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['action_pack_action_all_grant'] = role_7_db
# Custom role - "action_create" grant on action_1
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='action_action_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['action_action_create_grant'] = role_8_db
# Custom role - "action_all" grant on action_1
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_9_db = RoleDB(name='action_action_all_grant',
permission_grants=permission_grants)
role_9_db = Role.add_or_update(role_9_db)
self.roles['action_action_all_grant'] = role_9_db
# Custom role - "action_list" grant
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=None,
permission_types=[PermissionType.ACTION_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_10_db = RoleDB(name='custom_role_action_list_grant',
permission_grants=permission_grants)
role_10_db = Role.add_or_update(role_10_db)
self.roles['custom_role_action_list_grant'] = role_10_db
# Create some mock role assignments
user_db = self.users['custom_role_action_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_action_pack_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_action_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_pack_action_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_action_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_execute_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_action_execute_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['action_pack_action_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['action_pack_action_create_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['action_pack_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['action_pack_action_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['action_action_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['action_action_create_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['action_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['action_action_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_action_list_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(InquiryRBACControllerTestCase, self).setUp()
self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
# Insert mock users, roles and assignments
assignments = {
"user_get_db": {
"roles": ["role_get"],
"permissions": [PermissionType.INQUIRY_VIEW],
"resource_type": ResourceType.INQUIRY,
"resource_uid": 'inquiry'
},
"user_list_db": {
"roles": ["role_list"],
"permissions": [PermissionType.INQUIRY_LIST],
"resource_type": ResourceType.INQUIRY,
"resource_uid": 'inquiry'
},
"user_respond_db": {
"roles": ["role_respond"],
"permissions": [PermissionType.INQUIRY_RESPOND],
"resource_type": ResourceType.INQUIRY,
"resource_uid": 'inquiry'
},
"user_respond_paramtest": {
"roles": ["role_respond_2"],
"permissions": [PermissionType.INQUIRY_RESPOND],
"resource_type": ResourceType.INQUIRY,
"resource_uid": 'inquiry'
},
"user_respond_inherit": {
"roles": ["role_inherit"],
"permissions": [PermissionType.ACTION_EXECUTE],
"resource_type": ResourceType.ACTION,
"resource_uid": 'action:wolfpack:inquiry-workflow'
}
}
# Create users
for user in assignments.keys():
user_db = UserDB(name=user)
user_db = User.add_or_update(user_db)
self.users[user] = user_db
# Create grants and assign to roles
for assignment_details in assignments.values():
grant_db = PermissionGrantDB(
permission_types=assignment_details["permissions"],
resource_uid=assignment_details["resource_uid"],
resource_type=assignment_details["resource_type"]
)
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
for role in assignment_details["roles"]:
role_db = RoleDB(name=role, permission_grants=permission_grants)
Role.add_or_update(role_db)
# Assign users to roles
for user_name, assignment_details in assignments.items():
user_db = self.users[user_name]
for role in assignment_details['roles']:
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=role,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
# Create Inquiry
data = {
'action': 'wolfpack.ask',
'parameters': {
"roles": [
'role_respond'
]
}
}
result = {
"schema": SCHEMA_DEFAULT,
"roles": ['role_respond'],
"users": [],
"route": "",
"ttl": 1440
}
result_default = {
"schema": SCHEMA_DEFAULT,
"roles": [],
"users": [],
"route": "",
"ttl": 1440
}
# Use admin user for creating test objects
user_db = self.users['admin']
self.use_user(user_db)
# Create workflow
wf_data = {
'action': 'wolfpack.inquiry-workflow'
}
post_resp = self.app.post_json('/v1/executions', wf_data)
wf_id = str(post_resp.json.get('id'))
inquiry_with_parent = {
'action': 'wolfpack.ask',
# 'parameters': {},
'context': {
"parent": {
'execution_id': wf_id
}
}
}
resp = self._do_create_inquiry(data, result)
self.assertEqual(resp.status_int, http_client.OK)
self.inquiry_id = resp.json.get('id')
# Validated expected context for inquiries under RBAC
expected_context = {
'pack': 'wolfpack',
'user': '******',
'rbac': {
'user': '******',
'roles': ['admin']
}
}
self.assertEqual(resp.json['context'], expected_context)
# Create inquiry in workflow
resp = self._do_create_inquiry(inquiry_with_parent, result_default)
self.assertEqual(resp.status_int, http_client.OK)
self.inquiry_inherit_id = resp.json.get('id')
# Validated expected context for inquiries under RBAC
expected_context = {
'pack': 'wolfpack',
'parent': {
'execution_id': wf_id
},
'user': '******',
'rbac': {
'user': '******',
'roles': ['admin']
}
}
self.assertEqual(resp.json['context'], expected_context)
def setUp(self):
super(ActionAliasPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='alias_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['alias_pack_grant'] = user_1_db
user_2_db = UserDB(name='alias_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['alias_grant'] = user_2_db
user_3_db = UserDB(name='pack_alias_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['pack_alias_all_grant'] = user_3_db
user_4_db = UserDB(name='alias_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['alias_all_grant'] = user_4_db
user_5_db = UserDB(name='alias_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['alias_modify_grant'] = user_5_db
user_6_db = UserDB(name='alias_pack_alias_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['alias_pack_alias_create_grant'] = user_6_db
user_7_db = UserDB(name='alias_pack_alias_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['alias_pack_alias_all_grant'] = user_7_db
user_8_db = UserDB(name='alias_alias_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['alias_alias_create_grant'] = user_8_db
user_10_db = UserDB(name='alias_list_grant')
user_10_db = User.add_or_update(user_10_db)
self.users['alias_list_grant'] = user_10_db
# Create some mock resources on which permissions can be granted
alias_1_db = ActionAliasDB(pack='test_pack_1', name='alias1', formats=['a'],
action_ref='core.local')
self.resources['alias_1'] = alias_1_db
alias_2_db = ActionAliasDB(pack='test_pack_1', name='alias2', formats=['a'],
action_ref='core.local')
self.resources['alias_2'] = alias_2_db
alias_3_db = ActionAliasDB(pack='test_pack_2', name='alias3', formats=['a'],
action_ref='core.local')
self.resources['alias_3'] = alias_3_db
# Create some mock roles with associated permission grants
# One grant on parent pack, action_alias_view on pack1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALIAS_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='alias_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['alias_pack_grant'] = role_3_db
# "action_alias_view" on alias_3
grant_db = PermissionGrantDB(resource_uid=self.resources['alias_3'].get_uid(),
resource_type=ResourceType.ACTION_ALIAS,
permission_types=[PermissionType.ACTION_ALIAS_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='alias_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['alias_grant'] = role_4_db
# Custom role - "action_alias_all" grant on a parent pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALIAS_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='pack_alias_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['pack_alias_all_grant'] = role_4_db
# Custom role - "action_alias_all" grant on alias
grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(),
resource_type=ResourceType.ACTION_ALIAS,
permission_types=[PermissionType.ACTION_ALIAS_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='alias_all_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['alias_all_grant'] = role_4_db
# Custom role - "alias_modify" on alias_1
grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(),
resource_type=ResourceType.ACTION_ALIAS,
permission_types=[PermissionType.ACTION_ALIAS_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='alias_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['alias_modify_grant'] = role_5_db
# Custom role - "action_alias_create" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALIAS_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='alias_pack_alias_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['alias_pack_alias_create_grant'] = role_6_db
# Custom role - "action_alias_all" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALIAS_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='alias_pack_alias_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['alias_pack_alias_all_grant'] = role_7_db
# Custom role - "action_alias_create" grant on alias_1
grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(),
resource_type=ResourceType.ACTION_ALIAS,
permission_types=[PermissionType.ACTION_ALIAS_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='alias_alias_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['alias_alias_create_grant'] = role_8_db
# Custom role - "alias_list" grant
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=None,
permission_types=[PermissionType.ACTION_ALIAS_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_10_db = RoleDB(name='alias_list_grant',
