pyl
This commit is contained in:
parent
e3b9e127c1
commit
a56734226d
|
@ -69,7 +69,7 @@ permissions:
|
||||||
users: []
|
users: []
|
||||||
allowed_permissions: [read]
|
allowed_permissions: [read]
|
||||||
uri: /process-models/*
|
uri: /process-models/*
|
||||||
|
|
||||||
# basic perms for everybody
|
# basic perms for everybody
|
||||||
read-all-process-instances-for-me:
|
read-all-process-instances-for-me:
|
||||||
groups: [everybody]
|
groups: [everybody]
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
"""Authorization_service."""
|
"""Authorization_service."""
|
||||||
from dataclasses import dataclass
|
|
||||||
import inspect
|
import inspect
|
||||||
import re
|
import re
|
||||||
|
from dataclasses import dataclass
|
||||||
from hashlib import sha256
|
from hashlib import sha256
|
||||||
from hmac import compare_digest
|
from hmac import compare_digest
|
||||||
from hmac import HMAC
|
from hmac import HMAC
|
||||||
|
@ -48,21 +48,23 @@ class UserDoesNotHaveAccessToTaskError(Exception):
|
||||||
|
|
||||||
|
|
||||||
class InvalidPermissionError(Exception):
|
class InvalidPermissionError(Exception):
|
||||||
pass
|
"""InvalidPermissionError."""
|
||||||
|
|
||||||
|
|
||||||
@dataclass
|
@dataclass
|
||||||
class PermissionToAssign:
|
class PermissionToAssign:
|
||||||
|
"""PermissionToAssign."""
|
||||||
|
|
||||||
permission: str
|
permission: str
|
||||||
target_uri: str
|
target_uri: str
|
||||||
|
|
||||||
|
|
||||||
PATH_SEGMENTS_FOR_PERMISSION_ALL = [
|
PATH_SEGMENTS_FOR_PERMISSION_ALL = [
|
||||||
'/logs',
|
"/logs",
|
||||||
'/process-instances',
|
"/process-instances",
|
||||||
'/process-instance-suspend',
|
"/process-instance-suspend",
|
||||||
'/process-instance-terminate',
|
"/process-instance-terminate",
|
||||||
'/task-data',
|
"/task-data",
|
||||||
]
|
]
|
||||||
|
|
||||||
|
|
||||||
|
@ -535,33 +537,47 @@ class AuthorizationService:
|
||||||
return user_model # type: ignore
|
return user_model # type: ignore
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def get_permissions_to_assign(cls, permission_set: str, process_related_path_segment: str, target_uris: list[str]) -> list[PermissionToAssign]:
|
def get_permissions_to_assign(
|
||||||
permissions = permission_set.split(',')
|
cls,
|
||||||
|
permission_set: str,
|
||||||
|
process_related_path_segment: str,
|
||||||
|
target_uris: list[str],
|
||||||
|
) -> list[PermissionToAssign]:
|
||||||
|
"""Get_permissions_to_assign."""
|
||||||
|
permissions = permission_set.split(",")
|
||||||
if permission_set == "all":
|
if permission_set == "all":
|
||||||
permissions = ['create', 'read', 'update', 'delete']
|
permissions = ["create", "read", "update", "delete"]
|
||||||
|
|
||||||
permissions_to_assign: list[PermissionToAssign] = []
|
permissions_to_assign: list[PermissionToAssign] = []
|
||||||
|
|
||||||
# we were thinking that if you can start an instance, you ought to be able to view your own instances.
|
# we were thinking that if you can start an instance, you ought to be able to view your own instances.
|
||||||
if permission_set == "start":
|
if permission_set == "start":
|
||||||
target_uri = f"/process-instances/{process_related_path_segment}"
|
target_uri = f"/process-instances/{process_related_path_segment}"
|
||||||
permissions_to_assign.append(PermissionToAssign(permission='create', target_uri=target_uri))
|
permissions_to_assign.append(
|
||||||
|
PermissionToAssign(permission="create", target_uri=target_uri)
|
||||||
|
)
|
||||||
target_uri = f"/process-instances/for-me/{process_related_path_segment}"
|
target_uri = f"/process-instances/for-me/{process_related_path_segment}"
|
||||||
permissions_to_assign.append(PermissionToAssign(permission='read', target_uri=target_uri))
|
permissions_to_assign.append(
|
||||||
|
PermissionToAssign(permission="read", target_uri=target_uri)
|
||||||
|
)
|
||||||
|
|
||||||
else:
|
else:
|
||||||
if permission_set == 'all':
|
if permission_set == "all":
|
||||||
for path_segment in PATH_SEGMENTS_FOR_PERMISSION_ALL:
|
for path_segment in PATH_SEGMENTS_FOR_PERMISSION_ALL:
|
||||||
target_uris.append(f"{path_segment}/{process_related_path_segment}")
|
target_uris.append(f"{path_segment}/{process_related_path_segment}")
|
||||||
|
|
||||||
for target_uri in target_uris:
|
for target_uri in target_uris:
|
||||||
for permission in permissions:
|
for permission in permissions:
|
||||||
permissions_to_assign.append(PermissionToAssign(permission=permission, target_uri=target_uri))
|
permissions_to_assign.append(
|
||||||
|
PermissionToAssign(permission=permission, target_uri=target_uri)
|
||||||
|
)
|
||||||
|
|
||||||
return permissions_to_assign
|
return permissions_to_assign
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def explode_permissions(cls, permission_set: str, target: str) -> list[PermissionToAssign]:
|
def explode_permissions(
|
||||||
|
cls, permission_set: str, target: str
|
||||||
|
) -> list[PermissionToAssign]:
|
||||||
"""Explodes given permissions to and returns list of PermissionToAssign objects.
