def init_users_and_permissions(): ds = current_app.extensions['invenio-accounts'].datastore with db.session.begin_nested(): superuser_role = ds.create_role( name='superuser', description='admin with no restrictions') cataloger_role = ds.create_role( name='cataloger', description='users with editing capabilities') ds.create_user(email='*****@*****.**', password=encrypt_password("123456"), active=True, roles=[superuser_role]) ds.create_user(email='*****@*****.**', password=encrypt_password("123456"), active=True, roles=[cataloger_role]) db.session.add( ActionRoles(action='superuser-access', role=superuser_role)) db.session.add(ActionRoles(action='admin-access', role=superuser_role)) db.session.add( ActionRoles(action='workflows-ui-admin-access', role=cataloger_role)) db.session.add( ActionRoles(action='admin-holdingpen-authors', role=cataloger_role)) db.session.commit()
def users(app, db): """Create users.""" with db.session.begin_nested(): datastore = app.extensions['security'].datastore user1 = datastore.create_user(email='*****@*****.**', password='******', active=True) user2 = datastore.create_user(email='*****@*****.**', password='******', active=True) admin = datastore.create_user( email='*****@*****.**', password='******', active=True) superadmin = datastore.create_user( email='*****@*****.**', password='******', active=True) # Give a admin role to admin admin_role = Role(name='admin') db.session.add(ActionRoles( action=action_admin_access.value, role=admin_role)) datastore.add_role_to_user(admin, admin_role) # Give a superadmin role to superadmin superadmin_role = Role(name='superadmin') db.session.add(ActionRoles( action=superuser_access.value, role=superadmin_role)) datastore.add_role_to_user(superadmin, superadmin_role) db.session.commit() id_1 = user1.id id_2 = user2.id id_4 = admin.id return [id_1, id_2, id_4]
def users(app, db): """Create admin, manager and users.""" with db.session.begin_nested(): datastore = app.extensions['security'].datastore # create users user = datastore.create_user(email='*****@*****.**', password='******', active=True) # ID 1 manager = datastore.create_user(email='*****@*****.**', password='******', active=True) admin = datastore.create_user( email='*****@*****.**', # ID 2 password='******', active=True) # ID 3 # Give role to admin admin_role = Role(name='admin') db.session.add( ActionRoles(action=superuser_access.value, role=admin_role)) datastore.add_role_to_user(admin, admin_role) # Give role to librarian manager_role = Role(name='manager') db.session.add( ActionRoles(action=create_records_action.value, role=manager_role)) datastore.add_role_to_user(manager, manager_role) db.session.commit() return { 'admin': admin, 'manager': manager, 'user': user, }
def init_cataloger_permissions(): cataloger = Role.query.filter_by(name=Roles.cataloger.value).one() db.session.add( ActionRoles(action="workflows-ui-admin-access", role=cataloger)) db.session.add( ActionRoles(action="admin-holdingpen-authors", role=cataloger)) db.session.add(ActionRoles(action="update-collection", role=cataloger)) db.session.add(ActionRoles(action="editor-use-api", role=cataloger)) db.session.add(ActionRoles(action="migrator-use-api", role=cataloger))
def init_jlab_permissions(): jlab_curator = Role.query.filter_by(name='jlabcurator').one() db.session.add(ActionRoles( action='workflows-ui-read-access', role=jlab_curator, )) db.session.add(ActionRoles( action='update-collection', role=jlab_curator, ))
def init_superuser_permissions(): superuser = Role.query.filter_by(name='superuser').one() db.session.add(ActionRoles( action='superuser-access', role=superuser, )) db.session.add(ActionRoles( action='admin-access', role=superuser, ))
def init_users_and_permissions(): ds = current_app.extensions['invenio-accounts'].datastore with db.session.begin_nested(): superuser_role = ds.create_role(name='superuser') ds.create_user(email='*****@*****.**', password=encrypt_password("123456"), active=True, roles=[superuser_role]) db.session.add( ActionRoles(action='superuser-access', role=superuser_role)) db.session.add(ActionRoles(action='admin-access', role=superuser_role)) db.session.commit()
def init_hermes_permissions(): hermes_collections = Role.query.filter_by(name='hermescoll').one() db.session.add(ActionRoles( action='view-restricted-collection', argument='HERMES Internal Notes', role=hermes_collections, )) hermes_curator = Role.query.filter_by(name='hermescurator').one() db.session.add(ActionRoles( action='update-collection', argument='HERMES Internal Notes', role=hermes_curator, ))