permission_grants=permission_grants)
role_10_db = Role.add_or_update(role_10_db)
self.roles['alias_list_grant'] = role_10_db
# Create some mock role assignments
user_db = self.users['alias_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_pack_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['pack_alias_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['pack_alias_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_modify_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_pack_alias_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_pack_alias_create_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_pack_alias_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_pack_alias_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_alias_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_alias_create_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_list_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ActionExecutionRBACControllerTestCase, self).setUp()
runners_registrar.register_runners()
self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='multiple_roles')
user_1_db = User.add_or_update(user_1_db)
self.users['multiple_roles'] = user_1_db
user_2_db = UserDB(name='user_two')
user_2_db = User.add_or_update(user_2_db)
self.users['user_two'] = user_2_db
user_3_db = UserDB(name='user_three')
user_3_db = User.add_or_update(user_3_db)
self.users['user_three'] = user_3_db
# Roles
roles = ['role_1', 'role_2', 'role_3']
for role in roles:
role_db = RoleDB(name=role)
Role.add_or_update(role_db)
# action_execute, execution_list on parent pack
# action_view on parent pack
grant_1_db = PermissionGrantDB(resource_uid='pack:wolfpack',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_EXECUTE,
PermissionType.ACTION_VIEW])
grant_1_db = PermissionGrant.add_or_update(grant_1_db)
grant_2_db = PermissionGrantDB(resource_uid=None,
resource_type=ResourceType.EXECUTION,
permission_types=[PermissionType.EXECUTION_LIST])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
permission_grants = [str(grant_1_db.id), str(grant_2_db.id)]
role_1_db = RoleDB(name='role_4', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['role_4'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=user_1_db.name,
role='admin',
source='assignments/%s.yaml' % user_1_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
for role in roles:
role_assignment_db = UserRoleAssignmentDB(
user=user_1_db.name,
role=role,
source='assignments/%s.yaml' % user_1_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=user_2_db.name,
role='role_4',
source='assignments/%s.yaml' % user_2_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=user_3_db.name,
role='role_4',
source='assignments/%s.yaml' % user_2_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ApiKeyControllerRBACTestCase, self).setUp()
self.models = self.fixtures_loader.save_fixtures_to_db(
fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES)
file_name = 'apikey1.yaml'
ApiKeyControllerRBACTestCase.API_KEY_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'apikeys': [file_name]})['apikeys'][file_name]
file_name = 'apikey2.yaml'
ApiKeyControllerRBACTestCase.API_KEY_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'apikeys': [file_name]})['apikeys'][file_name]
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='api_key_list')
user_1_db = User.add_or_update(user_1_db)
self.users['api_key_list'] = user_1_db
user_2_db = UserDB(name='api_key_view')
user_2_db = User.add_or_update(user_2_db)
self.users['api_key_view'] = user_2_db
user_3_db = UserDB(name='api_key_create')
user_3_db = User.add_or_update(user_3_db)
self.users['api_key_create'] = user_3_db
# Roles
# api_key_list
grant_db = PermissionGrantDB(
resource_uid=None,
resource_type=ResourceType.API_KEY,
permission_types=[PermissionType.API_KEY_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='api_key_list',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['api_key_list'] = role_1_db
# api_key_view on apikey1
api_key_uid = self.models['apikeys']['apikey1.yaml'].get_uid()
grant_db = PermissionGrantDB(
resource_uid=api_key_uid,
resource_type=ResourceType.API_KEY,
permission_types=[PermissionType.API_KEY_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='api_key_view',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['api_key_view'] = role_1_db
# api_key_list
grant_db = PermissionGrantDB(
resource_uid=None,
resource_type=ResourceType.API_KEY,
permission_types=[PermissionType.API_KEY_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='api_key_create',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['api_key_create'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['api_key_list'].name,
role=self.roles['api_key_list'].name,
source='assignments/%s.yaml' % self.users['api_key_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['api_key_view'].name,
role=self.roles['api_key_view'].name,
source='assignments/%s.yaml' % self.users['api_key_view'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['api_key_create'].name,
role=self.roles['api_key_create'].name,
source='assignments/%s.yaml' % self.users['api_key_create'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ExecutionPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='custom_role_unrelated_pack_action_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_unrelated_pack_action_grant'] = user_1_db
user_2_db = UserDB(name='custom_role_pack_action_grant_unrelated_permission')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_pack_action_grant_unrelated_permission'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_action_view_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_action_view_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_action_view_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_action_view_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_pack_action_execute_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_pack_action_execute_grant'] = user_5_db
user_6_db = UserDB(name='custom_role_action_execute_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['custom_role_action_execute_grant'] = user_6_db
user_7_db = UserDB(name='custom_role_pack_action_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['custom_role_pack_action_all_grant'] = user_7_db
user_8_db = UserDB(name='custom_role_action_all_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['custom_role_action_all_grant'] = user_8_db
# Create some mock resources on which permissions can be granted
action_1_db = ActionDB(pack='test_pack_2', name='action1', entry_point='',
runner_type={'name': 'run-local'})
action_1_db = Action.add_or_update(action_1_db)
self.resources['action_1'] = action_1_db
runner = {'name': 'run-python'}
liveaction = {'action': 'test_pack_2.action1'}
status = action_constants.LIVEACTION_STATUS_REQUESTED
action = {'uid': action_1_db.get_uid(), 'pack': 'test_pack_2'}
exec_1_db = ActionExecutionDB(action=action, runner=runner, liveaction=liveaction,
status=status)
exec_1_db = ActionExecution.add_or_update(exec_1_db)
self.resources['exec_1'] = exec_1_db
# Create some mock roles with associated permission grants
# Custom role - one grant to an unrelated pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_unrelated_pack_action_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_unrelated_pack_action_grant'] = role_db
# Custom role - one grant of unrelated permission type to parent action pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_2'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_pack_action_grant_unrelated_permission',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_pack_action_grant_unrelated_permission'] = role_db
# Custom role - one grant of "action_view" to the parent pack of the action the execution
# belongs to
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_2'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_pack_action_view_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_pack_action_view_grant'] = role_db
# Custom role - one grant of "action_view" to the action the execution belongs to
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_action_view_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_action_view_grant'] = role_db
# Custom role - one grant of "action_execute" to the parent pack of the action the
# execution belongs to
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_2'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_pack_action_execute_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_pack_action_execute_grant'] = role_db
# Custom role - one grant of "action_execute" to the the action the execution belongs to
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_action_execute_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_action_execute_grant'] = role_db
# Custom role - "action_all" grant on a parent action pack the execution belongs to
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_2'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_action_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_action_all_grant'] = role_4_db
# Custom role - "action_all" grant on action the execution belongs to
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_action_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_action_all_grant'] = role_4_db