|
"""Explodes given permissions to and returns list of PermissionToAssign objects.
|
||||||
|
|
||||||
These can be used to then iterate through and inserted into the database.
|
These can be used to then iterate through and inserted into the database.
|
||||||
|
@ -583,46 +599,87 @@ class AuthorizationService:
|
||||||
* only works with PG and PM target macros
|
* only works with PG and PM target macros
|
||||||
"""
|
"""
|
||||||
permissions_to_assign: list[PermissionToAssign] = []
|
permissions_to_assign: list[PermissionToAssign] = []
|
||||||
permissions = permission_set.split(',')
|
permissions = permission_set.split(",")
|
||||||
if permission_set == "all":
|
if permission_set == "all":
|
||||||
permissions = ['create', 'read', 'update', 'delete']
|
permissions = ["create", "read", "update", "delete"]
|
||||||
|
|
||||||
if target.startswith("PG:"):
|
if target.startswith("PG:"):
|
||||||
process_group_identifier = target.removeprefix("PG:").replace(":", "/").removeprefix('/')
|
process_group_identifier = (
|
||||||
|
target.removeprefix("PG:").replace(":", "/").removeprefix("/")
|
||||||
|
)
|
||||||
process_related_path_segment = f"{process_group_identifier}/*"
|
process_related_path_segment = f"{process_group_identifier}/*"
|
||||||
if process_group_identifier == "ALL":
|
if process_group_identifier == "ALL":
|
||||||
process_related_path_segment = "*"
|
process_related_path_segment = "*"
|
||||||
target_uris = [f"/process-groups/{process_related_path_segment}", f"/process-models/{process_related_path_segment}"]
|
target_uris = [
|
||||||
permissions_to_assign = permissions_to_assign + cls.get_permissions_to_assign(permission_set, process_related_path_segment, target_uris)
|
f"/process-groups/{process_related_path_segment}",
|
||||||
|
f"/process-models/{process_related_path_segment}",
|
||||||
|
]
|
||||||
|
permissions_to_assign = (
|
||||||
|
permissions_to_assign
|
||||||
|
+ cls.get_permissions_to_assign(
|
||||||
|
permission_set, process_related_path_segment, target_uris
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
elif target.startswith("PM:"):
|
elif target.startswith("PM:"):
|
||||||
process_model_identifier = target.removeprefix("PM:").replace(":", "/").removeprefix('/')
|
process_model_identifier = (
|
||||||
|
target.removeprefix("PM:").replace(":", "/").removeprefix("/")
|
||||||
|
)
|
||||||
process_related_path_segment = f"{process_model_identifier}/*"
|
process_related_path_segment = f"{process_model_identifier}/*"
|
||||||
|
|
||||||
if process_model_identifier == "ALL":
|
if process_model_identifier == "ALL":
|
||||||
process_related_path_segment = "*"
|
process_related_path_segment = "*"
|
||||||
|
|
||||||
target_uris = [f"/process-models/{process_related_path_segment}"]
|
target_uris = [f"/process-models/{process_related_path_segment}"]
|
||||||
permissions_to_assign = permissions_to_assign + cls.get_permissions_to_assign(permission_set, process_related_path_segment, target_uris)
|
permissions_to_assign = (
|
||||||
|
permissions_to_assign
|
||||||
|
+ cls.get_permissions_to_assign(
|
||||||
|
permission_set, process_related_path_segment, target_uris
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
elif permission_set == "start":
|
elif permission_set == "start":
|
||||||
raise InvalidPermissionError("Permission 'start' is only available for macros PM and PG.")
|
raise InvalidPermissionError(
|
||||||
|
"Permission 'start' is only available for macros PM and PG."
