def test_has_permission_immediate_params(self):
subrole = arbitrary.role()
superrole1 = arbitrary.role(parameters=set(['one']))
arbitrary.grant(to_role=superrole1, from_role=subrole, assignment=dict(one='foo'))
self.assertTrue(subrole.instantiate({}).has_privilege(superrole1.instantiate(dict(one='foo'))))
self.assertFalse(subrole.instantiate({}).has_privilege(superrole1.instantiate(dict(one='baz'))))
def test_has_permission_immediate_params(self):
subrole = arbitrary.role()
superrole1 = arbitrary.role(parameters=set(['one']))
arbitrary.grant(to_role=superrole1, from_role=subrole, assignment=dict(one='foo'))
self.assertTrue(subrole.instantiate({}).has_privilege(superrole1.instantiate(dict(one='foo'))))
self.assertFalse(subrole.instantiate({}).has_privilege(superrole1.instantiate(dict(one='baz'))))
def test_user_role_integration(self):
"""
Basic smoke test of integration of PRBAC with django.contrib.auth
"""
user = arbitrary.user()
role = arbitrary.role()
priv = arbitrary.role()
arbitrary.grant(from_role=role, to_role=priv)
user_role = arbitrary.user_role(user=user, role=role)
self.assertEqual(user.prbac_role, user_role)
self.assertTrue(user.prbac_role.has_privilege(role))
self.assertTrue(user.prbac_role.has_privilege(priv))
def test_user_role_integration(self):
"""
Basic smoke test of integration of PRBAC with django.contrib.auth
"""
user = arbitrary.user()
role = arbitrary.role()
priv = arbitrary.role()
arbitrary.grant(from_role=role, to_role=priv)
user_role = arbitrary.user_role(user=user, role=role)
self.assertEqual(user.prbac_role, user_role)
self.assertTrue(user.prbac_role.has_privilege(role))
self.assertTrue(user.prbac_role.has_privilege(priv))
def test_has_permission_far_transitive_no_params(self):
subrole = arbitrary.role()
superrole1 = arbitrary.role()
superrole2 = arbitrary.role()
midroles = [arbitrary.role() for __ in range(0, 10)]
arbitrary.grant(subrole, midroles[0])
arbitrary.grant(midroles[-1], superrole1)
# Link up all roles in the list that are adjacent
for midsubrole, midsuperrole in zip(midroles[:-1], midroles[1:]):
arbitrary.grant(from_role=midsubrole, to_role=midsuperrole)
self.assertTrue(subrole.instantiate({}).has_privilege(superrole1.instantiate({})))
self.assertFalse(subrole.instantiate({}).has_privilege(superrole2.instantiate({})))
def test_has_permission_immediate_no_params(self):
subrole = arbitrary.role()
superrole1 = arbitrary.role()
superrole2 = arbitrary.role()
arbitrary.grant(to_role=superrole1, from_role=subrole)
# A few ways of saying the same thing
self.assertTrue(subrole.instantiate({}).has_privilege(superrole1.instantiate({})))
self.assertTrue(subrole.has_privilege(superrole1.instantiate({})))
self.assertTrue(subrole.instantiate({}).has_privilege(superrole1))
self.assertTrue(subrole.has_privilege(superrole1))
self.assertFalse(subrole.instantiate({}).has_privilege(superrole2.instantiate({})))
self.assertFalse(subrole.has_privilege(superrole2.instantiate({})))
self.assertFalse(subrole.instantiate({}).has_privilege(superrole2))
self.assertFalse(subrole.has_privilege(superrole2))