# Create some mock role assignments
user_db = self.users['custom_role_unrelated_pack_action_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_unrelated_pack_action_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_action_grant_unrelated_permission']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_action_grant_unrelated_permission'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_action_view_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_action_view_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_view_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_action_view_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_action_execute_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_action_execute_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_execute_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_action_execute_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_action_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_action_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(SensorPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='1_role_sensor_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_sensor_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_sensor_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_sensor_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_sensor_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_sensor_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_sensor_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_sensor_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_sensor_list_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_sensor_list_grant'] = user_5_db
# Create some mock resources on which permissions can be granted
sensor_1_db = SensorTypeDB(pack='test_pack_1', name='sensor1')
sensor_1_db = SensorType.add_or_update(sensor_1_db)
self.resources['sensor_1'] = sensor_1_db
sensor_2_db = SensorTypeDB(pack='test_pack_1', name='sensor2')
sensor_2_db = SensorType.add_or_update(sensor_2_db)
self.resources['sensor_2'] = sensor_2_db
sensor_3_db = SensorTypeDB(pack='test_pack_2', name='sensor3')
sensor_3_db = SensorType.add_or_update(sensor_3_db)
self.resources['sensor_3'] = sensor_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "sensor_view" on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.SENSOR_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_sensor_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_sensor_pack_grant'] = role_3_db
# Custom role 4 - one grant on pack
# "sensor_view on sensor_3
grant_db = PermissionGrantDB(
resource_uid=self.resources['sensor_3'].get_uid(),
resource_type=ResourceType.SENSOR,
permission_types=[PermissionType.SENSOR_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_sensor_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_sensor_grant'] = role_4_db
# Custom role - "sensor_all" grant on a parent sensor pack
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.SENSOR_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_sensor_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_sensor_all_grant'] = role_4_db
# Custom role - "sensor_all" grant on a sensor
grant_db = PermissionGrantDB(
resource_uid=self.resources['sensor_1'].get_uid(),
resource_type=ResourceType.SENSOR,
permission_types=[PermissionType.SENSOR_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_sensor_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_sensor_all_grant'] = role_4_db
# Custom role - "sensor_list" grant
grant_db = PermissionGrantDB(
resource_uid=None,
resource_type=None,
permission_types=[PermissionType.SENSOR_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_sensor_list_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_sensor_list_grant'] = role_5_db
# Create some mock role assignments
user_db = self.users['custom_role_sensor_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_sensor_pack_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_sensor_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_sensor_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_sensor_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_sensor_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_sensor_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_sensor_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_sensor_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_sensor_list_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ActionAliasPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='alias_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['alias_pack_grant'] = user_1_db
user_2_db = UserDB(name='alias_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['alias_grant'] = user_2_db
user_3_db = UserDB(name='pack_alias_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['pack_alias_all_grant'] = user_3_db
user_4_db = UserDB(name='alias_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['alias_all_grant'] = user_4_db
user_5_db = UserDB(name='alias_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['alias_modify_grant'] = user_5_db
user_6_db = UserDB(name='alias_pack_alias_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['alias_pack_alias_create_grant'] = user_6_db
user_7_db = UserDB(name='alias_pack_alias_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['alias_pack_alias_all_grant'] = user_7_db
user_8_db = UserDB(name='alias_alias_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['alias_alias_create_grant'] = user_8_db
user_10_db = UserDB(name='alias_list_grant')
user_10_db = User.add_or_update(user_10_db)
self.users['alias_list_grant'] = user_10_db
# Create some mock resources on which permissions can be granted
alias_1_db = ActionAliasDB(pack='test_pack_1', name='alias1', formats=['a'],
action_ref='core.local')
self.resources['alias_1'] = alias_1_db
alias_2_db = ActionAliasDB(pack='test_pack_1', name='alias2', formats=['a'],
action_ref='core.local')
self.resources['alias_2'] = alias_2_db
alias_3_db = ActionAliasDB(pack='test_pack_2', name='alias3', formats=['a'],
action_ref='core.local')
self.resources['alias_3'] = alias_3_db
# Create some mock roles with associated permission grants
# One grant on parent pack, action_alias_view on pack1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALIAS_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='alias_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['alias_pack_grant'] = role_3_db
# "action_alias_view" on alias_3
grant_db = PermissionGrantDB(resource_uid=self.resources['alias_3'].get_uid(),
resource_type=ResourceType.ACTION_ALIAS,
permission_types=[PermissionType.ACTION_ALIAS_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='alias_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['alias_grant'] = role_4_db
# Custom role - "action_alias_all" grant on a parent pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALIAS_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='pack_alias_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['pack_alias_all_grant'] = role_4_db
# Custom role - "action_alias_all" grant on alias
grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(),
resource_type=ResourceType.ACTION_ALIAS,
permission_types=[PermissionType.ACTION_ALIAS_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='alias_all_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['alias_all_grant'] = role_4_db
# Custom role - "alias_modify" on alias_1
grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(),
resource_type=ResourceType.ACTION_ALIAS,
permission_types=[PermissionType.ACTION_ALIAS_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='alias_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['alias_modify_grant'] = role_5_db
# Custom role - "action_alias_create" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALIAS_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='alias_pack_alias_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['alias_pack_alias_create_grant'] = role_6_db
# Custom role - "action_alias_all" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALIAS_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='alias_pack_alias_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['alias_pack_alias_all_grant'] = role_7_db
# Custom role - "action_alias_create" grant on alias_1
grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(),
resource_type=ResourceType.ACTION_ALIAS,
permission_types=[PermissionType.ACTION_ALIAS_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='alias_alias_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['alias_alias_create_grant'] = role_8_db
# Custom role - "alias_list" grant
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=None,
permission_types=[PermissionType.ACTION_ALIAS_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_10_db = RoleDB(name='alias_list_grant',
permission_grants=permission_grants)
role_10_db = Role.add_or_update(role_10_db)
self.roles['alias_list_grant'] = role_10_db
# Create some mock role assignments
user_db = self.users['alias_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_pack_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['pack_alias_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['pack_alias_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_modify_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_pack_alias_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_pack_alias_create_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_pack_alias_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_pack_alias_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_alias_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_alias_create_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['alias_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['alias_list_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(InquiryPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='custom_role_inquiry_list_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_inquiry_list_grant'] = user_1_db
user_2_db = UserDB(name='custom_role_inquiry_view_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_inquiry_view_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_inquiry_respond_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_inquiry_respond_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_inquiry_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_inquiry_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_inquiry_inherit')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_inquiry_inherit'] = user_5_db
