Commit 92a8e38a authored by Paul Graydon's avatar Paul Graydon

ors_wendelin_test: Update tests

parent e9ab7062
...@@ -68,11 +68,11 @@ class ORSWendelinTest(SecurityTestCase): ...@@ -68,11 +68,11 @@ class ORSWendelinTest(SecurityTestCase):
module.manage_delObjects(ids=test_object_ids) module.manage_delObjects(ids=test_object_ids)
self.tic() self.tic()
def _createOrsWendelinUser(self, reference, project, role): def _createOrsWendelinUser(self, reference, project, function):
# Create and validate a new Person with an assignment associated to the given project and the given role # Create and validate a new Person with an assignment associated to the given project and the given function
user = self.portal.person_module.newContent(portal_type='Person', user = self.portal.person_module.newContent(portal_type='Person',
reference=reference) reference=reference)
user.newContent(portal_type='Assignment', destination_project=project, role=role).open() user.newContent(portal_type='Assignment', destination_project=project, function=function).open()
user.newContent(portal_type='ERP5 Login', reference=reference, password=reference).validate() user.newContent(portal_type='ERP5 Login', reference=reference, password=reference).validate()
user.validate() user.validate()
self.tic() self.tic()
...@@ -94,7 +94,7 @@ class ORSWendelinTest(SecurityTestCase): ...@@ -94,7 +94,7 @@ class ORSWendelinTest(SecurityTestCase):
} }
# Call the script responsible for creating the project and all associated items and store the JSON response # Call the script responsible for creating the project and all associated items and store the JSON response
response = self.portal.ERP5Site_registerOrsClientProject( response = self.portal.Base_registerOrsClientProject(
references_dict['project'], references_dict['project'],
references_dict['project'], references_dict['project'],
references_dict['client_user'], references_dict['client_user'],
...@@ -219,44 +219,61 @@ class ORSWendelinTest(SecurityTestCase): ...@@ -219,44 +219,61 @@ class ORSWendelinTest(SecurityTestCase):
else: else:
self.failIfUserCanAddDocument(user_id, document) self.failIfUserCanAddDocument(user_id, document)
def _checkIngestionDocumentsPermissions(self, user, ingestion_objects, user_is_manager, same_project): def _checkIngestionDocumentsPermissions(self, user, ingestion_objects, user_is_admin, same_project):
# A client can only view a Data Acquisition Unit (ORS) if it is associated to their project # A client can only view a Data Acquisition Unit (ORS) if it is associated to their project
# A manager can view and edit all of them, as well as add one # An administrator can view and edit all of them, as well as add one
self._checkDocumentPermissions(user, ingestion_objects['data_acquisition_unit'], user_is_manager or same_project, user_is_manager, user_is_manager) self._checkDocumentPermissions(user, ingestion_objects['data_acquisition_unit'], user_is_admin or same_project, user_is_admin, user_is_admin)
# Same as above for a Data Supply (required for scoping clients to their projects) # Same as above for a Data Supply (required for scoping clients to their projects)
self._checkDocumentPermissions(user, ingestion_objects['data_supply'], user_is_manager or same_project, user_is_manager, user_is_manager) self._checkDocumentPermissions(user, ingestion_objects['data_supply'], user_is_admin or same_project, user_is_admin, user_is_admin)
# Only a manager can view a Data Stream, and nothing else # Only an administrator can view a Data Stream, and nothing else
self._checkDocumentPermissions(user, ingestion_objects['data_stream'], user_is_manager, False, False) self._checkDocumentPermissions(user, ingestion_objects['data_stream'], user_is_admin, False, False)
# A client can view a Data Array if it is associated to their project # A client can view a Data Array if it is associated to their project
# A manager can view all of them # An administrator can view all of them
for data_array in ingestion_objects['data_arrays']: for data_array in ingestion_objects['data_arrays']:
self._checkDocumentPermissions(user, data_array, user_is_manager or same_project, False, False) self._checkDocumentPermissions(user, data_array, user_is_admin or same_project, False, False)
def _checkModulePermissions(self, user, user_is_manager): def _checkModulePermissions(self, user, user_is_admin):
# Everyone can view the Data Acquisition Unit and Data Supply modules # Everyone can view the Data Acquisition Unit and Data Supply modules
# Only managers can add documents to them # Only administrators can add documents to them
self._checkDocumentPermissions(user, self.portal.data_acquisition_unit_module, True, False, user_is_manager) self._checkDocumentPermissions(user, self.portal.data_acquisition_unit_module, True, False, user_is_admin)
self._checkDocumentPermissions(user, self.portal.data_supply_module, True, False, user_is_manager) self._checkDocumentPermissions(user, self.portal.data_supply_module, True, False, user_is_admin)
