def test_user_has_permission_for_object_supports_brewtils_models(
self,
test_garden,
test_system_1_0_0,
user_with_role_assignments,
):
"""user_has_permission_for_object returns the appropriate results for brewtils
model objects"""
brewtils_garden = to_brewtils(test_garden)
brewtils_system = to_brewtils(test_system_1_0_0)
assert user_has_permission_for_object(
user_with_role_assignments, "garden:read", brewtils_garden
)
assert user_has_permission_for_object(
user_with_role_assignments, "request:create", brewtils_system
)
user_with_role_assignments.role_assignments = []
user_with_role_assignments.clear_permissions_cache()
assert not user_has_permission_for_object(
user_with_role_assignments, "garden:read", brewtils_garden
)
assert not user_has_permission_for_object(
user_with_role_assignments, "system:read", brewtils_system
)
def test_user_has_permission_for_object_raises_error_for_unsupported_type(
self, user_with_role_assignments
):
"""user_has_permission_for_object raises TypeError if an unsupported object
type is passed in"""
with pytest.raises(TypeError):
user_has_permission_for_object(
user_with_role_assignments, "garden:read", []
)
def test_user_has_permission_for_object_returns_true_when_permitted(
self, test_garden, test_system_1_0_0, user_with_role_assignments
):
"""user_has_permission_for_object should return true for a permission and object
for which they have a corresponding role_assignment
"""
assert user_has_permission_for_object(
user_with_role_assignments, "garden:read", test_garden
)
assert user_has_permission_for_object(
user_with_role_assignments, "request:read", test_system_1_0_0
)
def test_user_has_permission_for_object_request_through_user(
self,
test_request,
):
"""user_has_permission_for_object returns true for a System in which the
user has Garden level access for the required permission
"""
# Set the requester of the request to be our "owner" test user
owner = User(username="******")
test_request.requester = owner.username
test_request.save()
assert user_has_permission_for_object(
owner, OBJECT_OWNER_PERMISSIONS[0], test_request
)
assert not user_has_permission_for_object(owner, "noaccess", test_request)
def test_user_has_permission_for_object_when_lacking_specified_permission(
self,
test_garden,
test_system_1_0_0,
user_with_role_assignments,
):
"""user_has_permission_for_object should return false for a permission and
object for which they have no role_assignment granting the specified permission
"""
assert not user_has_permission_for_object(
user_with_role_assignments, "unassigned_permission", test_garden
)
assert not user_has_permission_for_object(
user_with_role_assignments, "unassigned_permission", test_system_1_0_0
)
async def get(self, garden_name):
"""
---
summary: Retrieve a specific Garden
parameters:
- name: garden_name
in: path
required: true
description: Read specific Garden Information
type: string
responses:
200:
description: Garden with the given garden_name
schema:
$ref: '#/definitions/Garden'
404:
$ref: '#/definitions/404Error'
50x:
$ref: '#/definitions/50xError'
tags:
- Garden
"""
garden = self.get_or_raise(Garden, GARDEN_READ, name=garden_name)
if user_has_permission_for_object(self.current_user, GARDEN_UPDATE,
garden):
response = MongoParser.serialize(garden)
else:
response = GardenReadSchema().dumps(garden).data
self.set_header("Content-Type", "application/json; charset=UTF-8")
self.write(response)
async def get(self):
"""
---
summary: Retrieve a list of Gardens
responses:
200:
description: Garden with the given garden_name
schema:
type: array
items:
$ref: '#/definitions/Garden'
404:
$ref: '#/definitions/404Error'
50x:
$ref: '#/definitions/50xError'
tags:
- Garden
"""
permitted_gardens = self.permissioned_queryset(Garden, GARDEN_READ)
response_gardens = []
for garden in permitted_gardens.no_cache():
if user_has_permission_for_object(self.current_user, GARDEN_UPDATE,
garden):
response_gardens.append(MongoParser.serialize(garden))
else:
response_gardens.append(GardenReadSchema().dump(garden).data)
response = json.dumps(response_gardens)
self.set_header("Content-Type", "application/json; charset=UTF-8")
self.write(response)
def test_user_has_permission_for_object_returns_true_when_permitted_via_global(
self, test_garden, test_system_1_0_0, user_with_role_assignments
):
"""user_has_permission_for_object should return true for a permission and object
for which they have a corresponding role_assignment for the "Global" scope
"""
assert user_has_permission_for_object(
user_with_role_assignments, "garden:create", test_garden
)
def test_user_has_permission_for_object_when_having_no_permissions(
self,
test_garden,
test_system_1_0_0,
user_with_role_assignments,
):
"""user_has_permission_for_object should return false for a permission and
object for which they have no role_assignment granting any permission to the
object, not just the specified one
"""
user_with_role_assignments.role_assignments = []
user_with_role_assignments.clear_permissions_cache()
assert not user_has_permission_for_object(
user_with_role_assignments, "request:read", test_system_1_0_0
)
def _user_can_receive_messages_for_event(user: "******", event: "Event"):
"""Check a that a user has access to view the supplied event"""
user_permitted = True
# Event types that won't have a payload, but still require a permission check
# TODO: Really every event type ought to be included here
event_permission_map = {Events.USERS_IMPORTED.name: Permissions.GARDEN_UPDATE.value}
if event.payload and event.payload_type:
user_permitted = user_has_permission_for_object(
user, f"{event.payload_type.lower()}:read", event.payload
)
elif event.name in event_permission_map:
user_permitted = event_permission_map[event.name] in user.global_permissions
return user_permitted
def test_user_has_permission_for_object_request_through_system(
self,
role_assignment_for_system_scope,
test_request,
test_system_1_0_0,
user_with_role_assignments,
):
"""user_has_permission_for_object returns true for a System in which the
user has Garden level access for the required permission
"""
# Set the user's role assignments to be just the System scoped one
user_with_role_assignments.role_assignments = [role_assignment_for_system_scope]
user_with_role_assignments.clear_permissions_cache()
assert user_has_permission_for_object(
user_with_role_assignments, "request:create", test_request
)
def test_user_has_permission_for_object_system_through_garden(
self,
role_assignment_for_garden_scope,
test_garden,
test_system_1_0_0,
user_with_role_assignments,
):
"""user_has_permission_for_object returns true for a System in which the
user has Garden level access for the required permission
"""
# Set the user's role assignments to be just the Garden scoped one (i.e. no
# System scoped role assignments)
user_with_role_assignments.role_assignments = [role_assignment_for_garden_scope]
user_with_role_assignments.clear_permissions_cache()
assert user_has_permission_for_object(
user_with_role_assignments, "system:read", test_system_1_0_0
)
def verify_user_permission_for_object(
self, permission: str, obj: Union[Document,
BrewtilsModel]) -> None:
"""Verifies that the requesting user has the specified permission for the
given object.
Args:
permission: The permission to check against
obj: The object to check against. This can be either a brewtils model
or a mongoengine Document model.
Raises:
RequestForbidden: The user does not have the required object permissions
Returns:
None
"""
if not user_has_permission_for_object(self.current_user, permission,
obj):
raise RequestForbidden
