Merge pull request #746 from dod-ccpo/application_roles

Application roles
2019-04-08 14:22:52 -04:00
parent 2ae9f0cab7 b17741acd1
commit d0bf5745e6
17 changed files with 406 additions and 60 deletions
--- a/tests/domain/test_authz.py
+++ b/tests/domain/test_authz.py
@@ -1,6 +1,7 @@
 import pytest

 from tests.factories import (
+    ApplicationRoleFactory,
    TaskOrderFactory,
    UserFactory,
    PortfolioFactory,
@@ -69,6 +70,22 @@ def test_has_portfolio_permission():
    )


+def test_has_application_permission():
+    role_one = PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM)
+    role_two = PermissionSets.get(PermissionSets.EDIT_APPLICATION_ENVIRONMENTS)
+    app_role = ApplicationRoleFactory.create(permission_sets=[role_one, role_two])
+    different_user = UserFactory.create()
+    assert Authorization.has_application_permission(
+        app_role.user, app_role.application, Permissions.EDIT_ENVIRONMENT
+    )
+    assert not Authorization.has_portfolio_permission(
+        app_role.user, app_role.application, Permissions.DELETE_ENVIRONMENT
+    )
+    assert not Authorization.has_portfolio_permission(
+        different_user, app_role.application, Permissions.DELETE_ENVIRONMENT
+    )
+
+
 def test_user_can_access():
    ccpo = UserFactory.create_ccpo()
    edit_admin = UserFactory.create()
@@ -120,7 +137,23 @@ def set_current_user(request_ctx):
    request_ctx.g.current_user = None


-def test_user_can_access_decorator(set_current_user):
+def test_user_can_access_decorator_atat_level(set_current_user):
+    ccpo = UserFactory.create_ccpo()
+    rando = UserFactory.create()
+
+    @user_can_access_decorator(Permissions.VIEW_AUDIT_LOG)
+    def _access_activity_log(*args, **kwargs):
+        return True
+
+    set_current_user(ccpo)
+    assert _access_activity_log()
+
+    set_current_user(rando)
+    with pytest.raises(UnauthorizedError):
+        _access_activity_log()
+
+
+def test_user_can_access_decorator_portfolio_level(set_current_user):
    ccpo = UserFactory.create_ccpo()
    edit_admin = UserFactory.create()
    view_admin = UserFactory.create()
@@ -144,6 +177,36 @@ def test_user_can_access_decorator(set_current_user):
        _edit_portfolio_name(portfolio_id=portfolio.id)


+def test_user_can_access_decorator_application_level(set_current_user):
+    ccpo = UserFactory.create_ccpo()
+    port_admin = UserFactory.create()
+    app_user = UserFactory.create()
+    rando = UserFactory.create()
+
+    portfolio = PortfolioFactory.create(
+        owner=port_admin, applications=[{"name": "Mos Eisley"}]
+    )
+    app = portfolio.applications[0]
+    ApplicationRoleFactory.create(application=app, user=app_user)
+
+    @user_can_access_decorator(Permissions.VIEW_APPLICATION)
+    def _stroll_into_mos_eisley(*args, **kwargs):
+        return True
+
+    set_current_user(ccpo)
+    assert _stroll_into_mos_eisley(application_id=app.id)
+
+    set_current_user(port_admin)
+    assert _stroll_into_mos_eisley(application_id=app.id)
+
+    set_current_user(app_user)
+    assert _stroll_into_mos_eisley(application_id=app.id)
+
+    set_current_user(rando)
+    with pytest.raises(UnauthorizedError):
+        _stroll_into_mos_eisley(application_id=app.id)
+
+
 def test_user_can_access_decorator_override(set_current_user):
    rando_calrissian = UserFactory.create()
    darth_vader = UserFactory.create()
--- a/tests/factories.py
+++ b/tests/factories.py
@@ -4,22 +4,14 @@ import string
 import factory
 from uuid import uuid4
 import datetime
-from faker import Faker as _Faker

 from atst.forms import data
-from atst.models.attachment import Attachment
-from atst.models.environment import Environment
-from atst.models.application import Application
-from atst.models.task_order import TaskOrder
-from atst.models.user import User
-from atst.models.permission_set import PermissionSet
-from atst.models.portfolio import Portfolio
-from atst.domain.permission_sets import PermissionSets, PORTFOLIO_PERMISSION_SETS
-from atst.models.portfolio_role import PortfolioRole, Status as PortfolioRoleStatus
-from atst.models.environment_role import EnvironmentRole
-from atst.models.invitation import Invitation, Status as InvitationStatus
-from atst.models.dd_254 import DD254
+from atst.models import *
+from atst.models.portfolio_role import Status as PortfolioRoleStatus
+from atst.models.application_role import Status as ApplicationRoleStatus
+from atst.models.invitation import Status as InvitationStatus
 from atst.domain.invitations import Invitations
+from atst.domain.permission_sets import PermissionSets
 from atst.domain.portfolio_roles import PortfolioRoles


@@ -71,6 +63,10 @@ def base_portfolio_permission_sets():
    ]


+def base_application_permission_sets():
+    return [PermissionSets.get(PermissionSets.VIEW_APPLICATION)]
+
+
 def get_all_portfolio_permission_sets():
    return PermissionSets.get_many(PortfolioRoles.PORTFOLIO_PERMISSION_SETS)

@@ -169,6 +165,20 @@ class ApplicationFactory(Base):
        with_environments = kwargs.pop("environments", [])
        application = super()._create(model_class, *args, **kwargs)

