def init_users_and_permissions():
ds = current_app.extensions['invenio-accounts'].datastore
with db.session.begin_nested():
superuser_role = ds.create_role(
name='superuser', description='admin with no restrictions')
cataloger_role = ds.create_role(
name='cataloger', description='users with editing capabilities')
ds.create_user(email='*****@*****.**',
password=encrypt_password("123456"),
active=True,
roles=[superuser_role])
ds.create_user(email='*****@*****.**',
password=encrypt_password("123456"),
active=True,
roles=[cataloger_role])
db.session.add(
ActionRoles(action='superuser-access', role=superuser_role))
db.session.add(ActionRoles(action='admin-access', role=superuser_role))
db.session.add(
ActionRoles(action='workflows-ui-admin-access',
role=cataloger_role))
db.session.add(
ActionRoles(action='admin-holdingpen-authors',
role=cataloger_role))
db.session.commit()
def users(app, db):
"""Create users."""
with db.session.begin_nested():
datastore = app.extensions['security'].datastore
user1 = datastore.create_user(email='*****@*****.**',
password='******', active=True)
user2 = datastore.create_user(email='*****@*****.**',
password='******', active=True)
admin = datastore.create_user(
email='*****@*****.**',
password='******', active=True)
superadmin = datastore.create_user(
email='*****@*****.**',
password='******', active=True)
# Give a admin role to admin
admin_role = Role(name='admin')
db.session.add(ActionRoles(
action=action_admin_access.value, role=admin_role))
datastore.add_role_to_user(admin, admin_role)
# Give a superadmin role to superadmin
superadmin_role = Role(name='superadmin')
db.session.add(ActionRoles(
action=superuser_access.value, role=superadmin_role))
datastore.add_role_to_user(superadmin, superadmin_role)
db.session.commit()
id_1 = user1.id
id_2 = user2.id
id_4 = admin.id
return [id_1, id_2, id_4]
def users(app, db):
"""Create admin, manager and users."""
with db.session.begin_nested():
datastore = app.extensions['security'].datastore
# create users
user = datastore.create_user(email='*****@*****.**',
password='******',
active=True) # ID 1
manager = datastore.create_user(email='*****@*****.**',
password='******',
active=True)
admin = datastore.create_user(
email='*****@*****.**', # ID 2
password='******',
active=True) # ID 3
# Give role to admin
admin_role = Role(name='admin')
db.session.add(
ActionRoles(action=superuser_access.value, role=admin_role))
datastore.add_role_to_user(admin, admin_role)
# Give role to librarian
manager_role = Role(name='manager')
db.session.add(
ActionRoles(action=create_records_action.value, role=manager_role))
datastore.add_role_to_user(manager, manager_role)
db.session.commit()
return {
'admin': admin,
'manager': manager,
'user': user,
}
def init_cataloger_permissions():
cataloger = Role.query.filter_by(name=Roles.cataloger.value).one()
db.session.add(
ActionRoles(action="workflows-ui-admin-access", role=cataloger))
db.session.add(
ActionRoles(action="admin-holdingpen-authors", role=cataloger))
db.session.add(ActionRoles(action="update-collection", role=cataloger))
db.session.add(ActionRoles(action="editor-use-api", role=cataloger))
db.session.add(ActionRoles(action="migrator-use-api", role=cataloger))
def init_jlab_permissions():
jlab_curator = Role.query.filter_by(name='jlabcurator').one()
db.session.add(ActionRoles(
action='workflows-ui-read-access',
role=jlab_curator,
))
db.session.add(ActionRoles(
action='update-collection',
role=jlab_curator,
))
def init_superuser_permissions():
superuser = Role.query.filter_by(name='superuser').one()
db.session.add(ActionRoles(
action='superuser-access',
role=superuser,
))
db.session.add(ActionRoles(
action='admin-access',
role=superuser,
))
def init_users_and_permissions():
ds = current_app.extensions['invenio-accounts'].datastore
with db.session.begin_nested():
superuser_role = ds.create_role(name='superuser')
ds.create_user(email='*****@*****.**',
password=encrypt_password("123456"),
active=True,
roles=[superuser_role])
db.session.add(
ActionRoles(action='superuser-access', role=superuser_role))
db.session.add(ActionRoles(action='admin-access', role=superuser_role))
db.session.commit()
def init_hermes_permissions():
hermes_collections = Role.query.filter_by(name='hermescoll').one()
db.session.add(ActionRoles(
action='view-restricted-collection',
argument='HERMES Internal Notes',
role=hermes_collections,
))
hermes_curator = Role.query.filter_by(name='hermescurator').one()
db.session.add(ActionRoles(
action='update-collection',
argument='HERMES Internal Notes',
role=hermes_curator,
))
def users(app, db):
"""Create admin, librarians and patrons."""
