def test_check_make_public_block(self):
# 1. Already public.
brl_master = BRLBlock("goku/goku/block/master")
bper_master = ElementPermissions(brl_master, private=False)
self.store.upsert_block_permissions(bper_master)
# 2. Bulma cant make it public even its already public
ensure = Security("bulma", self.store)
self._subscribe("bulma", "enterprise_275_50_x")
self.assertRaises(ForbiddenException, ensure.check_make_private_a_block, "goku")
# 3. Now block is public, so bulma cant make it public
bper_master = ElementPermissions(brl_master, private=True)
self.store.upsert_block_permissions(bper_master)
self.assertRaises(ForbiddenException, ensure.check_make_public_a_block, "goku")
# 4. Grant read and write, and bulma still cant make it public
bper_master.read.grant("bulma")
bper_master.write.grant("bulma")
self.store.upsert_block_permissions(bper_master)
self.assertRaises(ForbiddenException, ensure.check_make_public_a_block, "goku")
# 5. Make bulma an admin, now bulma can make it public
goku = self.store.read_user("goku")
goku.administrators.grant("bulma")
self.store.update_user(goku)
ensure.check_make_public_a_block("goku")
# 5. Bulma can make public the block even when suscription is not active
self._subscribe("bulma", "free")
goku = self.store.read_user("goku")
self.store.update_user(goku)
ensure.check_make_public_a_block("goku")
def test_delete_block(self):
# First create master block permissions. Public
brl = BRLBlock("goku/goku/block/master")
bper_master = ElementPermissions(brl, private=True)
self.store.upsert_block_permissions(bper_master)
# 1. Owner can always delete a private block, even if i am not paying
ensure = Security("goku", self.store)
self._subscribe("goku", "enterprise_275_50_x")
ensure.check_delete_block(brl)
self._subscribe("freezer", "free")
ensure.check_delete_block(brl)
# 2. Other user can't delete block
ensure = Security("freezer", self.store)
self._subscribe("freezer", "enterprise_275_50_x")
self.assertRaises(ForbiddenException, ensure.check_delete_block, brl)
# 3. A user with read and write permissions cant delete
ensure = Security("bulma", self.store)
bper = ElementPermissions(brl, private=True)
bper.write.grant("bulma")
bper.read.grant("bulma")
self.store.upsert_block_permissions(bper)
self.assertRaises(ForbiddenException, ensure.check_delete_block, brl)
# 3. But an admin user can delete it
goku = self.store.read_user("goku")
goku.administrators.grant("bulma")
self.store.update_user(goku)
ensure.check_delete_block(brl)
def test_element_permissions(self):
elem = ElementPermissions(BRLBlock("user/user/block/master"), True)
elem.read.grant("pepe")
elem.write.grant("juan")
serial = elem.serialize()
deserial = ElementPermissions.deserialize(serial)
self.assertEqual(elem, deserial)
def test_element_permissions(self):
elem = ElementPermissions(BRLBlock("user/user/block/master"), True)
elem.read.grant("pepe")
elem.write.grant("juan")
serial = elem.serialize()
deserial = ElementPermissions.deserialize(serial)
self.assertEqual(elem, deserial)
def test_check_publish_block(self):
# 1. Onwer can write the block if its private
brl = BRLBlock("goku/goku/block/master")
self._add_block_to_user("goku", brl, True)
ensure = Security("goku", self.store)
self._subscribe("goku", "enterprise_275_50_x")
pack = PublishRequest(BlockVersion(brl, -1))
pack.cells.append(SimpleCell('user/block/r1.h'))
pack.contents['r1.h'] = Content(id_=None, load=Blob('hola'))
pack.versiontag = 'mytag'
ensure.check_publish_block(brl, pack)
# If the owner is not paying he can't write
ensure = Security("goku", self.store)
self._subscribe("goku", "free")
self.assertRaises(ForbiddenException, ensure.check_publish_block, brl, pack)
self._subscribe("goku", "enterprise_275_50_x")
