diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/acceptance_tests.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/acceptance_tests.yml
index 0382f389..f3f84773 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/acceptance_tests.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/acceptance_tests.yml
@@ -12,6 +12,5 @@ groups:
 permissions:
 admin:
 groups: [admin]
- users: []
 allowed_permissions: [create, read, update, delete]
 uri: /*
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/demo.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/demo.yml
index dbded55b..1b1d161e 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/demo.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/demo.yml
@@ -1,5 +1,3 @@
-default_group: everybody
-
 groups:
 admin:
 users:
@@ -19,6 +17,5 @@ groups:
 permissions:
 admin:
 groups: [admin, tech_writers]
- users: []
 allowed_permissions: [create, read, update, delete]
 uri: /*
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example.yml
index a11578bd..0684ef55 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example.yml
@@ -1,4 +1,3 @@
-default_group: everybody
 users:
 admin:
@@ -41,52 +40,43 @@ permissions:
 # Admins have access to everything.
 admin:
 groups: [admin]
- users: []
 allowed_permissions: [create, read, update, delete]
 uri: /*
 # Everybody can participate in tasks assigned to them.
 tasks-crud:
 groups: [everybody]
- users: []
 allowed_permissions: [create, read, update, delete]
 uri: /tasks/*
 # Everybody can start all intstances
 create-test-instances:
 groups: [ everybody ]
- users: [ ]
 allowed_permissions: [ create ]
 uri: /process-instances/*
 # Everyone can see everything (all groups, and processes are visible)
 read-all-process-groups:
 groups: [ everybody ]
- users: [ ]
 allowed_permissions: [ read ]
 uri: /process-groups/*
 read-all-process-models:
 groups: [ everybody ]
- users: [ ]
 allowed_permissions: [ read ]
 uri: /process-models/*
 read-all-process-instance:
 groups: [ everybody ]
- users: [ ]
 allowed_permissions: [ read ]
 uri: /process-instances/*
 read-process-instance-reports:
 groups: [ everybody ]
- users: [ ]
 allowed_permissions: [ read ]
 uri: /process-instances/reports/*
 processes-read:
 groups: [ everybody ]
- users: [ ]
 allowed_permissions: [ read ]
 uri: /processes
 groups-everybody:
 groups: [everybody]
- users: []
 allowed_permissions: [create, read]
 uri: /v1.0/user-groups/for-current-user
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_read_only.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_read_only.yml
index d201a555..b6facc64 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_read_only.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/example_read_only.yml
@@ -1,4 +1,3 @@
-default_group: everybody
 groups:
 admin:
@@ -7,78 +6,65 @@ groups:
 permissions:
 admin:
 groups: [admin]
- users: []
 allowed_permissions: [read]
 uri: /*
 tasks-crud:
 groups: [admin]
- users: []
 allowed_permissions: [create, update, delete]
 uri: /tasks/*
 process-instances-crud:
 groups: [ admin ]
- users: [ ]
 allowed_permissions: [create, update, delete]
 uri: /process-instances/*
 suspend:
 groups: [admin]
- users: []
 allowed_permissions: [create]
 uri: /v1.0/process-instance-suspend
 terminate:
 groups: [admin]
- users: []
 allowed_permissions: [create]
 uri: /v1.0/process-instance-terminate
 resume:
 groups: [admin]
- users: []
 allowed_permissions: [create]
 uri: /v1.0/process-instance-resume
 reset:
 groups: [admin]
- users: []
 allowed_permissions: [create]
 uri: /v1.0/process-instance-reset
 users-exist:
 groups: [admin]
- users: []
 allowed_permissions: [create]
 uri: /v1.0/users/exists/by-username
 send-event:
 groups: [admin]
- users: []
 allowed_permissions: [create]
 uri: /v1.0/send-event/*
 task-complete:
 groups: [admin]
- users: []
 allowed_permissions: [create]
 uri: /v1.0/task-complete/*
 messages:
 groups: [admin]
- users: []
 allowed_permissions: [create]
 uri: /v1.0/messages/*
 secrets:
 groups: [admin]
- users: []
 allowed_permissions: [create, update, delete]
 uri: /v1.0/secrets/*
 task-data:
 groups: [admin]
- users: []
 allowed_permissions: [update]
 uri: /v1.0/task-data/*
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml
index eb9ce4b7..4b596568 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/local_development.yml
@@ -1,4 +1,3 @@
-default_group: everybody
 groups:
 admin:
@@ -11,6 +10,5 @@ groups:
 permissions:
 admin:
 groups: [admin, group1, group2]
- users: []
 allowed_permissions: [create, read, update, delete]
 uri: /*
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/terraform_deployed_environment.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/terraform_deployed_environment.yml
index 049c991e..14876bf7 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/terraform_deployed_environment.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/terraform_deployed_environment.yml
@@ -1,4 +1,3 @@
-default_group: everybody
 groups:
 admin:
@@ -7,6 +6,5 @@ groups:
 permissions:
 admin:
 groups: [admin]
- users: []
 allowed_permissions: [create, read, update, delete]
 uri: /*
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/unit_testing.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/unit_testing.yml
index 6cabb4b0..10980462 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/unit_testing.yml
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/unit_testing.yml
@@ -36,16 +36,15 @@ permissions:
 allowed_permissions: [create, read, update, delete]
 uri: /tasks/*
- # TODO: all uris should really have the same structure
 finance-admin-group:
 groups: ["Finance Team"]
- allowed_permissions: [create, read, update, delete]
- uri: /process-groups/finance/*
+ allowed_permissions: [all]
+ uri: PG:finance
- finance-admin-model:
- groups: ["Finance Team"]
- allowed_permissions: [create, read, update, delete]
- uri: /process-models/finance/*
+ finance-hr-start:
+ groups: ["hr"]
+ allowed_permissions: [start]
+ uri: PG:finance
 finance-admin-model-lanes:
 groups: ["Finance Team"]
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/refresh_permissions.py b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/refresh_permissions.py
index c8192574..4a49d7b5 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/scripts/refresh_permissions.py
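Review bot: In the unit_testing.yml hunk, `finance-admin-group` now grants `[all]` on the macro target `PG:finance` in place of the two explicit CRUD entries on `/process-groups/finance/*` and `/process-models/finance/*`, but nothing in this fixture says what `all` or `PG:` expand to, so the effective scope of the grant can only be recovered by reading `AuthorizationService.explode_permissions`. A short comment above the entry would keep the fixture self-explanatory, e.g. `# PG:<group> is a macro target; see AuthorizationService.explode_permissions for what 'all' and 'start' expand to`. The new `finance-hr-start` entry references a group `hr`; if that group is not declared under `groups:` (outside this hunk) and is not the configured default group, the loader in authorization_service fails with a bare KeyError when it appends the permission, so that declaration is worth confirming.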
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/scripts/refresh_permissions.py
@@ -35,5 +35,4 @@ class RefreshPermissions(Script):
 **kwargs: Any,
 ) -> Any:
 group_info = args[0]
- import pdb; pdb.set_trace()
 AuthorizationService.refresh_permissions(group_info)
diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
index 61e4d25c..32efe6d8 100644
--- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
+++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py
@@ -5,7 +5,6 @@ from dataclasses import dataclass
 from hashlib import sha256
 from hmac import compare_digest
 from hmac import HMAC
-from typing import Any
 from typing import Optional
 from typing import Set
 from typing import TypedDict
@@ -21,7 +20,6 @@ from sqlalchemy import or_
 from sqlalchemy import text
 from spiffworkflow_backend.helpers.api_version import V1_API_PATH_PREFIX
-from spiffworkflow_backend.models import permission_assignment
 from spiffworkflow_backend.models.db import db
 from spiffworkflow_backend.models.group import GroupModel
 from spiffworkflow_backend.models.human_task import HumanTaskModel
@@ -30,7 +28,6 @@ from spiffworkflow_backend.models.permission_target import PermissionTargetModel
 from spiffworkflow_backend.models.principal import MissingPrincipalError
 from spiffworkflow_backend.models.principal import PrincipalModel
 from spiffworkflow_backend.models.user import UserModel
-from spiffworkflow_backend.models.user import UserNotFoundError
 from spiffworkflow_backend.models.user_group_assignment import UserGroupAssignmentModel
 from spiffworkflow_backend.routes.openid_blueprint import openid_blueprint
 from spiffworkflow_backend.services.authentication_service import NotAuthorizedError
@@ -617,7 +614,6 @@ class AuthorizationService:
 def add_permission_from_uri_or_macro(
 cls, group_identifier: str, permission: str, target: str
 ) -> list[PermissionAssignmentModel]:
- """Add_permission_from_uri_or_macro."""
 group = GroupService.find_or_create_group(group_identifier)
 permissions_to_assign = cls.explode_permissions(permission, target)
 permission_assignments = []
@@ -644,35 +640,41 @@ class AuthorizationService:
 permission_configs = yaml.safe_load(file)
 group_permissions_by_group: dict[str, GroupPermissionsDict] = {}
- if current_app.config['SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP']:
- default_group_identifier = current_app.config['SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP']
- group_permissions_by_group[default_group_identifier] = {"name": default_group_identifier, "users": [], "permissions": []}
+ if current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"]:
+ default_group_identifier = current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"]
+ group_permissions_by_group[default_group_identifier] = {
+ "name": default_group_identifier,
+ "users": [],
+ "permissions": [],
+ }
 if "groups" in permission_configs:
 for group_identifier, group_config in permission_configs["groups"].items():
 group_info: GroupPermissionsDict = {"name": group_identifier, "users": [], "permissions": []}
 for username in group_config["users"]:
- group_info['users'].append(username)
+ group_info["users"].append(username)
 group_permissions_by_group[group_identifier] = group_info
 if "permissions" in permission_configs:
 for _permission_identifier, permission_config in permission_configs["permissions"].items():
 uri = permission_config["uri"]
 for group_identifier in permission_config["groups"]:
- group_permissions_by_group[group_identifier]['permissions'].append(
- {'actions': permission_config["allowed_permissions"], "uri": uri}
+ group_permissions_by_group[group_identifier]["permissions"].append(
+ {"actions": permission_config["allowed_permissions"], "uri": uri}
 )
 return list(group_permissions_by_group.values())
 @classmethod
- def add_permissions_from_group_permissions(cls, group_permissions: list[GroupPermissionsDict], user_model: Optional[UserModel] = None) -> DesiredPermissionDict:
+ def add_permissions_from_group_permissions(
+ cls, group_permissions: list[GroupPermissionsDict], user_model: Optional[UserModel] = None
+ ) ->
DesiredPermissionDict:
 unique_user_group_identifiers: Set[str] = set()
 user_to_group_identifiers: list[UserToGroupDict] = []
 permission_assignments = []
 default_group = None
- default_group_identifier = current_app.config['SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP']
+ default_group_identifier = current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"]
 if default_group_identifier:
 default_group = GroupService.find_or_create_group(default_group_identifier)
 unique_user_group_identifiers.add(default_group_identifier)
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
index 2cd16063..54d67848 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/integration/test_process_api.py
@@ -2349,7 +2349,6 @@ class TestProcessApi(BaseTest):
 with_db_and_bpmn_file_cleanup: None,
 with_super_admin_user: UserModel,
 ) -> None:
- """Test_correct_user_can_get_and_update_a_task."""
 initiator_user = self.find_or_create_user("testuser4")
 finance_user = self.find_or_create_user("testuser2")
 assert initiator_user.principal is not None
@@ -2372,15 +2371,8 @@ class TestProcessApi(BaseTest):
 bpmn_file_location=bpmn_file_location,
 )
- # process_model = load_test_spec(
- # process_model_id="model_with_lanes",
- # bpmn_file_name="lanes.bpmn",
- # process_group_id="finance",
- # )
-
 response = self.create_process_instance_from_process_model_id_with_api(
 client,
- # process_model.process_group_id,
 process_model_identifier,
 headers=self.logged_in_headers(initiator_user),
 )
diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py
index 380677ae..a1f41d3e 100644
--- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py
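Review bot: In the `"permissions"` loop of the `@@ -644,35 +640,41 @@` hunk, `group_permissions_by_group[group_identifier]["permissions"].append(...)` still raises a bare `KeyError` when a permission entry names a group that is neither declared under `groups:` nor equal to the configured default group; since this commit drops `default_group: everybody` from the YAML files, every `everybody` reference in example.yml now depends on `SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP` being set, and a missing or misspelled value fails at load time with no hint of which permission or group was at fault. A guard before the append would make that explicit: `if group_identifier not in group_permissions_by_group:` / `raise InvalidPermissionError(f"permission '{_permission_identifier}' references undeclared group '{group_identifier}'")`. The direct `current_app.config["SPIFFWORKFLOW_BACKEND_DEFAULT_USER_GROUP"]` reads, here and again in `add_permissions_from_group_permissions`, also raise `KeyError` if the key is not defined at all; if the config layer does not guarantee a default for it, `.get(...)` is the safer read. The function that loads the YAML starts before this hunk, and `add_permissions_from_group_permissions` continues past it.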
+++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py
@@ -6,8 +6,8 @@ from tests.spiffworkflow_backend.helpers.base_test import BaseTest
 from spiffworkflow_backend.models.group import GroupModel
 from spiffworkflow_backend.models.user import UserModel
-from spiffworkflow_backend.models.user import UserNotFoundError
-from spiffworkflow_backend.services.authorization_service import AuthorizationService, GroupPermissionsDict
+from spiffworkflow_backend.services.authorization_service import AuthorizationService
+from spiffworkflow_backend.services.authorization_service import GroupPermissionsDict
 from spiffworkflow_backend.services.authorization_service import InvalidPermissionError
 from spiffworkflow_backend.services.group_service import GroupService
 from spiffworkflow_backend.services.process_instance_processor import (
@@ -47,13 +47,13 @@ class TestAuthorizationService(BaseTest):
 assert testuser1_group_identifiers == ["Finance Team", "everybody"]
 assert len(users["testuser2"].groups) == 3
- self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance/model1")
- self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance/")
+ self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance:model1")
+ self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/finance")
 self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/", expected_result=False)
- self.assert_user_has_permission(users["testuser4"], "read", "/v1.0/process-groups/finance/model1")
- self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups/finance/model1")
- self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups/", expected_result=False)
- self.assert_user_has_permission(users["testuser2"], "read", "/v1.0/process-groups/")
+ self.assert_user_has_permission(users["testuser4"], "read", "/v1.0/process-groups/finance:model1")
+ self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups/finance:model1")
+ self.assert_user_has_permission(users["testuser2"], "update", "/v1.0/process-groups", expected_result=False)
+ self.assert_user_has_permission(users["testuser2"], "read", "/v1.0/process-groups")
 def test_user_can_be_added_to_human_task_on_first_login(
 self,
@@ -110,7 +110,6 @@ class TestAuthorizationService(BaseTest):
 client: FlaskClient,
 with_db_and_bpmn_file_cleanup: None,
 ) -> None:
- """Test_explode_permissions_all_on_process_group."""
 expected_permissions = sorted(
 [
 ("/event-error-details/some-process-group:some-process-model:*", "read"),
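Review bot: The two negative assertions in the `@@ -47,13 +47,13 @@` hunk now disagree on form: testuser1's unchanged line still checks `/v1.0/process-groups/` with a trailing slash while testuser2's was rewritten to `/v1.0/process-groups`, so the test no longer pins whether both spellings are denied. Either make the pair consistent or assert both forms for one user, e.g. keep `self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups/", expected_result=False)` and add `self.assert_user_has_permission(users["testuser1"], "update", "/v1.0/process-groups", expected_result=False)`. The hunk also checks only the parent path as the denied case; with the unit_testing fixture now granting `all` on `PG:finance`, a constructed sibling such as `/v1.0/process-groups/other:model1` with `expected_result=False` would show that the macro grant does not extend beyond the finance group. The enclosing test function starts before this hunk.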