Merge branch 'main' into cullerton

2022-07-19 11:47:29 -04:00 · 2022-07-19 11:47:29 -04:00 · deff98386e
parent d4b31efd5a d7fdb618fc
commit deff98386e
11 changed files with 2973 additions and 32 deletions
--- a/bin/get_token
+++ b/bin/get_token
@ -72,16 +72,23 @@ if [[ "$backend_token" != 'null' ]]; then
  echo "backend_token: $backend_token"

  echo "Getting resource set"
-  resource_result=$(curl -s "http://localhost:7002/realms/spiffworkflow/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=${URI_TO_TEST_AGAINST}" -H "Authorization: Bearer $backend_token")
+  # everything_resource_id='446bdcf4-a3bd-41c7-a0f8-67a225ba6b57'
+  resource_result=$(curl -s "http://${HOSTNAME}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=${URI_TO_TEST_AGAINST}" -H "Authorization: Bearer $backend_token")
+  # resource_result=$(curl -s "http://${HOSTNAME}/realms/spiffworkflow/authz/protection/resource_set?matchingUri=false&deep=true&max=-1&exactName=false&type=admin" -H "Authorization: Bearer $backend_token")

-  resource_ids=$(jq -r '.[] | ._id' <<<"$resource_result" || echo '')
-  if [[ -z "$resource_ids" || "$resource_ids" == "null" ]]; then
+  resource_id_name_pairs=$(jq -r '.[] | "\(._id):\(.name)"' <<<"$resource_result" || echo '')
+  if [[ -z "$resource_id_name_pairs" || "$resource_id_name_pairs" == "null" ]]; then
    >&2 echo "ERROR: Could not find the resource id from the result: ${resource_result}"
    exit 1
  fi
+  echo $resource_id_name_pairs

