From c1c24d55ccd206828401f8dd1d9ddccaa1c7c470 Mon Sep 17 00:00:00 2001
From: Jiri Kozel <jirik@users.noreply.github.com>
Date: Tue, 28 Nov 2023 15:30:43 +0100
Subject: [PATCH] Role names in access_rights are passing check_rights_axioms

---
 .../common/prime_db_schema/publications.py    | 22 +++++---
 .../prime_db_schema/publications_test.py      | 55 +++++++++++++------
 .../publications/access_rights/__init__.py    |  0
 .../publications/access_rights/test_role.py   | 40 ++++++++++++++
 4 files changed, 92 insertions(+), 25 deletions(-)
 create mode 100644 tests/dynamic_data/publications/access_rights/__init__.py
 create mode 100644 tests/dynamic_data/publications/access_rights/test_role.py

diff --git a/src/layman/common/prime_db_schema/publications.py b/src/layman/common/prime_db_schema/publications.py
index 0c67b717d..2ff2e3193 100644
--- a/src/layman/common/prime_db_schema/publications.py
+++ b/src/layman/common/prime_db_schema/publications.py
@@ -339,17 +339,21 @@ def secure_bbox_transform(bbox_crs):
     return bbox_sql
 
 
-def only_valid_names(users_list):
+def only_valid_user_names(users_list):
     usernames_for_check = set(users_list)
-    usernames_for_check.discard(ROLE_EVERYONE)
     for username in usernames_for_check:
         info = users.get_user_infos(username)
         if not info:
             raise LaymanError(43, f'Not existing user. Username={username}')
 
 
-def at_least_one_can_write(can_write):
-    if not can_write:
+# pylint: disable=unused-argument
+def only_valid_role_names(roles_list):
+    pass
+
+
+def at_least_one_can_write(user_names, role_names):
+    if not user_names and ROLE_EVERYONE not in role_names:
         raise LaymanError(43, f'At least one user have to have write rights.')
 
 
@@ -383,11 +387,15 @@ def check_rights_axioms(can_read,
                         can_read_old=None,
                         can_write_old=None):
     if can_read:
-        only_valid_names(can_read)
+        read_users, read_roles = split_user_and_role_names(can_read)
+        only_valid_user_names(read_users)
+        only_valid_role_names(read_roles)
     if can_write:
-        only_valid_names(can_write)
+        write_users, write_roles = split_user_and_role_names(can_write)
+        only_valid_user_names(write_users)
+        only_valid_role_names(write_roles)
         owner_can_still_write(owner, can_write)
-        at_least_one_can_write(can_write)
+        at_least_one_can_write(write_users, write_roles)
         i_can_still_write(actor_name, can_write)
     if can_read or can_write:
         can_read_check = can_read or can_read_old
diff --git a/src/layman/common/prime_db_schema/publications_test.py b/src/layman/common/prime_db_schema/publications_test.py
index 893b6f0ce..6f42f2eb6 100644
--- a/src/layman/common/prime_db_schema/publications_test.py
+++ b/src/layman/common/prime_db_schema/publications_test.py
@@ -29,26 +29,19 @@ def test_only_valid_names():
         userinfo['sub'] = '10'
         users.ensure_user(id_workspace_user, userinfo)
 
-        publications.only_valid_names(set())
-        publications.only_valid_names({username, })
-        publications.only_valid_names({settings.RIGHTS_EVERYONE_ROLE, })
-        publications.only_valid_names({settings.RIGHTS_EVERYONE_ROLE, username, })
-        publications.only_valid_names({username, settings.RIGHTS_EVERYONE_ROLE, })
+        publications.only_valid_user_names(set())
+        publications.only_valid_user_names({username, })
 
         with pytest.raises(LaymanError) as exc_info:
-            publications.only_valid_names({username, workspace_name})
+            publications.only_valid_user_names({username, workspace_name})
         assert exc_info.value.code == 43
 
         with pytest.raises(LaymanError) as exc_info:
-            publications.only_valid_names({workspace_name, username})
+            publications.only_valid_user_names({workspace_name, username})
         assert exc_info.value.code == 43
 
         with pytest.raises(LaymanError) as exc_info:
-            publications.only_valid_names({workspace_name, settings.RIGHTS_EVERYONE_ROLE, })
-        assert exc_info.value.code == 43
-
-        with pytest.raises(LaymanError) as exc_info:
-            publications.only_valid_names({settings.RIGHTS_EVERYONE_ROLE, 'skaljgdalskfglshfgd', })
+            publications.only_valid_user_names({'skaljgdalskfglshfgd', })
         assert exc_info.value.code == 43
 
         users.delete_user(username)
@@ -59,14 +52,18 @@ def test_at_least_one_can_write():
     workspace_name = 'test_at_least_one_can_write_workspace'
     username = 'test_at_least_one_can_write_user'
 
