Beispiel #1
0
def testGettingAccessButDenyingAttributesOnSelf(extendedConfigDataBackend):
    backend = extendedConfigDataBackend

    configServer, depotServer, clients = fillBackendWithHosts(backend)
    createdHosts = list(depotServer) + list(clients) + [configServer]

    denyAttributes = set(['opsiHostKey', 'description'])
    backend = BackendAccessControl(backend=backend,
                                   username=configServer.id,
                                   password=configServer.opsiHostKey,
                                   acl=[[
                                       '.*',
                                       [{
                                           'type': u'opsi_depotserver',
                                           'ids': [],
                                           'denyAttributes': denyAttributes,
                                           'allowAttributes': []
                                       }, {
                                           'type': u'self',
                                           'ids': [],
                                           'denyAttributes': [],
                                           'allowAttributes': []
                                       }]
                                   ]])

    hosts = backend.host_getObjects()
    assert len(createdHosts) == len(hosts)

    for host in hosts:
        if host.id == configServer.id:
            assert configServer.opsiHostKey == host.opsiHostKey
        else:
            for attribute, value in host.toHash().items():
                if attribute in denyAttributes:
                    assert value is None
Beispiel #2
0
def testGettingAccessAndOnlyAllowingSomeAttributes(extendedConfigDataBackend):
    backend = extendedConfigDataBackend

    configServer, depotServer, clients = fillBackendWithHosts(backend)
    createdHosts = list(depotServer) + list(clients) + [configServer]

    allowAttributes = set(['type', 'id', 'description', 'notes'])
    backend = BackendAccessControl(backend=backend,
                                   username=configServer.id,
                                   password=configServer.opsiHostKey,
                                   acl=[[
                                       '.*',
                                       [{
                                           'type': u'opsi_depotserver',
                                           'ids': [],
                                           'denyAttributes': [],
                                           'allowAttributes': allowAttributes
                                       }]
                                   ]])

    hosts = backend.host_getObjects()
    assert len(createdHosts) == len(hosts)

    for host in hosts:
        for attribute, value in host.toHash().items():
            if attribute not in allowAttributes:
                assert value is None
Beispiel #3
0
def testGettingFullAccess(extendedConfigDataBackend):
    backend = extendedConfigDataBackend

    configServer, depotServer, clients = fillBackendWithHosts(backend)
    createdHosts = list(depotServer) + list(clients) + [configServer]

    backend = BackendAccessControl(backend=backend,
                                   username=configServer.id,
                                   password=configServer.opsiHostKey,
                                   acl=[[
                                       '.*',
                                       [{
                                           'type': u'opsi_depotserver',
                                           'ids': [],
                                           'denyAttributes': [],
                                           'allowAttributes': []
                                       }]
                                   ]])

    hosts = backend.host_getObjects()
    assert len(createdHosts) == len(hosts)

    for host in hosts:
        for h in createdHosts:
            if h.id != host.id:
                continue

            assert h.opsiHostKey == host.opsiHostKey
Beispiel #4
0
def testDenyingAttributes(extendedConfigDataBackend):
    """
    Access to attributes can be denied.

    In this case the backend can only access its own opsiHostKey and
    for other clients no value is given.
    """
    backend = extendedConfigDataBackend
    _, _, clients = fillBackendWithHosts(backend)

    client1 = clients[0]

    backendAccessControl = BackendAccessControl(username=client1.id,
                                                password=client1.opsiHostKey,
                                                backend=backend,
                                                acl=[
                                                    [
                                                        'host_getObjects',
                                                        [{
                                                            'type': u'self',
                                                            'ids': [],
                                                            'denyAttributes':
                                                            [],
                                                            'allowAttributes':
                                                            []
                                                        }]
                                                    ],
                                                    [
                                                        'host_getObjects',
                                                        [{
                                                            'type':
                                                            u'opsi_client',
                                                            'ids': [],
                                                            'denyAttributes':
                                                            ['opsiHostKey'],
                                                            'allowAttributes':
                                                            []
                                                        }]
                                                    ],
                                                ])

    for host in backendAccessControl.host_getObjects():
        if host.id == client1.id:
            assert host.opsiHostKey == client1.opsiHostKey
        else:
            assert host.opsiHostKey is None
Beispiel #5
0
def testAccessingSelfProductOnClients(extendedConfigDataBackend):
    dataBackend = extendedConfigDataBackend

    configServer, depotServer, clients = fillBackendWithHosts(dataBackend)
    products = fillBackendWithProducts(dataBackend)
    productOnClients = fillBackendWithProductOnClients(dataBackend, products,
                                                       clients)

    for client in clients:
        if client.id == productOnClients[0].clientId:
            break
    else:
        raise RuntimeError("Missing client!")