|
||||||
|
)
|
||||||
|
|
||||||
elif target.startswith("BASIC"):
|
elif target.startswith("BASIC"):
|
||||||
permissions_to_assign.append(PermissionToAssign(permission='read', target_uri="/process-instances/for-me"))
|
permissions_to_assign.append(
|
||||||
permissions_to_assign.append(PermissionToAssign(permission='read', target_uri="/processes"))
|
PermissionToAssign(
|
||||||
permissions_to_assign.append(PermissionToAssign(permission='read', target_uri="/service-tasks"))
|
permission="read", target_uri="/process-instances/for-me"
|
||||||
permissions_to_assign.append(PermissionToAssign(permission='read', target_uri="/user-groups/for-current-user"))
|
)
|
||||||
|
)
|
||||||
|
permissions_to_assign.append(
|
||||||
|
PermissionToAssign(permission="read", target_uri="/processes")
|
||||||
|
)
|
||||||
|
permissions_to_assign.append(
|
||||||
|
PermissionToAssign(permission="read", target_uri="/service-tasks")
|
||||||
|
)
|
||||||
|
permissions_to_assign.append(
|
||||||
|
PermissionToAssign(
|
||||||
|
permission="read", target_uri="/user-groups/for-current-user"
|
||||||
|
)
|
||||||
|
)
|
||||||
|
|
||||||
for permission in ['create', 'read', 'update', 'delete']:
|
for permission in ["create", "read", "update", "delete"]:
|
||||||
permissions_to_assign.append(PermissionToAssign(permission=permission, target_uri="/process-instances/reports/*"))
|
permissions_to_assign.append(
|
||||||
permissions_to_assign.append(PermissionToAssign(permission=permission, target_uri="/tasks/*"))
|
PermissionToAssign(
|
||||||
|
permission=permission, target_uri="/process-instances/reports/*"
|
||||||
|
)
|
||||||
|
)
|
||||||
|
permissions_to_assign.append(
|
||||||
|
PermissionToAssign(permission=permission, target_uri="/tasks/*")
|
||||||
|
)
|
||||||
elif target == "ALL":
|
elif target == "ALL":
|
||||||
for permission in permissions:
|
for permission in permissions:
|
||||||
permissions_to_assign.append(PermissionToAssign(permission=permission, target_uri='/*'))
|
permissions_to_assign.append(
|
||||||
elif target.startswith('/'):
|
PermissionToAssign(permission=permission, target_uri="/*")
|
||||||
|
)
|
||||||
|
elif target.startswith("/"):
|
||||||
for permission in permissions:
|
for permission in permissions:
|
||||||
permissions_to_assign.append(PermissionToAssign(permission=permission, target_uri=target))
|
permissions_to_assign.append(
|
||||||
|
PermissionToAssign(permission=permission, target_uri=target)
|
||||||
|
)
|
||||||
else:
|
else:
|
||||||
raise InvalidPermissionError(
|
raise InvalidPermissionError(
|
||||||
f"Target uri '{target}' with permission set '{permission_set}' is invalid. "
|
f"Target uri '{target}' with permission set '{permission_set}' is invalid. "
|
||||||
|
@ -632,12 +689,16 @@ class AuthorizationService:
|
||||||
return permissions_to_assign
|
return permissions_to_assign
|
||||||
|
|
||||||
@classmethod
|
@classmethod
|
||||||
def add_permission_from_uri_or_macro(cls, group_identifier: str, permission: str, target: str) -> None:
|
def add_permission_from_uri_or_macro(
|
||||||
|
cls, group_identifier: str, permission: str, target: str
|
||||||
|
) -> None:
|
||||||
"""Add_permission_from_uri_or_macro."""
|
"""Add_permission_from_uri_or_macro."""