def test_has_permission_far_transitive_no_params(self):
subrole = arbitrary.role()
superrole1 = arbitrary.role()
superrole2 = arbitrary.role()
midroles = [arbitrary.role() for __ in range(0, 10)]
arbitrary.grant(subrole, midroles[0])
arbitrary.grant(midroles[-1], superrole1)
# Link up all roles in the list that are adjacent
for midsubrole, midsuperrole in zip(midroles[:-1], midroles[1:]):
arbitrary.grant(from_role=midsubrole, to_role=midsuperrole)
self.assertTrue(subrole.instantiate({}).has_privilege(superrole1.instantiate({})))
self.assertFalse(subrole.instantiate({}).has_privilege(superrole2.instantiate({})))
def test_has_permission_immediate_no_params(self):
subrole = arbitrary.role()
superrole1 = arbitrary.role()
superrole2 = arbitrary.role()
arbitrary.grant(to_role=superrole1, from_role=subrole)
# A few ways of saying the same thing
self.assertTrue(subrole.instantiate({}).has_privilege(superrole1.instantiate({})))
self.assertTrue(subrole.has_privilege(superrole1.instantiate({})))
self.assertTrue(subrole.instantiate({}).has_privilege(superrole1))
self.assertTrue(subrole.has_privilege(superrole1))
self.assertFalse(subrole.instantiate({}).has_privilege(superrole2.instantiate({})))
self.assertFalse(subrole.has_privilege(superrole2.instantiate({})))
self.assertFalse(subrole.instantiate({}).has_privilege(superrole2))
self.assertFalse(subrole.has_privilege(superrole2))
def test_requires_privilege_ok(self):
@requires_privilege(self.zazzle_privilege.slug, domain='zizzle')
def view(request, *args, **kwargs):
pass
requestor_role = arbitrary.role()
arbitrary.grant(from_role=requestor_role, to_role=self.zazzle_privilege, assignment=dict(domain='zizzle'))
request = HttpRequest()
request.role = requestor_role.instantiate({})
view(request)
def test_requires_privilege_wrong_param(self):
@requires_privilege(self.zazzle_privilege.slug, domain='zizzle')
def view(request, *args, **kwargs):
pass
requestor_role = arbitrary.role()
arbitrary.grant(from_role=requestor_role, to_role=self.zazzle_privilege, assignment=dict(domain='whapwhap'))
request = HttpRequest()
request.role = requestor_role.instantiate({})
with self.assertRaises(PermissionDenied):
view(request)
def test_requires_privilege_ok(self):
@requires_privilege(self.zazzle_privilege.slug, domain='zizzle')
def view(request, *args, **kwargs):
pass
requestor_role = arbitrary.role()
arbitrary.grant(from_role=requestor_role,
to_role=self.zazzle_privilege,
assignment=dict(domain='zizzle'))
request = HttpRequest()
request.role = requestor_role.instantiate({})
view(request)
def test_requires_privilege_no_such(self):
"""
When a required privilege is not even defined in the database,
permission is denied; no crashing.
"""
@requires_privilege('bomboozle', domain='zizzle')
def view(request, *args, **kwargs):
pass
requestor_role = arbitrary.role()
request = HttpRequest()
request.role = requestor_role
with self.assertRaises(PermissionDenied):
view(request)
def test_requires_privilege_no_such(self):
"""
When a required privilege is not even defined in the database,
permission is denied; no crashing.