-    publications.at_least_one_can_write({username, })
-    publications.at_least_one_can_write({settings.RIGHTS_EVERYONE_ROLE, })
-    publications.at_least_one_can_write({username, settings.RIGHTS_EVERYONE_ROLE, })
-    publications.at_least_one_can_write({workspace_name, })
-    publications.at_least_one_can_write({'lusfjdiaurghalskug', })
+    publications.at_least_one_can_write({username}, set())
+    publications.at_least_one_can_write(set(), {settings.RIGHTS_EVERYONE_ROLE})
+    publications.at_least_one_can_write({username}, set())
+    publications.at_least_one_can_write({workspace_name}, set())
+    publications.at_least_one_can_write({'lusfjdiaurghalskug'}, set())
+
+    with pytest.raises(LaymanError) as exc_info:
+        publications.at_least_one_can_write(set(), set())
+    assert exc_info.value.code == 43
 
     with pytest.raises(LaymanError) as exc_info:
-        publications.at_least_one_can_write(set())
+        publications.at_least_one_can_write(set(), {'ROLE1'})
     assert exc_info.value.code == 43
 
 
@@ -85,6 +82,8 @@ def test_who_can_write_can_read():
     publications.who_can_write_can_read({settings.RIGHTS_EVERYONE_ROLE, username, }, {settings.RIGHTS_EVERYONE_ROLE, })
     publications.who_can_write_can_read({settings.RIGHTS_EVERYONE_ROLE, username, }, set())
     publications.who_can_write_can_read({workspace_name, }, {workspace_name, })
+    publications.who_can_write_can_read({'ROLE1'}, {'ROLE1'})
+    publications.who_can_write_can_read({settings.RIGHTS_EVERYONE_ROLE}, {'ROLE1'})
 
     with pytest.raises(LaymanError) as exc_info:
         publications.who_can_write_can_read(set(), {workspace_name, })
@@ -106,6 +105,18 @@ def test_who_can_write_can_read():
         publications.who_can_write_can_read({username}, {workspace_name, })
     assert exc_info.value.code == 43
 
+    with pytest.raises(LaymanError) as exc_info:
+        publications.who_can_write_can_read({username}, {'ROLE1'})
+    assert exc_info.value.code == 43
+
+    with pytest.raises(LaymanError) as exc_info:
+        publications.who_can_write_can_read({'ROLE2'}, {'ROLE1'})
+    assert exc_info.value.code == 43
+
+    with pytest.raises(LaymanError) as exc_info:
+        publications.who_can_write_can_read({'ROLE2'}, {settings.RIGHTS_EVERYONE_ROLE})
+    assert exc_info.value.code == 43
+
 
 def test_i_can_still_write():
     workspace_name = 'test_i_can_still_write_workspace'
@@ -133,6 +144,10 @@ def test_i_can_still_write():
         publications.i_can_still_write(username, {workspace_name, })
     assert exc_info.value.code == 43
 
+    with pytest.raises(LaymanError) as exc_info:
+        publications.i_can_still_write(username, {'ROLE1'})
+    assert exc_info.value.code == 43
+
 
 def test_owner_can_still_write():
     workspace_name = 'test_owner_can_still_write_workspace'
@@ -153,6 +168,10 @@ def test_owner_can_still_write():
         publications.owner_can_still_write(username, {workspace_name, })
     assert exc_info.value.code == 43
 
+    with pytest.raises(LaymanError) as exc_info:
+        publications.owner_can_still_write(username, {'ROLE1'})
+    assert exc_info.value.code == 43
+
 
 def test_clear_roles():
     workspace_name = 'test_clear_roles_workspace'
diff --git a/tests/dynamic_data/publications/access_rights/__init__.py b/tests/dynamic_data/publications/access_rights/__init__.py
new file mode 100644
index 000000000..e69de29bb
diff --git a/tests/dynamic_data/publications/access_rights/test_role.py b/tests/dynamic_data/publications/access_rights/test_role.py
new file mode 100644
index 000000000..d64585254
--- /dev/null
+++ b/tests/dynamic_data/publications/access_rights/test_role.py
@@ -0,0 +1,40 @@
+from tests import EnumTestTypes, Publication
+from tests.asserts.final.publication import util as assert_util
+from tests.dynamic_data import base_test, base_test_classes
+from tests.dynamic_data.publications import common_publications
+
+pytest_generate_tests = base_test.pytest_generate_tests
+
+
+class PublicationTypes(base_test_classes.PublicationByDefinitionBase):
+    LAYER = (common_publications.LAYER_VECTOR_SLD, 'layer')
+    MAP = (common_publications.MAP_EMPTY, 'map')
+
+
+class TestPublication(base_test.TestSingleRestPublication):
+    workspace = 'test_access_rights_role'
+    publication_type = None
+
+    rest_parametrization = [
+        base_test_classes.RestMethod,
+        PublicationTypes,
+    ]
+
+    test_cases = [base_test.TestCaseType(key='role_test',
+                                         publication=lambda publ_def, cls: Publication(cls.workspace,
+                                                                                       publ_def.type,
+                                                                                       None),
+                                         rest_args={
+                                             'access_rights': {
+                                                 'read': 'EVERYONE,ROLE1'
+                                             }
+                                         },
+                                         type=EnumTestTypes.OPTIONAL,
+                                         specific_types={
+                                             (base_test_classes.RestMethod.POST, PublicationTypes.LAYER): EnumTestTypes.MANDATORY
+                                         },
+                                         )]
+
+    def test_publication(self, publication, rest_method, rest_args):
+        rest_method.fn(publication, args=rest_args)
+        assert_util.is_publication_valid_and_complete(publication)