with db.session.begin_nested():
datastore = app.extensions['security'].datastore
# create users
patron1 = datastore.create_user(email='*****@*****.**',
password='******',
active=True)
patron2 = datastore.create_user(email='*****@*****.**',
password='******',
active=True)
patron3 = datastore.create_user(email='*****@*****.**',
password='******',
active=True)
librarian = datastore.create_user(email='*****@*****.**',
password='******',
active=True)
librarian2 = datastore.create_user(email='*****@*****.**',
password='******',
active=True)
admin = datastore.create_user(email='*****@*****.**',
password='******',
active=True)
# Give role to admin
admin_role = Role(name='admin')
db.session.add(
ActionRoles(action=superuser_access.value, role=admin_role))
datastore.add_role_to_user(admin, admin_role)
# Give role to librarian
librarian_role = Role(name='librarian')
db.session.add(
ActionRoles(action=backoffice_access_action.value,
role=librarian_role))
datastore.add_role_to_user(librarian, librarian_role)
# Give role to librarian2
db.session.add(
ActionRoles(action=backoffice_access_action.value,
role=librarian_role))
datastore.add_role_to_user(librarian2, librarian_role)
db.session.commit()
return {
'admin': admin,
'librarian': librarian,
'librarian2': librarian2,
'patron1': patron1,
'patron2': patron2,
'patron3': patron3,
}
def init_hermes_permissions():
hermes_collections = Role.query.filter_by(
name=Roles.hermescoll.value).one()
db.session.add(
ActionRoles(
action="view-restricted-collection",
argument="HERMES Internal Notes",
role=hermes_collections,
))
hermes_curator = Role.query.filter_by(name=Roles.hermescurator.value).one()
db.session.add(
ActionRoles(
action="update-collection",
argument="HERMES Internal Notes",
role=hermes_curator,
))
def test_invenio_access_permission_for_roles(app):
"""User with a role can access to an action allowed to the role"""
InvenioAccess(app)
with app.test_request_context():
superuser_role = Role(name='superuser')
admin_role = Role(name='admin')
reader_role = Role(name='reader')
opener_role = Role(name='opener')
db.session.add(superuser_role)
db.session.add(admin_role)
db.session.add(reader_role)
db.session.add(opener_role)
db.session.add(
ActionRoles(action='superuser-access', role=superuser_role))
db.session.add(ActionRoles(action='open', role=admin_role))
db.session.add(ActionRoles(action='open', role=opener_role))
db.session.add(ActionRoles(action='read', role=admin_role))
db.session.add(ActionRoles(action='read', role=reader_role))
db.session.commit()
with app.app_context():
permission_open = DynamicPermission(ActionNeed('open'))
permission_read = DynamicPermission(ActionNeed('read'))
identity_superuser = FakeIdentity(RoleNeed('superuser'))
identity_all = FakeIdentity(RoleNeed('admin'))
identity_read = FakeIdentity(RoleNeed('reader'))
identity_open = FakeIdentity(RoleNeed('opener'))
assert permission_open.allows(identity_superuser)
assert permission_read.allows(identity_superuser)
assert permission_open.allows(identity_all)
assert permission_read.allows(identity_all)
assert permission_open.allows(identity_open)
assert not permission_read.allows(identity_open)
assert not permission_open.allows(identity_read)
assert permission_read.allows(identity_read)
def init_cataloger_permissions():
cataloger = Role.query.filter_by(name='cataloger').one()
db.session.add(ActionRoles(
action='workflows-ui-admin-access',
role=cataloger,
))
db.session.add(ActionRoles(
action='admin-holdingpen-authors',
role=cataloger,
))
db.session.add(ActionRoles(
action='update-collection',
role=cataloger,
))
db.session.add(ActionRoles(
action='editor-use-api',
role=cataloger,
))
db.session.add(ActionRoles(
action='migrator-use-api',
role=cataloger,
))
def admin(app, db):
"""Create admin, librarians and patrons."""
