def setUp(self): super(PolicyTypeControllerRBACTestCase, self).setUp() self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) file_name = 'fake_policy_type_1.yaml' PolicyTypeControllerRBACTestCase.POLICY_TYPE_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'policytypes': [file_name]})['policytypes'][file_name] file_name = 'fake_policy_type_2.yaml' PolicyTypeControllerRBACTestCase.POLICY_TYPE_2 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'policytypes': [file_name]})['policytypes'][file_name] # Insert mock users, roles and assignments # Users user_1_db = UserDB(name='policy_type_list') user_1_db = User.add_or_update(user_1_db) self.users['policy_type_list'] = user_1_db user_2_db = UserDB(name='policy_type_view') user_2_db = User.add_or_update(user_2_db) self.users['policy_type_view'] = user_2_db # Roles # policy_type_list grant_db = PermissionGrantDB(resource_uid=None, resource_type=ResourceType.POLICY_TYPE, permission_types=[PermissionType.POLICY_TYPE_LIST]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='policy_type_list', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['policy_type_list'] = role_1_db # policy_type_view on timer 1 policy_type_uid = self.models['policytypes']['fake_policy_type_1.yaml'].get_uid() grant_db = PermissionGrantDB(resource_uid=policy_type_uid, resource_type=ResourceType.POLICY_TYPE, permission_types=[PermissionType.POLICY_TYPE_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='policy_type_view', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['policy_type_view'] = role_1_db # Role assignments role_assignment_db = UserRoleAssignmentDB( user=self.users['policy_type_list'].name, role=self.roles['policy_type_list'].name, source='assignments/%s.yaml' % self.users['policy_type_list'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['policy_type_view'].name, role=self.roles['policy_type_view'].name, source='assignments/%s.yaml' % self.users['policy_type_view'].name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(RunnerPermissionsResolverTestCase, self).setUp() # Create some mock users user_1_db = UserDB(name='custom_role_runner_view_grant') user_1_db = User.add_or_update(user_1_db) self.users['custom_role_runner_view_grant'] = user_1_db user_2_db = UserDB(name='custom_role_runner_modify_grant') user_2_db = User.add_or_update(user_2_db) self.users['custom_role_runner_modify_grant'] = user_2_db # Create some mock resources on which permissions can be granted runner_1_db = RunnerTypeDB(name='runner_1') self.resources['runner_1'] = runner_1_db runner_2_db = RunnerTypeDB(name='runner_2') self.resources['runner_2'] = runner_2_db # Create some mock roles with associated permission grants # Custom role - "runner_view" grant on runner_1 grant_db = PermissionGrantDB( resource_uid=self.resources['runner_1'].get_uid(), resource_type=ResourceType.RUNNER, permission_types=[PermissionType.RUNNER_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_db = RoleDB(name='custom_role_runner_view_grant', permission_grants=permission_grants) role_db = Role.add_or_update(role_db) self.roles['custom_role_runner_view_grant'] = role_db # Custom role - "runner_modify" grant on runner_2 grant_db = PermissionGrantDB( resource_uid=self.resources['runner_2'].get_uid(), resource_type=ResourceType.RUNNER, permission_types=[PermissionType.RUNNER_MODIFY]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_db = RoleDB(name='custom_role_runner_modify_grant', permission_grants=permission_grants) role_db = Role.add_or_update(role_db) self.roles['custom_role_runner_modify_grant'] = role_db # Create some mock role assignments user_db = self.users['custom_role_runner_view_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_runner_view_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_runner_modify_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_runner_modify_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(WebhookControllerRBACTestCase, self).setUp() # Insert mock users, roles and assignments # Users user_1_db = UserDB(name='webhook_list') user_1_db = User.add_or_update(user_1_db) self.users['webhook_list'] = user_1_db user_2_db = UserDB(name='webhook_view') user_2_db = User.add_or_update(user_2_db) self.users['webhook_view'] = user_2_db # Roles # webhook_list grant_db = PermissionGrantDB( resource_uid=None, resource_type=ResourceType.WEBHOOK, permission_types=[PermissionType.WEBHOOK_LIST]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='webhook_list', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['webhook_list'] = role_1_db # webhook_view on webhook 1 (git) name = 'git' webhook_db = WebhookDB(name=name) webhook_uid = webhook_db.get_uid() grant_db = PermissionGrantDB( resource_uid=webhook_uid, resource_type=ResourceType.WEBHOOK, permission_types=[PermissionType.WEBHOOK_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='webhook_view', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['webhook_view'] = role_1_db # Role assignments role_assignment_db = UserRoleAssignmentDB( user=self.users['webhook_list'].name, role=self.roles['webhook_list'].name, source='assignments/%s.yaml' % self.users['webhook_list'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['webhook_view'].name, role=self.roles['webhook_view'].name, source='assignments/%s.yaml' % self.users['webhook_view'].name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(ActionExecutionRBACControllerTestCase, self).setUp() self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) # Insert mock users, roles and assignments # Users user_1_db = UserDB(name='multiple_roles') user_1_db = User.add_or_update(user_1_db) self.users['multiple_roles'] = user_1_db # Roles roles = ['role_1', 'role_2', 'role_3'] for role in roles: role_db = RoleDB(name=role) Role.add_or_update(role_db) # Role assignments user_db = self.users['multiple_roles'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role='admin', source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) for role in roles: role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=role, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(TestRbacController, self).setUp() permissions = [ PermissionType.RULE_CREATE, PermissionType.RULE_VIEW, PermissionType.RULE_MODIFY, PermissionType.RULE_DELETE ] for name in permissions: user_db = UserDB(name=name) user_db = User.add_or_update(user_db) self.users[name] = user_db # Roles # action_create grant on parent pack grant_db = PermissionGrantDB(resource_uid='pack:examples', resource_type=ResourceType.PACK, permission_types=[name]) grant_db = PermissionGrant.add_or_update(grant_db) grant_2_db = PermissionGrantDB( resource_uid='action:wolfpack:action-1', resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_EXECUTE]) grant_2_db = PermissionGrant.add_or_update(grant_2_db) permission_grants = [str(grant_db.id), str(grant_2_db.id)] role_db = RoleDB(name=name, permission_grants=permission_grants) role_db = Role.add_or_update(role_db) self.roles[name] = role_db # Role assignments role_assignment_db = UserRoleAssignmentDB(user=user_db.name, role=role_db.name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(RBACRoleAssignmentsControllerRBACTestCase, self).setUp() # Insert mock users, roles and assignments self.role_assignments = {} # Users user_1_db = UserDB(name='user_foo') user_1_db = User.add_or_update(user_1_db) self.users['user_foo'] = user_1_db # Roles role_1_db = RoleDB(name='user_foo', permission_grants=[]) role_1_db = Role.add_or_update(role_1_db) self.roles['user_foo'] = role_1_db # Role assignments role_assignment_db = UserRoleAssignmentDB( user=self.users['user_foo'].name, role=self.roles['user_foo'].name, source='assignments/%s.yaml' % self.users['user_foo'].name) UserRoleAssignment.add_or_update(role_assignment_db) self.role_assignments['assignment_one'] = role_assignment_db role_assignment_db = UserRoleAssignmentDB( user='******', role=self.roles['user_foo'].name, source='assignments/user_bar.yaml') UserRoleAssignment.add_or_update(role_assignment_db) self.role_assignments['assignment_two'] = role_assignment_db
def setUp(self): super(ExecutionViewsFiltersControllerRBACTestCase, self).setUp() # Insert mock users, roles and assignments # Users user_1_db = UserDB(name='execution_views_filters_list') user_1_db = User.add_or_update(user_1_db) self.users['execution_views_filters_list'] = user_1_db # Roles # trace_list permission_types = [PermissionType.EXECUTION_VIEWS_FILTERS_LIST] grant_db = PermissionGrantDB(resource_uid=None, resource_type=ResourceType.EXECUTION, permission_types=permission_types) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='execution_views_filters_list', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['execution_views_filters_list'] = role_1_db # Role assignments role_assignment_db = UserRoleAssignmentDB( user=self.users['execution_views_filters_list'].name, role=self.roles['execution_views_filters_list'].name, source='assignments/%s.yaml' % self.users['execution_views_filters_list'].name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(WebhookPermissionsResolverTestCase, self).setUp() # Create some mock users user_1_db = UserDB(name='custom_role_webhook_grant') user_1_db = User.add_or_update(user_1_db) self.users['custom_role_webhook_grant'] = user_1_db # Create some mock resources on which permissions can be granted webhook_1_db = WebhookDB(name='st2/') self.resources['webhook_1'] = webhook_1_db # Create some mock roles with associated permission grants # Custom role - "webhook_send" grant on webhook_1 grant_db = PermissionGrantDB( resource_uid=self.resources['webhook_1'].get_uid(), resource_type=ResourceType.WEBHOOK, permission_types=[PermissionType.WEBHOOK_SEND]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_db = RoleDB(name='custom_role_webhook_grant', permission_grants=permission_grants) role_db = Role.add_or_update(role_db) self.roles['custom_role_webhook_grant'] = role_db # Create some mock role assignments user_db = self.users['custom_role_webhook_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_webhook_grant'].name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(ActionControllerRBACTestCase, self).setUp() self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) file_name = 'action1.yaml' ActionControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'actions': [file_name]})['actions'][file_name] # Insert mock users, roles and assignments # Users user_2_db = UserDB(name='action_create') user_2_db = User.add_or_update(user_2_db) self.users['action_create'] = user_2_db # Roles # action_create grant on parent pack grant_db = PermissionGrantDB( resource_uid='pack:examples', resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='action_create', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['action_create'] = role_1_db # Role assignments user_db = self.users['action_create'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['action_create'].name) UserRoleAssignment.add_or_update(role_assignment_db)