def users(app, db): """Create admin, librarians and patrons.""" with db.session.begin_nested(): datastore = app.extensions['security'].datastore # create users patron1 = datastore.create_user(email='*****@*****.**', password='******', active=True) patron2 = datastore.create_user(email='*****@*****.**', password='******', active=True) patron3 = datastore.create_user(email='*****@*****.**', password='******', active=True) librarian = datastore.create_user(email='*****@*****.**', password='******', active=True) librarian2 = datastore.create_user(email='*****@*****.**', password='******', active=True) admin = datastore.create_user(email='*****@*****.**', password='******', active=True) # Give role to admin admin_role = Role(name='admin') db.session.add( ActionRoles(action=superuser_access.value, role=admin_role)) datastore.add_role_to_user(admin, admin_role) # Give role to librarian librarian_role = Role(name='librarian') db.session.add( ActionRoles(action=backoffice_access_action.value, role=librarian_role)) datastore.add_role_to_user(librarian, librarian_role) # Give role to librarian2 db.session.add( ActionRoles(action=backoffice_access_action.value, role=librarian_role)) datastore.add_role_to_user(librarian2, librarian_role) db.session.commit() return { 'admin': admin, 'librarian': librarian, 'librarian2': librarian2, 'patron1': patron1, 'patron2': patron2, 'patron3': patron3, }
def init_hermes_permissions(): hermes_collections = Role.query.filter_by( name=Roles.hermescoll.value).one() db.session.add( ActionRoles( action="view-restricted-collection", argument="HERMES Internal Notes", role=hermes_collections, )) hermes_curator = Role.query.filter_by(name=Roles.hermescurator.value).one() db.session.add( ActionRoles( action="update-collection", argument="HERMES Internal Notes", role=hermes_curator, ))
def test_invenio_access_permission_for_roles(app): """User with a role can access to an action allowed to the role""" InvenioAccess(app) with app.test_request_context(): superuser_role = Role(name='superuser') admin_role = Role(name='admin') reader_role = Role(name='reader') opener_role = Role(name='opener') db.session.add(superuser_role) db.session.add(admin_role) db.session.add(reader_role) db.session.add(opener_role) db.session.add( ActionRoles(action='superuser-access', role=superuser_role)) db.session.add(ActionRoles(action='open', role=admin_role)) db.session.add(ActionRoles(action='open', role=opener_role)) db.session.add(ActionRoles(action='read', role=admin_role)) db.session.add(ActionRoles(action='read', role=reader_role)) db.session.commit() with app.app_context(): permission_open = DynamicPermission(ActionNeed('open')) permission_read = DynamicPermission(ActionNeed('read')) identity_superuser = FakeIdentity(RoleNeed('superuser')) identity_all = FakeIdentity(RoleNeed('admin')) identity_read = FakeIdentity(RoleNeed('reader')) identity_open = FakeIdentity(RoleNeed('opener')) assert permission_open.allows(identity_superuser) assert permission_read.allows(identity_superuser) assert permission_open.allows(identity_all) assert permission_read.allows(identity_all) assert permission_open.allows(identity_open) assert not permission_read.allows(identity_open) assert not permission_open.allows(identity_read) assert permission_read.allows(identity_read)
def init_cataloger_permissions(): cataloger = Role.query.filter_by(name='cataloger').one() db.session.add(ActionRoles( action='workflows-ui-admin-access', role=cataloger, )) db.session.add(ActionRoles( action='admin-holdingpen-authors', role=cataloger, )) db.session.add(ActionRoles( action='update-collection', role=cataloger, )) db.session.add(ActionRoles( action='editor-use-api', role=cataloger, )) db.session.add(ActionRoles( action='migrator-use-api', role=cataloger, ))
def admin(app, db): """Create admin, librarians and patrons.""" with db.session.begin_nested(): datastore = app.extensions["security"].datastore admin = datastore.create_user(email="*****@*****.**", password="******", active=True) # Give role to admin admin_role = Role(name="admin") db.session.add( ActionRoles(action=superuser_access.value, role=admin_role)) datastore.add_role_to_user(admin, admin_role) db.session.commit() return admin
