def test_firerole_ip_mask(self):
"""firerole - firerole core testing ip mask matching"""
self.failUnless(acc_firerole_check_user(self.user_info,
compile_role_definition("allow remote_ip '127.0.0.0/24'"
"\ndeny any")))
self.failIf(acc_firerole_check_user(self.guest,
compile_role_definition("allow remote_ip '127.0.0.0/24'"
"\ndeny any")))
def test_compile_role_definition_with_date(self):
"""firerole - compiling date based role definitions"""
self.failUnless(serialize(compile_role_definition("allow from '2010-11-11'")))
self.failUnless(serialize(compile_role_definition("allow until '2010-11-11'")))
self.assertRaises(
InvenioWebAccessFireroleError, compile_role_definition, "allow from '2010-11-11','2010-11-23'"
)
self.assertRaises(InvenioWebAccessFireroleError, compile_role_definition, "allow from '2010-11'")
def test_firerole_with_past_date(self):
"""firerole - firerole core testing with past date"""
import time
past_date = time.strftime('%Y-%m-%d', time.gmtime(time.time() - 24 * 3600 * 2))
self.failIf(acc_firerole_check_user(self.user_info,
compile_role_definition("allow until '%s'\nallow any" % past_date)))
self.failUnless(acc_firerole_check_user(self.user_info,
compile_role_definition("allow from '%s'\nallow any" % past_date)))
def test_compile_role_definition_with_date(self):
"""firerole - compiling date based role definitions"""
self.failUnless(
serialize(compile_role_definition("allow from '2010-11-11'")))
self.failUnless(
serialize(compile_role_definition("allow until '2010-11-11'")))
self.assertRaises(InvenioWebAccessFireroleError,
compile_role_definition,
"allow from '2010-11-11','2010-11-23'")
self.assertRaises(InvenioWebAccessFireroleError,
compile_role_definition, "allow from '2010-11'")
def test_firerole_ip_mask(self):
"""firerole - firerole core testing ip mask matching"""
self.failUnless(
acc_firerole_check_user(
self.user_info,
compile_role_definition("allow remote_ip '127.0.0.0/24'"
"\ndeny any")))
self.failIf(
acc_firerole_check_user(
self.guest,
compile_role_definition("allow remote_ip '127.0.0.0/24'"
"\ndeny any")))
def test_firerole_uid(self):
"""firerole - firerole core testing with integer uid"""
self.assertEqual(
False,
acc_firerole_check_user(
self.guest,
compile_role_definition("deny uid '-1'\nallow all")))
self.assertEqual(
True,
acc_firerole_check_user(
self.user_info,
compile_role_definition("deny uid '-1'\nallow all")))
def test_firerole_with_past_date(self):
"""firerole - firerole core testing with past date"""
import time
past_date = time.strftime('%Y-%m-%d',
time.gmtime(time.time() - 24 * 3600 * 2))
self.failIf(
acc_firerole_check_user(
self.user_info,
compile_role_definition("allow until '%s'\nallow any" %
past_date)))
self.failUnless(
acc_firerole_check_user(
self.user_info,
compile_role_definition("allow from '%s'\nallow any" %
past_date)))
def test_compile_role_definition_more_rows(self):
"""firerole - compiling more rows role definitions"""
self.failUnless(
serialize(
compile_role_definition("allow email /.*@cern.ch/\nallow groups 'patata' " "# a comment\ndeny any")
)
)
def test_compile_role_definition_complex(self):
"""firerole - compiling complex role definitions"""
self.failUnless(
serialize(
compile_role_definition(
"allow email /.*@cern.ch/\nallow groups 'patata' "
"# a comment\ndeny remote_ip '127.0.0.0/24'\ndeny any")))
def _get_collection_restrictions(collection):
"""Get all restrictions for a given collection, users and fireroles."""
try:
from invenio.dbquery import run_sql
from invenio.access_control_firerole import compile_role_definition
except ImportError:
from invenio.modules.access.firerole import compile_role_definition
from invenio.legacy.dbquery import run_sql
res = run_sql(
'SELECT r.firerole_def_src, email '
'FROM accROLE as r '
'JOIN accROLE_accACTION_accARGUMENT ON r.id=id_accROLE '
'JOIN accARGUMENT AS a ON a.id=id_accARGUMENT '
'JOIN user_accROLE AS u ON r.id=u.id_accROLE '
'JOIN user ON user.id=u.id_user '
'WHERE a.keyword="collection" AND '
'a.value=%s AND '
'id_accACTION=(select id from accACTION where name="viewrestrcoll")',
(collection, ),
run_on_slave=True)
fireroles = set()
users = set()
for f, u in res:
fireroles.add(compile_role_definition(f))
users.add(u)
return {'fireroles': list(fireroles), 'users': users}
def _get_collection_restrictions(collection):
"""Get all restrictions for a given collection, users and fireroles."""