|
||||||
group = GroupService.find_or_create_group(group_identifier)
|
group = GroupService.find_or_create_group(group_identifier)
|
||||||
permissions_to_assign = cls.explode_permissions(permission, target)
|
permissions_to_assign = cls.explode_permissions(permission, target)
|
||||||
for permission_to_assign in permissions_to_assign:
|
for permission_to_assign in permissions_to_assign:
|
||||||
permission_target = AuthorizationService.find_or_create_permission_target(permission_to_assign.target_uri)
|
permission_target = AuthorizationService.find_or_create_permission_target(
|
||||||
|
permission_to_assign.target_uri
|
||||||
|
)
|
||||||
AuthorizationService.create_permission_for_principal(
|
AuthorizationService.create_permission_for_principal(
|
||||||
group.principal, permission_target, permission_to_assign.permission
|
group.principal, permission_target, permission_to_assign.permission
|
||||||
)
|
)
|
||||||
|
|
|
@ -6,7 +6,8 @@ from tests.spiffworkflow_backend.helpers.base_test import BaseTest
|
||||||
|
|
||||||
from spiffworkflow_backend.models.user import UserModel
|
from spiffworkflow_backend.models.user import UserModel
|
||||||
from spiffworkflow_backend.models.user import UserNotFoundError
|
from spiffworkflow_backend.models.user import UserNotFoundError
|
||||||
from spiffworkflow_backend.services.authorization_service import AuthorizationService, InvalidPermissionError
|
from spiffworkflow_backend.services.authorization_service import AuthorizationService
|
||||||
|
from spiffworkflow_backend.services.authorization_service import InvalidPermissionError
|
||||||
from spiffworkflow_backend.services.process_instance_processor import (
|
from spiffworkflow_backend.services.process_instance_processor import (
|
||||||
ProcessInstanceProcessor,
|
ProcessInstanceProcessor,
|
||||||
)
|
)
|
||||||
|
@ -151,38 +152,67 @@ class TestAuthorizationService(BaseTest):
|
||||||
client: FlaskClient,
|
client: FlaskClient,
|
||||||
with_db_and_bpmn_file_cleanup: None,
|
with_db_and_bpmn_file_cleanup: None,
|
||||||
) -> None:
|
) -> None:
|
||||||
|
"""Test_explode_permissions_all_on_process_group."""
|
||||||
expected_permissions = [
|
expected_permissions = [
|
||||||
('/logs/some-process-group/some-process-model/*', 'create'),
|
("/logs/some-process-group/some-process-model/*", "create"),
|
||||||
('/logs/some-process-group/some-process-model/*', 'delete'),
|
("/logs/some-process-group/some-process-model/*", "delete"),
|
||||||
('/logs/some-process-group/some-process-model/*', 'read'),
|
("/logs/some-process-group/some-process-model/*", "read"),
|
||||||
('/logs/some-process-group/some-process-model/*', 'update'),
|
("/logs/some-process-group/some-process-model/*", "update"),
|
||||||
('/process-groups/some-process-group/some-process-model/*', 'create'),
|
("/process-groups/some-process-group/some-process-model/*", "create"),
|
||||||
('/process-groups/some-process-group/some-process-model/*', 'delete'),
|
("/process-groups/some-process-group/some-process-model/*", "delete"),
|
||||||
('/process-groups/some-process-group/some-process-model/*', 'read'),
|
("/process-groups/some-process-group/some-process-model/*", "read"),
|
||||||
('/process-groups/some-process-group/some-process-model/*', 'update'),
|
("/process-groups/some-process-group/some-process-model/*", "update"),
|
||||||
('/process-instance-suspend/some-process-group/some-process-model/*', 'create'),
|
(
|
||||||
('/process-instance-suspend/some-process-group/some-process-model/*', 'delete'),
|
"/process-instance-suspend/some-process-group/some-process-model/*",
|
||||||
('/process-instance-suspend/some-process-group/some-process-model/*', 'read'),
|
"create",
|
||||||
('/process-instance-suspend/some-process-group/some-process-model/*', 'update'),
|
),
|
||||||
('/process-instance-terminate/some-process-group/some-process-model/*', 'create'),
|
(
|
||||||
('/process-instance-terminate/some-process-group/some-process-model/*', 'delete'),
|
"/process-instance-suspend/some-process-group/some-process-model/*",
|
||||||
('/process-instance-terminate/some-process-group/some-process-model/*', 'read'),
|
"delete",
|
||||||
('/process-instance-terminate/some-process-group/some-process-model/*', 'update'),
|
),
|
||||||
('/process-instances/some-process-group/some-process-model/*', 'create'),
|
(
|
||||||
('/process-instances/some-process-group/some-process-model/*', 'delete'),
|
"/process-instance-suspend/some-process-group/some-process-model/*",
|
||||||
('/process-instances/some-process-group/some-process-model/*', 'read'),
|
"read",
|
||||||
('/process-instances/some-process-group/some-process-model/*', 'update'),
|
),
|
||||||
('/process-models/some-process-group/some-process-model/*', 'create'),
