added script to get all permissions for the confirmation page when adding permissions from a process model w/ burnettk

spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml

@@ -74,98 +74,98 @@ permissions:
     users: []
     allowed_permissions: [create, read, update, delete]
     uri: /*
-  # admin-readonly:
+  admin-readonly:
-  #   groups: [admin-ro]
+    groups: [admin-ro]
-  #   users: []
+    users: []
-  #   allowed_permissions: [read]
+    allowed_permissions: [read]
-  #   uri: /*
+    uri: /*
-  # admin-process-instances-for-readonly:
+  admin-process-instances-for-readonly:
-  #   groups: [admin-ro]
+    groups: [admin-ro]
-  #   users: []
+    users: []
-  #   allowed_permissions: [create, read, update, delete]
+    allowed_permissions: [create, read, update, delete]
-  #   uri: /process-instances/*
+    uri: /process-instances/*
-  #
+
-  # tasks-crud:
+  tasks-crud:
-  #   groups: [everybody]
+    groups: [everybody]
-  #   users: []
+    users: []
-  #   allowed_permissions: [create, read, update, delete]
+    allowed_permissions: [create, read, update, delete]
-  #   uri: /tasks/*
+    uri: /tasks/*
-  # service-tasks:
+  service-tasks:
-  #   groups: [everybody]
+    groups: [everybody]
-  #   users: []
+    users: []
-  #   allowed_permissions: [read]
+    allowed_permissions: [read]
-  #   uri: /service-tasks
+    uri: /service-tasks
-  # user-groups-for-current-user:
+  user-groups-for-current-user:
-  #   groups: [everybody]
+    groups: [everybody]
-  #   users: []
+    users: []
-  #   allowed_permissions: [read]
+    allowed_permissions: [read]
-  #   uri: /user-groups/for-current-user
+    uri: /user-groups/for-current-user
-  #
+
-  # # read all for everybody
+  # read all for everybody
-  # read-all-process-groups:
+  read-all-process-groups:
-  #   groups: [everybody]
+    groups: [everybody]
-  #   users: []
+    users: []
-  #   allowed_permissions: [read]
+    allowed_permissions: [read]
-  #   uri: /process-groups/*
+    uri: /process-groups/*
-  # read-all-process-models:
+  read-all-process-models:
-  #   groups: [everybody]
+    groups: [everybody]
-  #   users: []
+    users: []
-  #   allowed_permissions: [read]
+    allowed_permissions: [read]
-  #   uri: /process-models/*
+    uri: /process-models/*
-  # read-all-process-instances-for-me:
+  read-all-process-instances-for-me:
-  #   groups: [everybody]
+    groups: [everybody]
-  #   users: []
+    users: []
-  #   allowed_permissions: [read]
+    allowed_permissions: [read]
-  #   uri: /process-instances/for-me/*
+    uri: /process-instances/for-me/*
-  # read-process-instance-reports:
+  read-process-instance-reports:
-  #   groups: [everybody]
+    groups: [everybody]
-  #   users: []
+    users: []
-  #   allowed_permissions: [create, read, update, delete]
+    allowed_permissions: [create, read, update, delete]
-  #   uri: /process-instances/reports/*
+    uri: /process-instances/reports/*
-  # processes-read:
+  processes-read:
-  #   groups: [everybody]
+    groups: [everybody]
-  #   users: []
+    users: []
-  #   allowed_permissions: [read]
+    allowed_permissions: [read]
-  #   uri: /processes
+    uri: /processes
-  #
+
-  #
+
-  # finance-admin:
+  finance-admin:
-  #   groups: ["Finance Team"]
+    groups: ["Finance Team"]
-  #   users: []
+    users: []
-  #   allowed_permissions: [create, read, update, delete]
+    allowed_permissions: [create, read, update, delete]
-  #   uri: /process-groups/manage-procurement:procurement:*
+    uri: /process-groups/manage-procurement:procurement:*
-  #
+
-  # manage-revenue-streams-instances:
+  manage-revenue-streams-instances:
-  #   groups: ["core-contributor", "demo"]
+    groups: ["core-contributor", "demo"]
-  #   users: []
+    users: []
-  #   allowed_permissions: [create, read]
+    allowed_permissions: [create, read]
-  #   uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
+    uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/*
-  #
+
-  # manage-procurement-invoice-instances:
+  manage-procurement-invoice-instances:
-  #   groups: ["core-contributor", "demo"]
+    groups: ["core-contributor", "demo"]
-  #   users: []
+    users: []
-  #   allowed_permissions: [create, read]
+    allowed_permissions: [create, read]
-  #   uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
+    uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:*
-  #
+
-  # manage-procurement-instances:
+  manage-procurement-instances:
-  #   groups: ["core-contributor", "demo"]
+    groups: ["core-contributor", "demo"]
-  #   users: []
+    users: []
-  #   allowed_permissions: [create, read]
+    allowed_permissions: [create, read]
-  #   uri: /process-instances/manage-procurement:vendor-lifecycle-management:*
+    uri: /process-instances/manage-procurement:vendor-lifecycle-management:*
-  #
+
-  # create-test-instances:
+  create-test-instances:
-  #   groups: ["test"]
+    groups: ["test"]
-  #   users: []
+    users: []
-  #   allowed_permissions: [create, read]
+    allowed_permissions: [create, read]
-  #   uri: /process-instances/misc:test:*
+    uri: /process-instances/misc:test:*
-  #
+
-  # core1-admin-instances:
+  core1-admin-instances:
-  #   groups: ["core-contributor", "Finance Team"]
+    groups: ["core-contributor", "Finance Team"]
-  #   users: []
+    users: []
-  #   allowed_permissions: [create, read]
+    allowed_permissions: [create, read]
-  #   uri: /process-instances/misc:category_number_one:process-model-with-form:*
+    uri: /process-instances/misc:category_number_one:process-model-with-form:*
-  # core1-admin-instances-slash:
+  core1-admin-instances-slash:
-  #   groups: ["core-contributor", "Finance Team"]
+    groups: ["core-contributor", "Finance Team"]
-  #   users: []
+    users: []
-  #   allowed_permissions: [create, read]
+    allowed_permissions: [create, read]
-  #   uri: /process-instances/misc:category_number_one:process-model-with-form/*
+    uri: /process-instances/misc:category_number_one:process-model-with-form/*

