def test_operations_checker(self):
     tests = [
         ('all allowed', checkers.allow_caveat(
             ['op1', 'op2', 'op4', 'op3']),
          ['op1', 'op3', 'op2'], None),
         ('none denied', checkers.deny_caveat(['op1', 'op2']),
          ['op3', 'op4'], None),
         ('one not allowed', checkers.allow_caveat(['op1', 'op2']),
          ['op1', 'op3'],
          'caveat "allow op1 op2" not satisfied: op3 not allowed'),
         ('one not denied', checkers.deny_caveat(['op1', 'op2']),
          ['op4', 'op5', 'op2'],
          'caveat "deny op1 op2" not satisfied: op2 not allowed'),
         ('no operations, allow caveat', checkers.allow_caveat(['op1']),
          [],
          'caveat "allow op1" not satisfied: op1 not allowed'),
         ('no operations, deny caveat', checkers.deny_caveat(['op1']),
          [], None),
         ('no operations, empty allow caveat', checkers.Caveat(
             condition=checkers.COND_ALLOW),
          [], 'caveat "allow" not satisfied: no operations allowed'),
     ]
     checker = checkers.Checker()
     for test in tests:
         print(test[0])
         ctx = checkers.context_with_operations(checkers.AuthContext(),
                                                test[2])
         err = checker.check_first_party_caveat(ctx, test[1].condition)
         if test[3] is None:
             self.assertIsNone(err)
             continue
         self.assertEqual(err, test[3])
Beispiel #2
0
 def test_operations_checker(self):
     tests = [
         ('all allowed', checkers.allow_caveat(['op1', 'op2', 'op4', 'op3'
                                                ]), ['op1', 'op3',
                                                     'op2'], None),
         ('none denied', checkers.deny_caveat(['op1',
                                               'op2']), ['op3',
                                                         'op4'], None),
         ('one not allowed', checkers.allow_caveat(['op1',
                                                    'op2']), ['op1', 'op3'],
          'caveat "allow op1 op2" not satisfied: op3 not allowed'),
         ('one not denied', checkers.deny_caveat(['op1', 'op2']),
          ['op4', 'op5',
           'op2'], 'caveat "deny op1 op2" not satisfied: op2 not allowed'),
         ('no operations, allow caveat', checkers.allow_caveat(['op1']), [],
          'caveat "allow op1" not satisfied: op1 not allowed'),
         ('no operations, deny caveat', checkers.deny_caveat(['op1']), [],
          None),
         ('no operations, empty allow caveat',
          checkers.Caveat(condition=checkers.COND_ALLOW), [],
          'caveat "allow" not satisfied: no operations allowed'),
     ]
     checker = checkers.Checker()
     for test in tests:
         print(test[0])
         ctx = checkers.context_with_operations(checkers.AuthContext(),
                                                test[2])
         err = checker.check_first_party_caveat(ctx, test[1].condition)
         if test[3] is None:
             self.assertIsNone(err)
             continue
         self.assertEqual(err, test[3])
Beispiel #3
0
 def test_operation_error_caveat(self):
     tests = [('empty allow', checkers.allow_caveat(None),
               'error no operations allowed'),
              ('allow: invalid operation name',
               checkers.allow_caveat(['op1', 'operation number 2']),
               'error invalid operation name "operation number 2"'),
              ('deny: invalid operation name',
               checkers.deny_caveat(['op1', 'operation number 2']),
               'error invalid operation name "operation number 2"')]
     for test in tests:
         print(test[0])
         self.assertEqual(test[1].condition, test[2])
 def test_operation_error_caveat(self):
     tests = [
         ('empty allow', checkers.allow_caveat(None),
          'error no operations allowed'),
         ('allow: invalid operation name',
          checkers.allow_caveat(['op1', 'operation number 2']),
          'error invalid operation name "operation number 2"'),
         ('deny: invalid operation name',
          checkers.deny_caveat(['op1', 'operation number 2']),
          'error invalid operation name "operation number 2"')
     ]
     for test in tests:
         print(test[0])
         self.assertEqual(test[1].condition, test[2])
    def test_operation_allow_caveat(self):
        locator = _DischargerLocator()
        ids = _IdService('ids', locator, self)
        auth = _OpAuthorizer({
            macaroonbakery.Op(entity='e1', action='read'): {'bob'},
            macaroonbakery.Op(entity='e1', action='write'): {'bob'},
            macaroonbakery.Op(entity='e2', action='read'): {'bob'},
        })
        ts = _Service('myservice', auth, ids, locator)
        client = _Client(locator)

        ctx = test_context.with_value(_DISCHARGE_USER_KEY, 'bob')
        m = client.capability(ctx, ts, [
            macaroonbakery.Op(entity='e1', action='read'),
            macaroonbakery.Op(entity='e1', action='write'),
            macaroonbakery.Op(entity='e2', action='read')
        ])