# Create a workflow for testing inheritance of action_execute permission
# to inquiry_respond permission
wf_db = ActionDB(pack='examples', name='mistral-ask-basic', entry_point='',
runner_type={'name': 'mistral-v2'})
wf_db = Action.add_or_update(wf_db)
self.resources['wf'] = wf_db
runner = {'name': 'mistral-v2'}
liveaction = {'action': 'examples.mistral-ask-basic'}
status = action_constants.LIVEACTION_STATUS_PAUSED
# Spawn workflow
action = {'uid': wf_db.get_uid(), 'pack': 'examples'}
wf_exc_db = ActionExecutionDB(action=action, runner=runner, liveaction=liveaction,
status=status)
wf_exc_db = ActionExecution.add_or_update(wf_exc_db)
# Create an Inquiry on which permissions can be granted
action_1_db = ActionDB(pack='core', name='ask', entry_point='',
runner_type={'name': 'inquirer'})
action_1_db = Action.add_or_update(action_1_db)
self.resources['action_1'] = action_1_db
runner = {'name': 'inquirer'}
liveaction = {'action': 'core.ask'}
status = action_constants.LIVEACTION_STATUS_PENDING
# For now, Inquiries are "borrowing" the ActionExecutionDB model,
# so we have to test with that model
action = {'uid': action_1_db.get_uid(), 'pack': 'core'}
inquiry_1_db = ActionExecutionDB(action=action, runner=runner, liveaction=liveaction,
status=status)
# A separate inquiry that has a parent (so we can test workflow permission inheritance)
inquiry_2_db = ActionExecutionDB(action=action, runner=runner, liveaction=liveaction,
status=status, parent=str(wf_exc_db.id))
# A bit gross, but it's what we have to do since Inquiries
# don't yet have their own data model
def get_uid():
return "inquiry"
inquiry_1_db.get_uid = get_uid
inquiry_2_db.get_uid = get_uid
inquiry_1_db = ActionExecution.add_or_update(inquiry_1_db)
inquiry_2_db = ActionExecution.add_or_update(inquiry_2_db)
self.resources['inquiry_1'] = inquiry_1_db
self.resources['inquiry_2'] = inquiry_2_db
############################################################
# Create some mock roles with associated permission grants #
############################################################
# Custom role - "inquiry_list" grant
grant_db = PermissionGrantDB(resource_uid=self.resources['inquiry_1'].get_uid(),
resource_type=ResourceType.INQUIRY,
permission_types=[PermissionType.INQUIRY_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_inquiry_list_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_inquiry_list_grant'] = role_db
# Custom role - "inquiry_view" grant
grant_db = PermissionGrantDB(resource_uid=self.resources['inquiry_1'].get_uid(),
resource_type=ResourceType.INQUIRY,
permission_types=[PermissionType.INQUIRY_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_inquiry_view_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_inquiry_view_grant'] = role_db
# Custom role - "inquiry_respond" grant
grant_db = PermissionGrantDB(resource_uid=self.resources['inquiry_1'].get_uid(),
resource_type=ResourceType.INQUIRY,
permission_types=[PermissionType.INQUIRY_RESPOND])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_inquiry_respond_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_inquiry_respond_grant'] = role_db
# Custom role - "inquiry_all" grant
grant_db = PermissionGrantDB(resource_uid=self.resources['inquiry_1'].get_uid(),
resource_type=ResourceType.INQUIRY,
permission_types=[PermissionType.INQUIRY_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_inquiry_all_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_inquiry_all_grant'] = role_db
# Custom role - inheritance grant
grant_db = PermissionGrantDB(resource_uid=self.resources['wf'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_inquiry_inherit',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_inquiry_inherit'] = role_db
#####################################
# Create some mock role assignments #
#####################################
user_db = self.users['custom_role_inquiry_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_inquiry_list_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_inquiry_view_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_inquiry_view_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_inquiry_respond_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_inquiry_respond_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_inquiry_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_inquiry_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_inquiry_inherit']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_inquiry_inherit'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(BaseRuleControllerRBACTestCase, self).setUp()
self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'rule_with_webhook_trigger.yaml'
self.RULE_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'rules': [file_name]})['rules'][file_name]
file_name = 'rule_example_pack.yaml'
self.RULE_2 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'rules': [file_name]})['rules'][file_name]
file_name = 'rule_action_doesnt_exist.yaml'
self.RULE_3 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'rules': [file_name]})['rules'][file_name]
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='rule_create')
user_1_db = User.add_or_update(user_1_db)
self.users['rule_create'] = user_1_db
user_2_db = UserDB(name='rule_create_webhook_create')
user_2_db = User.add_or_update(user_2_db)
self.users['rule_create_webhook_create'] = user_2_db
user_3_db = UserDB(
name='rule_create_webhook_create_core_local_execute')
user_3_db = User.add_or_update(user_3_db)
self.users['rule_create_webhook_create_core_local_execute'] = user_3_db
user_4_db = UserDB(name='rule_create_1')
user_4_db = User.add_or_update(user_4_db)
self.users['rule_create_1'] = user_4_db
user_5_db = UserDB(name='user_two')
user_5_db = User.add_or_update(user_5_db)
self.users['user_two'] = user_5_db
user_6_db = UserDB(name='user_three')
user_6_db = User.add_or_update(user_6_db)
self.users['user_three'] = user_6_db
# Roles
# rule_create grant on parent pack
grant_db = PermissionGrantDB(
resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='rule_create',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['rule_create'] = role_1_db
# rule_create grant on parent pack, webhook_create on webhook "sample"
grant_1_db = PermissionGrantDB(
resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_1_db = PermissionGrant.add_or_update(grant_1_db)
grant_2_db = PermissionGrantDB(
resource_uid='webhook:sample',
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_CREATE])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
permission_grants = [str(grant_1_db.id), str(grant_2_db.id)]
role_2_db = RoleDB(name='rule_create_webhook_create',
permission_grants=permission_grants)
role_2_db = Role.add_or_update(role_2_db)
self.roles['rule_create_webhook_create'] = role_2_db
# rule_create grant on parent pack, webhook_create on webhook "sample", action_execute on
# core.local
grant_1_db = PermissionGrantDB(
resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_1_db = PermissionGrant.add_or_update(grant_1_db)
grant_2_db = PermissionGrantDB(
resource_uid='webhook:sample',
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_CREATE])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
grant_3_db = PermissionGrantDB(
resource_uid='action:core:local',
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_3_db = PermissionGrant.add_or_update(grant_3_db)
permission_grants = [
str(grant_1_db.id),
str(grant_2_db.id),
str(grant_3_db.id)
]
role_3_db = RoleDB(
name='rule_create_webhook_create_core_local_execute',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['rule_create_webhook_create_core_local_execute'] = role_3_db
# rule_create, rule_list, webhook_create, action_execute on parent pack
grant_6_db = PermissionGrantDB(
resource_uid='pack:examples',
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_LIST])
grant_6_db = PermissionGrant.add_or_update(grant_6_db)
permission_grants = [
str(grant_1_db.id),
str(grant_2_db.id),
str(grant_3_db.id),
str(grant_6_db.id)
]
role_5_db = RoleDB(
name='rule_create_list_webhook_create_core_local_execute',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles[
'rule_create_list_webhook_create_core_local_execute'] = role_5_db
# rule_create grant on parent pack, webhook_create on webhook "sample", action_execute on
# examples and wolfpack
grant_1_db = PermissionGrantDB(
resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_1_db = PermissionGrant.add_or_update(grant_1_db)
grant_2_db = PermissionGrantDB(
resource_uid='webhook:sample',
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_CREATE])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
grant_3_db = PermissionGrantDB(
resource_uid='pack:wolfpack',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALL])
grant_3_db = PermissionGrant.add_or_update(grant_3_db)
grant_4_db = PermissionGrantDB(
resource_uid=None,
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_LIST])
grant_4_db = PermissionGrant.add_or_update(grant_4_db)
grant_5_db = PermissionGrantDB(
resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALL])
grant_5_db = PermissionGrant.add_or_update(grant_5_db)
permission_grants = [
str(grant_1_db.id),
str(grant_2_db.id),
str(grant_3_db.id),
str(grant_4_db.id),
str(grant_5_db.id)
]
role_4_db = RoleDB(name='rule_create_webhook_create_action_execute',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['rule_create_webhook_create_action_execute'] = role_4_db
# Role assignments
user_db = self.users['rule_create']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_create'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_create_webhook_create']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_create_webhook_create'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_create_webhook_create_core_local_execute']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_create_webhook_create_core_local_execute'].