def create_role(name, description=None): """ Create a new role. """ if name in SystemRole.get_valid_values(): raise ValueError('"%s" role name is blacklisted' % (name)) role_db = RoleDB(name=name, description=description) role_db = Role.add_or_update(role_db) return role_db
def insert_system_roles(): """ Migration which inserts the default system roles. """ system_roles = SystemRole.get_valid_values() for role_name in system_roles: description = role_name role_db = RoleDB(name=role_name, description=description, system=True) try: Role.insert(role_db, log_not_unique_error_as_debug=True) except (StackStormDBObjectConflictError, NotUniqueError): pass
def insert_system_roles(): """ Migration which inserts the default system roles. """ system_roles = SystemRole.get_valid_values() LOG.debug('Inserting system roles (%s)' % (str(system_roles))) for role_name in system_roles: description = role_name role_db = RoleDB(name=role_name, description=description, system=True) try: role_db.save() except (StackStormDBObjectConflictError, NotUniqueError): # Role already exists error is not fatal pass
def setUp(self): super(ActionViewsControllerRBACTestCase, self).setUp() self.models = self.fixtures_loader.save_fixtures_to_db( fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) file_name = 'a1.yaml' ActionViewsControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'actions': [file_name]})['actions'][file_name] file_name = 'a2.yaml' ActionViewsControllerRBACTestCase.ACTION_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'actions': [file_name]})['actions'][file_name] # Insert mock users, roles and assignments # Users user_2_db = UserDB(name='action_view_a1') user_2_db = User.add_or_update(user_2_db) self.users['action_view_a1'] = user_2_db # Roles # action_view on a1 action_uid = self.models['actions']['a1.yaml'].get_uid() grant_db = PermissionGrantDB( resource_uid=action_uid, resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='action_view_a1', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['action_view_a1'] = role_1_db # Role assignments role_assignment_db = UserRoleAssignmentDB( user=self.users['action_view_a1'].name, role=self.roles['action_view_a1'].name, source='assignments/%s.yaml' % self.users['action_view_a1'].name) UserRoleAssignment.add_or_update(role_assignment_db)
def _insert_common_mock_roles(self): # Insert common mock roles admin_role_db = rbac_service.get_role_by_name(name=SystemRole.ADMIN) observer_role_db = rbac_service.get_role_by_name(name=SystemRole.OBSERVER) self.roles['admin_role'] = admin_role_db self.roles['observer_role'] = observer_role_db # Custom role 1 - no grants role_1_db = rbac_service.create_role(name='custom_role_1') self.roles['custom_role_1'] = role_1_db # Custom role 2 - one grant on pack_1 # "pack_create" on pack_1 grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.PACK_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_3_db = RoleDB(name='custom_role_pack_grant', permission_grants=permission_grants) role_3_db = Role.add_or_update(role_3_db) self.roles['custom_role_pack_grant'] = role_3_db
def setUp(self): super(ActionPermissionsResolverTestCase, self).setUp() # Create some mock users user_1_db = UserDB(name='1_role_action_pack_grant') user_1_db = User.add_or_update(user_1_db) self.users['custom_role_action_pack_grant'] = user_1_db user_2_db = UserDB(name='1_role_action_grant') user_2_db = User.add_or_update(user_2_db) self.users['custom_role_action_grant'] = user_2_db user_3_db = UserDB(name='custom_role_pack_action_all_grant') user_3_db = User.add_or_update(user_3_db) self.users['custom_role_pack_action_all_grant'] = user_3_db user_4_db = UserDB(name='custom_role_action_all_grant') user_4_db = User.add_or_update(user_4_db) self.users['custom_role_action_all_grant'] = user_4_db user_5_db = UserDB(name='custom_role_action_execute_grant') user_5_db = User.add_or_update(user_5_db) self.users['custom_role_action_execute_grant'] = user_5_db user_6_db = UserDB(name='action_pack_action_create_grant') user_6_db = User.add_or_update(user_6_db) self.users['action_pack_action_create_grant'] = user_6_db user_7_db = UserDB(name='action_pack_action_all_grant') user_7_db = User.add_or_update(user_7_db) self.users['action_pack_action_all_grant'] = user_7_db user_8_db = UserDB(name='action_action_create_grant') user_8_db = User.add_or_update(user_8_db) self.users['action_action_create_grant'] = user_8_db user_9_db = UserDB(name='action_action_all_grant') user_9_db = User.add_or_update(user_9_db) self.users['action_action_all_grant'] = user_9_db user_10_db = UserDB(name='custom_role_action_list_grant') user_10_db = User.add_or_update(user_10_db) self.users['custom_role_action_list_grant'] = user_10_db # Create some mock resources on which permissions can be granted action_1_db = ActionDB(pack='test_pack_1', name='action1', entry_point='', runner_type={'name': 'local-shell-cmd'}) action_1_db = Action.add_or_update(action_1_db) self.resources['action_1'] = action_1_db action_2_db = ActionDB(pack='test_pack_1', name='action2', entry_point='', runner_type={'name': 'local-shell-cmd'}) action_2_db = Action.add_or_update(action_1_db) self.resources['action_2'] = action_2_db action_3_db = ActionDB(pack='test_pack_2', name='action3', entry_point='', runner_type={'name': 'local-shell-cmd'}) action_3_db = Action.add_or_update(action_3_db) self.resources['action_3'] = action_3_db # Create some mock roles with associated permission grants # Custom role 2 - one grant on parent pack # "action_view" on pack_1 grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_3_db = RoleDB(name='custom_role_action_pack_grant', permission_grants=permission_grants) role_3_db = Role.add_or_update(role_3_db) self.roles['custom_role_action_pack_grant'] = role_3_db # Custom role 4 - one grant on action # "action_view" on action_3 grant_db = PermissionGrantDB(resource_uid=self.resources['action_3'].get_uid(), resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_action_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_action_grant'] = role_4_db # Custom role - "action_all" grant on a parent action pack grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_pack_action_all_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_pack_action_all_grant'] = role_4_db # Custom role - "action_all" grant on action grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(), resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_action_all_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_action_all_grant'] = role_4_db # Custom role - "action_execute" on action_1 grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(), resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_EXECUTE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_5_db = RoleDB(name='custom_role_action_execute_grant', permission_grants=permission_grants) role_5_db = Role.add_or_update(role_5_db) self.roles['custom_role_action_execute_grant'] = role_5_db # Custom role - "action_create" grant on pack_1 grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_6_db = RoleDB(name='action_pack_action_create_grant', permission_grants=permission_grants) role_6_db = Role.add_or_update(role_6_db) self.roles['action_pack_action_create_grant'] = role_6_db # Custom role - "action_all" grant on pack_1 grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_7_db = RoleDB(name='action_pack_action_all_grant', permission_grants=permission_grants) role_7_db = Role.add_or_update(role_7_db) self.roles['action_pack_action_all_grant'] = role_7_db # Custom role - "action_create" grant on action_1 grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(), resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_8_db = RoleDB(name='action_action_create_grant', permission_grants=permission_grants) role_8_db = Role.add_or_update(role_8_db) self.roles['action_action_create_grant'] = role_8_db # Custom role - "action_all" grant on action_1 grant_db = PermissionGrantDB(resource_uid=self.resources['action_1'].get_uid(), resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_9_db = RoleDB(name='action_action_all_grant', permission_grants=permission_grants) role_9_db = Role.add_or_update(role_9_db) self.roles['action_action_all_grant'] = role_9_db # Custom role - "action_list" grant grant_db = PermissionGrantDB(resource_uid=None, resource_type=None, permission_types=[PermissionType.ACTION_LIST]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_10_db = RoleDB(name='custom_role_action_list_grant', permission_grants=permission_grants) role_10_db = Role.add_or_update(role_10_db) self.roles['custom_role_action_list_grant'] = role_10_db # Create some mock role assignments user_db = self.users['custom_role_action_pack_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_action_pack_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_action_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_action_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_pack_action_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_pack_action_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_action_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_action_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_action_execute_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_action_execute_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['action_pack_action_create_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['action_pack_action_create_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['action_pack_action_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['action_pack_action_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['action_action_create_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['action_action_create_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['action_action_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['action_action_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_action_list_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_action_list_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(RulePermissionsResolverTestCase, self).setUp() # Register internal triggers - this is needed so we can reference an internal trigger # inside a mock rule register_internal_trigger_types() # Create some mock users user_1_db = UserDB(name='1_role_rule_pack_grant') user_1_db = User.add_or_update(user_1_db) self.users['custom_role_rule_pack_grant'] = user_1_db user_2_db = UserDB(name='1_role_rule_grant') user_2_db = User.add_or_update(user_2_db) self.users['custom_role_rule_grant'] = user_2_db user_3_db = UserDB(name='custom_role_pack_rule_all_grant') user_3_db = User.add_or_update(user_3_db) self.users['custom_role_pack_rule_all_grant'] = user_3_db user_4_db = UserDB(name='custom_role_rule_all_grant') user_4_db = User.add_or_update(user_4_db) self.users['custom_role_rule_all_grant'] = user_4_db user_5_db = UserDB(name='custom_role_rule_modify_grant') user_5_db = User.add_or_update(user_5_db) self.users['custom_role_rule_modify_grant'] = user_5_db user_6_db = UserDB(name='rule_pack_rule_create_grant') user_6_db = User.add_or_update(user_6_db) self.users['rule_pack_rule_create_grant'] = user_6_db user_7_db = UserDB(name='rule_pack_rule_all_grant') user_7_db = User.add_or_update(user_7_db) self.users['rule_pack_rule_all_grant'] = user_7_db user_8_db = UserDB(name='rule_rule_create_grant') user_8_db = User.add_or_update(user_8_db) self.users['rule_rule_create_grant'] = user_8_db user_9_db = UserDB(name='rule_rule_all_grant') user_9_db = User.add_or_update(user_9_db) self.users['rule_rule_all_grant'] = user_9_db # Create some mock resources on which permissions can be granted rule_1_db = RuleDB(pack='test_pack_1', name='rule1', action={'ref': 'core.local'}, trigger='core.st2.key_value_pair.create') rule_1_db = Rule.add_or_update(rule_1_db) self.resources['rule_1'] = rule_1_db rule_2_db = RuleDB(pack='test_pack_1', name='rule2') rule_2_db = Rule.add_or_update(rule_2_db) self.resources['rule_2'] = rule_2_db rule_3_db = RuleDB(pack='test_pack_2', name='rule3') rule_3_db = Rule.add_or_update(rule_3_db) self.resources['rule_3'] = rule_3_db # Create some mock roles with associated permission grants # Custom role 2 - one grant on parent pack # "rule_view" on pack_1 grant_db = PermissionGrantDB( resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_3_db = RoleDB(name='custom_role_rule_pack_grant', permission_grants=permission_grants) role_3_db = Role.add_or_update(role_3_db) self.roles['custom_role_rule_pack_grant'] = role_3_db # Custom role 4 - one grant on rule # "rule_view on rule_3 grant_db = PermissionGrantDB( resource_uid=self.resources['rule_3'].get_uid(), resource_type=ResourceType.RULE, permission_types=[PermissionType.RULE_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_rule_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_rule_grant'] = role_4_db # Custom role - "rule_all" grant on a parent rule pack grant_db = PermissionGrantDB( resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_pack_rule_all_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_pack_rule_all_grant'] = role_4_db # Custom role - "rule_all" grant on a rule grant_db = PermissionGrantDB( resource_uid=self.resources['rule_1'].get_uid(), resource_type=ResourceType.RULE, permission_types=[PermissionType.RULE_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_rule_all_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_rule_all_grant'] = role_4_db # Custom role - "rule_modify" on role_1 grant_db = PermissionGrantDB( resource_uid=self.resources['rule_1'].get_uid(), resource_type=ResourceType.RULE, permission_types=[PermissionType.RULE_MODIFY]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_5_db = RoleDB(name='custom_role_rule_modify_grant', permission_grants=permission_grants) role_5_db = Role.add_or_update(role_5_db) self.roles['custom_role_rule_modify_grant'] = role_5_db # Custom role - "rule_create" grant on pack_1 grant_db = PermissionGrantDB( resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_6_db = RoleDB(name='rule_pack_rule_create_grant', permission_grants=permission_grants) role_6_db = Role.add_or_update(role_6_db) self.roles['rule_pack_rule_create_grant'] = role_6_db # Custom role - "rule_all" grant on pack_1 grant_db = PermissionGrantDB( resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_7_db = RoleDB(name='rule_pack_rule_all_grant', permission_grants=permission_grants) role_7_db = Role.add_or_update(role_7_db) self.roles['rule_pack_rule_all_grant'] = role_7_db # Custom role - "rule_create" grant on rule_1 grant_db = PermissionGrantDB( resource_uid=self.resources['rule_1'].get_uid(), resource_type=ResourceType.RULE, permission_types=[PermissionType.RULE_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_8_db = RoleDB(name='rule_rule_create_grant', permission_grants=permission_grants) role_8_db = Role.add_or_update(role_8_db) self.roles['rule_rule_create_grant'] = role_8_db # Custom role - "rule_all" grant on rule_1 grant_db = PermissionGrantDB( resource_uid=self.resources['rule_1'].get_uid(), resource_type=ResourceType.RULE, permission_types=[PermissionType.RULE_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_9_db = RoleDB(name='rule_rule_all_grant', permission_grants=permission_grants) role_9_db = Role.add_or_update(role_9_db) self.roles['rule_rule_all_grant'] = role_9_db # Create some mock role assignments user_db = self.users['custom_role_rule_pack_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_rule_pack_grant'].name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_rule_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_rule_grant'].name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_pack_rule_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_pack_rule_all_grant'].name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_rule_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_rule_all_grant'].name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_rule_modify_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_rule_modify_grant'].name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['rule_pack_rule_create_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_pack_rule_create_grant'].name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['rule_pack_rule_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_pack_rule_all_grant'].name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['rule_rule_create_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_rule_create_grant'].name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['rule_rule_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_rule_all_grant'].name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(ActionAliasPermissionsResolverTestCase, self).setUp() # Create some mock users user_1_db = UserDB(name='alias_pack_grant') user_1_db = User.add_or_update(user_1_db) self.users['alias_pack_grant'] = user_1_db user_2_db = UserDB(name='alias_grant') user_2_db = User.add_or_update(user_2_db) self.users['alias_grant'] = user_2_db user_3_db = UserDB(name='pack_alias_all_grant') user_3_db = User.add_or_update(user_3_db) self.users['pack_alias_all_grant'] = user_3_db user_4_db = UserDB(name='alias_all_grant') user_4_db = User.add_or_update(user_4_db) self.users['alias_all_grant'] = user_4_db user_5_db = UserDB(name='alias_modify_grant') user_5_db = User.add_or_update(user_5_db) self.users['alias_modify_grant'] = user_5_db user_6_db = UserDB(name='alias_pack_alias_create_grant') user_6_db = User.add_or_update(user_6_db) self.users['alias_pack_alias_create_grant'] = user_6_db user_7_db = UserDB(name='alias_pack_alias_all_grant') user_7_db = User.add_or_update(user_7_db) self.users['alias_pack_alias_all_grant'] = user_7_db user_8_db = UserDB(name='alias_alias_create_grant') user_8_db = User.add_or_update(user_8_db) self.users['alias_alias_create_grant'] = user_8_db user_10_db = UserDB(name='alias_list_grant') user_10_db = User.add_or_update(user_10_db) self.users['alias_list_grant'] = user_10_db # Create some mock resources on which permissions can be granted alias_1_db = ActionAliasDB(pack='test_pack_1', name='alias1', formats=['a'], action_ref='core.local') self.resources['alias_1'] = alias_1_db alias_2_db = ActionAliasDB(pack='test_pack_1', name='alias2', formats=['a'], action_ref='core.local') self.resources['alias_2'] = alias_2_db alias_3_db = ActionAliasDB(pack='test_pack_2', name='alias3', formats=['a'], action_ref='core.local') self.resources['alias_3'] = alias_3_db # Create some mock roles with associated permission grants # One grant on parent pack, action_alias_view on pack1 grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_ALIAS_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_3_db = RoleDB(name='alias_pack_grant', permission_grants=permission_grants) role_3_db = Role.add_or_update(role_3_db) self.roles['alias_pack_grant'] = role_3_db # "action_alias_view" on alias_3 grant_db = PermissionGrantDB(resource_uid=self.resources['alias_3'].get_uid(), resource_type=ResourceType.ACTION_ALIAS, permission_types=[PermissionType.ACTION_ALIAS_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='alias_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['alias_grant'] = role_4_db # Custom role - "action_alias_all" grant on a parent pack grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_ALIAS_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='pack_alias_all_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['pack_alias_all_grant'] = role_4_db # Custom role - "action_alias_all" grant