        # Sanity check that we can do a write.
        ts.do(test_context, [[m.macaroon]],
              [macaroonbakery.Op(entity='e1', action='write')])

        m.add_caveat(checkers.allow_caveat(['read']), None, None)

        # A read operation should work.
        ts.do(test_context, [[m.macaroon]], [
            macaroonbakery.Op(entity='e1', action='read'),
            macaroonbakery.Op(entity='e2', action='read')
        ])

        # A write operation should fail
        # even though the original macaroon allowed it.
        with self.assertRaises(_DischargeRequiredError):
            ts.do(test_context, [[m.macaroon]],
                  [macaroonbakery.Op(entity='e1', action='write')])
    def test_operation_allow_caveat(self):
        locator = _DischargerLocator()
        ids = _IdService('ids', locator, self)
        auth = _OpAuthorizer({
            bakery.Op(entity='e1', action='read'): {'bob'},
            bakery.Op(entity='e1', action='write'): {'bob'},
            bakery.Op(entity='e2', action='read'): {'bob'},
        })
        ts = _Service('myservice', auth, ids, locator)
        client = _Client(locator)

        ctx = test_context.with_value(_DISCHARGE_USER_KEY, 'bob')
        m = client.capability(ctx, ts, [
            bakery.Op(entity='e1', action='read'),
            bakery.Op(entity='e1', action='write'),
            bakery.Op(entity='e2', action='read'),
        ])

        # Sanity check that we can do a write.
        ts.do(test_context, [[m.macaroon]],
              [bakery.Op(entity='e1', action='write')])

        m.add_caveat(checkers.allow_caveat(['read']), None, None)

        # A read operation should work.
        ts.do(test_context, [[m.macaroon]], [
            bakery.Op(entity='e1', action='read'),
            bakery.Op(entity='e2', action='read'),
        ])

        # A write operation should fail
        # even though the original macaroon allowed it.
        with self.assertRaises(_DischargeRequiredError):
            ts.do(test_context, [[m.macaroon]], [
                bakery.Op(entity='e1', action='write'),
            ])
    def test_first_party_caveat_squashing(self):
        locator = _DischargerLocator()
        ids = _IdService('ids', locator, self)
        auth = _OpAuthorizer({
            bakery.Op(entity='e1', action='read'): {'alice'},
            bakery.Op(entity='e2', action='read'): {'alice'},
        })
        ts = _Service('myservice', auth, ids, locator)
        tests = [
            ('duplicates removed', [
                checkers.Caveat(condition='true 1', namespace='testns'),
                checkers.Caveat(condition='true 2', namespace='testns'),
                checkers.Caveat(condition='true 1', namespace='testns'),
                checkers.Caveat(condition='true 1', namespace='testns'),
                checkers.Caveat(condition='true 3', namespace='testns'),
            ], [
                checkers.Caveat(condition='true 1', namespace='testns'),
                checkers.Caveat(condition='true 2', namespace='testns'),
                checkers.Caveat(condition='true 3', namespace='testns'),
            ]), ('earliest time before', [
                checkers.time_before_caveat(epoch + timedelta(days=1)),
                checkers.Caveat(condition='true 1', namespace='testns'),
                checkers.time_before_caveat(
                    epoch + timedelta(days=0, hours=1)),
                checkers.time_before_caveat(epoch + timedelta(
                    days=0, hours=0, minutes=5)),
            ], [
                checkers.time_before_caveat(epoch + timedelta(
                    days=0, hours=0, minutes=5)),
                checkers.Caveat(condition='true 1', namespace='testns'),
            ]), ('operations and declared caveats removed', [
                checkers.deny_caveat(['foo']),
                checkers.allow_caveat(['read', 'write']),
                checkers.declared_caveat('username', 'bob'),
                checkers.Caveat(condition='true 1', namespace='testns'),
            ], [
                checkers.Caveat(condition='true 1', namespace='testns'),
            ])
        ]
        for test in tests:
            print(test[0])