def init_permissions(): superuser = Role.query.filter_by(name='superuser').one() cataloger = Role.query.filter_by(name='cataloger').one() hermes_collections = Role.query.filter_by(name='hermescoll').one() hermes_curator = Role.query.filter_by(name='hermescurator').one() db.session.add(ActionRoles(action='superuser-access', role=superuser)) db.session.add(ActionRoles(action='admin-access', role=superuser)) db.session.add( ActionRoles(action='workflows-ui-admin-access', role=cataloger)) db.session.add( ActionRoles(action='admin-holdingpen-authors', role=cataloger)) db.session.add( ActionRoles(action='view-restricted-collection', argument='HERMES Internal Notes', role=hermes_collections)) db.session.add(ActionRoles(action='update-collection', role=cataloger)) db.session.add(ActionRoles(action='editor-use-api', role=cataloger)) db.session.add( ActionRoles(action='update-collection', argument='HERMES Internal Notes', role=hermes_curator)) db.session.commit()
def users(app, db): """Create admin, librarians and patrons.""" # with Postgresql, when dropping the User table, the sequence is not # automatically reset to 1, causing issues with the tests demo data. db.session.execute("ALTER SEQUENCE IF EXISTS accounts_user_id_seq RESTART") db.session.commit() with db.session.begin_nested(): datastore = app.extensions["security"].datastore # create users patron1 = datastore.create_user(email="*****@*****.**", password="******", active=True) patron2 = datastore.create_user(email="*****@*****.**", password="******", active=True) patron3 = datastore.create_user(email="*****@*****.**", password="******", active=True) librarian = datastore.create_user(email="*****@*****.**", password="******", active=True) librarian2 = datastore.create_user(email="*****@*****.**", password="******", active=True) admin = datastore.create_user(email="*****@*****.**", password="******", active=True) # Give role to admin admin_role = Role(name="admin") db.session.add( ActionRoles(action=superuser_access.value, role=admin_role)) datastore.add_role_to_user(admin, admin_role) # Give role to librarian librarian_role = Role(name="librarian") db.session.add( ActionRoles(action=backoffice_access_action.value, role=librarian_role)) datastore.add_role_to_user(librarian, librarian_role) # Give role to librarian2 db.session.add( ActionRoles(action=backoffice_access_action.value, role=librarian_role)) datastore.add_role_to_user(librarian2, librarian_role) db.session.commit() for patron, name in [ (admin, "Admin User"), (librarian, "Librarian One"), (librarian2, "Librarian Two"), (patron1, "Patron One"), (patron2, "Patron Two"), (patron3, "Patron Three"), ]: profile = UserProfile(**dict( user_id=patron.id, _displayname="id_" + str(patron.id), full_name=name, )) db.session.add(profile) db.session.commit() return { "admin": admin, "librarian": librarian, "librarian2": librarian2, "patron1": patron1, "patron2": patron2, "patron3": patron3, }
def init_jlab_permissions(): jlab_curator = Role.query.filter_by(name=Roles.jlabcurator.value).one() db.session.add( ActionRoles(action="workflows-ui-read-access", role=jlab_curator)) db.session.add(ActionRoles(action="update-collection", role=jlab_curator))
def test_intenio_access_cache_performance(app): """Performance test simulating 1000 users.""" InvenioAccess(app, cache=None) with app.test_request_context(): # CDS has (2015-11-19) 74 actions with 414 possible arguments with # 49259 users and 307 roles. In this test we are going to divide # into 50 and use the next prime number. users_number = 991 actions_users_number = 11 actions_roles_number = 7 roles = [] actions = [] for i in range(actions_roles_number): role = Role(name='role{0}'.format(i)) roles.append(role) db.session.add(role) db.session.flush() action_role = ActionRoles( action='action{0}'.format( str(i % actions_roles_number)), role=role) actions.append(action_role) db.session.add(action_role) db.session.flush() users = [] for i in range(users_number): user = User( email='invenio{0}@inveniosoftware.org'.format(str(i)), roles=[roles[i % actions_roles_number]]) users.append(user) db.session.add(user) db.session.flush() action_user = ActionUsers(action='action{0}'.format( str((i % actions_users_number) + actions_roles_number)), user=user) actions.append(action_user) db.session.add(action_user) db.session.flush() def test_permissions(): """Iterates over all users checking its permissions.""" for i in range(users_number): identity = FakeIdentity(UserNeed(users[i].id)) # Allowed permission permission_allowed_both = DynamicPermission( ActionNeed('action{0}'.format( (i % actions_users_number) + actions_roles_number)), ActionNeed('action{0}'.format(i % actions_roles_number)) ) assert permission_allowed_both.allows(identity) # Not allowed action user permission_not_allowed_user = DynamicPermission( ActionNeed('action{0}'.format( (i + 1) % actions_users_number + actions_roles_number)) ) assert not permission_not_allowed_user.allows(identity) # Not allowed action role permission_not_allowed_role = DynamicPermission( ActionNeed('action{0}'.format( (i + 1) % actions_roles_number)) ) assert not permission_not_allowed_role.allows(identity) app.extensions['invenio-access'].cache = None start_time_wo_cache = time.time() test_permissions() end_time_wo_cache = time.time() time_wo_cache = end_time_wo_cache - start_time_wo_cache app.extensions['invenio-access'].cache = SimpleCache() start_time_w_cache = time.time() test_permissions() end_time_w_cache = time.time() time_w_cache = end_time_w_cache - start_time_w_cache assert time_wo_cache / time_w_cache > 10