|
(
|
||||||
('/process-models/some-process-group/some-process-model/*', 'delete'),
|
"/process-instance-suspend/some-process-group/some-process-model/*",
|
||||||
('/process-models/some-process-group/some-process-model/*', 'read'),
|
"update",
|
||||||
('/process-models/some-process-group/some-process-model/*', 'update'),
|
),
|
||||||
('/task-data/some-process-group/some-process-model/*', 'create'),
|
(
|
||||||
('/task-data/some-process-group/some-process-model/*', 'delete'),
|
"/process-instance-terminate/some-process-group/some-process-model/*",
|
||||||
('/task-data/some-process-group/some-process-model/*', 'read'),
|
"create",
|
||||||
('/task-data/some-process-group/some-process-model/*', 'update'),
|
),
|
||||||
|
(
|
||||||
|
"/process-instance-terminate/some-process-group/some-process-model/*",
|
||||||
|
"delete",
|
||||||
|
),
|
||||||
|
(
|
||||||
|
"/process-instance-terminate/some-process-group/some-process-model/*",
|
||||||
|
"read",
|
||||||
|
),
|
||||||
|
(
|
||||||
|
"/process-instance-terminate/some-process-group/some-process-model/*",
|
||||||
|
"update",
|
||||||
|
),
|
||||||
|
("/process-instances/some-process-group/some-process-model/*", "create"),
|
||||||
|
("/process-instances/some-process-group/some-process-model/*", "delete"),
|
||||||
|
("/process-instances/some-process-group/some-process-model/*", "read"),
|
||||||
|
("/process-instances/some-process-group/some-process-model/*", "update"),
|
||||||
|
("/process-models/some-process-group/some-process-model/*", "create"),
|
||||||
|
("/process-models/some-process-group/some-process-model/*", "delete"),
|
||||||
|
("/process-models/some-process-group/some-process-model/*", "read"),
|
||||||
|
("/process-models/some-process-group/some-process-model/*", "update"),
|
||||||
|
("/task-data/some-process-group/some-process-model/*", "create"),
|
||||||
|
("/task-data/some-process-group/some-process-model/*", "delete"),
|
||||||
|
("/task-data/some-process-group/some-process-model/*", "read"),
|
||||||
|
("/task-data/some-process-group/some-process-model/*", "update"),
|
||||||
]
|
]
|
||||||
permissions_to_assign = AuthorizationService.explode_permissions('all', 'PG:/some-process-group/some-process-model')
|
permissions_to_assign = AuthorizationService.explode_permissions(
|
||||||
permissions_to_assign_tuples = sorted([(p.target_uri, p.permission) for p in permissions_to_assign])
|
"all", "PG:/some-process-group/some-process-model"
|
||||||
|
)
|
||||||
|
permissions_to_assign_tuples = sorted(
|
||||||
|
[(p.target_uri, p.permission) for p in permissions_to_assign]
|
||||||
|
)
|
||||||
assert permissions_to_assign_tuples == expected_permissions
|
assert permissions_to_assign_tuples == expected_permissions
|
||||||
|
|
||||||
def test_explode_permissions_start_on_process_group(
|
def test_explode_permissions_start_on_process_group(
|
||||||
|
@ -191,12 +221,20 @@ class TestAuthorizationService(BaseTest):
|
||||||
client: FlaskClient,
|
client: FlaskClient,
|
||||||
with_db_and_bpmn_file_cleanup: None,
|
with_db_and_bpmn_file_cleanup: None,
|
||||||
) -> None:
|
) -> None:
|
||||||
|
"""Test_explode_permissions_start_on_process_group."""
|
||||||
expected_permissions = [
|
expected_permissions = [
|
||||||
('/process-instances/for-me/some-process-group/some-process-model/*', 'read'),
|
(
|
||||||
('/process-instances/some-process-group/some-process-model/*', 'create'),
|
"/process-instances/for-me/some-process-group/some-process-model/*",
|
||||||
|
"read",
|
||||||
|
),
|
||||||
|
("/process-instances/some-process-group/some-process-model/*", "create"),
|
||||||
]
|
]
|
||||||
permissions_to_assign = AuthorizationService.explode_permissions('start', 'PG:/some-process-group/some-process-model')
|
permissions_to_assign = AuthorizationService.explode_permissions(
|
||||||
permissions_to_assign_tuples = sorted([(p.target_uri, p.permission) for p in permissions_to_assign])
|
"start", "PG:/some-process-group/some-process-model"
|
||||||
|
)
|
||||||
|
permissions_to_assign_tuples = sorted(
|
||||||
|
[(p.target_uri, p.permission) for p in permissions_to_assign]
|
||||||
|
)
|
||||||
assert permissions_to_assign_tuples == expected_permissions
|
assert permissions_to_assign_tuples == expected_permissions
|
||||||
|
|
||||||
def test_explode_permissions_all_on_process_model(
|
def test_explode_permissions_all_on_process_model(
|
||||||
|
@ -205,34 +243,63 @@ class TestAuthorizationService(BaseTest):
|
||||||
client: FlaskClient,
|
client: FlaskClient,
|
||||||
with_db_and_bpmn_file_cleanup: None,
|
with_db_and_bpmn_file_cleanup: None,
|
||||||
) -> None:
|
) -> None:
|
||||||
|
"""Test_explode_permissions_all_on_process_model."""