with db.session.begin_nested():
datastore = app.extensions["security"].datastore
admin = datastore.create_user(email="*****@*****.**",
password="******",
active=True)
# Give role to admin
admin_role = Role(name="admin")
db.session.add(
ActionRoles(action=superuser_access.value, role=admin_role))
datastore.add_role_to_user(admin, admin_role)
db.session.commit()
return admin
def init_permissions():
superuser = Role.query.filter_by(name='superuser').one()
cataloger = Role.query.filter_by(name='cataloger').one()
hermes_collections = Role.query.filter_by(name='hermescoll').one()
hermes_curator = Role.query.filter_by(name='hermescurator').one()
db.session.add(ActionRoles(action='superuser-access', role=superuser))
db.session.add(ActionRoles(action='admin-access', role=superuser))
db.session.add(
ActionRoles(action='workflows-ui-admin-access', role=cataloger))
db.session.add(
ActionRoles(action='admin-holdingpen-authors', role=cataloger))
db.session.add(
ActionRoles(action='view-restricted-collection',
argument='HERMES Internal Notes',
role=hermes_collections))
db.session.add(ActionRoles(action='update-collection', role=cataloger))
db.session.add(ActionRoles(action='editor-use-api', role=cataloger))
db.session.add(
ActionRoles(action='update-collection',
argument='HERMES Internal Notes',
role=hermes_curator))
db.session.commit()
def users(app, db):
"""Create admin, librarians and patrons."""
# with Postgresql, when dropping the User table, the sequence is not
# automatically reset to 1, causing issues with the tests demo data.
db.session.execute("ALTER SEQUENCE IF EXISTS accounts_user_id_seq RESTART")
db.session.commit()
with db.session.begin_nested():
datastore = app.extensions["security"].datastore
# create users
patron1 = datastore.create_user(email="*****@*****.**",
password="******",
active=True)
patron2 = datastore.create_user(email="*****@*****.**",
password="******",
active=True)
patron3 = datastore.create_user(email="*****@*****.**",
password="******",
active=True)
librarian = datastore.create_user(email="*****@*****.**",
password="******",
active=True)
librarian2 = datastore.create_user(email="*****@*****.**",
password="******",
active=True)
admin = datastore.create_user(email="*****@*****.**",
password="******",
active=True)
# Give role to admin
admin_role = Role(name="admin")
db.session.add(
ActionRoles(action=superuser_access.value, role=admin_role))
datastore.add_role_to_user(admin, admin_role)
# Give role to librarian
librarian_role = Role(name="librarian")
db.session.add(
ActionRoles(action=backoffice_access_action.value,
role=librarian_role))
datastore.add_role_to_user(librarian, librarian_role)
# Give role to librarian2
db.session.add(
ActionRoles(action=backoffice_access_action.value,
role=librarian_role))
datastore.add_role_to_user(librarian2, librarian_role)
db.session.commit()
for patron, name in [
(admin, "Admin User"),
(librarian, "Librarian One"),
(librarian2, "Librarian Two"),
(patron1, "Patron One"),
(patron2, "Patron Two"),
(patron3, "Patron Three"),
]:
profile = UserProfile(**dict(
user_id=patron.id,
_displayname="id_" + str(patron.id),
full_name=name,
))
db.session.add(profile)
db.session.commit()
return {
"admin": admin,
"librarian": librarian,
"librarian2": librarian2,
"patron1": patron1,
"patron2": patron2,
"patron3": patron3,
}
def init_jlab_permissions():
jlab_curator = Role.query.filter_by(name=Roles.jlabcurator.value).one()
db.session.add(
ActionRoles(action="workflows-ui-read-access", role=jlab_curator))
db.session.add(ActionRoles(action="update-collection", role=jlab_curator))
def test_intenio_access_cache_performance(app):
"""Performance test simulating 1000 users."""
InvenioAccess(app, cache=None)
with app.test_request_context():
# CDS has (2015-11-19) 74 actions with 414 possible arguments with
# 49259 users and 307 roles. In this test we are going to divide
# into 50 and use the next prime number.
users_number = 991
actions_users_number = 11
actions_roles_number = 7
roles = []
actions = []
for i in range(actions_roles_number):
role = Role(name='role{0}'.format(i))
roles.append(role)
db.session.add(role)
db.session.flush()
action_role = ActionRoles(
action='action{0}'.format(
str(i % actions_roles_number)),
role=role)
actions.append(action_role)
db.session.add(action_role)
db.session.flush()
users = []
for i in range(users_number):
user = User(
email='invenio{0}@inveniosoftware.org'.format(str(i)),
roles=[roles[i % actions_roles_number]])
users.append(user)
db.session.add(user)
db.session.flush()
action_user = ActionUsers(action='action{0}'.format(
str((i % actions_users_number) + actions_roles_number)),
user=user)
actions.append(action_user)
db.session.add(action_user)
db.session.flush()
def test_permissions():
"""Iterates over all users checking its permissions."""
