support macros in perm yml and pyl

This commit is contained in:
jasquat 2023-05-18 12:11:40 -04:00
parent 84f3847c50
commit 40b3246eb7
11 changed files with 28 additions and 69 deletions


@ -12,6 +12,5 @@ groups:
permissions: permissions:
admin: admin:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create, read, update, delete] allowed_permissions: [create, read, update, delete]
uri: /* uri: /*


@ -1,5 +1,3 @@
default_group: everybody
groups: groups:
admin: admin:
users: users:
@ -19,6 +17,5 @@ groups:
permissions: permissions:
admin: admin:
groups: [admin, tech_writers] groups: [admin, tech_writers]
users: []
allowed_permissions: [create, read, update, delete] allowed_permissions: [create, read, update, delete]
uri: /* uri: /*


@ -1,4 +1,3 @@
default_group: everybody
users: users:
admin: admin:
@ -41,52 +40,43 @@ permissions:
# Admins have access to everything. # Admins have access to everything.
admin: admin:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create, read, update, delete] allowed_permissions: [create, read, update, delete]
uri: /* uri: /*
# Everybody can participate in tasks assigned to them. # Everybody can participate in tasks assigned to them.
tasks-crud: tasks-crud:
groups: [everybody] groups: [everybody]
users: []
allowed_permissions: [create, read, update, delete] allowed_permissions: [create, read, update, delete]
uri: /tasks/* uri: /tasks/*
# Everybody can start all intstances # Everybody can start all intstances
create-test-instances: create-test-instances:
groups: [ everybody ] groups: [ everybody ]
users: [ ]
allowed_permissions: [ create ] allowed_permissions: [ create ]
uri: /process-instances/* uri: /process-instances/*
# Everyone can see everything (all groups, and processes are visible) # Everyone can see everything (all groups, and processes are visible)
read-all-process-groups: read-all-process-groups:
groups: [ everybody ] groups: [ everybody ]
users: [ ]
allowed_permissions: [ read ] allowed_permissions: [ read ]
uri: /process-groups/* uri: /process-groups/*
read-all-process-models: read-all-process-models:
groups: [ everybody ] groups: [ everybody ]
users: [ ]
allowed_permissions: [ read ] allowed_permissions: [ read ]
uri: /process-models/* uri: /process-models/*
read-all-process-instance: read-all-process-instance:
groups: [ everybody ] groups: [ everybody ]
users: [ ]
allowed_permissions: [ read ] allowed_permissions: [ read ]
uri: /process-instances/* uri: /process-instances/*
read-process-instance-reports: read-process-instance-reports:
groups: [ everybody ] groups: [ everybody ]
users: [ ]
allowed_permissions: [ read ] allowed_permissions: [ read ]
uri: /process-instances/reports/* uri: /process-instances/reports/*
processes-read: processes-read:
groups: [ everybody ] groups: [ everybody ]
users: [ ]
allowed_permissions: [ read ] allowed_permissions: [ read ]
uri: /processes uri: /processes
groups-everybody: groups-everybody:
groups: [everybody] groups: [everybody]
users: []
allowed_permissions: [create, read] allowed_permissions: [create, read]
uri: /v1.0/user-groups/for-current-user uri: /v1.0/user-groups/for-current-user


@ -1,4 +1,3 @@
default_group: everybody
groups: groups:
admin: admin:
@ -7,78 +6,65 @@ groups:
permissions: permissions:
admin: admin:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [read] allowed_permissions: [read]
uri: /* uri: /*
tasks-crud: tasks-crud:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create, update, delete] allowed_permissions: [create, update, delete]
uri: /tasks/* uri: /tasks/*
process-instances-crud: process-instances-crud:
groups: [ admin ] groups: [ admin ]
users: [ ]
allowed_permissions: [create, update, delete] allowed_permissions: [create, update, delete]
uri: /process-instances/* uri: /process-instances/*
suspend: suspend:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create] allowed_permissions: [create]
uri: /v1.0/process-instance-suspend uri: /v1.0/process-instance-suspend
terminate: terminate:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create] allowed_permissions: [create]
uri: /v1.0/process-instance-terminate uri: /v1.0/process-instance-terminate
resume: resume:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create] allowed_permissions: [create]
uri: /v1.0/process-instance-resume uri: /v1.0/process-instance-resume
reset: reset:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create] allowed_permissions: [create]
uri: /v1.0/process-instance-reset uri: /v1.0/process-instance-reset
users-exist: users-exist:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create] allowed_permissions: [create]
uri: /v1.0/users/exists/by-username uri: /v1.0/users/exists/by-username
send-event: send-event:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create] allowed_permissions: [create]
uri: /v1.0/send-event/* uri: /v1.0/send-event/*
task-complete: task-complete:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create] allowed_permissions: [create]
uri: /v1.0/task-complete/* uri: /v1.0/task-complete/*
messages: messages:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create] allowed_permissions: [create]
uri: /v1.0/messages/* uri: /v1.0/messages/*
secrets: secrets:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create, update, delete] allowed_permissions: [create, update, delete]
uri: /v1.0/secrets/* uri: /v1.0/secrets/*
task-data: task-data:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [update] allowed_permissions: [update]
uri: /v1.0/task-data/* uri: /v1.0/task-data/*


@ -1,4 +1,3 @@
default_group: everybody
groups: groups:
admin: admin:
@ -11,6 +10,5 @@ groups:
permissions: permissions:
admin: admin:
groups: [admin, group1, group2] groups: [admin, group1, group2]
users: []
allowed_permissions: [create, read, update, delete] allowed_permissions: [create, read, update, delete]
uri: /* uri: /*


@ -1,4 +1,3 @@
default_group: everybody
groups: groups:
admin: admin:
@ -7,6 +6,5 @@ groups:
permissions: permissions:
admin: admin:
groups: [admin] groups: [admin]
users: []
allowed_permissions: [create, read, update, delete] allowed_permissions: [create, read, update, delete]
uri: /* uri: /*


@ -36,16 +36,15 @@ permissions:
allowed_permissions: [create, read, update, delete] allowed_permissions: [create, read, update, delete]
uri: /tasks/* uri: /tasks/*
# TODO: all uris should really have the same structure
finance-admin-group: finance-admin-group:
groups: ["Finance Team"] groups: ["Finance Team"]
allowed_permissions: [create, read, update, delete] allowed_permissions: [all]
uri: /process-groups/finance/* uri: PG:finance
finance-admin-model: finance-hr-start:
groups: ["Finance Team"] groups: ["hr"]
allowed_permissions: [create, read, update, delete] allowed_permissions: [start]
uri: /process-models/finance/* uri: PG:finance
finance-admin-model-lanes: finance-admin-model-lanes:
groups: ["Finance Team"] groups: ["Finance Team"]
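Review bot: Changing `finance-admin-group` from `[create, read, update, delete]` to `[all]` is a widening of the grant if the `all` macro expands to more than those four actions, and the neighbouring `[start]` entry suggests the action vocabulary is indeed larger than CRUD, so it should be confirmed that every action is intended for "Finance Team" rather than using `all` as a CRUD shorthand. The `finance-admin-model` entry that explicitly covered `/process-models/finance/*` is replaced outright by `finance-hr-start`, so Finance Team's access to models now depends entirely on what `PG:finance` expands to, which this page does not show. The new `hr` start grant has no corresponding assertion in the test hunks shown in this commit. Since the `# TODO` about uri structure is dropped, a one-line comment above the entry such as `# PG:<group> expands to the process group and its models; [all] = every known action` (wording adjusted to the macro's actual expansion) would document the grant where it is read.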


@ -35,5 +35,4 @@ class RefreshPermissions(Script):
**kwargs: Any, **kwargs: Any,
) -> Any: ) -> Any:
group_info = args[0] group_info = args[0]
import pdb; pdb.set_trace()
AuthorizationService.refresh_permissions(group_info) AuthorizationService.refresh_permissions(group_info)


@ -5,7 +5,6 @@ from dataclasses import dataclass
from hashlib import sha256 from hashlib import sha256
from hmac import compare_digest from hmac import compare_digest
from hmac import HMAC from hmac import HMAC
from typing import Any
from typing import Optional from typing import Optional
from typing import Set from typing import Set
from typing import TypedDict from typing import TypedDict
@ -21,7 +20,6 @@ from sqlalchemy import or_
from sqlalchemy import text from sqlalchemy import text
from spiffworkflow_backend.helpers.api_version import V1_API_PATH_PREFIX from spiffworkflow_backend.helpers.api_version import V1_API_PATH_PREFIX
from spiffworkflow_backend.models import permission_assignment
from spiffworkflow_backend.models.db import db from spiffworkflow_backend.models.db import db
from spiffworkflow_backend.models.group import GroupModel from spiffworkflow_backend.models.group import GroupModel
from spiffworkflow_backend.models.human_task import HumanTaskModel from spiffworkflow_backend.models.human_task import HumanTaskModel
@ -30,7 +28,6 @@ from spiffworkflow_backend.models.permission_target import PermissionTargetModel
from spiffworkflow_backend.models.principal import MissingPrincipalError from spiffworkflow_backend.models.principal import MissingPrincipalError
from spiffworkflow_backend.models.principal import PrincipalModel from spiffworkflow_backend.models.principal import PrincipalModel
from spiffworkflow_backend.models.user import UserModel from spiffworkflow_backend.models.user import UserModel
from spiffworkflow_backend.models.user import UserNotFoundError
from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel
from spiffworkflow_backend.routes.openid_blueprint import openid_blueprint from spiffworkflow_backend.routes.openid_blueprint import openid_blueprint
from spiffworkflow_backend.services.authentication_service import NotAuthorizedError from spiffworkflow_backend.services.authentication_service import NotAuthorizedError
@ -617,7 +614,6 @@ class AuthorizationService:
def add_permission_from_uri_or_macro( def add_permission_from_uri_or_macro(
cls, group_identifier: str, permission: str, target: str cls, group_identifier: str, permission: str, target: str
) -> list[PermissionAssignmentModel]: ) -> list[PermissionAssignmentModel]:
"""Add_permission_from_uri_or_macro."""
group = GroupService.find_or_create_group(group_identifier) group = GroupService.find_or_create_group(group_identifier)
permissions_to_assign = cls.explode_permissions(permission, target) permissions_to_assign = cls.explode_permissions(permission, target)
permission_assignments = [] permission_assignments = []
@ -644,35 +640,41 @@ class AuthorizationService:
permission_configs = yaml.safe_load(file) permission_configs = yaml.safe_load(file)
group_permissions_by_group: dict[str, GroupPermissionsDict] = {} group_permissions_by_group: dict[str, GroupPermissionsDict] = {}
if current_app.config['SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP']: if current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"]:
default_group_identifier = current_app.config['SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP'] default_group_identifier = current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"]
group_permissions_by_group[default_group_identifier] = {"name": default_group_identifier, "users": [], "permissions": []} group_permissions_by_group[default_group_identifier] = {
"name": default_group_identifier,
"users": [],
"permissions": [],
}
if "groups" in permission_configs: if "groups" in permission_configs:
for group_identifier, group_config in permission_configs["groups"].items(): for group_identifier, group_config in permission_configs["groups"].items():
group_info: GroupPermissionsDict = {"name": group_identifier, "users": [], "permissions": []} group_info: GroupPermissionsDict = {"name": group_identifier, "users": [], "permissions": []}
for username in group_config["users"]: for username in group_config["users"]:
group_info['users'].append(username) group_info["users"].append(username)
group_permissions_by_group[group_identifier] = group_info group_permissions_by_group[group_identifier] = group_info
if "permissions" in permission_configs: if "permissions" in permission_configs:
for _permission_identifier, permission_config in permission_configs["permissions"].items(): for _permission_identifier, permission_config in permission_configs["permissions"].items():
uri = permission_config["uri"] uri = permission_config["uri"]
for group_identifier in permission_config["groups"]: for group_identifier in permission_config["groups"]:
group_permissions_by_group[group_identifier]['permissions'].append( group_permissions_by_group[group_identifier]["permissions"].append(
{'actions': permission_config["allowed_permissions"], "uri": uri} {"actions": permission_config["allowed_permissions"], "uri": uri}
) )
return list(group_permissions_by_group.values()) return list(group_permissions_by_group.values())
@classmethod @classmethod
def add_permissions_from_group_permissions(cls, group_permissions: list[GroupPermissionsDict], user_model: Optional[UserModel] = None) -> DesiredPermissionDict: def add_permissions_from_group_permissions(
cls, group_permissions: list[GroupPermissionsDict], user_model: Optional[UserModel] = None
) -> DesiredPermissionDict:
unique_user_group_identifiers: Set[str] = set() unique_user_group_identifiers: Set[str] = set()
user_to_group_identifiers: list[UserToGroupDict] = [] user_to_group_identifiers: list[UserToGroupDict] = []
permission_assignments = [] permission_assignments = []
default_group = None default_group = None
default_group_identifier = current_app.config['SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP'] default_group_identifier = current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"]
if default_group_identifier: if default_group_identifier:
default_group = GroupService.find_or_create_group(default_group_identifier) default_group = GroupService.find_or_create_group(default_group_identifier)
unique_user_group_identifiers.add(default_group_identifier) unique_user_group_identifiers.add(default_group_identifier)
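Review bot: In the `"permissions"` loop, `group_permissions_by_group[group_identifier]["permissions"].append(...)` raises a bare `KeyError` when a permission entry names a group that is neither declared under `groups:` nor the configured default group, so a misspelled group name in the YAML surfaces as an unexplained crash instead of a configuration error that names the entry. `InvalidPermissionError` already lives in this module (the test file in this commit imports it from here), so a guard before the append such as `if group_identifier not in group_permissions_by_group: raise InvalidPermissionError(f"permission '{_permission_identifier}' references undeclared group '{group_identifier}'")` would pinpoint the offending entry. A few lines above, `group_config["users"]` assumes every group entry carries a `users` key; if a group with no members is meant to be allowed, `group_config.get("users", [])` is the safer read. The enclosing method's `def` precedes this hunk and `add_permissions_from_group_permissions` continues past it.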


@ -2349,7 +2349,6 @@ class TestProcessApi(BaseTest):
with_db_and_bpmn_file_cleanup: None, with_db_and_bpmn_file_cleanup: None,
with_super_admin_user: UserModel, with_super_admin_user: UserModel,
) -> None: ) -> None:
"""Test_correct_user_can_get_and_update_a_task."""
initiator_user = self.find_or_create_user("testuser4") initiator_user = self.find_or_create_user("testuser4")
finance_user = self.find_or_create_user("testuser2") finance_user = self.find_or_create_user("testuser2")
assert initiator_user.principal is not None assert initiator_user.principal is not None
@ -2372,15 +2371,8 @@ class TestProcessApi(BaseTest):
bpmn_file_location=bpmn_file_location, bpmn_file_location=bpmn_file_location,
) )
# process_model = load_test_spec(
# process_model_id="model_with_lanes",
# bpmn_file_name="lanes.bpmn",
# process_group_id="finance",
# )
response = self.create_process_instance_from_process_model_id_with_api( response = self.create_process_instance_from_process_model_id_with_api(
client, client,
# process_model.process_group_id,
process_model_identifier, process_model_identifier,
headers=self.logged_in_headers(initiator_user), headers=self.logged_in_headers(initiator_user),
) )


@ -6,8 +6,8 @@ from tests.spiffworkflow_backend.helpers.base_test import BaseTest
from spiffworkflow_backend.models.group import GroupModel from spiffworkflow_backend.models.group import GroupModel
from spiffworkflow_backend.models.user import UserModel from spiffworkflow_backend.models.user import UserModel
from spiffworkflow_backend.models.user import UserNotFoundError from spiffworkflow_backend.services.authorization_service import AuthorizationService
from spiffworkflow_backend.services.authorization_service import AuthorizationService, GroupPermissionsDict from spiffworkflow_backend.services.authorization_service import GroupPermissionsDict
from spiffworkflow_backend.services.authorization_service import InvalidPermissionError from spiffworkflow_backend.services.authorization_service import InvalidPermissionError
from spiffworkflow_backend.services.group_service import GroupService from spiffworkflow_backend.services.group_service import GroupService
from spiffworkflow_backend.services.process_instance_processor import ( from spiffworkflow_backend.services.process_instance_processor import (
@ -47,13 +47,13 @@ class TestAuthorizationService(BaseTest):
assert testuser1_group_identifiers == ["Finance Team", "everybody"] assert testuser1_group_identifiers == ["Finance Team", "everybody"]
assert len(users["testuser2"].groups) == 3 assert len(users["testuser2"].groups) == 3
self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance/model1") self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance:model1")
self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance/") self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance")
self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/", expected_result=False) self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/", expected_result=False)
self.assert_user_has_permission(users["testuser4"], "read", "/v1.0/process-groups/finance/model1") self.assert_user_has_permission(users["testuser4"], "read", "/v1.0/process-groups/finance:model1")
self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups/finance/model1") self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups/finance:model1")
self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups/", expected_result=False) self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups", expected_result=False)
self.assert_user_has_permission(users["testuser2"], "read", "/v1.0/process-groups/") self.assert_user_has_permission(users["testuser2"], "read", "/v1.0/process-groups")
def test_user_can_be_added_to_human_task_on_first_login( def test_user_can_be_added_to_human_task_on_first_login(
self, self,
@ -110,7 +110,6 @@ class TestAuthorizationService(BaseTest):
client: FlaskClient, client: FlaskClient,
with_db_and_bpmn_file_cleanup: None, with_db_and_bpmn_file_cleanup: None,
) -> None: ) -> None:
"""Test_explode_permissions_all_on_process_group."""
expected_permissions = sorted( expected_permissions = sorted(
[ [
("/event-error-details/some-process-group:some-process-model:*", "read"), ("/event-error-details/some-process-group:some-process-model:*", "read"),