Пример #1
0
    def test_sync_roles_locally_removed_roles_are_removed_from_db(self):
        syncer = RBACDefinitionsDBSyncer()

        # Initial state, DB is empty, we sync with two roles defined on disk
        self.assertEqual(len(Role.get_all()), 0)

        api1 = RoleDefinitionFileFormatAPI(name='test_role_1', description='test description 1',
                                           permission_grants=[])
        api2 = RoleDefinitionFileFormatAPI(name='test_role_2', description='test description 2',
                                           permission_grants=[])
        created_role_dbs, deleted_role_dbs = syncer.sync_roles(role_definition_apis=[api1, api2])
        self.assertEqual(len(created_role_dbs), 2)
        self.assertItemsEqual(deleted_role_dbs, [])

        # Assert role and grants have been created in the DB
        self.assertEqual(len(Role.get_all()), 2)
        self.assertRoleDBObjectExists(role_db=created_role_dbs[0])
        self.assertRoleDBObjectExists(role_db=created_role_dbs[1])

        # We sync again, this time with one role (role 1) removed locally
        created_role_dbs, deleted_role_dbs = syncer.sync_roles(role_definition_apis=[api2])
        self.assertEqual(len(created_role_dbs), 1)
        self.assertEqual(len(deleted_role_dbs), 2)

        # Assert role and grants have been created in the DB
        self.assertEqual(len(Role.get_all()), 1)
        self.assertRoleDBObjectExists(role_db=created_role_dbs[0])
        self.assertEqual(Role.get_all()[0].name, 'test_role_2')
Пример #2
0
    def test_sync_roles_locally_removed_roles_are_removed_from_db(self):
        syncer = RBACDefinitionsDBSyncer()

        # Initial state, DB is empty, we sync with two roles defined on disk
        self.assertEqual(len(Role.get_all()), 0)

        api1 = RoleDefinitionFileFormatAPI(name='test_role_1',
                                           description='test description 1',
                                           permission_grants=[])
        api2 = RoleDefinitionFileFormatAPI(name='test_role_2',
                                           description='test description 2',
                                           permission_grants=[])
        created_role_dbs, deleted_role_dbs = syncer.sync_roles(
            role_definition_apis=[api1, api2])
        self.assertEqual(len(created_role_dbs), 2)
        self.assertItemsEqual(deleted_role_dbs, [])

        # Assert role and grants have been created in the DB
        self.assertEqual(len(Role.get_all()), 2)
        self.assertRoleDBObjectExists(role_db=created_role_dbs[0])
        self.assertRoleDBObjectExists(role_db=created_role_dbs[1])

        # We sync again, this time with one role (role 1) removed locally
        created_role_dbs, deleted_role_dbs = syncer.sync_roles(
            role_definition_apis=[api2])
        self.assertEqual(len(created_role_dbs), 1)
        self.assertEqual(len(deleted_role_dbs), 2)

        # Assert role and grants have been created in the DB
        self.assertEqual(len(Role.get_all()), 1)
        self.assertRoleDBObjectExists(role_db=created_role_dbs[0])
        self.assertEqual(Role.get_all()[0].name, 'test_role_2')
    def setUp(self):
        super(PolicyTypeControllerRBACTestCase, self).setUp()
        self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
                                                               fixtures_dict=TEST_FIXTURES)

        file_name = 'fake_policy_type_1.yaml'
        PolicyTypeControllerRBACTestCase.POLICY_TYPE_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'policytypes': [file_name]})['policytypes'][file_name]

        file_name = 'fake_policy_type_2.yaml'
        PolicyTypeControllerRBACTestCase.POLICY_TYPE_2 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'policytypes': [file_name]})['policytypes'][file_name]

        # Insert mock users, roles and assignments

        # Users
        user_1_db = UserDB(name='policy_type_list')
        user_1_db = User.add_or_update(user_1_db)
        self.users['policy_type_list'] = user_1_db

        user_2_db = UserDB(name='policy_type_view')
        user_2_db = User.add_or_update(user_2_db)
        self.users['policy_type_view'] = user_2_db

        # Roles
        # policy_type_list
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=ResourceType.POLICY_TYPE,
                                     permission_types=[PermissionType.POLICY_TYPE_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='policy_type_list', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['policy_type_list'] = role_1_db

        # policy_type_view on timer 1
        policy_type_uid = self.models['policytypes']['fake_policy_type_1.yaml'].get_uid()
        grant_db = PermissionGrantDB(resource_uid=policy_type_uid,
                                     resource_type=ResourceType.POLICY_TYPE,
                                     permission_types=[PermissionType.POLICY_TYPE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='policy_type_view', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['policy_type_view'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['policy_type_list'].name,
            role=self.roles['policy_type_list'].name,
            source='assignments/%s.yaml' % self.users['policy_type_list'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['policy_type_view'].name,
            role=self.roles['policy_type_view'].name,
            source='assignments/%s.yaml' % self.users['policy_type_view'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #4
0
    def setUp(self):
        super(ActionExecutionRBACControllerTestCase, self).setUp()

        self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
                                                 fixtures_dict=TEST_FIXTURES)

        # Insert mock users, roles and assignments

        # Users
        user_1_db = UserDB(name='multiple_roles')
        user_1_db = User.add_or_update(user_1_db)
        self.users['multiple_roles'] = user_1_db

        # Roles
        roles = ['role_1', 'role_2', 'role_3']
        for role in roles:
            role_db = RoleDB(name=role)
            Role.add_or_update(role_db)

        # Role assignments
        user_db = self.users['multiple_roles']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role='admin',
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        for role in roles:
            role_assignment_db = UserRoleAssignmentDB(
                user=user_db.name,
                role=role,
                source='assignments/%s.yaml' % user_db.name)
            UserRoleAssignment.add_or_update(role_assignment_db)
Пример #5
0
    def setUp(self):
        super(PolicyTypeControllerRBACTestCase, self).setUp()
        self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
                                                               fixtures_dict=TEST_FIXTURES)

        file_name = 'fake_policy_type_1.yaml'
        PolicyTypeControllerRBACTestCase.POLICY_TYPE_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'policytypes': [file_name]})['policytypes'][file_name]

        file_name = 'fake_policy_type_2.yaml'
        PolicyTypeControllerRBACTestCase.POLICY_TYPE_2 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'policytypes': [file_name]})['policytypes'][file_name]

        # Insert mock users, roles and assignments

        # Users
        user_1_db = UserDB(name='policy_type_list')
        user_1_db = User.add_or_update(user_1_db)
        self.users['policy_type_list'] = user_1_db

        user_2_db = UserDB(name='policy_type_view')
        user_2_db = User.add_or_update(user_2_db)
        self.users['policy_type_view'] = user_2_db

        # Roles
        # policy_type_list
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=ResourceType.POLICY_TYPE,
                                     permission_types=[PermissionType.POLICY_TYPE_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='policy_type_list', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['policy_type_list'] = role_1_db

        # policy_type_view on timer 1
        policy_type_uid = self.models['policytypes']['fake_policy_type_1.yaml'].get_uid()
        grant_db = PermissionGrantDB(resource_uid=policy_type_uid,
                                     resource_type=ResourceType.POLICY_TYPE,
                                     permission_types=[PermissionType.POLICY_TYPE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='policy_type_view', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['policy_type_view'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['policy_type_list'].name,
            role=self.roles['policy_type_list'].name,
            source='assignments/%s.yaml' % self.users['policy_type_list'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['policy_type_view'].name,
            role=self.roles['policy_type_view'].name,
            source='assignments/%s.yaml' % self.users['policy_type_view'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #6
0
    def setUp(self):
        super(RunnerPermissionsResolverTestCase, self).setUp()

        # Create some mock users
        user_1_db = UserDB(name='custom_role_runner_view_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_runner_view_grant'] = user_1_db

        user_2_db = UserDB(name='custom_role_runner_modify_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_runner_modify_grant'] = user_2_db

        # Create some mock resources on which permissions can be granted
        runner_1_db = RunnerTypeDB(name='runner_1')
        self.resources['runner_1'] = runner_1_db

        runner_2_db = RunnerTypeDB(name='runner_2')
        self.resources['runner_2'] = runner_2_db

        # Create some mock roles with associated permission grants
        # Custom role - "runner_view" grant on runner_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['runner_1'].get_uid(),
            resource_type=ResourceType.RUNNER,
            permission_types=[PermissionType.RUNNER_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_runner_view_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_runner_view_grant'] = role_db

        # Custom role - "runner_modify" grant on runner_2
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['runner_2'].get_uid(),
            resource_type=ResourceType.RUNNER,
            permission_types=[PermissionType.RUNNER_MODIFY])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_runner_modify_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_runner_modify_grant'] = role_db

        # Create some mock role assignments
        user_db = self.users['custom_role_runner_view_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_runner_view_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_runner_modify_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_runner_modify_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #7
0
def delete_role(name):
    """"
    Delete role with the provided name.
    """
    if name in SystemRole.get_valid_values():
        raise ValueError("System roles can't be deleted")

    role_db = Role.get(name=name)
    result = Role.delete(role_db)
    return result
Пример #8
0
def delete_role(name):
    """"
    Delete role with the provided name.
    """
    if name in SystemRole.get_valid_values():
        raise ValueError('System roles can\'t be deleted')

    role_db = Role.get(name=name)
    result = Role.delete(role_db)
    return result
Пример #9
0
    def setUp(self):
        super(RunnerPermissionsResolverTestCase, self).setUp()

        # Create some mock users
        user_1_db = UserDB(name='custom_role_runner_view_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_runner_view_grant'] = user_1_db

        user_2_db = UserDB(name='custom_role_runner_modify_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_runner_modify_grant'] = user_2_db

        # Create some mock resources on which permissions can be granted
        runner_1_db = RunnerTypeDB(name='runner_1')
        self.resources['runner_1'] = runner_1_db

        runner_2_db = RunnerTypeDB(name='runner_2')
        self.resources['runner_2'] = runner_2_db

        # Create some mock roles with associated permission grants
        # Custom role - "runner_view" grant on runner_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['runner_1'].get_uid(),
                                     resource_type=ResourceType.RUNNER,
                                     permission_types=[PermissionType.RUNNER_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_runner_view_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_runner_view_grant'] = role_db

        # Custom role - "runner_modify" grant on runner_2
        grant_db = PermissionGrantDB(resource_uid=self.resources['runner_2'].get_uid(),
                                     resource_type=ResourceType.RUNNER,
                                     permission_types=[PermissionType.RUNNER_MODIFY])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_runner_modify_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_runner_modify_grant'] = role_db

        # Create some mock role assignments
        user_db = self.users['custom_role_runner_view_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_runner_view_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_runner_modify_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_runner_modify_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
    def setUp(self):
        super(WebhookControllerRBACTestCase, self).setUp()

        # Insert mock users, roles and assignments

        # Users
        user_1_db = UserDB(name='webhook_list')
        user_1_db = User.add_or_update(user_1_db)
        self.users['webhook_list'] = user_1_db

        user_2_db = UserDB(name='webhook_view')
        user_2_db = User.add_or_update(user_2_db)
        self.users['webhook_view'] = user_2_db

        # Roles
        # webhook_list
        grant_db = PermissionGrantDB(
            resource_uid=None,
            resource_type=ResourceType.WEBHOOK,
            permission_types=[PermissionType.WEBHOOK_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='webhook_list',
                           permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['webhook_list'] = role_1_db

        # webhook_view on webhook 1 (git)
        name = 'git'
        webhook_db = WebhookDB(name=name)
        webhook_uid = webhook_db.get_uid()
        grant_db = PermissionGrantDB(
            resource_uid=webhook_uid,
            resource_type=ResourceType.WEBHOOK,
            permission_types=[PermissionType.WEBHOOK_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='webhook_view',
                           permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['webhook_view'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['webhook_list'].name,
            role=self.roles['webhook_list'].name,
            source='assignments/%s.yaml' % self.users['webhook_list'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['webhook_view'].name,
            role=self.roles['webhook_view'].name,
            source='assignments/%s.yaml' % self.users['webhook_view'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #11
0
    def setUp(self):
        super(WebhookControllerRBACTestCase, self).setUp()