on alias grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(), resource_type=ResourceType.ACTION_ALIAS, permission_types=[PermissionType.ACTION_ALIAS_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='alias_all_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['alias_all_grant'] = role_4_db # Custom role - "alias_modify" on alias_1 grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(), resource_type=ResourceType.ACTION_ALIAS, permission_types=[PermissionType.ACTION_ALIAS_MODIFY]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_5_db = RoleDB(name='alias_modify_grant', permission_grants=permission_grants) role_5_db = Role.add_or_update(role_5_db) self.roles['alias_modify_grant'] = role_5_db # Custom role - "action_alias_create" grant on pack_1 grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_ALIAS_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_6_db = RoleDB(name='alias_pack_alias_create_grant', permission_grants=permission_grants) role_6_db = Role.add_or_update(role_6_db) self.roles['alias_pack_alias_create_grant'] = role_6_db # Custom role - "action_alias_all" grant on pack_1 grant_db = PermissionGrantDB(resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_ALIAS_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_7_db = RoleDB(name='alias_pack_alias_all_grant', permission_grants=permission_grants) role_7_db = Role.add_or_update(role_7_db) self.roles['alias_pack_alias_all_grant'] = role_7_db # Custom role - "action_alias_create" grant on alias_1 grant_db = PermissionGrantDB(resource_uid=self.resources['alias_1'].get_uid(), resource_type=ResourceType.ACTION_ALIAS, permission_types=[PermissionType.ACTION_ALIAS_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_8_db = RoleDB(name='alias_alias_create_grant', permission_grants=permission_grants) role_8_db = Role.add_or_update(role_8_db) self.roles['alias_alias_create_grant'] = role_8_db # Custom role - "alias_list" grant grant_db = PermissionGrantDB(resource_uid=None, resource_type=None, permission_types=[PermissionType.ACTION_ALIAS_LIST]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_10_db = RoleDB(name='alias_list_grant', permission_grants=permission_grants) role_10_db = Role.add_or_update(role_10_db) self.roles['alias_list_grant'] = role_10_db # Create some mock role assignments user_db = self.users['alias_pack_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['alias_pack_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['alias_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['alias_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['pack_alias_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['pack_alias_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['alias_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['alias_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['alias_modify_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['alias_modify_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['alias_pack_alias_create_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['alias_pack_alias_create_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['alias_pack_alias_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['alias_pack_alias_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['alias_alias_create_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['alias_alias_create_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['alias_list_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['alias_list_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(BaseRuleControllerRBACTestCase, self).setUp() self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) file_name = 'rule_with_webhook_trigger.yaml' self.RULE_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'rules': [file_name]})['rules'][file_name] file_name = 'rule_example_pack.yaml' self.RULE_2 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'rules': [file_name]})['rules'][file_name] file_name = 'rule_action_doesnt_exist.yaml' self.RULE_3 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'rules': [file_name]})['rules'][file_name] # Insert mock users, roles and assignments # Users user_1_db = UserDB(name='rule_create') user_1_db = User.add_or_update(user_1_db) self.users['rule_create'] = user_1_db user_2_db = UserDB(name='rule_create_webhook_create') user_2_db = User.add_or_update(user_2_db) self.users['rule_create_webhook_create'] = user_2_db user_3_db = UserDB( name='rule_create_webhook_create_core_local_execute') user_3_db = User.add_or_update(user_3_db) self.users['rule_create_webhook_create_core_local_execute'] = user_3_db user_4_db = UserDB(name='rule_create_1') user_4_db = User.add_or_update(user_4_db) self.users['rule_create_1'] = user_4_db user_5_db = UserDB(name='user_two') user_5_db = User.add_or_update(user_5_db) self.users['user_two'] = user_5_db user_6_db = UserDB(name='user_three') user_6_db = User.add_or_update(user_6_db) self.users['user_three'] = user_6_db # Roles # rule_create grant on parent pack grant_db = PermissionGrantDB( resource_uid='pack:examples', resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='rule_create', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['rule_create'] = role_1_db # rule_create grant on parent pack, webhook_create on webhook "sample" grant_1_db = PermissionGrantDB( resource_uid='pack:examples', resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_CREATE]) grant_1_db = PermissionGrant.add_or_update(grant_1_db) grant_2_db = PermissionGrantDB( resource_uid='webhook:sample', resource_type=ResourceType.WEBHOOK, permission_types=[PermissionType.WEBHOOK_CREATE]) grant_2_db = PermissionGrant.add_or_update(grant_2_db) permission_grants = [str(grant_1_db.id), str(grant_2_db.id)] role_2_db = RoleDB(name='rule_create_webhook_create', permission_grants=permission_grants) role_2_db = Role.add_or_update(role_2_db) self.roles['rule_create_webhook_create'] = role_2_db # rule_create grant on parent pack, webhook_create on webhook "sample", action_execute on # core.local grant_1_db = PermissionGrantDB( resource_uid='pack:examples', resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_CREATE]) grant_1_db = PermissionGrant.add_or_update(grant_1_db) grant_2_db = PermissionGrantDB( resource_uid='webhook:sample', resource_type=ResourceType.WEBHOOK, permission_types=[PermissionType.WEBHOOK_CREATE]) grant_2_db = PermissionGrant.add_or_update(grant_2_db) grant_3_db = PermissionGrantDB( resource_uid='action:core:local', resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_EXECUTE]) grant_3_db = PermissionGrant.add_or_update(grant_3_db) permission_grants = [ str(grant_1_db.id), str(grant_2_db.id), str(grant_3_db.id) ] role_3_db = RoleDB( name='rule_create_webhook_create_core_local_execute', permission_grants=permission_grants) role_3_db = Role.add_or_update(role_3_db) self.roles['rule_create_webhook_create_core_local_execute'] = role_3_db # rule_create, rule_list, webhook_create, action_execute on parent pack grant_6_db = PermissionGrantDB( resource_uid='pack:examples', resource_type=ResourceType.RULE, permission_types=[PermissionType.RULE_LIST]) grant_6_db = PermissionGrant.add_or_update(grant_6_db) permission_grants = [ str(grant_1_db.id), str(grant_2_db.id), str(grant_3_db.id), str(grant_6_db.id) ] role_5_db = RoleDB( name='rule_create_list_webhook_create_core_local_execute', permission_grants=permission_grants) role_5_db = Role.add_or_update(role_5_db) self.roles[ 'rule_create_list_webhook_create_core_local_execute'] = role_5_db # rule_create grant on parent pack, webhook_create on webhook "sample", action_execute on # examples and wolfpack grant_1_db = PermissionGrantDB( resource_uid='pack:examples', resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_CREATE]) grant_1_db = PermissionGrant.add_or_update(grant_1_db) grant_2_db = PermissionGrantDB( resource_uid='webhook:sample', resource_type=ResourceType.WEBHOOK, permission_types=[PermissionType.WEBHOOK_CREATE]) grant_2_db = PermissionGrant.add_or_update(grant_2_db) grant_3_db = PermissionGrantDB( resource_uid='pack:wolfpack', resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_ALL]) grant_3_db = PermissionGrant.add_or_update(grant_3_db) grant_4_db = PermissionGrantDB( resource_uid=None, resource_type=ResourceType.RULE, permission_types=[PermissionType.RULE_LIST]) grant_4_db = PermissionGrant.add_or_update(grant_4_db) grant_5_db = PermissionGrantDB( resource_uid='pack:examples', resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_ALL]) grant_5_db = PermissionGrant.add_or_update(grant_5_db) permission_grants = [ str(grant_1_db.id), str(grant_2_db.id), str(grant_3_db.id), str(grant_4_db.id), str(grant_5_db.id) ] role_4_db = RoleDB(name='rule_create_webhook_create_action_execute', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['rule_create_webhook_create_action_execute'] = role_4_db # Role assignments user_db = self.users['rule_create'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_create'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['rule_create_webhook_create'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_create_webhook_create'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['rule_create_webhook_create_core_local_execute'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_create_webhook_create_core_local_execute']. name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['rule_create_1'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_create_webhook_create_action_execute'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['user_two'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role='rule_create_list_webhook_create_core_local_execute', source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['user_three'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role='rule_create_list_webhook_create_core_local_execute', source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db)
def test_insert(self): role_db = RoleDB(name='role-1', description='test role', system=True) created = Role.insert(role_db) retrieved = Role.get_by_id(created.id) self.assertEqual(retrieved.name, role_db.name, 'Failed to save RoleDB object.')