|
||||||
expected_permissions = [
|
expected_permissions = [
|
||||||
('/logs/some-process-group/some-process-model/*', 'create'),
|
("/logs/some-process-group/some-process-model/*", "create"),
|
||||||
('/logs/some-process-group/some-process-model/*', 'delete'),
|
("/logs/some-process-group/some-process-model/*", "delete"),
|
||||||
('/logs/some-process-group/some-process-model/*', 'read'),
|
("/logs/some-process-group/some-process-model/*", "read"),
|
||||||
('/logs/some-process-group/some-process-model/*', 'update'),
|
("/logs/some-process-group/some-process-model/*", "update"),
|
||||||
('/process-instance-suspend/some-process-group/some-process-model/*', 'create'),
|
(
|
||||||
('/process-instance-suspend/some-process-group/some-process-model/*', 'delete'),
|
"/process-instance-suspend/some-process-group/some-process-model/*",
|
||||||
('/process-instance-suspend/some-process-group/some-process-model/*', 'read'),
|
"create",
|
||||||
('/process-instance-suspend/some-process-group/some-process-model/*', 'update'),
|
),
|
||||||
('/process-instance-terminate/some-process-group/some-process-model/*', 'create'),
|
(
|
||||||
('/process-instance-terminate/some-process-group/some-process-model/*', 'delete'),
|
"/process-instance-suspend/some-process-group/some-process-model/*",
|
||||||
('/process-instance-terminate/some-process-group/some-process-model/*', 'read'),
|
"delete",
|
||||||
('/process-instance-terminate/some-process-group/some-process-model/*', 'update'),
|
),
|
||||||
('/process-instances/some-process-group/some-process-model/*', 'create'),
|
(
|
||||||
('/process-instances/some-process-group/some-process-model/*', 'delete'),
|
"/process-instance-suspend/some-process-group/some-process-model/*",
|
||||||
('/process-instances/some-process-group/some-process-model/*', 'read'),
|
"read",
|
||||||
('/process-instances/some-process-group/some-process-model/*', 'update'),
|
),
|
||||||
('/process-models/some-process-group/some-process-model/*', 'create'),
|
(
|
||||||
('/process-models/some-process-group/some-process-model/*', 'delete'),
|
"/process-instance-suspend/some-process-group/some-process-model/*",
|
||||||
('/process-models/some-process-group/some-process-model/*', 'read'),
|
"update",
|
||||||
('/process-models/some-process-group/some-process-model/*', 'update'),
|
),
|
||||||
('/task-data/some-process-group/some-process-model/*', 'create'),
|
(
|
||||||
('/task-data/some-process-group/some-process-model/*', 'delete'),
|
"/process-instance-terminate/some-process-group/some-process-model/*",
|
||||||
('/task-data/some-process-group/some-process-model/*', 'read'),
|
"create",
|
||||||
('/task-data/some-process-group/some-process-model/*', 'update'),
|
),
|
||||||
|
(
|
||||||
|
"/process-instance-terminate/some-process-group/some-process-model/*",
|
||||||
|
"delete",
|
||||||
|
),
|
||||||
|
(
|
||||||
|
"/process-instance-terminate/some-process-group/some-process-model/*",
|
||||||
|
"read",
|
||||||
|
),
|
||||||
|
(
|
||||||
|
"/process-instance-terminate/some-process-group/some-process-model/*",
|
||||||
|
"update",
|
||||||
|
),
|
||||||
|
("/process-instances/some-process-group/some-process-model/*", "create"),
|
||||||
|
("/process-instances/some-process-group/some-process-model/*", "delete"),
|
||||||
|
("/process-instances/some-process-group/some-process-model/*", "read"),
|
||||||
|
("/process-instances/some-process-group/some-process-model/*", "update"),
|
||||||
|
("/process-models/some-process-group/some-process-model/*", "create"),
|
||||||
|
("/process-models/some-process-group/some-process-model/*", "delete"),
|
||||||
|
("/process-models/some-process-group/some-process-model/*", "read"),
|
||||||
|
("/process-models/some-process-group/some-process-model/*", "update"),
|
||||||
|
("/task-data/some-process-group/some-process-model/*", "create"),
|
||||||
|
("/task-data/some-process-group/some-process-model/*", "delete"),
|
||||||
|
("/task-data/some-process-group/some-process-model/*", "read"),
|
||||||
|
("/task-data/some-process-group/some-process-model/*", "update"),
|
||||||
]
|
]
|
||||||
permissions_to_assign = AuthorizationService.explode_permissions('all', 'PM:/some-process-group/some-process-model')
|
permissions_to_assign = AuthorizationService.explode_permissions(
|
||||||
permissions_to_assign_tuples = sorted([(p.target_uri, p.permission) for p in permissions_to_assign])
|
"all", "PM:/some-process-group/some-process-model"
|
||||||
|
)
|
||||||
|
permissions_to_assign_tuples = sorted(
|
||||||
|
[(p.target_uri, p.permission) for p in permissions_to_assign]
|
||||||
|
)
|
||||||
assert permissions_to_assign_tuples == expected_permissions
|
assert permissions_to_assign_tuples == expected_permissions
|
||||||
|
|
||||||
def test_explode_permissions_start_on_process_model(
|
def test_explode_permissions_start_on_process_model(
|
||||||
|
@ -241,12 +308,20 @@ class TestAuthorizationService(BaseTest):
|
||||||
client: FlaskClient,
|
client: FlaskClient,
|
||||||
with_db_and_bpmn_file_cleanup: None,
|
with_db_and_bpmn_file_cleanup: None,
|
||||||
) -> None:
|
) -> None:
|
||||||
|
"""Test_explode_permissions_start_on_process_model."""