        # Insert mock users, roles and assignments

        # Users
        user_1_db = UserDB(name='webhook_list')
        user_1_db = User.add_or_update(user_1_db)
        self.users['webhook_list'] = user_1_db

        user_2_db = UserDB(name='webhook_view')
        user_2_db = User.add_or_update(user_2_db)
        self.users['webhook_view'] = user_2_db

        # Roles
        # webhook_list
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=ResourceType.WEBHOOK,
                                     permission_types=[PermissionType.WEBHOOK_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='webhook_list', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['webhook_list'] = role_1_db

        # webhook_view on webhook 1 (git)
        name = 'git'
        webhook_db = WebhookDB(name=name)
        webhook_uid = webhook_db.get_uid()
        grant_db = PermissionGrantDB(resource_uid=webhook_uid,
                                     resource_type=ResourceType.WEBHOOK,
                                     permission_types=[PermissionType.WEBHOOK_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='webhook_view', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['webhook_view'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['webhook_list'].name,
            role=self.roles['webhook_list'].name,
            source='assignments/%s.yaml' % self.users['webhook_list'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['webhook_view'].name,
            role=self.roles['webhook_view'].name,
            source='assignments/%s.yaml' % self.users['webhook_view'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #12
0
def insert_system_roles():
    """
    Migration which inserts the default system roles.
    """
    system_roles = SystemRole.get_valid_values()

    for role_name in system_roles:
        description = role_name
        role_db = RoleDB(name=role_name, description=description, system=True)

        try:
            Role.insert(role_db, log_not_unique_error_as_debug=True)
        except (StackStormDBObjectConflictError, NotUniqueError):
            pass
Пример #13
0
def insert_system_roles():
    """
    Migration which inserts the default system roles.
    """
    system_roles = SystemRole.get_valid_values()

    for role_name in system_roles:
        description = role_name
        role_db = RoleDB(name=role_name, description=description, system=True)

        try:
            Role.insert(role_db, log_not_unique_error_as_debug=True)
        except (StackStormDBObjectConflictError, NotUniqueError):
            pass
Пример #14
0
def get_all_roles(exclude_system=False):
    """
    Retrieve all the available roles.

    :param exclude_system: True to exclude system roles.
    :type exclude_system: ``bool``

    :rtype: ``list`` of :class:`RoleDB`
    """
    if exclude_system:
        result = Role.query(system=False)
    else:
        result = Role.get_all()

    return result
Пример #15
0
def get_all_roles(exclude_system=False):
    """
    Retrieve all the available roles.

    :param exclude_system: True to exclude system roles.
    :type exclude_system: ``bool``

    :rtype: ``list`` of :class:`RoleDB`
    """
    if exclude_system:
        result = Role.query(system=False)
    else:
        result = Role.get_all()

    return result
Пример #16
0
    def setUp(self):
        super(TestRbacController, self).setUp()

        permissions = [
            PermissionType.RULE_CREATE, PermissionType.RULE_VIEW,
            PermissionType.RULE_MODIFY, PermissionType.RULE_DELETE
        ]

        for name in permissions:
            user_db = UserDB(name=name)
            user_db = User.add_or_update(user_db)
            self.users[name] = user_db

            # Roles
            # action_create grant on parent pack
            grant_db = PermissionGrantDB(resource_uid='pack:examples',
                                         resource_type=ResourceType.PACK,
                                         permission_types=[name])
            grant_db = PermissionGrant.add_or_update(grant_db)
            grant_2_db = PermissionGrantDB(
                resource_uid='action:wolfpack:action-1',
                resource_type=ResourceType.ACTION,
                permission_types=[PermissionType.ACTION_EXECUTE])
            grant_2_db = PermissionGrant.add_or_update(grant_2_db)
            permission_grants = [str(grant_db.id), str(grant_2_db.id)]
            role_db = RoleDB(name=name, permission_grants=permission_grants)
            role_db = Role.add_or_update(role_db)
            self.roles[name] = role_db

            # Role assignments
            role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
                                                      role=role_db.name)
            UserRoleAssignment.add_or_update(role_assignment_db)
Пример #17
0
    def get_roles_for_user(user_db, include_remote=True):
        """
        Retrieve all the roles assigned to the provided user.

        :param user_db: User to retrieve the roles for.
        :type user_db: :class:`UserDB`

        :param include_remote: True to also include remote role assignments.
        :type include_remote: ``bool``

        :rtype: ``list`` of :class:`RoleDB`
        """
        if include_remote:
            queryset = UserRoleAssignment.query(user=user_db.name)
        else:
            # when upgrading from pre v2.3.0 when this field didn't exist yet
            # Note: We also include None for pre v2.3 when this field didn't exist yet
            queryset_filter = (
                Q(user=user_db.name) &
                (Q(is_remote=False) | Q(is_remote__exists=False)))
            queryset = UserRoleAssignmentDB.objects(queryset_filter)

        role_names = queryset.only('role').scalar('role')
        result = Role.query(name__in=role_names)
        return result
Пример #18
0
    def setUp(self):
        super(ActionControllerRBACTestCase, self).setUp()
        self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
                                                 fixtures_dict=TEST_FIXTURES)

        file_name = 'action1.yaml'
        ActionControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'actions': [file_name]})['actions'][file_name]

        # Insert mock users, roles and assignments

        # Users
        user_2_db = UserDB(name='action_create')
        user_2_db = User.add_or_update(user_2_db)
        self.users['action_create'] = user_2_db

        # Roles
        # action_create grant on parent pack
        grant_db = PermissionGrantDB(
            resource_uid='pack:examples',
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.ACTION_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='action_create',
                           permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['action_create'] = role_1_db

        # Role assignments
        user_db = self.users['action_create']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['action_create'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #19
0
    def setUp(self):
        super(WebhookPermissionsResolverTestCase, self).setUp()

        # Create some mock users
        user_1_db = UserDB(name='custom_role_webhook_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_webhook_grant'] = user_1_db

        # Create some mock resources on which permissions can be granted
        webhook_1_db = WebhookDB(name='st2/')
        self.resources['webhook_1'] = webhook_1_db

        # Create some mock roles with associated permission grants
        # Custom role - "webhook_send" grant on webhook_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['webhook_1'].get_uid(),
                                     resource_type=ResourceType.WEBHOOK,
                                     permission_types=[PermissionType.WEBHOOK_SEND])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_webhook_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_webhook_grant'] = role_db

        # Create some mock role assignments
        user_db = self.users['custom_role_webhook_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_webhook_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #20
0
    def setUp(self):
        super(RBACRoleAssignmentsControllerRBACTestCase, self).setUp()

        # Insert mock users, roles and assignments
        self.role_assignments = {}

        # Users
        user_1_db = UserDB(name='user_foo')
        user_1_db = User.add_or_update(user_1_db)
        self.users['user_foo'] = user_1_db

        # Roles
        role_1_db = RoleDB(name='user_foo', permission_grants=[])
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['user_foo'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['user_foo'].name,
            role=self.roles['user_foo'].name,
            source='assignments/%s.yaml' % self.users['user_foo'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
        self.role_assignments['assignment_one'] = role_assignment_db

        role_assignment_db = UserRoleAssignmentDB(
            user='******',
            role=self.roles['user_foo'].name,
            source='assignments/user_bar.yaml')
        UserRoleAssignment.add_or_update(role_assignment_db)
        self.role_assignments['assignment_two'] = role_assignment_db
Пример #21
0
def get_all_permission_grants_for_user(user_db, resource_uid=None, resource_types=None,
                                       permission_types=None):
    """
    Retrieve all the permission grants for a particular user optionally filtering on:

    - Resource uid
    - Resource types
    - Permission types

    The result is a union of all the permission grants assigned to the roles which are assigned to
    the user.

    :rtype: ``list`` or :class:`PermissionGrantDB`
    """
    role_names = UserRoleAssignment.query(user=user_db.name).only('role').scalar('role')
    permission_grant_ids = Role.query(name__in=role_names).scalar('permission_grants')
    permission_grant_ids = sum(permission_grant_ids, [])

    permission_grants_filters = {}
    permission_grants_filters['id__in'] = permission_grant_ids

    if resource_uid:
        permission_grants_filters['resource_uid'] = resource_uid

    if resource_types:
        permission_grants_filters['resource_type__in'] = resource_types

    if permission_types:
        permission_grants_filters['permission_types__in'] = permission_types

    permission_grant_dbs = PermissionGrant.query(**permission_grants_filters)
    return permission_grant_dbs
Пример #22
0
    def setUp(self):
        super(RBACRoleAssignmentsControllerRBACTestCase, self).setUp()

        # Insert mock users, roles and assignments
        self.role_assignments = {}

        # Users
        user_1_db = UserDB(name='user_foo')
        user_1_db = User.add_or_update(user_1_db)
        self.users['user_foo'] = user_1_db

        # Roles
        role_1_db = RoleDB(name='user_foo', permission_grants=[])
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['user_foo'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['user_foo'].name,
            role=self.roles['user_foo'].name,
            source='assignments/%s.yaml' % self.users['user_foo'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
        self.role_assignments['assignment_one'] = role_assignment_db

        role_assignment_db = UserRoleAssignmentDB(
            user='******',
            role=self.roles['user_foo'].name,
            source='assignments/user_bar.yaml')
        UserRoleAssignment.add_or_update(role_assignment_db)
        self.role_assignments['assignment_two'] = role_assignment_db
Пример #23
0
    def setUp(self):
        super(WebhookPermissionsResolverTestCase, self).setUp()

        # Create some mock users
        user_1_db = UserDB(name='custom_role_webhook_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_webhook_grant'] = user_1_db

        # Create some mock resources on which permissions can be granted
        webhook_1_db = WebhookDB(name='st2/')
        self.resources['webhook_1'] = webhook_1_db

        # Create some mock roles with associated permission grants
        # Custom role - "webhook_send" grant on webhook_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['webhook_1'].get_uid(),
            resource_type=ResourceType.WEBHOOK,
            permission_types=[PermissionType.WEBHOOK_SEND])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_webhook_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_webhook_grant'] = role_db

        # Create some mock role assignments
        user_db = self.users['custom_role_webhook_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_webhook_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #24
0
def get_all_permission_grants_for_user(user_db, resource_uid=None, resource_types=None, permission_types=None):
    """
    Retrieve all the permission grants for a particular user optionally filtering on:

    - Resource uid
    - Resource types
    - Permission types

    The result is a union of all the permission grants assigned to the roles which are assigned to
    the user.

    :rtype: ``list`` or :class:`PermissionGrantDB`
    """
    role_names = UserRoleAssignment.query(user=user_db.name).only("role").scalar("role")
    permission_grant_ids = Role.query(name__in=role_names).scalar("permission_grants")
    permission_grant_ids = sum(permission_grant_ids, [])

    permission_grants_filters = {}
    permission_grants_filters["id__in"] = permission_grant_ids

    if resource_uid:
        permission_grants_filters["resource_uid"] = resource_uid

    if resource_types:
        permission_grants_filters["resource_type__in"] = resource_types

    if permission_types:
        permission_grants_filters["permission_types__in"] = permission_types

    permission_grant_dbs = PermissionGrant.query(**permission_grants_filters)
    return permission_grant_dbs
Пример #25
0
    def _sync_user_role_assignments(self, user_db, role_assignment_dbs, role_assignment_api):
        """
        Synchronize role assignments for a particular user.