+        # need to create application roles for environment users
+        app_members_from_envs = set()
+        for env in with_environments:
+            with_members = env.get("members", [])
+            for member_data in with_members:
+                member = member_data.get("user", UserFactory.create())
+                app_members_from_envs.add(member)
+                # set for environments in case we just created the
+                # user for the application
+                member_data["user"] = member
+
+        for member in app_members_from_envs:
+            ApplicationRoleFactory.create(application=application, user=member)
+
        environments = [
            EnvironmentFactory.create(application=application, **e)
            for e in with_environments
@@ -207,6 +217,16 @@ class PortfolioRoleFactory(Base):
    permission_sets = factory.LazyFunction(base_portfolio_permission_sets)


+class ApplicationRoleFactory(Base):
+    class Meta:
+        model = ApplicationRole
+
+    application = factory.SubFactory(ApplicationFactory)
+    user = factory.SubFactory(UserFactory)
+    status = ApplicationRoleStatus.PENDING
+    permission_sets = factory.LazyFunction(base_application_permission_sets)
+
+
 class EnvironmentRoleFactory(Base):
    class Meta:
        model = EnvironmentRole
--- a/tests/models/test_application.py
+++ b/tests/models/test_application.py
@@ -1,5 +1,4 @@
-from atst.domain.environments import Environments
-from tests.factories import ApplicationFactory, UserFactory
+from tests.factories import ApplicationFactory, ApplicationRoleFactory


 def test_application_num_users():
@@ -8,15 +7,5 @@ def test_application_num_users():
    )
    assert application.num_users == 0

-    first_env = application.environments[0]
-    user1 = UserFactory()
-    Environments.add_member(first_env, user1, "developer")
+    ApplicationRoleFactory.create(application=application)
    assert application.num_users == 1
-
-    second_env = application.environments[-1]
-    Environments.add_member(second_env, user1, "developer")
-    assert application.num_users == 1
-
-    user2 = UserFactory()
-    Environments.add_member(second_env, user2, "developer")
-    assert application.num_users == 2
--- a/tests/models/test_application_role.py
+++ b/tests/models/test_application_role.py
@@ -0,0 +1,40 @@
+from atst.domain.permission_sets import PermissionSets
+from atst.models.audit_event import AuditEvent
+
+from tests.factories import PortfolioFactory, UserFactory
+
+
+def test_has_application_role_history(session):
+    owner = UserFactory.create()
+    user = UserFactory.create()
+
+    PortfolioFactory.create(
+        owner=owner,
+        applications=[
+            {
+                "name": "starkiller",
+                "environments": [
+                    {
+                        "name": "bridge",
+                        "members": [{"user": user, "role_name": "developer"}],
+                    }
+                ],
+            }
+        ],
+    )
+
+    app_role = user.application_roles[0]
+    app_role.permission_sets = [
+        PermissionSets.get(PermissionSets.EDIT_APPLICATION_TEAM)
+    ]
+    session.add(app_role)
+    session.commit()
+
+    changed_event = (
+        session.query(AuditEvent)
+        .filter(AuditEvent.resource_id == app_role.id, AuditEvent.action == "update")
+        .one()
+    )
+    old_state, new_state = changed_event.changed_state["permission_sets"]
+    assert old_state == [PermissionSets.VIEW_APPLICATION]
+    assert new_state == [PermissionSets.EDIT_APPLICATION_TEAM]
--- a/tests/test_access.py
+++ b/tests/test_access.py
@@ -12,6 +12,7 @@ from atst.models.portfolio_role import Status as PortfolioRoleStatus

 from tests.factories import (
    AttachmentFactory,
+    ApplicationRoleFactory,
    InvitationFactory,
    PortfolioFactory,
    PortfolioRoleFactory,
@@ -156,12 +157,14 @@ def test_portfolios_access_environment_access(get_url_assert_status):
 def test_portfolios_application_members_access(get_url_assert_status):
    ccpo = user_with(PermissionSets.VIEW_PORTFOLIO_APPLICATION_MANAGEMENT)
    owner = user_with()
+    app_dev = user_with()
    rando = user_with()
    portfolio = PortfolioFactory.create(
        owner=owner,
        applications=[{"name": "Mos Eisley", "description": "Where Han shot first"}],
    )
    app = portfolio.applications[0]
+    ApplicationRoleFactory.create(application=app, user=app_dev)

    url = url_for(
        "portfolios.application_members",
@@ -170,6 +173,7 @@ def test_portfolios_application_members_access(get_url_assert_status):
    )
    get_url_assert_status(ccpo, url, 200)
    get_url_assert_status(owner, url, 200)
+    get_url_assert_status(app_dev, url, 200)
    get_url_assert_status(rando, url, 404)


@@ -570,7 +574,7 @@ def test_portfolios_update_member_access(post_url_assert_status):
    prt_member = user_with()

    portfolio = PortfolioFactory.create(owner=owner)
-    prr = PortfolioRoleFactory.create(user=prt_member, portfolio=portfolio)
+    PortfolioRoleFactory.create(user=prt_member, portfolio=portfolio)

    url = url_for(
        "portfolios.update_member", portfolio_id=portfolio.id, member_id=prt_member.id
@@ -588,7 +592,7 @@ def test_portfolios_view_member_access(get_url_assert_status):
    prt_member = user_with()

    portfolio = PortfolioFactory.create(owner=owner)
-    prr = PortfolioRoleFactory.create(user=prt_member, portfolio=portfolio)
+    PortfolioRoleFactory.create(user=prt_member, portfolio=portfolio)

    url = url_for(
        "portfolios.view_member", portfolio_id=portfolio.id, member_id=prt_member.id