# Only managers can view the Data Ingestion and Data Stream modules # Everyone can view the Data Product module (required for KPI graphing)
self._checkDocumentPermissions(user, self.portal.data_ingestion_module, user_is_manager, False, False) # Everyone can also view the two data products used in the KPI calculation process (required for KPI graphing)
self._checkDocumentPermissions(user, self.portal.data_stream_module, user_is_manager, False, False) self._checkDocumentPermissions(user, self.portal.data_product_module, True, False, False)
ors_kpi = self.portal.portal_catalog.getResultValue(portal_type='Data Product',
reference='ors_kpi',
validation_state='validated')
self._checkDocumentPermissions(user, ors_kpi, True, False, False)
ors_enb_log_data = self.portal.portal_catalog.getResultValue(portal_type='Data Product',
reference='ors_enb_log_data',
validation_state='validated')
self._checkDocumentPermissions(user, ors_enb_log_data, True, False, False)
# Everyone can view the Data Transformation module (required for KPI graphing) # Everyone can view the Data Transformation module (required for KPI graphing)
# Everyone can also view the data transformation used to produce the KPIs (required for KPI graphing)
self._checkDocumentPermissions(user, self.portal.data_transformation_module, True, False, False) self._checkDocumentPermissions(user, self.portal.data_transformation_module, True, False, False)
data_transformation = self.portal.portal_catalog.getResultValue(portal_type='Data Transformation',
reference='ors_enb_log_data_transformation',
validation_state='validated')
self._checkDocumentPermissions(user, data_transformation, True, False, False)
# Only managers can view the Data Analysis module # Only administrators can view the Data Ingestion and Data Stream modules
self._checkDocumentPermissions(user, self.portal.data_analysis_module, user_is_manager, False, False) self._checkDocumentPermissions(user, self.portal.data_ingestion_module, user_is_admin, False, False)
self._checkDocumentPermissions(user, self.portal.data_stream_module, user_is_admin, False, False)
# Only administrators can view the Data Analysis module
self._checkDocumentPermissions(user, self.portal.data_analysis_module, user_is_admin, False, False)
# Everyone can view the Data Array module (required for KPI graphing) # Everyone can view the Data Array module (required for KPI graphing)
self._checkDocumentPermissions(user, self.portal.data_array_module, True, False, False) self._checkDocumentPermissions(user, self.portal.data_array_module, True, False, False)
# Only managers have access to the Person and Project modules and can add items to them for client management purposes # Only administrators have access to the Person and Project modules and can add items to them for client management purposes
self._checkDocumentPermissions(user, self.portal.project_module, user_is_manager, False, user_is_manager) self._checkDocumentPermissions(user, self.portal.project_module, user_is_admin, False, user_is_admin)
self._checkDocumentPermissions(user, self.portal.person_module, user_is_manager, False, user_is_manager) self._checkDocumentPermissions(user, self.portal.person_module, user_is_admin, False, user_is_admin)
def test_01_createOrsDataSupply(self): def test_01_createOrsDataSupply(self):
''' '''
...@@ -274,6 +291,7 @@ class ORSWendelinTest(SecurityTestCase): ...@@ -274,6 +291,7 @@ class ORSWendelinTest(SecurityTestCase):
self.tic() self.tic()
# Call the tested script which creates a related Data Supply # Call the tested script which creates a related Data Supply
# No need to assign a project to it here
data_supply = data_acquisition_unit.DataAcquisitionUnit_createOrsDataSupply(batch=1) data_supply = data_acquisition_unit.DataAcquisitionUnit_createOrsDataSupply(batch=1)
self.tic() self.tic()
...@@ -281,6 +299,8 @@ class ORSWendelinTest(SecurityTestCase): ...@@ -281,6 +299,8 @@ class ORSWendelinTest(SecurityTestCase):
self.assertTrue(data_supply is not None) self.assertTrue(data_supply is not None)
self.assertTrue(data_supply.getValidationState() == 'validated') self.assertTrue(data_supply.getValidationState() == 'validated')
# TODO: Redo this with a destination_project
def test_02_registerOrsClientProject(self): def test_02_registerOrsClientProject(self):
''' '''
Test the script called during slave instantiation in SlapOS to register a new client project. Test the script called during slave instantiation in SlapOS to register a new client project.
...@@ -477,7 +497,7 @@ class ORSWendelinTest(SecurityTestCase): ...@@ -477,7 +497,7 @@ class ORSWendelinTest(SecurityTestCase):
def test_05_orsWendelinSecurityModel(self): def test_05_orsWendelinSecurityModel(self):
''' '''
Test ORS Wendelin's custom security model: check that different users can only access the ingestion documents relative to their role and project. Test ORS Wendelin's custom security model: check that different users can only access the ingestion documents relative to their function and project.
