Fix functional permission tests - modify custom logic permissions tables

data-dot-all · Dec 26, 2024 · 0aed0ec · 0aed0ec
1 parent 827bea8
commit 0aed0ec
Show file tree

Hide file tree

Showing 8 changed files with 18 additions and 313 deletions.
diff --git a/backend/dataall/modules/dashboards/api/mutations.py b/backend/dataall/modules/dashboards/api/mutations.py
@@ -35,17 +35,6 @@
     resolver=delete_dashboard,
 )
 
-
-shareDashboard = gql.MutationField(
-    name='shareDashboard',
-    type=gql.Ref('DashboardShare'),
-    args=[
-        gql.Argument(name='principalId', type=gql.NonNullableType(gql.String)),
-        gql.Argument(name='dashboardUri', type=gql.NonNullableType(gql.String)),
-    ],
-    resolver=share_dashboard,
-)
-
 requestDashboardShare = gql.MutationField(
     name='requestDashboardShare',
     type=gql.Ref('DashboardShare'),

diff --git a/backend/dataall/modules/s3_datasets/services/dataset_column_service.py b/backend/dataall/modules/s3_datasets/services/dataset_column_service.py
@@ -3,6 +3,7 @@
 from dataall.core.tasks.service_handlers import Worker
 from dataall.base.aws.sts import SessionHelper
 from dataall.base.context import get_context
+from dataall.base.db import exceptions
 from dataall.core.tasks.db.task_models import Task
 from dataall.modules.s3_datasets.aws.glue_table_client import GlueTableClient
 from dataall.modules.s3_datasets.db.dataset_column_repositories import DatasetColumnRepository
@@ -33,13 +34,10 @@ def paginate_active_columns_for_table(uri: str, filter=None):
             if (
                 ConfidentialityClassification.get_confidentiality_level(dataset.confidentiality)
                 != ConfidentialityClassification.Unclassified.value
-            ):
-                ResourcePolicyService.check_user_resource_permission(
-                    session=session,
-                    username=context.username,
-                    groups=context.groups,
-                    resource_uri=table.tableUri,
-                    permission_name=PREVIEW_DATASET_TABLE,
+            ) and (dataset.SamlAdminGroupName not in context.groups and dataset.stewards not in context.groups):
+                raise exceptions.UnauthorizedOperation(
+                    action='LIST_DATASET_TABLE_COLUMNS',
+                    message='User is not authorized to view Columns for Confidential datasets',
                 )
             return DatasetColumnRepository.paginate_active_columns_for_table(session, uri, filter)
 

diff --git a/backend/dataall/modules/s3_datasets/services/dataset_profiling_service.py b/backend/dataall/modules/s3_datasets/services/dataset_profiling_service.py
@@ -8,6 +8,7 @@
 from dataall.core.environment.services.environment_service import EnvironmentService
 from dataall.core.tasks.db.task_models import Task
 from dataall.base.db.exceptions import ObjectNotFound
+from dataall.base.db import exceptions
 from dataall.modules.s3_datasets.aws.glue_profiler_client import GlueDatasetProfilerClient
 from dataall.modules.s3_datasets.aws.s3_profiler_client import S3ProfilerClient
 from dataall.modules.s3_datasets.db.dataset_profiling_repositories import DatasetProfilingRepository
@@ -102,12 +103,9 @@ def _check_preview_permissions_if_needed(session, table_uri):
         if (
             ConfidentialityClassification.get_confidentiality_level(dataset.confidentiality)
             != ConfidentialityClassification.Unclassified.value
-        ):
-            ResourcePolicyService.check_user_resource_permission(
-                session=session,
-                username=context.username,
-                groups=context.groups,
-                resource_uri=table.tableUri,
-                permission_name=PREVIEW_DATASET_TABLE,
+        ) and (dataset.SamlAdminGroupName not in context.groups and dataset.stewards not in context.groups):
+            raise exceptions.UnauthorizedOperation(
+                action='GET_TABLE_PROFILING_METRICS',
+                message='User is not authorized to view Profiling Metrics for Confidential datasets',
             )
         return True
diff --git a/backend/dataall/modules/s3_datasets/services/dataset_table_service.py b/backend/dataall/modules/s3_datasets/services/dataset_table_service.py
@@ -1,5 +1,6 @@
 import logging
 from dataall.base.context import get_context
+from dataall.base.db import exceptions
 from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
@@ -91,13 +92,10 @@ def preview(uri: str):
             if (
                 ConfidentialityClassification.get_confidentiality_level(dataset.confidentiality)
                 != ConfidentialityClassification.Unclassified.value
-            ):
-                ResourcePolicyService.check_user_resource_permission(
-                    session=session,
-                    username=context.username,
-                    groups=context.groups,
-                    resource_uri=table.tableUri,
-                    permission_name=PREVIEW_DATASET_TABLE,
+            ) and (dataset.SamlAdminGroupName not in context.groups and dataset.stewards not in context.groups):
+                raise exceptions.UnauthorizedOperation(
+                    action=PREVIEW_DATASET_TABLE,
+                    message='User is not authorized to Preview Table for Confidential datasets',
                 )
             env = EnvironmentService.get_environment_by_uri(session, dataset.environmentUri)
             return AthenaTableClient(env, table).get_table(dataset_uri=dataset.datasetUri)

diff --git a/tests/modules/dashboards/test_dashboards.py b/tests/modules/dashboards/test_dashboards.py
@@ -262,40 +262,6 @@ def test_request_dashboard_share(
     )
     assert len(response.data.searchDashboards['nodes']) == 0
 
-    response = client.query(
-        """
-        mutation shareDashboard($dashboardUri:String!, $principalId:String!){
-            shareDashboard(dashboardUri:$dashboardUri, principalId:$principalId){
-                shareUri
-                status
-            }
-        }
-        """,
-        dashboardUri=dashboard.dashboardUri,
-        principalId=group2.name,
-        username=user.username,
-        groups=[group.name],
-    )
-    assert response.data.shareDashboard.shareUri
-
-    response = client.query(
-        """
-        query searchDashboards($filter:DashboardFilter!){
-            searchDashboards(filter:$filter){
-                count
-                nodes{
-                    dashboardUri
-                    userRoleForDashboard
-                }
-            }
-        }
-        """,
-        filter={},
-        username=user2.username,
-        groups=[group2.name],
-    )
-    assert len(response.data.searchDashboards['nodes']) == 1
-
 
 def test_delete_dashboard(client, env_fixture, db, user, group, module_mocker, dashboard, patch_es):
     response = client.query(

diff --git a/tests/modules/s3_datasets/conftest.py b/tests/modules/s3_datasets/conftest.py
@@ -77,10 +77,6 @@ def factory(
                     description
                     owner
                     SamlAdminGroupName
-                    enableExpiration
-                    expirySetting
-                    expiryMinDuration
-                    expiryMaxDuration
                     restricted {
                       AwsAccountId
                       region