def test_get_valid_permission_for_resource_type(self):
    """Every permission name reported for a resource type is prefixed with that type.

    Checked for the ACTION and RULE resource types: each name returned by
    ``get_valid_permissions_for_resource_type`` must start with
    ``<resource_type>_``.
    """
    for resource_type in (ResourceType.ACTION, ResourceType.RULE):
        expected_prefix = resource_type + '_'
        names = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)
        for permission_name in names:
            self.assertTrue(permission_name.startswith(expected_prefix))
def test_get_valid_permission_for_resource_type(self):
    """Permission names for a resource type carry that type as a ``<type>_`` prefix.

    Verified for ResourceType.ACTION and ResourceType.RULE.
    """
    expectations = [
        (ResourceType.ACTION, ResourceType.ACTION + "_"),
        (ResourceType.RULE, ResourceType.RULE + "_"),
    ]
    for resource_type, prefix in expectations:
        permission_names = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type
        )
        for permission_name in permission_names:
            self.assertTrue(permission_name.startswith(prefix))
def main():
    """Render the permission-type reference and write it to DESTINATION_PATH.

    Emits HEADER, then one section per entry of RESOURCE_DISPLAY_ORDER: a
    title underlined with ``~`` and a reST table (TABLE_HEADER plus one row
    per valid permission type, name in bold, with its description).

    Returns:
        The generated document as a single string (also written to disk).
    """
    lines = [HEADER, ""]

    for resource_type in RESOURCE_DISPLAY_ORDER:
        title = resource_type.replace("_", " ").title()  # pylint: disable=no-member
        lines += [title, "~" * len(title), ""]

        rows = [TABLE_HEADER]
        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)
        for permission_type in permission_types:
            rows.append([
                "**%s**" % (permission_type),
                PermissionType.get_permission_description(permission_type),
            ])

        lines.extend(as_rest_table(rows, full=True).split("\n"))
        lines.append("")

    document = "\n".join(lines)
    with open(DESTINATION_PATH, "w") as fp:
        fp.write(document)

    print("Generated: %s" % (DESTINATION_PATH))
    return document
def main():
    """Generate the permission-type reference document and write it to DESTINATION_PATH.

    The document is HEADER followed by one section per resource type in
    RESOURCE_DISPLAY_ORDER, each holding a reST table of that resource's
    valid permission types and their descriptions.

    Returns:
        The generated text.
    """
    def section_for(resource_type):
        # One titled block: heading, ``~`` underline, blank, table, blank.
        title = resource_type.replace('_', ' ').title()  # pylint: disable=no-member
        permission_types = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)
        rows = [TABLE_HEADER]
        for permission_type in permission_types:
            description = PermissionType.get_permission_description(permission_type)
            rows.append([permission_type, description])
        table = as_rest_table(rows, full=True)
        return [title, '~' * len(title), ''] + table.split('\n') + ['']

    lines = [HEADER, '']
    for resource_type in RESOURCE_DISPLAY_ORDER:
        lines.extend(section_for(resource_type))

    result = '\n'.join(lines)
    with open(DESTINATION_PATH, 'w') as fp:
        fp.write(result)

    print('Generated: %s' % (DESTINATION_PATH))
    return result
def validate(self):
    """Validate a role definition: JSON schema first, then the permission grants.

    For every entry of ``permission_grants``:
      * with a ``resource_uid`` — each permission type must be one that
        ``PermissionType`` reports as valid for that resource's type;
      * without one — only ``*_list`` permission types are accepted, since
        those are the only grants that make sense without a target resource.
    This is the check that keeps a role file from granting a permission type
    that does not exist for the resource it names.

    Returns:
        The cleaned value produced by the parent validator.

    Raises:
        ValueError: on the first permission type that violates either rule.
    """
    cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

    for grant in getattr(self, 'permission_grants', []):
        resource_uid = grant.get('resource_uid', None)
        requested = grant.get('permission_types', [])

        if not resource_uid:
            # Global grant (no resource): restricted to list permissions.
            for permission_type in requested:
                if permission_type.endswith('_list'):
                    continue
                raise ValueError(
                    'Invalid permission type "%s". Only "list" permission types '
                    'can be used without a resource id' % (permission_type))
            continue

        # Resource-scoped grant: the permission must belong to the resource's type.
        resource_type, _ = parse_uid(uid=resource_uid)
        allowed = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)
        for permission_type in requested:
            if permission_type not in allowed:
                raise ValueError(
                    'Invalid permission type "%s" for resource type "%s"'
                    % (permission_type, resource_type))

    return cleaned
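def validate(self):
    """Validate a role definition: JSON schema first, then the permission grants.

    For every entry of ``permission_grants``:
      * with a ``resource_uid`` — each permission type must be valid for
        that resource's type according to ``PermissionType``;
      * without one — only ``*_list`` permission types are accepted.

    Returns:
        Whatever the parent validator returns (the cleaned value). The
        original discarded it; returning it keeps this method consistent
        with the other ``validate`` implementations that return ``cleaned``.

    Raises:
        ValueError: on the first permission type that violates either rule.
    """
    # Parent JSON schema validation
    cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

    # Custom validation: only the correct permission types may be used.
    permission_grants = getattr(self, 'permission_grants', [])
    for permission_grant in permission_grants:
        resource_uid = permission_grant.get('resource_uid', None)
        permission_types = permission_grant.get('permission_types', [])

        if resource_uid:
            # Permission types which apply to a resource
            resource_type, _ = parse_uid(uid=resource_uid)
            valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
                resource_type=resource_type)
            for permission_type in permission_types:
                if permission_type not in valid_permission_types:
                    raise ValueError(
                        'Invalid permission type "%s" for resource type "%s"'
                        % (permission_type, resource_type))
        else:
            # Only global (list) permission types can be used without a resource.
            for permission_type in permission_types:
                if not permission_type.endswith('_list'):
                    raise ValueError(
                        'Invalid permission type "%s". Only "list" permission types '
                        'can be used without a resource id' % (permission_type))

    return cleaned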
def main():
    """Write the permission-type reference to DESTINATION_PATH and return it.

    Layout: HEADER, a blank line, then for each resource type in
    RESOURCE_DISPLAY_ORDER a ``~``-underlined title and a full reST table
    whose rows are (bold permission name, description).

    Returns:
        The generated document text.
    """
    def table_rows(resource_type):
        # TABLE_HEADER first, then one row per valid permission type.
        names = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)
        return [TABLE_HEADER] + [
            ['**%s**' % (name), PermissionType.get_permission_description(name)]
            for name in names
        ]

    lines = [HEADER, '']
    for resource_type in RESOURCE_DISPLAY_ORDER:
        title = resource_type.replace('_', ' ').title()  # pylint: disable=no-member
        lines.append(title)
        lines.append('~' * len(title))
        lines.append('')
        lines.extend(as_rest_table(table_rows(resource_type), full=True).split('\n'))
        lines.append('')

    output = '\n'.join(lines)
    with open(DESTINATION_PATH, 'w') as fp:
        fp.write(output)

    print('Generated: %s' % (DESTINATION_PATH))
    return output
def test_user_has_resource_db_permission(self):
    """WebhookPermissionsResolver: admin has everything; a "webhook_send" grant gives only send.

    The custom-role user must not get create, delete or the "all" permission
    from a send-only grant.
    """
    resolver = WebhookPermissionsResolver()
    every_webhook_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.WEBHOOK)
    webhook_1 = self.resources['webhook_1']

    # Admin user, should always return true
    self.assertUserHasResourceDbPermissions(
        resolver=resolver,
        user_db=self.users['admin'],
        resource_db=webhook_1,
        permission_types=every_webhook_permission)

    # Custom role with "webhook_send" grant on webhook_1
    sender = self.users['custom_role_webhook_grant']
    self.assertUserHasResourceDbPermission(
        resolver=resolver,
        user_db=sender,
        resource_db=webhook_1,
        permission_type=PermissionType.WEBHOOK_SEND)
    self.assertUserDoesntHaveResourceDbPermissions(
        resolver=resolver,
        user_db=sender,
        resource_db=webhook_1,
        permission_types=[
            PermissionType.WEBHOOK_CREATE,
            PermissionType.WEBHOOK_DELETE,
            PermissionType.WEBHOOK_ALL,
        ])
def test_user_has_resource_db_permission(self):
    """RunnerPermissionsResolver: admin has all; view and modify grants do not imply each other.

    A "runner_view" grant on runner_1 must not yield modify/all, and a
    "runner_modify" grant on runner_2 must not yield view/all.
    """
    resolver = RunnerPermissionsResolver()
    every_runner_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.RUNNER)

    def check_grant(user_key, resource_key, granted, withheld):
        # One granted permission, then a list that must all be denied.
        user_db = self.users[user_key]
        resource_db = self.resources[resource_key]
        self.assertUserHasResourceDbPermission(
            resolver=resolver, user_db=user_db, resource_db=resource_db,
            permission_type=granted)
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver, user_db=user_db, resource_db=resource_db,
            permission_types=withheld)

    # Admin user, should always return true
    self.assertUserHasResourceDbPermissions(
        resolver=resolver,
        user_db=self.users['admin'],
        resource_db=self.resources['runner_1'],
        permission_types=every_runner_permission)

    # Custom role with "runner_view" grant on runner_1
    check_grant('custom_role_runner_view_grant', 'runner_1',
                PermissionType.RUNNER_VIEW,
                [PermissionType.RUNNER_MODIFY, PermissionType.RUNNER_ALL])

    # Custom role with "runner_modify" grant on runner_2
    check_grant('custom_role_runner_modify_grant', 'runner_2',
                PermissionType.RUNNER_MODIFY,
                [PermissionType.RUNNER_VIEW, PermissionType.RUNNER_ALL])
def _validate_permission_types(resource_db, permission_types):
    """Check that every entry of ``permission_types`` is valid for ``resource_db``'s type.

    ``resource_db`` is first normalised through ``_validate_resource_type``;
    its ``get_resource_type()`` then selects the set of permission types
    that ``PermissionType`` allows for that resource.

    Returns:
        ``permission_types`` unchanged when all entries are valid.

    Raises:
        ValueError: naming the first permission type that is not valid.
    """
    resource_db = _validate_resource_type(resource_db=resource_db)
    allowed = PermissionType.get_valid_permissions_for_resource_type(
        resource_db.get_resource_type())

    for candidate in permission_types:
        if candidate in allowed:
            continue
        raise ValueError("Invalid permission type: %s" % (candidate))

    return permission_types
def _validate_permission_types(resource_db, permission_types):
    """Reject any permission type that does not apply to ``resource_db``'s resource type.

    The resource is normalised via ``_validate_resource_type`` before its
    ``get_resource_type()`` is consulted.

    Returns:
        The ``permission_types`` argument, untouched, when every entry is valid.

    Raises:
        ValueError: for the first entry not valid for the resource type.
    """
    resource_db = _validate_resource_type(resource_db=resource_db)
    resource_type = resource_db.get_resource_type()
    permitted = PermissionType.get_valid_permissions_for_resource_type(resource_type)

    # Sentinel rather than None so a literal None entry is still reported.
    _absent = object()
    offender = next(
        (candidate for candidate in permission_types if candidate not in permitted),
        _absent)
    if offender is not _absent:
        raise ValueError('Invalid permission type: %s' % (offender))

    return permission_types
def setUpClass(cls):
    """Prepare class-level permission lists for the key/value resolver tests.

    ``all_permission_types`` comes from ``PermissionType`` for
    ResourceType.KEY_VALUE_PAIR; the read and write subsets are fixed lists.
    """
    super(KeyValuePermissionsResolverTestCase, cls).setUpClass()

    every_kvp_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.KEY_VALUE_PAIR)
    readers = [PermissionType.KEY_VALUE_PAIR_LIST, PermissionType.KEY_VALUE_PAIR_VIEW]
    writers = [PermissionType.KEY_VALUE_PAIR_SET, PermissionType.KEY_VALUE_PAIR_DELETE]

    cls.all_permission_types = every_kvp_permission
    cls.read_permission_types = readers
    cls.write_permission_types = writers
def test_user_has_resource_db_permissions(self):
    """KeyValuePermissionsResolver grants every key/value permission, even to a user with no roles.

    Permissions on key value items are not individually grantable yet, so the
    resolver is expected to answer True for each valid permission type.
    """
    resolver = KeyValuePermissionsResolver()
    roleless_user = self.users['no_roles']
    kvp = self.resources['kvp_1']

    every_kvp_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.KEY_VALUE_PAIR)
    for permission_type in every_kvp_permission:
        outcome = resolver.user_has_resource_db_permission(
            user_db=roleless_user,
            resource_db=kvp,
            permission_type=permission_type)
        self.assertTrue(outcome)
def validate(self):
    """Validate a role definition: JSON schema first, then the permission grants.

    For every entry of ``permission_grants``:
      * with a ``resource_uid`` — each permission type must be one that
        ``PermissionType`` reports as valid for that resource's type;
      * without one — each permission type must be in GLOBAL_PERMISSION_TYPES,
        the only permissions that are meaningful without a target resource.
    This is the check that keeps a role file from granting a permission type
    that does not exist for the resource it names.

    Returns:
        The cleaned value produced by the parent validator.

    Raises:
        ValueError: on the first permission type that violates either rule.
    """
    cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

    for grant in getattr(self, "permission_grants", []):
        resource_uid = grant.get("resource_uid", None)
        requested = grant.get("permission_types", [])

        if not resource_uid:
            # Global grant: no resource to scope to, so only the explicitly
            # global permission types are accepted.
            for permission_type in requested:
                if permission_type in GLOBAL_PERMISSION_TYPES:
                    continue
                allowed_globals = ", ".join(GLOBAL_PERMISSION_TYPES)
                raise ValueError(
                    'Invalid permission type "%s". Valid global permission types '
                    "which can be used without a resource id are: %s"
                    % (permission_type, allowed_globals))
            continue

        # Resource-scoped grant: the permission must belong to the resource's type.
        resource_type, _ = parse_uid(uid=resource_uid)
        allowed = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)
        for permission_type in requested:
            if permission_type not in allowed:
                raise ValueError(
                    'Invalid permission type "%s" for resource type "%s"'
                    % (permission_type, resource_type))

    return cleaned
def main():
    """Generate the permission-type reference document.

    Writes HEADER, a "Global" section for GLOBAL_PERMISSION_TYPES, then one
    section per resource type in RESOURCE_DISPLAY_ORDER (each rendered by
    ``add_lines_for_permission_set``) to DESTINATION_PATH.

    Returns:
        The generated document text.
    """
    lines = [HEADER, ""]
    add_lines_for_permission_set("Global", GLOBAL_PERMISSION_TYPES, lines)

    for resource_type in RESOURCE_DISPLAY_ORDER:
        section_title = resource_type.replace("_", " ").title()  # pylint: disable=no-member
        section_permissions = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)
        add_lines_for_permission_set(section_title, section_permissions, lines)

    document = "\n".join(lines)
    with open(DESTINATION_PATH, "w") as fp:
        fp.write(document)

    print("Generated: %s" % (DESTINATION_PATH))
    return document
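def validate(self):
    """Validate a role definition: JSON schema first, then resource-scoped grants.

    Every ``permission_grants`` entry that names a ``resource_uid`` may only
    use permission types valid for that resource's type. Grants without a
    ``resource_uid`` are not constrained here: their ``permission_types``
    are accepted as-is. NOTE(review): the other ``validate`` variants in
    this corpus restrict such global grants (to ``*_list`` or to a
    GLOBAL_PERMISSION_TYPES set); confirm whether this version should too.

    Returns:
        Whatever the parent validator returns (the cleaned value). The
        original discarded it; returning it matches the sibling
        implementations that ``return cleaned``.

    Raises:
        ValueError: on the first resource-scoped permission type that is
        not valid for its resource type.
    """
    # Parent JSON schema validation
    cleaned = super(RoleDefinitionFileFormatAPI, self).validate()

    # Custom validation: only the correct permission types may be used.
    permission_grants = getattr(self, 'permission_grants', [])
    for permission_grant in permission_grants:
        resource_uid = permission_grant.get('resource_uid', None)
        permission_types = permission_grant.get('permission_types', [])

        if not resource_uid:
            # Global grant: no resource type to validate against in this version.
            continue

        resource_type, _ = parse_uid(uid=resource_uid)
        valid_permission_types = PermissionType.get_valid_permissions_for_resource_type(
            resource_type=resource_type)
        for permission_type in permission_types:
            if permission_type not in valid_permission_types:
                raise ValueError(
                    'Invalid permission type "%s" for resource type "%s"'
                    % (permission_type, resource_type))

    return cleaned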
def test_user_has_resource_db_permission(self):
    """Exercise ActionPermissionsResolver for admin, observer, roleless and custom-role users.

    Covers grants inherited from the parent pack, direct grants on an
    action, "action_all" on pack and action, and an "action_execute" grant
    (which also implies "view" but none of create/modify/delete).
    """
    resolver = ActionPermissionsResolver()
    every_action_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.ACTION)

    def granted(user_db, resource_key, permission_type):
        self.assertUserHasResourceDbPermission(
            resolver=resolver, user_db=user_db,
            resource_db=self.resources[resource_key], permission_type=permission_type)

    def denied(user_db, resource_key, permission_type):
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver, user_db=user_db,
            resource_db=self.resources[resource_key], permission_type=permission_type)

    action_1 = self.resources['action_1']

    # Admin user, should always return true
    self.assertUserHasResourceDbPermissions(
        resolver=resolver, user_db=self.users['admin'], resource_db=action_1,
        permission_types=every_action_permission)

    # Observer, should always return true for VIEW permission (and only VIEW)
    user_db = self.users['observer']
    granted(user_db, 'action_1', PermissionType.ACTION_VIEW)
    granted(user_db, 'action_2', PermissionType.ACTION_VIEW)
    denied(user_db, 'action_1', PermissionType.ACTION_MODIFY)
    denied(user_db, 'action_2', PermissionType.ACTION_DELETE)

    # No roles, and a custom role with no permission grants: false for everything
    for user_key in ('no_roles', '1_custom_role_no_permissions'):
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver, user_db=self.users[user_key], resource_db=action_1,
            permission_types=every_action_permission)

    # Custom role with unrelated permission grant to parent pack
    user_db = self.users['custom_role_pack_grant']
    denied(user_db, 'action_1', PermissionType.ACTION_VIEW)
    denied(user_db, 'action_1', PermissionType.ACTION_EXECUTE)

    # Custom role with grant on the parent pack
    user_db = self.users['custom_role_action_pack_grant']
    granted(user_db, 'action_1', PermissionType.ACTION_VIEW)
    granted(user_db, 'action_2', PermissionType.ACTION_VIEW)
    denied(user_db, 'action_2', PermissionType.ACTION_EXECUTE)

    # Custom role with a direct grant on action
    user_db = self.users['custom_role_action_grant']
    granted(user_db, 'action_3', PermissionType.ACTION_VIEW)
    denied(user_db, 'action_2', PermissionType.ACTION_EXECUTE)
    denied(user_db, 'action_3', PermissionType.ACTION_EXECUTE)

    # "action_all" grant on the parent pack, then directly on the action
    for user_key in ('custom_role_pack_action_all_grant', 'custom_role_action_all_grant'):
        self.assertUserHasResourceDbPermissions(
            resolver=resolver, user_db=self.users[user_key], resource_db=action_1,
            permission_types=every_action_permission)

    # Custom role - "action_execute" grant on action_1; "execute" also grants "view"
    user_db = self.users['custom_role_action_execute_grant']
    granted(user_db, 'action_1', PermissionType.ACTION_EXECUTE)
    granted(user_db, 'action_1', PermissionType.ACTION_VIEW)
    self.assertUserDoesntHaveResourceDbPermissions(
        resolver=resolver, user_db=user_db, resource_db=action_1,
        permission_types=[
            PermissionType.ACTION_CREATE,
            PermissionType.ACTION_MODIFY,
            PermissionType.ACTION_DELETE,
        ])
def test_user_has_resource_db_permissions(self):
    """Exercise RulePermissionsResolver for admin, observer, roleless and custom-role users.

    Covers pack-inherited grants, direct grants on a rule, "rule_all" on pack
    and rule, and a "rule_modify" grant (which also implies "view" but not
    create/delete).
    """
    resolver = RulePermissionsResolver()
    every_rule_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.RULE)

    def single(user_db, resource_key, permission_type):
        # Direct resolver answer for one permission on one rule.
        return resolver.user_has_resource_db_permission(
            user_db=user_db, resource_db=self.resources[resource_key],
            permission_type=permission_type)

    def every(user_db, resource_db, permission_types):
        # Test-case helper answer for a whole list of permissions.
        return self._user_has_resource_db_permissions(
            resolver=resolver, user_db=user_db, resource_db=resource_db,
            permission_types=permission_types)

    rule_1 = self.resources['rule_1']

    # Admin user, should always return true
    self.assertTrue(every(self.users['admin'], rule_1, every_rule_permission))

    # Observer, should always return true for VIEW permission (and only VIEW)
    user_db = self.users['observer']
    self.assertTrue(single(user_db, 'rule_1', PermissionType.RULE_VIEW))
    self.assertTrue(single(user_db, 'rule_2', PermissionType.RULE_VIEW))
    self.assertFalse(single(user_db, 'rule_1', PermissionType.RULE_MODIFY))
    self.assertFalse(single(user_db, 'rule_2', PermissionType.RULE_DELETE))

    # No roles, and a custom role with no permission grants: false for everything
    for user_key in ('no_roles', '1_custom_role_no_permissions'):
        self.assertFalse(every(self.users[user_key], rule_1, every_rule_permission))

    # Custom role with unrelated permission grant to parent pack
    user_db = self.users['custom_role_pack_grant']
    self.assertFalse(single(user_db, 'rule_1', PermissionType.RULE_VIEW))
    self.assertFalse(single(user_db, 'rule_2', PermissionType.RULE_VIEW))
    self.assertFalse(single(user_db, 'rule_3', PermissionType.RULE_DELETE))

    # Custom role with grant on the parent pack
    user_db = self.users['custom_role_rule_pack_grant']
    self.assertTrue(single(user_db, 'rule_1', PermissionType.RULE_VIEW))
    self.assertTrue(single(user_db, 'rule_2', PermissionType.RULE_VIEW))
    self.assertFalse(single(user_db, 'rule_1', PermissionType.RULE_DELETE))
    self.assertFalse(single(user_db, 'rule_2', PermissionType.RULE_MODIFY))

    # Custom role with a direct grant on rule
    user_db = self.users['custom_role_rule_grant']
    self.assertTrue(single(user_db, 'rule_3', PermissionType.RULE_VIEW))
    for permission_type in (PermissionType.RULE_ALL,
                            PermissionType.RULE_MODIFY,
                            PermissionType.RULE_DELETE):
        self.assertFalse(single(user_db, 'rule_3', permission_type))

    # "rule_all" grant on the parent pack, then directly on the rule
    for user_key in ('custom_role_pack_rule_all_grant', 'custom_role_rule_all_grant'):
        self.assertTrue(every(self.users[user_key], rule_1, every_rule_permission))

    # Custom role - "rule_modify" grant on rule_1; "modify" also grants "view"
    user_db = self.users['custom_role_rule_modify_grant']
    self.assertTrue(single(user_db, 'rule_1', PermissionType.RULE_MODIFY))
    self.assertTrue(single(user_db, 'rule_1', PermissionType.RULE_VIEW))
    self.assertFalse(every(user_db, rule_1,
                           [PermissionType.RULE_CREATE, PermissionType.RULE_DELETE]))
def test_user_has_resource_db_permission(self):
    """Exercise InquiryPermissionsResolver for admin, observer, roleless and custom-role users.

    INQUIRY_LIST is dropped from the "all" list because it is not a
    per-resource permission. The final case checks that INQUIRY_RESPOND can
    be inherited from the parent workflow's action_execution rather than
    granted directly.
    """
    resolver = InquiryPermissionsResolver()
    per_inquiry_permissions = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.INQUIRY)
    per_inquiry_permissions.remove(PermissionType.INQUIRY_LIST)

    inquiry_1 = self.resources['inquiry_1']

    def granted(user_key, resource_db, permission_type):
        self.assertUserHasResourceDbPermission(
            resolver=resolver, user_db=self.users[user_key],
            resource_db=resource_db, permission_type=permission_type)

    def denied(user_key, resource_db, permission_type):
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver, user_db=self.users[user_key],
            resource_db=resource_db, permission_type=permission_type)

    # Admin user, should always return true
    self.assertUserHasResourceDbPermissions(
        resolver=resolver, user_db=self.users['admin'], resource_db=inquiry_1,
        permission_types=per_inquiry_permissions)

    # Observer, should always return true for VIEW permission (and only VIEW)
    granted('observer', inquiry_1, PermissionType.INQUIRY_VIEW)
    denied('observer', inquiry_1, PermissionType.INQUIRY_RESPOND)
    denied('observer', inquiry_1, PermissionType.INQUIRY_ALL)

    # No roles, and a custom role with no permission grants: false for everything
    for user_key in ('no_roles', '1_custom_role_no_permissions'):
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver, user_db=self.users[user_key], resource_db=inquiry_1,
            permission_types=per_inquiry_permissions)

    # Each direct grant yields the matching permission
    granted('custom_role_inquiry_view_grant', inquiry_1, PermissionType.INQUIRY_VIEW)
    granted('custom_role_inquiry_respond_grant', inquiry_1, PermissionType.INQUIRY_RESPOND)
    granted('custom_role_inquiry_all_grant', inquiry_1, PermissionType.INQUIRY_ALL)

    # Inheritance from action_execution for the parent workflow: this role was never
    # granted INQUIRY_RESPOND directly (it is passed only to satisfy the resolver's
    # enum assert), so a positive answer proves the effective permission is inherited.
    granted('custom_role_inquiry_inherit', self.resources['inquiry_2'],
            PermissionType.INQUIRY_RESPOND)
def test_user_has_resource_db_permission(self):
    """Exercise SensorPermissionsResolver for admin, observer, roleless and custom-role users.

    Covers pack-inherited grants (sensor_3 lives outside the granted pack),
    direct grants on a sensor, and "sensor_all" on pack and sensor.
    """
    resolver = SensorPermissionsResolver()
    every_sensor_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.SENSOR)

    def granted(user_db, resource_key, permission_type):
        self.assertUserHasResourceDbPermission(
            resolver=resolver, user_db=user_db,
            resource_db=self.resources[resource_key], permission_type=permission_type)

    def denied(user_db, resource_key, permission_type):
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver, user_db=user_db,
            resource_db=self.resources[resource_key], permission_type=permission_type)

    sensor_1 = self.resources['sensor_1']

    # Admin user, should always return true
    self.assertUserHasResourceDbPermissions(
        resolver=resolver, user_db=self.users['admin'], resource_db=sensor_1,
        permission_types=every_sensor_permission)

    # Observer, should always return true for VIEW permission
    user_db = self.users['observer']
    granted(user_db, 'sensor_1', PermissionType.SENSOR_VIEW)
    granted(user_db, 'sensor_2', PermissionType.SENSOR_VIEW)

    # No roles, and a custom role with no permission grants: false for everything
    for user_key in ('no_roles', '1_custom_role_no_permissions'):
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver, user_db=self.users[user_key], resource_db=sensor_1,
            permission_types=every_sensor_permission)

    # Custom role with unrelated permission grant to parent pack
    user_db = self.users['custom_role_pack_grant']
    denied(user_db, 'sensor_1', PermissionType.SENSOR_VIEW)
    denied(user_db, 'sensor_2', PermissionType.SENSOR_ALL)
    denied(user_db, 'sensor_3', PermissionType.SENSOR_VIEW)

    # Custom role with grant on the parent pack (sensor_3 is outside that pack)
    user_db = self.users['custom_role_sensor_pack_grant']
    granted(user_db, 'sensor_1', PermissionType.SENSOR_VIEW)
    granted(user_db, 'sensor_2', PermissionType.SENSOR_VIEW)
    denied(user_db, 'sensor_3', PermissionType.SENSOR_VIEW)

    # Custom role with a direct grant on sensor
    user_db = self.users['custom_role_sensor_grant']
    granted(user_db, 'sensor_3', PermissionType.SENSOR_VIEW)
    denied(user_db, 'sensor_3', PermissionType.SENSOR_ALL)

    # "sensor_all" grant on the parent pack, then directly on the sensor
    for user_key in ('custom_role_pack_sensor_all_grant', 'custom_role_sensor_all_grant'):
        self.assertUserHasResourceDbPermissions(
            resolver=resolver, user_db=self.users[user_key], resource_db=sensor_1,
            permission_types=every_sensor_permission)
def test_user_has_resource_permissions(self):
    """Exercise ExecutionPermissionsResolver; execution permissions derive from action grants.

    "action_view" (on pack or action) yields EXECUTION_VIEW only;
    "action_execute" yields RE_RUN and STOP; "action_all" yields everything.
    Unrelated grants yield nothing.
    """
    resolver = ExecutionPermissionsResolver()
    every_execution_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.EXECUTION)
    exec_1 = self.resources['exec_1']

    def single(user_db, permission_type):
        return resolver.user_has_resource_permission(
            user_db=user_db, resource_db=exec_1, permission_type=permission_type)

    def every(user_db, permission_types):
        return self._user_has_resource_permissions(
            resolver=resolver, user_db=user_db, resource_db=exec_1,
            permission_types=permission_types)

    # Admin user, should always return true
    self.assertTrue(every(self.users['admin'], every_execution_permission))

    # Observer, should always return true for VIEW permission (and only VIEW)
    user_db = self.users['observer']
    self.assertTrue(single(user_db, PermissionType.EXECUTION_VIEW))
    self.assertFalse(single(user_db, PermissionType.EXECUTION_STOP))
    self.assertFalse(single(user_db, PermissionType.EXECUTION_ALL))

    # No roles, no grants, a grant on an unrelated pack, and an unrelated
    # permission on the parent pack: false for everything
    for user_key in ('no_roles',
                     '1_custom_role_no_permissions',
                     'custom_role_unrelated_pack_action_grant',
                     'custom_role_pack_action_grant_unrelated_permission'):
        self.assertFalse(every(self.users[user_key], every_execution_permission))

    # "action_view" grant on the pack, then on the action the execution belongs to
    for user_key in ('custom_role_pack_action_view_grant', 'custom_role_action_view_grant'):
        user_db = self.users[user_key]
        self.assertTrue(single(user_db, PermissionType.EXECUTION_VIEW))
        self.assertFalse(single(user_db, PermissionType.EXECUTION_RE_RUN))

    # "action_execute" grant on the pack, then on the action the execution belongs to
    for user_key in ('custom_role_pack_action_execute_grant',
                     'custom_role_action_execute_grant'):
        user_db = self.users[user_key]
        self.assertTrue(every(user_db, [PermissionType.EXECUTION_RE_RUN,
                                        PermissionType.EXECUTION_STOP]))
        self.assertFalse(every(user_db, [PermissionType.EXECUTION_VIEW,
                                         PermissionType.EXECUTION_ALL]))

    # "action_all" grant on the parent pack, then on the action the execution belongs to
    for user_key in ('custom_role_pack_action_all_grant', 'custom_role_action_all_grant'):
        self.assertTrue(every(self.users[user_key], every_execution_permission))
def test_user_has_resource_db_permission(self):
    """Rule-enforcement permissions are derived from grants on the parent rule.

    Walks the fixture users from most to least privileged and checks, through
    the ``assertUser*ResourceDbPermission(s)`` helpers of the test base class,
    which ``RULE_ENFORCEMENT_*`` permissions ``RuleEnforcementPermissionsResolver``
    reports on the ``rule_enforcement_*`` fixture resources.
    """
    resolver = RuleEnforcementPermissionsResolver()
    every_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.RULE_ENFORCEMENT)
    view = PermissionType.RULE_ENFORCEMENT_VIEW

    def expect_all(user_name, resource_name):
        # The user must hold every valid rule-enforcement permission on the resource.
        self.assertUserHasResourceDbPermissions(
            resolver=resolver, user_db=self.users[user_name],
            resource_db=self.resources[resource_name],
            permission_types=every_permission)

    def expect_none(user_name, resource_name):
        # The user must hold none of the valid rule-enforcement permissions.
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver, user_db=self.users[user_name],
            resource_db=self.resources[resource_name],
            permission_types=every_permission)

    def expect_view(user_name, resource_name):
        self.assertUserHasResourceDbPermission(
            resolver=resolver, user_db=self.users[user_name],
            resource_db=self.resources[resource_name], permission_type=view)

    def expect_no_view(user_name, resource_name):
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver, user_db=self.users[user_name],
            resource_db=self.resources[resource_name], permission_type=view)

    # Admin: unconditionally allowed.
    expect_all('admin', 'rule_enforcement_1')

    # Observer: read-only, so VIEW is allowed on every enforcement.
    for resource_name in ('rule_enforcement_1', 'rule_enforcement_2'):
        expect_view('observer', resource_name)

    # No roles, or a role without any grant: nothing is allowed.
    for user_name in ('no_roles', '1_custom_role_no_permissions'):
        expect_none(user_name, 'rule_enforcement_1')

    # A pack-level grant for an unrelated resource type must not leak into
    # rule enforcements.
    for resource_name in ('rule_enforcement_1', 'rule_enforcement_2'):
        expect_no_view('custom_role_pack_grant', resource_name)

    # Rule grant on the parent pack: VIEW on the enforcements of that pack.
    for resource_name in ('rule_enforcement_1', 'rule_enforcement_2'):
        expect_view('custom_role_rule_pack_grant', resource_name)

    # Direct grant on the rule itself.
    # NOTE(review): only the positive side is pinned here; the sensor and rule
    # tests also assert that a direct grant does *not* reach sibling resources.
    # A matching denial on rule_enforcement_1/2 would pin least privilege too,
    # if the fixtures are set up to support it — confirm before adding.
    expect_view('custom_role_rule_grant', 'rule_enforcement_3')

    # "rule_all", whether on the pack or on the rule, covers every permission.
    expect_all('custom_role_pack_rule_all_grant', 'rule_enforcement_1')
    expect_all('custom_role_rule_all_grant', 'rule_enforcement_1')

    # "rule_modify" implies "view".
    expect_view('custom_role_rule_modify_grant', 'rule_enforcement_1')
def test_user_has_resource_permissions(self):
    """Sensor permissions follow grants on the sensor or on its parent pack.

    Exercises ``SensorPermissionsResolver`` against the ``sensor_*`` fixture
    resources for each fixture user, from the built-in admin/observer roles
    down to custom roles holding pack-level and sensor-level grants.
    """
    resolver = SensorPermissionsResolver()
    every_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.SENSOR)
    view_perm = PermissionType.SENSOR_VIEW
    all_perm = PermissionType.SENSOR_ALL

    def holds_everything(user_name, resource_name):
        # Base-class bulk check across every valid sensor permission.
        return self._user_has_resource_permissions(
            resolver=resolver, user_db=self.users[user_name],
            resource_db=self.resources[resource_name],
            permission_types=every_permission)

    def probe(user_name, resource_name, permission_type, expected):
        # Single-permission check; assertTrue/assertFalse are kept so the
        # resolver's raw return value is judged exactly as before.
        outcome = resolver.user_has_resource_permission(
            user_db=self.users[user_name],
            resource_db=self.resources[resource_name],
            permission_type=permission_type)
        if expected:
            self.assertTrue(outcome)
        else:
            self.assertFalse(outcome)

    # Admin: everything on sensor_1.
    self.assertTrue(holds_everything('admin', 'sensor_1'))

    # Observer: VIEW on any sensor.
    probe('observer', 'sensor_1', view_perm, True)
    probe('observer', 'sensor_2', view_perm, True)

    # No roles, or a role without any grant: nothing.
    for user_name in ('no_roles', '1_custom_role_no_permissions'):
        self.assertFalse(holds_everything(user_name, 'sensor_1'))

    # Single-permission expectations, in the original assertion order.
    expectations = [
        # Unrelated grant on the parent pack must not leak into sensors.
        ('custom_role_pack_grant', 'sensor_1', view_perm, False),
        ('custom_role_pack_grant', 'sensor_2', all_perm, False),
        ('custom_role_pack_grant', 'sensor_3', view_perm, False),
        # Sensor grant on the parent pack: only sensors in that pack.
        ('custom_role_sensor_pack_grant', 'sensor_1', view_perm, True),
        ('custom_role_sensor_pack_grant', 'sensor_2', view_perm, True),
        ('custom_role_sensor_pack_grant', 'sensor_3', view_perm, False),
        # Direct grant on sensor_3: VIEW, but not the broader ALL.
        ('custom_role_sensor_grant', 'sensor_3', view_perm, True),
        ('custom_role_sensor_grant', 'sensor_3', all_perm, False),
    ]
    for user_name, resource_name, permission_type, expected in expectations:
        probe(user_name, resource_name, permission_type, expected)

    # "sensor_all", granted on the pack or on the sensor, covers every permission.
    self.assertTrue(holds_everything('custom_role_pack_sensor_all_grant', 'sensor_1'))
    self.assertTrue(holds_everything('custom_role_sensor_all_grant', 'sensor_1'))
def test_user_has_resource_permissions(self):
    """Rule permissions follow grants on the rule or on its parent pack.

    Exercises ``RulePermissionsResolver`` against the ``rule_*`` fixture
    resources for each fixture user.  Besides the allow cases, the observer,
    pack-grant and direct-grant cases pin the denials (MODIFY / DELETE / ALL)
    so that a grant cannot silently widen.
    """
    resolver = RulePermissionsResolver()
    every_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.RULE)
    view_perm = PermissionType.RULE_VIEW
    modify_perm = PermissionType.RULE_MODIFY
    delete_perm = PermissionType.RULE_DELETE
    all_perm = PermissionType.RULE_ALL

    def holds(user_name, resource_name, permission_types):
        # Base-class bulk check across the given rule permissions.
        return self._user_has_resource_permissions(
            resolver=resolver, user_db=self.users[user_name],
            resource_db=self.resources[resource_name],
            permission_types=permission_types)

    def probe(user_name, resource_name, permission_type, expected):
        # Single-permission check; assertTrue/assertFalse are kept so the
        # resolver's raw return value is judged exactly as before.
        outcome = resolver.user_has_resource_permission(
            user_db=self.users[user_name],
            resource_db=self.resources[resource_name],
            permission_type=permission_type)
        if expected:
            self.assertTrue(outcome)
        else:
            self.assertFalse(outcome)

    # Admin: everything on rule_1.
    self.assertTrue(holds('admin', 'rule_1', every_permission))

    # Observer: VIEW only; write permissions are denied.
    probe('observer', 'rule_1', view_perm, True)
    probe('observer', 'rule_2', view_perm, True)
    probe('observer', 'rule_1', modify_perm, False)
    probe('observer', 'rule_2', delete_perm, False)

    # No roles, or a role without any grant: nothing.
    for user_name in ('no_roles', '1_custom_role_no_permissions'):
        self.assertFalse(holds(user_name, 'rule_1', every_permission))

    # Single-permission expectations, in the original assertion order.
    expectations = [
        # Unrelated grant on the parent pack must not leak into rules.
        ('custom_role_pack_grant', 'rule_1', view_perm, False),
        ('custom_role_pack_grant', 'rule_2', view_perm, False),
        ('custom_role_pack_grant', 'rule_3', delete_perm, False),
        # Rule grant on the parent pack: VIEW only, no write permissions.
        ('custom_role_rule_pack_grant', 'rule_1', view_perm, True),
        ('custom_role_rule_pack_grant', 'rule_2', view_perm, True),
        ('custom_role_rule_pack_grant', 'rule_1', delete_perm, False),
        ('custom_role_rule_pack_grant', 'rule_2', modify_perm, False),
        # Direct grant on rule_3: VIEW only.
        ('custom_role_rule_grant', 'rule_3', view_perm, True),
        ('custom_role_rule_grant', 'rule_3', all_perm, False),
        ('custom_role_rule_grant', 'rule_3', modify_perm, False),
        ('custom_role_rule_grant', 'rule_3', delete_perm, False),
    ]
    for user_name, resource_name, permission_type, expected in expectations:
        probe(user_name, resource_name, permission_type, expected)

    # "rule_all" on the rule's parent pack, then "rule_all" on the rule itself:
    # both cover every rule permission.
    self.assertTrue(holds('custom_role_pack_rule_all_grant', 'rule_1', every_permission))
    self.assertTrue(holds('custom_role_rule_all_grant', 'rule_1', every_permission))

    # "rule_modify" on rule_1: MODIFY, and VIEW by implication, but neither
    # CREATE nor DELETE.
    probe('custom_role_rule_modify_grant', 'rule_1', modify_perm, True)
    probe('custom_role_rule_modify_grant', 'rule_1', view_perm, True)
    self.assertFalse(holds(
        'custom_role_rule_modify_grant', 'rule_1',
        [PermissionType.RULE_CREATE, PermissionType.RULE_DELETE]))
def test_user_has_resource_db_permission(self):
    """Execution permissions are inherited from grants on the originating action.

    Every check runs ``ExecutionPermissionsResolver`` against the ``exec_1``
    fixture.  Users are walked from admin/observer down to custom roles whose
    action grants sit either on the action's pack or on the action itself,
    and for each the allowed and the denied ``EXECUTION_*`` permissions are
    pinned through the ``assertUser*ResourceDbPermission(s)`` helpers.
    """
    resolver = ExecutionPermissionsResolver()
    relevant_permissions = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.EXECUTION)
    # EXECUTION_LIST is left out of the bulk checks (presumably because it is
    # not evaluated against a single execution — confirm).
    # NOTE(review): this mutates the list handed back by
    # get_valid_permissions_for_resource_type in place, which is only safe if
    # that helper returns a fresh list per call; verify before relying on it.
    relevant_permissions.remove(PermissionType.EXECUTION_LIST)
    view = PermissionType.EXECUTION_VIEW
    stop = PermissionType.EXECUTION_STOP
    re_run = PermissionType.EXECUTION_RE_RUN
    everything = PermissionType.EXECUTION_ALL
    execution = self.resources['exec_1']

    def expect_has(user_name, permission_types):
        self.assertUserHasResourceDbPermissions(
            resolver=resolver, user_db=self.users[user_name],
            resource_db=execution, permission_types=permission_types)

    def expect_lacks(user_name, permission_types):
        self.assertUserDoesntHaveResourceDbPermissions(
            resolver=resolver, user_db=self.users[user_name],
            resource_db=execution, permission_types=permission_types)

    def expect_has_one(user_name, permission_type):
        self.assertUserHasResourceDbPermission(
            resolver=resolver, user_db=self.users[user_name],
            resource_db=execution, permission_type=permission_type)

    def expect_lacks_one(user_name, permission_type):
        self.assertUserDoesntHaveResourceDbPermission(
            resolver=resolver, user_db=self.users[user_name],
            resource_db=execution, permission_type=permission_type)

    # Admin: unconditionally allowed.
    expect_has('admin', relevant_permissions)

    # Observer: may look, may not stop and does not get the ALL bundle.
    expect_has_one('observer', view)
    expect_lacks_one('observer', stop)
    expect_lacks_one('observer', everything)

    # Nothing for users without roles, without grants, or whose action grants
    # target an unrelated pack / an unrelated permission on the parent pack.
    for user_name in ('no_roles',
                      '1_custom_role_no_permissions',
                      'custom_role_unrelated_pack_action_grant',
                      'custom_role_pack_action_grant_unrelated_permission'):
        expect_lacks(user_name, relevant_permissions)

    # "action_view", on the pack or on the action: VIEW only, no RE_RUN.
    for user_name in ('custom_role_pack_action_view_grant',
                      'custom_role_action_view_grant'):
        expect_has_one(user_name, view)
        expect_lacks_one(user_name, re_run)

    # "action_execute", on the pack or on the action: RE_RUN and STOP, but
    # neither VIEW nor the ALL bundle.
    for user_name in ('custom_role_pack_action_execute_grant',
                      'custom_role_action_execute_grant'):
        expect_has(user_name, [re_run, stop])
        expect_lacks(user_name, [view, everything])

    # "action_all", on the pack or on the action: every relevant permission.
    for user_name in ('custom_role_pack_action_all_grant',
                      'custom_role_action_all_grant'):
        expect_has(user_name, relevant_permissions)
def test_user_has_resource_db_permission(self):
    """Rule-enforcement permissions are derived from grants on the parent rule.

    Walks the fixture users from most to least privileged and checks which
    ``RULE_ENFORCEMENT_*`` permissions ``RuleEnforcementPermissionsResolver``
    reports on the ``rule_enforcement_*`` fixture resources, using the
    base-class bulk helper for "all permissions" cases and the resolver's
    single-permission entry point otherwise.
    """
    resolver = RuleEnforcementPermissionsResolver()
    every_permission = PermissionType.get_valid_permissions_for_resource_type(
        ResourceType.RULE_ENFORCEMENT
    )
    view = PermissionType.RULE_ENFORCEMENT_VIEW

    def holds_everything(user_name, resource_name):
        # Base-class bulk check across every valid rule-enforcement permission.
        return self._user_has_resource_db_permissions(
            resolver=resolver,
            user_db=self.users[user_name],
            resource_db=self.resources[resource_name],
            permission_types=every_permission,
        )

    def can_view(user_name, resource_name):
        return resolver.user_has_resource_db_permission(
            user_db=self.users[user_name],
            resource_db=self.resources[resource_name],
            permission_type=view,
        )

    # Admin: unconditionally allowed.
    self.assertTrue(holds_everything("admin", "rule_enforcement_1"))

    # Observer: read-only, so VIEW is allowed on every enforcement.
    for resource_name in ("rule_enforcement_1", "rule_enforcement_2"):
        self.assertTrue(can_view("observer", resource_name))

    # No roles, or a role without any grant: nothing is allowed.
    for user_name in ("no_roles", "1_custom_role_no_permissions"):
        self.assertFalse(holds_everything(user_name, "rule_enforcement_1"))

    # A pack-level grant for an unrelated resource type must not leak into
    # rule enforcements.
    for resource_name in ("rule_enforcement_1", "rule_enforcement_2"):
        self.assertFalse(can_view("custom_role_pack_grant", resource_name))

    # Rule grant on the parent pack: VIEW on the enforcements of that pack.
    for resource_name in ("rule_enforcement_1", "rule_enforcement_2"):
        self.assertTrue(can_view("custom_role_rule_pack_grant", resource_name))

    # Direct grant on the rule itself.
    # NOTE(review): only the positive side is pinned here; the sensor and rule
    # tests also assert that a direct grant does *not* reach sibling resources.
    # A matching denial on rule_enforcement_1/2 would pin least privilege too,
    # if the fixtures are set up to support it — confirm before adding.
    self.assertTrue(can_view("custom_role_rule_grant", "rule_enforcement_3"))

    # "rule_all", whether on the pack or on the rule, covers every permission.
    self.assertTrue(holds_everything("custom_role_pack_rule_all_grant", "rule_enforcement_1"))
    self.assertTrue(holds_everything("custom_role_rule_all_grant", "rule_enforcement_1"))

    # "rule_modify" implies "view".
    self.assertTrue(can_view("custom_role_rule_modify_grant", "rule_enforcement_1"))