# 1b. But other not granted user can't write
ensure = Security("freezer", self.store)
self._subscribe("freezer", "enterprise_275_50_x")
self.assertRaises(ForbiddenException, ensure.check_publish_block, brl, pack)
# 2. If bulma is granted as administrator or write he can write
ensure = Security("bulma", self.store)
self._subscribe("bulma", "enterprise_275_50_x")
goku = self.store.read_user("goku")
goku.administrators.grant("bulma")
self.store.update_user(goku)
ensure.check_publish_block(brl, pack)
goku.administrators.revoke("bulma")
self.store.update_user(goku)
self.assertRaises(ForbiddenException, ensure.check_publish_block, brl, pack)
bper = ElementPermissions(brl, private=True)
bper.write.grant("bulma")
self.store.upsert_block_permissions(bper)
ensure.check_publish_block(brl, pack)
bper.write.remove("bulma")
self.store.upsert_block_permissions(bper)
self.assertRaises(ForbiddenException, ensure.check_publish_block, brl, pack)
# 3. If we give read permissions only, user cant write
bper = ElementPermissions(brl, private=True)
bper.read.grant("bulma")
self.store.upsert_block_permissions(bper)
self.assertRaises(ForbiddenException, ensure.check_publish_block, brl, pack)
def test_read_block(self):
# 1. Check we can always access a public block
brl = BRLBlock("goku/goku/block/master")
bper = ElementPermissions(brl, private=False)
self.store.upsert_block_permissions(bper)
ensure = Security("freezer", self.store)
self._subscribe("freezer", "enterprise_275_50_x")
ensure.check_read_block(brl)
# Even owner is not paying
self._subscribe("freezer", "free")
ensure.check_read_block(brl)
self._subscribe("freezer", "enterprise_275_50_x")
# 2. Check we can read a private block due to being the owner
bper = ElementPermissions(brl, private=True)
self.store.upsert_block_permissions(bper)
ensure = Security("goku", self.store)
self._subscribe("freezer", "enterprise_275_50_x")
ensure.check_read_block(brl)
# 4. Check we can read the block even subscription is not valid
self._subscribe("freezer", "free")
ensure.check_read_block(brl)
# 5. A user without read permissions cant read the block
ensure = Security("bulma", self.store)
self._subscribe("bulma", "enterprise_275_50_x")
self.assertRaises(ForbiddenException, ensure.check_read_block, brl)
# 6. Until is granted as administrator or read granted
goku = self.store.read_user("goku")
goku.administrators.grant("bulma")
self.store.update_user(goku)
ensure.check_read_block(brl)
goku.administrators.revoke("bulma")
self.store.update_user(goku)
self.assertRaises(ForbiddenException, ensure.check_read_block, brl)
bper = ElementPermissions(brl, private=True)
bper.read.grant("bulma")
self.store.upsert_block_permissions(bper)
ensure.check_read_block(brl)
bper.read.remove("bulma")
self.store.upsert_block_permissions(bper)
self.assertRaises(ForbiddenException, ensure.check_read_block, brl)
def test_create_block(self):
brl = BRLBlock("goku/goku/block/master")
# Always can make a block if its public
ensure = Security("goku", self.store)
self._subscribe("goku", "free")
ensure.check_create_block(brl.owner, private=False)
# Only can make a private block if subscription is ok
self.assertRaises(ForbiddenException, ensure.check_create_block, brl.owner, private=True)
self._subscribe("goku", "enterprise_275_50_x")
ensure.check_create_block(brl.owner, private=True)
# Other user can create a block in my namespace if its an admin, not write and read is enought
ensure = Security("bulma", self.store)
self._subscribe("bulma", "enterprise_275_50_x")
self.assertRaises(ForbiddenException, ensure.check_create_block, brl.owner, private=True)
bper = ElementPermissions(brl.owner, private=True)
bper.write.grant("bulma")
bper.read.grant("bulma")
self.store.upsert_block_permissions(bper)