spiffworkflow-backend/src/spiffworkflow_backend/scripts/add_permission.py

@@ -28,8 +28,6 @@ class AddPermission(Script):
         allowed_permission = args[0]
         uri = args[1]
         group_identifier = args[2]
-        group = GroupService.find_or_create_group(group_identifier)
+        AuthorizationService.add_permission_from_uri_or_macro(
-        target = AuthorizationService.find_or_create_permission_target(uri)
+            group_identifier=group_identifier, target=uri, permission=allowed_permission
-        AuthorizationService.create_permission_for_principal(
-            group.principal, target, allowed_permission
         )

spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_all_permissions.py

@@ -0,0 +1,52 @@
+"""Get_env."""
+from typing import Any, Set
+from typing import Union
+from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.permission_target import PermissionTargetModel
+from spiffworkflow_backend.models.principal import PrincipalModel
+from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
+
+from spiffworkflow_backend.models.script_attributes_context import (
+    ScriptAttributesContext,
+)
+from spiffworkflow_backend.scripts.script import Script
+from spiffworkflow_backend.services.authorization_service import AuthorizationService
+from spiffworkflow_backend.services.group_service import GroupService
+
+from collections import OrderedDict
+
+
+# add_permission("read", "test/*", "Editors")
+
+
+class GetAllPermissions(Script):
+
+    def get_description(self) -> str:
+        """Get_description."""
+        return """Get all permissions currently in the system."""
+
+    def run(
+        self,
+        script_attributes_context: ScriptAttributesContext,
+        *args: Any,
+        **kwargs: Any,
+    ) -> Any:
+        """Run."""
+        permission_assignments = (
+            PermissionAssignmentModel.query
+            .join(PrincipalModel, PrincipalModel.id == PermissionAssignmentModel.principal_id)
+            .join(GroupModel, GroupModel.id == PrincipalModel.group_id)
+            .join(PermissionTargetModel, PermissionTargetModel.id == PermissionAssignmentModel.permission_target_id)
+            .add_columns(
+                PermissionAssignmentModel.permission,
+                PermissionTargetModel.uri,
+                GroupModel.identifier.label('group_identifier')
+            )
+        )
+
+        permissions: OrderedDict[tuple[str, str], list[str]] = OrderedDict()
+        for pa in permission_assignments:
+            permissions.setdefault((pa.group_identifier, pa.uri), []).append(pa.permission)
+
+        return [{'group_identifier': k[0], 'uri': k[1], 'permissions': sorted(v)}
+                for k, v in permissions.items()]

spiffworkflow-backend/tests/spiffworkflow_backend/scripts/test_get_all_permissions.py

@@ -0,0 +1,55 @@
+"""Test_get_localtime."""
+import pytest
+from flask.app import Flask
+from flask.testing import FlaskClient
+from flask_bpmn.api.api_error import ApiError
+from spiffworkflow_backend.scripts.get_all_permissions import GetAllPermissions
+from tests.spiffworkflow_backend.helpers.base_test import BaseTest
+from tests.spiffworkflow_backend.helpers.test_data import load_test_spec
+
+from spiffworkflow_backend.models.group import GroupModel
+from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
+from spiffworkflow_backend.models.permission_target import PermissionTargetModel
+from spiffworkflow_backend.models.script_attributes_context import (
+    ScriptAttributesContext,
+)
+from spiffworkflow_backend.models.user import UserModel
+from spiffworkflow_backend.scripts.add_permission import AddPermission
+from spiffworkflow_backend.services.process_instance_processor import (
+    ProcessInstanceProcessor,
+)
+
+
+class TestGetAllPermissions(BaseTest):
+
+    def test_can_get_all_permissions(
+        self,
+        app: Flask,
+        client: FlaskClient,
+        with_db_and_bpmn_file_cleanup: None,
+        with_super_admin_user: UserModel,
+    ) -> None:
+        self.find_or_create_user("test_user")
+
+        # now that we have everything, try to clear it out...
+        script_attributes_context = ScriptAttributesContext(
+            task=None,
+            environment_identifier="testing",
+            process_instance_id=1,
+            process_model_identifier="my_test_user",
+        )
+        AddPermission().run(
+            script_attributes_context, "start", "PG:hey:group", "my_test_group"
+        )
+        AddPermission().run(
+            script_attributes_context, "all", "/tasks", "my_test_group"
+        )
+
+        expected_permissions = [
+            {'group_identifier': 'my_test_group', 'uri': '/process-instances/hey:group:%', 'permissions': ['create']},
+            {'group_identifier': 'my_test_group', 'uri': '/process-instances/for-me/hey:group:%', 'permissions': ['read']},
+            {'group_identifier': 'my_test_group', 'uri': '/tasks', 'permissions': ['create', 'delete', 'read', 'update']}
+        ]
+
+        permissions = GetAllPermissions().run(script_attributes_context)
+        assert permissions == expected_permissions