trim down granted permissions to just the ones that exist in the API, improve output of permissions

burnettk 2022-12-23 16:49:15 -05:00
parent 5f14a3cbbb
commit 804d3c1052
4 changed files with 40 additions and 71 deletions


@ -50,7 +50,22 @@ class GetAllPermissions(Script):
pa.permission pa.permission
) )
def replace_suffix(string: str, old: str, new: str) -> str:
"""Replace_suffix."""
if string.endswith(old):
return string[: -len(old)] + new
return string
# sort list of strings based on a specific order
def sort_by_order(string_list: list, order: list) -> list:
"""Sort_by_order."""
return sorted(string_list, key=lambda x: order.index(x))
return [ return [
{"group_identifier": k[0], "uri": k[1], "permissions": sorted(v)} {
"group_identifier": k[0],
"uri": replace_suffix(k[1], "%", "*"),
"permissions": sort_by_order(v, ["create", "read", "update", "delete"]),
}
for k, v in permissions.items() for k, v in permissions.items()
] ]
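Review bot: `sort_by_order` raises `ValueError` for any permission value that is not one of the four names passed in, because `order.index(x)` has no fallback; one unexpected stored value would make the whole listing fail rather than show it. If this output is used to review what a group has been granted, unknown values should sort last and stay visible, e.g. `key=lambda x: (order.index(x) if x in order else len(order), x)`. The two helpers are also redefined inside the method on every call and carry placeholder docstrings (`"""Replace_suffix."""`); module-level functions with a one-line docstring saying that the string is returned unchanged when it does not end with `old` would read better. The enclosing method starts above the hunk.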


@ -62,12 +62,17 @@ class PermissionToAssign:
target_uri: str target_uri: str
# the relevant permissions are the only API methods that are currently available for each path prefix.
# if we add further API methods, we'll need to evaluate whether they should be added here.
PATH_SEGMENTS_FOR_PERMISSION_ALL = [ PATH_SEGMENTS_FOR_PERMISSION_ALL = [
"/logs", {"path": "/logs", "relevant_permissions": ["read"]},
"/process-instances", {
"/process-instance-suspend", "path": "/process-instances",
"/process-instance-terminate", "relevant_permissions": ["create", "read", "delete"],
"/task-data", },
{"path": "/process-instance-suspend", "relevant_permissions": ["create"]},
{"path": "/process-instance-terminate", "relevant_permissions": ["create"]},
{"path": "/task-data", "relevant_permissions": ["read", "update"]},
] ]
@ -589,8 +594,17 @@ class AuthorizationService:
else: else:
if permission_set == "all": if permission_set == "all":
for path_segment in PATH_SEGMENTS_FOR_PERMISSION_ALL: for path_segment_dict in PATH_SEGMENTS_FOR_PERMISSION_ALL:
target_uris.append(f"{path_segment}/{process_related_path_segment}") target_uri = (
f"{path_segment_dict['path']}/{process_related_path_segment}"
)
relevant_permissions = path_segment_dict["relevant_permissions"]
for permission in relevant_permissions:
permissions_to_assign.append(
PermissionToAssign(
permission=permission, target_uri=target_uri
)
)
for target_uri in target_uris: for target_uri in target_uris:
for permission in permissions: for permission in permissions:
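Review bot: `PATH_SEGMENTS_FOR_PERMISSION_ALL` is now a hand-maintained copy of which methods each path exposes, and nothing visible in either hunk ties it to the API definition or checks that every entry in `relevant_permissions` is a known permission name. A forgotten entry fails closed, but a typo in a name or a key (`path_segment_dict["relevant_permissions"]` is a plain dict lookup) only surfaces at runtime, so a small typed record plus a test comparing the table with the API's declared operations would make drift detectable. Separately, narrowing the expansion only changes what is assigned from here on; whether the create/update/delete grants that the earlier expansion produced for `/logs` and the other paths are removed from existing groups depends on the caller, which is outside the hunk, and is worth confirming before relying on this change as a reduction in privilege. The loop sits in a function whose start and end are not shown.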


@ -41,18 +41,18 @@ class TestGetAllPermissions(BaseTest):
expected_permissions = [ expected_permissions = [
{ {
"group_identifier": "my_test_group", "group_identifier": "my_test_group",
"uri": "/process-instances/hey:group:%", "uri": "/process-instances/hey:group:*",
"permissions": ["create"], "permissions": ["create"],
}, },
{ {
"group_identifier": "my_test_group", "group_identifier": "my_test_group",
"uri": "/process-instances/for-me/hey:group:%", "uri": "/process-instances/for-me/hey:group:*",
"permissions": ["read"], "permissions": ["read"],
}, },
{ {
"group_identifier": "my_test_group", "group_identifier": "my_test_group",
"uri": "/tasks", "uri": "/tasks",
"permissions": ["create", "delete", "read", "update"], "permissions": ["create", "read", "update", "delete"],
}, },
] ]


@ -157,10 +157,7 @@ class TestAuthorizationService(BaseTest):
) -> None: ) -> None:
"""Test_explode_permissions_all_on_process_group.""" """Test_explode_permissions_all_on_process_group."""
expected_permissions = [ expected_permissions = [
("/logs/some-process-group:some-process-model:*", "create"),
("/logs/some-process-group:some-process-model:*", "delete"),
("/logs/some-process-group:some-process-model:*", "read"), ("/logs/some-process-group:some-process-model:*", "read"),
("/logs/some-process-group:some-process-model:*", "update"),
("/process-groups/some-process-group:some-process-model:*", "create"), ("/process-groups/some-process-group:some-process-model:*", "create"),
("/process-groups/some-process-group:some-process-model:*", "delete"), ("/process-groups/some-process-group:some-process-model:*", "delete"),
("/process-groups/some-process-group:some-process-model:*", "read"), ("/process-groups/some-process-group:some-process-model:*", "read"),
@ -169,44 +166,17 @@ class TestAuthorizationService(BaseTest):
"/process-instance-suspend/some-process-group:some-process-model:*", "/process-instance-suspend/some-process-group:some-process-model:*",
"create", "create",
), ),
(
"/process-instance-suspend/some-process-group:some-process-model:*",
"delete",
),
(
"/process-instance-suspend/some-process-group:some-process-model:*",
"read",
),
(
"/process-instance-suspend/some-process-group:some-process-model:*",
"update",
),
( (
"/process-instance-terminate/some-process-group:some-process-model:*", "/process-instance-terminate/some-process-group:some-process-model:*",
"create", "create",
), ),
(
"/process-instance-terminate/some-process-group:some-process-model:*",
"delete",
),
(
"/process-instance-terminate/some-process-group:some-process-model:*",
"read",
),
(
"/process-instance-terminate/some-process-group:some-process-model:*",
"update",
),
("/process-instances/some-process-group:some-process-model:*", "create"), ("/process-instances/some-process-group:some-process-model:*", "create"),
("/process-instances/some-process-group:some-process-model:*", "delete"), ("/process-instances/some-process-group:some-process-model:*", "delete"),
("/process-instances/some-process-group:some-process-model:*", "read"), ("/process-instances/some-process-group:some-process-model:*", "read"),
("/process-instances/some-process-group:some-process-model:*", "update"),
("/process-models/some-process-group:some-process-model:*", "create"), ("/process-models/some-process-group:some-process-model:*", "create"),
("/process-models/some-process-group:some-process-model:*", "delete"), ("/process-models/some-process-group:some-process-model:*", "delete"),
("/process-models/some-process-group:some-process-model:*", "read"), ("/process-models/some-process-group:some-process-model:*", "read"),
("/process-models/some-process-group:some-process-model:*", "update"), ("/process-models/some-process-group:some-process-model:*", "update"),
("/task-data/some-process-group:some-process-model:*", "create"),
("/task-data/some-process-group:some-process-model:*", "delete"),
("/task-data/some-process-group:some-process-model:*", "read"), ("/task-data/some-process-group:some-process-model:*", "read"),
("/task-data/some-process-group:some-process-model:*", "update"), ("/task-data/some-process-group:some-process-model:*", "update"),
] ]
@ -248,52 +218,22 @@ class TestAuthorizationService(BaseTest):
) -> None: ) -> None:
"""Test_explode_permissions_all_on_process_model.""" """Test_explode_permissions_all_on_process_model."""
expected_permissions = [ expected_permissions = [
("/logs/some-process-group:some-process-model/*", "create"),
("/logs/some-process-group:some-process-model/*", "delete"),
("/logs/some-process-group:some-process-model/*", "read"), ("/logs/some-process-group:some-process-model/*", "read"),
("/logs/some-process-group:some-process-model/*", "update"),
( (
"/process-instance-suspend/some-process-group:some-process-model/*", "/process-instance-suspend/some-process-group:some-process-model/*",
"create", "create",
), ),
(
"/process-instance-suspend/some-process-group:some-process-model/*",
"delete",
),
(
"/process-instance-suspend/some-process-group:some-process-model/*",
"read",
),
(
"/process-instance-suspend/some-process-group:some-process-model/*",
"update",
),
( (
"/process-instance-terminate/some-process-group:some-process-model/*", "/process-instance-terminate/some-process-group:some-process-model/*",
"create", "create",
), ),
(
"/process-instance-terminate/some-process-group:some-process-model/*",
"delete",
),
(
"/process-instance-terminate/some-process-group:some-process-model/*",
"read",
),
(
"/process-instance-terminate/some-process-group:some-process-model/*",
"update",
),
("/process-instances/some-process-group:some-process-model/*", "create"), ("/process-instances/some-process-group:some-process-model/*", "create"),
("/process-instances/some-process-group:some-process-model/*", "delete"), ("/process-instances/some-process-group:some-process-model/*", "delete"),
("/process-instances/some-process-group:some-process-model/*", "read"), ("/process-instances/some-process-group:some-process-model/*", "read"),
("/process-instances/some-process-group:some-process-model/*", "update"),
("/process-models/some-process-group:some-process-model/*", "create"), ("/process-models/some-process-group:some-process-model/*", "create"),
("/process-models/some-process-group:some-process-model/*", "delete"), ("/process-models/some-process-group:some-process-model/*", "delete"),
("/process-models/some-process-group:some-process-model/*", "read"), ("/process-models/some-process-group:some-process-model/*", "read"),
("/process-models/some-process-group:some-process-model/*", "update"), ("/process-models/some-process-group:some-process-model/*", "update"),
("/task-data/some-process-group:some-process-model/*", "create"),
("/task-data/some-process-group:some-process-model/*", "delete"),
("/task-data/some-process-group:some-process-model/*", "read"), ("/task-data/some-process-group:some-process-model/*", "read"),
("/task-data/some-process-group:some-process-model/*", "update"), ("/task-data/some-process-group:some-process-model/*", "update"),
] ]