mirror of
https://github.com/sartography/spiff-arena.git
synced 2025-01-17 04:51:28 +00:00
3c12e8ad35
Main change is in the ErrorDisplay.tsx to assure all error information is provided. and index.css to make it "pretty"
193 lines
7.7 KiB
Python
193 lines
7.7 KiB
Python
"""Test Permissions."""
|
|
from flask.app import Flask
|
|
from flask.testing import FlaskClient
|
|
from tests.spiffworkflow_backend.helpers.base_test import BaseTest
|
|
from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
|
|
|
|
from spiffworkflow_backend.models.db import db
|
|
from spiffworkflow_backend.models.group import GroupModel
|
|
from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
|
|
from spiffworkflow_backend.models.permission_target import PermissionTargetModel
|
|
from spiffworkflow_backend.models.principal import PrincipalModel
|
|
from spiffworkflow_backend.models.user import UserModel
|
|
from spiffworkflow_backend.services.user_service import UserService
|
|
|
|
|
|
# we think we can get the list of roles for a user.
|
|
# spiff needs a way to determine what each role allows.
|
|
|
|
|
|
# user role allows list and read of all process groups/models
|
|
# super-admin role allows create, update, and delete of all process groups/models
|
|
# * super-admins users maybe conventionally get the user role as well
|
|
# finance-admin role allows create, update, and delete of all models under the finance group
|
|
class TestPermissions(BaseTest):
|
|
"""TestPermissions."""
|
|
|
|
def test_user_can_be_given_permission_to_administer_process_group(
|
|
self,
|
|
app: Flask,
|
|
client: FlaskClient,
|
|
with_db_and_bpmn_file_cleanup: None,
|
|
with_super_admin_user: UserModel,
|
|
) -> None:
|
|
"""Test_user_can_be_given_permission_to_administer_process_group."""
|
|
process_group_id = "group-a"
|
|
self.create_process_group(
|
|
client, with_super_admin_user, process_group_id, process_group_id
|
|
)
|
|
load_test_spec(
|
|
"group-a/timers_intermediate_catch_event",
|
|
bpmn_file_name="timers_intermediate_catch_event.bpmn",
|
|
process_model_source_directory="timers_intermediate_catch_event",
|
|
)
|
|
dan = self.find_or_create_user()
|
|
principal = dan.principal
|
|
|
|
permission_target = PermissionTargetModel(uri=f"/{process_group_id}")
|
|
db.session.add(permission_target)
|
|
db.session.commit()
|
|
|
|
permission_assignment = PermissionAssignmentModel(
|
|
permission_target_id=permission_target.id,
|
|
principal_id=principal.id,
|
|
permission="delete",
|
|
grant_type="permit",
|
|
)
|
|
db.session.add(permission_assignment)
|
|
db.session.commit()
|
|
|
|
def test_group_a_admin_needs_to_stay_away_from_group_b(
|
|
self, app: Flask, with_db_and_bpmn_file_cleanup: None
|
|
) -> None:
|
|
"""Test_group_a_admin_needs_to_stay_away_from_group_b."""
|
|
process_group_ids = ["group-a", "group-b"]
|
|
process_group_a_id = process_group_ids[0]
|
|
process_group_b_id = process_group_ids[1]
|
|
for process_group_id in process_group_ids:
|
|
load_test_spec(
|
|
f"{process_group_id}/timers_intermediate_catch_event",
|
|
bpmn_file_name="timers_intermediate_catch_event",
|
|
process_model_source_directory="timers_intermediate_catch_event",
|
|
)
|
|
group_a_admin = self.find_or_create_user()
|
|
|
|
permission_target = PermissionTargetModel(uri=f"/{process_group_a_id}")
|
|
db.session.add(permission_target)
|
|
db.session.commit()
|
|
|
|
permission_assignment = PermissionAssignmentModel(
|
|
permission_target_id=permission_target.id,
|
|
principal_id=group_a_admin.principal.id,
|
|
permission="update",
|
|
grant_type="permit",
|
|
)
|
|
db.session.add(permission_assignment)
|
|
db.session.commit()
|
|
|
|
self.assert_user_has_permission(
|
|
group_a_admin, "update", f"/{process_group_a_id}"
|
|
)
|
|
self.assert_user_has_permission(
|
|
group_a_admin, "update", f"/{process_group_b_id}", expected_result=False
|
|
)
|
|
|
|
def test_user_can_be_granted_access_through_a_group(
|
|
self, app: Flask, with_db_and_bpmn_file_cleanup: None
|
|
) -> None:
|
|
"""Test_user_can_be_granted_access_through_a_group."""
