spiff-arena/spiffworkflow-backend/tests/spiffworkflow_backend/unit/test_permissions.py

from flask.app import Flask
from flask.testing import FlaskClient
from spiffworkflow_backend.models.db import db
from spiffworkflow_backend.models.group import GroupModel
from spiffworkflow_backend.models.permission_assignment import PermissionAssignmentModel
from spiffworkflow_backend.models.permission_target import PermissionTargetModel
from spiffworkflow_backend.models.principal import PrincipalModel
from spiffworkflow_backend.services.user_service import UserService

from tests.spiffworkflow_backend.helpers.base_test import BaseTest
from tests.spiffworkflow_backend.helpers.test_data import load_test_spec

# we think we can get the list of roles for a user.
# spiff needs a way to determine what each role allows.


# user role allows list and read of all process groups/models
# super-admin role allows create, update, and delete of all process groups/models
#  * super-admins users maybe conventionally get the user role as well
# finance-admin role allows create, update, and delete of all models under the finance group
class TestPermissions(BaseTest):
    def test_user_can_be_given_permission_to_administer_process_group(
        self,
        app: Flask,
        client: FlaskClient,
        with_db_and_bpmn_file_cleanup: None,
    ) -> None:
        process_group_id = "group-a"
        load_test_spec(
            "group-a/timer_intermediate_catch_event",
            bpmn_file_name="timer_intermediate_catch_event.bpmn",
            process_model_source_directory="timer_intermediate_catch_event",
        )
        dan = self.find_or_create_user()
        principal = dan.principal

        permission_target = PermissionTargetModel(uri=f"/{process_group_id}")
        db.session.add(permission_target)
        db.session.commit()

        permission_assignment = PermissionAssignmentModel(
            permission_target_id=permission_target.id,
            principal_id=principal.id,
            permission="delete",
            grant_type="permit",
        )
        db.session.add(permission_assignment)
        db.session.commit()

    def test_group_a_admin_needs_to_stay_away_from_group_b(self, app: Flask, with_db_and_bpmn_file_cleanup: None) -> None:
        process_group_ids = ["group-a", "group-b"]
        process_group_a_id = process_group_ids[0]
        process_group_b_id = process_group_ids[1]
        load_test_spec(
            f"{process_group_a_id}/timer_intermediate_catch_event",
            bpmn_file_name="timer_intermediate_catch_event",
            process_model_source_directory="timer_intermediate_catch_event",
        )
        load_test_spec(
            f"{process_group_b_id}/hello_world",
            process_model_source_directory="hello_world",
        )
        group_a_admin = self.find_or_create_user()

        permission_target = PermissionTargetModel(uri=f"/{process_group_a_id}")
        db.session.add(permission_target)
        db.session.commit()

        permission_assignment = PermissionAssignmentModel(
            permission_target_id=permission_target.id,
            principal_id=group_a_admin.principal.id,
            permission="update",
            grant_type="permit",
        )
        db.session.add(permission_assignment)
        db.session.commit()

        self.assert_user_has_permission(group_a_admin, "update", f"/{process_group_a_id}")
        self.assert_user_has_permission(group_a_admin, "update", f"/{process_group_b_id}", expected_result=False)

    def test_user_can_be_granted_access_through_a_group(self, app: Flask, with_db_and_bpmn_file_cleanup: None) -> None:
        process_group_ids = ["group-a", "group-b"]
        process_group_a_id = process_group_ids[0]
        load_test_spec(
            f"{process_group_a_id}/timer_intermediate_catch_event",
            bpmn_file_name="timer_intermediate_catch_event",
            process_model_source_directory="timer_intermediate_catch_event",
        )
        load_test_spec(
            f"{process_group_ids[1]}/hello_world",
            process_model_source_directory="hello_world",
        )
        user = self.find_or_create_user()
        group = GroupModel(identifier="groupA")
        db.session.add(group)
        db.session.commit()

        UserService.add_user_to_group(user, group)

        permission_target = PermissionTargetModel(uri=f"/{process_group_a_id}")
        db.session.add(permission_target)
        db.session.commit()

        principal = PrincipalModel(group_id=group.id)
        db.session.add(principal)
        db.session.commit()

        permission_assignment = PermissionAssignmentModel(
            permission_target_id=permission_target.id,
            principal_id=group.principal.id,
            permission="update",
            grant_type="permit",
        )
        db.session.add(permission_assignment)
        db.session.commit()

        self.assert_user_has_permission(user, "update", f"/{process_group_a_id}")

    def test_user_can_be_read_models_with_global_permission(self, app: Flask, with_db_and_bpmn_file_cleanup: None) -> None:
        process_group_ids = ["group-a", "group-b"]
        process_group_a_id = process_group_ids[0]
        process_group_b_id = process_group_ids[1]
        load_test_spec(
            f"{process_group_a_id}/timer_intermediate_catch_event",
            bpmn_file_name="timer_intermediate_catch_event",
            process_model_source_directory="timer_intermediate_catch_event",
        )
        load_test_spec(
            f"{process_group_b_id}/hello_world",
            process_model_source_directory="hello_world",
        )
        group_a_admin = self.find_or_create_user()

        permission_target = PermissionTargetModel(uri="/%")
        db.session.add(permission_target)
        db.session.commit()

        permission_assignment = PermissionAssignmentModel(
            permission_target_id=permission_target.id,
            principal_id=group_a_admin.principal.id,
            permission="update",
            grant_type="permit",
        )
        db.session.add(permission_assignment)
        db.session.commit()

        self.assert_user_has_permission(group_a_admin, "update", f"/{process_group_a_id}")
        self.assert_user_has_permission(group_a_admin, "update", f"/{process_group_b_id}")

    def test_user_can_access_base_path_when_given_wildcard_permission(
        self, app: Flask, with_db_and_bpmn_file_cleanup: None
    ) -> None:
        group_a_admin = self.find_or_create_user()

        permission_target = PermissionTargetModel(uri="/process-models/%")
        db.session.add(permission_target)
        db.session.commit()

        permission_assignment = PermissionAssignmentModel(
            permission_target_id=permission_target.id,
            principal_id=group_a_admin.principal.id,
            permission="update",
            grant_type="permit",
        )
        db.session.add(permission_assignment)
        db.session.commit()

        self.assert_user_has_permission(group_a_admin, "update", "/process-models/hey")
        self.assert_user_has_permission(group_a_admin, "update", "/process-models/")
        self.assert_user_has_permission(group_a_admin, "update", "/process-models")
        self.assert_user_has_permission(group_a_admin, "update", "/process-modelshey", expected_result=False)