try:
from invenio.dbquery import run_sql
from invenio.access_control_firerole import compile_role_definition
except ImportError:
from invenio.modules.access.firerole import compile_role_definition
from invenio.legacy.dbquery import run_sql
res = run_sql(
'SELECT r.firerole_def_src, email '
'FROM accROLE as r '
'JOIN accROLE_accACTION_accARGUMENT ON r.id=id_accROLE '
'JOIN accARGUMENT AS a ON a.id=id_accARGUMENT '
'JOIN user_accROLE AS u ON r.id=u.id_accROLE '
'JOIN user ON user.id=u.id_user '
'WHERE a.keyword="collection" AND '
'a.value=%s AND '
'id_accACTION=(select id from accACTION where name="viewrestrcoll")',
(collection, ), run_on_slave=True
)
fireroles = set()
users = set()
for f, u in res:
fireroles.add(compile_role_definition(f))
users.add(u)
return {'fireroles': list(fireroles), 'users': users}
def test_compile_role_definition_literal_list(self):
"""firerole - compiling literal list role definitions"""
self.failUnless(
serialize(
compile_role_definition(
"allow email '*****@*****.**', '*****@*****.**'"
)))
def test_compile_role_definition_more_rows(self):
"""firerole - compiling more rows role definitions"""
self.failUnless(
serialize(
compile_role_definition(
"allow email /.*@cern.ch/\nallow groups 'patata' "
"# a comment\ndeny any")))
def test_firerole_literal_email(self):
"""firerole - firerole core testing literal email matching"""
self.failUnless(
acc_firerole_check_user(
self.user_info,
compile_role_definition(
"allow email '*****@*****.**',"
"'*****@*****.**'\ndeny any")))
def test_firerole_literal_email(self):
"""firerole - firerole core testing literal email matching"""
self.failUnless(
acc_firerole_check_user(
self.user_info,
compile_role_definition("allow email '*****@*****.**'," "'*****@*****.**'\ndeny any"),
)
)
def test_webaccess_firerole_serialization(self):
"""webaccess - firerole role definition correctly serialized"""
from invenio.access_control_admin import acc_get_role_definition
from invenio.access_control_firerole import compile_role_definition, \
deserialize
def_ser = compile_role_definition(self.role_definition)
tmp_def_ser = acc_get_role_definition(self.role_id)
self.assertEqual(def_ser, deserialize(tmp_def_ser))
def setUp(self):
"""Create a fake role."""
self.role_name = 'test'
self.role_description = 'test role'
self.role_definition = 'allow email /.*@cern.ch/'
self.role_id, dummy, dummy, dummy = acc_add_role(
self.role_name, self.role_description,
serialize(compile_role_definition(self.role_definition)),
self.role_definition)
def setUp(self):
"""Create a fake role."""
self.role_name = 'test'
self.role_description = 'test role'
self.role_definition = 'allow email /.*@cern.ch/'
self.role_id, dummy, dummy, dummy = acc_add_role(self.role_name,
self.role_description,
serialize(compile_role_definition(self.role_definition)),
self.role_definition)
def test_compile_role_definition_complex(self):
"""firerole - compiling complex role definitions"""
self.failUnless(
serialize(
compile_role_definition(
"allow email /.*@cern.ch/\nallow groups 'patata' "
"# a comment\ndeny remote_ip '127.0.0.0/24'\ndeny any"
)
)
)
def setUp(self):
"""Create a fake role."""
from invenio.access_control_admin import acc_add_role
from invenio.access_control_firerole import compile_role_definition, \
serialize
self.role_name = 'test'
self.role_description = 'test role'
self.role_definition = 'allow email /.*@cern.ch/'
self.role_id, dummy, dummy, dummy = acc_add_role(
self.role_name, self.role_description,
serialize(compile_role_definition(self.role_definition)),
self.role_definition)
def test_firerole_guest(self):
"""firerole - firerole core testing with guest"""
self.assertEqual(
False,
acc_firerole_check_user(
self.guest,
compile_role_definition("deny guest '1'\nallow all")))
self.assertEqual(
True,
acc_firerole_check_user(
self.guest,
compile_role_definition("deny guest '0'\nallow all")))
self.assertEqual(
True,
acc_firerole_check_user(
self.user_info,
compile_role_definition("deny guest '1'\nallow all")))
self.assertEqual(
False,
acc_firerole_check_user(
self.user_info,
compile_role_definition("deny guest '0'\nallow all")))
self.assertEqual(
False,
acc_firerole_check_user(
self.user_info,
compile_role_definition("deny guest '1'\ndeny all")))
self.assertEqual(
False,
acc_firerole_check_user(
self.user_info,
compile_role_definition("deny guest '0'\ndeny all")))
def create_needed_roles(restrictions, apache_group):
"""Create a role for the corresponding apache_group."""
