root/galaxy-central/test/functional/test_data_security.py

from base.twilltestcase import *
from base.test_db_util import *

class TestDataSecurity( TwillTestCase ):
    def test_000_initiate_users( self ):
        """Ensuring all required user accounts exist"""
        self.logout()
        self.login( email='test1@bx.psu.edu', username='regular-user1' )
        global regular_user1
        regular_user1 = get_user( 'test1@bx.psu.edu' )
        assert regular_user1 is not None, 'Problem retrieving user with email "test1@bx.psu.edu" from the database'
        global regular_user1_private_role
        regular_user1_private_role = get_private_role( regular_user1 )
        self.logout()
        self.login( email='test2@bx.psu.edu', username='regular-user2' )
        global regular_user2
        regular_user2 = get_user( 'test2@bx.psu.edu' )
        assert regular_user2 is not None, 'Problem retrieving user with email "test2@bx.psu.edu" from the database'
        global regular_user2_private_role
        regular_user2_private_role = get_private_role( regular_user2 )
        self.logout()
        self.login( email='test3@bx.psu.edu', username='regular-user3' )
        global regular_user3
        regular_user3 = get_user( 'test3@bx.psu.edu' )
        assert regular_user3 is not None, 'Problem retrieving user with email "test3@bx.psu.edu" from the database'
        global regular_user3_private_role
        regular_user3_private_role = get_private_role( regular_user3 )
        self.logout()
        self.login( email='test@bx.psu.edu', username='admin-user' )
        global admin_user
        admin_user = get_user( 'test@bx.psu.edu' )
        assert admin_user is not None, 'Problem retrieving user with email "test@bx.psu.edu" from the database'
        global admin_user_private_role
        admin_user_private_role = get_private_role( admin_user )
    def test_005_default_permissions( self ):
        """Testing initial settings for DefaultUserPermissions and DefaultHistoryPermissions"""
        # Logged in as admin_user
        # Make sure DefaultUserPermissions are correct
        dups = get_default_user_permissions_by_user( admin_user )
        if len( dups ) > 1:
            raise AssertionError( '%d DefaultUserPermissions associated with user %s ( should be 1 )' \
                                  % ( len( admin_user.default_permissions ), admin_user.email ) )
        dup = dups[0]
        if not dup.action == galaxy.model.Dataset.permitted_actions.DATASET_MANAGE_PERMISSIONS.action:
            raise AssertionError( 'The DefaultUserPermission.action for user "%s" is "%s", but it should be "%s"' \
                                  % ( admin_user.email, dup.action, galaxy.model.Dataset.permitted_actions.DATASET_MANAGE_PERMISSIONS.action ) )
        # Make sure DefaultHistoryPermissions are correct
        latest_history = get_latest_history_for_user( admin_user )
        dhps = get_default_history_permissions_by_history( latest_history )
        if len( dhps ) > 1:
            raise AssertionError( '%d DefaultHistoryPermissions were created for history id %d when it was created ( should have been 1 )' \
                                  % ( len( latest_history.default_permissions ), latest_history.id ) )
        dhp = dhps[0]
        if not dhp.action == galaxy.model.Dataset.permitted_actions.DATASET_MANAGE_PERMISSIONS.action:
            raise AssertionError( 'The DefaultHistoryPermission.action for history id %d is "%s", but it should be "%s"' \
                                  % ( latest_history.id, dhp.action, galaxy.model.Dataset.permitted_actions.DATASET_MANAGE_PERMISSIONS.action ) )
        self.manage_roles_and_groups_for_user( self.security.encode_id( admin_user.id ),
                                               strings_displayed=[ admin_user.email ] )
        # Try deleting the admin_user's private role
        self.manage_roles_and_groups_for_user( self.security.encode_id( admin_user.id ),
                                               out_role_ids=str( admin_user_private_role.id ),
                                               strings_displayed = [ "You cannot eliminate a user's private role association." ] )
    def test_010_private_role_creation_and_default_history_permissions( self ):
        """Testing private role creation and changing DefaultHistoryPermissions for new histories"""
        # Logged in as admin_user
        self.logout()
