From 604a425de188b3927942e6b350ca86d86b4d2d7c Mon Sep 17 00:00:00 2001 From: Keith Walsh Date: Tue, 23 Nov 2021 10:26:58 -0500 Subject: [PATCH 1/3] Add `tenant_id` db constraints Adds a fk constraint to any model using inheriting from `TenantAwareModel` for `tenant_id` --- .../migrations/0036_auto_20211118_1956.py | 47 +++++++++++++++++++ 1 file changed, 47 insertions(+) create mode 100644 rbac/management/migrations/0036_auto_20211118_1956.py diff --git a/rbac/management/migrations/0036_auto_20211118_1956.py b/rbac/management/migrations/0036_auto_20211118_1956.py new file mode 100644 index 000000000..7294c21d9 --- /dev/null +++ b/rbac/management/migrations/0036_auto_20211118_1956.py 
@@ -0,0 +1,47 @@ +# Generated by Django 2.2.24 on 2021-11-18 19:56 + +from django.db import migrations, models +import django.db.models.deletion + + +class Migration(migrations.Migration): + + dependencies = [("management", "0035_auto_20211014_1736")] + + operations = [ + migrations.AlterField( + model_name="access", + name="tenant", + field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to="api.Tenant"), + ), + migrations.AlterField( + model_name="group", + name="tenant", + field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to="api.Tenant"), + ), + migrations.AlterField( + model_name="permission", + name="tenant", + field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to="api.Tenant"), + ), + migrations.AlterField( + model_name="policy", + name="tenant", + field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to="api.Tenant"), + ), + migrations.AlterField( + model_name="principal", + name="tenant", + field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to="api.Tenant"), + ), + migrations.AlterField( + model_name="resourcedefinition", + name="tenant", + field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to="api.Tenant"), + ), + migrations.AlterField( + model_name="role", + name="tenant", + field=models.ForeignKey(on_delete=django.db.models.deletion.CASCADE, to="api.Tenant"), + ), + ] From a347ef7fcfe4036b33f4a828bd23f5dcd4d0f072 Mon Sep 17 00:00:00 2001 
From: Keith Walsh Date: Wed, 8 Dec 2021 16:08:12 -0500 Subject: [PATCH 2/3] Ensure tenant associations exist in all tests --- tests/api/cross_access/test_model.py | 4 +- tests/api/cross_access/test_view.py | 8 +-- tests/internal/test_views.py | 25 ++++---- tests/management/access/test_model.py | 4 +- tests/management/access/test_view.py | 48 +++++++++------- tests/management/group/test_model.py | 8 +-- tests/management/group/test_view.py | 50 ++++++++-------- tests/management/permission/test_model.py | 4 +- tests/management/permission/test_view.py | 22 ++++---- tests/management/policy/test_view.py | 11 ++-- tests/management/principal/test_cleaner.py | 14 ++--- tests/management/principal/test_model.py | 4 +- tests/management/principal/test_view.py | 12 ++-- tests/management/role/test_model.py | 6 +- tests/management/role/test_view.py | 32 +++++------ tests/management/test_querysets.py | 40 ++++++------- tests/management/test_utils.py | 34 ++++++----- tests/rbac/test_cache.py | 22 ++++---- tests/rbac/test_middleware.py | 66 +++++++++++----------- 19 files changed, 222 insertions(+), 192 deletions(-) diff --git a/tests/api/cross_access/test_model.py b/tests/api/cross_access/test_model.py index 6635cc5ad..f8b196f70 100644 --- a/tests/api/cross_access/test_model.py +++ b/tests/api/cross_access/test_model.py @@ -20,6 +20,7 @@ from django.test import TestCase from django.utils import timezone from management.models import Role +from api.models import Tenant from rest_framework.serializers import ValidationError from tenant_schemas.utils import tenant_context @@ -33,6 +34,7 @@ class CrossAccountRequestModelTests(TestCase): def setUp(self): """Set up the cross account request model tests.""" super().setUp() + self.tenant = Tenant.objects.create(schema_name="foo") self.ref_time = timezone.now() self.request = CrossAccountRequest.objects.create( 
@@ -115,7 +117,7 @@ def test_request_with_same_start_and_end_date(self): def test_the_request_could_be_associated_with_role(self): ROLE_NAME = "Test Role" - role = Role.objects.create(name=ROLE_NAME) + role = Role.objects.create(name=ROLE_NAME, tenant=self.tenant) self.assertEqual(self.request.roles.count(), 0) self.assertEqual(role.cross_account_requests.count(), 0) diff --git a/tests/api/cross_access/test_view.py b/tests/api/cross_access/test_view.py index dcd8eb1f2..1c5927848 100644 --- a/tests/api/cross_access/test_view.py +++ b/tests/api/cross_access/test_view.py @@ -83,10 +83,10 @@ def setUp(self): t.create_schema() t.ready = True t.save() - self.role_1 = Role.objects.create(name="role_1", system=True) - self.role_2 = Role.objects.create(name="role_2", system=True) - self.role_9 = Role.objects.create(name="role_9", system=True) - self.role_8 = Role.objects.create(name="role_8", system=True) + self.role_1 = Role.objects.create(name="role_1", system=True, tenant=t) + self.role_2 = Role.objects.create(name="role_2", system=True, tenant=t) + self.role_9 = Role.objects.create(name="role_9", system=True, tenant=t) + self.role_8 = Role.objects.create(name="role_8", system=True, tenant=t) self.request_1 = CrossAccountRequest.objects.create( target_account=self.account, diff --git a/tests/internal/test_views.py b/tests/internal/test_views.py index 7f89dcd52..59565cf6b 100644 --- a/tests/internal/test_views.py +++ b/tests/internal/test_views.py 
@@ -57,10 +57,12 @@ def setUp(self): self.request.user = user with tenant_context(self.tenant): - self.group = Group(name="System Group", system=True) + self.group = Group(name="System Group", system=True, tenant=self.tenant) self.group.save() - self.role = Role.objects.create(name="System Role", description="A role for a group.", system=True) - self.policy = Policy.objects.create(name="System Policy", group=self.group) + self.role = Role.objects.create( + name="System Role", description="A role for a group.", system=True, tenant=self.tenant + ) + self.policy = Policy.objects.create(name="System Policy", group=self.group, tenant=self.tenant) self.policy.roles.add(self.role) self.policy.save() self.group.policies.add(self.policy) @@ -97,8 +99,9 @@ def test_delete_tenant_allowed_and_unmodified(self, mock): @patch.object(Tenant, "delete") def test_delete_tenant_no_schema(self, mock): """Test that we can delete a tenant when allowed and unmodified.""" - with tenant_context(Tenant.objects.get(schema_name="public")): - Group.objects.create(name="Custom Group") + public_tenant = Tenant.objects.get(schema_name="public") + with tenant_context(public_tenant): + Group.objects.create(name="Custom Group", tenant=public_tenant) tenant_no_schema = Tenant.objects.create(schema_name="no_schema") response = self.client.delete(f"/_private/api/tenant/{tenant_no_schema.schema_name}/", **self.request.META) @@ -108,7 +111,7 @@ def test_delete_tenant_no_schema(self, mock): def test_delete_tenant_allowed_but_multiple_groups(self): """Test that we cannot delete a tenant when allowed but modified.""" with tenant_context(self.tenant): - Group.objects.create(name="Custom Group") + Group.objects.create(name="Custom Group", tenant=self.tenant) response = self.client.delete(f"/_private/api/tenant/{self.tenant.schema_name}/", **self.request.META) self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST) 
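Review bot: `test_delete_tenant_no_schema` still runs with `Tenant.delete` patched out, and `test_delete_tenant_allowed_and_unmodified` in the hunk header takes the same `mock` argument, so no successful-delete test visible here exercises a real delete of a tenant that owns rows. Patch 1/3 declares each of these foreign keys `on_delete=CASCADE`, so a real delete would presumably remove the tenant's groups, roles and policies along with it. One unpatched test would pin that down: create a system group for a tenant, delete the tenant, then `self.assertFalse(Group.objects.filter(name="System Group").exists())`. Both test bodies continue outside the hunk.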
@@ -140,7 +143,7 @@ def test_delete_tenant_allowed_but_role_is_not_system(self): def test_delete_tenant_allowed_but_custom_one_role_is_not_system(self): """Test that we cannot delete a tenant when allowed but modified.""" with tenant_context(self.tenant): - Role.objects.create(name="Custom Role") + Role.objects.create(name="Custom Role", tenant=self.tenant) response = self.client.delete(f"/_private/api/tenant/{self.tenant.schema_name}/", **self.request.META) self.assertEqual(response.status_code, status.HTTP_400_BAD_REQUEST) @@ -170,14 +173,14 @@ def test_list_unmodified_tenants(self): t.save() with tenant_context(modified_tenant_groups): - Group.objects.create(name="Custom Group") + Group.objects.create(name="Custom Group", tenant=modified_tenant_groups) with tenant_context(modified_tenant_roles): - Role.objects.create(name="Custom Role") + Role.objects.create(name="Custom Role", tenant=modified_tenant_roles) with tenant_context(unmodified_tenant_2): - Group.objects.create(name="System Group", system=True) - Role.objects.create(name="System Role", system=True) + Group.objects.create(name="System Group", system=True, tenant=unmodified_tenant_2) + Role.objects.create(name="System Role", system=True, tenant=unmodified_tenant_2) response = self.client.get(f"/_private/api/tenant/unmodified/", **self.request.META) response_data = json.loads(response.content) diff --git a/tests/management/access/test_model.py b/tests/management/access/test_model.py index 88ff579f4..4fc5df75d 100644 --- a/tests/management/access/test_model.py +++ b/tests/management/access/test_model.py 
@@ -32,8 +32,8 @@ def setUp(self): super().setUp() with tenant_context(self.tenant): - self.permission = Permission.objects.create(permission="app:*:*") - self.access = Access.objects.create(permission=self.permission) + self.permission = Permission.objects.create(permission="app:*:*", tenant=self.tenant) + self.access = Access.objects.create(permission=self.permission, tenant=self.tenant) def tearDown(self): """Tear down access model tests.""" diff --git a/tests/management/access/test_view.py b/tests/management/access/test_view.py index f95fcf1f7..154baaa17 100644 --- a/tests/management/access/test_view.py +++ b/tests/management/access/test_view.py 
@@ -47,25 +47,27 @@ def setUp(self): user.username = self.user_data["username"] user.account = self.customer_data["account_id"] request.user = user + public_tenant = Tenant.objects.get(schema_name="public") self.access_data = { "permission": "app:*:*", "resourceDefinitions": [{"attributeFilter": {"key": "key1", "operation": "equal", "value": "value1"}}], } with tenant_context(self.tenant): - self.principal = Principal(username=self.user_data["username"]) + self.principal = Principal(username=self.user_data["username"], tenant=self.tenant) self.principal.save() - self.admin_principal = Principal(username="user_admin") + self.admin_principal = Principal(username="user_admin", tenant=self.tenant) self.admin_principal.save() - self.group = Group(name="groupA") + self.group = Group(name="groupA", tenant=self.tenant) self.group.save() self.group.principals.add(self.principal) self.group.save() - self.permission = Permission.objects.create(permission="app:*:*") - Permission.objects.create(permission="app:foo:bar") - with tenant_context(Tenant.objects.get(schema_name="public")): - Permission.objects.create(permission="app:foo:bar") - Permission.objects.create(permission="app:*:*") + self.permission = Permission.objects.create(permission="app:*:*", tenant=self.tenant) + Permission.objects.create(permission="app:foo:bar", tenant=self.tenant) + + with tenant_context(public_tenant): + Permission.objects.create(permission="app:foo:bar", tenant=public_tenant) + Permission.objects.create(permission="app:*:*", tenant=public_tenant) def tearDown(self): """Tear down access view tests.""" 
@@ -102,18 +104,24 @@ def create_policy(self, policy_name, group, roles, status=status.HTTP_201_CREATE def create_platform_default_resource(self): """Setup default group and role.""" with tenant_context(self.tenant): - default_permission = Permission.objects.create(permission="default:*:*") - default_role = Role.objects.create(name="default role", platform_default=True, system=True) - default_access = Access.objects.create(permission=default_permission, role=default_role) - default_policy = Policy.objects.create(name="default policy", system=True) + default_permission = Permission.objects.create(permission="default:*:*", tenant=self.tenant) + default_role = Role.objects.create( + name="default role", platform_default=True, system=True, tenant=self.tenant + ) + default_access = Access.objects.create( + permission=default_permission, role=default_role, tenant=self.tenant + ) + default_policy = Policy.objects.create(name="default policy", system=True, tenant=self.tenant) default_policy.roles.add(default_role) - default_group = Group.objects.create(name="default group", system=True, platform_default=True) + default_group = Group.objects.create( + name="default group", system=True, platform_default=True, tenant=self.tenant + ) default_group.policies.add(default_policy) def create_role_and_permission(self, role_name, permission): - role = Role.objects.create(name=role_name) - assigned_permission = Permission.objects.create(permission=permission) - access = Access.objects.create(role=role, permission=assigned_permission) + role = Role.objects.create(name=role_name, tenant=self.tenant) + assigned_permission = Permission.objects.create(permission=permission, tenant=self.tenant) + access = Access.objects.create(role=role, permission=assigned_permission, tenant=self.tenant) return role def test_get_access_success(self): 
@@ -123,7 +131,7 @@ def test_get_access_success(self): self.assertEqual(response.status_code, status.HTTP_201_CREATED) role_uuid = response.data.get("uuid") role = Role.objects.get(uuid=role_uuid) - access = Access.objects.create(role=role, permission=self.permission) + access = Access.objects.create(role=role, permission=self.permission, tenant=self.tenant) policy_name = "policyA" response = self.create_policy(policy_name, self.group.uuid, [role_uuid]) # Create platform default group, and add roles to it. @@ -176,7 +184,7 @@ def test_access_for_cross_account_principal_return_permissions_based_on_assigned headers = request.META with tenant_context(self.tenant): - Principal.objects.create(username=user_name, cross_account=True) + Principal.objects.create(username=user_name, cross_account=True, tenant=self.tenant) self.create_role_and_permission("Test Role one", "test:assigned:permission1") self.create_role_and_permission("Test Role two", "test:assigned:permission2") response = client.get(url, **headers) @@ -198,7 +206,7 @@ def test_get_access_no_app_supplied(self): response = self.create_role(role_name, access_data) role_uuid = response.data.get("uuid") role = Role.objects.get(uuid=role_uuid) - access = Access.objects.create(role=role, permission=self.permission) + access = Access.objects.create(role=role, permission=self.permission, tenant=self.tenant) self.create_policy(policy_name, self.group.uuid, [role_uuid]) url = "{}?application=&username={}".format(reverse("access"), self.principal.username) 
@@ -221,7 +229,7 @@ def test_get_access_multiple_apps_supplied(self): response = self.create_role(role_name, access_data) role_uuid = response.data.get("uuid") role = Role.objects.get(uuid=role_uuid) - access = Access.objects.create(role=role, permission=self.permission) + access = Access.objects.create(role=role, permission=self.permission, tenant=self.tenant) self.create_policy(policy_name, self.group.uuid, [role_uuid]) url = "{}?application={}&username={}".format(reverse("access"), "app,app2", self.principal.username) diff --git a/tests/management/group/test_model.py b/tests/management/group/test_model.py index fb58fedb4..edd26db42 100644 --- a/tests/management/group/test_model.py +++ b/tests/management/group/test_model.py @@ -31,10 +31,10 @@ def setUp(self): super().setUp() with tenant_context(self.tenant): - self.group = Group.objects.create(name="groupA") - self.roleA = Role.objects.create(name="roleA") - self.roleB = Role.objects.create(name="roleB") - self.policy = Policy(name="policyA", group=self.group) + self.group = Group.objects.create(name="groupA", tenant=self.tenant) + self.roleA = Role.objects.create(name="roleA", tenant=self.tenant) + self.roleB = Role.objects.create(name="roleB", tenant=self.tenant) + self.policy = Policy(name="policyA", group=self.group, tenant=self.tenant) self.policy.save() self.policy.roles.add(self.roleA) self.policy.save() diff --git a/tests/management/group/test_view.py b/tests/management/group/test_view.py index f93885d86..cc84d6102 100644 --- a/tests/management/group/test_view.py +++ b/tests/management/group/test_view.py 
@@ -47,13 +47,14 @@ def setUp(self): request.user = user self.dummy_role_id = uuid4() + public_tenant = Tenant.objects.get(schema_name="public") with tenant_context(self.tenant): - self.principal = Principal(username=self.user_data["username"]) + self.principal = Principal(username=self.user_data["username"], tenant=self.tenant) self.principal.save() - self.principalB = Principal(username="mock_user") + self.principalB = Principal(username="mock_user", tenant=self.tenant) self.principalB.save() - self.principalC = Principal(username="user_not_attaced_to_group_explicitly") + self.principalC = Principal(username="user_not_attaced_to_group_explicitly", tenant=self.tenant) self.principalC.save() self.group = Group(name="groupA", tenant=self.tenant) self.group.save() 
@@ -74,35 +75,35 @@ def setUp(self): self.defPolicy = Policy(name="defPolicy", system=True, tenant=self.tenant, group=self.defGroup) self.defPolicy.save() - self.emptyGroup = Group(name="groupE") + self.emptyGroup = Group(name="groupE", tenant=self.tenant) self.emptyGroup.save() self.groupB = Group.objects.create(name="groupB", tenant=self.tenant) self.groupB.principals.add(self.principal) - self.policyB = Policy.objects.create(name="policyB", group=self.groupB) + self.policyB = Policy.objects.create(name="policyB", group=self.groupB, tenant=self.tenant) self.roleB = Role.objects.create(name="roleB", system=False, tenant=self.tenant) self.policyB.roles.add(self.roleB) self.policyB.save() # role that's not assigned to principal - self.roleOrphan = Role.objects.create(name="roleOrphan") + self.roleOrphan = Role.objects.create(name="roleOrphan", tenant=self.tenant) # group that associates with multipal roles - self.groupMultiRole = Group.objects.create(name="groupMultiRole") - self.policyMultiRole = Policy.objects.create(name="policyMultiRole") + self.groupMultiRole = Group.objects.create(name="groupMultiRole", tenant=self.tenant) + self.policyMultiRole = Policy.objects.create(name="policyMultiRole", tenant=self.tenant) self.policyMultiRole.roles.add(self.role) self.policyMultiRole.roles.add(self.roleB) self.groupMultiRole.policies.add(self.policyMultiRole) - with tenant_context(Tenant.objects.get(schema_name="public")): + with tenant_context(public_tenant): Group.objects.create(name="groupA", tenant=self.tenant) Group.objects.create(name="groupB", tenant=self.tenant) - Group.objects.create(name="groupDef", tenant=self.tenant) + defPubGroup = Group.objects.create(name="groupDef", tenant=public_tenant, platform_default=True) + Policy.objects.create(name="defPolicy", tenant=public_tenant, system=True, group=defPubGroup) @classmethod def setUpClass(self): super().setUpClass() - call_command("seeds") def tearDown(self): """Tear down group viewset tests.""" 
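Review bot: With `call_command("seeds")` removed, the `setUpClass` override at the end of this hunk only calls `super().setUpClass()` and can be deleted outright. If `call_command` is no longer used elsewhere in the file its import should go too; the import block is outside this hunk. In the public-schema block, `groupA` and `groupB` are still created with `tenant=self.tenant` while `groupDef` now gets `tenant=public_tenant`. A short comment such as `# platform default group is owned by the public tenant; custom groups keep their own tenant` would make that split read as intentional. `setUp` starts above this hunk.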
@@ -487,8 +488,10 @@ def test_add_group_principals_success(self, mock_request): """Test that adding a principal to a group returns successfully.""" # Create a group and a cross account user. with tenant_context(self.tenant): - test_group = Group.objects.create(name="test") - cross_account_user = Principal.objects.create(username="cross_account_user", cross_account=True) + test_group = Group.objects.create(name="test", tenant=self.tenant) + cross_account_user = Principal.objects.create( + username="cross_account_user", cross_account=True, tenant=self.tenant + ) # Create same group in public schema. with tenant_context(Tenant.objects.get(schema_name="public")): test_group_in_public = Group.objects.create(name="test", tenant=self.tenant) @@ -573,12 +576,13 @@ def test_get_group_principals_nonempty(self, mock_request): ) def test_remove_group_principals_success(self, mock_request): """Test that removing a principal to a group returns successfully.""" + public_tenant = Tenant.objects.get(schema_name="public") with tenant_context(self.tenant): - test_user = Principal.objects.create(username="test_user") + test_user = Principal.objects.create(username="test_user", tenant=self.tenant) self.group.principals.add(test_user) - with tenant_context(Tenant.objects.get(schema_name="public")): - test_user = Principal.objects.create(username="test_user") + with tenant_context(public_tenant): + test_user = Principal.objects.create(username="test_user", tenant=public_tenant) Group.objects.get(name=self.group.name, tenant=self.tenant).principals.add(test_user) url = reverse("group-principals", kwargs={"uuid": self.group.uuid}) 
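Review bot: In `test_remove_group_principals_success` the public-schema principal is created with `tenant=public_tenant` and then added to a group looked up with `tenant=self.tenant`, so the test links rows owned by two different tenants. The new foreign key only guarantees that a tenant row exists, not that both sides of a relation share it. The preceding hunk on this line (`test_add_group_principals_success`) tags its public-schema group with `tenant=self.tenant`. If the public copy is meant to mirror the tenant's own row, I would expect `test_user = Principal.objects.create(username="test_user", tenant=self.tenant)` here; if the mismatch is deliberate, a one-line comment saying so would help. The test body continues past the hunk.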
@@ -1098,7 +1102,7 @@ def test_add_group_multiple_roles_success(self): def test_add_group_multiple_roles_invalid(self): """Test that adding invalid roles to a group fails the request and does not add any.""" with tenant_context(self.tenant): - groupC = Group.objects.create(name="groupC") + groupC = Group.objects.create(name="groupC", tenant=self.tenant) url = reverse("group-roles", kwargs={"uuid": groupC.uuid}) client = APIClient() test_data = {"roles": ["abc123", self.roleB.uuid]} @@ -1248,17 +1252,19 @@ def setUp(self): "resourceDefinitions": [{"attributeFilter": {"key": "key1", "operation": "equal", "value": "value1"}}], } with tenant_context(self.tenant): - self.principal = Principal(username=self.user_data["username"]) + self.principal = Principal(username=self.user_data["username"], tenant=self.tenant) self.principal.save() - self.admin_principal = Principal(username="user_admin") + self.admin_principal = Principal(username="user_admin", tenant=self.tenant) self.admin_principal.save() - self.group = Group(name="groupA") + self.group = Group(name="groupA", tenant=self.tenant) self.group.save() self.group.principals.add(self.principal) self.group.save() - self.roleB = Role.objects.create(name="roleB", system=False) + self.roleB = Role.objects.create(name="roleB", system=False, tenant=self.tenant) self.roleB.save() - self.role = Role.objects.create(name="roleA", description="A role for a group.", system=False) + self.role = Role.objects.create( + name="roleA", description="A role for a group.", system=False, tenant=self.tenant + ) self.role.save() def tearDown(self): diff --git a/tests/management/permission/test_model.py b/tests/management/permission/test_model.py index 9c7b00e9b..0246f3c69 100644 --- a/tests/management/permission/test_model.py +++ b/tests/management/permission/test_model.py 
@@ -32,8 +32,8 @@ def setUp(self): super().setUp() with tenant_context(self.tenant): - self.dependency_permission = Permission.objects.create(permission="rbac:roles:read") - self.permission = Permission.objects.create(permission="rbac:roles:write") + self.dependency_permission = Permission.objects.create(permission="rbac:roles:read", tenant=self.tenant) + self.permission = Permission.objects.create(permission="rbac:roles:write", tenant=self.tenant) self.permission.save() self.permission.permissions.add(self.dependency_permission) diff --git a/tests/management/permission/test_view.py b/tests/management/permission/test_view.py index 367e96edc..f61a0dee4 100644 --- a/tests/management/permission/test_view.py +++ b/tests/management/permission/test_view.py 
@@ -46,15 +46,17 @@ def setUp(self): self.display_fields = {"application", "resource_type", "verb", "permission"} with tenant_context(self.tenant): - self.permissionA = Permission.objects.create(permission="rbac:roles:read") - self.permissionB = Permission.objects.create(permission="rbac:*:*") - self.permissionC = Permission.objects.create(permission="acme:*:*") - self.permissionD = Permission.objects.create(permission="acme:*:write") - self.permissionE = Permission.objects.create(permission="*:*:*") - self.permissionF = Permission.objects.create(permission="*:bar:*") - self.permissionG = Permission.objects.create(permission="*:*:baz") - self.permissionH = Permission.objects.create(permission="*:bar:baz") - self.permissionI = Permission.objects.create(permission="foo:bar:*", description="Description test.") + self.permissionA = Permission.objects.create(permission="rbac:roles:read", tenant=self.tenant) + self.permissionB = Permission.objects.create(permission="rbac:*:*", tenant=self.tenant) + self.permissionC = Permission.objects.create(permission="acme:*:*", tenant=self.tenant) + self.permissionD = Permission.objects.create(permission="acme:*:write", tenant=self.tenant) + self.permissionE = Permission.objects.create(permission="*:*:*", tenant=self.tenant) + self.permissionF = Permission.objects.create(permission="*:bar:*", tenant=self.tenant) + self.permissionG = Permission.objects.create(permission="*:*:baz", tenant=self.tenant) + self.permissionH = Permission.objects.create(permission="*:bar:baz", tenant=self.tenant) + self.permissionI = Permission.objects.create( + permission="foo:bar:*", description="Description test.", tenant=self.tenant + ) self.permissionI.permissions.add(self.permissionA) self.roleA = Role.objects.create(name="roleA", tenant=self.tenant) 
@@ -422,7 +424,7 @@ def setUp(self): self.headers = request.META with tenant_context(self.tenant): - self.permission = Permission.objects.create(permission="rbac:roles:read") + self.permission = Permission.objects.create(permission="rbac:roles:read", tenant=self.tenant) self.permission.save() def tearDown(self): diff --git a/tests/management/policy/test_view.py b/tests/management/policy/test_view.py index ecb67e603..7dfb2019b 100644 --- a/tests/management/policy/test_view.py +++ b/tests/management/policy/test_view.py @@ -41,17 +41,18 @@ def setUp(self): user.username = self.user_data["username"] user.account = self.customer_data["account_id"] request.user = user + public_tenant = Tenant.objects.get(schema_name="public") with tenant_context(self.tenant): - self.principal = Principal(username=self.user_data["username"]) + self.principal = Principal(username=self.user_data["username"], tenant=self.tenant) self.principal.save() - self.group = Group(name="groupA") + self.group = Group(name="groupA", tenant=self.tenant) self.group.save() self.group.principals.add(self.principal) self.group.save() - Permission.objects.create(permission="app:*:*") - with tenant_context(Tenant.objects.get(schema_name="public")): - Permission.objects.create(permission="app:*:*") + Permission.objects.create(permission="app:*:*", tenant=self.tenant) + with tenant_context(public_tenant): + Permission.objects.create(permission="app:*:*", tenant=public_tenant) def tearDown(self): """Tear down policy viewset tests.""" diff --git a/tests/management/principal/test_cleaner.py b/tests/management/principal/test_cleaner.py index 1bd4eae7e..79fba2213 100644 --- a/tests/management/principal/test_cleaner.py +++ b/tests/management/principal/test_cleaner.py 
@@ -35,7 +35,7 @@ def setUp(self): """Set up the principal cleaner tests.""" super().setUp() with tenant_context(self.tenant): - self.group = Group(name="groupA") + self.group = Group(name="groupA", tenant=self.tenant) self.group.save() def test_principal_cleanup_none(self): @@ -54,8 +54,8 @@ def test_principal_cleanup_none(self): def test_principal_cleanup_skip_cross_account_principals(self, mock_request): """Test that principal clean up on a tenant will skip cross account principals.""" with tenant_context(self.tenant): - Principal.objects.create(username="user1") - Principal.objects.create(username="CAR", cross_account=True) + Principal.objects.create(username="user1", tenant=self.tenant) + Principal.objects.create(username="CAR", cross_account=True, tenant=self.tenant) self.assertEqual(Principal.objects.count(), 2) try: @@ -72,7 +72,7 @@ def test_principal_cleanup_skip_cross_account_principals(self, mock_request): def test_principal_cleanup_principal_in_group(self, mock_request): """Test that we can run a principal clean up on a tenant with a principal in a group.""" with tenant_context(self.tenant): - self.principal = Principal(username="user1") + self.principal = Principal(username="user1", tenant=self.tenant) self.principal.save() self.group.principals.add(self.principal) self.group.save() @@ -90,7 +90,7 @@ def test_principal_cleanup_principal_in_group(self, mock_request): def test_principal_cleanup_principal_not_in_group(self, mock_request): """Test that we can run a principal clean up on a tenant with a principal not in a group.""" with tenant_context(self.tenant): - self.principal = Principal(username="user1") + self.principal = Principal(username="user1", tenant=self.tenant) self.principal.save() try: clean_tenant_principals(self.tenant) 
@@ -106,7 +106,7 @@ def test_principal_cleanup_principal_not_in_group(self, mock_request): def test_principal_cleanup_principal_exists(self, mock_request): """Test that we can run a principal clean up on a tenant with an existing principal.""" with tenant_context(self.tenant): - self.principal = Principal(username="user1") + self.principal = Principal(username="user1", tenant=self.tenant) self.principal.save() try: clean_tenant_principals(self.tenant) @@ -122,7 +122,7 @@ def test_principal_cleanup_principal_exists(self, mock_request): def test_principal_cleanup_principal_error(self, mock_request): """Test that we can handle a principal clean up with an unexpected error from proxy.""" with tenant_context(self.tenant): - self.principal = Principal(username="user1") + self.principal = Principal(username="user1", tenant=self.tenant) self.principal.save() try: clean_tenant_principals(self.tenant) diff --git a/tests/management/principal/test_model.py b/tests/management/principal/test_model.py index 85129a367..efe22a793 100644 --- a/tests/management/principal/test_model.py +++ b/tests/management/principal/test_model.py @@ -35,11 +35,11 @@ def test_principal_creation(self): """Test that we can create principal correctly.""" with tenant_context(self.tenant): # Default value for cross_account is False. - principalA = Principal.objects.create(username="principalA") + principalA = Principal.objects.create(username="principalA", tenant=self.tenant) self.assertEqual(principalA.username, "principalA") self.assertEqual(principalA.cross_account, False) # Explicitly set cross_account. - principalB = Principal.objects.create(username="principalB", cross_account=True) + principalB = Principal.objects.create(username="principalB", cross_account=True, tenant=self.tenant) self.assertEqual(principalB.username, "principalB") self.assertEqual(principalB.cross_account, True) 
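Review bot: `test_principal_creation` in `tests/management/principal/test_model.py` now only covers the case where a tenant is supplied; nothing in this hunk checks that the constraint the series adds rejects a principal without one. A negative case alongside it would pin that down, for example `with self.assertRaises(IntegrityError), transaction.atomic(): Principal.objects.create(username="no_tenant")`, with `IntegrityError` and `transaction` imported from `django.db`. This assumes the missing tenant surfaces as a database integrity error; confirm against the model definition. The same gap appears to apply to the role, group, permission and access model tests changed in this patch.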
diff --git a/tests/management/principal/test_view.py b/tests/management/principal/test_view.py index 57bc1a1f6..a2596f0cf 100644 --- a/tests/management/principal/test_view.py +++ b/tests/management/principal/test_view.py @@ -51,7 +51,7 @@ def setUp(self): self.headers = request.META with tenant_context(self.tenant): - self.principal = Principal(username="test_user") + self.principal = Principal(username="test_user", tenant=self.tenant) self.principal.save() def tearDown(self): @@ -121,7 +121,7 @@ def setUp(self): request.user = user with tenant_context(self.tenant): - self.principal = Principal(username="test_user") + self.principal = Principal(username="test_user", tenant=self.tenant) self.principal.save() def tearDown(self): @@ -137,7 +137,9 @@ def test_read_principal_list_success(self, mock_request): """Test that we can read a list of principals.""" # Create a cross_account user in rbac. with tenant_context(self.tenant): - cross_account_principal = Principal.objects.create(username="cross_account_user", cross_account=True) + cross_account_principal = Principal.objects.create( + username="cross_account_user", cross_account=True, tenant=self.tenant + ) url = reverse("principals") client = APIClient() @@ -203,7 +205,9 @@ def test_read_principal_filtered_list_success_without_cross_account_user(self, m """Test that we can read a filtered list of principals.""" # Create a cross_account user in rbac. with tenant_context(self.tenant): - cross_account_principal = Principal.objects.create(username="cross_account_user", cross_account=True) + cross_account_principal = Principal.objects.create( + username="cross_account_user", cross_account=True, tenant=self.tenant + ) url = f'{reverse("principals")}?usernames=test_user,cross_account_user&offset=30' client = APIClient() diff --git a/tests/management/role/test_model.py b/tests/management/role/test_model.py index f4d9ae94b..916c5d323 100644 --- a/tests/management/role/test_model.py +++ b/tests/management/role/test_model.py 
@@ -31,10 +31,8 @@ def setUp(self):
 super().setUp()
 with tenant_context(self.tenant):
- self.roleA = Role.objects.create(name="roleA")
- self.roleB = Role.objects.create(name="roleB", system=True)
- self.roleA.save()
- self.roleB.save()
+ self.roleA = Role.objects.create(name="roleA", tenant=self.tenant)
+ self.roleB = Role.objects.create(name="roleB", system=True, tenant=self.tenant)
 def tearDown(self):
 """Tear down group model tests."""
diff --git a/tests/management/role/test_view.py b/tests/management/role/test_view.py
index bdb83fb30..f1682a581 100644
--- a/tests/management/role/test_view.py
+++ b/tests/management/role/test_view.py
@@ -65,41 +65,41 @@ def setUp(self): } with tenant_context(self.tenant): - self.principal = Principal(username=self.user_data["username"]) + self.principal = Principal(username=self.user_data["username"], tenant=self.tenant) self.principal.save() - self.policy = Policy.objects.create(name="policyA") - self.group = Group(name="groupA", description="groupA description") + self.policy = Policy.objects.create(name="policyA", tenant=self.tenant) + self.group = Group(name="groupA", description="groupA description", tenant=self.tenant) self.group.save() self.group.principals.add(self.principal) self.group.policies.add(self.policy) self.group.save() - self.sysRole = Role(**sys_role_config) + self.sysRole = Role(**sys_role_config, tenant=self.tenant) self.sysRole.save() - self.defRole = Role(**def_role_config) + self.defRole = Role(**def_role_config, tenant=self.tenant) self.defRole.save() self.defRole.save() self.policy.roles.add(self.defRole, self.sysRole) self.policy.save() - self.permission = Permission.objects.create(permission="app:*:*") - self.permission2 = Permission.objects.create(permission="app2:*:*") - self.permission3 = Permission.objects.create(permission="app:*:read") + self.permission = Permission.objects.create(permission="app:*:*", tenant=self.tenant) + self.permission2 = Permission.objects.create(permission="app2:*:*", tenant=self.tenant) + self.permission3 = Permission.objects.create(permission="app:*:read", tenant=self.tenant) self.permission.permissions.add(self.permission3) - self.access = Access.objects.create(permission=self.permission, role=self.defRole) - self.access2 = Access.objects.create(permission=self.permission2, role=self.defRole) + self.access = Access.objects.create(permission=self.permission, role=self.defRole, tenant=self.tenant) + self.access2 = Access.objects.create(permission=self.permission2, role=self.defRole, tenant=self.tenant) - self.access3 = Access.objects.create(permission=self.permission2, role=self.sysRole) - 
Permission.objects.create(permission="cost-management:*:*") + self.access3 = Access.objects.create(permission=self.permission2, role=self.sysRole, tenant=self.tenant) + Permission.objects.create(permission="cost-management:*:*", tenant=self.tenant) # Create permission in public schema with tenant_context(Tenant.objects.get(schema_name="public")): - Permission.objects.get_or_create(permission="cost-management:*:*") - Permission.objects.get_or_create(permission="app:*:*") - Permission.objects.get_or_create(permission="app2:*:*") - Permission.objects.get_or_create(permission="app:*:read") + Permission.objects.get_or_create(permission="cost-management:*:*", tenant=self.tenant) + Permission.objects.get_or_create(permission="app:*:*", tenant=self.tenant) + Permission.objects.get_or_create(permission="app2:*:*", tenant=self.tenant) + Permission.objects.get_or_create(permission="app:*:read", tenant=self.tenant) def create_role(self, role_name, role_display="", in_access_data=None): """Create a role.""" diff --git a/tests/management/test_querysets.py b/tests/management/test_querysets.py index b45100328..3dc9117a5 100644 --- a/tests/management/test_querysets.py +++ b/tests/management/test_querysets.py 
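Review bot: In setUp of tests/management/role/test_view.py, the four `Permission.objects.get_or_create(...)` calls under the "Create permission in public schema" comment run inside `tenant_context(Tenant.objects.get(schema_name="public"))` but are given `tenant=self.tenant`. The rows meant to stand for public permissions therefore end up owned by the test tenant, assuming `self.tenant` is not the public tenant, which the hunk does not show. Role tests that rely on public-tenant permissions would then pass without exercising the ownership the comment describes. Fetching the tenant once with `public_tenant = Tenant.objects.get(schema_name="public")` and passing `tenant=public_tenant` to those four calls keeps the fixture consistent. setUp begins above the hunk.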
@@ -53,27 +53,27 @@ def tearDownClass(cls):
 def _create_groups(self):
 """Setup groups for tests."""
- Group.objects.create(name="group1")
- Group.objects.create(name="group2")
- Group.objects.create(name="group3")
- Group.objects.create(name="group4")
- Group.objects.create(name="group5")
+ Group.objects.create(name="group1", tenant=self.tenant)
+ Group.objects.create(name="group2", tenant=self.tenant)
+ Group.objects.create(name="group3", tenant=self.tenant)
+ Group.objects.create(name="group4", tenant=self.tenant)
+ Group.objects.create(name="group5", tenant=self.tenant)
 def _create_roles(self):
 """Setup roles for tests."""
- Role.objects.create(name="role1")
- Role.objects.create(name="role2")
- Role.objects.create(name="role3")
- Role.objects.create(name="role4")
- Role.objects.create(name="role5")
+ Role.objects.create(name="role1", tenant=self.tenant)
+ Role.objects.create(name="role2", tenant=self.tenant)
+ Role.objects.create(name="role3", tenant=self.tenant)
+ Role.objects.create(name="role4", tenant=self.tenant)
+ Role.objects.create(name="role5", tenant=self.tenant)
 def _create_policies(self):
 """Setup policies for tests."""
- Policy.objects.create(name="policy1")
- Policy.objects.create(name="policy2")
- Policy.objects.create(name="policy3")
- Policy.objects.create(name="policy4")
- Policy.objects.create(name="policy5")
+ Policy.objects.create(name="policy1", tenant=self.tenant)
+ Policy.objects.create(name="policy2", tenant=self.tenant)
+ Policy.objects.create(name="policy3", tenant=self.tenant)
+ Policy.objects.create(name="policy4", tenant=self.tenant)
+ Policy.objects.create(name="policy5", tenant=self.tenant)
 def test_get_group_queryset_admin(self):
 """Test get_group_queryset as an admin."""
@@ -86,7 +86,7 @@ def test_get_group_queryset_admin(self):
 def test_get_user_group_queryset_admin(self):
 """Test get_group_queryset as an admin."""
 self._create_groups()
- principal = Principal.objects.create(username="test_user")
+ principal = Principal.objects.create(username="test_user", tenant=self.tenant)
 group = Group.objects.first()
 group.principals.add(principal)
 user = Mock(spec=User, admin=True, account="00001", username="test_user")
@@ -97,7 +97,7 @@ def test_get_user_group_queryset_admin(self):
 def test_get_group_queryset_get_users_own_groups(self):
 """Test get_group_queryset to get a users own groups."""
 self._create_groups()
- principal = Principal.objects.create(username="test_user")
+ principal = Principal.objects.create(username="test_user", tenant=self.tenant)
 group = Group.objects.first()
 group.principals.add(principal)
 user = Mock(spec=User, admin=False, account="00001", username="test_user")
@@ -108,8 +108,8 @@ def test_get_group_queryset_get_users_own_groups(self):
 def test_get_group_queryset_get_users_other_users_groups(self):
 """Test get_group_queryset to get a users other users groups."""
 self._create_groups()
- principal = Principal.objects.create(username="test_user")
- principal2 = Principal.objects.create(username="test_user2")
+ principal = Principal.objects.create(username="test_user", tenant=self.tenant)
+ principal2 = Principal.objects.create(username="test_user2", tenant=self.tenant)
 group = Group.objects.first()
 group.principals.add(principal)
 user = Mock(spec=User, admin=False, account="00001", username="test_user")
@@ -319,7 +319,7 @@ def _setup_roles_for_role_username_queryset_tests(self):
 self._create_policies()
 self._create_roles()
- principal = Principal.objects.create(username="test_user2")
+ principal = Principal.objects.create(username="test_user2", tenant=self.tenant)
 group = Group.objects.first()
 policy = Policy.objects.first()
 roles = Role.objects.all()
diff --git a/tests/management/test_utils.py b/tests/management/test_utils.py
index 897ac9454..6b80e85fb 100644
--- a/tests/management/test_utils.py
+++ b/tests/management/test_utils.py
@@ -31,33 +31,39 @@ def setUp(self): with tenant_context(self.tenant): # setup principal - self.principal = Principal.objects.create(username="principalA") + self.principal = Principal.objects.create(username="principalA", tenant=self.tenant) # setup data for the principal - self.roleA = Role.objects.create(name="roleA") - self.permission = Permission.objects.create(permission="app:*:*") - self.accessA = Access.objects.create(permission=self.permission, role=self.roleA) - self.policyA = Policy.objects.create(name="policyA") + self.roleA = Role.objects.create(name="roleA", tenant=self.tenant) + self.permission = Permission.objects.create(permission="app:*:*", tenant=self.tenant) + self.accessA = Access.objects.create(permission=self.permission, role=self.roleA, tenant=self.tenant) + self.policyA = Policy.objects.create(name="policyA", tenant=self.tenant) self.policyA.roles.add(self.roleA) - self.groupA = Group.objects.create(name="groupA") + self.groupA = Group.objects.create(name="groupA", tenant=self.tenant) self.groupA.policies.add(self.policyA) self.groupA.principals.add(self.principal) # setup data the principal does not have access to - self.roleB = Role.objects.create(name="roleB") - self.accessB = Access.objects.create(permission=self.permission, role=self.roleB) - self.policyB = Policy.objects.create(name="policyB") + self.roleB = Role.objects.create(name="roleB", tenant=self.tenant) + self.accessB = Access.objects.create(permission=self.permission, role=self.roleB, tenant=self.tenant) + self.policyB = Policy.objects.create(name="policyB", tenant=self.tenant) self.policyB.roles.add(self.roleB) - self.groupB = Group.objects.create(name="groupB") + self.groupB = Group.objects.create(name="groupB", tenant=self.tenant) self.groupB.policies.add(self.policyB) # setup default group/role which all tenant users # should inherit without explicit association - self.default_role = Role.objects.create(name="default role", platform_default=True, system=True) - 
self.default_access = Access.objects.create(permission=self.permission, role=self.default_role) - self.default_policy = Policy.objects.create(name="default policy", system=True) + self.default_role = Role.objects.create( + name="default role", platform_default=True, system=True, tenant=self.tenant + ) + self.default_access = Access.objects.create( + permission=self.permission, role=self.default_role, tenant=self.tenant + ) + self.default_policy = Policy.objects.create(name="default policy", system=True, tenant=self.tenant) self.default_policy.roles.add(self.default_role) - self.default_group = Group.objects.create(name="default group", system=True, platform_default=True) + self.default_group = Group.objects.create( + name="default group", system=True, platform_default=True, tenant=self.tenant + ) self.default_group.policies.add(self.default_policy) def tearDown(self): diff --git a/tests/rbac/test_cache.py b/tests/rbac/test_cache.py index c39ca80da..e81924362 100644 --- a/tests/rbac/test_cache.py +++ b/tests/rbac/test_cache.py 
@@ -44,14 +44,14 @@ def setUpClass(self):
 def setUp(self):
 """Set up AccessCache tests."""
 super().setUp()
- self.principal_a = Principal.objects.create(username="principal_a")
- self.principal_b = Principal.objects.create(username="principal_b")
- self.group_a = Group.objects.create(name="group_a", platform_default=True)
- self.group_b = Group.objects.create(name="group_b")
- self.policy_a = Policy.objects.create(name="policy_a")
- self.policy_b = Policy.objects.create(name="policy_b")
- self.role_a = Role.objects.create(name="role_a")
- self.role_b = Role.objects.create(name="role_b")
+ self.principal_a = Principal.objects.create(username="principal_a", tenant=self.tenant)
+ self.principal_b = Principal.objects.create(username="principal_b", tenant=self.tenant)
+ self.group_a = Group.objects.create(name="group_a", platform_default=True, tenant=self.tenant)
+ self.group_b = Group.objects.create(name="group_b", tenant=self.tenant)
+ self.policy_a = Policy.objects.create(name="policy_a", tenant=self.tenant)
+ self.policy_b = Policy.objects.create(name="policy_b", tenant=self.tenant)
+ self.role_a = Role.objects.create(name="role_a", tenant=self.tenant)
+ self.role_b = Role.objects.create(name="role_b", tenant=self.tenant)
 @classmethod
 def tearDownClass(self):
@@ -220,14 +220,14 @@ def test_policy_cache_change_delete_roles_signals(self, cache):
 cache.reset_mock()
 # If Access is added
- self.permission = Permission.objects.create(permission="foo:*:*")
- self.access_a = Access.objects.create(permission=self.permission, role=self.role_a)
+ self.permission = Permission.objects.create(permission="foo:*:*", tenant=self.tenant)
+ self.access_a = Access.objects.create(permission=self.permission, role=self.role_a, tenant=self.tenant)
 cache.assert_called_once()
 cache.assert_called_once_with(self.principal_a.uuid)
 cache.reset_mock()
 # If ResourceDefinition is added
- self.rd_a = ResourceDefinition.objects.create(access=self.access_a)
+ self.rd_a = ResourceDefinition.objects.create(access=self.access_a, tenant=self.tenant)
 cache.assert_called_once()
 cache.assert_called_once_with(self.principal_a.uuid)
diff --git a/tests/rbac/test_middleware.py b/tests/rbac/test_middleware.py
index 5a7eb38d7..a3f0282c2 100644
--- a/tests/rbac/test_middleware.py
+++ b/tests/rbac/test_middleware.py
@@ -353,7 +353,7 @@ def test_no_principal_found(self):
 def test_principal_no_access(self):
 """Test access for existing principal with no access definitions."""
- Principal.objects.create(username="test_user")
+ Principal.objects.create(username="test_user", tenant=self.tenant)
 expected = {
 "group": {"read": [], "write": []},
 "role": {"read": [], "write": []},
@@ -365,14 +365,14 @@ def test_principal_no_access(self):
 def test_principal_with_access_no_res_defs(self):
 """Test a user with defined access without any resource definitions."""
- principal = Principal.objects.create(username="test_user")
- group = Group.objects.create(name="group1")
+ principal = Principal.objects.create(username="test_user", tenant=self.tenant)
+ group = Group.objects.create(name="group1", tenant=self.tenant)
 group.principals.add(principal)
 group.save()
- role = Role.objects.create(name="role1")
- perm = Permission.objects.create(permission="rbac:group:write")
- access = Access.objects.create(permission=perm, role=role)
- policy = Policy.objects.create(name="policy1", group=group)
+ role = Role.objects.create(name="role1", tenant=self.tenant)
+ perm = Permission.objects.create(permission="rbac:group:write", tenant=self.tenant)
+ access = Access.objects.create(permission=perm, role=role, tenant=self.tenant)
+ policy = Policy.objects.create(name="policy1", group=group, tenant=self.tenant)
 policy.roles.add(role)
 policy.save()
 access = IdentityHeaderMiddleware._get_access_for_user("test_user", self.tenant)
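Review bot: Every object created in test_principal_with_access_no_res_defs belongs to `self.tenant`, so the test would still pass if `_get_access_for_user("test_user", self.tenant)` also returned access rows owned by another tenant. The same holds for the later middleware hunks (test_principal_with_access_with_res_defs, test_principal_with_access_with_wildcard_op, test_principal_with_access_with_wildcard_access). Since this series ties each row to its tenant by foreign key, a companion case would cover the isolation boundary: create a second tenant with its own `Principal.objects.create(username="test_user", tenant=other_tenant)` and an `rbac:group:write` access, then assert that nothing from it appears in the result for `self.tenant`. The function body continues past the hunk, so the existing assertions on `access` are not visible here.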
@@ -386,25 +386,25 @@ def test_principal_with_access_no_res_defs(self): def test_principal_with_access_with_res_defs(self): """Test a user with defined access with any resource definitions.""" - principal = Principal.objects.create(username="test_user") - group = Group.objects.create(name="group1") + principal = Principal.objects.create(username="test_user", tenant=self.tenant) + group = Group.objects.create(name="group1", tenant=self.tenant) group.principals.add(principal) group.save() - role = Role.objects.create(name="role1") - perm = Permission.objects.create(permission="rbac:group:foo:bar") - Access.objects.create(permission=perm, role=role) - perm2 = Permission.objects.create(permission="rbac:group:write") - access = Access.objects.create(permission=perm2, role=role) + role = Role.objects.create(name="role1", tenant=self.tenant) + perm = Permission.objects.create(permission="rbac:group:foo:bar", tenant=self.tenant) + Access.objects.create(permission=perm, role=role, tenant=self.tenant) + perm2 = Permission.objects.create(permission="rbac:group:write", tenant=self.tenant) + access = Access.objects.create(permission=perm2, role=role, tenant=self.tenant) ResourceDefinition.objects.create( - access=access, attributeFilter={"key": "group", "operation": "equal", "value": "1"} + access=access, attributeFilter={"key": "group", "operation": "equal", "value": "1"}, tenant=self.tenant ) ResourceDefinition.objects.create( - access=access, attributeFilter={"key": "group", "operation": "in", "value": "3,5"} + access=access, attributeFilter={"key": "group", "operation": "in", "value": "3,5"}, tenant=self.tenant ) ResourceDefinition.objects.create( - access=access, attributeFilter={"key": "group", "operation": "equal", "value": "*"} + access=access, attributeFilter={"key": "group", "operation": "equal", "value": "*"}, tenant=self.tenant ) - policy = Policy.objects.create(name="policy1", group=group) + policy = Policy.objects.create(name="policy1", group=group, 
tenant=self.tenant) policy.roles.add(role) policy.save() access = IdentityHeaderMiddleware._get_access_for_user("test_user", self.tenant) @@ -418,23 +418,23 @@ def test_principal_with_access_with_res_defs(self): def test_principal_with_access_with_wildcard_op(self): """Test a user with defined access with wildcard operation.""" - principal = Principal.objects.create(username="test_user") - group = Group.objects.create(name="group1") + principal = Principal.objects.create(username="test_user", tenant=self.tenant) + group = Group.objects.create(name="group1", tenant=self.tenant) group.principals.add(principal) group.save() - role = Role.objects.create(name="role1") - perm = Permission.objects.create(permission="rbac:group:*") - access = Access.objects.create(permission=perm, role=role) + role = Role.objects.create(name="role1", tenant=self.tenant) + perm = Permission.objects.create(permission="rbac:group:*", tenant=self.tenant) + access = Access.objects.create(permission=perm, role=role, tenant=self.tenant) ResourceDefinition.objects.create( - access=access, attributeFilter={"key": "group", "operation": "equal", "value": "1"} + access=access, attributeFilter={"key": "group", "operation": "equal", "value": "1"}, tenant=self.tenant ) ResourceDefinition.objects.create( - access=access, attributeFilter={"key": "group", "operation": "in", "value": "3,5"} + access=access, attributeFilter={"key": "group", "operation": "in", "value": "3,5"}, tenant=self.tenant ) ResourceDefinition.objects.create( - access=access, attributeFilter={"key": "group", "operation": "equal", "value": "*"} + access=access, attributeFilter={"key": "group", "operation": "equal", "value": "*"}, tenant=self.tenant ) - policy = Policy.objects.create(name="policy1", group=group) + policy = Policy.objects.create(name="policy1", group=group, tenant=self.tenant) policy.roles.add(role) policy.save() access = IdentityHeaderMiddleware._get_access_for_user("test_user", self.tenant) 
@@ -448,14 +448,14 @@ def test_principal_with_access_with_wildcard_op(self): def test_principal_with_access_with_wildcard_access(self): """Test a user with defined access with wildcard access.""" - principal = Principal.objects.create(username="test_user") - group = Group.objects.create(name="group1") + principal = Principal.objects.create(username="test_user", tenant=self.tenant) + group = Group.objects.create(name="group1", tenant=self.tenant) group.principals.add(principal) group.save() - role = Role.objects.create(name="role1") - perm = Permission.objects.create(permission="rbac:*:*") - access = Access.objects.create(permission=perm, role=role) - policy = Policy.objects.create(name="policy1", group=group) + role = Role.objects.create(name="role1", tenant=self.tenant) + perm = Permission.objects.create(permission="rbac:*:*", tenant=self.tenant) + access = Access.objects.create(permission=perm, role=role, tenant=self.tenant) + policy = Policy.objects.create(name="policy1", group=group, tenant=self.tenant) policy.roles.add(role) policy.save() access = IdentityHeaderMiddleware._get_access_for_user("test_user", self.tenant) From bef2f4dbb495ba1981388781a24ccefbde5c1a28 Mon Sep 17 00:00:00 2001 From: Keith Walsh Date: Thu, 9 Dec 2021 07:12:07 -0500 Subject: [PATCH 3/3] Fix permission spec after rebase --- tests/management/permission/test_view.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/management/permission/test_view.py b/tests/management/permission/test_view.py index a774ee76b..2ac0e40b9 100644 --- a/tests/management/permission/test_view.py +++ b/tests/management/permission/test_view.py 
@@ -58,7 +58,7 @@ def setUp(self):
 permission="foo:bar:*", description="Description test.", tenant=self.tenant
 )
 self.permissionI.permissions.add(self.permissionA)
- self.permissionJ = Permission.objects.create(permission="cost-management:*:baz")
+ self.permissionJ = Permission.objects.create(permission="cost-management:*:baz", tenant=self.tenant)
 self.roleA = Role.objects.create(name="roleA", tenant=self.tenant)
 self.roleB = Role.objects.create(name="roleB", tenant=self.tenant)