        :param user_db: User to synchronize the assignments for.
        :type user_db: :class:`UserDB`

        :param role_assignment_dbs: Existing user role assignments.
        :type role_assignment_dbs: ``list`` of :class:`UserRoleAssignmentDB`

        :param role_assignment_api: Role assignment API for a particular user.
        :param role_assignment_api: :class:`UserRoleAssignmentFileFormatAPI`

        :rtype: ``tuple``
        """
        db_role_names = [role_assignment_db.role for role_assignment_db in role_assignment_dbs]
        db_role_names = set(db_role_names)
        api_role_names = role_assignment_api.roles if role_assignment_api else []
        api_role_names = set(api_role_names)

        # A list of new assignments which should be added to the database
        new_role_names = api_role_names.difference(db_role_names)

        # A list of assgignments which need to be updated in the database
        updated_role_names = db_role_names.intersection(api_role_names)

        # A list of assignments which should be removed from the database
        removed_role_names = db_role_names - api_role_names

        LOG.debug('New assignments for user "%s": %r' % (user_db.name, new_role_names))
        LOG.debug('Updated assignments for user "%s": %r' % (user_db.name, updated_role_names))
        LOG.debug('Removed assignments for user "%s": %r' % (user_db.name, removed_role_names))

        # Build a list of role assignments to delete
        role_names_to_delete = updated_role_names.union(removed_role_names)
        role_assignment_dbs_to_delete = [
            role_assignment_db
            for role_assignment_db in role_assignment_dbs
            if role_assignment_db.role in role_names_to_delete
        ]

        UserRoleAssignment.query(user=user_db.name, role__in=role_names_to_delete).delete()
        LOG.debug('Removed %s assignments for user "%s"' % (len(role_assignment_dbs_to_delete), user_db.name))

        # Build a list of roles assignments to create
        role_names_to_create = new_role_names.union(updated_role_names)
        role_dbs_to_assign = Role.query(name__in=role_names_to_create)

        created_role_assignment_dbs = []
        for role_db in role_dbs_to_assign:
            if role_db.name in role_assignment_api.roles:
                description = getattr(role_assignment_api, "description", None)
            else:
                description = None
            assignment_db = rbac_services.assign_role_to_user(role_db=role_db, user_db=user_db, description=description)
            created_role_assignment_dbs.append(assignment_db)

        LOG.debug('Created %s new assignments for user "%s"' % (len(role_dbs_to_assign), user_db.name))

        return (created_role_assignment_dbs, role_assignment_dbs_to_delete)
Пример #26
0
    def setUp(self):
        super(ExecutionViewsFiltersControllerRBACTestCase, self).setUp()

        # Insert mock users, roles and assignments

        # Users
        user_1_db = UserDB(name='execution_views_filters_list')
        user_1_db = User.add_or_update(user_1_db)
        self.users['execution_views_filters_list'] = user_1_db

        # Roles
        # trace_list
        permission_types = [PermissionType.EXECUTION_VIEWS_FILTERS_LIST]
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=ResourceType.EXECUTION,
                                     permission_types=permission_types)
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='execution_views_filters_list',
                           permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['execution_views_filters_list'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['execution_views_filters_list'].name,
            role=self.roles['execution_views_filters_list'].name,
            source='assignments/%s.yaml' %
            self.users['execution_views_filters_list'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #27
0
    def setUp(self):
        super(ActionControllerRBACTestCase, self).setUp()
        self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
                                                 fixtures_dict=TEST_FIXTURES)

        file_name = 'action1.yaml'
        ActionControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'actions': [file_name]})['actions'][file_name]

        # Insert mock users, roles and assignments

        # Users
        user_2_db = UserDB(name='action_create')
        user_2_db = User.add_or_update(user_2_db)
        self.users['action_create'] = user_2_db

        # Roles
        # action_create grant on parent pack
        grant_db = PermissionGrantDB(resource_uid='pack:examples',
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='action_create', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['action_create'] = role_1_db

        # Role assignments
        user_db = self.users['action_create']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['action_create'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #28
0
    def setUp(self):
        super(ExecutionViewsFiltersControllerRBACTestCase, self).setUp()

        # Insert mock users, roles and assignments

        # Users
        user_1_db = UserDB(name='execution_views_filters_list')
        user_1_db = User.add_or_update(user_1_db)
        self.users['execution_views_filters_list'] = user_1_db

        # Roles
        # trace_list
        permission_types = [PermissionType.EXECUTION_VIEWS_FILTERS_LIST]
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=ResourceType.EXECUTION,
                                     permission_types=permission_types)
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='execution_views_filters_list',
                           permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['execution_views_filters_list'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['execution_views_filters_list'].name,
            role=self.roles['execution_views_filters_list'].name,
            source='assignments/%s.yaml' % self.users['execution_views_filters_list'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #29
0
def get_system_roles():
    """
    Retrieve all the available system roles.

    :rtype: ``list`` of :class:`RoleDB`
    """
    result = Role.query(system=True)
    return result
Пример #30
0
def get_role_by_name(name):
    """
    Retrieve role by name.

    :rtype: ``list`` of :class:`RoleDB`
    """
    result = Role.get(name=name)
    return result
Пример #31
0
def get_role_by_name(name):
    """
    Retrieve role by name.

    :rtype: ``list`` of :class:`RoleDB`
    """
    result = Role.get(name=name)
    return result
Пример #32
0
def get_system_roles():
    """
    Retrieve all the available system roles.

    :rtype: ``list`` of :class:`RoleDB`
    """
    result = Role.query(system=True)
    return result
Пример #33
0
def get_key_uids_for_user(user):
    role_names = UserRoleAssignment.query(user=user).only("role").scalar("role")
    permission_grant_ids = Role.query(name__in=role_names).scalar("permission_grants")
    permission_grant_ids = sum(permission_grant_ids, [])
    permission_grants_filters = {}
    permission_grants_filters["id__in"] = permission_grant_ids
    permission_grants_filters["resource_type"] = ResourceType.KEY_VALUE_PAIR
    return PermissionGrant.query(**permission_grants_filters).scalar("resource_uid")
Пример #34
0
def create_role(name, description=None):
    """
    Create a new role.
    """
    if name in SystemRole.get_valid_values():
        raise ValueError('"%s" role name is blacklisted' % (name))

    role_db = RoleDB(name=name, description=description)
    role_db = Role.add_or_update(role_db)
    return role_db
Пример #35
0
def create_role(name, description=None):
    """
    Create a new role.
    """
    if name in SystemRole.get_valid_values():
        raise ValueError('"%s" role name is blacklisted' % (name))

    role_db = RoleDB(name=name, description=description)
    role_db = Role.add_or_update(role_db)
    return role_db
def delete_mistyped_role():
    """
    Delete " system_admin" role which was fat fingered.
    """
    # Note: Space is significant here since we want to remove a bad role
    role_name = ' system_admin'
    assert (role_name.startswith(' '))

    try:
        role_db = Role.get_by_name(role_name)
    except:
        return

    if not role_db:
        return

    try:
        Role.delete(role_db)
    except:
        return
Пример #37
0
def delete_mistyped_role():
    """
    Delete " system_admin" role which was fat fingered.
    """
    # Note: Space is significant here since we want to remove a bad role
    role_name = ' system_admin'
    assert(role_name.startswith(' '))

    try:
        role_db = Role.get_by_name(role_name)
    except:
        return

    if not role_db:
        return

    try:
        Role.delete(role_db)
    except:
        return
Пример #38
0
def get_roles_for_user(user_db):
    """
    Retrieve all the roles assigned to the provided user.

    :param user_db: User to retrieve the roles for.
    :type user_db: :class:`UserDB`

    :rtype: ``list`` of :class:`RoleDB`
    """
    role_names = UserRoleAssignment.query(user=user_db.name).only("role").scalar("role")
    result = Role.query(name__in=role_names)
    return result
Пример #39
0
def get_roles_for_user(user_db):
    """
    Retrieve all the roles assigned to the provided user.

    :param user_db: User to retrieve the roles for.
    :type user_db: :class:`UserDB`

    :rtype: ``list`` of :class:`RoleDB`
    """
    role_names = UserRoleAssignment.query(
        user=user_db.name).only('role').scalar('role')
    result = Role.query(name__in=role_names)
    return result
Пример #40
0
    def setUp(self):
        super(ActionViewsControllerRBACTestCase, self).setUp()
        self.models = self.fixtures_loader.save_fixtures_to_db(
            fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES)

        file_name = 'a1.yaml'
        ActionViewsControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'actions': [file_name]})['actions'][file_name]

        file_name = 'a2.yaml'
        ActionViewsControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'actions': [file_name]})['actions'][file_name]

        # Insert mock users, roles and assignments

        # Users
        user_2_db = UserDB(name='action_view_a1')
        user_2_db = User.add_or_update(user_2_db)
        self.users['action_view_a1'] = user_2_db

        # Roles

        # action_view on a1
        action_uid = self.models['actions']['a1.yaml'].get_uid()
        grant_db = PermissionGrantDB(
            resource_uid=action_uid,
            resource_type=ResourceType.ACTION,
            permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='action_view_a1',
                           permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['action_view_a1'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['action_view_a1'].name,
            role=self.roles['action_view_a1'].name,
            source='assignments/%s.yaml' % self.users['action_view_a1'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #41
0
def get_roles_for_user(user_db, include_remote=True):
    """
    Retrieve all the roles assigned to the provided user.

    :param user_db: User to retrieve the roles for.
    :type user_db: :class:`UserDB`

    :param include_remote: True to also include remote role assignments.
    :type include_remote: ``bool``

    :rtype: ``list`` of :class:`RoleDB`
    """
    if include_remote:
        queryset = UserRoleAssignment.query(user=user_db.name)
    else:
        queryset = UserRoleAssignment.query(user=user_db.name, is_remote=False)

    role_names = queryset.only('role').scalar('role')
    result = Role.query(name__in=role_names)
    return result
Пример #42
0
    def setUp(self):
        super(RBACControllerTestCase, self).setUp()

        permissions = [PermissionType.RULE_CREATE,
                       PermissionType.RULE_VIEW,
                       PermissionType.RULE_MODIFY,
                       PermissionType.RULE_DELETE]

        for name in permissions:
            user_db = UserDB(name=name)
            user_db = User.add_or_update(user_db)
            self.users[name] = user_db

            # Roles
            # action_create grant on parent pack
            grant_db = PermissionGrantDB(resource_uid='pack:examples',
                                         resource_type=ResourceType.PACK,
                                         permission_types=[name])
            grant_db = PermissionGrant.add_or_update(grant_db)
            grant_2_db = PermissionGrantDB(resource_uid='action:wolfpack:action-1',
                                           resource_type=ResourceType.ACTION,
                                           permission_types=[PermissionType.ACTION_EXECUTE])
            grant_2_db = PermissionGrant.add_or_update(grant_2_db)
            permission_grants = [str(grant_db.id), str(grant_2_db.id)]
            role_db = RoleDB(name=name, permission_grants=permission_grants)
            role_db = Role.add_or_update(role_db)
            self.roles[name] = role_db

            # Role assignments
            role_assignment_db = UserRoleAssignmentDB(
                user=user_db.name,
                role=role_db.name,
                source='assignments/%s.yaml' % user_db.name)
            UserRoleAssignment.add_or_update(role_assignment_db)

        role_assignment_db = UserRoleAssignmentDB(
            user='******',
            role='role_two',
            source='assignments/user_two.yaml',
            is_remote=True)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #43
0
    def setUp(self):
        super(ActionViewsControllerRBACTestCase, self).setUp()
        self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
                                                               fixtures_dict=TEST_FIXTURES)

        file_name = 'a1.yaml'
        ActionViewsControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'actions': [file_name]})['actions'][file_name]

        file_name = 'a2.yaml'
        ActionViewsControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'actions': [file_name]})['actions'][file_name]

        # Insert mock users, roles and assignments

        # Users
        user_2_db = UserDB(name='action_view_a1')
        user_2_db = User.add_or_update(user_2_db)
        self.users['action_view_a1'] = user_2_db

        # Roles

        # action_view on a1
        action_uid = self.models['actions']['a1.yaml'].get_uid()
        grant_db = PermissionGrantDB(resource_uid=action_uid,
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='action_view_a1', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['action_view_a1'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['action_view_a1'].name,
            role=self.roles['action_view_a1'].name,
            source='assignments/%s.yaml' % self.users['action_view_a1'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #44
0
    def _insert_common_mock_roles(self):
        # Insert common mock roles
        admin_role_db = rbac_services.get_role_by_name(name=SystemRole.ADMIN)
        observer_role_db = rbac_services.get_role_by_name(name=SystemRole.OBSERVER)
        self.roles['admin_role'] = admin_role_db
        self.roles['observer_role'] = observer_role_db

        # Custom role 1 - no grants
        role_1_db = rbac_services.create_role(name='custom_role_1')
        self.roles['custom_role_1'] = role_1_db

        # Custom role 2 - one grant on pack_1
        # "pack_create" on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.PACK_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='custom_role_pack_grant', permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['custom_role_pack_grant'] = role_3_db
    def _insert_common_mock_roles(self):
        # Insert common mock roles
        admin_role_db = rbac_service.get_role_by_name(name=SystemRole.ADMIN)
        observer_role_db = rbac_service.get_role_by_name(name=SystemRole.OBSERVER)
        self.roles['admin_role'] = admin_role_db
        self.roles['observer_role'] = observer_role_db

        # Custom role 1 - no grants
        role_1_db = rbac_service.create_role(name='custom_role_1')
        self.roles['custom_role_1'] = role_1_db

        # Custom role 2 - one grant on pack_1
        # "pack_create" on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.PACK_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='custom_role_pack_grant', permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['custom_role_pack_grant'] = role_3_db
Пример #46
0
def get_roles_for_user(user_db, include_remote=True):
    """
    Retrieve all the roles assigned to the provided user.

