def test_is_alpha_only(self):
    """Check which permission-view pairs ``is_alpha_only`` classifies as Alpha-only."""

    def alpha_only(permission_name, view_menu_name):
        pvm = security_manager.find_permission_view_menu(
            permission_name, view_menu_name)
        return security_manager.is_alpha_only(pvm)

    # Read access to the table view is not reserved for Alpha.
    self.assertFalse(alpha_only('can_show', 'TableModelView'))

    # Bulk delete, metric edit/delete and the global datasource grant are.
    for permission_name, view_menu_name in (
        ('muldelete', 'TableModelView'),
        ('all_datasource_access', 'all_datasource_access'),
        ('can_edit', 'SqlMetricInlineView'),
        ('can_delete', 'DruidMetricInlineView'),
    ):
        self.assertTrue(alpha_only(permission_name, view_menu_name))
def test_clean_requests_after_db_grant(self):
    """Case 3: a pending request disappears once its author has database access.

    gamma and gamma2 both request the same table. gamma is then given
    database-level access through DB_ACCESS_ROLE. After gamma2's request is
    fulfilled, gamma's request must no longer be listed.
    """
    session = db.session

    # NOTE(review): the username literal is masked in this listing;
    # presumably the gamma test user -- confirm.
    gamma_user = security_manager.find_user(username='******')
    gamma_request = create_access_request(
        session, 'table', 'energy_usage', TEST_ROLE_1, 'gamma')
    create_access_request(
        session, 'table', 'energy_usage', TEST_ROLE_2, 'gamma2')
    table_id = gamma_request.datasource_id

    # gamma gets granted database access
    database = session.query(models.Database).first()
    security_manager.merge_perm('database_access', database.perm)
    database_pvm = security_manager.find_permission_view_menu(
        'database_access', database.perm)
    security_manager.add_permission_role(
        security_manager.find_role(DB_ACCESS_ROLE), database_pvm)
    gamma_user.roles.append(security_manager.find_role(DB_ACCESS_ROLE))
    session.commit()

    # The grant by itself leaves gamma's request in place.
    self.assertTrue(self.get_access_requests('gamma', 'table', table_id))

    # gamma2 request gets fulfilled
    self.client.get(EXTEND_ROLE_REQUEST.format(
        'table', table_id, 'gamma2', TEST_ROLE_2))
    self.assertFalse(self.get_access_requests('gamma', 'table', table_id))

    # Restore gamma's roles; this runs only when the assertions above pass.
    gamma_user = security_manager.find_user(username='******')
    gamma_user.roles.remove(security_manager.find_role(DB_ACCESS_ROLE))
    session.commit()
def test_filter_druid_datasource(self):
    """The Druid datasource list must show only the datasource granted to Gamma."""
    cluster_name = 'new_druid'
    cluster = self.get_or_create(
        DruidCluster, {'cluster_name': cluster_name}, db.session)
    db.session.merge(cluster)

    def make_datasource(name):
        datasource = self.get_or_create(
            DruidDatasource, {'datasource_name': name}, db.session)
        datasource.cluster = cluster
        db.session.merge(datasource)
        return datasource

    gamma_ds = make_datasource('datasource_for_gamma')
    no_gamma_ds = make_datasource('datasource_not_for_gamma')
    db.session.commit()

    # Both datasources get a permission record, but only gamma_ds's is
    # attached to the Gamma role.
    for datasource in (gamma_ds, no_gamma_ds):
        security_manager.merge_perm('datasource_access', datasource.perm)
    granted_pvm = security_manager.find_permission_view_menu(
        'datasource_access', gamma_ds.get_perm())
    gamma_role = security_manager.find_role('Gamma')
    security_manager.add_permission_role(gamma_role, granted_pvm)
    security_manager.get_session.commit()

    # NOTE(review): the username literal is masked in this listing;
    # presumably a Gamma-role test user -- confirm.
    self.login(username='******')
    listing = self.get_resp('/druiddatasourcemodelview/list/')
    self.assertIn('datasource_for_gamma', listing)
    self.assertNotIn('datasource_not_for_gamma', listing)
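def test_queryview_filter_owner_only(self) -> None:
    """
    Test queryview api with can_only_access_owned_queries perm added to
    Admin and make sure only Admin queries show up.

    The permission is removed again in a ``finally`` block, so a failing
    assertion cannot leave the Admin role restricted for later tests.
    """
    session = db.session

    # Add can_only_access_owned_queries perm to Admin user
    owned_queries_view = security_manager.find_permission_view_menu(
        'can_only_access_owned_queries',
        'can_only_access_owned_queries',
    )
    security_manager.add_permission_role(
        security_manager.find_role('Admin'),
        owned_queries_view,
    )
    session.commit()

    try:
        # Test search_queries for Admin user
        self.run_some_queries()
        self.login('admin')

        url = '/queryview/api/read'
        data = self.get_json_resp(url)
        admin = security_manager.find_user('admin')
        # assertEqual replaces the deprecated assertEquals alias.
        self.assertEqual(2, len(data['result']))
        # unittest assertions instead of a bare ``assert``: they survive
        # ``python -O`` and report which row belonged to another user.
        for result in data['result']:
            self.assertEqual(admin.username, result.get('username'))
    finally:
        # Remove can_only_access_owned_queries from Admin
        owned_queries_view = security_manager.find_permission_view_menu(
            'can_only_access_owned_queries',
            'can_only_access_owned_queries',
        )
        security_manager.del_permission_role(
            security_manager.find_role('Admin'),
            owned_queries_view,
        )
        session.commit()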
def load_test_users_run():
    """
    Loads admin, alpha, and gamma user for testing purposes

    Syncs permissions for those users/roles

    The accounts are created with fixed credentials, and the ``TESTING``
    config check below is the only thing that keeps them out of other
    deployments.
    """
    # NOTE(review): indentation was lost in this listing; the whole body is
    # taken to sit under the TESTING check (gamma_sqllab_role is only bound
    # there) -- confirm.
    if not config.get('TESTING'):
        return

    security_manager.sync_role_definitions()

    # gamma_sqllab = Gamma permissions + main-database access + sql_lab permissions.
    gamma_sqllab_role = security_manager.add_role('gamma_sqllab')
    for perm in security_manager.find_role('Gamma').permissions:
        security_manager.add_permission_role(gamma_sqllab_role, perm)
    utils.get_or_create_main_db()
    db_perm = utils.get_main_database(security_manager.get_session).perm
    security_manager.merge_perm('database_access', db_perm)
    db_pvm = security_manager.find_permission_view_menu(
        view_menu_name=db_perm, permission_name='database_access')
    gamma_sqllab_role.permissions.append(db_pvm)
    for perm in security_manager.find_role('sql_lab').permissions:
        security_manager.add_permission_role(gamma_sqllab_role, perm)

    def ensure_user(username, last_name, resolve_role):
        # The role is resolved only when the user actually has to be created.
        if security_manager.find_user(username):
            return
        security_manager.add_user(
            username, username, last_name, '*****@*****.**',
            resolve_role(),
            password='******')

    ensure_user('admin', ' user', lambda: security_manager.find_role('Admin'))
    ensure_user('gamma', 'user', lambda: security_manager.find_role('Gamma'))
    ensure_user('gamma2', 'user', lambda: security_manager.find_role('Gamma'))
    ensure_user('gamma_sqllab', 'user', lambda: gamma_sqllab_role)
    ensure_user('alpha', 'user', lambda: security_manager.find_role('Alpha'))
    security_manager.get_session.commit()
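def test_search_query_with_owner_only_perms(self) -> None:
    """
    Test a search query with can_only_access_owned_queries perm added to
    Admin and make sure only Admin queries show up.

    The permission is removed again in a ``finally`` block, so a failing
    assertion cannot leave the Admin role restricted for later tests.
    """
    session = db.session

    # Add can_only_access_owned_queries perm to Admin user
    owned_queries_view = security_manager.find_permission_view_menu(
        'can_only_access_owned_queries',
        'can_only_access_owned_queries',
    )
    security_manager.add_permission_role(
        security_manager.find_role('Admin'),
        owned_queries_view,
    )
    session.commit()

    try:
        # Test search_queries for Admin user
        self.run_some_queries()
        self.login('admin')

        user_id = security_manager.find_user('admin').id
        data = self.get_json_resp('/superset/search_queries')
        # assertEqual replaces the deprecated assertEquals alias.
        self.assertEqual(2, len(data))
        # Every returned query must belong to the logged-in admin.
        user_ids = {k['userId'] for k in data}
        self.assertEqual({user_id}, user_ids)
    finally:
        # Remove can_only_access_owned_queries from Admin
        owned_queries_view = security_manager.find_permission_view_menu(
            'can_only_access_owned_queries',
            'can_only_access_owned_queries',
        )
        security_manager.del_permission_role(
            security_manager.find_role('Admin'),
            owned_queries_view,
        )
        session.commit()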
def test_get_or_create_db(self):
    """get_or_create_db must register the database and its access permission, and update the URI on a repeat call."""

    def fetch_test_db():
        # .one() fails the test if the name matches zero rows or more than one.
        return db.session.query(Database).filter_by(
            database_name="test_db").one()

    get_or_create_db("test_db", "sqlite:///superset.db")
    created = fetch_test_db()
    self.assertIsNotNone(created)
    self.assertEqual(created.sqlalchemy_uri, "sqlite:///superset.db")
    database_pvm = security_manager.find_permission_view_menu(
        "database_access", created.perm)
    self.assertIsNotNone(database_pvm)

    # Test change URI
    get_or_create_db("test_db", "sqlite:///changed.db")
    updated = fetch_test_db()
    self.assertEqual(updated.sqlalchemy_uri, "sqlite:///changed.db")

    db.session.delete(updated)
    db.session.commit()
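def roles_with_datasource(self):
    """Return an HTML ``<ul>`` with one "Grant <role> Role" approval link per role.

    The roles are those attached to the ``datasource_access`` permission-view
    of this request's datasource, minus any role named in ``ROLES_BLACKLIST``.

    The role name and the requester's username are stored values rather than
    constants, so every query-string value is percent-encoded and the link
    text is HTML-escaped before it is placed in the markup. For values made
    of letters, digits, ``_``, ``.`` and ``-`` the output is unchanged.
    """
    from html import escape
    from urllib.parse import quote

    def encode(value):
        # safe='' also encodes '/', so a value cannot add path or query syntax.
        return quote(str(value), safe='')

    perm = self.datasource.perm  # pylint: disable=no-member
    pv = security_manager.find_permission_view_menu('datasource_access', perm)
    items = []
    for r in pv.role:
        if r.name in self.ROLES_BLACKLIST:
            continue
        # Explicit arguments replace .format(**locals()), which made every
        # local name reachable from the template.
        url = (
            '/superset/approve?datasource_type={}&'
            'datasource_id={}&'
            'created_by={}&role_to_grant={}'
        ).format(
            encode(self.datasource_type),
            encode(self.datasource_id),
            encode(self.created_by.username),
            encode(r.name),
        )
        href = '<a href="{}">Grant {} Role</a>'.format(url, escape(str(r.name)))
        items.append('<li>' + href + '</li>')
    return '<ul>' + ''.join(items) + '</ul>'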
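def roles_with_datasource(self):
    """Return an HTML ``<ul>`` with one "Grant <role> Role" approval link per role.

    The roles are those attached to the ``datasource_access`` permission-view
    of this request's datasource, minus any role named in ``ROLES_BLACKLIST``.

    The role name and the requester's username are stored values rather than
    constants, so every query-string value is percent-encoded and the link
    text is HTML-escaped before it is placed in the markup. For values made
    of letters, digits, ``_``, ``.`` and ``-`` the output is unchanged.
    """
    from html import escape
    from urllib.parse import quote

    def encode(value):
        # safe='' also encodes '/', so a value cannot add path or query syntax.
        return quote(str(value), safe='')

    perm = self.datasource.perm  # pylint: disable=no-member
    pv = security_manager.find_permission_view_menu('datasource_access', perm)
    items = []
    for r in pv.role:
        if r.name in self.ROLES_BLACKLIST:
            continue
        # pylint: disable=no-member
        url = (
            f'/superset/approve?datasource_type={encode(self.datasource_type)}&'
            f'datasource_id={encode(self.datasource_id)}&'
            f'created_by={encode(self.created_by.username)}&'
            f'role_to_grant={encode(r.name)}'
        )
        href = '<a href="{}">Grant {} Role</a>'.format(url, escape(str(r.name)))
        items.append('<li>' + href + '</li>')
    return '<ul>' + ''.join(items) + '</ul>'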
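def roles_with_datasource(self):
    """Return an HTML ``<ul>`` with one "Grant <role> Role" approval link per role.

    The roles are those attached to the ``datasource_access`` permission-view
    of this request's datasource, minus any role named in ``ROLES_BLACKLIST``.

    The role name and the requester's username are stored values rather than
    constants, so every query-string value is percent-encoded and the link
    text is HTML-escaped before it is placed in the markup. For values made
    of letters, digits, ``_``, ``.`` and ``-`` the output is unchanged.
    """
    from html import escape
    from urllib.parse import quote

    def encode(value):
        # safe="" also encodes "/", so a value cannot add path or query syntax.
        return quote(str(value), safe="")

    perm = self.datasource.perm  # pylint: disable=no-member
    pv = security_manager.find_permission_view_menu("datasource_access", perm)
    items = []
    for r in pv.role:
        if r.name in self.ROLES_BLACKLIST:
            continue
        # pylint: disable=no-member
        url = (
            f"/superset/approve?datasource_type={encode(self.datasource_type)}&"
            f"datasource_id={encode(self.datasource_id)}&"
            f"created_by={encode(self.created_by.username)}&"
            f"role_to_grant={encode(r.name)}"
        )
        href = '<a href="{}">Grant {} Role</a>'.format(url, escape(str(r.name)))
        items.append("<li>" + href + "</li>")
    return "<ul>" + "".join(items) + "</ul>"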
def test_filter_druid_datasource(self):
    """The Druid datasource list must show only the datasource granted to Gamma."""
    cluster_name = "new_druid"
    cluster = self.get_or_create(
        DruidCluster, {"cluster_name": cluster_name}, db.session)
    db.session.merge(cluster)

    def make_datasource(name):
        datasource = self.get_or_create(
            DruidDatasource,
            {"datasource_name": name, "cluster": cluster},
            db.session,
        )
        datasource.cluster = cluster
        db.session.merge(datasource)
        return datasource

    gamma_ds = make_datasource("datasource_for_gamma")
    no_gamma_ds = make_datasource("datasource_not_for_gamma")
    db.session.commit()

    # Both datasources get a permission-view, but only gamma_ds's is
    # attached to the Gamma role.
    for datasource in (gamma_ds, no_gamma_ds):
        security_manager.add_permission_view_menu(
            "datasource_access", datasource.perm)
    granted_pvm = security_manager.find_permission_view_menu(
        "datasource_access", gamma_ds.get_perm())
    gamma_role = security_manager.find_role("Gamma")
    security_manager.add_permission_role(gamma_role, granted_pvm)
    security_manager.get_session.commit()

    # NOTE(review): the username literal is masked in this listing;
    # presumably a Gamma-role test user -- confirm.
    self.login(username="******")
    listing = self.get_resp("/druiddatasourcemodelview/list/")
    self.assertIn("datasource_for_gamma", listing)
    self.assertNotIn("datasource_not_for_gamma", listing)
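def roles_with_datasource(self) -> str:
    """Return an HTML ``<ul>`` with one "Grant <role> Role" approval link per role.

    The roles are those attached to the ``datasource_access`` permission-view
    of this request's datasource, minus any role named in ``ROLES_DENYLIST``.

    The role name and the requester's username are stored values rather than
    constants, so every query-string value is percent-encoded and the link
    text is HTML-escaped before it is placed in the markup. For values made
    of letters, digits, ``_``, ``.`` and ``-`` the output is unchanged.
    """
    from html import escape
    from urllib.parse import quote

    def encode(value: object) -> str:
        # safe="" also encodes "/", so a value cannot add path or query syntax.
        return quote(str(value), safe="")

    perm = self.datasource.perm  # pylint: disable=no-member
    pv = security_manager.find_permission_view_menu(
        "datasource_access", perm)
    items = []
    for role in pv.role:
        if role.name in self.ROLES_DENYLIST:
            continue
        # pylint: disable=no-member
        href = (
            f"/metrix/approve?datasource_type={encode(self.datasource_type)}&"
            f"datasource_id={encode(self.datasource_id)}&"
            f"created_by={encode(self.created_by.username)}&"
            f"role_to_grant={encode(role.name)}"
        )
        link = '<a href="{}">Grant {} Role</a>'.format(
            href, escape(str(role.name)))
        items.append("<li>" + link + "</li>")
    return "<ul>" + "".join(items) + "</ul>"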
def test_create_table_alpha(self) -> None:
    """Table API: Test create table with alpha."""
    table_name = "ab_permission"
    # NOTE(review): the user literal is masked in this listing; presumably
    # the alpha test user -- confirm.
    response = self._create_table(user="******", tbl_name=table_name)
    self.assertEqual(response.status_code, 201)

    # Verify the table is created.
    created = self.get_table_by_name(table_name)
    self.assertEqual(created.table_name, table_name)
    for column_name in ("id", "name"):
        self.assertIsNotNone(created.get_col(column_name))
    # The table's datasource_access permission-view must exist as well.
    datasource_pvm = security_manager.find_permission_view_menu(
        "datasource_access", created.perm)
    self.assertIsNotNone(datasource_pvm)

    # Clean up.
    db.session.delete(created)
    db.session.commit()
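def test_override_role_permissions_drops_absent_perms(self):
    """Overriding a role's permissions must drop grants missing from the payload.

    The role starts with ``datasource_access`` on ``long_lat``. After
    ROLE_TABLES_PERM_DATA is posted, the role must hold exactly one
    permission: ``datasource_access`` on ``birth_names``.
    """
    override_me = security_manager.find_role('override_me')
    override_me.permissions.append(
        security_manager.find_permission_view_menu(
            view_menu_name=self.get_table_by_name('long_lat').perm,
            permission_name='datasource_access'),
    )
    db.session.flush()

    response = self.client.post(
        '/superset/override_role_permissions/',
        data=json.dumps(ROLE_TABLES_PERM_DATA),
        content_type='application/json')
    # assertEqual replaces the deprecated assertEquals alias throughout.
    self.assertEqual(201, response.status_code)

    updated_override_me = security_manager.find_role('override_me')
    self.assertEqual(1, len(updated_override_me.permissions))
    remaining = updated_override_me.permissions[0]
    birth_names = self.get_table_by_name('birth_names')
    self.assertEqual(birth_names.perm, remaining.view_menu.name)
    self.assertEqual('datasource_access', remaining.permission.name)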
def create_access_request(session, ds_type, ds_name, role_name, username):
    """Create, commit and return a DatasourceAccessRequest made by ``username``.

    As a side effect the role ``role_name`` receives the table's
    ``datasource_access`` permission-view. Only ``ds_type == "table"`` is
    handled; any other value raises NotImplementedError.
    """
    # TODO: generalize datasource names
    if ds_type != "table":
        # This function will only work for ds_type == "table"
        raise NotImplementedError()

    # .first() yields None for an unknown table name, in which case the
    # ds.perm access below raises AttributeError.
    ds = (
        session.query(SqlaTable)
        .filter(SqlaTable.table_name == ds_name)
        .first()
    )
    datasource_pvm = security_manager.find_permission_view_menu(
        "datasource_access", ds.perm)
    role = security_manager.find_role(role_name)
    security_manager.add_permission_role(role, datasource_pvm)

    access_request = DatasourceAccessRequest(
        datasource_id=ds.id,
        datasource_type=ds_type,
        created_by_fk=security_manager.find_user(username=username).id,
    )
    session.add(access_request)
    session.commit()
    return access_request
def setUpClass(cls):
    """Create the test role, its user, and two tables in a fresh test database."""
    # The role holds a single permission: can_add on SliceModelView.
    role = security_manager.role_model(name=TEST_ROLE)
    can_add_slice = security_manager.find_permission_view_menu(
        'can_add', 'SliceModelView')
    role.permissions.append(can_add_slice)

    # Fixture account with a fixed password (last positional argument).
    appbuilder.sm.add_user(
        TEST_USER, 'datasource', 'user', '*****@*****.**', role, 'general')

    database = Database(database_name=TEST_DB)
    tables = [
        SqlaTable(table_name=table_name, database=database)
        for table_name in ('table_for_test_role', 'table_not_for_test_role')
    ]
    db.session.add_all(tables)
    db.session.commit()
def create_access_request(session, ds_type, ds_name, role_name, user_name):
    """Create, commit and return a DatasourceAccessRequest made by ``user_name``.

    The datasource class is looked up in ConnectorRegistry by ``ds_type``.
    As a side effect the role ``role_name`` receives the datasource's
    ``datasource_access`` permission-view.
    """
    ds_class = ConnectorRegistry.sources[ds_type]
    # TODO: generalize datasource names
    # Tables are matched on table_name, everything else on datasource_name.
    if ds_type == 'table':
        name_column = ds_class.table_name
    else:
        name_column = ds_class.datasource_name
    # .first() yields None for an unknown name, in which case the ds.perm
    # access below raises AttributeError.
    ds = session.query(ds_class).filter(name_column == ds_name).first()

    datasource_pvm = security_manager.find_permission_view_menu(
        'datasource_access', ds.perm)
    role = security_manager.find_role(role_name)
    security_manager.add_permission_role(role, datasource_pvm)

    access_request = models.DatasourceAccessRequest(
        datasource_id=ds.id,
        datasource_type=ds_type,
        created_by_fk=security_manager.find_user(username=user_name).id,
    )
    session.add(access_request)
    session.commit()
    return access_request
def create_access_request(session, ds_type, ds_name, role_name, user_name):
    """Create, commit and return a DatasourceAccessRequest made by ``user_name``.

    The datasource class is looked up in ConnectorRegistry by ``ds_type``.
    As a side effect the role ``role_name`` receives the datasource's
    ``datasource_access`` permission-view.
    """
    ds_class = ConnectorRegistry.sources[ds_type]
    # TODO: generalize datasource names
    # Tables are matched on table_name, everything else on datasource_name.
    if ds_type == "table":
        name_column = ds_class.table_name
    else:
        name_column = ds_class.datasource_name
    # .first() yields None for an unknown name, in which case the ds.perm
    # access below raises AttributeError.
    ds = session.query(ds_class).filter(name_column == ds_name).first()

    datasource_pvm = security_manager.find_permission_view_menu(
        "datasource_access", ds.perm
    )
    role = security_manager.find_role(role_name)
    security_manager.add_permission_role(role, datasource_pvm)

    access_request = models.DatasourceAccessRequest(
        datasource_id=ds.id,
        datasource_type=ds_type,
        created_by_fk=security_manager.find_user(username=user_name).id,
    )
    session.add(access_request)
    session.commit()
    return access_request
def test_clean_requests_after_schema_grant(self):
    """Case 4: a pending request disappears once its author has schema access.

    gamma and gamma2 both request the same table. gamma is then given
    schema-level access through SCHEMA_ACCESS_ROLE. After gamma2's request
    is fulfilled, gamma's request must no longer be listed.
    """
    session = db.session

    def load_table():
        return (
            session.query(SqlaTable)
            .filter_by(table_name="wb_health_population")
            .first()
        )

    # NOTE(review): the username literal is masked in this listing;
    # presumably the gamma test user -- confirm.
    gamma_user = security_manager.find_user(username="******")
    gamma_request = create_access_request(
        session, "table", "wb_health_population", TEST_ROLE_1, "gamma")
    create_access_request(
        session, "table", "wb_health_population", TEST_ROLE_2, "gamma2")
    table_id = gamma_request.datasource_id

    # Put the table in a schema and give gamma access to that schema.
    ds = load_table()
    ds.schema = "temp_schema"
    security_manager.add_permission_view_menu("schema_access", ds.schema_perm)
    schema_pvm = security_manager.find_permission_view_menu(
        "schema_access", ds.schema_perm)
    security_manager.add_permission_role(
        security_manager.find_role(SCHEMA_ACCESS_ROLE), schema_pvm)
    gamma_user.roles.append(security_manager.find_role(SCHEMA_ACCESS_ROLE))
    session.commit()

    # gamma2 request gets fulfilled
    self.client.get(
        EXTEND_ROLE_REQUEST.format("table", table_id, "gamma2", TEST_ROLE_2))
    self.assertFalse(self.get_access_requests("gamma", "table", table_id))

    # Restore gamma's roles and the table's schema; this runs only when the
    # assertion above passes.
    gamma_user = security_manager.find_user(username="******")
    gamma_user.roles.remove(security_manager.find_role(SCHEMA_ACCESS_ROLE))
    ds = load_table()
    ds.schema = None
    session.commit()
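def test_override_role_permissions_drops_absent_perms(self):
    """Overriding a role's permissions must drop grants missing from the payload.

    The role starts with ``datasource_access`` on ``energy_usage``. After
    ROLE_TABLES_PERM_DATA is posted, the role must hold exactly one
    permission: ``datasource_access`` on ``birth_names``.
    """
    override_me = security_manager.find_role("override_me")
    override_me.permissions.append(
        security_manager.find_permission_view_menu(
            view_menu_name=self.get_table_by_name("energy_usage").perm,
            permission_name="datasource_access",
        ))
    db.session.flush()

    response = self.client.post(
        "/superset/override_role_permissions/",
        data=json.dumps(ROLE_TABLES_PERM_DATA),
        content_type="application/json",
    )
    # assertEqual replaces the deprecated assertEquals alias throughout.
    self.assertEqual(201, response.status_code)

    updated_override_me = security_manager.find_role("override_me")
    self.assertEqual(1, len(updated_override_me.permissions))
    remaining = updated_override_me.permissions[0]
    birth_names = self.get_table_by_name("birth_names")
    self.assertEqual(birth_names.perm, remaining.view_menu.name)
    self.assertEqual("datasource_access", remaining.permission.name)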
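def test_override_role_permissions_drops_absent_perms(self):
    """Overriding a role's permissions must drop grants missing from the payload.

    The role starts with ``datasource_access`` on ``energy_usage``. After
    ROLE_TABLES_PERM_DATA is posted, the role must hold exactly one
    permission: ``datasource_access`` on ``birth_names``.
    """
    override_me = security_manager.find_role('override_me')
    override_me.permissions.append(
        security_manager.find_permission_view_menu(
            view_menu_name=self.get_table_by_name('energy_usage').perm,
            permission_name='datasource_access'),
    )
    db.session.flush()

    response = self.client.post(
        '/superset/override_role_permissions/',
        data=json.dumps(ROLE_TABLES_PERM_DATA),
        content_type='application/json')
    # assertEqual replaces the deprecated assertEquals alias throughout.
    self.assertEqual(201, response.status_code)

    updated_override_me = security_manager.find_role('override_me')
    self.assertEqual(1, len(updated_override_me.permissions))
    remaining = updated_override_me.permissions[0]
    birth_names = self.get_table_by_name('birth_names')
    self.assertEqual(birth_names.perm, remaining.view_menu.name)
    self.assertEqual('datasource_access', remaining.permission.name)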
def test_clean_requests_after_schema_grant(self):
    """Case 4: a pending request disappears once its author has schema access.

    gamma and gamma2 both request the same table. gamma is then given
    schema-level access through SCHEMA_ACCESS_ROLE. After gamma2's request
    is fulfilled, gamma's request must no longer be listed.
    """
    session = db.session

    def load_table():
        return session.query(SqlaTable).filter_by(
            table_name='wb_health_population').first()

    # NOTE(review): the username literal is masked in this listing;
    # presumably the gamma test user -- confirm.
    gamma_user = security_manager.find_user(username='******')
    gamma_request = create_access_request(
        session, 'table', 'wb_health_population', TEST_ROLE_1, 'gamma')
    create_access_request(
        session, 'table', 'wb_health_population', TEST_ROLE_2, 'gamma2')
    table_id = gamma_request.datasource_id

    # Put the table in a schema and give gamma access to that schema.
    ds = load_table()
    ds.schema = 'temp_schema'
    security_manager.merge_perm('schema_access', ds.schema_perm)
    schema_pvm = security_manager.find_permission_view_menu(
        'schema_access', ds.schema_perm)
    security_manager.add_permission_role(
        security_manager.find_role(SCHEMA_ACCESS_ROLE), schema_pvm)
    gamma_user.roles.append(security_manager.find_role(SCHEMA_ACCESS_ROLE))
    session.commit()

    # gamma2 request gets fulfilled
    self.client.get(EXTEND_ROLE_REQUEST.format(
        'table', table_id, 'gamma2', TEST_ROLE_2))
    self.assertFalse(self.get_access_requests('gamma', 'table', table_id))

    # Restore gamma's roles and the table's schema; this runs only when the
    # assertion above passes.
    gamma_user = security_manager.find_user(username='******')
    gamma_user.roles.remove(security_manager.find_role(SCHEMA_ACCESS_ROLE))
    ds = load_table()
    ds.schema = None
    session.commit()
def test_clean_requests_after_db_grant(self):
    """Case 3: a pending request disappears once its author has database access.

    gamma and gamma2 both request the same table. gamma is then given
    database-level access through DB_ACCESS_ROLE. After gamma2's request is
    fulfilled, gamma's request must no longer be listed.
    """
    session = db.session

    # NOTE(review): the username literal is masked in this listing;
    # presumably the gamma test user -- confirm.
    gamma_user = security_manager.find_user(username="******")
    gamma_request = create_access_request(
        session, "table", "energy_usage", TEST_ROLE_1, "gamma"
    )
    create_access_request(session, "table", "energy_usage", TEST_ROLE_2, "gamma2")
    table_id = gamma_request.datasource_id

    # gamma gets granted database access
    database = session.query(models.Database).first()
    security_manager.add_permission_view_menu("database_access", database.perm)
    database_pvm = security_manager.find_permission_view_menu(
        "database_access", database.perm
    )
    security_manager.add_permission_role(
        security_manager.find_role(DB_ACCESS_ROLE), database_pvm
    )
    gamma_user.roles.append(security_manager.find_role(DB_ACCESS_ROLE))
    session.commit()

    # The grant by itself leaves gamma's request in place.
    self.assertTrue(self.get_access_requests("gamma", "table", table_id))

    # gamma2 request gets fulfilled
    self.client.get(
        EXTEND_ROLE_REQUEST.format("table", table_id, "gamma2", TEST_ROLE_2)
    )
    self.assertFalse(self.get_access_requests("gamma", "table", table_id))

    # Restore gamma's roles; this runs only when the assertions above pass.
    gamma_user = security_manager.find_user(username="******")
    gamma_user.roles.remove(security_manager.find_role(DB_ACCESS_ROLE))
    session.commit()
def test_is_admin_only(self):
    """Check which permission-view pairs ``is_admin_only`` reserves for Admin."""

    def admin_only(permission_name, view_menu_name):
        pvm = security_manager.find_permission_view_menu(
            permission_name, view_menu_name)
        return security_manager.is_admin_only(pvm)

    # Table read access and the global datasource grant are not Admin-only.
    self.assertFalse(admin_only('can_show', 'TableModelView'))
    self.assertFalse(
        admin_only('all_datasource_access', 'all_datasource_access'))

    self.assertTrue(admin_only('can_delete', 'DatabaseView'))
    # NOTE(review): indentation was lost in this listing; only the
    # AccessRequestsModelView check is assumed to depend on the flag -- confirm.
    if app.config.get('ENABLE_ACCESS_REQUEST'):
        self.assertTrue(admin_only('can_show', 'AccessRequestsModelView'))
    for permission_name, view_menu_name in (
        ('can_edit', 'UserDBModelView'),
        ('can_approve', 'Superset'),
        ('all_database_access', 'all_database_access'),
    ):
        self.assertTrue(admin_only(permission_name, view_menu_name))
def test_is_admin_only(self):
    """Check which permission-view pairs ``_is_admin_only`` reserves for Admin."""

    def admin_only(permission_name, view_menu_name):
        pvm = security_manager.find_permission_view_menu(
            permission_name, view_menu_name
        )
        return security_manager._is_admin_only(pvm)

    # Table listing and the global datasource grant are not Admin-only.
    self.assertFalse(admin_only("can_list", "TableModelView"))
    self.assertFalse(admin_only("all_datasource_access", "all_datasource_access"))

    # Reading the log view is.
    for log_permission in ("can_list", "can_show"):
        self.assertTrue(admin_only(log_permission, "LogModelView"))

    # NOTE(review): indentation was lost in this listing; only the
    # AccessRequestsModelView check is assumed to depend on the flag -- confirm.
    if app.config["ENABLE_ACCESS_REQUEST"]:
        self.assertTrue(admin_only("can_list", "AccessRequestsModelView"))
    self.assertTrue(admin_only("can_edit", "UserDBModelView"))
    self.assertTrue(admin_only("can_approve", "Superset"))
def test_filter_druid_datasource(self):
    """The Druid datasource list must show only the datasource granted to Gamma."""
    cluster_name = 'new_druid'
    cluster = self.get_or_create(
        DruidCluster, {'cluster_name': cluster_name}, db.session)
    db.session.merge(cluster)

    def make_datasource(name):
        datasource = self.get_or_create(
            DruidDatasource, {'datasource_name': name}, db.session)
        datasource.cluster = cluster
        db.session.merge(datasource)
        return datasource

    gamma_ds = make_datasource('datasource_for_gamma')
    no_gamma_ds = make_datasource('datasource_not_for_gamma')
    db.session.commit()

    # Both datasources get a permission-view, but only gamma_ds's is
    # attached to the Gamma role.
    for datasource in (gamma_ds, no_gamma_ds):
        security_manager.add_permission_view_menu(
            'datasource_access', datasource.perm)
    granted_pvm = security_manager.find_permission_view_menu(
        'datasource_access', gamma_ds.get_perm())
    gamma_role = security_manager.find_role('Gamma')
    security_manager.add_permission_role(gamma_role, granted_pvm)
    security_manager.get_session.commit()

    # NOTE(review): the username literal is masked in this listing;
    # presumably a Gamma-role test user -- confirm.
    self.login(username='******')
    listing = self.get_resp('/druiddatasourcemodelview/list/')
    self.assertIn('datasource_for_gamma', listing)
    self.assertNotIn('datasource_not_for_gamma', listing)
def test_is_alpha_only(self):
    """Check which permission-view pairs ``_is_alpha_only`` classifies as Alpha-only."""

    def alpha_only(permission_name, view_menu_name):
        pvm = security_manager.find_permission_view_menu(
            permission_name, view_menu_name
        )
        return security_manager._is_alpha_only(pvm)

    # Read access to the table view is not reserved for Alpha.
    self.assertFalse(alpha_only("can_show", "TableModelView"))

    # Bulk delete, metric edit/delete and the global grants are.
    for permission_name, view_menu_name in (
        ("muldelete", "TableModelView"),
        ("all_datasource_access", "all_datasource_access"),
        ("can_edit", "SqlMetricInlineView"),
        ("can_delete", "DruidMetricInlineView"),
        ("all_database_access", "all_database_access"),
    ):
        self.assertTrue(alpha_only(permission_name, view_menu_name))
def test_is_admin_only(self):
    """Check which permission-view pairs ``_is_admin_only`` reserves for Admin."""

    def admin_only(permission_name, view_menu_name):
        pvm = security_manager.find_permission_view_menu(
            permission_name, view_menu_name
        )
        return security_manager._is_admin_only(pvm)

    # Table read access and the global datasource grant are not Admin-only.
    self.assertFalse(admin_only("can_show", "TableModelView"))
    self.assertFalse(admin_only("all_datasource_access", "all_datasource_access"))

    self.assertTrue(admin_only("can_delete", "DatabaseView"))
    # NOTE(review): indentation was lost in this listing; only the
    # AccessRequestsModelView check is assumed to depend on the flag -- confirm.
    if app.config.get("ENABLE_ACCESS_REQUEST"):
        self.assertTrue(admin_only("can_show", "AccessRequestsModelView"))
    self.assertTrue(admin_only("can_edit", "UserDBModelView"))
    self.assertTrue(admin_only("can_approve", "Superset"))
def test_is_gamma_pvm(self):
    """``can_show`` on TableModelView must be classified as a Gamma permission-view."""
    table_show_pvm = security_manager.find_permission_view_menu(
        "can_show", "TableModelView")
    self.assertTrue(security_manager._is_gamma_pvm(table_show_pvm))
def test_approve(self, mock_send_mime):
    """Walk the approve endpoint through grant and extend for a table and a Druid datasource.

    Does nothing unless ENABLE_ACCESS_REQUEST is set. ``mock_send_mime`` is
    the injected mock whose positional call arguments are inspected for the
    notification mail.
    """
    # NOTE(review): indentation was lost in this listing; the whole body is
    # taken to sit under the ENABLE_ACCESS_REQUEST check -- confirm.
    if not app.config.get("ENABLE_ACCESS_REQUEST"):
        return

    session = db.session
    table_role_name = "table_role"
    security_manager.add_role(table_role_name)

    def check_grant_mail(table_id, table_name):
        # Test email content.
        # ``called`` stays true after the first mail, so the subject and body
        # checks on the latest call_args are what tie the mail to this case.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        # NOTE(review): both username literals are masked in this listing -- confirm.
        self.assertEqual(
            [
                security_manager.find_user(username="******").email,
                security_manager.find_user(username="******").email,
            ],
            call_args[1],
        )
        self.assertEqual(
            "[Superset] Access to the datasource {} was granted".format(
                self.get_table(table_id).full_name
            ),
            call_args[2]["Subject"],
        )
        self.assertIn(table_role_name, call_args[2].as_string())
        self.assertIn(table_name, call_args[2].as_string())

    def gamma_role_names():
        return [r.name for r in security_manager.find_user("gamma").roles]

    # Case 1. Grant new role to the user.
    request_1 = create_access_request(
        session, "table", "unicode_test", table_role_name, "gamma"
    )
    table_1_id = request_1.datasource_id
    self.get_resp(
        GRANT_ROLE_REQUEST.format("table", table_1_id, "gamma", table_role_name)
    )
    check_grant_mail(table_1_id, "unicode_test")
    # request was removed
    self.assertFalse(self.get_access_requests("gamma", "table", table_1_id))
    # user was granted table_role
    self.assertIn(table_role_name, gamma_role_names())

    # Case 2. Extend the role to have access to the table
    request_2 = create_access_request(
        session, "table", "energy_usage", table_role_name, "gamma"
    )
    table_2_id = request_2.datasource_id
    energy_usage_perm = request_2.datasource.perm
    self.client.get(
        EXTEND_ROLE_REQUEST.format("table", table_2_id, "gamma", table_role_name)
    )
    pending = self.get_access_requests("gamma", "table", table_2_id)
    check_grant_mail(table_2_id, "energy_usage")
    # request was removed
    self.assertFalse(pending)
    # table_role was extended to grant access to the energy_usage table
    energy_usage_pvm = security_manager.find_permission_view_menu(
        "datasource_access", energy_usage_perm
    )
    table_role = security_manager.find_role(table_role_name)
    self.assertIn(energy_usage_pvm, table_role.permissions)

    # Case 3. Grant new role to the user to access the druid datasource.
    security_manager.add_role("druid_role")
    request_3 = create_access_request(
        session, "druid", "druid_ds_1", "druid_role", "gamma"
    )
    self.get_resp(
        GRANT_ROLE_REQUEST.format(
            "druid", request_3.datasource_id, "gamma", "druid_role"
        )
    )
    # user was granted druid_role
    self.assertIn("druid_role", gamma_role_names())

    # Case 4. Extend the role to have access to the druid datasource
    request_4 = create_access_request(
        session, "druid", "druid_ds_2", "druid_role", "gamma"
    )
    druid_ds_2_perm = request_4.datasource.perm
    self.client.get(
        EXTEND_ROLE_REQUEST.format(
            "druid", request_4.datasource_id, "gamma", "druid_role"
        )
    )
    # druid_role was extended to grant access to druid_ds_2
    druid_role = security_manager.find_role("druid_role")
    druid_ds_2_pvm = security_manager.find_permission_view_menu(
        "datasource_access", druid_ds_2_perm
    )
    self.assertIn(druid_ds_2_pvm, druid_role.permissions)

    # cleanup -- reached only when every assertion above passes
    gamma_user = security_manager.find_user(username="******")
    gamma_user.roles.remove(security_manager.find_role("druid_role"))
    gamma_user.roles.remove(security_manager.find_role(table_role_name))
    session.delete(security_manager.find_role("druid_role"))
    session.delete(security_manager.find_role(table_role_name))
    session.commit()
def test_set_perm_sqla_table(self):
    """Check that a SqlaTable's permission strings track its name, schema and database.

    A temporary table is created and then renamed, moved to another schema,
    moved to another database and finally stripped of its schema. After each
    committed change the test asserts the value of ``perm`` / ``schema_perm``
    and that a matching ``datasource_access`` / ``schema_access``
    permission-view-menu can be found.
    """
    session = db.session

    def reload(table_name):
        # Re-query so the assertions run against the stored row.
        return session.query(SqlaTable).filter_by(table_name=table_name).one()

    def assert_perms(row, dataset_perm, schema_perm):
        # Both the permission string and the PVM lookup are checked.
        self.assertEqual(row.perm, dataset_perm)
        self.assertIsNotNone(
            security_manager.find_permission_view_menu(
                "datasource_access", row.perm
            )
        )
        self.assertEqual(row.schema_perm, schema_perm)
        self.assertIsNotNone(
            security_manager.find_permission_view_menu(
                "schema_access", row.schema_perm
            )
        )

    session.add(
        SqlaTable(
            schema="tmp_schema",
            table_name="tmp_perm_table",
            database=get_example_database(),
        )
    )
    session.commit()
    row = reload("tmp_perm_table")
    assert_perms(
        row,
        f"[examples].[tmp_perm_table](id:{row.id})",
        "[examples].[tmp_schema]",
    )

    # Rename the table: dataset perm changes, schema perm stays.
    row.table_name = "tmp_perm_table_v2"
    session.commit()
    row = reload("tmp_perm_table_v2")
    assert_perms(
        row,
        f"[examples].[tmp_perm_table_v2](id:{row.id})",
        "[examples].[tmp_schema]",
    )

    # Rename the schema: schema perm changes, dataset perm stays.
    row.schema = "tmp_schema_v2"
    session.commit()
    row = reload("tmp_perm_table_v2")
    assert_perms(
        row,
        f"[examples].[tmp_perm_table_v2](id:{row.id})",
        "[examples].[tmp_schema_v2]",
    )

    # Move the table to a different database: both perms pick up the new name.
    new_db = Database(sqlalchemy_uri="some_uri", database_name="tmp_db")
    session.add(new_db)
    row.database = session.query(Database).filter_by(database_name="tmp_db").one()
    session.commit()
    row = reload("tmp_perm_table_v2")
    assert_perms(
        row,
        f"[tmp_db].[tmp_perm_table_v2](id:{row.id})",
        "[tmp_db].[tmp_schema_v2]",
    )

    # Drop the schema: dataset perm is unchanged, schema perm becomes None.
    row.schema = None
    session.commit()
    row = reload("tmp_perm_table_v2")
    self.assertEqual(row.perm, f"[tmp_db].[tmp_perm_table_v2](id:{row.id})")
    self.assertIsNotNone(
        security_manager.find_permission_view_menu("datasource_access", row.perm)
    )
    self.assertIsNone(row.schema_perm)

    # Remove the temporary database and table again.
    session.delete(new_db)
    session.delete(row)
    session.commit()
def test_is_gamma_pvm(self):
    """``can_read`` on ``Dataset`` must be classified as a Gamma permission."""
    dataset_read = security_manager.find_permission_view_menu("can_read", "Dataset")
    self.assertTrue(security_manager._is_gamma_pvm(dataset_read))
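def test_request_access(self):
    """Exercise ``/superset/request_access`` for table and druid datasources.

    For each datasource the test issues a request and then inspects the stored
    access request: when a non-built-in role already holds
    ``datasource_access`` on the datasource, ``roles_with_datasource`` must
    list an approve link for that role; otherwise the list is empty.

    The test is reported as skipped (rather than silently passing) when
    ``ENABLE_ACCESS_REQUEST`` is off, and the temporary ``dummy_role``
    membership is removed even if an assertion fails.
    """
    if not app.config.get('ENABLE_ACCESS_REQUEST'):
        self.skipTest('ENABLE_ACCESS_REQUEST is not enabled')

    session = db.session
    self.logout()
    # NOTE(review): the '******' username literals look masked in this
    # listing; confirm the real account name against the upstream file.
    self.login(username='******')
    gamma_user = security_manager.find_user(username='******')
    security_manager.add_role('dummy_role')
    gamma_user.roles.append(security_manager.find_role('dummy_role'))
    session.commit()

    try:
        ACCESS_REQUEST = (
            '/superset/request_access?'
            'datasource_type={}&'
            'datasource_id={}&'
            'action={}&')
        # Expected markup of one approve link inside roles_with_datasource.
        ROLE_GRANT_LINK = (
            '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
            'created_by={}&role_to_grant={}">Grant {} Role</a>')

        # Table with no role holding it: the request is simply recorded.
        table1 = session.query(SqlaTable).filter_by(
            table_name='random_time_series').first()
        table_1_id = table1.id
        resp = self.get_resp(
            ACCESS_REQUEST.format('table', table_1_id, 'go'))
        # unittest assertions instead of bare ``assert`` (stripped under -O).
        self.assertIn('Access was requested', resp)
        access_request1 = self.get_access_requests('gamma', 'table', table_1_id)
        self.assertIsNotNone(access_request1)

        # Table held by Alpha and by a custom role: only the custom role is
        # expected in the approve list.
        table3 = session.query(SqlaTable).filter_by(
            table_name='energy_usage').first()
        table_3_id = table3.id
        table3_perm = table3.perm

        security_manager.add_role('energy_usage_role')
        alpha_role = security_manager.find_role('Alpha')
        security_manager.add_permission_role(
            alpha_role,
            security_manager.find_permission_view_menu(
                'datasource_access', table3_perm))
        security_manager.add_permission_role(
            security_manager.find_role('energy_usage_role'),
            security_manager.find_permission_view_menu(
                'datasource_access', table3_perm))
        session.commit()

        self.get_resp(
            ACCESS_REQUEST.format('table', table_3_id, 'go'))
        access_request3 = self.get_access_requests('gamma', 'table', table_3_id)
        approve_link_3 = ROLE_GRANT_LINK.format(
            'table', table_3_id, 'gamma', 'energy_usage_role',
            'energy_usage_role')
        self.assertEqual(access_request3.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_3))

        # Druid datasource with no role holding it: empty approve list.
        druid_ds_4 = session.query(DruidDatasource).filter_by(
            datasource_name='druid_ds_1').first()
        druid_ds_4_id = druid_ds_4.id
        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_4_id, 'go'))
        access_request4 = self.get_access_requests('gamma', 'druid', druid_ds_4_id)
        # The expected value has no placeholder, so no .format() call is needed.
        self.assertEqual(access_request4.roles_with_datasource, '<ul></ul>')

        # Case 5. Druid datasource held by Admin and by a custom role.
        druid_ds_5 = session.query(DruidDatasource).filter_by(
            datasource_name='druid_ds_2').first()
        druid_ds_5_id = druid_ds_5.id
        druid_ds_5_perm = druid_ds_5.perm

        druid_ds_2_role = security_manager.add_role('druid_ds_2_role')
        admin_role = security_manager.find_role('Admin')
        security_manager.add_permission_role(
            admin_role,
            security_manager.find_permission_view_menu(
                'datasource_access', druid_ds_5_perm))
        security_manager.add_permission_role(
            druid_ds_2_role,
            security_manager.find_permission_view_menu(
                'datasource_access', druid_ds_5_perm))
        session.commit()

        self.get_resp(ACCESS_REQUEST.format('druid', druid_ds_5_id, 'go'))
        access_request5 = self.get_access_requests(
            'gamma', 'druid', druid_ds_5_id)
        approve_link_5 = ROLE_GRANT_LINK.format(
            'druid', druid_ds_5_id, 'gamma', 'druid_ds_2_role',
            'druid_ds_2_role')
        self.assertEqual(access_request5.roles_with_datasource,
                         '<ul><li>{}</li></ul>'.format(approve_link_5))
    finally:
        # Always drop the extra role so a failed assertion does not leave the
        # test user with additional role membership for later tests.
        gamma_user = security_manager.find_user(username='******')
        gamma_user.roles.remove(security_manager.find_role('dummy_role'))
        session.commit()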
def load_test_users_run():
    """
    Loads admin, alpha, and gamma user for testing purposes

    Syncs permissions for those users/roles

    Nothing happens unless the ``TESTING`` config flag is truthy; the accounts
    created here use fixed passwords and exist only as test fixtures.
    """
    if not config.get("TESTING"):
        return

    security_manager.sync_role_definitions()

    # gamma_sqllab = Gamma permissions + access to the main database
    # + sql_lab permissions.
    gamma_sqllab_role = security_manager.add_role("gamma_sqllab")
    for gamma_perm in security_manager.find_role("Gamma").permissions:
        security_manager.add_permission_role(gamma_sqllab_role, gamma_perm)

    utils.get_or_create_main_db()
    main_db_perm = utils.get_main_database().perm
    security_manager.add_permission_view_menu("database_access", main_db_perm)
    gamma_sqllab_role.permissions.append(
        security_manager.find_permission_view_menu(
            view_menu_name=main_db_perm, permission_name="database_access"
        )
    )
    for sql_lab_perm in security_manager.find_role("sql_lab").permissions:
        security_manager.add_permission_role(gamma_sqllab_role, sql_lab_perm)

    # (username, last name, built-in role name); None means the role built above.
    accounts = (
        ("admin", " user", "Admin"),
        ("gamma", "user", "Gamma"),
        ("gamma2", "user", "Gamma"),
        ("gamma_sqllab", "user", None),
        ("alpha", "user", "Alpha"),
    )
    for username, last_name, role_name in accounts:
        if security_manager.find_user(username):
            continue  # already present, leave it untouched
        if role_name is None:
            role = gamma_sqllab_role
        else:
            role = security_manager.find_role(role_name)
        security_manager.add_user(
            username,
            username,
            last_name,
            "*****@*****.**",
            role,
            password="******",
        )

    security_manager.get_session.commit()
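def test_approve(self, mock_send_mime):
    """Approve access requests by granting a role and by extending a role.

    Four cases are covered: grant / extend for a table, then grant / extend
    for a druid datasource. The table cases also check the notification mail
    captured by ``mock_send_mime`` (presumably injected by a patch decorator
    that is not part of this listing).

    The test is reported as skipped (rather than silently passing) when
    ``ENABLE_ACCESS_REQUEST`` is off.
    """
    if not app.config.get('ENABLE_ACCESS_REQUEST'):
        self.skipTest('ENABLE_ACCESS_REQUEST is not enabled')

    session = db.session
    TEST_ROLE_NAME = 'table_role'
    security_manager.add_role(TEST_ROLE_NAME)

    def assert_grant_mail(ds_id, ds_name):
        # Recipients, subject and body of the most recent captured mail.
        # NOTE(review): the '******' username literals look masked in this
        # listing; confirm the real recipients against the upstream file.
        self.assertTrue(mock_send_mime.called)
        call_args = mock_send_mime.call_args[0]
        self.assertEqual(
            [security_manager.find_user(username='******').email,
             security_manager.find_user(username='******').email],
            call_args[1])
        self.assertEqual(
            '[Superset] Access to the datasource {} was granted'.format(
                self.get_table(ds_id).full_name), call_args[2]['Subject'])
        self.assertIn(TEST_ROLE_NAME, call_args[2].as_string())
        self.assertIn(ds_name, call_args[2].as_string())

    # Case 1. Grant new role to the user.
    access_request1 = create_access_request(
        session, 'table', 'unicode_test', TEST_ROLE_NAME, 'gamma')
    ds_1_id = access_request1.datasource_id
    self.get_resp(GRANT_ROLE_REQUEST.format(
        'table', ds_1_id, 'gamma', TEST_ROLE_NAME))
    assert_grant_mail(ds_1_id, 'unicode_test')

    # The request is consumed and the user now holds the role.
    access_requests = self.get_access_requests('gamma', 'table', ds_1_id)
    self.assertFalse(access_requests)
    user_roles = [r.name for r in security_manager.find_user('gamma').roles]
    self.assertIn(TEST_ROLE_NAME, user_roles)

    # Case 2. Extend the role to have access to the table
    access_request2 = create_access_request(
        session, 'table', 'energy_usage', TEST_ROLE_NAME, 'gamma')
    ds_2_id = access_request2.datasource_id
    energy_usage_perm = access_request2.datasource.perm

    # Forget the Case 1 call so ``called`` below reflects this request only.
    mock_send_mime.reset_mock()
    self.client.get(EXTEND_ROLE_REQUEST.format(
        'table', access_request2.datasource_id, 'gamma', TEST_ROLE_NAME))
    access_requests = self.get_access_requests('gamma', 'table', ds_2_id)
    assert_grant_mail(ds_2_id, 'energy_usage')
    self.assertFalse(access_requests)

    # table_role was extended to grant access to the energy_usage table
    perm_view = security_manager.find_permission_view_menu(
        'datasource_access', energy_usage_perm)
    TEST_ROLE = security_manager.find_role(TEST_ROLE_NAME)
    self.assertIn(perm_view, TEST_ROLE.permissions)

    # Case 3. Grant new role to the user to access the druid datasource.
    security_manager.add_role('druid_role')
    access_request3 = create_access_request(
        session, 'druid', 'druid_ds_1', 'druid_role', 'gamma')
    self.get_resp(GRANT_ROLE_REQUEST.format(
        'druid', access_request3.datasource_id, 'gamma', 'druid_role'))

    # user was granted druid_role
    user_roles = [r.name for r in security_manager.find_user('gamma').roles]
    self.assertIn('druid_role', user_roles)

    # Case 4. Extend the role to have access to the druid datasource
    access_request4 = create_access_request(
        session, 'druid', 'druid_ds_2', 'druid_role', 'gamma')
    druid_ds_2_perm = access_request4.datasource.perm
    self.client.get(EXTEND_ROLE_REQUEST.format(
        'druid', access_request4.datasource_id, 'gamma', 'druid_role'))

    # druid_role was extended to grant access to druid_ds_2
    druid_role = security_manager.find_role('druid_role')
    perm_view = security_manager.find_permission_view_menu(
        'datasource_access', druid_ds_2_perm)
    self.assertIn(perm_view, druid_role.permissions)

    # cleanup: take both roles away from the user, then delete the roles
    gamma_user = security_manager.find_user(username='******')
    gamma_user.roles.remove(security_manager.find_role('druid_role'))
    gamma_user.roles.remove(security_manager.find_role(TEST_ROLE_NAME))
    session.delete(security_manager.find_role('druid_role'))
    session.delete(security_manager.find_role(TEST_ROLE_NAME))
    session.commit()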
def load_test_users_run():
    """
    Loads admin, alpha, and gamma user for testing purposes

    Syncs permissions for those users/roles

    Only acts when the ``TESTING`` config flag is truthy; the accounts are
    created with fixed passwords and are meant as test fixtures only.
    """
    if not config.get('TESTING'):
        return

    security_manager.sync_role_definitions()

    # Build gamma_sqllab from Gamma, main-database access and sql_lab.
    sqllab_role = security_manager.add_role('gamma_sqllab')
    for pvm in security_manager.find_role('Gamma').permissions:
        security_manager.add_permission_role(sqllab_role, pvm)

    utils.get_or_create_main_db()
    main_perm = utils.get_main_database(security_manager.get_session).perm
    security_manager.merge_perm('database_access', main_perm)
    main_db_pvm = security_manager.find_permission_view_menu(
        view_menu_name=main_perm, permission_name='database_access')
    sqllab_role.permissions.append(main_db_pvm)

    for pvm in security_manager.find_role('sql_lab').permissions:
        security_manager.add_permission_role(sqllab_role, pvm)

    def ensure_user(username, last_name, role_name=None):
        # Create the account only when it is missing; a role name of None
        # selects the gamma_sqllab role built above.
        if security_manager.find_user(username):
            return
        role = (
            security_manager.find_role(role_name)
            if role_name is not None
            else sqllab_role
        )
        security_manager.add_user(
            username, username, last_name, '*****@*****.**',
            role, password='******')

    ensure_user('admin', ' user', 'Admin')
    ensure_user('gamma', 'user', 'Gamma')
    ensure_user('gamma2', 'user', 'Gamma')
    ensure_user('gamma_sqllab', 'user')
    ensure_user('alpha', 'user', 'Alpha')

    security_manager.get_session.commit()
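def test_request_access(self):
    """Request access to table and druid datasources and check the approve links.

    ``roles_with_datasource`` on the stored request is expected to list an
    approve link for a custom role that already holds ``datasource_access`` on
    the datasource, and to be an empty list when no such role exists.

    Reported as skipped (not as passed) when ``ENABLE_ACCESS_REQUEST`` is off;
    the temporary ``dummy_role`` membership is removed even when an assertion
    fails.
    """
    if not app.config.get("ENABLE_ACCESS_REQUEST"):
        self.skipTest("ENABLE_ACCESS_REQUEST is not enabled")

    session = db.session
    self.logout()
    # NOTE(review): the "******" username literals look masked in this
    # listing; confirm the real account name against the upstream file.
    self.login(username="******")
    gamma_user = security_manager.find_user(username="******")
    security_manager.add_role("dummy_role")
    gamma_user.roles.append(security_manager.find_role("dummy_role"))
    session.commit()

    ACCESS_REQUEST = (
        "/superset/request_access?"
        "datasource_type={}&"
        "datasource_id={}&"
        "action={}&"
    )
    ROLE_GRANT_LINK = (
        '<a href="/superset/approve?datasource_type={}&datasource_id={}&'
        'created_by={}&role_to_grant={}">Grant {} Role</a>'
    )

    def request_access(kind, datasource_id):
        # Issue the request, then return (response body, stored request).
        body = self.get_resp(ACCESS_REQUEST.format(kind, datasource_id, "go"))
        return body, self.get_access_requests("gamma", kind, datasource_id)

    def grant_datasource_access(role, perm):
        security_manager.add_permission_role(
            role,
            security_manager.find_permission_view_menu("datasource_access", perm),
        )

    try:
        # Table that no role holds: the request is recorded.
        table1 = (
            session.query(SqlaTable)
            .filter_by(table_name="random_time_series")
            .first()
        )
        resp, access_request1 = request_access("table", table1.id)
        # unittest assertions instead of bare ``assert`` (stripped under -O).
        self.assertIn("Access was requested", resp)
        self.assertIsNotNone(access_request1)

        # Table held by Alpha and by a custom role.
        table3 = (
            session.query(SqlaTable).filter_by(table_name="energy_usage").first()
        )
        table_3_id = table3.id
        table3_perm = table3.perm

        security_manager.add_role("energy_usage_role")
        grant_datasource_access(security_manager.find_role("Alpha"), table3_perm)
        grant_datasource_access(
            security_manager.find_role("energy_usage_role"), table3_perm
        )
        session.commit()

        _, access_request3 = request_access("table", table_3_id)
        approve_link_3 = ROLE_GRANT_LINK.format(
            "table", table_3_id, "gamma", "energy_usage_role", "energy_usage_role"
        )
        self.assertEqual(
            access_request3.roles_with_datasource,
            "<ul><li>{}</li></ul>".format(approve_link_3),
        )

        # Druid datasource that no role holds: empty approve list.
        druid_ds_4 = (
            session.query(DruidDatasource)
            .filter_by(datasource_name="druid_ds_1")
            .first()
        )
        _, access_request4 = request_access("druid", druid_ds_4.id)
        # The expected value has no placeholder, so no .format() call is needed.
        self.assertEqual(access_request4.roles_with_datasource, "<ul></ul>")

        # Case 5. Druid datasource held by Admin and by a custom role.
        druid_ds_5 = (
            session.query(DruidDatasource)
            .filter_by(datasource_name="druid_ds_2")
            .first()
        )
        druid_ds_5_id = druid_ds_5.id
        druid_ds_5_perm = druid_ds_5.perm

        druid_ds_2_role = security_manager.add_role("druid_ds_2_role")
        grant_datasource_access(security_manager.find_role("Admin"), druid_ds_5_perm)
        grant_datasource_access(druid_ds_2_role, druid_ds_5_perm)
        session.commit()

        _, access_request5 = request_access("druid", druid_ds_5_id)
        approve_link_5 = ROLE_GRANT_LINK.format(
            "druid", druid_ds_5_id, "gamma", "druid_ds_2_role", "druid_ds_2_role"
        )
        self.assertEqual(
            access_request5.roles_with_datasource,
            "<ul><li>{}</li></ul>".format(approve_link_5),
        )
    finally:
        # Always drop the extra role so later tests see the original membership.
        gamma_user = security_manager.find_user(username="******")
        gamma_user.roles.remove(security_manager.find_role("dummy_role"))
        session.commit()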
def __init__(self, *args, **kwargs):
    """Set up shared fixtures: examples, roles, test users and Druid datasources.

    Example data is loaded at most once per process (tracked through the
    ``examples_loaded`` environment variable). Role definitions are synced on
    every construction, the ``gamma_sqllab`` role is assembled, missing test
    accounts are created with fixed passwords, and the ``druid_test`` cluster
    with its two datasources is created when absent.
    """
    load_now = self.requires_examples and not os.environ.get('examples_loaded')
    if load_now:
        logging.info('Loading examples')
        cli.load_examples(load_test_data=True)
        logging.info('Done loading examples')
    security_manager.sync_role_definitions()
    if load_now:
        # Set only after a successful load + sync, as a once-per-process marker.
        os.environ['examples_loaded'] = '1'

    super(SupersetTestCase, self).__init__(*args, **kwargs)
    self.client = app.test_client()
    self.maxDiff = None

    # gamma_sqllab = Gamma + access to the main database + sql_lab.
    sqllab_role = security_manager.add_role('gamma_sqllab')
    for pvm in security_manager.find_role('Gamma').permissions:
        security_manager.add_permission_role(sqllab_role, pvm)

    utils.get_or_create_main_db()
    main_perm = self.get_main_database(security_manager.get_session).perm
    security_manager.merge_perm('database_access', main_perm)
    sqllab_role.permissions.append(
        security_manager.find_permission_view_menu(
            view_menu_name=main_perm, permission_name='database_access'))
    for pvm in security_manager.find_role('sql_lab').permissions:
        security_manager.add_permission_role(sqllab_role, pvm)

    # (username, last name, built-in role name); None selects sqllab_role.
    fixture_users = (
        ('admin', ' user', 'Admin'),
        ('gamma', 'user', 'Gamma'),
        ('gamma2', 'user', 'Gamma'),
        ('gamma_sqllab', 'user', None),
        ('alpha', 'user', 'Alpha'),
    )
    for username, last_name, role_name in fixture_users:
        if security_manager.find_user(username):
            continue
        if role_name is None:
            role = sqllab_role
        else:
            role = security_manager.find_role(role_name)
        security_manager.add_user(
            username, username, last_name, '*****@*****.**',
            role, password='******')
    security_manager.get_session.commit()

    # create druid cluster and druid datasources
    # NOTE(review): indentation is lost in this listing; the datasources are
    # assumed to be created only together with a missing cluster - confirm.
    session = db.session
    cluster = session.query(DruidCluster).filter_by(
        cluster_name='druid_test').first()
    if not cluster:
        cluster = DruidCluster(cluster_name='druid_test')
        session.add(cluster)
        session.commit()

        for ds_name in ('druid_ds_1', 'druid_ds_2'):
            session.add(DruidDatasource(
                datasource_name=ds_name,
                cluster_name='druid_test',
            ))
        session.commit()
def test_is_gamma_pvm(self):
    """``can_show`` on ``TableModelView`` must be classified as a Gamma permission."""
    table_show = security_manager.find_permission_view_menu(
        'can_show', 'TableModelView')
    self.assertTrue(security_manager.is_gamma_pvm(table_show))
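def test_set_perm_sqla_table(self):
    """Check SqlaTable permission strings and the permission insert hooks.

    A temporary table is created, renamed, moved to another schema and
    database, and finally stripped of its schema; after each committed change
    ``perm`` / ``schema_perm`` and the matching permission-view-menus are
    asserted. After the initial insert the test also asserts that
    ``on_view_menu_after_insert`` and ``on_permission_view_after_insert`` were
    called for the new dataset and schema entries.

    The two hooks are replaced through ``patch.object`` and restored on
    cleanup, so the shared ``security_manager`` is not left with mocked
    permission hooks for whatever test runs next.
    """
    # Function-scope import: only this test needs ``patch``.
    from unittest.mock import patch

    for hook_name in (
        "on_view_menu_after_insert",
        "on_permission_view_after_insert",
    ):
        # create=True keeps the original's behaviour of assigning the
        # attribute whether or not it already exists.
        patcher = patch.object(
            security_manager, hook_name, new=Mock(), create=True)
        patcher.start()
        self.addCleanup(patcher.stop)

    session = db.session

    def reload(table_name):
        # Re-query so the assertions run against the stored row.
        return session.query(SqlaTable).filter_by(table_name=table_name).one()

    def assert_perms(row, dataset_perm, schema_perm):
        self.assertEqual(row.perm, dataset_perm)
        self.assertIsNotNone(
            security_manager.find_permission_view_menu(
                "datasource_access", row.perm))
        self.assertEqual(row.schema_perm, schema_perm)
        self.assertIsNotNone(
            security_manager.find_permission_view_menu(
                "schema_access", row.schema_perm))

    table = SqlaTable(
        schema="tmp_schema",
        table_name="tmp_perm_table",
        database=get_example_database(),
    )
    session.add(table)
    session.commit()

    stored_table = reload("tmp_perm_table")
    self.assertEqual(stored_table.perm,
                     f"[examples].[tmp_perm_table](id:{stored_table.id})")
    pvm_dataset = security_manager.find_permission_view_menu(
        "datasource_access", stored_table.perm)
    pvm_schema = security_manager.find_permission_view_menu(
        "schema_access", stored_table.schema_perm)
    self.assertIsNotNone(pvm_dataset)
    self.assertEqual(stored_table.schema_perm, "[examples].[tmp_schema]")
    self.assertIsNotNone(pvm_schema)

    # assert on permission hooks
    view_menu_dataset = security_manager.find_view_menu(
        f"[examples].[tmp_perm_table](id:{stored_table.id})")
    # Plain literal: the original f-string had no placeholders.
    view_menu_schema = security_manager.find_view_menu(
        "[examples].[tmp_schema]")
    security_manager.on_view_menu_after_insert.assert_has_calls([
        call(ANY, ANY, view_menu_dataset),
        call(ANY, ANY, view_menu_schema),
    ])
    security_manager.on_permission_view_after_insert.assert_has_calls([
        call(ANY, ANY, pvm_dataset),
        call(ANY, ANY, pvm_schema),
    ])

    # table name change: dataset perm changes, schema perm stays
    stored_table.table_name = "tmp_perm_table_v2"
    session.commit()
    stored_table = reload("tmp_perm_table_v2")
    assert_perms(
        stored_table,
        f"[examples].[tmp_perm_table_v2](id:{stored_table.id})",
        "[examples].[tmp_schema]")

    # schema name change: schema perm changes, dataset perm stays
    stored_table.schema = "tmp_schema_v2"
    session.commit()
    stored_table = reload("tmp_perm_table_v2")
    assert_perms(
        stored_table,
        f"[examples].[tmp_perm_table_v2](id:{stored_table.id})",
        "[examples].[tmp_schema_v2]")

    # database change: both perms pick up the new database name
    new_db = Database(sqlalchemy_uri="sqlite://", database_name="tmp_db")
    session.add(new_db)
    stored_table.database = (session.query(Database).filter_by(
        database_name="tmp_db").one())
    session.commit()
    stored_table = reload("tmp_perm_table_v2")
    assert_perms(
        stored_table,
        f"[tmp_db].[tmp_perm_table_v2](id:{stored_table.id})",
        "[tmp_db].[tmp_schema_v2]")

    # no schema: dataset perm is unchanged, schema perm becomes None
    stored_table.schema = None
    session.commit()
    stored_table = reload("tmp_perm_table_v2")
    self.assertEqual(
        stored_table.perm,
        f"[tmp_db].[tmp_perm_table_v2](id:{stored_table.id})")
    self.assertIsNotNone(
        security_manager.find_permission_view_menu("datasource_access",
                                                   stored_table.perm))
    self.assertIsNone(stored_table.schema_perm)

    # remove the temporary database and table again
    session.delete(new_db)
    session.delete(stored_table)
    session.commit()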
def __init__(self, *args, **kwargs):
    """Prepare the fixtures every test case relies on.

    Loads the example data once per process (guarded by the
    ``examples_loaded`` environment variable), syncs role definitions, builds
    the ``gamma_sqllab`` role, creates any missing test accounts with fixed
    passwords, and makes sure the ``druid_test`` cluster and its two
    datasources exist.
    """
    examples_pending = (
        self.requires_examples and not os.environ.get('examples_loaded'))
    if examples_pending:
        logging.info('Loading examples')
        cli.load_examples_run(load_test_data=True)
        logging.info('Done loading examples')
    security_manager.sync_role_definitions()
    if examples_pending:
        # Marker is set only after loading and syncing succeeded.
        os.environ['examples_loaded'] = '1'

    super(SupersetTestCase, self).__init__(*args, **kwargs)
    self.client = app.test_client()
    self.maxDiff = None

    # Assemble gamma_sqllab: Gamma, then main-database access, then sql_lab.
    gamma_sqllab_role = security_manager.add_role('gamma_sqllab')
    for gamma_perm in security_manager.find_role('Gamma').permissions:
        security_manager.add_permission_role(gamma_sqllab_role, gamma_perm)

    utils.get_or_create_main_db()
    db_perm = self.get_main_database(security_manager.get_session).perm
    security_manager.merge_perm('database_access', db_perm)
    gamma_sqllab_role.permissions.append(
        security_manager.find_permission_view_menu(
            view_menu_name=db_perm, permission_name='database_access'))
    for sql_lab_perm in security_manager.find_role('sql_lab').permissions:
        security_manager.add_permission_role(gamma_sqllab_role, sql_lab_perm)

    def ensure_user(username, last_name, role_name=None):
        # Add the account only when missing; without a role name the
        # gamma_sqllab role built above is used.
        if security_manager.find_user(username):
            return
        role = (
            gamma_sqllab_role
            if role_name is None
            else security_manager.find_role(role_name)
        )
        security_manager.add_user(
            username, username, last_name, '*****@*****.**',
            role, password='******')

    ensure_user('admin', ' user', 'Admin')
    ensure_user('gamma', 'user', 'Gamma')
    ensure_user('gamma2', 'user', 'Gamma')
    ensure_user('gamma_sqllab', 'user')
    ensure_user('alpha', 'user', 'Alpha')
    security_manager.get_session.commit()

    # create druid cluster and druid datasources
    # NOTE(review): indentation is lost in this listing; the datasources are
    # assumed to be created only together with a missing cluster - confirm.
    session = db.session
    existing_cluster = (
        session.query(DruidCluster)
        .filter_by(cluster_name='druid_test')
        .first()
    )
    if not existing_cluster:
        session.add(DruidCluster(cluster_name='druid_test'))
        session.commit()

        first_ds = DruidDatasource(
            datasource_name='druid_ds_1',
            cluster_name='druid_test',
        )
        session.add(first_ds)
        second_ds = DruidDatasource(
            datasource_name='druid_ds_2',
            cluster_name='druid_test',
        )
        session.add(second_ds)
        session.commit()