def setUp(self): super(ApiKeyControllerRBACTestCase, self).setUp() self.models = self.fixtures_loader.save_fixtures_to_db( fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) file_name = 'apikey1.yaml' ApiKeyControllerRBACTestCase.API_KEY_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'apikeys': [file_name]})['apikeys'][file_name] file_name = 'apikey2.yaml' ApiKeyControllerRBACTestCase.API_KEY_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'apikeys': [file_name]})['apikeys'][file_name] # Insert mock users, roles and assignments # Users user_1_db = UserDB(name='api_key_list') user_1_db = User.add_or_update(user_1_db) self.users['api_key_list'] = user_1_db user_2_db = UserDB(name='api_key_view') user_2_db = User.add_or_update(user_2_db) self.users['api_key_view'] = user_2_db user_3_db = UserDB(name='api_key_create') user_3_db = User.add_or_update(user_3_db) self.users['api_key_create'] = user_3_db # Roles # api_key_list grant_db = PermissionGrantDB( resource_uid=None, resource_type=ResourceType.API_KEY, permission_types=[PermissionType.API_KEY_LIST]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='api_key_list', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['api_key_list'] = role_1_db # api_key_view on apikey1 api_key_uid = self.models['apikeys']['apikey1.yaml'].get_uid() grant_db = PermissionGrantDB( resource_uid=api_key_uid, resource_type=ResourceType.API_KEY, permission_types=[PermissionType.API_KEY_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='api_key_view', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['api_key_view'] = role_1_db # api_key_list grant_db = PermissionGrantDB( resource_uid=None, resource_type=ResourceType.API_KEY, permission_types=[PermissionType.API_KEY_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='api_key_create', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['api_key_create'] = role_1_db # Role assignments role_assignment_db = UserRoleAssignmentDB( user=self.users['api_key_list'].name, role=self.roles['api_key_list'].name, source='assignments/%s.yaml' % self.users['api_key_list'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['api_key_view'].name, role=self.roles['api_key_view'].name, source='assignments/%s.yaml' % self.users['api_key_view'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['api_key_create'].name, role=self.roles['api_key_create'].name, source='assignments/%s.yaml' % self.users['api_key_create'].name) UserRoleAssignment.add_or_update(role_assignment_db)
def test_user_custom_all_permissions_for_system_scope_kvps(self): resolver = KeyValuePermissionsResolver() kvp_1_uid = "%s:%s:key1" % (ResourceType.KEY_VALUE_PAIR, FULL_SYSTEM_SCOPE) kvp_1_db = self.resources[kvp_1_uid] kvp_2_uid = "%s:%s:key2" % (ResourceType.KEY_VALUE_PAIR, FULL_SYSTEM_SCOPE) kvp_2_db = self.resources[kvp_2_uid] # Setup user, grant, role, and assignment records user_db = UserDB(name="system_key1_all") user_db = User.add_or_update(user_db) self.users[user_db.name] = user_db grant_db = PermissionGrantDB( resource_uid=kvp_1_db.get_uid(), resource_type=ResourceType.KEY_VALUE_PAIR, permission_types=[PermissionType.KEY_VALUE_PAIR_ALL], ) grant_db = PermissionGrant.add_or_update(grant_db) role_db = RoleDB( name="custom_role_system_key1_all_grant", permission_grants=[str(grant_db.id)], ) role_db = Role.add_or_update(role_db) self.roles[role_db.name] = role_db role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=role_db.name, source="assignments/%s.yaml" % user_db.name, ) UserRoleAssignment.add_or_update(role_assignment_db) # User should not have general list permissions on system kvps. self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_db, resource_db=KeyValuePairDB(scope=FULL_SYSTEM_SCOPE), permission_type=PermissionType.KEY_VALUE_PAIR_LIST, ) # User should have read and write permissions on system kvp key1. self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=kvp_1_db, permission_types=self.read_permission_types, ) self.assertUserHasResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=kvp_1_db, permission_types=self.write_permission_types, ) # User should have no read and no write permissions on system kvp key2. self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=kvp_2_db, permission_types=self.read_permission_types, ) self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_db, resource_db=kvp_2_db, permission_types=self.write_permission_types, )
def setUp(self): super(SensorPermissionsResolverTestCase, self).setUp() # Create some mock users user_1_db = UserDB(name='1_role_sensor_pack_grant') user_1_db = User.add_or_update(user_1_db) self.users['custom_role_sensor_pack_grant'] = user_1_db user_2_db = UserDB(name='1_role_sensor_grant') user_2_db = User.add_or_update(user_2_db) self.users['custom_role_sensor_grant'] = user_2_db user_3_db = UserDB(name='custom_role_pack_sensor_all_grant') user_3_db = User.add_or_update(user_3_db) self.users['custom_role_pack_sensor_all_grant'] = user_3_db user_4_db = UserDB(name='custom_role_sensor_all_grant') user_4_db = User.add_or_update(user_4_db) self.users['custom_role_sensor_all_grant'] = user_4_db user_5_db = UserDB(name='custom_role_sensor_list_grant') user_5_db = User.add_or_update(user_5_db) self.users['custom_role_sensor_list_grant'] = user_5_db # Create some mock resources on which permissions can be granted sensor_1_db = SensorTypeDB(pack='test_pack_1', name='sensor1') sensor_1_db = SensorType.add_or_update(sensor_1_db) self.resources['sensor_1'] = sensor_1_db sensor_2_db = SensorTypeDB(pack='test_pack_1', name='sensor2') sensor_2_db = SensorType.add_or_update(sensor_2_db) self.resources['sensor_2'] = sensor_2_db sensor_3_db = SensorTypeDB(pack='test_pack_2', name='sensor3') sensor_3_db = SensorType.add_or_update(sensor_3_db) self.resources['sensor_3'] = sensor_3_db # Create some mock roles with associated permission grants # Custom role 2 - one grant on parent pack # "sensor_view" on pack_1 grant_db = PermissionGrantDB( resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.SENSOR_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_3_db = RoleDB(name='custom_role_sensor_pack_grant', permission_grants=permission_grants) role_3_db = Role.add_or_update(role_3_db) self.roles['custom_role_sensor_pack_grant'] = role_3_db # Custom role 4 - one grant on pack # "sensor_view on sensor_3 grant_db = PermissionGrantDB( resource_uid=self.resources['sensor_3'].get_uid(), resource_type=ResourceType.SENSOR, permission_types=[PermissionType.SENSOR_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_sensor_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_sensor_grant'] = role_4_db # Custom role - "sensor_all" grant on a parent sensor pack grant_db = PermissionGrantDB( resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.SENSOR_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_pack_sensor_all_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_pack_sensor_all_grant'] = role_4_db # Custom role - "sensor_all" grant on a sensor grant_db = PermissionGrantDB( resource_uid=self.resources['sensor_1'].get_uid(), resource_type=ResourceType.SENSOR, permission_types=[PermissionType.SENSOR_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_sensor_all_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_sensor_all_grant'] = role_4_db # Custom role - "sensor_list" grant grant_db = PermissionGrantDB( resource_uid=None, resource_type=None, permission_types=[PermissionType.SENSOR_LIST]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_5_db = RoleDB(name='custom_role_sensor_list_grant', permission_grants=permission_grants) role_5_db = Role.add_or_update(role_5_db) self.roles['custom_role_sensor_list_grant'] = role_5_db # Create some mock role assignments user_db = self.users['custom_role_sensor_pack_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_sensor_pack_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_sensor_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_sensor_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_pack_sensor_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_pack_sensor_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_sensor_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_sensor_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_sensor_list_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_sensor_list_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db)