self.assertRaises(ForbiddenException, ensure.check_create_block, brl.owner, private=True)
# 3. But an admin user can delete it
goku = self.store.read_user("goku")
goku.administrators.grant("bulma")
self.store.update_user(goku)
ensure.check_create_block(brl.owner, private=True)
ensure.check_create_block(brl.owner, private=False)
def test_publish_dev_with_tag(self, enqueuer):
brl = BRLBlock('owner/user/block/branch')
store = Mock(MongoServerStore)
store.read_block_permissions = Mock(
return_value=ElementPermissions(brl, private=False))
user = Mock()
user.blocks = {}
store.read_user = Mock(return_value=user)
block = Mock(Block)
block.add_publication.return_value = (['mock_id'], [], [], [])
block.deltas = []
ensure = Security('authUser', store)
ensure.check_read_block = Mock(return_value=True)
ensure.check_create_block = Mock(return_value=True)
ensure.check_write_block = Mock(return_value=True)
ensure.check_publish_block = Mock(return_value=True)
store.read_block.return_value = block
store.read_published_cells.return_value = {}
p = PublishService(store, 'authUser')
p.security = ensure
pack = PublishRequest(BlockVersion(brl, -1))
pack.cells.append(SimpleCell('user/block/r1.h'))
pack.deptable = BlockVersionTable()
p.publish(pack)
def get_version_info_test(self):
store = Mock(GenericServerStore)
# Block doesn't exist and user is other
p = PublishService(store, 'any_user')
block_brl = BRLBlock("user/user/theblock/master")
store.read_block_permissions = Mock(side_effect=NotInStoreException())
block_info = p.get_block_info(block_brl)
self.assertFalse(block_info.can_write)
# Now block exists
store.read_block_permissions = Mock(
return_value=ElementPermissions(block_brl))
# Block exists and user is the authorized one
p = PublishService(store, 'theuser')
block_brl = BRLBlock("theuser/theuser/theblock/master")
block_info = p.get_block_info(block_brl)
self.assertTrue(block_info.can_write)
# No authorized write to an existing block
p = PublishService(store, 'wronguser')
user = Mock(User)
user.administrators = Permissions()
store.read_user = Mock(return_value=user)
block_info = p.get_block_info(block_brl)
self.assertFalse(block_info.can_write)
# Authorized user with an existing block
p = PublishService(store, 'theuser')
block_brl = BRLBlock("theuser/theuser/theblock/master")
block_info = p.get_block_info(block_brl)
self.assertTrue(block_info.can_write)
def test_grant(self):
perm = ElementPermissions(1, True)
self.assertFalse(perm.read.is_granted("espartaco"))
perm.read.grant("espartaco")
self.assertTrue(perm.read.is_granted("espartaco"))
self.assertFalse(perm.write.is_granted("espartaco"))
perm.read.grant("tiopepe")
perm.write.grant("tiopepe")
self.assertTrue(perm.write.is_granted("tiopepe"))
self.assertTrue(perm.read.is_granted("tiopepe"))
perm = ElementPermissions(1, True)
perm.read.grant("espartaco")
self.assertTrue(perm.read.is_granted("espartaco"))
self.assertFalse(perm.write.is_granted("espartaco"))
perm.read.revoke("espartaco")
self.assertFalse(perm.read.is_granted("espartaco"))
self.assertFalse(perm.write.is_granted("espartaco"))
#Revoke read, revoke all
perm.write.grant("espartaco")
perm.read.grant("espartaco")
self.assertTrue(perm.read.is_granted("espartaco"))
self.assertTrue(perm.write.is_granted("espartaco"))
perm.read.revoke("espartaco")
self.assertFalse(perm.read.is_granted("espartaco"))
self.assertTrue(perm.write.is_granted("espartaco"))
#Revoke write, keep read
perm.read.grant("espartaco")
perm.write.revoke("espartaco")
self.assertTrue(perm.read.is_granted("espartaco"))
self.assertFalse(perm.write.is_granted("espartaco"))
perm.write.revoke("espartaco")
self.assertTrue(perm.read.is_granted("espartaco"))
self.assertFalse(perm.write.is_granted("espartaco"))