for i in range(users_number):
identity = FakeIdentity(UserNeed(users[i].id))
# Allowed permission
permission_allowed_both = DynamicPermission(
ActionNeed('action{0}'.format(
(i % actions_users_number) +
actions_roles_number)),
ActionNeed('action{0}'.format(i % actions_roles_number))
)
assert permission_allowed_both.allows(identity)
# Not allowed action user
permission_not_allowed_user = DynamicPermission(
ActionNeed('action{0}'.format(
(i + 1) % actions_users_number +
actions_roles_number))
)
assert not permission_not_allowed_user.allows(identity)
# Not allowed action role
permission_not_allowed_role = DynamicPermission(
ActionNeed('action{0}'.format(
(i + 1) % actions_roles_number))
)
assert not permission_not_allowed_role.allows(identity)
app.extensions['invenio-access'].cache = None
start_time_wo_cache = time.time()
test_permissions()
end_time_wo_cache = time.time()
time_wo_cache = end_time_wo_cache - start_time_wo_cache
app.extensions['invenio-access'].cache = SimpleCache()
start_time_w_cache = time.time()
test_permissions()
end_time_w_cache = time.time()
time_w_cache = end_time_w_cache - start_time_w_cache
assert time_wo_cache / time_w_cache > 10
def init_superuser_permissions():
superuser = Role.query.filter_by(name=Roles.superuser.value).one()
db.session.add(ActionRoles(action="superuser-access", role=superuser))
db.session.add(ActionRoles(action="admin-access", role=superuser))
def test_invenio_access_permission_cache_roles_updates(app):
"""Testing ActionRoles cache with inserts/updates/deletes."""
# This test case is doing the same of user test case but using roles.
cache = SimpleCache()
InvenioAccess(app, cache=cache)
with app.test_request_context():
# Creation of some data to test.
role_1 = Role(name='role_1')
role_2 = Role(name='role_2')
role_3 = Role(name='role_3')
role_4 = Role(name='role_4')
role_5 = Role(name='role_5')
role_6 = Role(name='role_6')
db.session.add(role_1)
db.session.add(role_2)
db.session.add(role_3)
db.session.add(role_4)
db.session.add(role_5)
db.session.add(role_6)
db.session.add(ActionRoles(action='open', role=role_1))
db.session.add(ActionRoles(action='write', role=role_4))
db.session.flush()
# Creation of identities to test.
identity_fake_role_1 = FakeIdentity(RoleNeed(role_1.name))
identity_fake_role_2 = FakeIdentity(RoleNeed(role_2.name))
identity_fake_role_3 = FakeIdentity(RoleNeed(role_3.name))
identity_fake_role_4 = FakeIdentity(RoleNeed(role_4.name))
identity_fake_role_5 = FakeIdentity(RoleNeed(role_5.name))
identity_fake_role_6 = FakeIdentity(RoleNeed(role_6.name))
# Test if role 1 can open. In this case, the cache should store only
# this object.
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_fake_role_1)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name)]),
set([])
)
# Test if role 4 can write. In this case, the cache should have this
# new object and the previous one (Open is allowed to role_1)
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_4)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name)]),
set([])
)
# If we add a new role to the action open, the open action in cache
# should be removed but it should still containing the write entry.
db.session.add(ActionRoles(action='open', role=role_2))
db.session.flush()
assert current_access.get_action_cache('open') is None
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_fake_role_2)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
# Test if the new role is added to the action 'open'
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_4)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
# If we update an action swapping a role, the cache containing the
# action, should be removed.
role_4_action_write = ActionRoles.query.filter(
ActionRoles.action == 'write' and
ActionRoles.role == role_4).first()
role_4_action_write.role = role_3
db.session.flush()
assert current_access.get_action_cache('write') is None
assert current_access.get_action_cache('open') is not None
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
# Test if the role_3 can write now.
permission_write = DynamicPermission(ActionNeed('write'))
assert not permission_write.allows(identity_fake_role_4)
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_3)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_3.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
# If we remove a role from an action, the cache should clear the
# action item.
role_3_action_write = ActionRoles.query.filter(
ActionRoles.action == 'write' and
ActionRoles.role == role_3).first()
db.session.delete(role_3_action_write)
db.session.flush()