role_name = CFG_PROPOSED_ROLE_NAME % apache_group
role_description = CFG_PROPOSED_ROLE_DESCRIPTION % ', '.join(get_collections_for_group(restrictions, apache_group))
role_definition_src = 'allow apache_group "%s"' % apache_group
print "Creating role '%s' ('%s') with firerole '%s'..." % (role_name, role_description, role_definition_src),
res = acc_add_role(role_name, role_description, serialize(compile_role_definition(role_definition_src)), role_definition_src)
if res == 0:
print "Already existed!"
else:
print "OK!"
return role_name
def create_needed_roles(restrictions, apache_group):
"""Create a role for the corresponding apache_group."""
role_name = CFG_PROPOSED_ROLE_NAME % apache_group
role_description = CFG_PROPOSED_ROLE_DESCRIPTION % ', '.join(
get_collections_for_group(restrictions, apache_group))
role_definition_src = 'allow apache_group "%s"' % apache_group
print "Creating role '%s' ('%s') with firerole '%s'..." % (
role_name, role_description, role_definition_src),
res = acc_add_role(role_name, role_description,
serialize(compile_role_definition(role_definition_src)),
role_definition_src)
if res == 0:
print "Already existed!"
else:
print "OK!"
return role_name
def test_firerole_guest(self):
"""firerole - firerole core testing with guest"""
self.assertEqual(False, acc_firerole_check_user(self.guest,
compile_role_definition("deny guest '1'\nallow all")))
self.assertEqual(True, acc_firerole_check_user(self.guest,
compile_role_definition("deny guest '0'\nallow all")))
self.assertEqual(True, acc_firerole_check_user(self.user_info,
compile_role_definition("deny guest '1'\nallow all")))
self.assertEqual(False, acc_firerole_check_user(self.user_info,
compile_role_definition("deny guest '0'\nallow all")))
self.assertEqual(False, acc_firerole_check_user(self.user_info,
compile_role_definition("deny guest '1'\ndeny all")))
self.assertEqual(False, acc_firerole_check_user(self.user_info,
compile_role_definition("deny guest '0'\ndeny all")))
def test_compile_role_definition_group_field(self):
"""firerole - compiling group field role definitions"""
self.failUnless(serialize(compile_role_definition(
"allow groups 'patata'")))
def test_compile_role_definition_literal_field(self):
"""firerole - compiling literal field role definitions"""
self.failUnless(serialize(compile_role_definition(
"allow email '*****@*****.**'")))
def test_compile_role_definition_allow_any(self):
"""firerole - compiling allow any role definitions"""
self.failUnless(serialize(compile_role_definition("allow any")))
def test_firerole_empty(self):
"""firerole - firerole core testing empty matching"""
self.assertEqual(False, acc_firerole_check_user(self.user_info,
compile_role_definition(None)))
def test_firerole_non_existant_group(self):
"""firerole - firerole core testing non existant group matching"""
self.failIf(acc_firerole_check_user(self.user_info,
compile_role_definition("allow groups 'patat'\ndeny any")))
def test_firerole_literal_group(self):
"""firerole - firerole core testing literal group matching"""
self.failUnless(
acc_firerole_check_user(
self.user_info,
compile_role_definition("allow groups 'patata'\ndeny any")))
def test_compile_role_definition_literal_field(self):
"""firerole - compiling literal field role definitions"""
self.failUnless(
serialize(
compile_role_definition(
"allow email '*****@*****.**'")))
def test_deserialize(self):
"""firerole - deserializing"""
self.assertEqual(compile_role_definition("allow any"), (True, ()))
def test_compile_role_definition_allow_any(self):
"""firerole - compiling allow any role definitions"""
self.failUnless(serialize(compile_role_definition("allow any")))
def test_compile_role_definition_empty(self):
"""firerole - compiling empty role definitions"""
self.assertEqual(compile_role_definition(None),
deserialize(CFG_ACC_EMPTY_ROLE_DEFINITION_SER))
def test_firerole_regexp_email(self):
"""firerole - firerole core testing regexp email matching"""
self.failUnless(
acc_firerole_check_user(
self.user_info,
compile_role_definition("allow email /.*@cern.ch/\ndeny any")))
def test_firerole_empty(self):
"""firerole - firerole core testing empty matching"""
self.assertEqual(
False,
acc_firerole_check_user(self.user_info,
compile_role_definition(None)))
def test_compile_role_definition_literal_list(self):
