def test_can_manage_private_dataset(self):
security_agent = GalaxyRBACAgent(self.model)
u_from, _, u_other = self._three_users("can_manage_dataset_ps")
h = self.model.History(name="History for Prevent Sharing", user=u_from)
d1 = self.model.HistoryDatasetAssociation(extension="txt", history=h, create_dataset=True, sa_session=self.model.session)
self.persist(h, d1)
self._make_private(security_agent, u_from, d1)
assert security_agent.can_manage_dataset(u_from.all_roles(), d1.dataset)
assert not security_agent.can_manage_dataset(u_other.all_roles(), d1.dataset)
def test_role_creation(self):
security_agent = GalaxyRBACAgent(self.model)
def check_private_role(private_role, email):
assert private_role.type == self.model.Role.types.PRIVATE
assert len(private_role.users) == 1
assert private_role.name == email
assert private_role.description == "Private Role for " + email
email = "*****@*****.**"
u = self.model.User(email=email, password="******")
self.persist(u)
role = security_agent.get_private_user_role(u)
assert role is None
role = security_agent.create_private_user_role(u)
assert role is not None
check_private_role(role, email)
email = "*****@*****.**"
u = self.model.User(email=email, password="******")
self.persist(u)
role = security_agent.get_private_user_role(u)
assert role is None
role = security_agent.get_private_user_role(u, auto_create=True)
assert role is not None
check_private_role(role, email)
# make sure re-running auto_create doesn't break things
role = security_agent.get_private_user_role(u, auto_create=True)
assert role is not None
check_private_role(role, email)
def init(file_path,
url,
engine_options=None,
create_tables=False,
map_install_models=False,
database_query_profiling_proxy=False,
object_store=None,
trace_logger=None,
use_pbkdf2=True,
slow_query_log_threshold=0,
thread_local_log: Optional[local] = None,
log_query_counts=False) -> GalaxyModelMapping:
"""Connect mappings to the database"""
if engine_options is None:
engine_options = {}
# Connect dataset to the file path
model.Dataset.file_path = file_path
# Connect dataset to object store
model.Dataset.object_store = object_store
# Use PBKDF2 password hashing?
model.User.use_pbkdf2 = use_pbkdf2
# Load the appropriate db module
engine = build_engine(url,
engine_options,
database_query_profiling_proxy,
trace_logger,
slow_query_log_threshold,
thread_local_log=thread_local_log,
log_query_counts=log_query_counts)
# Connect the metadata to the database.
metadata.bind = engine
model_modules = [model]
if map_install_models:
import galaxy.model.tool_shed_install.mapping # noqa: F401
from galaxy.model import tool_shed_install
galaxy.model.tool_shed_install.mapping.init(
url=url,
engine_options=engine_options,
create_tables=create_tables)
model_modules.append(tool_shed_install)
result = GalaxyModelMapping(model_modules, engine=engine)
# Create tables if needed
if create_tables:
metadata.create_all()
install_timestamp_triggers(engine)
install_views(engine)
result.create_tables = create_tables
# load local galaxy security policy
result.security_agent = GalaxyRBACAgent(result)
result.thread_local_log = thread_local_log
return result
def test_make_dataset_public(self):
security_agent = GalaxyRBACAgent(self.model)
u_from, u_to, u_other = self._three_users("make_dataset_public")
h = self.model.History(name="History for Annotation", user=u_from)
d1 = self.model.HistoryDatasetAssociation(extension="txt", history=h, create_dataset=True, sa_session=self.model.session)
self.persist(h, d1)
security_agent.privately_share_dataset(d1.dataset, [u_to])
security_agent.make_dataset_public(d1.dataset)
assert security_agent.can_access_dataset(u_to.all_roles(), d1.dataset)
assert security_agent.can_access_dataset(u_other.all_roles(), d1.dataset)
def test_set_all_dataset_permissions(self):
security_agent = GalaxyRBACAgent(self.model)
u_from, _, u_other = self._three_users("set_all_perms")
h = self.model.History(name="History for Annotation", user=u_from)
d1 = self.model.HistoryDatasetAssociation(extension="txt", history=h, create_dataset=True, sa_session=self.model.session)
self.persist(h, d1)
role = security_agent.get_private_user_role(u_from, auto_create=True)
access_action = security_agent.permitted_actions.DATASET_ACCESS.action
manage_action = security_agent.permitted_actions.DATASET_MANAGE_PERMISSIONS.action
permissions = {access_action: [role], manage_action: [role]}
assert security_agent.can_access_dataset(u_other.all_roles(), d1.dataset)
security_agent.set_all_dataset_permissions(d1.dataset, permissions)
assert not security_agent.allow_action(u_other.all_roles(), security_agent.permitted_actions.DATASET_ACCESS, d1.dataset)
assert not security_agent.can_access_dataset(u_other.all_roles(), d1.dataset)