name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_create_1']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_create_webhook_create_action_execute'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['user_two']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role='rule_create_list_webhook_create_core_local_execute',
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['user_three']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role='rule_create_list_webhook_create_core_local_execute',
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ActionExecutionRBACControllerTestCase, self).setUp()
runners_registrar.register_runners()
self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='multiple_roles')
user_1_db = User.add_or_update(user_1_db)
self.users['multiple_roles'] = user_1_db
user_2_db = UserDB(name='user_two')
user_2_db = User.add_or_update(user_2_db)
self.users['user_two'] = user_2_db
user_3_db = UserDB(name='user_three')
user_3_db = User.add_or_update(user_3_db)
self.users['user_three'] = user_3_db
# Roles
roles = ['role_1', 'role_2', 'role_3']
for role in roles:
role_db = RoleDB(name=role)
Role.add_or_update(role_db)
# action_execute, execution_list on parent pack
# action_view on parent pack
grant_1_db = PermissionGrantDB(resource_uid='pack:wolfpack',
resource_type=ResourceType.PACK,
permission_types=[
PermissionType.ACTION_EXECUTE,
PermissionType.ACTION_VIEW
])
grant_1_db = PermissionGrant.add_or_update(grant_1_db)
grant_2_db = PermissionGrantDB(
resource_uid=None,
resource_type=ResourceType.EXECUTION,
permission_types=[PermissionType.EXECUTION_LIST])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
permission_grants = [str(grant_1_db.id), str(grant_2_db.id)]
role_1_db = RoleDB(name='role_4', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['role_4'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=user_1_db.name,
role='admin',
source='assignments/%s.yaml' % user_1_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
for role in roles:
role_assignment_db = UserRoleAssignmentDB(
user=user_1_db.name,
role=role,
source='assignments/%s.yaml' % user_1_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=user_2_db.name,
role='role_4',
source='assignments/%s.yaml' % user_2_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=user_3_db.name,
role='role_4',
source='assignments/%s.yaml' % user_2_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(RuleEnforcementPermissionsResolverTestCase, self).setUp()
register_internal_trigger_types()
# Create some mock users
user_1_db = UserDB(name='1_role_rule_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_rule_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_rule_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_rule_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_rule_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_rule_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_rule_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_rule_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_rule_modify_grant'] = user_5_db
user_6_db = UserDB(name='rule_pack_rule_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['rule_pack_rule_create_grant'] = user_6_db
user_7_db = UserDB(name='rule_pack_rule_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['rule_pack_rule_all_grant'] = user_7_db
user_8_db = UserDB(name='rule_rule_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['rule_rule_create_grant'] = user_8_db
user_9_db = UserDB(name='rule_rule_all_grant')
user_9_db = User.add_or_update(user_9_db)
self.users['rule_rule_all_grant'] = user_9_db
user_10_db = UserDB(name='custom_role_rule_list_grant')
user_10_db = User.add_or_update(user_10_db)
self.users['custom_role_rule_list_grant'] = user_10_db
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test_pack_1', name='rule1', action={'ref': 'core.local'},
trigger='core.st2.key_value_pair.create')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
rule_enforcement_1_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={'ref': rule_1_db.ref,
'uid': rule_1_db.uid,
'id': str(rule_1_db.id)})
rule_enforcement_1_db = RuleEnforcement.add_or_update(rule_enforcement_1_db)
self.resources['rule_enforcement_1'] = rule_enforcement_1_db
rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
rule_2_db = Rule.add_or_update(rule_2_db)
self.resources['rule_2'] = rule_2_db
rule_enforcement_2_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={'ref': rule_2_db.ref,
'uid': rule_2_db.uid,
'id': str(rule_2_db.id)})
rule_enforcement_2_db = RuleEnforcement.add_or_update(rule_enforcement_2_db)
self.resources['rule_enforcement_2'] = rule_enforcement_2_db
rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
rule_3_db = Rule.add_or_update(rule_3_db)
self.resources['rule_3'] = rule_3_db
rule_enforcement_3_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
execution_id=str(bson.ObjectId()),
rule={'ref': rule_3_db.ref,
'uid': rule_3_db.uid,
'id': str(rule_3_db.id)})
rule_enforcement_3_db = RuleEnforcement.add_or_update(rule_enforcement_3_db)
self.resources['rule_enforcement_3'] = rule_enforcement_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "rule_view" on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_rule_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_rule_pack_grant'] = role_3_db
# Custom role 4 - one grant on rule
# "rule_view on rule_3
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_3'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_grant'] = role_4_db
# Custom role - "rule_all" grant on a parent rule pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_rule_all_grant'] = role_4_db
# Custom role - "rule_all" grant on a rule
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_all_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_all_grant'] = role_4_db
# Custom role - "rule_modify" on role_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_rule_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_rule_modify_grant'] = role_5_db
# Custom role - "rule_create" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='rule_pack_rule_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['rule_pack_rule_create_grant'] = role_6_db
# Custom role - "rule_all" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='rule_pack_rule_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['rule_pack_rule_all_grant'] = role_7_db
# Custom role - "rule_create" grant on rule_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='rule_rule_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['rule_rule_create_grant'] = role_8_db
# Custom role - "rule_all" grant on rule_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_9_db = RoleDB(name='rule_rule_all_grant',
permission_grants=permission_grants)
role_9_db = Role.add_or_update(role_9_db)
self.roles['rule_rule_all_grant'] = role_9_db
# Custom role - "rule_list" grant
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=None,
permission_types=[PermissionType.RULE_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_10_db = RoleDB(name='custom_role_rule_list_grant',
permission_grants=permission_grants)
role_10_db = Role.add_or_update(role_10_db)
self.roles['custom_role_rule_list_grant'] = role_10_db
# Create some mock role assignments
user_db = self.users['custom_role_rule_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_pack_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_grant']
role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
role=self.roles['custom_role_rule_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_modify_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_list_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUpClass(cls):
super(RuleControllerRBACTestCase, cls).setUpClass()
cls.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'rule_with_webhook_trigger.yaml'
RuleControllerRBACTestCase.RULE_1 = cls.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'rules': [file_name]})['rules'][file_name]
file_name = 'rule1.yaml'
RuleControllerRBACTestCase.RULE_2 = cls.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'rules': [file_name]})['rules'][file_name]
# Insert mock users, roles and assignments
self = cls
cls.users = {}
cls.roles = {}
# Users
user_1_db = UserDB(name='rule_create')
user_1_db = User.add_or_update(user_1_db)
self.users['rule_create'] = user_1_db
user_2_db = UserDB(name='rule_create_webhook_create')
user_2_db = User.add_or_update(user_2_db)
self.users['rule_create_webhook_create'] = user_2_db
user_3_db = UserDB(
name='rule_create_webhook_create_core_local_execute')
user_3_db = User.add_or_update(user_3_db)
self.users['rule_create_webhook_create_core_local_execute'] = user_3_db
# Roles
# rule_create grant on parent pack
grant_db = PermissionGrantDB(
resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='rule_create',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['rule_create'] = role_1_db
# rule_create grant on parent pack, webhook_create on webhook "sample"
grant_1_db = PermissionGrantDB(
resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_1_db = PermissionGrant.add_or_update(grant_1_db)
grant_2_db = PermissionGrantDB(
resource_uid='webhook:sample',
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_CREATE])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
permission_grants = [str(grant_1_db.id), str(grant_2_db.id)]
role_2_db = RoleDB(name='rule_create_webhook_create',
permission_grants=permission_grants)
role_2_db = Role.add_or_update(role_2_db)
self.roles['rule_create_webhook_create'] = role_2_db
# rule_create grant on parent pack, webhook_create on webhook "sample", action_execute on
# core.local
grant_1_db = PermissionGrantDB(
resource_uid='pack:examples',
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_1_db = PermissionGrant.add_or_update(grant_1_db)
grant_2_db = PermissionGrantDB(
resource_uid='webhook:sample',
resource_type=ResourceType.WEBHOOK,
permission_types=[PermissionType.WEBHOOK_CREATE])
grant_2_db = PermissionGrant.add_or_update(grant_2_db)
grant_3_db = PermissionGrantDB(
resource_uid='action:core:local',
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_3_db = PermissionGrant.add_or_update(grant_3_db)
permission_grants = [
str(grant_1_db.id),
str(grant_2_db.id),
str(grant_3_db.id)
]
role_3_db = RoleDB(
name='rule_create_webhook_create_core_local_execute',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['rule_create_webhook_create_core_local_execute'] = role_3_db
# Role assignments
user_db = self.users['rule_create']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['rule_create'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_create_webhook_create']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_create_webhook_create'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_create_webhook_create_core_local_execute']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_create_webhook_create_core_local_execute'].