|
||||||
expected_permissions = [
|
expected_permissions = [
|
||||||
('/process-instances/for-me/some-process-group/some-process-model/*', 'read'),
|
(
|
||||||
('/process-instances/some-process-group/some-process-model/*', 'create'),
|
"/process-instances/for-me/some-process-group/some-process-model/*",
|
||||||
|
"read",
|
||||||
|
),
|
||||||
|
("/process-instances/some-process-group/some-process-model/*", "create"),
|
||||||
]
|
]
|
||||||
permissions_to_assign = AuthorizationService.explode_permissions('start', 'PM:/some-process-group/some-process-model')
|
permissions_to_assign = AuthorizationService.explode_permissions(
|
||||||
permissions_to_assign_tuples = sorted([(p.target_uri, p.permission) for p in permissions_to_assign])
|
"start", "PM:/some-process-group/some-process-model"
|
||||||
|
)
|
||||||
|
permissions_to_assign_tuples = sorted(
|
||||||
|
[(p.target_uri, p.permission) for p in permissions_to_assign]
|
||||||
|
)
|
||||||
assert permissions_to_assign_tuples == expected_permissions
|
assert permissions_to_assign_tuples == expected_permissions
|
||||||
|
|
||||||
def test_explode_permissions_basic(
|
def test_explode_permissions_basic(
|
||||||
|
@ -255,22 +330,25 @@ class TestAuthorizationService(BaseTest):
|
||||||
client: FlaskClient,
|
client: FlaskClient,
|
||||||
with_db_and_bpmn_file_cleanup: None,
|
with_db_and_bpmn_file_cleanup: None,
|
||||||
) -> None:
|
) -> None:
|
||||||
|
"""Test_explode_permissions_basic."""
|
||||||
expected_permissions = [
|
expected_permissions = [
|
||||||
('/process-instances/for-me', 'read'),
|
("/process-instances/for-me", "read"),
|
||||||
('/process-instances/reports/*', 'create'),
|
("/process-instances/reports/*", "create"),
|
||||||
('/process-instances/reports/*', 'delete'),
|
("/process-instances/reports/*", "delete"),
|
||||||
('/process-instances/reports/*', 'read'),
|
("/process-instances/reports/*", "read"),
|
||||||
('/process-instances/reports/*', 'update'),
|
("/process-instances/reports/*", "update"),
|
||||||
('/processes', 'read'),
|
("/processes", "read"),
|
||||||
('/service-tasks', 'read'),
|
("/service-tasks", "read"),
|
||||||
('/tasks/*', 'create'),
|
("/tasks/*", "create"),
|
||||||
('/tasks/*', 'delete'),
|
("/tasks/*", "delete"),
|
||||||
('/tasks/*', 'read'),
|
("/tasks/*", "read"),
|
||||||
('/tasks/*', 'update'),
|
("/tasks/*", "update"),
|
||||||
('/user-groups/for-current-user', 'read'),
|
("/user-groups/for-current-user", "read"),
|
||||||
]
|
]
|
||||||
permissions_to_assign = AuthorizationService.explode_permissions('all', 'BASIC')
|
permissions_to_assign = AuthorizationService.explode_permissions("all", "BASIC")
|
||||||
permissions_to_assign_tuples = sorted([(p.target_uri, p.permission) for p in permissions_to_assign])
|
permissions_to_assign_tuples = sorted(
|
||||||
|
[(p.target_uri, p.permission) for p in permissions_to_assign]
|
||||||
|
)
|
||||||
assert permissions_to_assign_tuples == expected_permissions
|
assert permissions_to_assign_tuples == expected_permissions
|
||||||
|
|
||||||
def test_explode_permissions_all(
|
def test_explode_permissions_all(
|
||||||
|
@ -279,14 +357,17 @@ class TestAuthorizationService(BaseTest):
|
||||||
client: FlaskClient,
|
client: FlaskClient,
|
||||||
with_db_and_bpmn_file_cleanup: None,
|
with_db_and_bpmn_file_cleanup: None,
|
||||||
) -> None:
|
) -> None:
|
||||||
|
"""Test_explode_permissions_all."""