"""
@requires_privilege('bomboozle', domain='zizzle')
def view(request, *args, **kwargs):
pass
requestor_role = arbitrary.role()
request = HttpRequest()
request.role = requestor_role
with self.assertRaises(PermissionDenied):
view(request)
def test_requires_privilege_wrong_param(self):
@requires_privilege(self.zazzle_privilege.slug, domain='zizzle')
def view(request, *args, **kwargs):
pass
requestor_role = arbitrary.role()
arbitrary.grant(from_role=requestor_role,
to_role=self.zazzle_privilege,
assignment=dict(domain='whapwhap'))
request = HttpRequest()
request.role = requestor_role.instantiate({})
with self.assertRaises(PermissionDenied):
view(request)
def test_instantiated_to_role_smoke_test(self):
"""
Basic smoke test:
1. grant.instantiated_role({})[param] == grant.assignment[param] if param is free for the role
2. grant.instantiated_role({})[param] does not exist if param is not free for the role
"""
parameters = ['one']
superrole = arbitrary.role(parameters=parameters)
grant = arbitrary.grant(to_role=superrole, assignment={'one':'hello'})
self.assertEqual(grant.instantiated_to_role({}).assignment, {'one':'hello'})
grant = arbitrary.grant(to_role=superrole, assignment={'two': 'goodbye'})
self.assertEqual(grant.instantiated_to_role({}).assignment, {})
def test_instantiated_to_role_smoke_test(self):
"""
Basic smoke test:
1. grant.instantiated_role({})[param] == grant.assignment[param] if param is free for the role
2. grant.instantiated_role({})[param] does not exist if param is not free for the role
"""
parameters = ['one']
superrole = arbitrary.role(parameters=parameters)
grant = arbitrary.grant(to_role=superrole, assignment={'one':'hello'})
self.assertEqual(grant.instantiated_to_role({}).assignment, {'one':'hello'})
grant = arbitrary.grant(to_role=superrole, assignment={'two': 'goodbye'})
self.assertEqual(grant.instantiated_to_role({}).assignment, {})
def test_requires_privilege_denied(self):
"""
When a privilege exists but the current
role does not have access to it, permission
is denied
"""
@requires_privilege(self.zazzle_privilege.slug, domain='zizzle')
def view(request, *args, **kwargs):
pass
requestor_role = arbitrary.role()
request = HttpRequest()
request.role = requestor_role.instantiate({})
with self.assertRaises(PermissionDenied):
view(request)
def test_requires_privilege_role_on_user_ok(self):
"""
Verify that privilege is recognized when the request user has the prbac_role, but request.role is not set.
"""
@requires_privilege(self.zazzle_privilege.slug, domain='zizzle')
def view(request, *args, **kwargs):
pass
user = arbitrary.user()
requestor_role = arbitrary.role()
arbitrary.grant(from_role=requestor_role, to_role=self.zazzle_privilege, assignment=dict(domain='zizzle'))
arbitrary.user_role(user=user, role=requestor_role)
request = HttpRequest()
request.user = user
view(request)
def test_requires_privilege_denied(self):
"""
When a privilege exists but the current
role does not have access to it, permission
is denied
"""
@requires_privilege(self.zazzle_privilege.slug, domain='zizzle')
def view(request, *args, **kwargs):
pass
requestor_role = arbitrary.role()
request = HttpRequest()
request.role = requestor_role.instantiate({})
with self.assertRaises(PermissionDenied):
view(request)
def test_requires_privilege_role_on_user_ok(self):
"""
Verify that privilege is recognized when the request user has the prbac_role, but request.role is not set.
"""
@requires_privilege(self.zazzle_privilege.slug, domain='zizzle')
def view(request, *args, **kwargs):
pass
user = arbitrary.user()
requestor_role = arbitrary.role()
arbitrary.grant(from_role=requestor_role,
to_role=self.zazzle_privilege,
assignment=dict(domain='zizzle'))
arbitrary.user_role(user=user, role=requestor_role)
request = HttpRequest()
request.user = user
view(request)
def test_unsaved_role_does_not_have_permission(self):
role1 = Role()
role2 = arbitrary.role()
self.assertFalse(role1.has_privilege(role2))
self.assertFalse(role2.has_privilege(role1))
def test_unsaved_role_does_not_have_permission(self):
role1 = Role()
role2 = arbitrary.role()
self.assertFalse(role1.has_privilege(role2))
self.assertFalse(role2.has_privilege(role1))
def setUp(self):
Role.get_cache().clear()
self.zazzle_privilege = arbitrary.role(slug=arbitrary.unique_slug('zazzle'), parameters=set(['domain']))
def setUp(self):
Role.get_cache().clear()
self.zazzle_privilege = arbitrary.role(
slug=arbitrary.unique_slug('zazzle'), parameters=set(['domain']))
def setUp(self):
self.zazzle_privilege = arbitrary.role(slug=arbitrary.unique_slug('zazzle'), parameters=set(['domain']))
