def test_user_has_permission_for_object_supports_brewtils_models( self, test_garden, test_system_1_0_0, user_with_role_assignments, ): """user_has_permission_for_object returns the appropriate results for brewtils model objects""" brewtils_garden = to_brewtils(test_garden) brewtils_system = to_brewtils(test_system_1_0_0) assert user_has_permission_for_object( user_with_role_assignments, "garden:read", brewtils_garden ) assert user_has_permission_for_object( user_with_role_assignments, "request:create", brewtils_system ) user_with_role_assignments.role_assignments = [] user_with_role_assignments.clear_permissions_cache() assert not user_has_permission_for_object( user_with_role_assignments, "garden:read", brewtils_garden ) assert not user_has_permission_for_object( user_with_role_assignments, "system:read", brewtils_system )
def test_user_has_permission_for_object_raises_error_for_unsupported_type( self, user_with_role_assignments ): """user_has_permission_for_object raises TypeError if an unsupported object type is passed in""" with pytest.raises(TypeError): user_has_permission_for_object( user_with_role_assignments, "garden:read", [] )
def test_user_has_permission_for_object_returns_true_when_permitted( self, test_garden, test_system_1_0_0, user_with_role_assignments ): """user_has_permission_for_object should return true for a permission and object for which they have a corresponding role_assignment """ assert user_has_permission_for_object( user_with_role_assignments, "garden:read", test_garden ) assert user_has_permission_for_object( user_with_role_assignments, "request:read", test_system_1_0_0 )
def test_user_has_permission_for_object_request_through_user( self, test_request, ): """user_has_permission_for_object returns true for a System in which the user has Garden level access for the required permission """ # Set the requester of the request to be our "owner" test user owner = User(username="******") test_request.requester = owner.username test_request.save() assert user_has_permission_for_object( owner, OBJECT_OWNER_PERMISSIONS[0], test_request ) assert not user_has_permission_for_object(owner, "noaccess", test_request)
def test_user_has_permission_for_object_when_lacking_specified_permission( self, test_garden, test_system_1_0_0, user_with_role_assignments, ): """user_has_permission_for_object should return false for a permission and object for which they have no role_assignment granting the specified permission """ assert not user_has_permission_for_object( user_with_role_assignments, "unassigned_permission", test_garden ) assert not user_has_permission_for_object( user_with_role_assignments, "unassigned_permission", test_system_1_0_0 )
async def get(self, garden_name): """ --- summary: Retrieve a specific Garden parameters: - name: garden_name in: path required: true description: Read specific Garden Information type: string responses: 200: description: Garden with the given garden_name schema: $ref: '#/definitions/Garden' 404: $ref: '#/definitions/404Error' 50x: $ref: '#/definitions/50xError' tags: - Garden """ garden = self.get_or_raise(Garden, GARDEN_READ, name=garden_name) if user_has_permission_for_object(self.current_user, GARDEN_UPDATE, garden): response = MongoParser.serialize(garden) else: response = GardenReadSchema().dumps(garden).data self.set_header("Content-Type", "application/json; charset=UTF-8") self.write(response)
async def get(self): """ --- summary: Retrieve a list of Gardens responses: 200: description: Garden with the given garden_name schema: type: array items: $ref: '#/definitions/Garden' 404: $ref: '#/definitions/404Error' 50x: $ref: '#/definitions/50xError' tags: - Garden """ permitted_gardens = self.permissioned_queryset(Garden, GARDEN_READ) response_gardens = [] for garden in permitted_gardens.no_cache(): if user_has_permission_for_object(self.current_user, GARDEN_UPDATE, garden): response_gardens.append(MongoParser.serialize(garden)) else: response_gardens.append(GardenReadSchema().dump(garden).data) response = json.dumps(response_gardens) self.set_header("Content-Type", "application/json; charset=UTF-8") self.write(response)
def test_user_has_permission_for_object_returns_true_when_permitted_via_global( self, test_garden, test_system_1_0_0, user_with_role_assignments ): """user_has_permission_for_object should return true for a permission and object for which they have a corresponding role_assignment for the "Global" scope """ assert user_has_permission_for_object( user_with_role_assignments, "garden:create", test_garden )
def test_user_has_permission_for_object_when_having_no_permissions( self, test_garden, test_system_1_0_0, user_with_role_assignments, ): """user_has_permission_for_object should return false for a permission and object for which they have no role_assignment granting any permission to the object, not just the specified one """ user_with_role_assignments.role_assignments = [] user_with_role_assignments.clear_permissions_cache() assert not user_has_permission_for_object( user_with_role_assignments, "request:read", test_system_1_0_0 )
def _user_can_receive_messages_for_event(user: "******", event: "Event"): """Check a that a user has access to view the supplied event""" user_permitted = True # Event types that won't have a payload, but still require a permission check # TODO: Really every event type ought to be included here event_permission_map = {Events.USERS_IMPORTED.name: Permissions.GARDEN_UPDATE.value} if event.payload and event.payload_type: user_permitted = user_has_permission_for_object( user, f"{event.payload_type.lower()}:read", event.payload ) elif event.name in event_permission_map: user_permitted = event_permission_map[event.name] in user.global_permissions return user_permitted
def test_user_has_permission_for_object_request_through_system( self, role_assignment_for_system_scope, test_request, test_system_1_0_0, user_with_role_assignments, ): """user_has_permission_for_object returns true for a System in which the user has Garden level access for the required permission """ # Set the user's role assignments to be just the System scoped one user_with_role_assignments.role_assignments = [role_assignment_for_system_scope] user_with_role_assignments.clear_permissions_cache() assert user_has_permission_for_object( user_with_role_assignments, "request:create", test_request )
def test_user_has_permission_for_object_system_through_garden( self, role_assignment_for_garden_scope, test_garden, test_system_1_0_0, user_with_role_assignments, ): """user_has_permission_for_object returns true for a System in which the user has Garden level access for the required permission """ # Set the user's role assignments to be just the Garden scoped one (i.e. no # System scoped role assignments) user_with_role_assignments.role_assignments = [role_assignment_for_garden_scope] user_with_role_assignments.clear_permissions_cache() assert user_has_permission_for_object( user_with_role_assignments, "system:read", test_system_1_0_0 )
def verify_user_permission_for_object( self, permission: str, obj: Union[Document, BrewtilsModel]) -> None: """Verifies that the requesting user has the specified permission for the given object. Args: permission: The permission to check against obj: The object to check against. This can be either a brewtils model or a mongoengine Document model. Raises: RequestForbidden: The user does not have the required object permissions Returns: None """ if not user_has_permission_for_object(self.current_user, permission, obj): raise RequestForbidden