    :param user_db: User to retrieve the roles for.
    :type user_db: :class:`UserDB`

    :param include_remote: True to also include remote role assignments.
    :type include_remote: ``bool``

    :rtype: ``list`` of :class:`RoleDB`
    """
    if include_remote:
        queryset = UserRoleAssignment.query(user=user_db.name)
    else:
        # when upgrading from pre v2.3.0 when this field didn't exist yet
        # Note: We also include None for pre v2.3 when this field didn't exist yet
        queryset_filter = (Q(user=user_db.name) &
                           (Q(is_remote=False) | Q(is_remote__exists=False)))
        queryset = UserRoleAssignmentDB.objects(queryset_filter)

    role_names = queryset.only('role').scalar('role')
    result = Role.query(name__in=role_names)
    return result
Пример #47
0
    def sync_roles(self, role_definition_apis):
        """
        Synchronize all the role definitions in the database.

        :param role_dbs: RoleDB objects for the roles which are currently in the database.
        :type role_dbs: ``list`` of :class:`RoleDB`

        :param role_definition_apis: RoleDefinition API objects for the definitions loaded from
                                     the files.
        :type role_definition_apis: ``list`` of :class:RoleDefinitionFileFormatAPI`

        :rtype: ``tuple``
        """
        LOG.info('Synchronizing roles...')

        # Retrieve all the roles currently in the DB
        role_dbs = rbac_services.get_all_roles(exclude_system=True)

        role_db_names = [role_db.name for role_db in role_dbs]
        role_db_names = set(role_db_names)
        role_api_names = [
            role_definition_api.name
            for role_definition_api in role_definition_apis
        ]
        role_api_names = set(role_api_names)

        # A list of new roles which should be added to the database
        new_role_names = role_api_names.difference(role_db_names)

        # A list of roles which need to be updated in the database
        updated_role_names = role_db_names.intersection(role_api_names)

        # A list of roles which should be removed from the database
        removed_role_names = (role_db_names - role_api_names)

        LOG.debug('New roles: %r' % (new_role_names))
        LOG.debug('Updated roles: %r' % (updated_role_names))
        LOG.debug('Removed roles: %r' % (removed_role_names))

        # Build a list of roles to delete
        role_names_to_delete = updated_role_names.union(removed_role_names)
        role_dbs_to_delete = [
            role_db for role_db in role_dbs
            if role_db.name in role_names_to_delete
        ]

        # Build a list of roles to create
        role_names_to_create = new_role_names.union(updated_role_names)
        role_apis_to_create = [
            role_definition_api for role_definition_api in role_definition_apis
            if role_definition_api.name in role_names_to_create
        ]

        ########
        # 1. Remove obsolete roles and associated permission grants from the DB
        ########

        # Remove roles
        role_ids_to_delete = []
        for role_db in role_dbs_to_delete:
            role_ids_to_delete.append(role_db.id)

        LOG.debug('Deleting %s stale roles' % (len(role_ids_to_delete)))
        Role.query(id__in=role_ids_to_delete, system=False).delete()
        LOG.debug('Deleted %s stale roles' % (len(role_ids_to_delete)))

        # Remove associated permission grants
        permission_grant_ids_to_delete = []
        for role_db in role_dbs_to_delete:
            permission_grant_ids_to_delete.extend(role_db.permission_grants)

        LOG.debug('Deleting %s stale permission grants' %
                  (len(permission_grant_ids_to_delete)))
        PermissionGrant.query(id__in=permission_grant_ids_to_delete).delete()
        LOG.debug('Deleted %s stale permission grants' %
                  (len(permission_grant_ids_to_delete)))

        ########
        # 2. Add new / updated roles to the DB
        ########

        LOG.debug('Creating %s new roles' % (len(role_apis_to_create)))

        # Create new roles
        created_role_dbs = []
        for role_api in role_apis_to_create:
            role_db = rbac_services.create_role(
                name=role_api.name, description=role_api.description)

            # Create associated permission grants
            permission_grants = getattr(role_api, 'permission_grants', [])
            for permission_grant in permission_grants:
                resource_uid = permission_grant.get('resource_uid', None)

                if resource_uid:
                    resource_type, _ = parse_uid(resource_uid)
                else:
                    resource_type = None

                permission_types = permission_grant['permission_types']
                assignment_db = rbac_services.create_permission_grant(
                    role_db=role_db,
                    resource_uid=resource_uid,
                    resource_type=resource_type,
                    permission_types=permission_types)

                role_db.permission_grants.append(str(assignment_db.id))
            created_role_dbs.append(role_db)

        LOG.debug('Created %s new roles' % (len(created_role_dbs)))
        LOG.info('Roles synchronized (%s created, %s updated, %s removed)' %
                 (len(new_role_names), len(updated_role_names),
                  len(removed_role_names)))

        return [created_role_dbs, role_dbs_to_delete]
Пример #48
0
    def setUp(self):
        super(ExecutionPermissionsResolverTestCase, self).setUp()

        # Create some mock users
        user_1_db = UserDB(name='custom_role_unrelated_pack_action_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_unrelated_pack_action_grant'] = user_1_db

        user_2_db = UserDB(
            name='custom_role_pack_action_grant_unrelated_permission')
        user_2_db = User.add_or_update(user_2_db)
        self.users[
            'custom_role_pack_action_grant_unrelated_permission'] = user_2_db

        user_3_db = UserDB(name='custom_role_pack_action_view_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['custom_role_pack_action_view_grant'] = user_3_db

        user_4_db = UserDB(name='custom_role_action_view_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['custom_role_action_view_grant'] = user_4_db

        user_5_db = UserDB(name='custom_role_pack_action_execute_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['custom_role_pack_action_execute_grant'] = user_5_db

        user_6_db = UserDB(name='custom_role_action_execute_grant')
        user_6_db = User.add_or_update(user_6_db)
        self.users['custom_role_action_execute_grant'] = user_6_db

        user_7_db = UserDB(name='custom_role_pack_action_all_grant')
        user_7_db = User.add_or_update(user_7_db)
        self.users['custom_role_pack_action_all_grant'] = user_7_db

        user_8_db = UserDB(name='custom_role_action_all_grant')
        user_8_db = User.add_or_update(user_8_db)
        self.users['custom_role_action_all_grant'] = user_8_db

        user_9_db = UserDB(name='custom_role_execution_list_grant')
        user_9_db = User.add_or_update(user_5_db)
        self.users['custom_role_execution_list_grant'] = user_9_db

        # Create some mock resources on which permissions can be granted
        action_1_db = ActionDB(pack='test_pack_2',
                               name='action1',
                               entry_point='',
                               runner_type={'name': 'run-local'})
        action_1_db = Action.add_or_update(action_1_db)
        self.resources['action_1'] = action_1_db

        runner = {'name': 'run-python'}
        liveaction = {'action': 'test_pack_2.action1'}
        status = action_constants.LIVEACTION_STATUS_REQUESTED

        action = {'uid': action_1_db.get_uid(), 'pack': 'test_pack_2'}
        exec_1_db = ActionExecutionDB(action=action,
                                      runner=runner,
                                      liveaction=liveaction,
                                      status=status)
        exec_1_db = ActionExecution.add_or_update(exec_1_db)
        self.resources['exec_1'] = exec_1_db

        # Create some mock roles with associated permission grants
        # Custom role - one grant to an unrelated pack
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_unrelated_pack_action_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_unrelated_pack_action_grant'] = role_db

        # Custom role - one grant of unrelated permission type to parent action pack
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_2'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(
            name='custom_role_pack_action_grant_unrelated_permission',
            permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles[
            'custom_role_pack_action_grant_unrelated_permission'] = role_db

        # Custom role - one grant of "action_view" to the parent pack of the action the execution
        # belongs to
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_2'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_pack_action_view_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_pack_action_view_grant'] = role_db

        # Custom role - one grant of "action_view" to the action the execution belongs to
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['action_1'].get_uid(),
            resource_type=ResourceType.ACTION,
            permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_action_view_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_action_view_grant'] = role_db

        # Custom role - one grant of "action_execute" to the parent pack of the action the
        # execution belongs to
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_2'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.ACTION_EXECUTE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_pack_action_execute_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_pack_action_execute_grant'] = role_db

        # Custom role - one grant of "action_execute" to the the action the execution belongs to
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['action_1'].get_uid(),
            resource_type=ResourceType.ACTION,
            permission_types=[PermissionType.ACTION_EXECUTE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_action_execute_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_action_execute_grant'] = role_db

        # Custom role - "action_all" grant on a parent action pack the execution belongs to
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_2'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_pack_action_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_pack_action_all_grant'] = role_4_db

        # Custom role - "action_all" grant on action the execution belongs to
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['action_1'].get_uid(),
            resource_type=ResourceType.ACTION,
            permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_action_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_action_all_grant'] = role_4_db

        # Custom role - "execution_list" grant
        grant_db = PermissionGrantDB(
            resource_uid=None,
            resource_type=None,
            permission_types=[PermissionType.EXECUTION_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_5_db = RoleDB(name='custom_role_execution_list_grant',
                           permission_grants=permission_grants)
        role_5_db = Role.add_or_update(role_5_db)
        self.roles['custom_role_execution_list_grant'] = role_5_db

        # Create some mock role assignments
        user_db = self.users['custom_role_unrelated_pack_action_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_unrelated_pack_action_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users[
            'custom_role_pack_action_grant_unrelated_permission']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.
            roles['custom_role_pack_action_grant_unrelated_permission'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_action_view_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_action_view_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_view_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_action_view_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_action_execute_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_action_execute_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_execute_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_action_execute_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_action_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_action_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_execution_list_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_execution_list_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #49
0
    def _sync_user_role_assignments(self, user_db, role_assignment_dbs,
                                    role_assignment_apis):
        """
        Synchronize role assignments for a particular user.