  echo "Getting permissions"
-  for resource_id in $resource_ids ; do
+  for resource_id_name_pair in $resource_id_name_pairs ; do
+    resource_id=$(awk -F ':' '{print $1}' <<<"$resource_id_name_pair")
+    resource_name=$(awk -F ':' '{print $2}' <<<"$resource_id_name_pair")
+
+    echo "Checking $resource_name"
    curl -s -X POST "$KEYCLOAK_URL" "$INSECURE" \
      -H "Content-Type: application/x-www-form-urlencoded" \
      -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
--- a/bin/replicate_resource_set_denied_based_on_uri_with_keycloak/replicate_resource_set_denied_based_on_uri
+++ b/bin/replicate_resource_set_denied_based_on_uri_with_keycloak/replicate_resource_set_denied_based_on_uri
@ -0,0 +1,111 @@
+#!/usr/bin/env bash
+
+function error_handler() {
+  >&2 echo "Exited with BAD EXIT CODE '${2}' in ${0} script at line: ${1}."
+  exit "$2"
+}
+trap 'error_handler ${LINENO} $?' ERR
+set -o errtrace -o errexit -o nounset -o pipefail
+
+script_dir="$( cd -- "$(dirname "$0")" >/dev/null 2>&1 ; pwd -P )"
+
+docker stop keycloak || echo 'no keycloak container found'
+docker rm keycloak 2>/dev/null || echo 'no keycloak container found'
+docker run -p 8080:8080 -d  --name keycloak -e KEYCLOAK_LOGLEVEL=ALL -e ROOT_LOGLEVEL=ALL -e KEYCLOAK_ADMIN=admin -e KEYCLOAK_ADMIN_PASSWORD=admin quay.io/keycloak/keycloak:18.0.2 start-dev -Dkeycloak.profile.feature.token_exchange=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled
+
+docker cp "${script_dir}/testing-realm.json" keycloak:/tmp
+
+sleep 10
+docker exec keycloak /opt/keycloak/bin/kc.sh import --file /tmp/testing-realm.json || echo ''
+
+docker stop keycloak
+docker start keycloak
+sleep 10
+
+HOSTNAME=localhost:8080
+REALM_NAME=testing
+USERS=(
+  ciadmin1
+  repeat_form_user_1
+)
+URIS_TO_TEST_AGAINST=(
+  /blog/post/1
+  /blog
+)
+
+FRONTEND_CLIENT_ID=testing-frontend
+BACKEND_CLIENT_ID=testing-backend
+BACKEND_CLIENT_SECRET="JXeQExm0JhQPLumgHtIIqf52bDalHz0q"  # noqa: S105
+
+BACKEND_BASIC_AUTH=$(echo -n "${BACKEND_CLIENT_ID}:${BACKEND_CLIENT_SECRET}" | base64)
+KEYCLOAK_URL=http://$HOSTNAME/realms/$REALM_NAME/protocol/openid-connect/token
+
+result_array=()
+for user in "${USERS[@]}" ; do
+  result=$(curl -s -X POST "$KEYCLOAK_URL" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    -d "username=$user" \
+    -d "password=$user" \
+    -d 'grant_type=password' \
+    -d "client_id=$FRONTEND_CLIENT_ID" \
+  )
+  frontend_token=$(jq -r '.access_token' <<< "$result")
+
+  result=$(curl -s -X POST "$KEYCLOAK_URL" \
+    -H "Content-Type: application/x-www-form-urlencoded" \
+    --data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
+    -d "client_id=$BACKEND_CLIENT_ID" \
+    -d "subject_token=${frontend_token}" \
+    -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
+    -d "audience=${BACKEND_CLIENT_ID}" \
+  )
+  backend_token=$(jq -r '.access_token' <<< "$result")
+
+  if [[ "$backend_token" != 'null' ]]; then
+    echo "Getting resource set"
+
+    for uri in "${URIS_TO_TEST_AGAINST[@]}" ; do
+      escaped_uri=$(sed 's|/|%2F|g' <<<"$uri")
+      resource_result=$(curl -s "http://${HOSTNAME}/realms/testing/authz/protection/resource_set?matchingUri=true&deep=true&max=-1&exactName=false&uri=${escaped_uri}" -H "Authorization: Bearer $backend_token")
+
+      resource_id_name_pairs=$(jq -r '.[] | "\(._id):\(.name)"' <<<"$resource_result" || echo '')
+      if [[ -z "$resource_id_name_pairs" || "$resource_id_name_pairs" == "null" ]]; then
+        >&2 echo "ERROR: Could not find the resource id from the result: ${resource_result}"
+        exit 1
+      fi
+
+      echo "Getting permissions"
+      for resource_id_name_pair in $resource_id_name_pairs ; do
+        resource_id=$(awk -F ':' '{print $1}' <<<"$resource_id_name_pair")
+        resource_name=$(awk -F ':' '{print $2}' <<<"$resource_id_name_pair")
+
+        echo "Checking $resource_name"
+        auth_result=$(curl -s -X POST "$KEYCLOAK_URL" \
+          -H "Content-Type: application/x-www-form-urlencoded" \
+          -H "Authorization: Basic $BACKEND_BASIC_AUTH" \
+          -d "audience=${BACKEND_CLIENT_ID}" \
+          --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:uma-ticket" \
+          -d "permission=${resource_id}" \
+          -d "subject_token=${backend_token}" \
+        )
+
+        error_message=$(jq -r '.error' <<<"$auth_result" || echo -n '')
+        if [[ -n "$error_message" && "$error_message" != "null" ]]; then
+          result_array+=("${user}, ${uri}, DENY")
+        fi
+        access_token=$(jq -r '.access_token' <<<"$auth_result" || echo -n '')
+        if [[ -n "$access_token"&& "$access_token" != "null" ]]; then
+          result_array+=("${user}, ${uri}, APPROVED")
+        fi
+      done
+    done
+
+  else
+    echo "Failed auth result: $result"
+  fi
+done
+
+echo -e "\n\nRESULTS:\n"
+for final_result in "${result_array[@]}" ; do
+  echo "$final_result"
+done
--- a/bin/replicate_resource_set_denied_based_on_uri_with_keycloak/testing-realm.json
+++ b/bin/replicate_resource_set_denied_based_on_uri_with_keycloak/testing-realm.json
--- a/conftest.py
+++ b/conftest.py
@ -1,12 +1,12 @@
 """Conftest."""
 import os
 import shutil
+from tests.spiffworkflow_backend.helpers.test_data import load_test_spec