#Revoke read and write
perm.write.grant("espartaco")
self.assertTrue(perm.read.is_granted("espartaco"))
self.assertTrue(perm.write.is_granted("espartaco"))
perm.write.revoke("espartaco")
perm.read.revoke("espartaco")
self.assertFalse(perm.read.is_granted("espartaco"))
self.assertFalse(perm.write.is_granted("espartaco"))
def _add_block_to_user(self, brl_user, brl_block, private):
brl_block = BRLBlock(brl_block)
user = self.store.read_user(brl_user)
user.add_block(brl_block)
self.store.update_user(user)
bper_master = ElementPermissions(brl_block, private)
self.store.upsert_block_permissions(bper_master)
def test_write_block(self):
# 1. Onwer can write the block if its private
brl = BRLBlock("goku/goku/block/master")
self._add_block_to_user("goku", brl, True)
ensure = Security("goku", self.store)
self._subscribe("goku", "enterprise_275_50_x")
ensure.check_write_block(brl)
# If the owner is not paying he can't write
ensure = Security("goku", self.store)
self._subscribe("goku", "free")
self.assertRaises(ForbiddenException, ensure.check_write_block, brl)
self._subscribe("goku", "enterprise_275_50_x")
# 1b. But other not granted user can't write
ensure = Security("freezer", self.store)
self._subscribe("freezer", "enterprise_275_50_x")
self.assertRaises(ForbiddenException, ensure.check_write_block, brl)
# 2. If bulma is granted as administrator or write he can write
ensure = Security("bulma", self.store)
self._subscribe("bulma", "enterprise_275_50_x")
goku = self.store.read_user("goku")
goku.administrators.grant("bulma")
self.store.update_user(goku)
ensure.check_write_block(brl)
goku.administrators.revoke("bulma")
self.store.update_user(goku)
self.assertRaises(ForbiddenException, ensure.check_write_block, brl)
bper = ElementPermissions(brl, private=True)
bper.write.grant("bulma")
self.store.upsert_block_permissions(bper)
ensure.check_write_block(brl)
bper.write.remove("bulma")
self.store.upsert_block_permissions(bper)
self.assertRaises(ForbiddenException, ensure.check_write_block, brl)
# 3. If we give read permissions only, user cant write
bper = ElementPermissions(brl, private=True)
bper.read.grant("bulma")
self.store.upsert_block_permissions(bper)
self.assertRaises(ForbiddenException, ensure.check_write_block, brl)
def test_publish_no_contents(self, enqueuer):
brl = BRLBlock('owner/user/block/branch')
store = Mock(MongoServerStore)
store.read_block_permissions = Mock(
return_value=ElementPermissions(brl, private=False))
p = PublishService(store, 'authUser')
pack = PublishRequest(BlockVersion(brl, -1))
pack.cells.append(SimpleCell('user/block/r1.h'))
pack.contents['r1.h'] = Content(id_=None, load=Blob('hola'))
pack.versiontag = 'mytag'
with self.assertRaisesRegexp(PublishException, 'DEV'):
p.publish(pack)
def test_equals(self):
perm1 = ElementPermissions(1, True)
perm2 = ElementPermissions(1, False)
self.assertNotEqual(perm1, perm2)
perm1.is_private = False
perm1.read.grant(BRLUser("laso"))
perm2.read.grant(BRLUser("laso"))
self.assertEqual(perm1, perm2)
perm1.read.grant(BRLUser("laso2"))
perm2.read.grant(BRLUser("laso3"))
self.assertNotEqual(perm1, perm2)
perm1.read.grant(BRLUser("laso3"))
perm2.read.grant(BRLUser("laso2"))
self.assertEqual(perm1, perm2)
perm1.write.grant(BRLUser("laso"))
self.assertNotEqual(perm1, perm2)
perm2.write.grant(BRLUser("laso"))
self.assertEqual(perm1, perm2)
def test_equals(self):
perm1 = ElementPermissions(1, True)
perm2 = ElementPermissions(1, False)
self.assertNotEqual(perm1, perm2)
perm1.is_private = False
perm1.read.grant(BRLUser("laso"))
perm2.read.grant(BRLUser("laso"))
self.assertEqual(perm1, perm2)
perm1.read.grant(BRLUser("laso2"))
perm2.read.grant(BRLUser("laso3"))
self.assertNotEqual(perm1, perm2)
