diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_all_permissions.py b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_all_permissions.py index 7cdcf3601..e2ab07637 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_all_permissions.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_all_permissions.py @@ -50,7 +50,22 @@ class GetAllPermissions(Script): pa.permission ) + def replace_suffix(string: str, old: str, new: str) -> str: + """Replace_suffix.""" + if string.endswith(old): + return string[: -len(old)] + new + return string + + # sort list of strings based on a specific order + def sort_by_order(string_list: list, order: list) -> list: + """Sort_by_order.""" + return sorted(string_list, key=lambda x: order.index(x)) + return [ - {"group_identifier": k[0], "uri": k[1], "permissions": sorted(v)} + { + "group_identifier": k[0], + "uri": replace_suffix(k[1], "%", "*"), + "permissions": sort_by_order(v, ["create", "read", "update", "delete"]), + } for k, v in permissions.items() ] diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py index cd125ee53..fc6c31428 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py @@ -62,12 +62,17 @@ class PermissionToAssign: target_uri: str +# the relevant permissions are the only API methods that are currently available for each path prefix. +# if we add further API methods, we'll need to evaluate whether they should be added here. PATH_SEGMENTS_FOR_PERMISSION_ALL = [ - "/logs", - "/process-instances", - "/process-instance-suspend", - "/process-instance-terminate", - "/task-data", + {"path": "/logs", "relevant_permissions": ["read"]}, + { + "path": "/process-instances", + "relevant_permissions": ["create", "read", "delete"], + }, + {"path": "/process-instance-suspend", "relevant_permissions": ["create"]}, + {"path": "/process-instance-terminate", "relevant_permissions": ["create"]}, + {"path": "/task-data", "relevant_permissions": ["read", "update"]}, ] @@ -589,8 +594,17 @@ class AuthorizationService: else: if permission_set == "all": - for path_segment in PATH_SEGMENTS_FOR_PERMISSION_ALL: - target_uris.append(f"{path_segment}/{process_related_path_segment}") + for path_segment_dict in PATH_SEGMENTS_FOR_PERMISSION_ALL: + target_uri = ( + f"{path_segment_dict['path']}/{process_related_path_segment}" + ) + relevant_permissions = path_segment_dict["relevant_permissions"] + for permission in relevant_permissions: + permissions_to_assign.append( + PermissionToAssign( + permission=permission, target_uri=target_uri + ) + ) for target_uri in target_uris: for permission in permissions: diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_all_permissions.py b/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_all_permissions.py index 3c3bce506..cbf625168 100644 --- a/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_all_permissions.py +++ b/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_all_permissions.py @@ -41,18 +41,18 @@ class TestGetAllPermissions(BaseTest): expected_permissions = [ { "group_identifier": "my_test_group", - "uri": "/process-instances/hey:group:%", + "uri": "/process-instances/hey:group:*", "permissions": ["create"], }, { "group_identifier": "my_test_group", - "uri": "/process-instances/for-me/hey:group:%", + "uri": "/process-instances/for-me/hey:group:*", "permissions": ["read"], }, { "group_identifier": "my_test_group", "uri": "/tasks", - "permissions": ["create", "delete", "read", "update"], + "permissions": ["create", "read", "update", "delete"], }, ] diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py index a0c140f14..adceeee80 100644 --- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py +++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py @@ -157,10 +157,7 @@ class TestAuthorizationService(BaseTest): ) -> None: """Test_explode_permissions_all_on_process_group.""" expected_permissions = [ - ("/logs/some-process-group:some-process-model:*", "create"), - ("/logs/some-process-group:some-process-model:*", "delete"), ("/logs/some-process-group:some-process-model:*", "read"), - ("/logs/some-process-group:some-process-model:*", "update"), ("/process-groups/some-process-group:some-process-model:*", "create"), ("/process-groups/some-process-group:some-process-model:*", "delete"), ("/process-groups/some-process-group:some-process-model:*", "read"), @@ -169,44 +166,17 @@ class TestAuthorizationService(BaseTest): "/process-instance-suspend/some-process-group:some-process-model:*", "create", ), - ( - "/process-instance-suspend/some-process-group:some-process-model:*", - "delete", - ), - ( - "/process-instance-suspend/some-process-group:some-process-model:*", - "read", - ), - ( - "/process-instance-suspend/some-process-group:some-process-model:*", - "update", - ), ( "/process-instance-terminate/some-process-group:some-process-model:*", "create", ), - ( - "/process-instance-terminate/some-process-group:some-process-model:*", - "delete", - ), - ( - "/process-instance-terminate/some-process-group:some-process-model:*", - "read", - ), - ( - "/process-instance-terminate/some-process-group:some-process-model:*", - "update", - ), ("/process-instances/some-process-group:some-process-model:*", "create"), ("/process-instances/some-process-group:some-process-model:*", "delete"), ("/process-instances/some-process-group:some-process-model:*", "read"), - ("/process-instances/some-process-group:some-process-model:*", "update"), ("/process-models/some-process-group:some-process-model:*", "create"), ("/process-models/some-process-group:some-process-model:*", "delete"), ("/process-models/some-process-group:some-process-model:*", "read"), ("/process-models/some-process-group:some-process-model:*", "update"), - ("/task-data/some-process-group:some-process-model:*", "create"), - ("/task-data/some-process-group:some-process-model:*", "delete"), ("/task-data/some-process-group:some-process-model:*", "read"), ("/task-data/some-process-group:some-process-model:*", "update"), ] @@ -248,52 +218,22 @@ class TestAuthorizationService(BaseTest): ) -> None: """Test_explode_permissions_all_on_process_model.""" expected_permissions = [ - ("/logs/some-process-group:some-process-model/*", "create"), - ("/logs/some-process-group:some-process-model/*", "delete"), ("/logs/some-process-group:some-process-model/*", "read"), - ("/logs/some-process-group:some-process-model/*", "update"), ( "/process-instance-suspend/some-process-group:some-process-model/*", "create", ), - ( - "/process-instance-suspend/some-process-group:some-process-model/*", - "delete", - ), - ( - "/process-instance-suspend/some-process-group:some-process-model/*", - "read", - ), - ( - "/process-instance-suspend/some-process-group:some-process-model/*", - "update", - ), ( "/process-instance-terminate/some-process-group:some-process-model/*", "create", ), - ( - "/process-instance-terminate/some-process-group:some-process-model/*", - "delete", - ), - ( - "/process-instance-terminate/some-process-group:some-process-model/*", - "read", - ), - ( - "/process-instance-terminate/some-process-group:some-process-model/*", - "update", - ), ("/process-instances/some-process-group:some-process-model/*", "create"), ("/process-instances/some-process-group:some-process-model/*", "delete"), ("/process-instances/some-process-group:some-process-model/*", "read"), - ("/process-instances/some-process-group:some-process-model/*", "update"), ("/process-models/some-process-group:some-process-model/*", "create"), ("/process-models/some-process-group:some-process-model/*", "delete"), ("/process-models/some-process-group:some-process-model/*", "read"), ("/process-models/some-process-group:some-process-model/*", "update"), - ("/task-data/some-process-group:some-process-model/*", "create"), - ("/task-data/some-process-group:some-process-model/*", "delete"), ("/task-data/some-process-group:some-process-model/*", "read"), ("/task-data/some-process-group:some-process-model/*", "update"), ]