|
|
process_group_ids = ["group-a", "group-b"]
|
|
process_group_a_id = process_group_ids[0]
|
|
for process_group_id in process_group_ids:
|
|
load_test_spec(
|
|
f"{process_group_id}/timers_intermediate_catch_event",
|
|
bpmn_file_name="timers_intermediate_catch_event.bpmn",
|
|
process_model_source_directory="timers_intermediate_catch_event",
|
|
)
|
|
user = self.find_or_create_user()
|
|
group = GroupModel(identifier="groupA")
|
|
db.session.add(group)
|
|
db.session.commit()
|
|
|
|
UserService.add_user_to_group(user, group)
|
|
|
|
permission_target = PermissionTargetModel(uri=f"/{process_group_a_id}")
|
|
db.session.add(permission_target)
|
|
db.session.commit()
|
|
|
|
principal = PrincipalModel(group_id=group.id)
|
|
db.session.add(principal)
|
|
db.session.commit()
|
|
|
|
permission_assignment = PermissionAssignmentModel(
|
|
permission_target_id=permission_target.id,
|
|
principal_id=group.principal.id,
|
|
permission="update",
|
|
grant_type="permit",
|
|
)
|
|
db.session.add(permission_assignment)
|
|
db.session.commit()
|
|
|
|
self.assert_user_has_permission(user, "update", f"/{process_group_a_id}")
|
|
|
|
def test_user_can_be_read_models_with_global_permission(
|
|
self, app: Flask, with_db_and_bpmn_file_cleanup: None
|
|
) -> None:
|
|
"""Test_user_can_be_read_models_with_global_permission."""
|
|
process_group_ids = ["group-a", "group-b"]
|
|
process_group_a_id = process_group_ids[0]
|
|
process_group_b_id = process_group_ids[1]
|
|
for process_group_id in process_group_ids:
|
|
load_test_spec(
|
|
f"{process_group_id}/timers_intermediate_catch_event",
|
|
bpmn_file_name="timers_intermediate_catch_event.bpmn",
|
|
process_model_source_directory="timers_intermediate_catch_event",
|
|
)
|
|
group_a_admin = self.find_or_create_user()
|
|
|
|
permission_target = PermissionTargetModel(uri="/%")
|
|
db.session.add(permission_target)
|
|
db.session.commit()
|
|
|
|
permission_assignment = PermissionAssignmentModel(
|
|
permission_target_id=permission_target.id,
|
|
principal_id=group_a_admin.principal.id,
|
|
permission="update",
|
|
grant_type="permit",
|
|
)
|
|
db.session.add(permission_assignment)
|
|
db.session.commit()
|
|
|
|
self.assert_user_has_permission(
|
|
group_a_admin, "update", f"/{process_group_a_id}"
|
|
)
|
|
self.assert_user_has_permission(
|
|
group_a_admin, "update", f"/{process_group_b_id}"
|
|
)
|
|
|
|
def test_user_can_access_base_path_when_given_wildcard_permission(
|
|
self, app: Flask, with_db_and_bpmn_file_cleanup: None
|
|
) -> None:
|
|
"""Test_user_can_access_base_path_when_given_wildcard_permission."""
|
|
group_a_admin = self.find_or_create_user()
|
|
|
|
permission_target = PermissionTargetModel(uri="/process-models/%")
|
|
db.session.add(permission_target)
|
|
db.session.commit()
|
|
|
|
permission_assignment = PermissionAssignmentModel(
|
|
permission_target_id=permission_target.id,
|
|
principal_id=group_a_admin.principal.id,
|
|
permission="update",
|
|
grant_type="permit",
|
|
)
|
|
db.session.add(permission_assignment)
|
|
db.session.commit()
|
|
|
|
self.assert_user_has_permission(group_a_admin, "update", "/process-models/hey")
|
|
self.assert_user_has_permission(group_a_admin, "update", "/process-models/")
|
|
self.assert_user_has_permission(group_a_admin, "update", "/process-models")
|
|
self.assert_user_has_permission(
|
|
group_a_admin, "update", "/process-modelshey", expected_result=False
|
|
)
|