# Licensed to the Apache Software Foundation (ASF) under one
# or more contributor license agreements. See the NOTICE file
# distributed with this work for additional information
# regarding copyright ownership. The ASF licenses this file
# to you under the Apache License, Version 2.0 (the
# "License"); you may not use this file except in compliance
# with the License. You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing,
# software distributed under the License is distributed on an
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
# KIND, either express or implied. See the License for the
# specific language governing permissions and limitations
# under the License.
import pytest
from pytest_mock import MockFixture
from superset.exceptions import SupersetSecurityException
from superset.extensions import appbuilder
from superset.security.manager import SupersetSecurityManager
def test_security_manager(app_context: None) -> None:
    """
    Smoke test: the security manager can be constructed from the app builder.

    Only construction is covered here; no permission logic is exercised.
    """
    manager = SupersetSecurityManager(appbuilder)
    assert manager
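def test_raise_for_access_query_default_schema(
    mocker: MockFixture,
    app_context: None,
) -> None:
    """
    Test that the DB default schema is used in non-qualified table names.

    For example, in Postgres, for the following query:

        > SELECT * FROM foo;

    We should check that the user has access to the `public` schema, regardless of the
    schema set in the query.

    Database-wide access is mocked as denied and the datasource lookup is mocked
    to return nothing, so the mocked ``can_access`` result is what flips the
    outcome between "allowed" and "denied" in the two halves of the test.
    """
    sm = SupersetSecurityManager(appbuilder)
    # Deny the database-wide shortcut so the decision cannot be made at that level.
    mocker.patch.object(sm, "can_access_database", return_value=False)
    mocker.patch.object(sm, "get_schema_perm", return_value="[PostgreSQL].[public]")
    # No datasource matches the table, so a datasource-level grant cannot allow it.
    SqlaTable = mocker.patch("superset.connectors.sqla.models.SqlaTable")
    SqlaTable.query_datasources_by_name.return_value = []

    database = mocker.MagicMock()
    database.get_default_schema_for_query.return_value = "public"
    query = mocker.MagicMock()
    query.database = database
    # The table name is deliberately unqualified: no schema appears in the SQL.
    query.sql = "SELECT * FROM ab_user"

    # user has access to `public` schema
    mocker.patch.object(sm, "can_access", return_value=True)
    assert (
        sm.raise_for_access(  # type: ignore
            database=None,
            datasource=None,
            query=query,
            query_context=None,
            table=None,
            viz=None,
        )
        is None
    )
    sm.can_access.assert_called_with("schema_access", "[PostgreSQL].[public]")  # type: ignore

    # user has only access to `secret` schema; the mock models this by denying
    # every permission that is checked, including the one for `public`
    mocker.patch.object(sm, "can_access", return_value=False)
    with pytest.raises(SupersetSecurityException) as excinfo:
        sm.raise_for_access(
            database=None,
            datasource=None,
            query=query,
            query_context=None,
            table=None,
            viz=None,
        )
    # The denial must be decided against the default schema's permission, exactly
    # as in the allow path; otherwise the exception could come from an unrelated
    # check and the test would still pass.
    sm.can_access.assert_called_with("schema_access", "[PostgreSQL].[public]")  # type: ignore
    # Compare with runs of whitespace collapsed: the message spans two lines and
    # the indentation of its second line is a formatting detail, whereas the
    # denied table name (`public.ab_user`) is what this test has to pin.
    assert " ".join(str(excinfo.value).split()) == (
        "You need access to the following tables: `public.ab_user`, "
        "`all_database_access` or `all_datasource_access` permission"
    )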