name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(TimerControllerRBACTestCase, self).setUp()
self.models = self.fixtures_loader.save_fixtures_to_db(
fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES)
file_name = 'cron1.yaml'
TimerControllerRBACTestCase.TRIGGER_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'triggers': [file_name]})['triggers'][file_name]
file_name = 'date1.yaml'
TimerControllerRBACTestCase.TRIGGER_2 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'triggers': [file_name]})['triggers'][file_name]
file_name = 'interval1.yaml'
TimerControllerRBACTestCase.TRIGGER_3 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'triggers': [file_name]})['triggers'][file_name]
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='timer_list')
user_1_db = User.add_or_update(user_1_db)
self.users['timer_list'] = user_1_db
user_2_db = UserDB(name='timer_view')
user_2_db = User.add_or_update(user_2_db)
self.users['timer_view'] = user_2_db
# Roles
# timer_list
grant_db = PermissionGrantDB(
resource_uid=None,
resource_type=ResourceType.TIMER,
permission_types=[PermissionType.TIMER_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='timer_list',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['timer_list'] = role_1_db
# timer_View on timer 1
trigger_db = self.models['triggers']['cron1.yaml']
timer_uid = TimerDB(name=trigger_db.name,
pack=trigger_db.pack).get_uid()
grant_db = PermissionGrantDB(
resource_uid=timer_uid,
resource_type=ResourceType.TIMER,
permission_types=[PermissionType.TIMER_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='timer_view',
permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['timer_view'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['timer_list'].name,
role=self.roles['timer_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['timer_view'].name,
role=self.roles['timer_view'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ActionPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='1_role_action_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_action_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_action_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_action_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_action_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_action_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_action_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_action_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_action_execute_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_action_execute_grant'] = user_5_db
user_6_db = UserDB(name='action_pack_action_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['action_pack_action_create_grant'] = user_6_db
user_7_db = UserDB(name='action_pack_action_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['action_pack_action_all_grant'] = user_7_db
user_8_db = UserDB(name='action_action_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['action_action_create_grant'] = user_8_db
user_9_db = UserDB(name='action_action_all_grant')
user_9_db = User.add_or_update(user_9_db)
self.users['action_action_all_grant'] = user_9_db
user_10_db = UserDB(name='custom_role_action_list_grant')
user_10_db = User.add_or_update(user_10_db)
self.users['custom_role_action_list_grant'] = user_10_db
# Create some mock resources on which permissions can be granted
action_1_db = ActionDB(pack='test_pack_1', name='action1', entry_point='',
runner_type={'name': 'run-local'})
action_1_db = Action.add_or_update(action_1_db)
self.resources['action_1'] = action_1_db
action_2_db = ActionDB(pack='test_pack_1', name='action2', entry_point='',
runner_type={'name': 'run-local'})
action_2_db = Action.add_or_update(action_1_db)
self.resources['action_2'] = action_2_db
action_3_db = ActionDB(pack='test_pack_2', name='action3', entry_point='',
runner_type={'name': 'run-local'})
action_3_db = Action.add_or_update(action_3_db)
self.resources['action_3'] = action_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "action_view" on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_action_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_action_pack_grant'] = role_3_db
# Custom role 4 - one grant on action
# "action_view" on action_3
grant_db = PermissionGrantDB(resource_uid=self.resources['action_3'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_action_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_action_grant'] = role_4_db
# Custom role - "action_all" grant on a parent action pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_action_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_action_all_grant'] = role_4_db
# Custom role - "action_all" grant on action
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_action_all_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_action_all_grant'] = role_4_db
# Custom role - "action_execute" on action_1
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_action_execute_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_action_execute_grant'] = role_5_db
# Custom role - "action_create" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='action_pack_action_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['action_pack_action_create_grant'] = role_6_db
# Custom role - "action_all" grant on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='action_pack_action_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['action_pack_action_all_grant'] = role_7_db
# Custom role - "action_create" grant on action_1
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='action_action_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['action_action_create_grant'] = role_8_db
# Custom role - "action_all" grant on action_1
grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_9_db = RoleDB(name='action_action_all_grant',
permission_grants=permission_grants)
role_9_db = Role.add_or_update(role_9_db)
self.roles['action_action_all_grant'] = role_9_db
# Custom role - "action_list" grant
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=None,
permission_types=[PermissionType.ACTION_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_10_db = RoleDB(name='custom_role_action_list_grant',
permission_grants=permission_grants)
role_10_db = Role.add_or_update(role_10_db)
self.roles['custom_role_action_list_grant'] = role_10_db
# Create some mock role assignments
user_db = self.users['custom_role_action_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_action_pack_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_action_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_pack_action_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_action_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_execute_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_action_execute_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['action_pack_action_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['action_pack_action_create_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['action_pack_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['action_pack_action_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['action_action_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['action_action_create_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['action_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['action_action_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_action_list_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(TimerControllerRBACTestCase, self).setUp()
self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'cron1.yaml'
TimerControllerRBACTestCase.TRIGGER_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'triggers': [file_name]})['triggers'][file_name]
file_name = 'date1.yaml'
TimerControllerRBACTestCase.TRIGGER_2 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'triggers': [file_name]})['triggers'][file_name]
file_name = 'interval1.yaml'
TimerControllerRBACTestCase.TRIGGER_3 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'triggers': [file_name]})['triggers'][file_name]
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='timer_list')
user_1_db = User.add_or_update(user_1_db)
self.users['timer_list'] = user_1_db
user_2_db = UserDB(name='timer_view')
user_2_db = User.add_or_update(user_2_db)
self.users['timer_view'] = user_2_db
# Roles
# timer_list
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=ResourceType.TIMER,
permission_types=[PermissionType.TIMER_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='timer_list', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['timer_list'] = role_1_db
# timer_View on timer 1
trigger_db = self.models['triggers']['cron1.yaml']
timer_uid = TimerDB(name=trigger_db.name, pack=trigger_db.pack).get_uid()
grant_db = PermissionGrantDB(resource_uid=timer_uid,
resource_type=ResourceType.TIMER,
permission_types=[PermissionType.TIMER_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='timer_view', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['timer_view'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['timer_list'].name,
role=self.roles['timer_list'].name,
source='assignments/%s.yaml' % self.users['timer_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['timer_view'].name,
role=self.roles['timer_view'].name,
source='assignments/%s.yaml' % self.users['timer_view'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(RulePermissionsResolverTestCase, self).setUp()
# Register internal triggers - this is needed so we can reference an internal trigger
# inside a mock rule
register_internal_trigger_types()
# Create some mock users
user_1_db = UserDB(name='1_role_rule_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_rule_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_rule_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_rule_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_rule_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_rule_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_rule_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_rule_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_rule_modify_grant'] = user_5_db
user_6_db = UserDB(name='rule_pack_rule_create_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['rule_pack_rule_create_grant'] = user_6_db
user_7_db = UserDB(name='rule_pack_rule_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['rule_pack_rule_all_grant'] = user_7_db
user_8_db = UserDB(name='rule_rule_create_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['rule_rule_create_grant'] = user_8_db
user_9_db = UserDB(name='rule_rule_all_grant')
user_9_db = User.add_or_update(user_9_db)
self.users['rule_rule_all_grant'] = user_9_db
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test_pack_1',
name='rule1',
action={'ref': 'core.local'},
trigger='core.st2.key_value_pair.create')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
rule_2_db = Rule.add_or_update(rule_2_db)
self.resources['rule_2'] = rule_2_db
rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
