Add public write support

erwin-eiq · erwin-eiq · commit 349dd27ff7bf · 2022-10-11T09:15:09.000+02:00
diff --git a/opentaxii/cli/persistence.py b/opentaxii/cli/persistence.py
@@ -137,6 +137,9 @@ def add_collection():
     parser.add_argument(
         "--public", action="store_true", help="allow public read access"
     )
+    parser.add_argument(
+        "--public-write", action="store_true", help="allow public write access"
+    )
     parser.set_defaults(public=False)
 
     args = parser.parse_args()
@@ -147,6 +150,7 @@ def add_collection():
             description=args.description,
             alias=args.alias,
             is_public=args.public,
+            is_public_write=args.public_write,
         )
 
 
diff --git a/opentaxii/persistence/sqldb/api.py b/opentaxii/persistence/sqldb/api.py
@@ -647,6 +647,7 @@ def get_collections(self, api_root_id: str) -> List[entities.Collection]:
                 description=obj.description,
                 alias=obj.alias,
                 is_public=obj.is_public,
+                is_public_write=obj.is_public_write,
             )
             for obj in query.all()
         ]
@@ -678,6 +679,7 @@ def get_collection(
             description=obj.description,
             alias=obj.alias,
             is_public=obj.is_public,
+            is_public_write=obj.is_public_write,
         )
 
     def add_collection(
@@ -687,6 +689,7 @@ def add_collection(
         description: Optional[str] = None,
         alias: Optional[str] = None,
         is_public: bool = False,
+        is_public_write: bool = False,
     ) -> entities.Collection:
         """
         Add a new collection.
@@ -696,6 +699,7 @@ def add_collection(
         :param str description: [Optional] Description of the new collection
         :param str alias: [Optional] Alias of the new collection
         :param bool is_public: [Optional] Whether collection should be publicly readable
+        :param bool is_public_write: [Optional] Whether collection should be publicly writable
 
         :return: The added Collection entity.
         """
@@ -705,6 +709,7 @@ def add_collection(
             description=description,
             alias=alias,
             is_public=is_public,
+            is_public_write=is_public_write,
         )
         self.db.session.add(collection)
         self.db.session.commit()
@@ -716,6 +721,7 @@ def add_collection(
             description=collection.description,
             alias=collection.alias,
             is_public=collection.is_public,
+            is_public_write=collection.is_public_write,
         )
 
     def _objects_query(self, collection_id: str, ordered: bool) -> Query:
diff --git a/opentaxii/persistence/sqldb/taxii2models.py b/opentaxii/persistence/sqldb/taxii2models.py
@@ -126,6 +126,7 @@ class Collection(Base):
     description = sqlalchemy.Column(sqlalchemy.Text)
     alias = sqlalchemy.Column(sqlalchemy.String(100), nullable=True)
     is_public = sqlalchemy.Column(sqlalchemy.Boolean, nullable=False)
+    is_public_write = sqlalchemy.Column(sqlalchemy.Boolean, nullable=False)
 
     api_root = relationship("ApiRoot", back_populates="collections")
     objects = relationship("STIXObject", back_populates="collection")
diff --git a/opentaxii/server.py b/opentaxii/server.py
@@ -509,8 +509,19 @@ def api_root_handler(self, api_root_id):
             response["description"] = api_root.description
         return make_taxii2_response(response)
 
-    @register_handler(r"^/taxii2/(?P<api_root_id>[^/]+)/status/(?P<job_id>[^/]+)/$")
+    @register_handler(
+        r"^/taxii2/(?P<api_root_id>[^/]+)/status/(?P<job_id>[^/]+)/$",
+        handles_own_auth=True,
+    )
     def job_handler(self, api_root_id, job_id):
+        try:
+            api_root = self.persistence.get_api_root(api_root_id=api_root_id)
+        except DoesNotExistError:
+            if context.account is None:
+                raise Unauthorized()
+            raise NotFound()
+        if context.account is None and not api_root.is_public:
+            raise Unauthorized()
         try:
             job = self.persistence.get_job_and_details(
                 api_root_id=api_root_id, job_id=job_id
@@ -564,7 +575,10 @@ def collection_handler(self, api_root_id, collection_id_or_alias):
             if context.account is None:
                 raise Unauthorized()
             raise NotFound()
-        if context.account is None and not collection.can_read(context.account):
+        if context.account is None and not (
+            collection.can_read(context.account)
+            or collection.can_write(context.account)
+        ):
             raise Unauthorized()
         response = {
             "id": collection.id,
diff --git a/opentaxii/taxii2/entities.py b/opentaxii/taxii2/entities.py
@@ -39,6 +39,7 @@ class Collection(Entity):
     :param str description: human readable plain text description for this collection
     :param str alias: human readable collection name that can be used on systems to alias a collection id
     :param bool is_public: whether this is a publicly readable collection
+    :param bool is_public_write: whether this is a publicly writable collection
     """
 