 import pytest
 from flask.app import Flask
 from flask_bpmn.models.db import db
 from flask_bpmn.models.db import SpiffworkflowBaseDBModel
-from tests.spiffworkflow_backend.helpers.test_data import load_test_spec

 from spiffworkflow_backend.helpers.fixture_data import find_or_create_user
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
--- a/src/spiffworkflow_backend/models/process_instance.py
+++ b/src/spiffworkflow_backend/models/process_instance.py
@ -2,6 +2,8 @@
 from __future__ import annotations

 from dataclasses import dataclass
+from SpiffWorkflow.navigation import NavItem  # type: ignore
+from SpiffWorkflow.util.deep_merge import DeepMerge  # type: ignore
 from typing import Any
 from typing import cast

@ -11,8 +13,6 @@ from flask_bpmn.models.db import SpiffworkflowBaseDBModel
 from marshmallow import INCLUDE
 from marshmallow import Schema
 from marshmallow_enum import EnumField  # type: ignore
-from SpiffWorkflow.navigation import NavItem  # type: ignore
-from SpiffWorkflow.util.deep_merge import DeepMerge  # type: ignore
 from sqlalchemy import ForeignKey
 from sqlalchemy.orm import deferred
 from sqlalchemy.orm import relationship
--- a/src/spiffworkflow_backend/routes/process_api_blueprint.py
+++ b/src/spiffworkflow_backend/routes/process_api_blueprint.py
@ -1,6 +1,7 @@
 """APIs for dealing with process groups, process models, and process instances."""
 import json
 import uuid
+from SpiffWorkflow import TaskState  # type: ignore
 from typing import Any
 from typing import Dict
 from typing import Optional
@ -16,7 +17,6 @@ from flask import request
 from flask.wrappers import Response
 from flask_bpmn.api.api_error import ApiError
 from flask_bpmn.models.db import db
-from SpiffWorkflow import TaskState  # type: ignore
 from sqlalchemy import desc

 from spiffworkflow_backend.exceptions.process_entity_not_found_error import (
@ -112,7 +112,16 @@ def process_group_show(
    process_group_id: str,
 ) -> Any:
    """Process_group_show."""
-    process_group = ProcessModelService().get_process_group(process_group_id)
+    try:
+        process_group = ProcessModelService().get_process_group(process_group_id)
+    except ProcessEntityNotFoundError as exception:
+        raise (
+            ApiError(
+                code="process_group_cannot_be_found",
+                message=f"Process group cannot be found: {process_group_id}",
+                status_code=400,
+            )
+        ) from exception
    return ProcessGroupSchema().dump(process_group)


--- a/src/spiffworkflow_backend/services/process_instance_processor.py
+++ b/src/spiffworkflow_backend/services/process_instance_processor.py
@ -1,16 +1,6 @@
 """Process_instance_processor."""
 import json
 import time
-from typing import Any
-from typing import Dict
-from typing import List
-from typing import Optional
-from typing import Union
-
-from flask import current_app
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
-from lxml import etree  # type: ignore
 from SpiffWorkflow import Task as SpiffTask  # type: ignore
 from SpiffWorkflow import TaskState
 from SpiffWorkflow import WorkflowException
@ -31,6 +21,16 @@ from SpiffWorkflow.specs import WorkflowSpec  # type: ignore
 from SpiffWorkflow.spiff.parser.process import SpiffBpmnParser  # type: ignore
 from SpiffWorkflow.spiff.serializer import UserTaskConverter  # type: ignore
 from SpiffWorkflow.util.deep_merge import DeepMerge  # type: ignore
+from typing import Any
+from typing import Dict
+from typing import List
+from typing import Optional
+from typing import Union
+
+from flask import current_app
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db
+from lxml import etree  # type: ignore