def init_superuser_permissions(): superuser = Role.query.filter_by(name=Roles.superuser.value).one() db.session.add(ActionRoles(action="superuser-access", role=superuser)) db.session.add(ActionRoles(action="admin-access", role=superuser))
def test_invenio_access_permission_cache_roles_updates(app): """Testing ActionRoles cache with inserts/updates/deletes.""" # This test case is doing the same of user test case but using roles. cache = SimpleCache() InvenioAccess(app, cache=cache) with app.test_request_context(): # Creation of some data to test. role_1 = Role(name='role_1') role_2 = Role(name='role_2') role_3 = Role(name='role_3') role_4 = Role(name='role_4') role_5 = Role(name='role_5') role_6 = Role(name='role_6') db.session.add(role_1) db.session.add(role_2) db.session.add(role_3) db.session.add(role_4) db.session.add(role_5) db.session.add(role_6) db.session.add(ActionRoles(action='open', role=role_1)) db.session.add(ActionRoles(action='write', role=role_4)) db.session.flush() # Creation of identities to test. identity_fake_role_1 = FakeIdentity(RoleNeed(role_1.name)) identity_fake_role_2 = FakeIdentity(RoleNeed(role_2.name)) identity_fake_role_3 = FakeIdentity(RoleNeed(role_3.name)) identity_fake_role_4 = FakeIdentity(RoleNeed(role_4.name)) identity_fake_role_5 = FakeIdentity(RoleNeed(role_5.name)) identity_fake_role_6 = FakeIdentity(RoleNeed(role_6.name)) # Test if role 1 can open. In this case, the cache should store only # this object. permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_fake_role_1) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name)]), set([]) ) # Test if role 4 can write. In this case, the cache should have this # new object and the previous one (Open is allowed to role_1) permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_4) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name)]), set([]) ) # If we add a new role to the action open, the open action in cache # should be removed but it should still containing the write entry. db.session.add(ActionRoles(action='open', role=role_2)) db.session.flush() assert current_access.get_action_cache('open') is None permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_fake_role_2) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) # Test if the new role is added to the action 'open' permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_4) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) # If we update an action swapping a role, the cache containing the # action, should be removed. role_4_action_write = ActionRoles.query.filter( ActionRoles.action == 'write' and ActionRoles.role == role_4).first() role_4_action_write.role = role_3 db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') is not None assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) # Test if the role_3 can write now. permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_fake_role_4) permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_3) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_3.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) # If we remove a role from an action, the cache should clear the # action item. role_3_action_write = ActionRoles.query.filter( ActionRoles.action == 'write' and ActionRoles.role == role_3).first() db.session.delete(role_3_action_write) db.session.flush() assert current_access.get_action_cache('write') is None # If no one is allowed to perform an action then everybody is allowed. permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_3) assert current_access.get_action_cache('write') == ( set([]), set([]) ) db.session.add(ActionRoles(action='write', role=role_5)) db.session.flush() permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_5) permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_fake_role_3) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_5.