        :param user_db: User to synchronize the assignments for.
        :type user_db: :class:`UserDB`

        :param role_assignment_dbs: Existing user role assignments.
        :type role_assignment_dbs: ``list`` of :class:`UserRoleAssignmentDB`

        :param role_assignment_apis: List of user role assignments to apply.
        :param role_assignment_apis: ``list`` of :class:`UserRoleAssignmentFileFormatAPI`

        :rtype: ``tuple``
        """
        db_roles = set([(entry.role, entry.source)
                        for entry in role_assignment_dbs])

        api_roles = [
            list(izip_longest(entry.roles, [], fillvalue=entry.file_path))
            for entry in role_assignment_apis
        ]

        api_roles = set(list(chain.from_iterable(api_roles)))

        # A list of new assignments which should be added to the database
        new_roles = api_roles.difference(db_roles)

        # A list of assignments which need to be updated in the database
        updated_roles = db_roles.intersection(api_roles)

        # A list of assignments which should be removed from the database
        removed_roles = (db_roles - api_roles)

        LOG.debug('New assignments for user "%s": %r' %
                  (user_db.name, new_roles))
        LOG.debug('Updated assignments for user "%s": %r' %
                  (user_db.name, updated_roles))
        LOG.debug('Removed assignments for user "%s": %r' %
                  (user_db.name, removed_roles))

        # Build a list of role assignments to delete
        roles_to_delete = updated_roles.union(removed_roles)

        role_assignment_dbs_to_delete = [
            role_assignment_db for role_assignment_db in role_assignment_dbs
            if (role_assignment_db.role,
                role_assignment_db.source) in roles_to_delete
        ]

        for role_name, assignment_source in roles_to_delete:
            queryset_filter = (
                Q(user=user_db.name) & Q(role=role_name)
                & Q(source=assignment_source) &
                (Q(is_remote=False) | Q(is_remote__exists=False)))

            UserRoleAssignmentDB.objects(queryset_filter).delete()

            LOG.debug('Removed role "%s" from "%s" for user "%s".' %
                      (role_name, assignment_source, user_db.name))

        # Build a list of roles assignments to create
        roles_to_create = new_roles.union(updated_roles)
        created_role_assignment_dbs = []

        for role_name, assignment_source in roles_to_create:
            role_db = Role.get(name=role_name)
            if not role_db:
                msg = 'Role "%s" referenced in assignment file "%s" doesn\'t exist'
                raise ValueError(msg % (role_name, assignment_source))

            role_assignment_api = [
                r for r in role_assignment_apis
                if r.file_path == assignment_source
            ][0]
            description = getattr(role_assignment_api, 'description', None)

            assignment_db = rbac_services.assign_role_to_user(
                role_db=role_db,
                user_db=user_db,
                source=assignment_source,
                description=description)

            created_role_assignment_dbs.append(assignment_db)

            LOG.debug('Assigned role "%s" from "%s" for user "%s".' %
                      (role_name, assignment_source, user_db.name))

        return (created_role_assignment_dbs, role_assignment_dbs_to_delete)
Пример #50
0
    def setUp(self):
        super(TraceControllerRBACTestCase, self).setUp()
        self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
                                                               fixtures_dict=TEST_FIXTURES)

        file_name = 'trace_for_test_enforce.yaml'
        TraceControllerRBACTestCase.TRACE_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'traces': [file_name]})['traces'][file_name]

        file_name = 'trace_for_test_enforce_2.yaml'
        TraceControllerRBACTestCase.TRACE_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'traces': [file_name]})['traces'][file_name]

        file_name = 'trace_for_test_enforce_3.yaml'
        TraceControllerRBACTestCase.TRACE_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'traces': [file_name]})['traces'][file_name]

        # Insert mock users, roles and assignments

        # Users
        user_1_db = UserDB(name='trace_list')
        user_1_db = User.add_or_update(user_1_db)
        self.users['trace_list'] = user_1_db

        user_2_db = UserDB(name='trace_view')
        user_2_db = User.add_or_update(user_2_db)
        self.users['trace_view'] = user_2_db

        # Roles
        # trace_list
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=ResourceType.TRACE,
                                     permission_types=[PermissionType.TRACE_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='trace_list', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['trace_list'] = role_1_db

        # trace_view on trace 1
        trace_uid = self.models['traces']['trace_for_test_enforce.yaml'].get_uid()
        grant_db = PermissionGrantDB(resource_uid=trace_uid,
                                     resource_type=ResourceType.TRACE,
                                     permission_types=[PermissionType.TRACE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='trace_view', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['trace_view'] = role_1_db

        # Role assignments
        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['trace_list'].name,
            role=self.roles['trace_list'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        role_assignment_db = UserRoleAssignmentDB(
            user=self.users['trace_view'].name,
            role=self.roles['trace_view'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #51
0
    def setUp(self):
        super(InquiryRBACControllerTestCase, self).setUp()

        self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
                                                 fixtures_dict=TEST_FIXTURES)

        # Insert mock users, roles and assignments
        assignments = {
            "user_get_db": {
                "roles": ["role_get"],
                "permissions": [PermissionType.INQUIRY_VIEW],
                "resource_type": ResourceType.INQUIRY,
                "resource_uid": 'inquiry'
            },
            "user_list_db": {
                "roles": ["role_list"],
                "permissions": [PermissionType.INQUIRY_LIST],
                "resource_type": ResourceType.INQUIRY,
                "resource_uid": 'inquiry'
            },
            "user_respond_db": {
                "roles": ["role_respond"],
                "permissions": [PermissionType.INQUIRY_RESPOND],
                "resource_type": ResourceType.INQUIRY,
                "resource_uid": 'inquiry'
            },
            "user_respond_paramtest": {
                "roles": ["role_respond_2"],
                "permissions": [PermissionType.INQUIRY_RESPOND],
                "resource_type": ResourceType.INQUIRY,
                "resource_uid": 'inquiry'
            },
            "user_respond_inherit": {
                "roles": ["role_inherit"],
                "permissions": [PermissionType.ACTION_EXECUTE],
                "resource_type": ResourceType.ACTION,
                "resource_uid": 'action:wolfpack:inquiry-workflow'
            }

        }

        # Create users
        for user in assignments.keys():
            user_db = UserDB(name=user)
            user_db = User.add_or_update(user_db)
            self.users[user] = user_db

        # Create grants and assign to roles
        for assignment_details in assignments.values():

            grant_db = PermissionGrantDB(
                permission_types=assignment_details["permissions"],
                resource_uid=assignment_details["resource_uid"],
                resource_type=assignment_details["resource_type"]
            )
            grant_db = PermissionGrant.add_or_update(grant_db)
            permission_grants = [str(grant_db.id)]

            for role in assignment_details["roles"]:
                role_db = RoleDB(name=role, permission_grants=permission_grants)
                Role.add_or_update(role_db)

        # Assign users to roles
        for user_name, assignment_details in assignments.items():
            user_db = self.users[user_name]

            for role in assignment_details['roles']:
                role_assignment_db = UserRoleAssignmentDB(
                    user=user_db.name,
                    role=role,
                    source='assignments/%s.yaml' % user_db.name)
                UserRoleAssignment.add_or_update(role_assignment_db)

        # Create Inquiry
        data = {
            'action': 'wolfpack.ask',
            'parameters': {
                "roles": [
                    'role_respond'
                ]
            }
        }

        result = {
            "schema": SCHEMA_DEFAULT,
            "roles": ['role_respond'],
            "users": [],
            "route": "",
            "ttl": 1440
        }

        result_default = {
            "schema": SCHEMA_DEFAULT,
            "roles": [],
            "users": [],
            "route": "",
            "ttl": 1440
        }

        # Use admin user for creating test objects
        user_db = self.users['admin']
        self.use_user(user_db)

        # Create workflow
        wf_data = {
            'action': 'wolfpack.inquiry-workflow'
        }
        post_resp = self.app.post_json('/v1/executions', wf_data)
        wf_id = str(post_resp.json.get('id'))

        inquiry_with_parent = {
            'action': 'wolfpack.ask',
            # 'parameters': {},
            'context': {
                "parent": {
                    'execution_id': wf_id
                }
            }
        }

        resp = self._do_create_inquiry(data, result)
        self.assertEqual(resp.status_int, http_client.OK)
        self.inquiry_id = resp.json.get('id')
        # Validated expected context for inquiries under RBAC
        expected_context = {
            'pack': 'wolfpack',
            'user': '******',
            'rbac': {
                'user': '******',
                'roles': ['admin']
            }
        }
        self.assertEqual(resp.json['context'], expected_context)

        # Create inquiry in workflow
        resp = self._do_create_inquiry(inquiry_with_parent, result_default)
        self.assertEqual(resp.status_int, http_client.OK)
        self.inquiry_inherit_id = resp.json.get('id')
        # Validated expected context for inquiries under RBAC
        expected_context = {
            'pack': 'wolfpack',
            'parent': {
                'execution_id': wf_id
            },
            'user': '******',
            'rbac': {
                'user': '******',
                'roles': ['admin']
            }
        }
        self.assertEqual(resp.json['context'], expected_context)
Пример #52
0
    def sync_roles(self, role_definition_apis):
        """
        Synchronize all the role definitions in the database.

        :param role_dbs: RoleDB objects for the roles which are currently in the database.
        :type role_dbs: ``list`` of :class:`RoleDB`

        :param role_definition_apis: RoleDefinition API objects for the definitions loaded from
                                     the files.
        :type role_definition_apis: ``list`` of :class:RoleDefinitionFileFormatAPI`

        :rtype: ``tuple``
        """
        LOG.info("Synchronizing roles...")

        # Retrieve all the roles currently in the DB
        role_dbs = rbac_services.get_all_roles(exclude_system=True)

        role_db_names = [role_db.name for role_db in role_dbs]
        role_db_names = set(role_db_names)
        role_api_names = [role_definition_api.name for role_definition_api in role_definition_apis]
        role_api_names = set(role_api_names)

        # A list of new roles which should be added to the database
        new_role_names = role_api_names.difference(role_db_names)

        # A list of roles which need to be updated in the database
        updated_role_names = role_db_names.intersection(role_api_names)

        # A list of roles which should be removed from the database
        removed_role_names = role_db_names - role_api_names

        LOG.debug("New roles: %r" % (new_role_names))
        LOG.debug("Updated roles: %r" % (updated_role_names))
        LOG.debug("Removed roles: %r" % (removed_role_names))

        # Build a list of roles to delete
        role_names_to_delete = updated_role_names.union(removed_role_names)
        role_dbs_to_delete = [role_db for role_db in role_dbs if role_db.name in role_names_to_delete]

        # Build a list of roles to create
        role_names_to_create = new_role_names.union(updated_role_names)
        role_apis_to_create = [
            role_definition_api
            for role_definition_api in role_definition_apis
            if role_definition_api.name in role_names_to_create
        ]

        ########
        # 1. Remove obsolete roles and associated permission grants from the DB
        ########

        # Remove roles
        role_ids_to_delete = []
        for role_db in role_dbs_to_delete:
            role_ids_to_delete.append(role_db.id)

        LOG.debug("Deleting %s stale roles" % (len(role_ids_to_delete)))
        Role.query(id__in=role_ids_to_delete, system=False).delete()
        LOG.debug("Deleted %s stale roles" % (len(role_ids_to_delete)))

        # Remove associated permission grants
        permission_grant_ids_to_delete = []
        for role_db in role_dbs_to_delete:
            permission_grant_ids_to_delete.extend(role_db.permission_grants)

        LOG.debug("Deleting %s stale permission grants" % (len(permission_grant_ids_to_delete)))
        PermissionGrant.query(id__in=permission_grant_ids_to_delete).delete()
        LOG.debug("Deleted %s stale permission grants" % (len(permission_grant_ids_to_delete)))

        ########
        # 2. Add new / updated roles to the DB
        ########

        LOG.debug("Creating %s new roles" % (len(role_apis_to_create)))

        # Create new roles
        created_role_dbs = []
        for role_api in role_apis_to_create:
            role_db = rbac_services.create_role(name=role_api.name, description=role_api.description)

            # Create associated permission grants
            for permission_grant in role_api.permission_grants:
                resource_uid = permission_grant["resource_uid"]
                resource_type, _ = parse_uid(resource_uid)
                permission_types = permission_grant["permission_types"]
                assignment_db = rbac_services.create_permission_grant(
                    role_db=role_db,
                    resource_uid=resource_uid,
                    resource_type=resource_type,
                    permission_types=permission_types,
                )

                role_db.permission_grants.append(str(assignment_db.id))
            created_role_dbs.append(role_db)

        LOG.debug("Created %s new roles" % (len(created_role_dbs)))
        LOG.info(
            "Roles synchronized (%s created, %s updated, %s removed)"
            % (len(new_role_names), len(updated_role_names), len(removed_role_names))
        )

        return [created_role_dbs, role_dbs_to_delete]
Пример #53
0
    def setUp(self):
        super(RulePermissionsResolverTestCase, self).setUp()