 from spiffworkflow_backend.models.active_task import ActiveTaskModel
 from spiffworkflow_backend.models.file import File
--- a/src/spiffworkflow_backend/services/process_instance_service.py
+++ b/src/spiffworkflow_backend/services/process_instance_service.py
@ -1,13 +1,5 @@
 """Process_instance_service."""
 import time
-from typing import Any
-from typing import Dict
-from typing import List
-from typing import Optional
-
-from flask import current_app
-from flask_bpmn.api.api_error import ApiError
-from flask_bpmn.models.db import db
 from SpiffWorkflow.bpmn.specs.events import EndEvent  # type: ignore
 from SpiffWorkflow.bpmn.specs.events import StartEvent
 from SpiffWorkflow.bpmn.specs.ManualTask import ManualTask  # type: ignore
@ -19,6 +11,14 @@ from SpiffWorkflow.specs import CancelTask  # type: ignore
 from SpiffWorkflow.specs import StartTask
 from SpiffWorkflow.task import Task as SpiffTask  # type: ignore
 from SpiffWorkflow.util.deep_merge import DeepMerge  # type: ignore
+from typing import Any
+from typing import Dict
+from typing import List
+from typing import Optional
+
+from flask import current_app
+from flask_bpmn.api.api_error import ApiError
+from flask_bpmn.models.db import db

 from spiffworkflow_backend.models.process_instance import ProcessInstanceApi
 from spiffworkflow_backend.models.process_instance import ProcessInstanceModel
--- a/src/spiffworkflow_backend/services/spec_file_service.py
+++ b/src/spiffworkflow_backend/services/spec_file_service.py
@ -2,6 +2,7 @@
 import os
 import shutil
 from datetime import datetime
+from SpiffWorkflow.bpmn.parser.ValidationException import ValidationException  # type: ignore
 from typing import List
 from typing import Optional
 from typing import Union
@ -10,7 +11,6 @@ from flask_bpmn.api.api_error import ApiError
 from lxml import etree  # type: ignore
 from lxml.etree import _Element  # type: ignore
 from lxml.etree import Element as EtreeElement
-from SpiffWorkflow.bpmn.parser.ValidationException import ValidationException  # type: ignore

 from spiffworkflow_backend.models.file import File
 from spiffworkflow_backend.models.file import FileType
--- a/tests/spiffworkflow_backend/helpers/test_data.py
+++ b/tests/spiffworkflow_backend/helpers/test_data.py
@ -1,9 +1,8 @@
 """User."""
+from tests.spiffworkflow_backend.helpers.example_data import ExampleDataLoader
 from typing import Dict
 from typing import Optional

-from tests.spiffworkflow_backend.helpers.example_data import ExampleDataLoader
-
 from spiffworkflow_backend.exceptions.process_entity_not_found_error import (
    ProcessEntityNotFoundError,
 )
--- a/tests/spiffworkflow_backend/integration/test_process_api.py
+++ b/tests/spiffworkflow_backend/integration/test_process_api.py
@ -2,6 +2,8 @@
 import io
 import json
 import time
+from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
+from tests.spiffworkflow_backend.helpers.test_data import logged_in_headers
 from typing import Any
 from typing import Dict
 from typing import Optional
@ -10,8 +12,6 @@ import pytest
 from flask.app import Flask
 from flask.testing import FlaskClient
 from flask_bpmn.models.db import db
-from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
-from tests.spiffworkflow_backend.helpers.test_data import logged_in_headers
 from werkzeug.test import TestResponse

 from spiffworkflow_backend.exceptions.process_entity_not_found_error import (