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) # If you update the name of an existing action, the previous action # and the new action should be remove from cache. permission_write = DynamicPermission(ActionNeed('write')) assert permission_write.allows(identity_fake_role_5) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_5.name)]), set([]) ) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name)]), set([]) ) role_5_action_write = ActionRoles.query.filter( ActionRoles.action == 'write' and ActionRoles.role == role_5).first() role_5_action_write.action = 'open' db.session.flush() assert current_access.get_action_cache('write') is None assert current_access.get_action_cache('open') is None permission_open = DynamicPermission(ActionNeed('open')) assert permission_open.allows(identity_fake_role_1) assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name)]), set([]) ) db.session.add(ActionRoles(action='write', role=role_4)) permission_write = DynamicPermission(ActionNeed('write')) assert not permission_write.allows(identity_fake_role_5) assert current_access.get_action_cache('write') == ( set([Need(method='role', value=role_4.name)]), set([]) ) db.session.add(ActionRoles(action='open', argument='1', role=role_6)) db.session.flush() permission_open_1 = DynamicPermission( ParameterizedActionNeed('open', '1')) assert not permission_open.allows(identity_fake_role_6) assert permission_open_1.allows(identity_fake_role_6) assert current_access.get_action_cache('open::1') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name), Need(method='role', value=role_6.name)]), set([]) ) user_6_action_open_1 = ActionRoles.query.filter_by( action='open', argument='1', role_id=role_6.id).first() user_6_action_open_1.argument = '2' db.session.flush() assert current_access.get_action_cache('open::1') is None assert current_access.get_action_cache('open::2') is None permission_open_2 = DynamicPermission( ParameterizedActionNeed('open', '2')) assert permission_open_2.allows(identity_fake_role_6) assert current_access.get_action_cache('open::2') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name), Need(method='role', value=role_6.name)]), set([]) ) # open action cache should remain as before assert current_access.get_action_cache('open') == ( set([Need(method='role', value=role_1.name), Need(method='role', value=role_2.name), Need(method='role', value=role_5.name)]), set([]) )
def users(app): # Create test users hashed_password = hash_password('123456') user = User(email='*****@*****.**', password=hashed_password, active=True) user_partially_allowed = User( email='*****@*****.**', password=hashed_password, active=True, ) user_allowed = User( email='*****@*****.**', password=hashed_password, active=True, ) collection_restricted_role = Role(name='restrictedcollmaintainer') user_allowed_with_role = User(email='*****@*****.**', password=hashed_password, active=True, roles=[collection_restricted_role]) db.session.add_all([ user, user_partially_allowed, user_allowed, user_allowed_with_role, collection_restricted_role ]) db.session.commit() # Create actions for the allowed user restricted_collection_action = ActionUsers( action='view-restricted-collection', argument='Restricted Collection', user_id=user_allowed.id) another_restricted_collection_action = ActionUsers( action='view-restricted-collection', argument='Another Restricted Collection', user_id=user_allowed.id) # Create actions for the partially allowed user partial_restricted_collection_action = ActionUsers( action='view-restricted-collection', argument='Restricted Collection', user_id=user_partially_allowed.id) # Create actions for the allowed role partial_restricted_collection_role_action = ActionRoles( action='view-restricted-collection', argument='Restricted Collection', role_id=collection_restricted_role.id) role_only_collection_action = ActionRoles( action='view-restricted-collection', argument='Role only collection', role_id=collection_restricted_role.id) db.session.add_all([ restricted_collection_action, another_restricted_collection_action, partial_restricted_collection_action, partial_restricted_collection_role_action, role_only_collection_action ]) db.session.commit() yield current_cache.clear() SessionActivity.query.delete() ActionRoles.query.filter_by(action='view-restricted-collection').delete() ActionUsers.query.filter_by(action='view-restricted-collection').delete() User.query.filter_by(email='*****@*****.**').delete() User.query.filter_by(email='*****@*****.**').delete() User.query.filter_by(email='*****@*****.**').delete() db.session.delete( Role.query.filter_by(name='restrictedcollmaintainer').one()) db.session.delete( User.query.filter_by(email='*****@*****.**').one()) db.session.commit()