"""firerole - compiling literal list role definitions"""
self.failUnless(serialize(compile_role_definition(
"allow email '*****@*****.**', '*****@*****.**'")))
def test_compile_role_definition_not(self):
"""firerole - compiling not role definitions"""
self.failUnless(
serialize(
compile_role_definition(
"allow not email '*****@*****.**'")))
def test_compile_role_definition_group_field(self):
"""firerole - compiling group field role definitions"""
self.failUnless(
serialize(compile_role_definition("allow groups 'patata'")))
def test_firerole_literal_group(self):
"""firerole - firerole core testing literal group matching"""
self.failUnless(acc_firerole_check_user(self.user_info,
compile_role_definition("allow groups 'patata'\ndeny any")))
def test_compile_role_definition_regexp_field(self):
"""firerole - compiling regexp field role definitions"""
self.failUnless(
serialize(compile_role_definition("allow email /.*@cern.ch/")))
def test_compile_role_definition_guest_field(self):
"""firerole - compiling guest field role definitions"""
self.failUnless(serialize(compile_role_definition("allow guest '1'")))
def test_webaccess_firerole_serialization(self):
"""webaccess - firerole role definition correctly serialized"""
def_ser = compile_role_definition(self.role_definition)
tmp_def_ser = acc_get_role_definition(self.role_id)
self.assertEqual(def_ser, deserialize(tmp_def_ser))
def test_firerole_uid(self):
"""firerole - firerole core testing with integer uid"""
self.assertEqual(False, acc_firerole_check_user(self.guest,
compile_role_definition("deny uid '-1'\nallow all")))
self.assertEqual(True, acc_firerole_check_user(self.user_info,
compile_role_definition("deny uid '-1'\nallow all")))
def test_compile_role_definition_literal_list(self):
"""firerole - compiling literal list role definitions"""
self.failUnless(serialize(compile_role_definition(
"allow email '*****@*****.**', '*****@*****.**'")))
def test_compile_role_definition_empty(self):
"""firerole - compiling empty role definitions"""
self.assertEqual(compile_role_definition(None),
deserialize(CFG_ACC_EMPTY_ROLE_DEFINITION_SER))
def test_compile_role_definition_not(self):
"""firerole - compiling not role definitions"""
self.failUnless(serialize(compile_role_definition(
"allow not email '*****@*****.**'")))
def test_compile_role_definition_deny_any(self):
"""firerole - compiling deny any role definitions"""
self.failIf(serialize(compile_role_definition("deny any")))
def test_webaccess_firerole_serialization(self):
"""webaccess - firerole role definition correctly serialized"""
def_ser = compile_role_definition(self.role_definition)
tmp_def_ser = acc_get_role_definition(self.role_id)
self.assertEqual(def_ser, deserialize(tmp_def_ser))
def test_compile_role_definition_not(self):
"""firerole - compiling not role definitions"""
self.failUnless(serialize(compile_role_definition(
"allow not email '*****@*****.**'")))
def test_firerole_literal_email(self):
"""firerole - firerole core testing literal email matching"""
self.failUnless(acc_firerole_check_user(self.user_info,
compile_role_definition("allow email '*****@*****.**',"
"'*****@*****.**'\ndeny any")))
def test_compile_role_definition_regexp_field(self):
"""firerole - compiling regexp field role definitions"""
self.failUnless(serialize(compile_role_definition(
"allow email /.*@cern.ch/")))
def test_deserialize(self):
"""firerole - deserializing"""
self.assertEqual(compile_role_definition("allow any"),
(True, ()))
def test_compile_role_definition_guest_field(self):
"""firerole - compiling guest field role definitions"""
self.failUnless(serialize(compile_role_definition(
"allow guest '1'")))
def test_firerole_regexp_email(self):
"""firerole - firerole core testing regexp email matching"""
self.failUnless(acc_firerole_check_user(self.user_info,
compile_role_definition("allow email /.*@cern.ch/\ndeny any")))
def test_compile_role_definition_deny_any(self):
"""firerole - compiling deny any role definitions"""
self.failIf(serialize(compile_role_definition("deny any")))
def test_firerole_non_existant_group(self):
"""firerole - firerole core testing non existant group matching"""
self.failIf(
acc_firerole_check_user(
self.user_info,
compile_role_definition("allow groups 'patat'\ndeny any")))