        # Create some mock users
        user_1_db = UserDB(name='1_role_rule_pack_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_rule_pack_grant'] = user_1_db

        user_2_db = UserDB(name='1_role_rule_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_rule_grant'] = user_2_db

        user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['custom_role_pack_rule_all_grant'] = user_3_db

        user_4_db = UserDB(name='custom_role_rule_all_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['custom_role_rule_all_grant'] = user_4_db

        user_5_db = UserDB(name='custom_role_rule_modify_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['custom_role_rule_modify_grant'] = user_5_db

        # Create some mock resources on which permissions can be granted
        rule_1_db = RuleDB(pack='test_pack_1', name='rule1')
        rule_1_db = Rule.add_or_update(rule_1_db)
        self.resources['rule_1'] = rule_1_db

        rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
        rule_2_db = Rule.add_or_update(rule_2_db)
        self.resources['rule_2'] = rule_2_db

        rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
        rule_3_db = Rule.add_or_update(rule_3_db)
        self.resources['rule_3'] = rule_3_db

        # Create some mock roles with associated permission grants
        # Custom role 2 - one grant on parent pack
        # "rule_view" on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='custom_role_rule_pack_grant',
                           permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['custom_role_rule_pack_grant'] = role_3_db

        # Custom role 4 - one grant on rule
        # "rule_view on rule_3
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_3'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_grant'] = role_4_db

        # Custom role - "rule_all" grant on a parent rule pack
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_pack_rule_all_grant'] = role_4_db

        # Custom role - "rule_all" grant on a rule
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_all_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_all_grant'] = role_4_db

        # Custom role - "rule_modify" on role_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_MODIFY])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_5_db = RoleDB(name='custom_role_rule_modify_grant',
                           permission_grants=permission_grants)
        role_5_db = Role.add_or_update(role_5_db)
        self.roles['custom_role_rule_modify_grant'] = role_5_db

        # Create some mock role assignments
        user_db = self.users['custom_role_rule_pack_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_pack_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_grant']
        role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
                                                  role=self.roles['custom_role_rule_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_modify_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_modify_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #54
0
    def setUp(self):
        super(RulePermissionsResolverTestCase, self).setUp()

        # Register internal triggers - this is needed so we can reference an internal trigger
        # inside a mock rule
        register_internal_trigger_types()

        # Create some mock users
        user_1_db = UserDB(name='1_role_rule_pack_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_rule_pack_grant'] = user_1_db

        user_2_db = UserDB(name='1_role_rule_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_rule_grant'] = user_2_db

        user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['custom_role_pack_rule_all_grant'] = user_3_db

        user_4_db = UserDB(name='custom_role_rule_all_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['custom_role_rule_all_grant'] = user_4_db

        user_5_db = UserDB(name='custom_role_rule_modify_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['custom_role_rule_modify_grant'] = user_5_db

        user_6_db = UserDB(name='rule_pack_rule_create_grant')
        user_6_db = User.add_or_update(user_6_db)
        self.users['rule_pack_rule_create_grant'] = user_6_db

        user_7_db = UserDB(name='rule_pack_rule_all_grant')
        user_7_db = User.add_or_update(user_7_db)
        self.users['rule_pack_rule_all_grant'] = user_7_db

        user_8_db = UserDB(name='rule_rule_create_grant')
        user_8_db = User.add_or_update(user_8_db)
        self.users['rule_rule_create_grant'] = user_8_db

        user_9_db = UserDB(name='rule_rule_all_grant')
        user_9_db = User.add_or_update(user_9_db)
        self.users['rule_rule_all_grant'] = user_9_db

        # Create some mock resources on which permissions can be granted
        rule_1_db = RuleDB(pack='test_pack_1',
                           name='rule1',
                           action={'ref': 'core.local'},
                           trigger='core.st2.key_value_pair.create')
        rule_1_db = Rule.add_or_update(rule_1_db)
        self.resources['rule_1'] = rule_1_db

        rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
        rule_2_db = Rule.add_or_update(rule_2_db)
        self.resources['rule_2'] = rule_2_db

        rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
        rule_3_db = Rule.add_or_update(rule_3_db)
        self.resources['rule_3'] = rule_3_db

        # Create some mock roles with associated permission grants
        # Custom role 2 - one grant on parent pack
        # "rule_view" on pack_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='custom_role_rule_pack_grant',
                           permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['custom_role_rule_pack_grant'] = role_3_db

        # Custom role 4 - one grant on rule
        # "rule_view on rule_3
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_3'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_grant'] = role_4_db

        # Custom role - "rule_all" grant on a parent rule pack
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_pack_rule_all_grant'] = role_4_db

        # Custom role - "rule_all" grant on a rule
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_all_grant'] = role_4_db

        # Custom role - "rule_modify" on role_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_MODIFY])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_5_db = RoleDB(name='custom_role_rule_modify_grant',
                           permission_grants=permission_grants)
        role_5_db = Role.add_or_update(role_5_db)
        self.roles['custom_role_rule_modify_grant'] = role_5_db

        # Custom role - "rule_create" grant on pack_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_6_db = RoleDB(name='rule_pack_rule_create_grant',
                           permission_grants=permission_grants)
        role_6_db = Role.add_or_update(role_6_db)
        self.roles['rule_pack_rule_create_grant'] = role_6_db

        # Custom role - "rule_all" grant on pack_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['pack_1'].get_uid(),
            resource_type=ResourceType.PACK,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_7_db = RoleDB(name='rule_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_7_db = Role.add_or_update(role_7_db)
        self.roles['rule_pack_rule_all_grant'] = role_7_db

        # Custom role - "rule_create" grant on rule_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_8_db = RoleDB(name='rule_rule_create_grant',
                           permission_grants=permission_grants)
        role_8_db = Role.add_or_update(role_8_db)
        self.roles['rule_rule_create_grant'] = role_8_db

        # Custom role - "rule_all" grant on rule_1
        grant_db = PermissionGrantDB(
            resource_uid=self.resources['rule_1'].get_uid(),
            resource_type=ResourceType.RULE,
            permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_9_db = RoleDB(name='rule_rule_all_grant',
                           permission_grants=permission_grants)
        role_9_db = Role.add_or_update(role_9_db)
        self.roles['rule_rule_all_grant'] = role_9_db

        # Create some mock role assignments
        user_db = self.users['custom_role_rule_pack_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_pack_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_rule_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_modify_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_modify_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_pack_rule_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_pack_rule_create_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_pack_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_rule_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['rule_rule_create_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['rule_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #55
0
    def setUp(self):
        super(ActionPermissionsResolverTestCase, self).setUp()

        # Create some mock users
        user_1_db = UserDB(name='1_role_action_pack_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_action_pack_grant'] = user_1_db

        user_2_db = UserDB(name='1_role_action_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_action_grant'] = user_2_db

        user_3_db = UserDB(name='custom_role_pack_action_all_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['custom_role_pack_action_all_grant'] = user_3_db

        user_4_db = UserDB(name='custom_role_action_all_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['custom_role_action_all_grant'] = user_4_db

        user_5_db = UserDB(name='custom_role_action_execute_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['custom_role_action_execute_grant'] = user_5_db

        user_6_db = UserDB(name='action_pack_action_create_grant')
        user_6_db = User.add_or_update(user_6_db)
        self.users['action_pack_action_create_grant'] = user_6_db

        user_7_db = UserDB(name='action_pack_action_all_grant')
        user_7_db = User.add_or_update(user_7_db)
        self.users['action_pack_action_all_grant'] = user_7_db

        user_8_db = UserDB(name='action_action_create_grant')
        user_8_db = User.add_or_update(user_8_db)
        self.users['action_action_create_grant'] = user_8_db

        user_9_db = UserDB(name='action_action_all_grant')
        user_9_db = User.add_or_update(user_9_db)
        self.users['action_action_all_grant'] = user_9_db

        user_10_db = UserDB(name='custom_role_action_list_grant')
        user_10_db = User.add_or_update(user_10_db)
        self.users['custom_role_action_list_grant'] = user_10_db

        # Create some mock resources on which permissions can be granted
        action_1_db = ActionDB(pack='test_pack_1', name='action1', entry_point='',
                               runner_type={'name': 'local-shell-cmd'})
        action_1_db = Action.add_or_update(action_1_db)
        self.resources['action_1'] = action_1_db

        action_2_db = ActionDB(pack='test_pack_1', name='action2', entry_point='',
                               runner_type={'name': 'local-shell-cmd'})
        action_2_db = Action.add_or_update(action_1_db)
        self.resources['action_2'] = action_2_db

        action_3_db = ActionDB(pack='test_pack_2', name='action3', entry_point='',
                               runner_type={'name': 'local-shell-cmd'})
        action_3_db = Action.add_or_update(action_3_db)
        self.resources['action_3'] = action_3_db

        # Create some mock roles with associated permission grants
        # Custom role 2 - one grant on parent pack
        # "action_view" on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='custom_role_action_pack_grant',
                           permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['custom_role_action_pack_grant'] = role_3_db

        # Custom role 4 - one grant on action
        # "action_view" on action_3
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_3'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_action_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_action_grant'] = role_4_db

        # Custom role - "action_all" grant on a parent action pack
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_pack_action_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_pack_action_all_grant'] = role_4_db

        # Custom role - "action_all" grant on action
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_action_all_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_action_all_grant'] = role_4_db

        # Custom role - "action_execute" on action_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_EXECUTE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_5_db = RoleDB(name='custom_role_action_execute_grant',
                           permission_grants=permission_grants)
        role_5_db = Role.add_or_update(role_5_db)
        self.roles['custom_role_action_execute_grant'] = role_5_db

        # Custom role - "action_create" grant on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_6_db = RoleDB(name='action_pack_action_create_grant',
                           permission_grants=permission_grants)
        role_6_db = Role.add_or_update(role_6_db)
        self.roles['action_pack_action_create_grant'] = role_6_db

        # Custom role - "action_all" grant on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_7_db = RoleDB(name='action_pack_action_all_grant',
                           permission_grants=permission_grants)
        role_7_db = Role.add_or_update(role_7_db)
        self.roles['action_pack_action_all_grant'] = role_7_db

        # Custom role - "action_create" grant on action_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_8_db = RoleDB(name='action_action_create_grant',
                           permission_grants=permission_grants)
        role_8_db = Role.add_or_update(role_8_db)
        self.roles['action_action_create_grant'] = role_8_db

        # Custom role - "action_all" grant on action_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_9_db = RoleDB(name='action_action_all_grant',
                           permission_grants=permission_grants)
        role_9_db = Role.add_or_update(role_9_db)
        self.roles['action_action_all_grant'] = role_9_db

        # Custom role - "action_list" grant
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=None,
                                     permission_types=[PermissionType.ACTION_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_10_db = RoleDB(name='custom_role_action_list_grant',
                           permission_grants=permission_grants)
        role_10_db = Role.add_or_update(role_10_db)
        self.roles['custom_role_action_list_grant'] = role_10_db

        # Create some mock role assignments
        user_db = self.users['custom_role_action_pack_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_action_pack_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_action_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_pack_action_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_action_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_execute_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_action_execute_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['action_pack_action_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['action_pack_action_create_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['action_pack_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['action_pack_action_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['action_action_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['action_action_create_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['action_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['action_action_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_list_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_action_list_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #56
0
    def setUp(self):
        super(ExecutionPermissionsResolverTestCase, self).setUp()

        # Create some mock users
        user_1_db = UserDB(name='custom_role_unrelated_pack_action_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_unrelated_pack_action_grant'] = user_1_db

        user_2_db = UserDB(name='custom_role_pack_action_grant_unrelated_permission')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_pack_action_grant_unrelated_permission'] = user_2_db

        user_3_db = UserDB(name='custom_role_pack_action_view_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['custom_role_pack_action_view_grant'] = user_3_db

        user_4_db = UserDB(name='custom_role_action_view_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['custom_role_action_view_grant'] = user_4_db

        user_5_db = UserDB(name='custom_role_pack_action_execute_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['custom_role_pack_action_execute_grant'] = user_5_db

        user_6_db = UserDB(name='custom_role_action_execute_grant')
        user_6_db = User.add_or_update(user_6_db)
        self.users['custom_role_action_execute_grant'] = user_6_db

        user_7_db = UserDB(name='custom_role_pack_action_all_grant')
        user_7_db = User.add_or_update(user_7_db)
        self.users['custom_role_pack_action_all_grant'] = user_7_db

        user_8_db = UserDB(name='custom_role_action_all_grant')
        user_8_db = User.add_or_update(user_8_db)
        self.users['custom_role_action_all_grant'] = user_8_db