        # Some of the history related tests here are similar to some tests in the
        # test_history_functions.py script, so we could potentially eliminate 1 or 2 of them.
        self.login( email='test1@bx.psu.edu' )
        global regular_user1
        regular_user1 = get_user( 'test1@bx.psu.edu' )
        assert regular_user1 is not None, 'Problem retrieving user with email "test1@bx.psu.edu" from the database'
        # Add a dataset to the history
        self.upload_file( '1.bed' )
        latest_dataset = get_latest_dataset()
        # Make sure DatasetPermissions are correct - default is 'manage permissions'
        dps = get_dataset_permissions_by_dataset( latest_dataset )
        if len( dps ) > 1:
            raise AssertionError( '%d DatasetPermissions were created for dataset id %d when it was created ( should have been 1 )' \
                                  % ( len( dps ), latest_dataset.id ) )
        dp = dps[0]
        if not dp.action == galaxy.model.Dataset.permitted_actions.DATASET_MANAGE_PERMISSIONS.action:
            raise AssertionError( 'The DatasetPermissions.action for dataset id %d is "%s", but it should be "manage permissions"' \
                                  % ( latest_dataset.id, dp.action ) )
        # Change DefaultHistoryPermissions for regular_user1
        permissions_in = []
        actions_in = []
        for key, value in galaxy.model.Dataset.permitted_actions.items():
            # Setting the 'access' permission with the private role makes this dataset private
            permissions_in.append( key )
            actions_in.append( value.action )
        # Sort actions for later comparison
        actions_in.sort()
        self.user_set_default_permissions( permissions_in=permissions_in, role_id=str( regular_user1_private_role.id ) )
        # Make sure the default permissions are changed for new histories
        self.new_history()
        # logged in as regular_user1
        latest_history = get_latest_history_for_user( regular_user1 )
        if len( latest_history.default_permissions ) != len( actions_in ):
            raise AssertionError( '%d DefaultHistoryPermissions were created for history id %d, should have been %d' % \
                                  ( len( latest_history.default_permissions ), latest_history.id, len( actions_in ) ) )
        dhps = []
        for dhp in latest_history.default_permissions:
            dhps.append( dhp.action )
        # Sort permissions for later comparison
        dhps.sort()
        for key, value in galaxy.model.Dataset.permitted_actions.items():
            if value.action not in dhps:
                raise AssertionError( '%s not in history id %d default_permissions after they were changed' % ( value.action, latest_history.id ) )
        # Add a dataset to the history
        self.upload_file( '1.bed' )
        latest_dataset = get_latest_dataset()
        # Make sure DatasetPermissions are correct
        if len( latest_dataset.actions ) != len( latest_history.default_permissions ):
            raise AssertionError( '%d DatasetPermissions were created for dataset id %d when it was created ( should have been %d )' % \
                                  ( len( latest_dataset.actions ), latest_dataset.id, len( latest_history.default_permissions ) ) )
        dps = []
        for dp in latest_dataset.actions:
            dps.append( dp.action )
        # Sort actions for later comparison
        dps.sort()
        # Compare DatasetPermissions with permissions_in - should be the same
        if dps != actions_in:
            raise AssertionError( 'DatasetPermissions "%s" for dataset id %d differ from changed default permissions "%s"' \
                % ( str( dps ), latest_dataset.id, str( actions_in ) ) )
        # Compare DefaultHistoryPermissions and DatasetPermissions - should be the same
        if dps != dhps:
                raise AssertionError( 'DatasetPermissions "%s" for dataset id %d differ from DefaultHistoryPermissions "%s" for history id %d' \
                                      % ( str( dps ), latest_dataset.id, str( dhps ), latest_history.id ) )
    def test_015_change_default_permissions_for_current_history( self ):
        """Testing changing DefaultHistoryPermissions for the current history"""
        # logged in a regular_user1
        self.logout()
        self.login( email=regular_user2.email )
        latest_history = get_latest_history_for_user( regular_user2 )
        self.upload_file( '1.bed' )
        latest_dataset = get_latest_dataset()
        permissions_in = [ 'DATASET_MANAGE_PERMISSIONS' ]
        # Make sure these are in sorted order for later comparison
        actions_in = [ 'manage permissions' ]
        permissions_out = [ 'DATASET_ACCESS' ]
        actions_out = [ 'access' ]
        # Change DefaultHistoryPermissions for the current history
        self.history_set_default_permissions( permissions_out=permissions_out, permissions_in=permissions_in, role_id=str( regular_user2_private_role.id ) )
        if len( latest_history.default_permissions ) != len( actions_in ):
            raise AssertionError( '%d DefaultHistoryPermissions were created for history id %d, should have been %d' \
                                  % ( len( latest_history.default_permissions ), latest_history.id, len( permissions_in ) ) )
        # Make sure DefaultHistoryPermissions were correctly changed for the current history
        dhps = []
        for dhp in latest_history.default_permissions:
            dhps.append( dhp.action )
        # Sort permissions for later comparison
        dhps.sort()
        # Compare DefaultHistoryPermissions and actions_in - should be the same
        if dhps != actions_in:
            raise AssertionError( 'DefaultHistoryPermissions "%s" for history id %d differ from actions "%s" passed for changing' \
                                      % ( str( dhps ), latest_history.id, str( actions_in ) ) )
        # Make sure DatasetPermissionss are correct
        if len( latest_dataset.actions ) != len( latest_history.default_permissions ):
            raise AssertionError( '%d DatasetPermissionss were created for dataset id %d when it was created ( should have been %d )' \
                                  % ( len( latest_dataset.actions ), latest_dataset.id, len( latest_history.default_permissions ) ) )
        dps = []
        for dp in latest_dataset.actions:
            dps.append( dp.action )
        # Sort actions for comparison
        dps.sort()
        # Compare DatasetPermissionss and DefaultHistoryPermissions - should be the same
        if dps != dhps:
            raise AssertionError( 'DatasetPermissionss "%s" for dataset id %d differ from DefaultHistoryPermissions "%s"' \
                                      % ( str( dps ), latest_dataset.id, str( dhps ) ) )
    def test_999_reset_data_for_later_test_runs( self ):
        """Reseting data to enable later test runs to pass"""
        # Logged in as regular_user2
        self.logout()
        self.login( email=admin_user.email )
        ##################
        # Make sure all users are associated only with their private roles
        ##################
        for user in [ admin_user, regular_user1, regular_user2, regular_user3 ]:
            refresh( user )
            if len( user.roles) != 1:
                raise AssertionError( '%d UserRoleAssociations are associated with %s ( should be 1 )' % ( len( user.roles ), user.email ) )
        #####################
        # Reset DefaultHistoryPermissions for regular_user1
        #####################
        self.logout()
        self.login( email=regular_user1.email )
        # Change DefaultHistoryPermissions for regular_user1 back to the default
        permissions_in = [ 'DATASET_MANAGE_PERMISSIONS' ]
        permissions_out = [ 'DATASET_ACCESS' ]
        self.user_set_default_permissions( permissions_in=permissions_in,
                                           permissions_out=permissions_out,
                                           role_id=str( regular_user1_private_role.id ) )
        self.logout()
        self.login( email=admin_user.email )