    backend = BackendAccessControl(backend=dataBackend,
                                   username=client.id,
                                   password=client.opsiHostKey,
                                   acl=[[
                                       '.*',
                                       [{
                                           'type': u'self',
                                           'ids': [],
                                           'denyAttributes': [],
                                           'allowAttributes': []
                                       }]
                                   ]])

    productOnClients = backend.productOnClient_getObjects()
    for productOnClient in productOnClients:
        assert client.id == productOnClient.clientId, u"Expected client id %s in productOnClient, but got client id '%s'" % (
            client.id, productOnClient.clientId)

    for c in clients:
        if client.id != c.id:
            otherClientId = c.id
            break
    else:
        raise RuntimeError("Failed to get different clientID.")

    productOnClient = productOnClients[0].clone()
    productOnClient.clientId = otherClientId

    with pytest.raises(Exception):
        backend.productOnClient_updateObjects(productOnClient)
Beispiel #6
0
def testOnlyAccessingSelfIsPossible(extendedConfigDataBackend):
    backend = extendedConfigDataBackend

    configServer, _, _ = fillBackendWithHosts(backend)

    backend = BackendAccessControl(backend=backend,
                                   username=configServer.id,
                                   password=configServer.opsiHostKey,
                                   acl=[[
                                       '.*',
                                       [{
                                           'type': u'self',
                                           'ids': [],
                                           'denyAttributes': [],
                                           'allowAttributes': []
                                       }]
                                   ]])

    hosts = backend.host_getObjects()
    assert 1 == len(hosts)
Beispiel #7
0
def testAllowingMethodsForSpecificClient(extendedConfigDataBackend):
    """
    Access to methods can be limited to specific clients.

    In this example client1 can access host_getObjects but not
    config_getObjects.
    """
    backend = extendedConfigDataBackend
    _, _, clients = fillBackendWithHosts(backend)

    client1, client2 = clients[:2]

    backendAccessControl = BackendAccessControl(
        username=client1.id,
        password=client1.opsiHostKey,
        backend=backend,
        acl=[
            [
                'host_getObjects',
                [{
                    'type': u'opsi_client',
                    'ids': [client1.id],
                    'denyAttributes': [],
                    'allowAttributes': []
                }]
            ],
            [
                'config_getObjects',
                [{
                    'type': u'opsi_client',
                    'ids': [client2.id],
                    'denyAttributes': [],
                    'allowAttributes': []
                }]
            ],
        ])

    backendAccessControl.host_getObjects()

    with pytest.raises(BackendPermissionDeniedError):
        backendAccessControl.config_getObjects()
Beispiel #8
0
def testDenyingAccessToOtherObjects(extendedConfigDataBackend):
    """
    It must be possible to deny access to foreign objects.

    In this test we first make sure that the access to productOnClient_create
    is possible for the object accessing the backend.
    After that we test the same referencing another object which we
    want to fail.
    """
    backend = extendedConfigDataBackend

    serverFqdn = forceHostId(getfqdn())  # using local FQDN
    depotserver1 = {
        "isMasterDepot": True,
        "type": "OpsiConfigserver",
        "id": serverFqdn,
    }

    backend.host_createObjects(depotserver1)

    clients = getClients()
    backend.host_createObjects(clients)
    client1 = clients[0]
    client2 = clients[1]

    products = getProducts()
    backend.product_createObjects(products)

    product1 = products[0]

    backend.config_createObjects([{
        "id": u'clientconfig.depot.id',
        "type": "UnicodeConfig",
    }])
    backend.configState_create(u'clientconfig.depot.id',
                               client1.getId(),
                               values=[depotserver1['id']])

    productOnDepot1 = OPSI.Object.ProductOnDepot(
        productId=product1.getId(),
        productType=product1.getType(),
        productVersion=product1.getProductVersion(),
        packageVersion=product1.getPackageVersion(),
        depotId=depotserver1['id'],
        locked=False)

    backend.productOnDepot_createObjects([productOnDepot1])

    backendAccessControl = BackendAccessControl(
        username=client1.id,
        password=client1.opsiHostKey,
        backend=backend,
        acl=[
            [
                'productOnClient_create',
                [{
                    'type': u'self',
                    'ids': [],
                    'denyAttributes': [],
                    'allowAttributes': []
                }]
            ],
        ])

    backendAccessControl.productOnClient_create(productId=product1.id,
                                                productType=product1.getType(),
                                                clientId=client1.id,
                                                installationStatus='installed')

    with pytest.raises(Exception):
        backendAccessControl.productOnClient_create(
            productId=product1.id,
            productType=product1.getType(),
            clientId=client2.id,  # here is the difference
            installationStatus='installed')