def test_create_record_check_acl_priority(app, db, es, es_acl_prepare, test_users): with app.test_client() as client: with db.session.begin_nested(): acl1 = DefaultACL(name='default', schemas=[RECORD_SCHEMA], priority=0, originator=test_users.u1, operation='get') actor1 = SystemRoleActor(name='auth', system_role='any_user', acl=acl1, originator=test_users.u1) acl2 = DefaultACL(name='default', schemas=[RECORD_SCHEMA], priority=1, originator=test_users.u1, operation='get') actor2 = SystemRoleActor(name='auth', system_role='authenticated_user', acl=acl2, originator=test_users.u1) db.session.add(acl1) db.session.add(actor1) db.session.add(acl2) db.session.add(actor2) login(client, test_users.u1) response = client.post(records_url(), data=json.dumps({ 'title': 'blah', 'contributors': [] }), content_type='application/json') assert response.status_code == 201 rest_metadata = get_json(response)['metadata'] assert 'control_number' in rest_metadata index, doctype = schema_to_index(RECORD_SCHEMA) rec_md = current_search_client.get( index=index, doc_type=doctype, id=str( PersistentIdentifier.get( 'recid', rest_metadata['control_number']).object_uuid)) clear_timestamp(rec_md) assert rec_md['_source']['_invenio_explicit_acls'] == [{ 'operation': 'get', 'id': acl2.id, 'timestamp': 'cleared', 'system_role': ['authenticated_user'] }]
def test_create_record_no_acls_anonymous(app, db, es, es_acl_prepare): with app.test_client() as client: response = client.post(records_url(), data=json.dumps({ 'title': 'blah', 'contributors': [] }), content_type='application/json') # print("Response", response.get_data(as_text=True)) assert response.status_code == 401
def test_create_record_without_enabled_acl(app, db, es): with app.test_client() as client: response = client.post(records_url(), data=json.dumps({ 'title': 'blah', 'contributors': [] }), content_type='application/json') # print("Response", response.get_data(as_text=True)) assert response.status_code == 201 assert 'control_number' in get_json(response)['metadata']
def test_create_record_no_acls_authenticated(app, db, es, es_acl_prepare, test_users): with app.test_client() as client: with db.session.begin_nested(): # create an empty ACL in order to get the _invenio_explicit_acls filled acl = DefaultACL(name='test', schemas=[RECORD_SCHEMA], priority=0, operation='get', originator=test_users.u1) db.session.add(acl) actor = UserActor(name='test', acl=acl, users=[], originator=test_users.u1) db.session.add(actor) login(client, test_users.u1) response = client.post(records_url(), data=json.dumps({ 'title': 'blah', 'contributors': [] }), content_type='application/json') # print("Response", response.get_data(as_text=True)) assert response.status_code == 201 created_record_metadata = get_json(response)['metadata'] # check that ACLs are not leaking assert 'invenio_explicit_acls' not in created_record_metadata pid = PersistentIdentifier.get( 'recid', created_record_metadata['control_number']) res = get_from_es(pid)['_source'] assert res['control_number'] == pid.pid_value assert res['$schema'] == 'https://localhost/schemas/' + RECORD_SCHEMA assert '_invenio_explicit_acls' in res # still can not get it res = client.get(record_url(pid)) assert res.status_code == 403 # Forbidden
def test_aclrecordsearch_returnall(app, db, es, es_acl_prepare, test_users): with db.session.begin_nested(): acl1 = ElasticsearchACL(name='test', schemas=[RECORD_SCHEMA], priority=0, operation='get', originator=test_users.u1, record_selector={'term': { 'keywords': 'test' }}) actor1 = SystemRoleActor(name='auth', system_role='any_user', acl=acl1, originator=test_users.u1) db.session.add(acl1) db.session.add(actor1) current_explicit_acls.reindex_acl(acl1, delayed=False) with app.test_client() as client: login(client, test_users.u1) response = client.post(records_url(), data=json.dumps({'title': 'blah', 'contributors': [], 'keywords': ['blah']}), content_type='application/json') assert response.status_code == 201 rest_metadata = get_json(response)['metadata'] assert 'control_number' in rest_metadata # make sure indices are flushed current_search_client.indices.refresh() current_search_client.indices.flush() index, doc_type = schema_to_index(RECORD_SCHEMA) record_uuid = PersistentIdentifier.get('recid', rest_metadata['control_number']).object_uuid with app.test_request_context(): login_user(test_users.u1) set_identity(test_users.u1) assert current_user == test_users.u1 # acl1 does not apply to the resource so the search must return no data assert not len( ACLRecordsSearch(index=index, doc_type=doc_type, operation='get').get_record(record_uuid).execute()) # when acl_return_all is specified, return all matching records regardless of ACL with_all = ACLRecordsSearch(index=index, doc_type=doc_type).acl_return_all().get_record( record_uuid).execute().hits assert len(with_all) == 1 assert with_all[0]['_invenio_explicit_acls'] == [] # add another acl, this one maps to the record with db.session.begin_nested(): acl2 = ElasticsearchACL(name='test', schemas=[RECORD_SCHEMA], priority=0, operation='get', originator=test_users.u1, record_selector={'term': { 'keywords': 'blah' }}) actor2 = UserActor(name='u2', users=[test_users.u2], acl=acl2, originator=test_users.u1) db.session.add(acl2) db.session.add(actor2) current_explicit_acls.reindex_acl(acl2, delayed=False) # make sure indices are flushed current_search_client.indices.refresh() current_search_client.indices.flush() # for the same user acl_return_all() must return the record and effective acls with app.test_request_context(): login_user(test_users.u1) set_identity(test_users.u1) # when acl_return_all is specified, return all matching records regardless of ACL with_all = ACLRecordsSearch(index=index, doc_type=doc_type).acl_return_all().get_record( record_uuid).execute().hits assert len(with_all) == 1 assert clear_timestamp(with_all[0].to_dict()['_invenio_explicit_acls']) == [ { 'operation': 'get', 'id': acl2.id, 'timestamp': 'cleared', 'user': [2] } ] # for user2 plain ACLRecordsSearch must return the record and effective acls with app.test_request_context(): login_user(test_users.u2) set_identity(test_users.u2) # when acl_return_all is specified, return all matching records regardless of ACL with_all = ACLRecordsSearch(index=index, doc_type=doc_type).get_record(record_uuid).execute().hits assert len(with_all) == 1 assert clear_timestamp(with_all[0].to_dict()['_invenio_explicit_acls']) == [ { 'operation': 'get', 'id': acl2.id, 'timestamp': 'cleared', 'user': [2] } ]
def test_create_acl_after_record(app, db, es, es_acl_prepare, test_users): with app.test_client() as client: login(client, test_users.u1) response = client.post(records_url(), data=json.dumps({ 'title': 'blah', 'contributors': [] }), content_type='application/json') assert response.status_code == 201 rest_metadata = get_json(response)['metadata'] assert 'control_number' in rest_metadata current_search_client.indices.refresh() current_search_client.indices.flush() with db.session.begin_nested(): acl1 = DefaultACL(name='default', schemas=[RECORD_SCHEMA], priority=0, originator=test_users.u1, operation='get') actor1 = SystemRoleActor(name='auth', system_role='any_user', acl=acl1, originator=test_users.u1) db.session.add(acl1) db.session.add(actor1) # reindex all resources that might be affected by the ACL change current_explicit_acls.reindex_acl(acl1, delayed=False) index, doctype = schema_to_index(RECORD_SCHEMA) rec_md = current_search_client.get( index=index, doc_type=doctype, id=str( PersistentIdentifier.get( 'recid', rest_metadata['control_number']).object_uuid)) clear_timestamp(rec_md) assert rec_md['_source']['_invenio_explicit_acls'] == [{ 'operation': 'get', 'id': acl1.id, 'timestamp': 'cleared', 'system_role': ['any_user'] }] # remove the ACL from the database with db.session.begin_nested(): db.session.delete(acl1) # reindex records affected by the removal of ACL current_explicit_acls.reindex_acl_removed(acl1, delayed=False) # make sure all changes had time to propagate and test current_search_client.indices.refresh() current_search_client.indices.flush() rec_md = current_search_client.get( index=index, doc_type=doctype, id=str( PersistentIdentifier.get( 'recid', rest_metadata['control_number']).object_uuid)) # there is no ACL in the database => no acls are defined nor enforced on the record print(json.dumps(rec_md, indent=4)) assert '_invenio_explicit_acls' not in rec_md['_source']