rule_3_db = Rule.add_or_update(rule_3_db)
self.resources['rule_3'] = rule_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "rule_view" on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_rule_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_rule_pack_grant'] = role_3_db
# Custom role 4 - one grant on rule
# "rule_view on rule_3
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_3'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_grant'] = role_4_db
# Custom role - "rule_all" grant on a parent rule pack
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_rule_all_grant'] = role_4_db
# Custom role - "rule_all" grant on a rule
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_all_grant'] = role_4_db
# Custom role - "rule_modify" on role_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_rule_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_rule_modify_grant'] = role_5_db
# Custom role - "rule_create" grant on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_6_db = RoleDB(name='rule_pack_rule_create_grant',
permission_grants=permission_grants)
role_6_db = Role.add_or_update(role_6_db)
self.roles['rule_pack_rule_create_grant'] = role_6_db
# Custom role - "rule_all" grant on pack_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_7_db = RoleDB(name='rule_pack_rule_all_grant',
permission_grants=permission_grants)
role_7_db = Role.add_or_update(role_7_db)
self.roles['rule_pack_rule_all_grant'] = role_7_db
# Custom role - "rule_create" grant on rule_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_8_db = RoleDB(name='rule_rule_create_grant',
permission_grants=permission_grants)
role_8_db = Role.add_or_update(role_8_db)
self.roles['rule_rule_create_grant'] = role_8_db
# Custom role - "rule_all" grant on rule_1
grant_db = PermissionGrantDB(
resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_9_db = RoleDB(name='rule_rule_all_grant',
permission_grants=permission_grants)
role_9_db = Role.add_or_update(role_9_db)
self.roles['rule_rule_all_grant'] = role_9_db
# Create some mock role assignments
user_db = self.users['custom_role_rule_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_pack_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['custom_role_rule_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_modify_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['rule_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_create_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['rule_rule_create_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['rule_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name, role=self.roles['rule_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(RulePermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='1_role_rule_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_rule_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_rule_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_rule_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_rule_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_rule_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_rule_all_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_rule_modify_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_rule_modify_grant'] = user_5_db
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test_pack_1', name='rule1')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
rule_2_db = Rule.add_or_update(rule_2_db)
self.resources['rule_2'] = rule_2_db
rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
rule_3_db = Rule.add_or_update(rule_3_db)
self.resources['rule_3'] = rule_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "rule_view" on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_rule_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_rule_pack_grant'] = role_3_db
# Custom role 4 - one grant on rule
# "rule_view on rule_3
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_3'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_grant'] = role_4_db
# Custom role - "rule_all" grant on a parent rule pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_rule_all_grant'] = role_4_db
# Custom role - "rule_all" grant on a rule
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_rule_all_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_rule_all_grant'] = role_4_db
# Custom role - "rule_modify" on role_1
grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
resource_type=ResourceType.RULE,
permission_types=[PermissionType.RULE_MODIFY])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_rule_modify_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_rule_modify_grant'] = role_5_db
# Create some mock role assignments
user_db = self.users['custom_role_rule_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_pack_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_grant']
role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
role=self.roles['custom_role_rule_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_rule_modify_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_rule_modify_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(RBACServicesTestCase, self).setUp()
# TODO: Share mocks
self.users = {}
self.roles = {}
self.resources = {}
# Create some mock users
user_1_db = UserDB(name='admin')
user_1_db = User.add_or_update(user_1_db)
self.users['admin'] = user_1_db
user_2_db = UserDB(name='observer')
user_2_db = User.add_or_update(user_2_db)
self.users['observer'] = user_2_db
user_3_db = UserDB(name='no_roles')
user_3_db = User.add_or_update(user_3_db)
self.users['no_roles'] = user_3_db
user_5_db = UserDB(name='user_5')
user_5_db = User.add_or_update(user_5_db)
self.users['user_5'] = user_5_db
user_4_db = UserDB(name='custom_role')
user_4_db = User.add_or_update(user_4_db)
self.users['1_custom_role'] = user_4_db
# Create some mock roles
role_1_db = rbac_services.create_role(name='custom_role_1')
role_2_db = rbac_services.create_role(name='custom_role_2',
description='custom role 2')
self.roles['custom_role_1'] = role_1_db
self.roles['custom_role_2'] = role_2_db
rbac_services.create_role(name='role_1')
rbac_services.create_role(name='role_2')
rbac_services.create_role(name='role_3')
rbac_services.create_role(name='role_4')
# Create some mock role assignments
role_assignment_1 = UserRoleAssignmentDB(
user=self.users['1_custom_role'].name,
role=self.roles['custom_role_1'].name,
source='assignments/%s.yaml' % self.users['1_custom_role'].name)
role_assignment_1 = UserRoleAssignment.add_or_update(role_assignment_1)
# Note: User use pymongo to insert mock data because we want to insert a
# raw document and skip mongoengine to leave is_remote field unpopulated
client = MongoClient()
db = client['st2-test']
db.user_role_assignment_d_b.insert_one({
'user': '******',
'role': 'role_1'
})
db.user_role_assignment_d_b.insert_one({
'user': '******',
'role': 'role_2'
})
db.user_role_assignment_d_b.insert_one({
'user': '******',
'role': 'role_3',
'is_remote': False
})
db.user_role_assignment_d_b.insert_one({
'user': '******',
'role': 'role_4',
'is_remote': True
})
# Create some mock resources on which permissions can be granted
rule_1_db = RuleDB(pack='test1', name='rule1', ref='test1.rule1')
rule_1_db = Rule.add_or_update(rule_1_db)
self.resources['rule_1'] = rule_1_db
def setUp(self):
super(APIControllersRBACTestCase, self).setUp()
self.role_assignment_db_model = UserRoleAssignmentDB(
user='******', role='role', source='assignments/user.yaml')
UserRoleAssignment.add_or_update(self.role_assignment_db_model)
def setUp(self):
super(TraceControllerRBACTestCase, self).setUp()
self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'trace_for_test_enforce.yaml'
TraceControllerRBACTestCase.TRACE_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'traces': [file_name]})['traces'][file_name]
file_name = 'trace_for_test_enforce_2.yaml'
TraceControllerRBACTestCase.TRACE_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'traces': [file_name]})['traces'][file_name]
file_name = 'trace_for_test_enforce_3.yaml'
TraceControllerRBACTestCase.TRACE_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'traces': [file_name]})['traces'][file_name]
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='trace_list')
user_1_db = User.add_or_update(user_1_db)
self.users['trace_list'] = user_1_db
user_2_db = UserDB(name='trace_view')
user_2_db = User.add_or_update(user_2_db)
self.users['trace_view'] = user_2_db
# Roles
# trace_list
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=ResourceType.TRACE,
permission_types=[PermissionType.TRACE_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='trace_list', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['trace_list'] = role_1_db
# trace_view on trace 1
trace_uid = self.models['traces']['trace_for_test_enforce.yaml'].get_uid()
grant_db = PermissionGrantDB(resource_uid=trace_uid,
resource_type=ResourceType.TRACE,
permission_types=[PermissionType.TRACE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='trace_view', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['trace_view'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['trace_list'].name,
role=self.roles['trace_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['trace_view'].name,
role=self.roles['trace_view'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ApiKeyControllerRBACTestCase, self).setUp()
self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
fixtures_dict=TEST_FIXTURES)
file_name = 'apikey1.yaml'
ApiKeyControllerRBACTestCase.API_KEY_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'apikeys': [file_name]})['apikeys'][file_name]
file_name = 'apikey2.yaml'
ApiKeyControllerRBACTestCase.API_KEY_1 = self.fixtures_loader.load_fixtures(
fixtures_pack=FIXTURES_PACK,
fixtures_dict={'apikeys': [file_name]})['apikeys'][file_name]
# Insert mock users, roles and assignments
# Users
user_1_db = UserDB(name='api_key_list')
user_1_db = User.add_or_update(user_1_db)
self.users['api_key_list'] = user_1_db
user_2_db = UserDB(name='api_key_view')
user_2_db = User.add_or_update(user_2_db)
self.users['api_key_view'] = user_2_db
user_3_db = UserDB(name='api_key_create')
user_3_db = User.add_or_update(user_3_db)
self.users['api_key_create'] = user_3_db
# Roles
# api_key_list
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=ResourceType.API_KEY,
permission_types=[PermissionType.API_KEY_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='api_key_list', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['api_key_list'] = role_1_db
# api_key_view on apikey1
api_key_uid = self.models['apikeys']['apikey1.yaml'].get_uid()
grant_db = PermissionGrantDB(resource_uid=api_key_uid,
resource_type=ResourceType.API_KEY,
permission_types=[PermissionType.API_KEY_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='api_key_view', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['api_key_view'] = role_1_db
# api_key_list
grant_db = PermissionGrantDB(resource_uid=None,
resource_type=ResourceType.API_KEY,
