chore: unit tests for catalog_access (apache#28406)

xyb · May 9, 2024 · ba2cf5d · ba2cf5d
1 parent de1ae2b
commit ba2cf5d
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/tests/unit_tests/security/manager_test.py b/tests/unit_tests/security/manager_test.py
@@ -561,3 +561,51 @@ def test_get_schema_perm() -> None:
     )
     assert sm.get_schema_perm("my_db", None, None) is None
     assert sm.get_schema_perm("my_db", "my_catalog", None) is None
+
+
+def test_raise_for_access_catalog(
+    mocker: MockFixture,
+    app_context: None,
+) -> None:
+    """
+    Test catalog-level permissions.
+    """
+    sm = SupersetSecurityManager(appbuilder)
+    mocker.patch.object(sm, "can_access_database", return_value=False)
+    mocker.patch.object(
+        sm,
+        "get_catalog_perm",
+        return_value="[PostgreSQL].[db1].[public]",
+    )
+    mocker.patch.object(sm, "is_guest_user", return_value=False)
+    SqlaTable = mocker.patch("superset.connectors.sqla.models.SqlaTable")
+    SqlaTable.query_datasources_by_name.return_value = []
+
+    database = mocker.MagicMock()
+    database.get_default_catalog.return_value = "db1"
+    database.get_default_schema_for_query.return_value = "public"
+    query = mocker.MagicMock()
+    query.database = database
+    query.sql = "SELECT * FROM ab_user"
+
+    can_access = mocker.patch.object(sm, "can_access", return_value=True)
+    sm.raise_for_access(query=query)
+    can_access.assert_called_with("catalog_access", "[PostgreSQL].[db1].[public]")
+
+    mocker.patch.object(sm, "can_access", return_value=False)
+    with pytest.raises(SupersetSecurityException) as excinfo:
+        sm.raise_for_access(query=query)
+    assert (
+        str(excinfo.value)
+        == """You need access to the following tables: `db1.public.ab_user`,
+            `all_database_access` or `all_datasource_access` permission"""
+    )
+
+    query.sql = "SELECT * FROM db2.public.ab_user"
+    with pytest.raises(SupersetSecurityException) as excinfo:
+        sm.raise_for_access(query=query)
+    assert (
+        str(excinfo.value)
+        == """You need access to the following tables: `db2.public.ab_user`,
+            `all_database_access` or `all_datasource_access` permission"""
+    )