diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml index d192a7de..f5052ff6 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/development.yml 
@@ -74,98 +74,98 @@ permissions: users: [] allowed_permissions: [create, read, update, delete] uri: /* - admin-readonly: - groups: [admin-ro] - users: [] - allowed_permissions: [read] - uri: /* - admin-process-instances-for-readonly: - groups: [admin-ro] - users: [] - allowed_permissions: [create, read, update, delete] - uri: /process-instances/* - - tasks-crud: - groups: [everybody] - users: [] - allowed_permissions: [create, read, update, delete] - uri: /tasks/* - service-tasks: - groups: [everybody] - users: [] - allowed_permissions: [read] - uri: /service-tasks - user-groups-for-current-user: - groups: [everybody] - users: [] - allowed_permissions: [read] - uri: /user-groups/for-current-user - - # read all for everybody - read-all-process-groups: - groups: [everybody] - users: [] - allowed_permissions: [read] - uri: /process-groups/* - read-all-process-models: - groups: [everybody] - users: [] - allowed_permissions: [read] - uri: /process-models/* - read-all-process-instances-for-me: - groups: [everybody] - users: [] - allowed_permissions: [read] - uri: /process-instances/for-me/* - read-process-instance-reports: - groups: [everybody] - users: [] - allowed_permissions: [create, read, update, delete] - uri: /process-instances/reports/* - processes-read: - groups: [everybody] - users: [] - allowed_permissions: [read] - uri: /processes - - - finance-admin: - groups: ["Finance Team"] - users: [] - allowed_permissions: [create, read, update, delete] - uri: /process-groups/manage-procurement:procurement:* - - manage-revenue-streams-instances: - groups: ["core-contributor", "demo"] - users: [] - allowed_permissions: [create, read] - uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/* - - manage-procurement-invoice-instances: - groups: ["core-contributor", "demo"] - users: [] - allowed_permissions: [create, read] - uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:* - - 
manage-procurement-instances: - groups: ["core-contributor", "demo"] - users: [] - allowed_permissions: [create, read] - uri: /process-instances/manage-procurement:vendor-lifecycle-management:* - - create-test-instances: - groups: ["test"] - users: [] - allowed_permissions: [create, read] - uri: /process-instances/misc:test:* - - core1-admin-instances: - groups: ["core-contributor", "Finance Team"] - users: [] - allowed_permissions: [create, read] - uri: /process-instances/misc:category_number_one:process-model-with-form:* - core1-admin-instances-slash: - groups: ["core-contributor", "Finance Team"] - users: [] - allowed_permissions: [create, read] - uri: /process-instances/misc:category_number_one:process-model-with-form/* + # admin-readonly: + # groups: [admin-ro] + # users: [] + # allowed_permissions: [read] + # uri: /* + # admin-process-instances-for-readonly: + # groups: [admin-ro] + # users: [] + # allowed_permissions: [create, read, update, delete] + # uri: /process-instances/* + # + # tasks-crud: + # groups: [everybody] + # users: [] + # allowed_permissions: [create, read, update, delete] + # uri: /tasks/* + # service-tasks: + # groups: [everybody] + # users: [] + # allowed_permissions: [read] + # uri: /service-tasks + # user-groups-for-current-user: + # groups: [everybody] + # users: [] + # allowed_permissions: [read] + # uri: /user-groups/for-current-user + # + # # read all for everybody + # read-all-process-groups: + # groups: [everybody] + # users: [] + # allowed_permissions: [read] + # uri: /process-groups/* + # read-all-process-models: + # groups: [everybody] + # users: [] + # allowed_permissions: [read] + # uri: /process-models/* + # read-all-process-instances-for-me: + # groups: [everybody] + # users: [] + # allowed_permissions: [read] + # uri: /process-instances/for-me/* + # read-process-instance-reports: + # groups: [everybody] + # users: [] + # allowed_permissions: [create, read, update, delete] + # uri: /process-instances/reports/* + # 
processes-read: + # groups: [everybody] + # users: [] + # allowed_permissions: [read] + # uri: /processes + # + # + # finance-admin: + # groups: ["Finance Team"] + # users: [] + # allowed_permissions: [create, read, update, delete] + # uri: /process-groups/manage-procurement:procurement:* + # + # manage-revenue-streams-instances: + # groups: ["core-contributor", "demo"] + # users: [] + # allowed_permissions: [create, read] + # uri: /process-instances/manage-revenue-streams:product-revenue-streams:customer-contracts-trade-terms/* + # + # manage-procurement-invoice-instances: + # groups: ["core-contributor", "demo"] + # users: [] + # allowed_permissions: [create, read] + # uri: /process-instances/manage-procurement:procurement:core-contributor-invoice-management:* + # + # manage-procurement-instances: + # groups: ["core-contributor", "demo"] + # users: [] + # allowed_permissions: [create, read] + # uri: /process-instances/manage-procurement:vendor-lifecycle-management:* + # + # create-test-instances: + # groups: ["test"] + # users: [] + # allowed_permissions: [create, read] + # uri: /process-instances/misc:test:* + # + # core1-admin-instances: + # groups: ["core-contributor", "Finance Team"] + # users: [] + # allowed_permissions: [create, read] + # uri: /process-instances/misc:category_number_one:process-model-with-form:* + # core1-admin-instances-slash: + # groups: ["core-contributor", "Finance Team"] + # users: [] + # allowed_permissions: [create, read] + # uri: /process-instances/misc:category_number_one:process-model-with-form/* diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/testing.yml b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/testing.yml index 31724599..79a13710 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/testing.yml +++ b/spiffworkflow-backend/src/spiffworkflow_backend/config/permissions/testing.yml 
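Review bot: The 98 lines of permission grants this hunk turns into `#` comments should be deleted rather than kept as dead configuration; version control preserves them, and a commented-out block this size invites someone to uncomment it wholesale later. That matters because the block still carries grants that read as mistakes waiting to return — `admin-process-instances-for-readonly` gives the `admin-ro` group `[create, read, update, delete]` on `/process-instances/*`, and `read-process-instance-reports` gives `everybody` full CRUD on `/process-instances/reports/*`. If the intent is to keep them as examples for developers, say so once at the top of the block, e.g. `# Example grants — intentionally disabled; copy individual entries into a real config rather than uncommenting the block.` The enclosing `permissions:` mapping starts before this hunk.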
@@ -21,7 +21,7 @@ permissions: admin: groups: [admin] users: [] - allowed_permissions: [create, read, update, delete, list, instantiate] + allowed_permissions: [create, read, update, delete] uri: /* read-all: diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py b/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py index 63295f74..04dfb5fa 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/models/permission_assignment.py @@ -32,14 +32,6 @@ class Permission(enum.Enum): update = "update" delete = "delete" - # maybe read to GET process_model/process-instances instead? - list = "list" - - # maybe use create instead on - # POST http://localhost:7000/v1.0/process-models/category_number_one/call-activity/process-instances/* - # POST http://localhost:7000/v1.0/process-models/category_number_one/call-activity/process-instances/332/run - instantiate = "instantiate" # this is something you do to a process model - class PermissionAssignmentModel(SpiffworkflowBaseDBModel): """PermissionAssignmentModel.""" diff --git a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py index 94c07d4c..4ebba797 100644 --- a/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py +++ b/spiffworkflow-backend/src/spiffworkflow_backend/services/authorization_service.py @@ -112,7 +112,7 @@ class AuthorizationService: # to check for exact matches as well # see test_user_can_access_base_path_when_given_wildcard_permission unit test text( - f"'{target_uri_normalized}' = replace(permission_target.uri, '/%', '')" + f"'{target_uri_normalized}' = replace(replace(permission_target.uri, '/%', ''), ':%', '')" ), ) ) 
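Review bot: Removing `list` and `instantiate` from `Permission` breaks any `permission_assignment` row that still stores one of those values if the `permission` column is mapped onto this enum — SQLAlchemy's `Enum` type typically raises a `LookupError` when a loaded value is not among the enum members, which would turn a stale grant into a server error on every permission check rather than a denied access. I cannot see the column definition from this hunk (`PermissionAssignmentModel` continues outside it), so please confirm the column type and either add a data migration that deletes or rewrites rows with `permission IN ('list', 'instantiate')`, or at minimum record the retirement next to the enum, e.g. `# 'list' and 'instantiate' were removed; rows still holding them must be migrated to read/create.`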
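Review bot: The new `replace(replace(...), ':%', '')` expression keeps `target_uri_normalized` interpolated into raw SQL through an f-string; the value lands inside a single-quoted literal, so a quote character in the URI breaks the statement, and if the URI derives from the request path this is a SQL injection surface rather than just a robustness bug. Bind it instead: `text(":target_uri = replace(replace(permission_target.uri, '/%', ''), ':%', '')").bindparams(target_uri=target_uri_normalized)`. Note also that both `replace` calls strip every `/%` and `:%` occurrence, not only a trailing wildcard, so a stored URI containing either sequence mid-path would be compared in a mangled form — presumably none do, but stating that assumption in the existing comment above would help. The enclosing method starts and ends outside this hunk, and the unit test named in the comment only covers the `/%` case; the `:%` branch deserves its own.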
@@ -605,9 +605,9 @@ class AuthorizationService: if target.startswith("PG:"): process_group_identifier = ( - target.removeprefix("PG:").replace(":", "/").removeprefix("/") + target.removeprefix("PG:").replace("/", ":").removeprefix(":") ) - process_related_path_segment = f"{process_group_identifier}/*" + process_related_path_segment = f"{process_group_identifier}:*" if process_group_identifier == "ALL": process_related_path_segment = "*" target_uris = [ @@ -623,7 +623,7 @@ class AuthorizationService: elif target.startswith("PM:"): process_model_identifier = ( - target.removeprefix("PM:").replace(":", "/").removeprefix("/") + target.removeprefix("PM:").replace("/", ":").removeprefix(":") ) process_related_path_segment = f"{process_model_identifier}/*" diff --git a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py index 300b99ad..d03f2637 100644 --- a/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py +++ b/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_authorization_service.py 
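Review bot: The `PG:` branch now expands to `{identifier}:*` while the `PM:` branch a few lines below still expands to `{identifier}/*`, and nothing in the code says why the separator differs, so a reader will assume one of them is a typo. Add a comment above the `PG:` branch stating the convention, e.g. `# Group/model identifiers use ':' as the separator inside a URI segment and '/' separates the identifier from sub-resources, so a group grant is '<group>:*' but a model grant is '<model>/*'.` — verify this against the routes, since I can only infer it from the updated tests. Separately, `removeprefix(":")` after `replace("/", ":")` strips a single leading separator, so a target such as `PG:/a//b` or one with a trailing slash yields a doubled `::` in the pattern; if such inputs are possible, `.strip("/")` before the replace would normalize them. `explode_permissions` starts and ends outside this hunk.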
@@ -154,58 +154,58 @@ class TestAuthorizationService(BaseTest): ) -> None: """Test_explode_permissions_all_on_process_group.""" expected_permissions = [ - ("/logs/some-process-group/some-process-model/*", "create"), - ("/logs/some-process-group/some-process-model/*", "delete"), - ("/logs/some-process-group/some-process-model/*", "read"), - ("/logs/some-process-group/some-process-model/*", "update"), - ("/process-groups/some-process-group/some-process-model/*", "create"), - ("/process-groups/some-process-group/some-process-model/*", "delete"), - ("/process-groups/some-process-group/some-process-model/*", "read"), - ("/process-groups/some-process-group/some-process-model/*", "update"), + ("/logs/some-process-group:some-process-model:*", "create"), + ("/logs/some-process-group:some-process-model:*", "delete"), + ("/logs/some-process-group:some-process-model:*", "read"), + ("/logs/some-process-group:some-process-model:*", "update"), + ("/process-groups/some-process-group:some-process-model:*", "create"), + ("/process-groups/some-process-group:some-process-model:*", "delete"), + ("/process-groups/some-process-group:some-process-model:*", "read"), + ("/process-groups/some-process-group:some-process-model:*", "update"), ( - "/process-instance-suspend/some-process-group/some-process-model/*", + "/process-instance-suspend/some-process-group:some-process-model:*", "create", ), ( - "/process-instance-suspend/some-process-group/some-process-model/*", + "/process-instance-suspend/some-process-group:some-process-model:*", "delete", ), ( - "/process-instance-suspend/some-process-group/some-process-model/*", + "/process-instance-suspend/some-process-group:some-process-model:*", "read", ), ( - "/process-instance-suspend/some-process-group/some-process-model/*", + "/process-instance-suspend/some-process-group:some-process-model:*", "update", ), ( - "/process-instance-terminate/some-process-group/some-process-model/*", + 
"/process-instance-terminate/some-process-group:some-process-model:*", "create", ), ( - "/process-instance-terminate/some-process-group/some-process-model/*", + "/process-instance-terminate/some-process-group:some-process-model:*", "delete", ), ( - "/process-instance-terminate/some-process-group/some-process-model/*", + "/process-instance-terminate/some-process-group:some-process-model:*", "read", ), ( - "/process-instance-terminate/some-process-group/some-process-model/*", + "/process-instance-terminate/some-process-group:some-process-model:*", "update", ), - ("/process-instances/some-process-group/some-process-model/*", "create"), - ("/process-instances/some-process-group/some-process-model/*", "delete"), - ("/process-instances/some-process-group/some-process-model/*", "read"), - ("/process-instances/some-process-group/some-process-model/*", "update"), - ("/process-models/some-process-group/some-process-model/*", "create"), - ("/process-models/some-process-group/some-process-model/*", "delete"), - ("/process-models/some-process-group/some-process-model/*", "read"), - ("/process-models/some-process-group/some-process-model/*", "update"), - ("/task-data/some-process-group/some-process-model/*", "create"), - ("/task-data/some-process-group/some-process-model/*", "delete"), - ("/task-data/some-process-group/some-process-model/*", "read"), - ("/task-data/some-process-group/some-process-model/*", "update"), + ("/process-instances/some-process-group:some-process-model:*", "create"), + ("/process-instances/some-process-group:some-process-model:*", "delete"), + ("/process-instances/some-process-group:some-process-model:*", "read"), + ("/process-instances/some-process-group:some-process-model:*", "update"), + ("/process-models/some-process-group:some-process-model:*", "create"), + ("/process-models/some-process-group:some-process-model:*", "delete"), + ("/process-models/some-process-group:some-process-model:*", "read"), + 
("/process-models/some-process-group:some-process-model:*", "update"), + ("/task-data/some-process-group:some-process-model:*", "create"), + ("/task-data/some-process-group:some-process-model:*", "delete"), + ("/task-data/some-process-group:some-process-model:*", "read"), + ("/task-data/some-process-group:some-process-model:*", "update"), ] permissions_to_assign = AuthorizationService.explode_permissions( "all", "PG:/some-process-group/some-process-model" @@ -224,10 +224,10 @@ class TestAuthorizationService(BaseTest): """Test_explode_permissions_start_on_process_group.""" expected_permissions = [ ( - "/process-instances/for-me/some-process-group/some-process-model/*", + "/process-instances/for-me/some-process-group:some-process-model:*", "read", ), - ("/process-instances/some-process-group/some-process-model/*", "create"), + ("/process-instances/some-process-group:some-process-model:*", "create"), ] permissions_to_assign = AuthorizationService.explode_permissions( "start", "PG:/some-process-group/some-process-model" 
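Review bot: These expectations only exercise the wildcard form `some-process-group:some-process-model:*`; nothing covers the case the new `':%'` exact-match rewrite in `authorization_service.py` exists for, namely that a grant on `/process-groups/some-group:*` also authorizes a request to `/process-groups/some-group` itself. Add a companion to `test_user_can_access_base_path_when_given_wildcard_permission` that grants a colon-separated group wildcard and asserts the permission check succeeds for the bare group path, using whatever permission-check helper that existing test already uses. The test method enclosing these expectations starts before this hunk.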
@@ -245,54 +245,54 @@ class TestAuthorizationService(BaseTest): ) -> None: """Test_explode_permissions_all_on_process_model.""" expected_permissions = [ - ("/logs/some-process-group/some-process-model/*", "create"), - ("/logs/some-process-group/some-process-model/*", "delete"), - ("/logs/some-process-group/some-process-model/*", "read"), - ("/logs/some-process-group/some-process-model/*", "update"), + ("/logs/some-process-group:some-process-model/*", "create"), + ("/logs/some-process-group:some-process-model/*", "delete"), + ("/logs/some-process-group:some-process-model/*", "read"), + ("/logs/some-process-group:some-process-model/*", "update"), ( - "/process-instance-suspend/some-process-group/some-process-model/*", + "/process-instance-suspend/some-process-group:some-process-model/*", "create", ), ( - "/process-instance-suspend/some-process-group/some-process-model/*", + "/process-instance-suspend/some-process-group:some-process-model/*", "delete", ), ( - "/process-instance-suspend/some-process-group/some-process-model/*", + "/process-instance-suspend/some-process-group:some-process-model/*", "read", ), ( - "/process-instance-suspend/some-process-group/some-process-model/*", + "/process-instance-suspend/some-process-group:some-process-model/*", "update", ), ( - "/process-instance-terminate/some-process-group/some-process-model/*", + "/process-instance-terminate/some-process-group:some-process-model/*", "create", ), ( - "/process-instance-terminate/some-process-group/some-process-model/*", + "/process-instance-terminate/some-process-group:some-process-model/*", "delete", ), ( - "/process-instance-terminate/some-process-group/some-process-model/*", + "/process-instance-terminate/some-process-group:some-process-model/*", "read", ), ( - "/process-instance-terminate/some-process-group/some-process-model/*", + "/process-instance-terminate/some-process-group:some-process-model/*", "update", ), - ("/process-instances/some-process-group/some-process-model/*", "create"), - 
("/process-instances/some-process-group/some-process-model/*", "delete"), - ("/process-instances/some-process-group/some-process-model/*", "read"), - ("/process-instances/some-process-group/some-process-model/*", "update"), - ("/process-models/some-process-group/some-process-model/*", "create"), - ("/process-models/some-process-group/some-process-model/*", "delete"), - ("/process-models/some-process-group/some-process-model/*", "read"), - ("/process-models/some-process-group/some-process-model/*", "update"), - ("/task-data/some-process-group/some-process-model/*", "create"), - ("/task-data/some-process-group/some-process-model/*", "delete"), - ("/task-data/some-process-group/some-process-model/*", "read"), - ("/task-data/some-process-group/some-process-model/*", "update"), + ("/process-instances/some-process-group:some-process-model/*", "create"), + ("/process-instances/some-process-group:some-process-model/*", "delete"), + ("/process-instances/some-process-group:some-process-model/*", "read"), + ("/process-instances/some-process-group:some-process-model/*", "update"), + ("/process-models/some-process-group:some-process-model/*", "create"), + ("/process-models/some-process-group:some-process-model/*", "delete"), + ("/process-models/some-process-group:some-process-model/*", "read"), + ("/process-models/some-process-group:some-process-model/*", "update"), + ("/task-data/some-process-group:some-process-model/*", "create"), + ("/task-data/some-process-group:some-process-model/*", "delete"), + ("/task-data/some-process-group:some-process-model/*", "read"), + ("/task-data/some-process-group:some-process-model/*", "update"), ] permissions_to_assign = AuthorizationService.explode_permissions( "all", "PM:/some-process-group/some-process-model" 
@@ -311,10 +311,10 @@ class TestAuthorizationService(BaseTest): """Test_explode_permissions_start_on_process_model.""" expected_permissions = [ ( - "/process-instances/for-me/some-process-group/some-process-model/*", + "/process-instances/for-me/some-process-group:some-process-model/*", "read", ), - ("/process-instances/some-process-group/some-process-model/*", "create"), + ("/process-instances/some-process-group:some-process-model/*", "create"), ] permissions_to_assign = AuthorizationService.explode_permissions( "start", "PM:/some-process-group/some-process-model"