def test_user_permissions_for_another_user_kvps(self): resolver = KeyValuePermissionsResolver() # Setup users. No explicit grant, role, and assignment records should be # required for user to access their KVPs user_1_db = UserDB(name="user103") user_1_db = User.add_or_update(user_1_db) self.users[user_1_db.name] = user_1_db user_2_db = UserDB(name="user104") user_2_db = User.add_or_update(user_2_db) self.users[user_2_db.name] = user_2_db # Insert user scoped key value pairs for user1. key_1_name = "mykey3" key_1_ref = get_key_reference(FULL_USER_SCOPE, key_1_name, user_1_db.name) kvp_1_db = KeyValuePairDB( uid="%s:%s:%s" % (ResourceType.KEY_VALUE_PAIR, FULL_USER_SCOPE, key_1_ref), scope=FULL_USER_SCOPE, name=key_1_ref, value="myval3", ) kvp_1_db = KeyValuePair.add_or_update(kvp_1_db) self.resources[kvp_1_db.uid] = kvp_1_db # Setup bad grant, role, and assignment records where administrator # accidentally or intentionally try to grant a user's kvps to another user. grant_db = PermissionGrantDB( resource_uid=kvp_1_db.get_uid(), resource_type=ResourceType.KEY_VALUE_PAIR, permission_types=[PermissionType.KEY_VALUE_PAIR_ALL], ) grant_db = PermissionGrant.add_or_update(grant_db) role_db = RoleDB( name="custom_role_user_key3_all_grant", permission_grants=[str(grant_db.id)], ) role_db = Role.add_or_update(role_db) self.roles[role_db.name] = role_db role_assignment_db = UserRoleAssignmentDB( user=user_2_db.name, role=role_db.name, source="assignments/%s.yaml" % user_2_db.name, ) UserRoleAssignment.add_or_update(role_assignment_db) # User2 should not have general list permissions on user1's kvps. self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_2_db, resource_db=KeyValuePairDB(scope="%s:%s" % (FULL_USER_SCOPE, user_1_db.name)), permission_type=PermissionType.KEY_VALUE_PAIR_LIST, ) # User2 should not have any permissions on another user1's kvp. self.assertUserDoesntHaveResourceDbPermission( resolver=resolver, user_db=user_2_db, resource_db=kvp_1_db, permission_type=PermissionType.KEY_VALUE_PAIR_ALL, ) self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_2_db, resource_db=kvp_1_db, permission_types=self.read_permission_types, ) self.assertUserDoesntHaveResourceDbPermissions( resolver=resolver, user_db=user_2_db, resource_db=kvp_1_db, permission_types=self.write_permission_types, )
def setUp(self): super(ActionExecutionRBACControllerTestCase, self).setUp() runners_registrar.register_runners() self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) # Insert mock users, roles and assignments # Users user_1_db = UserDB(name='multiple_roles') user_1_db = User.add_or_update(user_1_db) self.users['multiple_roles'] = user_1_db user_2_db = UserDB(name='user_two') user_2_db = User.add_or_update(user_2_db) self.users['user_two'] = user_2_db user_3_db = UserDB(name='user_three') user_3_db = User.add_or_update(user_3_db) self.users['user_three'] = user_3_db # Roles roles = ['role_1', 'role_2', 'role_3'] for role in roles: role_db = RoleDB(name=role) Role.add_or_update(role_db) # action_execute, execution_list on parent pack # action_view on parent pack grant_1_db = PermissionGrantDB(resource_uid='pack:wolfpack', resource_type=ResourceType.PACK, permission_types=[ PermissionType.ACTION_EXECUTE, PermissionType.ACTION_VIEW ]) grant_1_db = PermissionGrant.add_or_update(grant_1_db) grant_2_db = PermissionGrantDB( resource_uid=None, resource_type=ResourceType.EXECUTION, permission_types=[PermissionType.EXECUTION_LIST]) grant_2_db = PermissionGrant.add_or_update(grant_2_db) permission_grants = [str(grant_1_db.id), str(grant_2_db.id)] role_1_db = RoleDB(name='role_4', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['role_4'] = role_1_db # Role assignments role_assignment_db = UserRoleAssignmentDB( user=user_1_db.name, role='admin', source='assignments/%s.yaml' % user_1_db.name) UserRoleAssignment.add_or_update(role_assignment_db) for role in roles: role_assignment_db = UserRoleAssignmentDB( user=user_1_db.name, role=role, source='assignments/%s.yaml' % user_1_db.name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=user_2_db.name, role='role_4', source='assignments/%s.yaml' % user_2_db.name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=user_3_db.name, role='role_4', source='assignments/%s.yaml' % user_2_db.name) UserRoleAssignment.add_or_update(role_assignment_db)
def test_get_all_system_kvp_names_for_user(self): user1, user2 = "user1", "user2" kvp_1_uid = "%s:%s:s101" % (ResourceType.KEY_VALUE_PAIR, FULL_SYSTEM_SCOPE) kvp_2_uid = "%s:%s:s102" % (ResourceType.KEY_VALUE_PAIR, FULL_SYSTEM_SCOPE) kvp_3_uid = "%s:%s:%s:u101" % ( ResourceType.KEY_VALUE_PAIR, FULL_USER_SCOPE, user1, ) kvp_4_uid = "%s:%s:echo" % (ResourceType.ACTION, "core") kvp_5_uid = "%s:%s:new_action" % (ResourceType.ACTION, "dummy") kvp_6_uid = "%s:%s:s103" % (ResourceType.KEY_VALUE_PAIR, FULL_SYSTEM_SCOPE) # Setup user1, grant, role, and assignment records user_1_db = UserDB(name=user1) user_1_db = User.add_or_update(user_1_db) grant_1_db = PermissionGrantDB( resource_uid=kvp_1_uid, resource_type=ResourceType.KEY_VALUE_PAIR, permission_types=[PermissionType.KEY_VALUE_PAIR_LIST], ) grant_1_db = PermissionGrant.add_or_update(grant_1_db) grant_2_db = PermissionGrantDB( resource_uid=kvp_2_uid, resource_type=ResourceType.KEY_VALUE_PAIR, permission_types=[PermissionType.KEY_VALUE_PAIR_VIEW], ) grant_2_db = PermissionGrant.add_or_update(grant_2_db) grant_3_db = PermissionGrantDB( resource_uid=kvp_3_uid, resource_type=ResourceType.KEY_VALUE_PAIR, permission_types=[PermissionType.KEY_VALUE_PAIR_ALL], ) grant_3_db = PermissionGrant.add_or_update(grant_3_db) grant_4_db = PermissionGrantDB( resource_uid=kvp_4_uid, resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_VIEW], ) grant_4_db = PermissionGrant.add_or_update(grant_4_db) grant_5_db = PermissionGrantDB( resource_uid=kvp_5_uid, resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_LIST], ) grant_5_db = PermissionGrant.add_or_update(grant_5_db) role_1_db = RoleDB( name="user1_custom_role_grant", permission_grants=[ str(grant_1_db.id), str(grant_2_db.id), str(grant_3_db.id), str(grant_4_db.id), ], ) role_1_db = Role.add_or_update(role_1_db) role_1_assignment_db = UserRoleAssignmentDB( user=user_1_db.name, role=role_1_db.name, source="assignments/%s.yaml" % user_1_db.name, ) UserRoleAssignment.add_or_update(role_1_assignment_db) # Setup user2, grant, role, and assignment records user_2_db = UserDB(name=user2) user_2_db = User.add_or_update(user_2_db) grant_6_db = PermissionGrantDB( resource_uid=kvp_6_uid, resource_type=ResourceType.KEY_VALUE_PAIR, permission_types=[PermissionType.KEY_VALUE_PAIR_ALL], ) grant_6_db = PermissionGrant.add_or_update(grant_6_db) role_2_db = RoleDB( name="user2_custom_role_grant", permission_grants=[ str(grant_5_db.id), str(grant_6_db.id), ], ) role_2_db = Role.add_or_update(role_2_db) role_2_assignment_db = UserRoleAssignmentDB( user=user_2_db.name, role=role_2_db.name, source="assignments/%s.yaml" % user_2_db.name, ) UserRoleAssignment.add_or_update(role_2_assignment_db) # Assert result of get_all_system_kvp_names_for_user for user1 # The uids for non key value pair resource type should not be included in the result. # The user scoped key should not be included in the result. actual_result = get_all_system_kvp_names_for_user(user=user_1_db.name) expected_result = ["s101", "s102"] self.assertListEqual(actual_result, expected_result) # Assert result of get_all_system_kvp_names_for_user for user2 # The uids for non key value pair resource type should not be included in the result. # The user scoped key should not be included in the result. actual_result = get_all_system_kvp_names_for_user(user=user_2_db.name) expected_result = ["s103"] self.assertListEqual(actual_result, expected_result)
def setUp(self): super(PolicyControllerRBACTestCase, self).setUp() self.models = self.fixtures_loader.save_fixtures_to_db( fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) file_name = 'policy_1.yaml' PolicyControllerRBACTestCase.POLICY_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'policies': [file_name]})['policies'][file_name] file_name = 'policy_2.yaml' PolicyControllerRBACTestCase.POLICY_2 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'policies': [file_name]})['policies'][file_name] file_name = 'policy_8.yaml' PolicyControllerRBACTestCase.POLICY_8 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'policies': [file_name]})['policies'][file_name] # Insert mock users, roles and assignments # Users user_1_db = UserDB(name='policy_list') user_1_db = User.add_or_update(user_1_db) self.users['policy_list'] = user_1_db user_2_db = UserDB(name='policy_view_direct_policy1') user_2_db = User.add_or_update(user_2_db) self.users['policy_view_direct_policy1'] = user_2_db user_3_db = UserDB(name='policy_view_policy8_parent_pack') user_3_db = User.add_or_update(user_3_db) self.users['policy_view_policy8_parent_pack'] = user_3_db user_4_db = UserDB(name='policy_create_policy8_parent_pack') user_4_db = User.add_or_update(user_4_db) self.users['policy_create_policy8_parent_pack'] = user_4_db user_5_db = UserDB(name='policy_update_direct_policy2') user_5_db = User.add_or_update(user_5_db) self.users['policy_update_direct_policy2'] = user_5_db user_6_db = UserDB(name='policy_delete_policy8_parent_pack') user_6_db = User.add_or_update(user_6_db) self.users['policy_delete_policy8_parent_pack'] = user_6_db # Roles # policy_list grant_db = PermissionGrantDB( resource_uid=None, resource_type=ResourceType.POLICY, permission_types=[PermissionType.POLICY_LIST]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='policy_list', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['policy_list'] = role_1_db # policy_view directly on policy1 policy_type_uid = self.models['policies']['policy_1.yaml'].get_uid() grant_db = PermissionGrantDB( resource_uid=policy_type_uid, resource_type=ResourceType.POLICY, permission_types=[PermissionType.POLICY_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='policy_view_direct_policy1', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['policy_view_direct_policy1'] = role_1_db # policy_view on a parent pack of policy 8 policy_pack_uid = self.models['policies'][ 'policy_8.yaml'].get_pack_uid() grant_db = PermissionGrantDB( resource_uid=policy_pack_uid, resource_type=ResourceType.PACK, permission_types=[PermissionType.POLICY_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='policy_view_policy8_parent_pack', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['policy_view_policy8_parent_pack'] = role_1_db # policy_create on a parent pack of policy 8 policy_pack_uid = self.models['policies'][ 'policy_8.yaml'].get_pack_uid() grant_db = PermissionGrantDB( resource_uid=policy_pack_uid, resource_type=ResourceType.PACK, permission_types=[PermissionType.POLICY_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='policy_create_policy8_parent_pack', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['policy_create_policy8_parent_pack'] = role_1_db # policy_view directly on policy1 policy_uid = self.models['policies']['policy_2.yaml'].get_uid() grant_db = PermissionGrantDB( resource_uid=policy_uid, resource_type=ResourceType.POLICY, permission_types=[PermissionType.POLICY_MODIFY]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='policy_update_direct_policy2', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['policy_update_direct_policy2'] = role_1_db # policy_delete on a parent pack of policy 8 policy_pack_uid = self.models['policies'][ 'policy_8.yaml'].get_pack_uid() grant_db = PermissionGrantDB( resource_uid=policy_pack_uid, resource_type=ResourceType.PACK, permission_types=[PermissionType.POLICY_DELETE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='policy_delete_policy8_parent_pack', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['policy_delete_policy8_parent_pack'] = role_1_db # Role assignments role_assignment_db = UserRoleAssignmentDB( user=self.users['policy_list'].name, role=self.roles['policy_list'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['policy_view_direct_policy1'].name, role=self.roles['policy_view_direct_policy1'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['policy_view_policy8_parent_pack'].name, role=self.roles['policy_view_policy8_parent_pack'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['policy_create_policy8_parent_pack'].name, role=self.roles['policy_create_policy8_parent_pack'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['policy_update_direct_policy2'].name, role=self.roles['policy_update_direct_policy2'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['policy_delete_policy8_parent_pack'].name, role=self.roles['policy_delete_policy8_parent_pack'].name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(TraceControllerRBACTestCase, self).setUp() self.models = self.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) file_name = 'trace_for_test_enforce.yaml' TraceControllerRBACTestCase.TRACE_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'traces': [file_name]})['traces'][file_name] file_name = 'trace_for_test_enforce_2.yaml' TraceControllerRBACTestCase.TRACE_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'traces': [file_name]})['traces'][file_name] file_name = 'trace_for_test_enforce_3.yaml' TraceControllerRBACTestCase.TRACE_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'traces': [file_name]})['traces'][file_name] # Insert mock users, roles and assignments # Users user_1_db = UserDB(name='trace_list') user_1_db = User.add_or_update(user_1_db) self.users['trace_list'] = user_1_db user_2_db = UserDB(name='trace_view') user_2_db = User.add_or_update(user_2_db) self.users['trace_view'] = user_2_db # Roles # trace_list grant_db = PermissionGrantDB(resource_uid=None, resource_type=ResourceType.TRACE, permission_types=[PermissionType.TRACE_LIST]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='trace_list', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['trace_list'] = role_1_db # trace_view on trace 1 trace_uid = self.models['traces']['trace_for_test_enforce.yaml'].get_uid() grant_db = PermissionGrantDB(resource_uid=trace_uid, resource_type=ResourceType.TRACE, permission_types=[PermissionType.TRACE_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='trace_view', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['trace_view'] = role_1_db # Role assignments role_assignment_db = UserRoleAssignmentDB( user=self.users['trace_list'].name, role=self.roles['trace_list'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['trace_view'].name, role=self.roles['trace_view'].name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUpClass(cls): super(RuleControllerRBACTestCase, cls).setUpClass() cls.fixtures_loader.save_fixtures_to_db(fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) file_name = 'rule_with_webhook_trigger.yaml' RuleControllerRBACTestCase.RULE_1 = cls.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'rules': [file_name]})['rules'][file_name] file_name = 'rule1.yaml' RuleControllerRBACTestCase.RULE_2 = cls.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'rules': [file_name]})['rules'][file_name] # Insert mock users, roles and assignments self = cls cls.users = {} cls.roles = {} # Users user_1_db = UserDB(name='rule_create') user_1_db = User.add_or_update(user_1_db) self.users['rule_create'] = user_1_db user_2_db = UserDB(name='rule_create_webhook_create') user_2_db = User.add_or_update(user_2_db) self.users['rule_create_webhook_create'] = user_2_db user_3_db = UserDB( name='rule_create_webhook_create_core_local_execute') user_3_db = User.add_or_update(user_3_db) self.users['rule_create_webhook_create_core_local_execute'] = user_3_db # Roles # rule_create grant on parent pack grant_db = PermissionGrantDB( resource_uid='pack:examples', resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_CREATE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='rule_create', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['rule_create'] = role_1_db # rule_create grant on parent pack, webhook_create on webhook "sample" grant_1_db = PermissionGrantDB( resource_uid='pack:examples', resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_CREATE]) grant_1_db = PermissionGrant.add_or_update(grant_1_db) grant_2_db = PermissionGrantDB( resource_uid='webhook:sample', resource_type=ResourceType.WEBHOOK, permission_types=[PermissionType.WEBHOOK_CREATE]) grant_2_db = PermissionGrant.add_or_update(grant_2_db) permission_grants = [str(grant_1_db.id), str(grant_2_db.id)] role_2_db = RoleDB(name='rule_create_webhook_create', permission_grants=permission_grants) role_2_db = Role.add_or_update(role_2_db) self.roles['rule_create_webhook_create'] = role_2_db # rule_create grant on parent pack, webhook_create on webhook "sample", action_execute on # core.local grant_1_db = PermissionGrantDB( resource_uid='pack:examples', resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_CREATE]) grant_1_db = PermissionGrant.add_or_update(grant_1_db) grant_2_db = PermissionGrantDB( resource_uid='webhook:sample', resource_type=ResourceType.WEBHOOK, permission_types=[PermissionType.WEBHOOK_CREATE]) grant_2_db = PermissionGrant.add_or_update(grant_2_db) grant_3_db = PermissionGrantDB( resource_uid='action:core:local', resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_EXECUTE]) grant_3_db = PermissionGrant.add_or_update(grant_3_db) permission_grants = [ str(grant_1_db.id), str(grant_2_db.id), str(grant_3_db.id) ] role_3_db = RoleDB( name='rule_create_webhook_create_core_local_execute', permission_grants=permission_grants) role_3_db = Role.add_or_update(role_3_db) self.roles['rule_create_webhook_create_core_local_execute'] = role_3_db # Role assignments user_db = self.users['rule_create'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_create'].name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['rule_create_webhook_create'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_create_webhook_create'].name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['rule_create_webhook_create_core_local_execute'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['rule_create_webhook_create_core_local_execute']. name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(ExecutionPermissionsResolverTestCase, self).setUp() # Create some mock users user_1_db = UserDB(name='custom_role_unrelated_pack_action_grant') user_1_db = User.add_or_update(user_1_db) self.users['custom_role_unrelated_pack_action_grant'] = user_1_db user_2_db = UserDB( name='custom_role_pack_action_grant_unrelated_permission') user_2_db = User.add_or_update(user_2_db) self.users[ 'custom_role_pack_action_grant_unrelated_permission'] = user_2_db user_3_db = UserDB(name='custom_role_pack_action_view_grant') user_3_db = User.add_or_update(user_3_db) self.users['custom_role_pack_action_view_grant'] = user_3_db user_4_db = UserDB(name='custom_role_action_view_grant') user_4_db = User.add_or_update(user_4_db) self.users['custom_role_action_view_grant'] = user_4_db user_5_db = UserDB(name='custom_role_pack_action_execute_grant') user_5_db = User.add_or_update(user_5_db) self.users['custom_role_pack_action_execute_grant'] = user_5_db user_6_db = UserDB(name='custom_role_action_execute_grant') user_6_db = User.add_or_update(user_6_db) self.users['custom_role_action_execute_grant'] = user_6_db user_7_db = UserDB(name='custom_role_pack_action_all_grant') user_7_db = User.add_or_update(user_7_db) self.users['custom_role_pack_action_all_grant'] = user_7_db user_8_db = UserDB(name='custom_role_action_all_grant') user_8_db = User.add_or_update(user_8_db) self.users['custom_role_action_all_grant'] = user_8_db user_9_db = UserDB(name='custom_role_execution_list_grant') user_9_db = User.add_or_update(user_5_db) self.users['custom_role_execution_list_grant'] = user_9_db # Create some mock resources on which permissions can be granted action_1_db = ActionDB(pack='test_pack_2', name='action1', entry_point='', runner_type={'name': 'run-local'}) action_1_db = Action.add_or_update(action_1_db) self.resources['action_1'] = action_1_db runner = {'name': 'run-python'} liveaction = {'action': 'test_pack_2.action1'} status = action_constants.LIVEACTION_STATUS_REQUESTED action = {'uid': action_1_db.get_uid(), 'pack': 'test_pack_2'} exec_1_db = ActionExecutionDB(action=action, runner=runner, liveaction=liveaction, status=status) exec_1_db = ActionExecution.add_or_update(exec_1_db) self.resources['exec_1'] = exec_1_db # Create some mock roles with associated permission grants # Custom role - one grant to an unrelated pack grant_db = PermissionGrantDB( resource_uid=self.resources['pack_1'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_db = RoleDB(name='custom_role_unrelated_pack_action_grant', permission_grants=permission_grants) role_db = Role.add_or_update(role_db) self.roles['custom_role_unrelated_pack_action_grant'] = role_db # Custom role - one grant of unrelated permission type to parent action pack grant_db = PermissionGrantDB( resource_uid=self.resources['pack_2'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.RULE_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_db = RoleDB( name='custom_role_pack_action_grant_unrelated_permission', permission_grants=permission_grants) role_db = Role.add_or_update(role_db) self.roles[ 'custom_role_pack_action_grant_unrelated_permission'] = role_db # Custom role - one grant of "action_view" to the parent pack of the action the execution # belongs to grant_db = PermissionGrantDB( resource_uid=self.resources['pack_2'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_db = RoleDB(name='custom_role_pack_action_view_grant', permission_grants=permission_grants) role_db = Role.add_or_update(role_db) self.roles['custom_role_pack_action_view_grant'] = role_db # Custom role - one grant of "action_view" to the action the execution belongs to grant_db = PermissionGrantDB( resource_uid=self.resources['action_1'].get_uid(), resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_db = RoleDB(name='custom_role_action_view_grant', permission_grants=permission_grants) role_db = Role.add_or_update(role_db) self.roles['custom_role_action_view_grant'] = role_db # Custom role - one grant of "action_execute" to the parent pack of the action the # execution belongs to grant_db = PermissionGrantDB( resource_uid=self.resources['pack_2'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_EXECUTE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_db = RoleDB(name='custom_role_pack_action_execute_grant', permission_grants=permission_grants) role_db = Role.add_or_update(role_db) self.roles['custom_role_pack_action_execute_grant'] = role_db # Custom role - one grant of "action_execute" to the the action the execution belongs to grant_db = PermissionGrantDB( resource_uid=self.resources['action_1'].get_uid(), resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_EXECUTE]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_db = RoleDB(name='custom_role_action_execute_grant', permission_grants=permission_grants) role_db = Role.add_or_update(role_db) self.roles['custom_role_action_execute_grant'] = role_db # Custom role - "action_all" grant on a parent action pack the execution belongs to grant_db = PermissionGrantDB( resource_uid=self.resources['pack_2'].get_uid(), resource_type=ResourceType.PACK, permission_types=[PermissionType.ACTION_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_pack_action_all_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_pack_action_all_grant'] = role_4_db # Custom role - "action_all" grant on action the execution belongs to grant_db = PermissionGrantDB( resource_uid=self.resources['action_1'].get_uid(), resource_type=ResourceType.ACTION, permission_types=[PermissionType.ACTION_ALL]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_4_db = RoleDB(name='custom_role_action_all_grant', permission_grants=permission_grants) role_4_db = Role.add_or_update(role_4_db) self.roles['custom_role_action_all_grant'] = role_4_db # Custom role - "execution_list" grant grant_db = PermissionGrantDB( resource_uid=None, resource_type=None, permission_types=[PermissionType.EXECUTION_LIST]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_5_db = RoleDB(name='custom_role_execution_list_grant', permission_grants=permission_grants) role_5_db = Role.add_or_update(role_5_db) self.roles['custom_role_execution_list_grant'] = role_5_db # Create some mock role assignments user_db = self.users['custom_role_unrelated_pack_action_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_unrelated_pack_action_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users[ 'custom_role_pack_action_grant_unrelated_permission'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self. roles['custom_role_pack_action_grant_unrelated_permission'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_pack_action_view_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_pack_action_view_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_action_view_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_action_view_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_pack_action_execute_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_pack_action_execute_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_action_execute_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_action_execute_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_pack_action_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_pack_action_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_action_all_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_action_all_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db) user_db = self.users['custom_role_execution_list_grant'] role_assignment_db = UserRoleAssignmentDB( user=user_db.name, role=self.roles['custom_role_execution_list_grant'].name, source='assignments/%s.yaml' % user_db.name) UserRoleAssignment.add_or_update(role_assignment_db)
def setUp(self): super(TimerControllerRBACTestCase, self).setUp() self.models = self.fixtures_loader.save_fixtures_to_db( fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) file_name = 'cron1.yaml' TimerControllerRBACTestCase.TRIGGER_1 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'triggers': [file_name]})['triggers'][file_name] file_name = 'date1.yaml' TimerControllerRBACTestCase.TRIGGER_2 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'triggers': [file_name]})['triggers'][file_name] file_name = 'interval1.yaml' TimerControllerRBACTestCase.TRIGGER_3 = self.fixtures_loader.load_fixtures( fixtures_pack=FIXTURES_PACK, fixtures_dict={'triggers': [file_name]})['triggers'][file_name] # Insert mock users, roles and assignments # Users user_1_db = UserDB(name='timer_list') user_1_db = User.add_or_update(user_1_db) self.users['timer_list'] = user_1_db user_2_db = UserDB(name='timer_view') user_2_db = User.add_or_update(user_2_db) self.users['timer_view'] = user_2_db # Roles # timer_list grant_db = PermissionGrantDB( resource_uid=None, resource_type=ResourceType.TIMER, permission_types=[PermissionType.TIMER_LIST]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='timer_list', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['timer_list'] = role_1_db # timer_View on timer 1 trigger_db = self.models['triggers']['cron1.yaml'] timer_uid = TimerDB(name=trigger_db.name, pack=trigger_db.pack).get_uid() grant_db = PermissionGrantDB( resource_uid=timer_uid, resource_type=ResourceType.TIMER, permission_types=[PermissionType.TIMER_VIEW]) grant_db = PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] role_1_db = RoleDB(name='timer_view', permission_grants=permission_grants) role_1_db = Role.add_or_update(role_1_db) self.roles['timer_view'] = role_1_db # Role assignments role_assignment_db = UserRoleAssignmentDB( user=self.users['timer_list'].name, role=self.roles['timer_list'].name) UserRoleAssignment.add_or_update(role_assignment_db) role_assignment_db = UserRoleAssignmentDB( user=self.users['timer_view'].name, role=self.roles['timer_view'].name) UserRoleAssignment.add_or_update(role_assignment_db)