diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml
index f5052ff65..d192a7dea 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml
@@ -74,98 +74,98 @@ permissions:
 users: []
 allowed_permissions: [create, read, update, delete]
 uri: /*
- # admin-readonly:
- # groups: [admin-ro]
- # users: []
- # allowed_permissions: [read]
- # uri: /*
- # admin-process-instances-for-readonly:
- # groups: [admin-ro]
- # users: []
- # allowed_permissions: [create, read, update, delete]
- # uri: /process-instances/*
- #
- # tasks-crud:
- # groups: [everybody]
- # users: []
- # allowed_permissions: [create, read, update, delete]
- # uri: /tasks/*
- # service-tasks:
- # groups: [everybody]
- # users: []
- # allowed_permissions: [read]
- # uri: /service-tasks
- # user-groups-for-current-user:
- # groups: [everybody]
- # users: []
- # allowed_permissions: [read]
- # uri: /user-groups/for-current-user
- #
- # # read all for everybody
- # read-all-process-groups:
- # groups: [everybody]
- # users: []
- # allowed_permissions: [read]
- # uri: /process-groups/*
- # read-all-process-models:
- # groups: [everybody]
- # users: []
- # allowed_permissions: [read]
- # uri: /process-models/*
- # read-all-process-instances-for-me:
- # groups: [everybody]
- # users: []
- # allowed_permissions: [read]
- # uri: /process-instances/for-me/*
- # read-process-instance-reports:
- # groups: [everybody]
- # users: []
- # allowed_permissions: [create, read, update, delete]
- # uri: /process-instances/reports/*
- # processes-read:
- # groups: [everybody]
- # users: []
- # allowed_permissions: [read]
- # uri: /processes
- #
- #
- # finance-admin:
- # groups: ["Finance Team"]
- # users: []
- # allowed_permissions: [create, read, update, delete]
- # uri: /process-groups/manage-procurement:procurement:*
- #
- # manage-revenue-streams-instances:
- # groups: ["core-contributor", "demo"]
- # users: []
- # allowed_permissions: [create, read]
- # uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
- #
- # manage-procurement-invoice-instances:
- # groups: ["core-contributor", "demo"]
- # users: []
- # allowed_permissions: [create, read]
- # uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
- #
- # manage-procurement-instances:
- # groups: ["core-contributor", "demo"]
- # users: []
- # allowed_permissions: [create, read]
- # uri: /process-instances/manage-procurement:vendor-lifecycle-management:*
- #
- # create-test-instances:
- # groups: ["test"]
- # users: []
- # allowed_permissions: [create, read]
- # uri: /process-instances/misc:test:*
- #
- # core1-admin-instances:
- # groups: ["core-contributor", "Finance Team"]
- # users: []
- # allowed_permissions: [create, read]
- # uri: /process-instances/misc:category_number_one:process-model-with-form:*
- # core1-admin-instances-slash:
- # groups: ["core-contributor", "Finance Team"]
- # users: []
- # allowed_permissions: [create, read]
- # uri: /process-instances/misc:category_number_one:process-model-with-form/*
+ admin-readonly:
+ groups: [admin-ro]
+ users: []
+ allowed_permissions: [read]
+ uri: /*
+ admin-process-instances-for-readonly:
+ groups: [admin-ro]
+ users: []
+ allowed_permissions: [create, read, update, delete]
+ uri: /process-instances/*
+
+ tasks-crud:
+ groups: [everybody]
+ users: []
+ allowed_permissions: [create, read, update, delete]
+ uri: /tasks/*
+ service-tasks:
+ groups: [everybody]
+ users: []
+ allowed_permissions: [read]
+ uri: /service-tasks
+ user-groups-for-current-user:
+ groups: [everybody]
+ users: []
+ allowed_permissions: [read]
+ uri: /user-groups/for-current-user
+
+ # read all for everybody
+ read-all-process-groups:
+ groups: [everybody]
+ users: []
+ allowed_permissions: [read]
+ uri: /process-groups/*
+ read-all-process-models:
+ groups: [everybody]
+ users: []
+ allowed_permissions: [read]
+ uri: /process-models/*
+ read-all-process-instances-for-me:
+ groups: [everybody]
+ users: []
+ allowed_permissions: [read]
+ uri: /process-instances/for-me/*
+ read-process-instance-reports:
+ groups: [everybody]
+ users: []
+ allowed_permissions: [create, read, update, delete]
+ uri: /process-instances/reports/*
+ processes-read:
+ groups: [everybody]
+ users: []
+ allowed_permissions: [read]
+ uri: /processes
+
+
+ finance-admin:
+ groups: ["Finance Team"]
+ users: []
+ allowed_permissions: [create, read, update, delete]
+ uri: /process-groups/manage-procurement:procurement:*
+
+ manage-revenue-streams-instances:
+ groups: ["core-contributor", "demo"]
+ users: []
+ allowed_permissions: [create, read]
+ uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
+
+ manage-procurement-invoice-instances:
+ groups: ["core-contributor", "demo"]
+ users: []
+ allowed_permissions: [create, read]
+ uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
+
+ manage-procurement-instances:
+ groups: ["core-contributor", "demo"]
+ users: []
+ allowed_permissions: [create, read]
+ uri: /process-instances/manage-procurement:vendor-lifecycle-management:*
+
+ create-test-instances:
+ groups: ["test"]
+ users: []
+ allowed_permissions: [create, read]
+ uri: /process-instances/misc:test:*
+
+ core1-admin-instances:
+ groups: ["core-contributor", "Finance Team"]
+ users: []
+ allowed_permissions: [create, read]
+ uri: /process-instances/misc:category_number_one:process-model-with-form:*
+ core1-admin-instances-slash:
+ groups: ["core-contributor", "Finance Team"]
+ users: []
+ allowed_permissions: [create, read]
+ uri: /process-instances/misc:category_number_one:process-model-with-form/*
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/add_permission.py b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/add_permission.py
index 806fd991f..ce365fe95 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/add_permission.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/add_permission.py
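Review bot: Two of the entries enabled here grant more than their names suggest: `admin-process-instances-for-readonly` gives the `admin-ro` group `[create, read, update, delete]` on `/process-instances/*`, and `read-process-instance-reports` gives `everybody` the same four permissions on `/process-instances/reports/*`. If that is intended, a comment on each entry such as `# intentional: admin-ro keeps full CRUD on process instances` would stop a later reader from treating the group as strictly read-only; otherwise narrow `allowed_permissions` to `[read]`. Whether this file is ever loaded outside a development environment cannot be told from the hunk.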
@@ -28,8 +28,6 @@ class AddPermission(Script):
 allowed_permission = args[0]
 uri = args[1]
 group_identifier = args[2]
- group = GroupService.find_or_create_group(group_identifier)
- target = AuthorizationService.find_or_create_permission_target(uri)
- AuthorizationService.create_permission_for_principal(
- group.principal, target, allowed_permission
+ AuthorizationService.add_permission_from_uri_or_macro(
+ group_identifier=group_identifier, target=uri, permission=allowed_permission
 )
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_all_permissions.py b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_all_permissions.py
new file mode 100644
index 000000000..5a7d87f9b
--- /dev/null
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_all_permissions.py
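Review bot: The new call accepts macro forms as well as literal URIs and permissions, but nothing at the call site tells a process author that one invocation can now create several assignments. The test added in this commit passes `"start"` with `"PG:hey:group"` and `"all"` with `"/tasks"`, and each expands to more than one permission. A comment above the call, for example `# target/permission may be macros ("PG:...", "all", "start") that expand to several assignments`, would make the wider grant visible to whoever reviews a script that calls this. The enclosing `run()` starts outside the hunk, so whether `args` is length-checked before `args[0]`..`args[2]` are read cannot be confirmed from here; if `GroupService` is no longer used in this file, its import can presumably be dropped.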
@@ -0,0 +1,52 @@
+"""Get_env."""
+from typing import Any, Set
+from typing import Union
+from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.permission_target import PermissionTargetModel
+from spiffworkflow_backend.models.principal import PrincipalModel
+from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
+
+from spiffworkflow_backend.models.script_attributes_context import (
+ ScriptAttributesContext,
+)
+from spiffworkflow_backend.scripts.script import Script
+from spiffworkflow_backend.services.authorization_service import AuthorizationService
+from spiffworkflow_backend.services.group_service import GroupService
+
+from collections import OrderedDict
+
+
+# add_permission("read", "test/*", "Editors")
+
+
+class GetAllPermissions(Script):
+
+ def get_description(self) -> str:
+ """Get_description."""
+ return """Get all permissions currently in the system."""
+
+ def run(
+ self,
+ script_attributes_context: ScriptAttributesContext,
+ *args: Any,
+ **kwargs: Any,
+ ) -> Any:
+ """Run."""
+ permission_assignments = (
+ PermissionAssignmentModel.query
+ .join(PrincipalModel, PrincipalModel.id == PermissionAssignmentModel.principal_id)
+ .join(GroupModel, GroupModel.id == PrincipalModel.group_id)
+ .join(PermissionTargetModel, PermissionTargetModel.id == PermissionAssignmentModel.permission_target_id)
+ .add_columns(
+ PermissionAssignmentModel.permission,
+ PermissionTargetModel.uri,
+ GroupModel.identifier.label('group_identifier')
+ )
+ )
+
+ permissions: OrderedDict[tuple[str, str], list[str]] = OrderedDict()
+ for pa in permission_assignments:
+ permissions.setdefault((pa.group_identifier, pa.uri), []).append(pa.permission)
+
+ return [{'group_identifier': k[0], 'uri': k[1], 'permissions': sorted(v)}
+ for k, v in permissions.items()]
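Review bot: The query inner-joins `GroupModel` through `PrincipalModel.group_id`, so any assignment whose principal is not tied to a group is silently left out, while `get_description` promises all permissions currently in the system. Presumably user principals exist (the permissions YAML carries a `users:` list), so an audit built on this output could miss direct grants; either state the limit, e.g. `return """Get all group permissions currently in the system."""`, or use outer joins and report the user as well. The query also has no `order_by`, although the result is returned as an ordered list; something like `.order_by(PermissionAssignmentModel.id)` (assuming the model has an `id` column) would make the order deterministic. The module docstring `"""Get_env."""`, the `# add_permission(...)` comment and the unused `Set`, `Union`, `AuthorizationService` and `GroupService` imports look like copy-paste leftovers.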
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_all_permissions.py b/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_all_permissions.py
new file mode 100644
index 000000000..d6a5a178c
--- /dev/null
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_all_permissions.py
@@ -0,0 +1,55 @@
+"""Test_get_localtime."""
+import pytest
+from flask.app import Flask
+from flask.testing import FlaskClient
+from flask_bpmn.api.api_error import ApiError
+from spiffworkflow_backend.scripts.get_all_permissions import GetAllPermissions
+from tests.spiffworkflow_backend.helpers.base_test import BaseTest
+from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
+
+from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
+from spiffworkflow_backend.models.permission_target import PermissionTargetModel
+from spiffworkflow_backend.models.script_attributes_context import (
+ ScriptAttributesContext,
+)
+from spiffworkflow_backend.models.user import UserModel
+from spiffworkflow_backend.scripts.add_permission import AddPermission
+from spiffworkflow_backend.services.process_instance_processor import (
+ ProcessInstanceProcessor,
+)
+
+
+class TestGetAllPermissions(BaseTest):
+
+ def test_can_get_all_permissions(
+ self,
+ app: Flask,
+ client: FlaskClient,
+ with_db_and_bpmn_file_cleanup: None,
+ with_super_admin_user: UserModel,
+ ) -> None:
+ self.find_or_create_user("test_user")
+
+ # now that we have everything, try to clear it out...
+ script_attributes_context = ScriptAttributesContext(
+ task=None,
+ environment_identifier="testing",
+ process_instance_id=1,
+ process_model_identifier="my_test_user",
+ )
+ AddPermission().run(
+ script_attributes_context, "start", "PG:hey:group", "my_test_group"
+ )
+ AddPermission().run(
+ script_attributes_context, "all", "/tasks", "my_test_group"
+ )
+
+ expected_permissions = [
+ {'group_identifier': 'my_test_group', 'uri': '/process-instances/hey:group:%', 'permissions': ['create']},
+ {'group_identifier': 'my_test_group', 'uri': '/process-instances/for-me/hey:group:%', 'permissions': ['read']},
+ {'group_identifier': 'my_test_group', 'uri': '/tasks', 'permissions': ['create', 'delete', 'read', 'update']}
+ ]
+
+ permissions = GetAllPermissions().run(script_attributes_context)
+ assert permissions == expected_permissions
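Review bot: The test exercises a single group only, so it does not show that assignments are kept apart per group, nor what the script returns for a principal that has no group. A second `AddPermission().run(...)` for another group identifier, with its rows added to `expected_permissions`, would pin the `(group_identifier, uri)` grouping that the script is built around. The module docstring `"""Test_get_localtime."""` and the comment `# now that we have everything, try to clear it out...` describe a different test and should be replaced, e.g. with `# grant two macro permissions, then read them back`. `pytest`, `ApiError`, `load_test_spec`, `GroupModel`, `PermissionAssignmentModel`, `PermissionTargetModel` and `ProcessInstanceProcessor` are imported but not used in this file.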