add crud perms, allow getting principal from user, start actual permissions test

migrations/versions/99ea062e142f_.py

@@ -1,8 +1,8 @@
 """empty message
 
-Revision ID: e4099855709a
+Revision ID: 99ea062e142f
 Revises: 
-Create Date: 2022-10-07 15:17:50.681999
+Create Date: 2022-10-07 15:46:35.144987
 
 """
 from alembic import op
@@ -10,7 +10,7 @@ import sqlalchemy as sa
 
 
 # revision identifiers, used by Alembic.
-revision = 'e4099855709a'
+revision = '99ea062e142f'
 down_revision = None
 branch_labels = None
 depends_on = None
@@ -227,7 +227,7 @@ def upgrade():
     sa.Column('principal_id', sa.Integer(), nullable=False),
     sa.Column('permission_target_id', sa.Integer(), nullable=False),
     sa.Column('grant_type', sa.Enum('grant', 'deny', name='grantdeny'), nullable=True),
-    sa.Column('permission', sa.Enum('instantiate', 'administer', 'view_instance', name='permission'), nullable=True),
+    sa.Column('permission', sa.Enum('create', 'read', 'update', 'delete', 'list', 'instantiate', name='permission'), nullable=True),
     sa.ForeignKeyConstraint(['permission_target_id'], ['permission_target.id'], ),
     sa.ForeignKeyConstraint(['principal_id'], ['principal.id'], ),
     sa.PrimaryKeyConstraint('id')

src/spiffworkflow_backend/models/permission_assignment.py

@@ -20,9 +20,17 @@ class GrantDeny(enum.Enum):
 class Permission(enum.Enum):
     """Permission."""
 
-    instantiate = 1
-    administer = 2
-    view_instance = 3
+    # from original requirements
+    # instantiate = 1
+    # administer = 2
+    # view_instance = 3
+
+    create = 1
+    read = 2
+    update = 3
+    delete = 4
+    list = 5
+    instantiate = 6  # this is something you do to a process model
 
 
 class PermissionAssignmentModel(SpiffworkflowBaseDBModel):

src/spiffworkflow_backend/models/user.py

@@ -37,6 +37,7 @@ class UserModel(SpiffworkflowBaseDBModel):
         secondary="user_group_assignment",
         overlaps="user_group_assignments,users",
     )
+    principal = relationship("PrincipalModel", uselist=False)  # type: ignore
 
     @validates("service")
     def validate_service(self, key: str, value: Any) -> str:

tests/spiffworkflow_backend/unit/test_permissions.py

@@ -1,26 +1,71 @@
 """Test Permissions."""
 from flask.app import Flask
+from flask_bpmn.models.db import db
 from tests.spiffworkflow_backend.helpers.base_test import BaseTest
+from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
 
-# from tests.spiffworkflow_backend.helpers.test_data import find_or_create_process_group
-# from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
-# from spiffworkflow_backend.models.permission_target import PermissionTargetModel
+from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
+from spiffworkflow_backend.models.permission_target import PermissionTargetModel
 
 
-def test_user_can_be_given_permission_to_administer_process_group(app: Flask) -> None:
-    """Test_user_can_be_given_permission_to_administer_process_group."""
-    BaseTest.find_or_create_user()
+# we think we can get the list of roles for a user.
+# spiff needs a way to determine what each role allows.
 
-    # process_group = find_or_create_process_group()
-    # permission_target = PermissionTargetModel(process_group_id=process_group.id)
-    # db.session.add(permission_target)
-    # db.session.commit()
-    #
-    # permission_assignment = PermissionAssignmentModel(
-    #     permission_target_id=permission_target.id,
-    #     principal_id=principal.id,
-    #     permission="administer",
-    #     grant_type="grant",
-    # )
-    # db.session.add(permission_assignment)
-    # db.session.commit()
+# user role allows list and read of all process groups/models
+# super-admin role allows create, update, and delete of all process groups/models
+#  * super-admins users maybe conventionally get the user role as well
+# finance-admin role allows create, update, and delete of all models under the finance group
+class TestPermissions(BaseTest):
+    """TestPermissions."""
+
+    def test_user_can_be_given_permission_to_administer_process_group(
+        self, app: Flask, with_db_and_bpmn_file_cleanup: None
+    ) -> None:
+        """Test_user_can_be_given_permission_to_administer_process_group."""
+        process_group_id = "group-a"
+        load_test_spec(
+            "timers_intermediate_catch_event",
+            process_group_id=process_group_id,
+        )
+        dan = self.find_or_create_user()
+        principal = dan.principal
+
+        permission_target = PermissionTargetModel(uri=f"/{process_group_id}")
+        db.session.add(permission_target)
+        db.session.commit()
+
+        permission_assignment = PermissionAssignmentModel(
+            permission_target_id=permission_target.id,
+            principal_id=principal.id,
+            permission="delete",
+            grant_type="grant",
+        )
+        db.session.add(permission_assignment)
+        db.session.commit()
+
+    def test_group_a_admin_needs_to_stay_away_from_group_b(
+        self, app: Flask, with_db_and_bpmn_file_cleanup: None
+    ) -> None:
+        """Test_group_a_admin_needs_to_stay_away_from_group_b."""
+        process_group_ids = ["group-a", "group-b"]
+        process_group_a_id = process_group_ids[0]
+        for process_group_id in process_group_ids:
+            load_test_spec(
+                "timers_intermediate_catch_event",
+                process_group_id=process_group_id,
+            )
+        group_a_admin = self.find_or_create_user()
+        principal = group_a_admin.principal
+
+        permission_target = PermissionTargetModel(uri=f"/{process_group_a_id}")
+        db.session.add(permission_target)
+        db.session.commit()
+
+        permission_assignment = PermissionAssignmentModel(
+            permission_target_id=permission_target.id,
+            principal_id=principal.id,
+            permission="update",
+            grant_type="grant",
+        )
+        db.session.add(permission_assignment)
+        db.session.commit()