     def __init__(
@@ -49,6 +50,7 @@ def __init__(
         description: str,
         alias: str,
         is_public: bool,
+        is_public_write: bool,
     ):
         """Initialize Collection."""
         self.id = id
@@ -57,6 +59,7 @@ def __init__(
         self.description = description
         self.alias = alias
         self.is_public = is_public
+        self.is_public_write = is_public_write
 
     def can_read(self, account: Optional[Account]):
         """Determine if `account` is allowed to read from this collection."""
@@ -69,8 +72,11 @@ def can_read(self, account: Optional[Account]):
 
     def can_write(self, account: Optional[Account]):
         """Determine if `account` is allowed to write to this collection."""
-        return account and (
-            account.is_admin or "write" in set(account.permissions.get(self.id, []))
+        return self.is_public_write or (
+            account
+            and (
+                account.is_admin or "write" in set(account.permissions.get(self.id, []))
+            )
         )
 
 
diff --git a/tests/taxii2/test_taxii2_collection.py b/tests/taxii2/test_taxii2_collection.py
@@ -205,18 +205,26 @@ def test_collection(
 
 
 @pytest.mark.parametrize("is_public", [True, False])
+@pytest.mark.parametrize("is_public_write", [True, False])
 @pytest.mark.parametrize("method", ["get", "post", "delete"])
 def test_collection_unauthenticated(
     client,
     method,
     is_public,
+    is_public_write,
 ):
     if is_public:
         collection_id = COLLECTIONS[6].id
         if method == "get":
             expected_status_code = 200
         else:
             expected_status_code = 405
+    elif is_public_write:
+        collection_id = COLLECTIONS[7].id
+        if method == "get":
+            expected_status_code = 200
+        else:
+            expected_status_code = 405
     else:
         collection_id = COLLECTIONS[0].id
         if method == "get":
@@ -241,14 +249,15 @@ def test_collection_unauthenticated(
 
 
 @pytest.mark.parametrize(
-    ["api_root_id", "title", "description", "alias", "is_public"],
+    ["api_root_id", "title", "description", "alias", "is_public", "is_public_write"],
     [
         pytest.param(
             API_ROOTS[0].id,  # api_root_id
             "my new collection",  # title
             None,  # description
             None,  # alias
             False,  # is_public
+            False,  # is_public_write
             id="api_root_id, title",
         ),
         pytest.param(
@@ -257,6 +266,7 @@ def test_collection_unauthenticated(
             "my description",  # description
             None,  # alias
             True,  # is_public
+            False,  # is_public_write
             id="api_root_id, title, description",
         ),
         pytest.param(
@@ -265,26 +275,29 @@ def test_collection_unauthenticated(
             "my description",  # description
             "my-alias",  # alias
             False,  # is_public
+            True,  # is_public_write
             id="api_root_id, title, description, alias",
         ),
     ],
 )
 def test_add_collection(
-    app, api_root_id, title, description, alias, is_public, db_api_roots, db_collections
+    app, api_root_id, title, description, alias, is_public, is_public_write, db_api_roots, db_collections
 ):
     collection = app.taxii_server.servers.taxii2.persistence.api.add_collection(
         api_root_id=api_root_id,
         title=title,
         description=description,
         alias=alias,
         is_public=is_public,
+        is_public_write=is_public_write,
     )
     assert collection.id is not None
     assert str(collection.api_root_id) == api_root_id
     assert collection.title == title
     assert collection.description == description
     assert collection.alias == alias
     assert collection.is_public == is_public
+    assert collection.is_public_write == is_public_write
     db_collection = (
         app.taxii_server.servers.taxii2.persistence.api.db.session.query(
             taxii2models.Collection
@@ -297,3 +310,4 @@ def test_add_collection(
     assert db_collection.description == description
     assert db_collection.alias == alias
     assert db_collection.is_public == is_public
+    assert db_collection.is_public_write == is_public_write
diff --git a/tests/taxii2/test_taxii2_collections.py b/tests/taxii2/test_taxii2_collections.py
@@ -87,6 +87,14 @@
                         "can_write": False,
                         "media_types": ["application/stix+json;version=2.1"],
                     },
+                    {
+                        "id": COLLECTIONS[7].id,
+                        "title": "7Publicwrite",
+                        "description": "public write description",
+                        "can_read": False,
+                        "can_write": True,
+                        "media_types": ["application/stix+json;version=2.1"],
+                    },
                 ]
             },
             id="good, first",
diff --git a/tests/taxii2/test_taxii2_objects.py b/tests/taxii2/test_taxii2_objects.py
@@ -1239,11 +1239,13 @@ def test_objects(
 
 
 @pytest.mark.parametrize("is_public", [True, False])
+@pytest.mark.parametrize("is_public_write", [True, False])
 @pytest.mark.parametrize("method", ["get", "post", "delete"])
 def test_objects_unauthenticated(
     client,
     method,
     is_public,
+    is_public_write,
 ):
     if is_public:
         collection_id = COLLECTIONS[6].id
@@ -1253,6 +1255,14 @@ def test_objects_unauthenticated(
             expected_status_code = 401
         else:
             expected_status_code = 405
+    elif is_public_write:
+        collection_id = COLLECTIONS[7].id
+        if method == "get":
+            expected_status_code = 401
+        elif method == "post":
+            expected_status_code = 202
+        else:
+            expected_status_code = 405
     else:
         collection_id = COLLECTIONS[0].id
         if method == "get":
@@ -1269,7 +1279,11 @@ def test_objects_unauthenticated(
         client.application.taxii_server.servers.taxii2.persistence.api,
         "get_collection",
         side_effect=GET_COLLECTION_MOCK,
-    ):
+    ), patch.object(
+        client.application.taxii_server.servers.taxii2.persistence.api,
+        "add_objects",
+        side_effect=ADD_OBJECTS_MOCK,
+    ) as add_objects_mock:
         kwargs = {
             "headers": {
                 "Accept": "application/taxii+json;version=2.1",
@@ -1302,3 +1316,11 @@ def test_objects_unauthenticated(
             **kwargs,
         )
     assert response.status_code == expected_status_code
+    if method == "post" and expected_status_code == 202:
+        add_objects_mock.assert_called_once_with(
+            api_root_id=API_ROOTS[0].id,
+            collection_id=COLLECTIONS[7].id,
+            objects=kwargs["json"]["objects"],
+        )
+    else:
+        add_objects_mock.assert_not_called()
diff --git a/tests/taxii2/test_taxii2_status.py b/tests/taxii2/test_taxii2_status.py
@@ -5,8 +5,9 @@
 import pytest
 from opentaxii.persistence.sqldb import taxii2models
 from opentaxii.taxii2.utils import taxii2_datetimeformat
-from tests.taxii2.utils import (API_ROOTS, GET_JOB_AND_DETAILS_MOCK, JOBS,
-                                config_noop, server_mapping_noop,
+from tests.taxii2.utils import (API_ROOTS, GET_API_ROOT_MOCK,
+                                GET_JOB_AND_DETAILS_MOCK, JOBS, config_noop,
+                                server_mapping_noop,
                                 server_mapping_remove_fields)
 
 
@@ -251,6 +252,10 @@ def test_status(
         authenticated_client.application.taxii_server.servers.taxii2.persistence.api,
         "get_api_roots",
         return_value=API_ROOTS,
+    ), patch.object(
+        authenticated_client.application.taxii_server.servers.taxii2.persistence.api,
+        "get_api_root",
+        side_effect=GET_API_ROOT_MOCK,
     ), patch.object(
         authenticated_client.application.taxii_server.servers.taxii2.persistence.api,
         "get_job_and_details",
@@ -278,14 +283,41 @@ def test_status(
     assert content == expected_content
 
 
+@pytest.mark.parametrize("is_public", [True, False])
 @pytest.mark.parametrize("method", ["get", "post", "delete"])
 def test_status_unauthenticated(
     client,
     method,
+    is_public,
 ):
-    func = getattr(client, method)
-    response = func(f"/taxii2/{API_ROOTS[0].id}/status/{JOBS[0].id}/")
-    assert response.status_code == 401
+    if is_public:
+        api_root_id = API_ROOTS[1].id
+        job_id = JOBS[2].id
+        if method == "get":
+            expected_status_code = 200
+        else:
+            expected_status_code = 405
+    else:
+        api_root_id = API_ROOTS[0].id
+        job_id = JOBS[0].id
+        if method == "get":
+            expected_status_code = 401
+        else:
+            expected_status_code = 405
+    with patch.object(
+        client.application.taxii_server.servers.taxii2.persistence.api,
+        "get_api_root",
+        side_effect=GET_API_ROOT_MOCK,
+    ), patch.object(
+        client.application.taxii_server.servers.taxii2.persistence.api,
+        "get_job_and_details",
+        side_effect=GET_JOB_AND_DETAILS_MOCK,
+    ):
+        func = getattr(client, method)
+        response = func(f"/taxii2/{api_root_id}/status/{job_id}/",
+            headers={"Accept": "application/taxii+json;version=2.1"},
+                        )
+    assert response.status_code == expected_status_code
 
 
 def test_job_cleanup(app, db_jobs):
diff --git a/tests/taxii2/utils.py b/tests/taxii2/utils.py
diff --git a/tests/test_cli.py b/tests/test_cli.py