        # Create some mock resources on which permissions can be granted
        action_1_db = ActionDB(pack='test_pack_2', name='action1', entry_point='',
                               runner_type={'name': 'run-local'})
        action_1_db = Action.add_or_update(action_1_db)
        self.resources['action_1'] = action_1_db

        runner = {'name': 'run-python'}
        liveaction = {'action': 'test_pack_2.action1'}
        status = action_constants.LIVEACTION_STATUS_REQUESTED

        action = {'uid': action_1_db.get_uid(), 'pack': 'test_pack_2'}
        exec_1_db = ActionExecutionDB(action=action, runner=runner, liveaction=liveaction,
                                      status=status)
        exec_1_db = ActionExecution.add_or_update(exec_1_db)
        self.resources['exec_1'] = exec_1_db

        # Create some mock roles with associated permission grants
        # Custom role - one grant to an unrelated pack
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_unrelated_pack_action_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_unrelated_pack_action_grant'] = role_db

        # Custom role - one grant of unrelated permission type to parent action pack
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_2'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_pack_action_grant_unrelated_permission',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_pack_action_grant_unrelated_permission'] = role_db

        # Custom role - one grant of "action_view" to the parent pack of the action the execution
        # belongs to
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_2'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_pack_action_view_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_pack_action_view_grant'] = role_db

        # Custom role - one grant of "action_view" to the action the execution belongs to
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_action_view_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_action_view_grant'] = role_db

        # Custom role - one grant of "action_execute" to the parent pack of the action the
        # execution belongs to
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_2'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_EXECUTE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_pack_action_execute_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_pack_action_execute_grant'] = role_db

        # Custom role - one grant of "action_execute" to the the action the execution belongs to
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_EXECUTE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_db = RoleDB(name='custom_role_action_execute_grant',
                         permission_grants=permission_grants)
        role_db = Role.add_or_update(role_db)
        self.roles['custom_role_action_execute_grant'] = role_db

        # Custom role - "action_all" grant on a parent action pack the execution belongs to
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_2'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_pack_action_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_pack_action_all_grant'] = role_4_db

        # Custom role - "action_all" grant on action the execution belongs to
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_action_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_action_all_grant'] = role_4_db

        # Create some mock role assignments
        user_db = self.users['custom_role_unrelated_pack_action_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_unrelated_pack_action_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_action_grant_unrelated_permission']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_action_grant_unrelated_permission'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_action_view_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_action_view_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_view_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_action_view_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_action_execute_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_action_execute_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_execute_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_action_execute_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_action_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_action_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #57
0
    def setUp(self):
        super(ActionPermissionsResolverTestCase, self).setUp()

        # Create some mock users
        user_1_db = UserDB(name='1_role_action_pack_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_action_pack_grant'] = user_1_db

        user_2_db = UserDB(name='1_role_action_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_action_grant'] = user_2_db

        user_3_db = UserDB(name='custom_role_pack_action_all_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['custom_role_pack_action_all_grant'] = user_3_db

        user_4_db = UserDB(name='custom_role_action_all_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['custom_role_action_all_grant'] = user_4_db

        user_5_db = UserDB(name='custom_role_action_execute_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['custom_role_action_execute_grant'] = user_5_db

        user_6_db = UserDB(name='action_pack_action_create_grant')
        user_6_db = User.add_or_update(user_6_db)
        self.users['action_pack_action_create_grant'] = user_6_db

        user_7_db = UserDB(name='action_pack_action_all_grant')
        user_7_db = User.add_or_update(user_7_db)
        self.users['action_pack_action_all_grant'] = user_7_db

        user_8_db = UserDB(name='action_action_create_grant')
        user_8_db = User.add_or_update(user_8_db)
        self.users['action_action_create_grant'] = user_8_db

        user_9_db = UserDB(name='action_action_all_grant')
        user_9_db = User.add_or_update(user_9_db)
        self.users['action_action_all_grant'] = user_9_db

        user_10_db = UserDB(name='custom_role_action_list_grant')
        user_10_db = User.add_or_update(user_10_db)
        self.users['custom_role_action_list_grant'] = user_10_db

        # Create some mock resources on which permissions can be granted
        action_1_db = ActionDB(pack='test_pack_1', name='action1', entry_point='',
                               runner_type={'name': 'run-local'})
        action_1_db = Action.add_or_update(action_1_db)
        self.resources['action_1'] = action_1_db

        action_2_db = ActionDB(pack='test_pack_1', name='action2', entry_point='',
                               runner_type={'name': 'run-local'})
        action_2_db = Action.add_or_update(action_1_db)
        self.resources['action_2'] = action_2_db

        action_3_db = ActionDB(pack='test_pack_2', name='action3', entry_point='',
                               runner_type={'name': 'run-local'})
        action_3_db = Action.add_or_update(action_3_db)
        self.resources['action_3'] = action_3_db

        # Create some mock roles with associated permission grants
        # Custom role 2 - one grant on parent pack
        # "action_view" on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='custom_role_action_pack_grant',
                           permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['custom_role_action_pack_grant'] = role_3_db

        # Custom role 4 - one grant on action
        # "action_view" on action_3
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_3'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_action_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_action_grant'] = role_4_db

        # Custom role - "action_all" grant on a parent action pack
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_pack_action_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_pack_action_all_grant'] = role_4_db

        # Custom role - "action_all" grant on action
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_action_all_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_action_all_grant'] = role_4_db

        # Custom role - "action_execute" on action_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_EXECUTE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_5_db = RoleDB(name='custom_role_action_execute_grant',
                           permission_grants=permission_grants)
        role_5_db = Role.add_or_update(role_5_db)
        self.roles['custom_role_action_execute_grant'] = role_5_db

        # Custom role - "action_create" grant on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_6_db = RoleDB(name='action_pack_action_create_grant',
                           permission_grants=permission_grants)
        role_6_db = Role.add_or_update(role_6_db)
        self.roles['action_pack_action_create_grant'] = role_6_db

        # Custom role - "action_all" grant on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_7_db = RoleDB(name='action_pack_action_all_grant',
                           permission_grants=permission_grants)
        role_7_db = Role.add_or_update(role_7_db)
        self.roles['action_pack_action_all_grant'] = role_7_db

        # Custom role - "action_create" grant on action_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_8_db = RoleDB(name='action_action_create_grant',
                           permission_grants=permission_grants)
        role_8_db = Role.add_or_update(role_8_db)
        self.roles['action_action_create_grant'] = role_8_db

        # Custom role - "action_all" grant on action_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(),
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_9_db = RoleDB(name='action_action_all_grant',
                           permission_grants=permission_grants)
        role_9_db = Role.add_or_update(role_9_db)
        self.roles['action_action_all_grant'] = role_9_db

        # Custom role - "action_list" grant
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=None,
                                     permission_types=[PermissionType.ACTION_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_10_db = RoleDB(name='custom_role_action_list_grant',
                           permission_grants=permission_grants)
        role_10_db = Role.add_or_update(role_10_db)
        self.roles['custom_role_action_list_grant'] = role_10_db

        # Create some mock role assignments
        user_db = self.users['custom_role_action_pack_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_action_pack_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_action_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_pack_action_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_action_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_execute_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_action_execute_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['action_pack_action_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['action_pack_action_create_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['action_pack_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['action_pack_action_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['action_action_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['action_action_create_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['action_action_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['action_action_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_action_list_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['custom_role_action_list_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)
Пример #58
0
    def setUp(self):
        super(RuleControllerRBACTestCase, self).setUp()
        self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK,
                                                fixtures_dict=TEST_FIXTURES)

        file_name = 'rule_with_webhook_trigger.yaml'
        RuleControllerRBACTestCase.RULE_1 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'rules': [file_name]})['rules'][file_name]

        file_name = 'rule_example_pack.yaml'
        RuleControllerRBACTestCase.RULE_2 = self.fixtures_loader.load_fixtures(
            fixtures_pack=FIXTURES_PACK,
            fixtures_dict={'rules': [file_name]})['rules'][file_name]

        # Insert mock users, roles and assignments
        self = self
        self.users = {}
        self.roles = {}

        # Users
        user_1_db = UserDB(name='rule_create')
        user_1_db = User.add_or_update(user_1_db)
        self.users['rule_create'] = user_1_db

        user_2_db = UserDB(name='rule_create_webhook_create')
        user_2_db = User.add_or_update(user_2_db)
        self.users['rule_create_webhook_create'] = user_2_db

        user_3_db = UserDB(name='rule_create_webhook_create_core_local_execute')
        user_3_db = User.add_or_update(user_3_db)
        self.users['rule_create_webhook_create_core_local_execute'] = user_3_db

        # Roles
        # rule_create grant on parent pack
        grant_db = PermissionGrantDB(resource_uid='pack:examples',
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_1_db = RoleDB(name='rule_create', permission_grants=permission_grants)
        role_1_db = Role.add_or_update(role_1_db)
        self.roles['rule_create'] = role_1_db

        # rule_create grant on parent pack, webhook_create on webhook "sample"
        grant_1_db = PermissionGrantDB(resource_uid='pack:examples',
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_CREATE])
        grant_1_db = PermissionGrant.add_or_update(grant_1_db)
        grant_2_db = PermissionGrantDB(resource_uid='webhook:sample',
                                     resource_type=ResourceType.WEBHOOK,
                                     permission_types=[PermissionType.WEBHOOK_CREATE])
        grant_2_db = PermissionGrant.add_or_update(grant_2_db)
        permission_grants = [str(grant_1_db.id), str(grant_2_db.id)]
        role_2_db = RoleDB(name='rule_create_webhook_create', permission_grants=permission_grants)
        role_2_db = Role.add_or_update(role_2_db)
        self.roles['rule_create_webhook_create'] = role_2_db

        # rule_create grant on parent pack, webhook_create on webhook "sample", action_execute on
        # core.local
        grant_1_db = PermissionGrantDB(resource_uid='pack:examples',
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_CREATE])
        grant_1_db = PermissionGrant.add_or_update(grant_1_db)
        grant_2_db = PermissionGrantDB(resource_uid='webhook:sample',
                                     resource_type=ResourceType.WEBHOOK,
                                     permission_types=[PermissionType.WEBHOOK_CREATE])
        grant_2_db = PermissionGrant.add_or_update(grant_2_db)
        grant_3_db = PermissionGrantDB(resource_uid='action:core:local',
                                     resource_type=ResourceType.ACTION,
                                     permission_types=[PermissionType.ACTION_EXECUTE])
        grant_3_db = PermissionGrant.add_or_update(grant_3_db)
        permission_grants = [str(grant_1_db.id), str(grant_2_db.id), str(grant_3_db.id)]
        role_3_db = RoleDB(name='rule_create_webhook_create_core_local_execute',
                           permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['rule_create_webhook_create_core_local_execute'] = role_3_db

        # Role assignments
        user_db = self.users['rule_create']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_create'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_create_webhook_create']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_create_webhook_create'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_create_webhook_create_core_local_execute']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_create_webhook_create_core_local_execute'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)
    def setUp(self):
        super(ActionAliasPermissionsResolverTestCase, self).setUp()

        # Create some mock users
        user_1_db = UserDB(name='alias_pack_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['alias_pack_grant'] = user_1_db

        user_2_db = UserDB(name='alias_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['alias_grant'] = user_2_db

        user_3_db = UserDB(name='pack_alias_all_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['pack_alias_all_grant'] = user_3_db

        user_4_db = UserDB(name='alias_all_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['alias_all_grant'] = user_4_db

        user_5_db = UserDB(name='alias_modify_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['alias_modify_grant'] = user_5_db

        user_6_db = UserDB(name='alias_pack_alias_create_grant')
        user_6_db = User.add_or_update(user_6_db)
        self.users['alias_pack_alias_create_grant'] = user_6_db

        user_7_db = UserDB(name='alias_pack_alias_all_grant')
        user_7_db = User.add_or_update(user_7_db)
        self.users['alias_pack_alias_all_grant'] = user_7_db

        user_8_db = UserDB(name='alias_alias_create_grant')
        user_8_db = User.add_or_update(user_8_db)
        self.users['alias_alias_create_grant'] = user_8_db

        user_10_db = UserDB(name='alias_list_grant')
        user_10_db = User.add_or_update(user_10_db)
        self.users['alias_list_grant'] = user_10_db