assert current_access.get_action_cache('write') is None
# If no one is allowed to perform an action then everybody is allowed.
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_3)
assert current_access.get_action_cache('write') == (
set([]),
set([])
)
db.session.add(ActionRoles(action='write', role=role_5))
db.session.flush()
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_5)
permission_write = DynamicPermission(ActionNeed('write'))
assert not permission_write.allows(identity_fake_role_3)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_5.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
# If you update the name of an existing action, the previous action
# and the new action should be remove from cache.
permission_write = DynamicPermission(ActionNeed('write'))
assert permission_write.allows(identity_fake_role_5)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_5.name)]),
set([])
)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name)]),
set([])
)
role_5_action_write = ActionRoles.query.filter(
ActionRoles.action == 'write' and
ActionRoles.role == role_5).first()
role_5_action_write.action = 'open'
db.session.flush()
assert current_access.get_action_cache('write') is None
assert current_access.get_action_cache('open') is None
permission_open = DynamicPermission(ActionNeed('open'))
assert permission_open.allows(identity_fake_role_1)
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name)]),
set([])
)
db.session.add(ActionRoles(action='write', role=role_4))
permission_write = DynamicPermission(ActionNeed('write'))
assert not permission_write.allows(identity_fake_role_5)
assert current_access.get_action_cache('write') == (
set([Need(method='role', value=role_4.name)]),
set([])
)
db.session.add(ActionRoles(action='open', argument='1', role=role_6))
db.session.flush()
permission_open_1 = DynamicPermission(
ParameterizedActionNeed('open', '1'))
assert not permission_open.allows(identity_fake_role_6)
assert permission_open_1.allows(identity_fake_role_6)
assert current_access.get_action_cache('open::1') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name),
Need(method='role', value=role_6.name)]),
set([])
)
user_6_action_open_1 = ActionRoles.query.filter_by(
action='open', argument='1', role_id=role_6.id).first()
user_6_action_open_1.argument = '2'
db.session.flush()
assert current_access.get_action_cache('open::1') is None
assert current_access.get_action_cache('open::2') is None
permission_open_2 = DynamicPermission(
ParameterizedActionNeed('open', '2'))
assert permission_open_2.allows(identity_fake_role_6)
assert current_access.get_action_cache('open::2') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name),
Need(method='role', value=role_6.name)]),
set([])
)
# open action cache should remain as before
assert current_access.get_action_cache('open') == (
set([Need(method='role', value=role_1.name),
Need(method='role', value=role_2.name),
Need(method='role', value=role_5.name)]),
set([])
)
def users(app):
# Create test users
hashed_password = hash_password('123456')
user = User(email='*****@*****.**',
password=hashed_password,
active=True)
user_partially_allowed = User(
email='*****@*****.**',
password=hashed_password,
active=True,
)
user_allowed = User(
email='*****@*****.**',
password=hashed_password,
active=True,
)
collection_restricted_role = Role(name='restrictedcollmaintainer')
user_allowed_with_role = User(email='*****@*****.**',
password=hashed_password,
active=True,
roles=[collection_restricted_role])
db.session.add_all([
user, user_partially_allowed, user_allowed, user_allowed_with_role,
collection_restricted_role
])
db.session.commit()
# Create actions for the allowed user
restricted_collection_action = ActionUsers(
action='view-restricted-collection',
argument='Restricted Collection',
user_id=user_allowed.id)
another_restricted_collection_action = ActionUsers(
action='view-restricted-collection',
argument='Another Restricted Collection',
user_id=user_allowed.id)
# Create actions for the partially allowed user
partial_restricted_collection_action = ActionUsers(
action='view-restricted-collection',
argument='Restricted Collection',
user_id=user_partially_allowed.id)
# Create actions for the allowed role
partial_restricted_collection_role_action = ActionRoles(
action='view-restricted-collection',
argument='Restricted Collection',
role_id=collection_restricted_role.id)
role_only_collection_action = ActionRoles(
action='view-restricted-collection',
argument='Role only collection',
role_id=collection_restricted_role.id)
db.session.add_all([
restricted_collection_action, another_restricted_collection_action,
partial_restricted_collection_action,
partial_restricted_collection_role_action, role_only_collection_action
])
db.session.commit()
yield
current_cache.clear()
SessionActivity.query.delete()
ActionRoles.query.filter_by(action='view-restricted-collection').delete()
ActionUsers.query.filter_by(action='view-restricted-collection').delete()
User.query.filter_by(email='*****@*****.**').delete()
User.query.filter_by(email='*****@*****.**').delete()
User.query.filter_by(email='*****@*****.**').delete()
db.session.delete(
Role.query.filter_by(name='restrictedcollmaintainer').one())
db.session.delete(
User.query.filter_by(email='*****@*****.**').one())
db.session.commit()