permission_types=[PermissionType.API_KEY_CREATE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_1_db = RoleDB(name='api_key_create', permission_grants=permission_grants)
role_1_db = Role.add_or_update(role_1_db)
self.roles['api_key_create'] = role_1_db
# Role assignments
role_assignment_db = UserRoleAssignmentDB(
user=self.users['api_key_list'].name,
role=self.roles['api_key_list'].name,
source='assignments/%s.yaml' % self.users['api_key_list'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['api_key_view'].name,
role=self.roles['api_key_view'].name,
source='assignments/%s.yaml' % self.users['api_key_view'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
role_assignment_db = UserRoleAssignmentDB(
user=self.users['api_key_create'].name,
role=self.roles['api_key_create'].name,
source='assignments/%s.yaml' % self.users['api_key_create'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(ExecutionPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='custom_role_unrelated_pack_action_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_unrelated_pack_action_grant'] = user_1_db
user_2_db = UserDB(
name='custom_role_pack_action_grant_unrelated_permission')
user_2_db = User.add_or_update(user_2_db)
self.users[
'custom_role_pack_action_grant_unrelated_permission'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_action_view_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_action_view_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_action_view_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_action_view_grant'] = user_4_db
user_5_db = UserDB(name='custom_role_pack_action_execute_grant')
user_5_db = User.add_or_update(user_5_db)
self.users['custom_role_pack_action_execute_grant'] = user_5_db
user_6_db = UserDB(name='custom_role_action_execute_grant')
user_6_db = User.add_or_update(user_6_db)
self.users['custom_role_action_execute_grant'] = user_6_db
user_7_db = UserDB(name='custom_role_pack_action_all_grant')
user_7_db = User.add_or_update(user_7_db)
self.users['custom_role_pack_action_all_grant'] = user_7_db
user_8_db = UserDB(name='custom_role_action_all_grant')
user_8_db = User.add_or_update(user_8_db)
self.users['custom_role_action_all_grant'] = user_8_db
user_9_db = UserDB(name='custom_role_execution_list_grant')
user_9_db = User.add_or_update(user_5_db)
self.users['custom_role_execution_list_grant'] = user_9_db
# Create some mock resources on which permissions can be granted
action_1_db = ActionDB(pack='test_pack_2',
name='action1',
entry_point='',
runner_type={'name': 'run-local'})
action_1_db = Action.add_or_update(action_1_db)
self.resources['action_1'] = action_1_db
runner = {'name': 'run-python'}
liveaction = {'action': 'test_pack_2.action1'}
status = action_constants.LIVEACTION_STATUS_REQUESTED
action = {'uid': action_1_db.get_uid(), 'pack': 'test_pack_2'}
exec_1_db = ActionExecutionDB(action=action,
runner=runner,
liveaction=liveaction,
status=status)
exec_1_db = ActionExecution.add_or_update(exec_1_db)
self.resources['exec_1'] = exec_1_db
# Create some mock roles with associated permission grants
# Custom role - one grant to an unrelated pack
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_unrelated_pack_action_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_unrelated_pack_action_grant'] = role_db
# Custom role - one grant of unrelated permission type to parent action pack
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_2'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.RULE_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(
name='custom_role_pack_action_grant_unrelated_permission',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles[
'custom_role_pack_action_grant_unrelated_permission'] = role_db
# Custom role - one grant of "action_view" to the parent pack of the action the execution
# belongs to
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_2'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_pack_action_view_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_pack_action_view_grant'] = role_db
# Custom role - one grant of "action_view" to the action the execution belongs to
grant_db = PermissionGrantDB(
resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_action_view_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_action_view_grant'] = role_db
# Custom role - one grant of "action_execute" to the parent pack of the action the
# execution belongs to
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_2'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_pack_action_execute_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_pack_action_execute_grant'] = role_db
# Custom role - one grant of "action_execute" to the the action the execution belongs to
grant_db = PermissionGrantDB(
resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_EXECUTE])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_db = RoleDB(name='custom_role_action_execute_grant',
permission_grants=permission_grants)
role_db = Role.add_or_update(role_db)
self.roles['custom_role_action_execute_grant'] = role_db
# Custom role - "action_all" grant on a parent action pack the execution belongs to
grant_db = PermissionGrantDB(
resource_uid=self.resources['pack_2'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_action_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_action_all_grant'] = role_4_db
# Custom role - "action_all" grant on action the execution belongs to
grant_db = PermissionGrantDB(
resource_uid=self.resources['action_1'].get_uid(),
resource_type=ResourceType.ACTION,
permission_types=[PermissionType.ACTION_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_action_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_action_all_grant'] = role_4_db
# Custom role - "execution_list" grant
grant_db = PermissionGrantDB(
resource_uid=None,
resource_type=None,
permission_types=[PermissionType.EXECUTION_LIST])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_5_db = RoleDB(name='custom_role_execution_list_grant',
permission_grants=permission_grants)
role_5_db = Role.add_or_update(role_5_db)
self.roles['custom_role_execution_list_grant'] = role_5_db
# Create some mock role assignments
user_db = self.users['custom_role_unrelated_pack_action_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_unrelated_pack_action_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users[
'custom_role_pack_action_grant_unrelated_permission']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.
roles['custom_role_pack_action_grant_unrelated_permission'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_action_view_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_action_view_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_view_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_action_view_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_action_execute_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_action_execute_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_execute_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_action_execute_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_action_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_action_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_action_all_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_execution_list_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_execution_list_grant'].name,
source='assignments/%s.yaml' % user_db.name)
UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self):
super(SensorPermissionsResolverTestCase, self).setUp()
# Create some mock users
user_1_db = UserDB(name='1_role_sensor_pack_grant')
user_1_db = User.add_or_update(user_1_db)
self.users['custom_role_sensor_pack_grant'] = user_1_db
user_2_db = UserDB(name='1_role_sensor_grant')
user_2_db = User.add_or_update(user_2_db)
self.users['custom_role_sensor_grant'] = user_2_db
user_3_db = UserDB(name='custom_role_pack_sensor_all_grant')
user_3_db = User.add_or_update(user_3_db)
self.users['custom_role_pack_sensor_all_grant'] = user_3_db
user_4_db = UserDB(name='custom_role_sensor_all_grant')
user_4_db = User.add_or_update(user_4_db)
self.users['custom_role_sensor_all_grant'] = user_4_db
# Create some mock resources on which permissions can be granted
sensor_1_db = SensorTypeDB(pack='test_pack_1', name='sensor1')
sensor_1_db = SensorType.add_or_update(sensor_1_db)
self.resources['sensor_1'] = sensor_1_db
sensor_2_db = SensorTypeDB(pack='test_pack_1', name='sensor2')
sensor_2_db = SensorType.add_or_update(sensor_2_db)
self.resources['sensor_2'] = sensor_2_db
sensor_3_db = SensorTypeDB(pack='test_pack_2', name='sensor3')
sensor_3_db = SensorType.add_or_update(sensor_3_db)
self.resources['sensor_3'] = sensor_3_db
# Create some mock roles with associated permission grants
# Custom role 2 - one grant on parent pack
# "sensor_view" on pack_1
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.SENSOR_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_3_db = RoleDB(name='custom_role_sensor_pack_grant',
permission_grants=permission_grants)
role_3_db = Role.add_or_update(role_3_db)
self.roles['custom_role_sensor_pack_grant'] = role_3_db
# Custom role 4 - one grant on pack
# "sensor_view on sensor_3
grant_db = PermissionGrantDB(resource_uid=self.resources['sensor_3'].get_uid(),
resource_type=ResourceType.SENSOR,
permission_types=[PermissionType.SENSOR_VIEW])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_sensor_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_sensor_grant'] = role_4_db
# Custom role - "sensor_all" grant on a parent sensor pack
grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
resource_type=ResourceType.PACK,
permission_types=[PermissionType.SENSOR_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_pack_sensor_all_grant',
permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_pack_sensor_all_grant'] = role_4_db
# Custom role - "sensor_all" grant on a sensor
grant_db = PermissionGrantDB(resource_uid=self.resources['sensor_1'].get_uid(),
resource_type=ResourceType.SENSOR,
permission_types=[PermissionType.SENSOR_ALL])
grant_db = PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
role_4_db = RoleDB(name='custom_role_sensor_all_grant', permission_grants=permission_grants)
role_4_db = Role.add_or_update(role_4_db)
self.roles['custom_role_sensor_all_grant'] = role_4_db
# Create some mock role assignments
user_db = self.users['custom_role_sensor_pack_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_sensor_pack_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_sensor_grant']
role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
role=self.roles['custom_role_sensor_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_pack_sensor_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_pack_sensor_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
user_db = self.users['custom_role_sensor_all_grant']
role_assignment_db = UserRoleAssignmentDB(
user=user_db.name,
role=self.roles['custom_role_sensor_all_grant'].name)
UserRoleAssignment.add_or_update(role_assignment_db)