        # Create some mock resources on which permissions can be granted
        alias_1_db = ActionAliasDB(pack='test_pack_1', name='alias1', formats=['a'],
                                   action_ref='core.local')
        self.resources['alias_1'] = alias_1_db

        alias_2_db = ActionAliasDB(pack='test_pack_1', name='alias2', formats=['a'],
                                   action_ref='core.local')
        self.resources['alias_2'] = alias_2_db

        alias_3_db = ActionAliasDB(pack='test_pack_2', name='alias3', formats=['a'],
                                   action_ref='core.local')
        self.resources['alias_3'] = alias_3_db

        # Create some mock roles with associated permission grants
        # One grant on parent pack, action_alias_view on pack1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_ALIAS_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='alias_pack_grant',
                           permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['alias_pack_grant'] = role_3_db

        # "action_alias_view" on alias_3
        grant_db = PermissionGrantDB(resource_uid=self.resources['alias_3'].get_uid(),
                                     resource_type=ResourceType.ACTION_ALIAS,
                                     permission_types=[PermissionType.ACTION_ALIAS_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='alias_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['alias_grant'] = role_4_db

        # Custom role - "action_alias_all" grant on a parent pack
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_ALIAS_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='pack_alias_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['pack_alias_all_grant'] = role_4_db

        # Custom role - "action_alias_all" grant on alias
        grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(),
                                     resource_type=ResourceType.ACTION_ALIAS,
                                     permission_types=[PermissionType.ACTION_ALIAS_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='alias_all_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['alias_all_grant'] = role_4_db

        # Custom role - "alias_modify" on alias_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(),
                                     resource_type=ResourceType.ACTION_ALIAS,
                                     permission_types=[PermissionType.ACTION_ALIAS_MODIFY])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_5_db = RoleDB(name='alias_modify_grant',
                           permission_grants=permission_grants)
        role_5_db = Role.add_or_update(role_5_db)
        self.roles['alias_modify_grant'] = role_5_db

        # Custom role - "action_alias_create" grant on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_ALIAS_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_6_db = RoleDB(name='alias_pack_alias_create_grant',
                           permission_grants=permission_grants)
        role_6_db = Role.add_or_update(role_6_db)
        self.roles['alias_pack_alias_create_grant'] = role_6_db

        # Custom role - "action_alias_all" grant on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.ACTION_ALIAS_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_7_db = RoleDB(name='alias_pack_alias_all_grant',
                           permission_grants=permission_grants)
        role_7_db = Role.add_or_update(role_7_db)
        self.roles['alias_pack_alias_all_grant'] = role_7_db

        # Custom role - "action_alias_create" grant on alias_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(),
                                     resource_type=ResourceType.ACTION_ALIAS,
                                     permission_types=[PermissionType.ACTION_ALIAS_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_8_db = RoleDB(name='alias_alias_create_grant',
                           permission_grants=permission_grants)
        role_8_db = Role.add_or_update(role_8_db)
        self.roles['alias_alias_create_grant'] = role_8_db

        # Custom role - "alias_list" grant
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=None,
                                     permission_types=[PermissionType.ACTION_ALIAS_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_10_db = RoleDB(name='alias_list_grant',
                           permission_grants=permission_grants)
        role_10_db = Role.add_or_update(role_10_db)
        self.roles['alias_list_grant'] = role_10_db

        # Create some mock role assignments
        user_db = self.users['alias_pack_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['alias_pack_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['alias_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['alias_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['pack_alias_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['pack_alias_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['alias_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['alias_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['alias_modify_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['alias_modify_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['alias_pack_alias_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['alias_pack_alias_create_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['alias_pack_alias_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['alias_pack_alias_all_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['alias_alias_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['alias_alias_create_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['alias_list_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name, role=self.roles['alias_list_grant'].name,
            source='assignments/%s.yaml' % user_db.name)
        UserRoleAssignment.add_or_update(role_assignment_db)
    def setUp(self):
        super(RuleEnforcementPermissionsResolverTestCase, self).setUp()

        register_internal_trigger_types()

        # Create some mock users
        user_1_db = UserDB(name='1_role_rule_pack_grant')
        user_1_db = User.add_or_update(user_1_db)
        self.users['custom_role_rule_pack_grant'] = user_1_db

        user_2_db = UserDB(name='1_role_rule_grant')
        user_2_db = User.add_or_update(user_2_db)
        self.users['custom_role_rule_grant'] = user_2_db

        user_3_db = UserDB(name='custom_role_pack_rule_all_grant')
        user_3_db = User.add_or_update(user_3_db)
        self.users['custom_role_pack_rule_all_grant'] = user_3_db

        user_4_db = UserDB(name='custom_role_rule_all_grant')
        user_4_db = User.add_or_update(user_4_db)
        self.users['custom_role_rule_all_grant'] = user_4_db

        user_5_db = UserDB(name='custom_role_rule_modify_grant')
        user_5_db = User.add_or_update(user_5_db)
        self.users['custom_role_rule_modify_grant'] = user_5_db

        user_6_db = UserDB(name='rule_pack_rule_create_grant')
        user_6_db = User.add_or_update(user_6_db)
        self.users['rule_pack_rule_create_grant'] = user_6_db

        user_7_db = UserDB(name='rule_pack_rule_all_grant')
        user_7_db = User.add_or_update(user_7_db)
        self.users['rule_pack_rule_all_grant'] = user_7_db

        user_8_db = UserDB(name='rule_rule_create_grant')
        user_8_db = User.add_or_update(user_8_db)
        self.users['rule_rule_create_grant'] = user_8_db

        user_9_db = UserDB(name='rule_rule_all_grant')
        user_9_db = User.add_or_update(user_9_db)
        self.users['rule_rule_all_grant'] = user_9_db

        user_10_db = UserDB(name='custom_role_rule_list_grant')
        user_10_db = User.add_or_update(user_10_db)
        self.users['custom_role_rule_list_grant'] = user_10_db

        # Create some mock resources on which permissions can be granted
        rule_1_db = RuleDB(pack='test_pack_1', name='rule1', action={'ref': 'core.local'},
                           trigger='core.st2.key_value_pair.create')
        rule_1_db = Rule.add_or_update(rule_1_db)
        self.resources['rule_1'] = rule_1_db

        rule_enforcement_1_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
                                                  execution_id=str(bson.ObjectId()),
                                                  rule={'ref': rule_1_db.ref,
                                                        'uid': rule_1_db.uid,
                                                        'id': str(rule_1_db.id)})
        rule_enforcement_1_db = RuleEnforcement.add_or_update(rule_enforcement_1_db)
        self.resources['rule_enforcement_1'] = rule_enforcement_1_db

        rule_2_db = RuleDB(pack='test_pack_1', name='rule2')
        rule_2_db = Rule.add_or_update(rule_2_db)
        self.resources['rule_2'] = rule_2_db

        rule_enforcement_2_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
                                                  execution_id=str(bson.ObjectId()),
                                                  rule={'ref': rule_2_db.ref,
                                                        'uid': rule_2_db.uid,
                                                        'id': str(rule_2_db.id)})
        rule_enforcement_2_db = RuleEnforcement.add_or_update(rule_enforcement_2_db)
        self.resources['rule_enforcement_2'] = rule_enforcement_2_db

        rule_3_db = RuleDB(pack='test_pack_2', name='rule3')
        rule_3_db = Rule.add_or_update(rule_3_db)
        self.resources['rule_3'] = rule_3_db

        rule_enforcement_3_db = RuleEnforcementDB(trigger_instance_id=str(bson.ObjectId()),
                                                  execution_id=str(bson.ObjectId()),
                                                  rule={'ref': rule_3_db.ref,
                                                        'uid': rule_3_db.uid,
                                                        'id': str(rule_3_db.id)})
        rule_enforcement_3_db = RuleEnforcement.add_or_update(rule_enforcement_3_db)
        self.resources['rule_enforcement_3'] = rule_enforcement_3_db

        # Create some mock roles with associated permission grants
        # Custom role 2 - one grant on parent pack
        # "rule_view" on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_3_db = RoleDB(name='custom_role_rule_pack_grant',
                           permission_grants=permission_grants)
        role_3_db = Role.add_or_update(role_3_db)
        self.roles['custom_role_rule_pack_grant'] = role_3_db

        # Custom role 4 - one grant on rule
        # "rule_view on rule_3
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_3'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_VIEW])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_grant'] = role_4_db

        # Custom role - "rule_all" grant on a parent rule pack
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_pack_rule_all_grant'] = role_4_db

        # Custom role - "rule_all" grant on a rule
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_4_db = RoleDB(name='custom_role_rule_all_grant', permission_grants=permission_grants)
        role_4_db = Role.add_or_update(role_4_db)
        self.roles['custom_role_rule_all_grant'] = role_4_db

        # Custom role - "rule_modify" on role_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_MODIFY])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_5_db = RoleDB(name='custom_role_rule_modify_grant',
                           permission_grants=permission_grants)
        role_5_db = Role.add_or_update(role_5_db)
        self.roles['custom_role_rule_modify_grant'] = role_5_db

        # Custom role - "rule_create" grant on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_6_db = RoleDB(name='rule_pack_rule_create_grant',
                           permission_grants=permission_grants)
        role_6_db = Role.add_or_update(role_6_db)
        self.roles['rule_pack_rule_create_grant'] = role_6_db

        # Custom role - "rule_all" grant on pack_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(),
                                     resource_type=ResourceType.PACK,
                                     permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_7_db = RoleDB(name='rule_pack_rule_all_grant',
                           permission_grants=permission_grants)
        role_7_db = Role.add_or_update(role_7_db)
        self.roles['rule_pack_rule_all_grant'] = role_7_db

        # Custom role - "rule_create" grant on rule_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_CREATE])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_8_db = RoleDB(name='rule_rule_create_grant',
                           permission_grants=permission_grants)
        role_8_db = Role.add_or_update(role_8_db)
        self.roles['rule_rule_create_grant'] = role_8_db

        # Custom role - "rule_all" grant on rule_1
        grant_db = PermissionGrantDB(resource_uid=self.resources['rule_1'].get_uid(),
                                     resource_type=ResourceType.RULE,
                                     permission_types=[PermissionType.RULE_ALL])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_9_db = RoleDB(name='rule_rule_all_grant',
                           permission_grants=permission_grants)
        role_9_db = Role.add_or_update(role_9_db)
        self.roles['rule_rule_all_grant'] = role_9_db

        # Custom role - "rule_list" grant
        grant_db = PermissionGrantDB(resource_uid=None,
                                     resource_type=None,
                                     permission_types=[PermissionType.RULE_LIST])
        grant_db = PermissionGrant.add_or_update(grant_db)
        permission_grants = [str(grant_db.id)]
        role_10_db = RoleDB(name='custom_role_rule_list_grant',
                            permission_grants=permission_grants)
        role_10_db = Role.add_or_update(role_10_db)
        self.roles['custom_role_rule_list_grant'] = role_10_db

        # Create some mock role assignments
        user_db = self.users['custom_role_rule_pack_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_pack_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_grant']
        role_assignment_db = UserRoleAssignmentDB(user=user_db.name,
                                                  role=self.roles['custom_role_rule_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_pack_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_modify_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_modify_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_pack_rule_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_pack_rule_create_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_pack_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_pack_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_rule_create_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_rule_create_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['rule_rule_all_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['rule_rule_all_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)

        user_db = self.users['custom_role_rule_list_grant']
        role_assignment_db = UserRoleAssignmentDB(
            user=user_db.name,
            role=self.roles['custom_role_rule_list_grant'].name)
        UserRoleAssignment.add_or_update(role_assignment_db)