|
||||||
expected_permissions = [
|
expected_permissions = [
|
||||||
('/*', 'create'),
|
("/*", "create"),
|
||||||
('/*', 'delete'),
|
("/*", "delete"),
|
||||||
('/*', 'read'),
|
("/*", "read"),
|
||||||
('/*', 'update'),
|
("/*", "update"),
|
||||||
]
|
]
|
||||||
permissions_to_assign = AuthorizationService.explode_permissions('all', 'ALL')
|
permissions_to_assign = AuthorizationService.explode_permissions("all", "ALL")
|
||||||
permissions_to_assign_tuples = sorted([(p.target_uri, p.permission) for p in permissions_to_assign])
|
permissions_to_assign_tuples = sorted(
|
||||||
|
[(p.target_uri, p.permission) for p in permissions_to_assign]
|
||||||
|
)
|
||||||
assert permissions_to_assign_tuples == expected_permissions
|
assert permissions_to_assign_tuples == expected_permissions
|
||||||
|
|
||||||
def test_explode_permissions_with_target_uri(
|
def test_explode_permissions_with_target_uri(
|
||||||
|
@ -295,14 +376,19 @@ class TestAuthorizationService(BaseTest):
|
||||||
client: FlaskClient,
|
client: FlaskClient,
|
||||||
with_db_and_bpmn_file_cleanup: None,
|
with_db_and_bpmn_file_cleanup: None,
|
||||||
) -> None:
|
) -> None:
|
||||||
|
"""Test_explode_permissions_with_target_uri."""
|
||||||
expected_permissions = [
|
expected_permissions = [
|
||||||
('/hey/model', 'create'),
|
("/hey/model", "create"),
|
||||||
('/hey/model', 'delete'),
|
("/hey/model", "delete"),
|
||||||
('/hey/model', 'read'),
|
("/hey/model", "read"),
|
||||||
('/hey/model', 'update'),
|
("/hey/model", "update"),
|
||||||
]
|
]
|
||||||
permissions_to_assign = AuthorizationService.explode_permissions('all', '/hey/model')
|
permissions_to_assign = AuthorizationService.explode_permissions(
|
||||||
permissions_to_assign_tuples = sorted([(p.target_uri, p.permission) for p in permissions_to_assign])
|
"all", "/hey/model"
|
||||||
|
)
|
||||||
|
permissions_to_assign_tuples = sorted(
|
||||||
|
[(p.target_uri, p.permission) for p in permissions_to_assign]
|
||||||
|
)
|
||||||
assert permissions_to_assign_tuples == expected_permissions
|
assert permissions_to_assign_tuples == expected_permissions
|
||||||
|
|
||||||
def test_explode_permissions_with_invalid_target_uri(
|
def test_explode_permissions_with_invalid_target_uri(
|
||||||
|
@ -311,8 +397,9 @@ class TestAuthorizationService(BaseTest):
|
||||||
client: FlaskClient,
|
client: FlaskClient,
|
||||||
with_db_and_bpmn_file_cleanup: None,
|
with_db_and_bpmn_file_cleanup: None,
|
||||||
) -> None:
|
) -> None:
|
||||||
|
"""Test_explode_permissions_with_invalid_target_uri."""
|
||||||
with pytest.raises(InvalidPermissionError):
|
with pytest.raises(InvalidPermissionError):
|
||||||
AuthorizationService.explode_permissions('all', 'BAD_MACRO')
|
AuthorizationService.explode_permissions("all", "BAD_MACRO")
|
||||||
|
|
||||||
def test_explode_permissions_with_start_to_incorrect_target(
|
def test_explode_permissions_with_start_to_incorrect_target(
|
||||||
self,
|
self,
|
||||||
|
@ -320,5 +407,6 @@ class TestAuthorizationService(BaseTest):
|
||||||
client: FlaskClient,
|
client: FlaskClient,
|
||||||
with_db_and_bpmn_file_cleanup: None,
|
with_db_and_bpmn_file_cleanup: None,
|
||||||
) -> None:
|
) -> None:
|
||||||
|
"""Test_explode_permissions_with_start_to_incorrect_target."""
|
||||||
with pytest.raises(InvalidPermissionError):
|
with pytest.raises(InvalidPermissionError):
|
||||||
AuthorizationService.explode_permissions('start', '/hey/model')
|
AuthorizationService.explode_permissions("start", "/hey/model")
|
||||||
|
|
Loading…
Reference in New Issue