perm1.read.grant(BRLUser("laso3"))
perm2.read.grant(BRLUser("laso2"))
self.assertEqual(perm1, perm2)
perm1.write.grant(BRLUser("laso"))
self.assertNotEqual(perm1, perm2)
perm2.write.grant(BRLUser("laso"))
self.assertEqual(perm1, perm2)
def setUp(self):
unittest.TestCase.setUp(self)
self.store = TestingMemServerStore()
self.store.create_user(User("goku"))
self.store.create_user(User("krilin"))
self.store.create_user(User("freezer"))
self.store.create_user(User("bulma"))
self.public_brl = BRLBlock("goku/goku/block/ballno1")
bper = ElementPermissions(self.public_brl, private=False)
self.store.upsert_block_permissions(bper)
goku = self.store.read_user("goku")
goku.add_block(self.public_brl)
self.store.update_user(goku)
def test_update_permissions(self):
myblock = self.mother.make_block(self.user)
# Check default permissions
access = self.store.read_block_permissions(myblock.ID)
perm = ElementPermissions(False)
self.assertTrue(access, perm)
# Update permissions
access.read.grant("pepe")
access.read.grant("jaunito")
access.write.grant("jaunito")
self.store.update_block_permissions(access)
perms = self.store.read_block_permissions(myblock.ID)
self.assertTrue(perms.read.is_granted("pepe"))
self.assertFalse(perms.write.is_granted("pepe"))
self.assertTrue(perms.read.is_granted("jaunito"))
self.assertTrue(perms.write.is_granted("jaunito"))
def test_publish(self, enqueuer):
brl = BRLBlock('owner/user/block/branch')
# moduleID=BlockID(UserID(123),456)
store = Mock(MongoServerStore)
store.read_block_permissions = Mock(
return_value=ElementPermissions(brl, private=False))
user = User("owner")
user.numeric_id = 1
user.blocks = {}
store.read_user = Mock(return_value=user)
block = Mock(Block)
block.last_version.return_value = Mock(BlockVersion)
block.add_publication.return_value = (Mock(list), Mock(list),
Mock(list), Mock(list))
block.deltas = []
ensure = Security('authUser', store)
ensure.check_create_block = Mock(return_value=True)
ensure.check_write_block = Mock(return_value=True)
ensure.check_read_block = Mock(return_value=True)
store.read_block.return_value = block
store.read_published_cells.return_value = {}
p = PublishService(store, 'authUser')
p.security = ensure
pack = PublishRequest(BlockVersion(brl, -1))
pack.cells.append(SimpleCell('user/block/r1.h'))
pack.contents['r1.h'] = Content(id_=None, load=Blob('hola'))
pack.cells.append(SimpleCell('user/block/r2.h'))
pack.contents['r2.h'] = Content(id_=None, load=Blob('hola'))
pack.cells.append(SimpleCell('user/block/r3.h'))
pack.contents['r3.h'] = Content(id_=None, load=Blob('hola'))
pack.deptable = BlockVersionTable()
p.publish(pack)
block.add_publication.assert_called_once_with(pack, p.auth_user)
store.update_block.assert_called_once_with(block)
self.assertEqual(1, store.create_published_cells.call_count)
self.assertEqual(1, store.create_published_contents.call_count)
# Check sizes
self.assertEquals(user.blocks_bytes, 12) # 12 bytes "hola" * 3
# Publish again, see the size incremented
pack._bytes = None # Lazy computed
p.publish(pack)
self.assertEquals(user.blocks_bytes,
24) # 24 bytes: "hola" * 3 * 2 publications
# Max size exceeded for user
user.max_workspace_size = 25
self.assertRaises(ForbiddenException, p.publish, pack)
# Try to publish only 1 byte
pack._bytes = None # Lazy computed
pack.cells = []
pack.contents = {}
pack.cells.append(SimpleCell('user/block/r1.h'))
pack.contents['r1.h'] = Content(id_=None, load=Blob('h'))
p.publish(pack)
def create_block(self, value, private=False):
'''Insert a block. Value is a Block instance'''
# Create default permissions
self.create(ElementPermissions(value.ID, private),
GenericServerStore.BLOCK_PERMISSIONS_ST)
return self.create(value, GenericServerStore.BLOCK_ST)