            # Make a first macaroon with all the required first party caveats.
            ctx = test_context.with_value(_DISCHARGE_USER_KEY, 'alice')
            m1 = _Client(locator).capability(
                ctx, ts, [bakery.Op(entity='e1', action='read')])
            m1.add_caveats(test[1], None, None)

            # Make a second macaroon that's not used to check that it's
            # caveats are not added.
            m2 = _Client(locator).capability(
                ctx, ts, [bakery.Op(entity='e1', action='read')])
            m2.add_caveat(checkers.Caveat(
                condition='true notused', namespace='testns'), None, None)
            client = _Client(locator)
            client.add_macaroon(ts, 'authz1', [m1.macaroon])
            client.add_macaroon(ts, 'authz2', [m2.macaroon])

            m3 = client.capability(
                test_context, ts, [bakery.Op(entity='e1', action='read')])
            self.assertEqual(
                _macaroon_conditions(m3.macaroon.caveats, False),
                _resolve_caveats(m3.namespace, test[2]))
    def test_first_party_caveat_squashing(self):
        locator = _DischargerLocator()
        ids = _IdService('ids', locator, self)
        auth = _OpAuthorizer({
            macaroonbakery.Op(entity='e1', action='read'): {'alice'},
            macaroonbakery.Op(entity='e2', action='read'): {'alice'},
        })
        ts = _Service('myservice', auth, ids, locator)
        tests = [('duplicates removed', [
            checkers.Caveat(condition='true 1', namespace='testns'),
            checkers.Caveat(condition='true 2', namespace='testns'),
            checkers.Caveat(condition='true 1', namespace='testns'),
            checkers.Caveat(condition='true 1', namespace='testns'),
            checkers.Caveat(condition='true 3', namespace='testns'),
        ], [
            checkers.Caveat(condition='true 1', namespace='testns'),
            checkers.Caveat(condition='true 2', namespace='testns'),
            checkers.Caveat(condition='true 3', namespace='testns'),
        ]),
                 ('earliest time before', [
                     checkers.time_before_caveat(epoch + timedelta(days=1)),
                     checkers.Caveat(condition='true 1', namespace='testns'),
                     checkers.time_before_caveat(epoch +
                                                 timedelta(days=0, hours=1)),
                     checkers.time_before_caveat(
                         epoch + timedelta(days=0, hours=0, minutes=5)),
                 ], [
                     checkers.time_before_caveat(
                         epoch + timedelta(days=0, hours=0, minutes=5)),
                     checkers.Caveat(condition='true 1', namespace='testns'),
                 ]),
                 ('operations and declared caveats removed', [
                     checkers.deny_caveat(['foo']),
                     checkers.allow_caveat(['read', 'write']),
                     checkers.declared_caveat('username', 'bob'),
                     checkers.Caveat(condition='true 1', namespace='testns'),
                 ], [
                     checkers.Caveat(condition='true 1', namespace='testns'),
                 ])]
        for test in tests:
            print(test[0])

            # Make a first macaroon with all the required first party caveats.
            ctx = test_context.with_value(_DISCHARGE_USER_KEY, 'alice')
            m1 = _Client(locator).capability(
                ctx, ts, [macaroonbakery.Op(entity='e1', action='read')])
            m1.add_caveats(test[1], None, None)

            # Make a second macaroon that's not used to check that it's
            # caveats are not added.
            m2 = _Client(locator).capability(
                ctx, ts, [macaroonbakery.Op(entity='e1', action='read')])
            m2.add_caveat(
                checkers.Caveat(condition='true notused', namespace='testns'),
                None, None)
            client = _Client(locator)
            client.add_macaroon(ts, 'authz1', [m1.macaroon])
            client.add_macaroon(ts, 'authz2', [m2.macaroon])

            m3 = client.capability(
                test_context, ts,
                [macaroonbakery.Op(entity='e1', action='read')])
            self.assertEqual(_macaroon_conditions(m3.macaroon.caveats, False),
                             _resolve_caveats(m3.namespace, test[2]))