Original file line number	Diff line number	Diff line change
`@@ -137,6 +137,9 @@ def add_collection():`
`137`	`137`	`parser.add_argument(`
`138`	`138`	`"--public", action="store_true", help="allow public read access"`
`139`	`139`	`)`
	`140`	`+ parser.add_argument(`
	`141`	`+ "--public-write", action="store_true", help="allow public write access"`
	`142`	`+ )`
`140`	`143`	`parser.set_defaults(public=False)`
`141`	`144`
`142`	`145`	`args = parser.parse_args()`
`@@ -147,6 +150,7 @@ def add_collection():`
`147`	`150`	`description=args.description,`
`148`	`151`	`alias=args.alias,`
`149`	`152`	`is_public=args.public,`
	`153`	`+ is_public_write=args.public_write,`
`150`	`154`	`)`
`151`	`155`
`152`	`156`
-Original file line number
+Diff line change
         "Read only description",
         None,
         False,
 +        False,
     ),
     Collection(
         str(uuid4()),
         "Write only description",
         None,
         False,
 +        False,
     ),
     Collection(
         str(uuid4()),
         "Read/Write description",
         None,
         False,
 +        False,
     ),
     Collection(
         str(uuid4()),
         "No permissions description",
         None,
         False,
 +        False,
     ),
 -    Collection(str(uuid4()), API_ROOTS[0].id, "4No description", "", None, False),
 +    Collection(str(uuid4()), API_ROOTS[0].id, "4No description", "", None, False, False),
     Collection(
         str(uuid4()),
         API_ROOTS[0].id,
         "5With alias",
         "With alias description",
         "this-is-an-alias",
         False,
 +        False,
     ),
     Collection(
         str(uuid4()),
         "public description",
         "",
         True,
 +        False,
 +    ),
 +    Collection(
 +        str(uuid4()),
 +        API_ROOTS[0].id,
 +        "7Publicwrite",
 +        "public write description",
 +        None,
 +        False,
 +        True,
     ),
+)
 STIX_OBJECTS = (
-Original file line number
+Diff line change
                 "description": None,
                 "alias": None,
                 "is_public": False,
 +                "is_public_write": False,
             },  # expected_call
             id="rootid, title only",
         ),
                 "description": "my description",
                 "alias": None,
                 "is_public": False,
 +                "is_public_write": False,
             },  # expected_call
             id="rootid, title, description",
         ),
                 "description": "my description",
                 "alias": "my-alias",
                 "is_public": False,
 +                "is_public_write": False,
             },  # expected_call
             id="rootid, title, description, alias",
         ),
                 "description": None,
                 "alias": None,
                 "is_public": True,
 +                "is_public_write": False,
             },  # expected_call
             id="rootid, titlei, public",
         ),
 +        pytest.param(
 +            ["-r", API_ROOTS[0].id, "-t", "my new collection", "--public-write"],  # argv
 +            False,  # raises
 +            None,  # message
 +            "",  # stdout
 +            "",  # stderr
 +            {
 +                "api_root_id": API_ROOTS[0].id,
 +                "title": "my new collection",
 +                "description": None,
 +                "alias": None,
 +                "is_public": False,
 +                "is_public_write": True,
 +            },  # expected_call
 +            id="rootid, titlei, publicwrite",
 +        ),
         pytest.param(
             ["-r", "fake-uuid", "-t", "my new collection"],  # argv
             SystemExit,  # raises
                     "[-d DESCRIPTION]",
                     "[-a ALIAS]",
                     "[--public]",
 +                    "[--public-write]",
                     ": error: argument -r/--rootid: invalid choice: 'fake-uuid'",
                     "(choose from WRAPPED_ROOTIDS)",
+                ]
                     "[-d DESCRIPTION]",
                     "[-a ALIAS]",
                     "[--public]",
 +                    "[--public-write]",
                     ": error: the following arguments are required: -r/--rootid, -t/--title",
+                ]
             ),