support macros in perm yml and pyl
parent
84f3847c50
commit
40b3246eb7
@ -12,6 +12,5 @@ groups:
|
|||
permissions:
|
||||
admin:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /*
|
||||
|
|
|
@ -1,5 +1,3 @@
|
|||
default_group: everybody
|
||||
|
||||
groups:
|
||||
admin:
|
||||
users:
|
||||
|
@ -19,6 +17,5 @@ groups:
|
|||
permissions:
|
||||
admin:
|
||||
groups: [admin, tech_writers]
|
||||
users: []
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /*
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
default_group: everybody
|
||||
|
||||
users:
|
||||
admin:
|
||||
|
@ -41,52 +40,43 @@ permissions:
|
|||
# Admins have access to everything.
|
||||
admin:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /*
|
||||
|
||||
# Everybody can participate in tasks assigned to them.
|
||||
tasks-crud:
|
||||
groups: [everybody]
|
||||
users: []
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /tasks/*
|
||||
|
||||
# Everybody can start all intstances
|
||||
create-test-instances:
|
||||
groups: [ everybody ]
|
||||
users: [ ]
|
||||
allowed_permissions: [ create ]
|
||||
uri: /process-instances/*
|
||||
|
||||
# Everyone can see everything (all groups, and processes are visible)
|
||||
read-all-process-groups:
|
||||
groups: [ everybody ]
|
||||
users: [ ]
|
||||
allowed_permissions: [ read ]
|
||||
uri: /process-groups/*
|
||||
read-all-process-models:
|
||||
groups: [ everybody ]
|
||||
users: [ ]
|
||||
allowed_permissions: [ read ]
|
||||
uri: /process-models/*
|
||||
read-all-process-instance:
|
||||
groups: [ everybody ]
|
||||
users: [ ]
|
||||
allowed_permissions: [ read ]
|
||||
uri: /process-instances/*
|
||||
read-process-instance-reports:
|
||||
groups: [ everybody ]
|
||||
users: [ ]
|
||||
allowed_permissions: [ read ]
|
||||
uri: /process-instances/reports/*
|
||||
processes-read:
|
||||
groups: [ everybody ]
|
||||
users: [ ]
|
||||
allowed_permissions: [ read ]
|
||||
uri: /processes
|
||||
groups-everybody:
|
||||
groups: [everybody]
|
||||
users: []
|
||||
allowed_permissions: [create, read]
|
||||
uri: /v1.0/user-groups/for-current-user
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
default_group: everybody
|
||||
|
||||
groups:
|
||||
admin:
|
||||
|
@ -7,78 +6,65 @@ groups:
|
|||
permissions:
|
||||
admin:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [read]
|
||||
uri: /*
|
||||
|
||||
tasks-crud:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create, update, delete]
|
||||
uri: /tasks/*
|
||||
|
||||
process-instances-crud:
|
||||
groups: [ admin ]
|
||||
users: [ ]
|
||||
allowed_permissions: [create, update, delete]
|
||||
uri: /process-instances/*
|
||||
|
||||
suspend:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/process-instance-suspend
|
||||
|
||||
terminate:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/process-instance-terminate
|
||||
|
||||
resume:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/process-instance-resume
|
||||
|
||||
reset:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/process-instance-reset
|
||||
|
||||
users-exist:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/users/exists/by-username
|
||||
|
||||
send-event:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/send-event/*
|
||||
|
||||
task-complete:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/task-complete/*
|
||||
|
||||
messages:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create]
|
||||
uri: /v1.0/messages/*
|
||||
|
||||
secrets:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create, update, delete]
|
||||
uri: /v1.0/secrets/*
|
||||
|
||||
task-data:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [update]
|
||||
uri: /v1.0/task-data/*
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
default_group: everybody
|
||||
|
||||
groups:
|
||||
admin:
|
||||
|
@ -11,6 +10,5 @@ groups:
|
|||
permissions:
|
||||
admin:
|
||||
groups: [admin, group1, group2]
|
||||
users: []
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /*
|
||||
|
|
|
@ -1,4 +1,3 @@
|
|||
default_group: everybody
|
||||
|
||||
groups:
|
||||
admin:
|
||||
|
@ -7,6 +6,5 @@ groups:
|
|||
permissions:
|
||||
admin:
|
||||
groups: [admin]
|
||||
users: []
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /*
|
||||
|
|
|
@ -36,16 +36,15 @@ permissions:
|
|||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /tasks/*
|
||||
|
||||
# TODO: all uris should really have the same structure
|
||||
finance-admin-group:
|
||||
groups: ["Finance Team"]
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /process-groups/finance/*
|
||||
allowed_permissions: [all]
|
||||
uri: PG:finance
|
||||
|
||||
finance-admin-model:
|
||||
groups: ["Finance Team"]
|
||||
allowed_permissions: [create, read, update, delete]
|
||||
uri: /process-models/finance/*
|
||||
finance-hr-start:
|
||||
groups: ["hr"]
|
||||
allowed_permissions: [start]
|
||||
uri: PG:finance
|
||||
|
||||
finance-admin-model-lanes:
|
||||
groups: ["Finance Team"]
|
||||
|
|
|
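Review bot: `finance-admin-group` grants `allowed_permissions: [all]` on `uri: PG:finance`, and nothing in this file says what either macro expands to, so a reader of the policy cannot tell whether `all` is wider than the explicit `[create, read, update, delete]` that sits next to it. The expansion lives in AuthorizationService.explode_permissions, which is outside this hunk, so I cannot confirm the scope here. Since this file is the authorization policy itself, a one-line pointer above the macro entries would help: `# 'PG:<id>' targets and the 'all' action are macros; see AuthorizationService.explode_permissions for the exact URI/action expansion`. The existing `# TODO: all uris should really have the same structure` comment could then name the macro form as the intended structure instead of leaving the mix unexplained.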
@ -35,5 +35,4 @@ class RefreshPermissions(Script):
|
|||
**kwargs: Any,
|
||||
) -> Any:
|
||||
group_info = args[0]
|
||||
import pdb; pdb.set_trace()
|
||||
AuthorizationService.refresh_permissions(group_info)
|
||||
|
|
|
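Review bot: `group_info = args[0]` is read without checking that an argument was supplied, so a script task that invokes this with no arguments fails with a bare IndexError instead of a message naming the script; `if not args: raise ValueError("refresh_permissions requires a group_info argument")` before the assignment would make the failure self-explaining. The hunk counts (5 old, 4 new) suggest the `import pdb; pdb.set_trace()` line is the one being removed; if it survives in the new file it must go, since a breakpoint in a script executed by the engine would hang the request that triggered it. The enclosing method's signature begins outside the hunk.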
@ -5,7 +5,6 @@ from dataclasses import dataclass
|
|||
from hashlib import sha256
|
||||
from hmac import compare_digest
|
||||
from hmac import HMAC
|
||||
from typing import Any
|
||||
from typing import Optional
|
||||
from typing import Set
|
||||
from typing import TypedDict
|
||||
|
@ -21,7 +20,6 @@ from sqlalchemy import or_
|
|||
from sqlalchemy import text
|
||||
|
||||
from spiffworkflow_backend.helpers.api_version import V1_API_PATH_PREFIX
|
||||
from spiffworkflow_backend.models import permission_assignment
|
||||
from spiffworkflow_backend.models.db import db
|
||||
from spiffworkflow_backend.models.group import GroupModel
|
||||
from spiffworkflow_backend.models.human_task import HumanTaskModel
|
||||
|
@ -30,7 +28,6 @@ from spiffworkflow_backend.models.permission_target import PermissionTargetModel
|
|||
from spiffworkflow_backend.models.principal import MissingPrincipalError
|
||||
from spiffworkflow_backend.models.principal import PrincipalModel
|
||||
from spiffworkflow_backend.models.user import UserModel
|
||||
from spiffworkflow_backend.models.user import UserNotFoundError
|
||||
from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel
|
||||
from spiffworkflow_backend.routes.openid_blueprint import openid_blueprint
|
||||
from spiffworkflow_backend.services.authentication_service import NotAuthorizedError
|
||||
|
@ -617,7 +614,6 @@ class AuthorizationService:
|
|||
def add_permission_from_uri_or_macro(
|
||||
cls, group_identifier: str, permission: str, target: str
|
||||
) -> list[PermissionAssignmentModel]:
|
||||
"""Add_permission_from_uri_or_macro."""
|
||||
group = GroupService.find_or_create_group(group_identifier)
|
||||
permissions_to_assign = cls.explode_permissions(permission, target)
|
||||
permission_assignments = []
|
||||
|
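Review bot: The docstring `"""Add_permission_from_uri_or_macro."""` only restates the name and says nothing about what a macro target is, which is the point of this commit. A reader needs to know that `target` may be a plain URI or a macro and that `explode_permissions` performs the expansion, and that an unknown `group_identifier` is created rather than rejected (visible at the `find_or_create_group` call); something like `"""Assign `permission` on `target` to the group (created if missing); `target` is a URI or a macro that explode_permissions expands into one or more assignments."""` would do. The body continues outside the hunk, so I cannot see what is done with `permission_assignments`.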
@ -644,35 +640,41 @@ class AuthorizationService:
|
|||
permission_configs = yaml.safe_load(file)
|
||||
|
||||
group_permissions_by_group: dict[str, GroupPermissionsDict] = {}
|
||||
if current_app.config['SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP']:
|
||||
default_group_identifier = current_app.config['SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP']
|
||||
group_permissions_by_group[default_group_identifier] = {"name": default_group_identifier, "users": [], "permissions": []}
|
||||
if current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"]:
|
||||
default_group_identifier = current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"]
|
||||
group_permissions_by_group[default_group_identifier] = {
|
||||
"name": default_group_identifier,
|
||||
"users": [],
|
||||
"permissions": [],
|
||||
}
|
||||
|
||||
if "groups" in permission_configs:
|
||||
for group_identifier, group_config in permission_configs["groups"].items():
|
||||
group_info: GroupPermissionsDict = {"name": group_identifier, "users": [], "permissions": []}
|
||||
for username in group_config["users"]:
|
||||
group_info['users'].append(username)
|
||||
group_info["users"].append(username)
|
||||
group_permissions_by_group[group_identifier] = group_info
|
||||
|
||||
if "permissions" in permission_configs:
|
||||
for _permission_identifier, permission_config in permission_configs["permissions"].items():
|
||||
uri = permission_config["uri"]
|
||||
for group_identifier in permission_config["groups"]:
|
||||
group_permissions_by_group[group_identifier]['permissions'].append(
|
||||
{'actions': permission_config["allowed_permissions"], "uri": uri}
|
||||
group_permissions_by_group[group_identifier]["permissions"].append(
|
||||
{"actions": permission_config["allowed_permissions"], "uri": uri}
|
||||
)
|
||||
|
||||
return list(group_permissions_by_group.values())
|
||||
|
||||
@classmethod
|
||||
def add_permissions_from_group_permissions(cls, group_permissions: list[GroupPermissionsDict], user_model: Optional[UserModel] = None) -> DesiredPermissionDict:
|
||||
def add_permissions_from_group_permissions(
|
||||
cls, group_permissions: list[GroupPermissionsDict], user_model: Optional[UserModel] = None
|
||||
) -> DesiredPermissionDict:
|
||||
unique_user_group_identifiers: Set[str] = set()
|
||||
user_to_group_identifiers: list[UserToGroupDict] = []
|
||||
permission_assignments = []
|
||||
|
||||
default_group = None
|
||||
default_group_identifier = current_app.config['SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP']
|
||||
default_group_identifier = current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"]
|
||||
if default_group_identifier:
|
||||
default_group = GroupService.find_or_create_group(default_group_identifier)
|
||||
unique_user_group_identifiers.add(default_group_identifier)
|
||||
|
|
|
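Review bot: `group_permissions_by_group[group_identifier]["permissions"].append(...)` raises a bare KeyError when a permission entry names a group that is not declared under `groups:` and is not the configured default group; since this yml is the authorization policy, a misspelled group name should fail with a message that says so rather than a KeyError from deep inside the loader. Something like `if group_identifier not in group_permissions_by_group: raise InvalidPermissionError(f"permission references undeclared group '{group_identifier}'")` at the top of the inner loop would do (InvalidPermissionError is imported from this module elsewhere in the commit, so I assume it is defined here). The same assumption exists at `group_config["users"]` in the groups loop, which requires every group to declare a `users` key. Apart from the quote and black reformatting the hunk's logic is unchanged, and the enclosing method starts outside the hunk.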
@ -2349,7 +2349,6 @@ class TestProcessApi(BaseTest):
|
|||
with_db_and_bpmn_file_cleanup: None,
|
||||
with_super_admin_user: UserModel,
|
||||
) -> None:
|
||||
"""Test_correct_user_can_get_and_update_a_task."""
|
||||
initiator_user = self.find_or_create_user("testuser4")
|
||||
finance_user = self.find_or_create_user("testuser2")
|
||||
assert initiator_user.principal is not None
|
||||
|
@ -2372,15 +2371,8 @@ class TestProcessApi(BaseTest):
|
|||
bpmn_file_location=bpmn_file_location,
|
||||
)
|
||||
|
||||
# process_model = load_test_spec(
|
||||
# process_model_id="model_with_lanes",
|
||||
# bpmn_file_name="lanes.bpmn",
|
||||
# process_group_id="finance",
|
||||
# )
|
||||
|
||||
response = self.create_process_instance_from_process_model_id_with_api(
|
||||
client,
|
||||
# process_model.process_group_id,
|
||||
process_model_identifier,
|
||||
headers=self.logged_in_headers(initiator_user),
|
||||
)
|
||||
|
|
|
@ -6,8 +6,8 @@ from tests.spiffworkflow_backend.helpers.base_test import BaseTest
|
|||
|
||||
from spiffworkflow_backend.models.group import GroupModel
|
||||
from spiffworkflow_backend.models.user import UserModel
|
||||
from spiffworkflow_backend.models.user import UserNotFoundError
|
||||
from spiffworkflow_backend.services.authorization_service import AuthorizationService, GroupPermissionsDict
|
||||
from spiffworkflow_backend.services.authorization_service import AuthorizationService
|
||||
from spiffworkflow_backend.services.authorization_service import GroupPermissionsDict
|
||||
from spiffworkflow_backend.services.authorization_service import InvalidPermissionError
|
||||
from spiffworkflow_backend.services.group_service import GroupService
|
||||
from spiffworkflow_backend.services.process_instance_processor import (
|
||||
|
@ -47,13 +47,13 @@ class TestAuthorizationService(BaseTest):
|
|||
assert testuser1_group_identifiers == ["Finance Team", "everybody"]
|
||||
assert len(users["testuser2"].groups) == 3
|
||||
|
||||
self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance/model1")
|
||||
self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance/")
|
||||
self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance:model1")
|
||||
self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance")
|
||||
self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/", expected_result=False)
|
||||
self.assert_user_has_permission(users["testuser4"], "read", "/v1.0/process-groups/finance/model1")
|
||||
self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups/finance/model1")
|
||||
self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups/", expected_result=False)
|
||||
self.assert_user_has_permission(users["testuser2"], "read", "/v1.0/process-groups/")
|
||||
self.assert_user_has_permission(users["testuser4"], "read", "/v1.0/process-groups/finance:model1")
|
||||
self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups/finance:model1")
|
||||
self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups", expected_result=False)
|
||||
self.assert_user_has_permission(users["testuser2"], "read", "/v1.0/process-groups")
|
||||
|
||||
def test_user_can_be_added_to_human_task_on_first_login(
|
||||
self,
|
||||
|
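Review bot: Every positive assertion in the new block targets `finance:model1` or `finance`, and the only negative ones target `/v1.0/process-groups` itself, so the test never checks that `PG:finance` stops at the group boundary; if the macro expansion ends up as a prefix match, a sibling group such as `finance2` would also be granted and this test would still pass. Adding `self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance2", expected_result=False)` next to the existing negative checks pins that boundary (I am inferring the macro expansion, which is not in the hunk). The test method's beginning is outside the hunk.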
@ -110,7 +110,6 @@ class TestAuthorizationService(BaseTest):
|
|||
client: FlaskClient,
|
||||
with_db_and_bpmn_file_cleanup: None,
|
||||
) -> None:
|
||||
"""Test_explode_permissions_all_on_process_group."""
|
||||
expected_permissions = sorted(
|
||||
[
|
||||
("/event-error-details/some-process-group:some-process-model:*", "read"),
|
||||
|
|