''' '''
# Create two distinct projects # Create two distinct projects
...@@ -491,11 +511,11 @@ class ORSWendelinTest(SecurityTestCase): ...@@ -491,11 +511,11 @@ class ORSWendelinTest(SecurityTestCase):
ingestion_B_objects = self._getOrsIngestionObjects(self.test_ors_example_log_valid, ors_B_reference, stop_data_analysis=True) ingestion_B_objects = self._getOrsIngestionObjects(self.test_ors_example_log_valid, ors_B_reference, stop_data_analysis=True)
# Create a client user not associated to a project (should not happen in practice) # Create a client user not associated to a project (should not happen in practice)
client_user_N = self._createOrsWendelinUser('test_user_%s' % generateRandomString(), None, 'ors/client') client_user_N = self._createOrsWendelinUser('test_user_%s' % generateRandomString(), None, 'user')
# Create two manager users: one associated to project_A and the second not associated to a project # Create two administrator users: one associated to project_A and the second not associated to a project
manager_user_A = self._createOrsWendelinUser('test_user_%s' % generateRandomString(), project_A_objects['project'].getRelativeUrl(), 'ors/manager') admin_user_A = self._createOrsWendelinUser('test_user_%s' % generateRandomString(), project_A_objects['project'].getRelativeUrl(), 'administrator')
manager_user_N = self._createOrsWendelinUser('test_user_%s' % generateRandomString(), None, 'ors/manager') admin_user_N = self._createOrsWendelinUser('test_user_%s' % generateRandomString(), None, 'administrator')
ors_N_reference = 'ors.test_%s' % generateRandomString() ors_N_reference = 'ors.test_%s' % generateRandomString()
...@@ -506,13 +526,9 @@ class ORSWendelinTest(SecurityTestCase): ...@@ -506,13 +526,9 @@ class ORSWendelinTest(SecurityTestCase):
) )
data_acquisition_unit.validate() data_acquisition_unit.validate()
self.tic() self.tic()
data_supply = data_acquisition_unit.DataAcquisitionUnit_createOrsDataSupply(batch=1) data_acquisition_unit.DataAcquisitionUnit_createOrsDataSupply(batch=1)
self.tic() self.tic()
# Force update on local roles to ensure proper permissions
data_acquisition_unit.updateLocalRolesOnSecurityGroups()
data_supply.updateLocalRolesOnSecurityGroups()
# Perform an ingestion for the ORS not associated to a project # Perform an ingestion for the ORS not associated to a project
ingestion_N_objects = self._getOrsIngestionObjects(self.test_ors_example_log_valid, ors_N_reference, stop_data_analysis=True) ingestion_N_objects = self._getOrsIngestionObjects(self.test_ors_example_log_valid, ors_N_reference, stop_data_analysis=True)
...@@ -536,13 +552,13 @@ class ORSWendelinTest(SecurityTestCase): ...@@ -536,13 +552,13 @@ class ORSWendelinTest(SecurityTestCase):
self._checkIngestionDocumentsPermissions(client_user_N, ingestion_B_objects, False, False) self._checkIngestionDocumentsPermissions(client_user_N, ingestion_B_objects, False, False)
self._checkIngestionDocumentsPermissions(client_user_N, ingestion_N_objects, False, False) self._checkIngestionDocumentsPermissions(client_user_N, ingestion_N_objects, False, False)
# Check that both managers, whether assigned to a project, have access to all documents # Check that both administrators, whether assigned to a project, have access to all documents
self._checkModulePermissions(manager_user_A, True) self._checkModulePermissions(admin_user_A, True)
self._checkIngestionDocumentsPermissions(manager_user_A, ingestion_A_objects, True, True) self._checkIngestionDocumentsPermissions(admin_user_A, ingestion_A_objects, True, True)
self._checkIngestionDocumentsPermissions(manager_user_A, ingestion_B_objects, True, False) self._checkIngestionDocumentsPermissions(admin_user_A, ingestion_B_objects, True, False)
self._checkIngestionDocumentsPermissions(manager_user_A, ingestion_N_objects, True, False) self._checkIngestionDocumentsPermissions(admin_user_A, ingestion_N_objects, True, False)
self._checkModulePermissions(manager_user_N, True) self._checkModulePermissions(admin_user_N, True)
self._checkIngestionDocumentsPermissions(manager_user_N, ingestion_A_objects, True, False) self._checkIngestionDocumentsPermissions(admin_user_N, ingestion_A_objects, True, False)
self._checkIngestionDocumentsPermissions(manager_user_N, ingestion_B_objects, True, False) self._checkIngestionDocumentsPermissions(admin_user_N, ingestion_B_objects, True, False)
self._checkIngestionDocumentsPermissions(manager_user_N, ingestion_N_objects, True, False) self._checkIngestionDocumentsPermissions(admin_user_N, ingestion_N_objects, True, False)
\ No newline at end of file \ No newline at end of file
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment