Python SettingsCfg Beispiele

Beispiel #1

 def settings():
     return config_pb2.SettingsCfg(auth=config_pb2.AuthSettings(
         admins_group='admins',
         bot_bootstrap_group='bot_bootstrap',
         privileged_users_group='privileged_users',
         users_group='users',
         view_all_bots_group='view_all_bots',
         view_all_tasks_group='view_all_tasks'))

Beispiel #2

Datei: config_test.py Projekt: amymariaparker2401/luci-py

    def test_validate_settings(self):
        self.validator_test(
            config._validate_settings,
            config_pb2.SettingsCfg(bot_death_timeout_secs=-1,
                                   reusable_task_age_secs=-1),
            [
                'bot_death_timeout_secs cannot be negative',
                'reusable_task_age_secs cannot be negative',
            ])

        self.validator_test(
            config._validate_settings,
            config_pb2.SettingsCfg(
                bot_death_timeout_secs=config._SECONDS_IN_YEAR + 1,
                reusable_task_age_secs=config._SECONDS_IN_YEAR + 1), [
                    'bot_death_timeout_secs cannot be more than a year',
                    'reusable_task_age_secs cannot be more than a year',
                ])

        self.validator_test(
            config._validate_settings,
            config_pb2.SettingsCfg(
                display_server_url_template='http://foo/bar',
                extra_child_src_csp_url=['http://alpha/beta', 'https://']),
            [
                'display_server_url_template URL http://foo/bar must be https',
                'extra_child_src_csp_url URL http://alpha/beta must be https',
                'extra_child_src_csp_url URL https:// must be https',
            ])

        self.validator_test(
            config._validate_settings,
            config_pb2.SettingsCfg(
                display_server_url_template='https://foo/',
                extra_child_src_csp_url=['https://alpha/beta/']), [])

        self.validator_test(config._validate_settings,
                            config_pb2.SettingsCfg(), [])

Beispiel #3

    def test_call_resultdb_recorder_api(self):

        with mock.patch('server.config.settings') as mock_settings, mock.patch(
                'components.net.json_request_async'
        ) as mock_json_request_async:
            mock_settings.return_value = config_pb2.SettingsCfg(
                resultdb=config_pb2.ResultDBSettings(
                    server='https://results.api.cr.dev'), )
            mock_json_request_async.side_effect = self.nop_async

            resultdb._call_resultdb_recorder_api_async('FinalizeInvocation',
                                                       {}).get_result()

            mock_settings.assert_called_once()
            mock_json_request_async.assert_called_once()

Beispiel #4

    def setUp(self):
        super(AppTestBase, self).setUp()
        self.bot_version = None
        self.source_ip = '192.168.2.2'
        self.testbed.init_user_stub()

        gae_ts_mon.reset_for_unittest(disable=True)
        event_mon_metrics.initialize()

        # By default requests in tests are coming from bot with fake IP.
        # WSGI app that implements auth REST API.
        self.auth_app = webtest.TestApp(
            auth.create_wsgi_application(debug=True),
            extra_environ={
                'REMOTE_ADDR': self.source_ip,
                'SERVER_SOFTWARE': os.environ['SERVER_SOFTWARE'],
            })

        admins_group = 'test_admins_group'
        priv_users_group = 'test_priv_users_group'
        users_group = 'test_users_group'

        cfg = config_pb2.SettingsCfg(auth=config_pb2.AuthSettings(
            admins_group=admins_group,
            privileged_users_group=priv_users_group,
            users_group=users_group,
        ))
        self.mock(config, '_get_settings', lambda: ('test_rev', cfg))
        utils.clear_cache(config.settings)

        # Note that auth.ADMIN_GROUP != admins_group.
        auth.bootstrap_group(
            auth.ADMIN_GROUP,
            [auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
        auth.bootstrap_group(
            admins_group,
            [auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
        auth.bootstrap_group(
            priv_users_group,
            [auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
        auth.bootstrap_group(
            users_group,
            [auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])

Beispiel #5

def _get_settings_with_defaults():
    """Returns (rev, cfg) where cfg is a parsed SettingsCfg message.

  If config does not exists, returns (None, <cfg with defaults>).

  The config is cached in the datastore.
  """
    rev, cfg = _get_settings()
    cfg = cfg or config_pb2.SettingsCfg()
    cfg.reusable_task_age_secs = cfg.reusable_task_age_secs or 7 * 24 * 60 * 60
    cfg.bot_death_timeout_secs = cfg.bot_death_timeout_secs or 10 * 60

    cfg.auth.admins_group = cfg.auth.admins_group or 'administrators'
    cfg.auth.bot_bootstrap_group = cfg.auth.bot_bootstrap_group or \
       'administrators'
    cfg.auth.privileged_users_group = cfg.auth.privileged_users_group or \
       'administrators'
    cfg.auth.users_group = cfg.auth.users_group or 'administrators'

    return rev, cfg

Beispiel #6

Datei: bot_archive_test.py Projekt: brandonscott1780/luci-py

 def test_make(self):
     settings = config_pb2.SettingsCfg()
     config = json.loads(
         bot_archive._make_config_json('host', 'host_version', settings))
     self.assertEqual(_EXPECTED_CONFIG_KEYS, set(config))

Beispiel #7

Datei: realms_test.py Projekt: amymariaparker2401/luci-py

class RealmsTest(test_case.TestCase):
    def setUp(self):
        super(RealmsTest, self).setUp()
        self._has_permission_mock = mock.Mock()
        self._has_permission_dryrun_mock = mock.Mock()
        self.mock(auth, 'has_permission', self._has_permission_mock)
        self.mock(auth, 'has_permission_dryrun',
                  self._has_permission_dryrun_mock)
        self.mock(service_accounts, 'has_token_server', lambda: True)
        utils.clear_cache(config.settings)

    def tearDown(self):
        super(RealmsTest, self).tearDown()
        utils.clear_cache(config.settings)

    def test_get_permission(self):
        perm = realms.get_permission(
            realms_pb2.REALM_PERMISSION_POOLS_CREATE_TASK)
        self.assertEqual(_PERM_POOLS_CREATE_TASK, perm)

    @parameterized.expand([
        # should return False if the permission is not configured in settings.cfg
        # and in pools.cfg.
        (
            False,
            config_pb2.SettingsCfg(),
            _gen_pool_config(),
        ),
        # should return True if the permission is enforced in the pool.
        (True, config_pb2.SettingsCfg(),
         _gen_pool_config(enforced_realm_permissions=[
             realms_pb2.REALM_PERMISSION_POOLS_CREATE_TASK
         ])),
        # return True if the permission is enforced globally.
        (True,
         config_pb2.SettingsCfg(auth=config_pb2.AuthSettings(
             enforced_realm_permissions=[
                 realms_pb2.REALM_PERMISSION_POOLS_CREATE_TASK
             ])), _gen_pool_config()),
    ])
    def test_is_enforced_permission(self, expected, settings_cfg, pool_cfg):
        self.mock(config, '_get_settings', lambda: (None, settings_cfg))
        self.assertEqual(
            expected,
            realms.is_enforced_permission(
                realms_pb2.REALM_PERMISSION_POOLS_CREATE_TASK, pool_cfg))

    def _mock_is_allowed_to_schedule_legacy(self, ret):
        self.mock(task_scheduler, '_is_allowed_to_schedule', lambda _: ret)

    def _mock_get_pool_config(self, realm='test:pool'):
        pool_cfg = _gen_pool_config(realm=realm)
        self.mock(pools_config, 'get_pool_config', lambda _: pool_cfg)
        return pool_cfg

    def _mock_bot(self, bot_dimensions):
        bot_events = [_gen_bot_event_mock(dimensions_flat=bot_dimensions)]
        query = lambda *_: mock.Mock(fetch=lambda _: bot_events)
        self.mock(bot_management, 'get_events_query', query)

    def test_check_pools_create_task_legacy_allowed(self):
        self._mock_is_allowed_to_schedule_legacy(True)
        pool_cfg = self._mock_get_pool_config(realm='test:pool')
        used_realms = realms.check_pools_create_task(pool_cfg, False)
        self.assertFalse(used_realms)
        self._has_permission_dryrun_mock.assert_called_once_with(
            _PERM_POOLS_CREATE_TASK, [u'test:pool'],
            True,
            tracking_bug='crbug.com/1066839')

    def test_check_pools_create_task_legacy_allowed_no_pool_realm(self):
        self._mock_is_allowed_to_schedule_legacy(True)
        pool_cfg = self._mock_get_pool_config(realm=None)
        used_realms = realms.check_pools_create_task(pool_cfg, False)
        self.assertFalse(used_realms)
        self._has_permission_dryrun_mock.assert_not_called()

    def test_check_pools_create_task_legacy_not_allowed(self):
        self._mock_is_allowed_to_schedule_legacy(False)
        pool_cfg = self._mock_get_pool_config(realm='test:pool')
        with self.assertRaises(auth.AuthorizationError):
            realms.check_pools_create_task(pool_cfg, False)
        self._has_permission_dryrun_mock.assert_called_once_with(
            _PERM_POOLS_CREATE_TASK, [u'test:pool'],
            False,
            tracking_bug='crbug.com/1066839')

    def test_check_pools_create_task_legacy_not_allowed_no_pool_realm(self):
        self._mock_is_allowed_to_schedule_legacy(False)
        pool_cfg = self._mock_get_pool_config(realm=None)
        with self.assertRaises(auth.AuthorizationError):
            realms.check_pools_create_task(pool_cfg, False)
        self._has_permission_dryrun_mock.assert_not_called()

    def test_check_pools_create_task_enforced_allowed(self):
        pool_cfg = self._mock_get_pool_config()
        self._has_permission_mock.return_value = True
        used_realms = realms.check_pools_create_task(pool_cfg, True)
        self.assertTrue(used_realms)
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_CREATE_TASK, [u'test:pool'],
            identity=auth.get_current_identity())

    def test_check_pools_create_task_enforced_not_allowed(self):
        pool_cfg = self._mock_get_pool_config()
        self._has_permission_mock.return_value = False
        with self.assertRaises(auth.AuthorizationError):
            realms.check_pools_create_task(pool_cfg, True)
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_CREATE_TASK, [u'test:pool'],
            identity=auth.get_current_identity())

    def test_check_pools_create_task_enforced_no_pool_realm(self):
        pool_cfg = self._mock_get_pool_config(realm=None)
        with self.assertRaises(auth.AuthorizationError):
            realms.check_pools_create_task(pool_cfg, True)
        self._has_permission_mock.assert_not_called()

    def test_check_tasks_create_in_realm_legacy_not_enforced(self):
        # If not enforced, allows any legacy (realm-less) task.
        self.mock(realms, 'is_enforced_permission', lambda *_: False)
        pool_cfg_mock = _gen_pool_config()
        used_realms = realms.check_tasks_create_in_realm(
            None, pool_cfg_mock, False)
        self.assertFalse(used_realms)
        self._has_permission_dryrun_mock.assert_not_called()

    def test_check_tasks_create_in_realm_legacy_enforced(self):
        # If enforced, rejects all legacy (realm-less) tasks.
        pool_cfg_mock = _gen_pool_config()
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_create_in_realm(None, pool_cfg_mock, True)
        self._has_permission_dryrun_mock.assert_not_called()

    def test_check_tasks_create_in_realm_enforced_allowed(self):
        self._has_permission_mock.return_value = True
        pool_cfg_mock = _gen_pool_config()
        used_realms = realms.check_tasks_create_in_realm(
            'test:realm', pool_cfg_mock, True)
        self.assertTrue(used_realms)
        self._has_permission_mock.assert_called_once_with(
            _PERM_TASKS_CREATE_IN_REALM, [u'test:realm'],
            identity=auth.get_current_identity())

    def test_check_tasks_create_in_realm_enforced_not_allowed(self):
        self._has_permission_mock.return_value = False
        pool_cfg_mock = _gen_pool_config()
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_create_in_realm('test:realm', pool_cfg_mock,
                                               True)
        self._has_permission_mock.assert_called_once_with(
            _PERM_TASKS_CREATE_IN_REALM, [u'test:realm'],
            identity=auth.get_current_identity())

    def test_check_tasks_act_as_legacy_allowed_no_realm(self):
        self.mock(task_scheduler, '_is_allowed_service_account',
                  lambda *_: True)
        task_request_mock = _gen_task_request_mock(realm=None)
        pool_cfg_mock = _gen_pool_config()
        used_realms = realms.check_tasks_act_as(task_request_mock,
                                                pool_cfg_mock, False)
        self.assertFalse(used_realms)
        self._has_permission_dryrun_mock.assert_not_called()

    def test_check_tasks_act_as_legacy_allowed_with_realm(self):
        self.mock(task_scheduler, '_is_allowed_service_account',
                  lambda *_: True)
        task_request_mock = _gen_task_request_mock(realm='test:realm')
        pool_cfg_mock = _gen_pool_config()
        used_realms = realms.check_tasks_act_as(task_request_mock,
                                                pool_cfg_mock, False)
        self.assertFalse(used_realms)
        self._has_permission_dryrun_mock.assert_called_once_with(
            _PERM_TASKS_ACT_AS, [u'test:realm'],
            True,
            identity=_TASK_SERVICE_ACCOUNT_IDENTITY,
            tracking_bug=realms._TRACKING_BUG)

    def test_check_tasks_act_as_legacy_not_allowed(self):
        self.mock(task_scheduler, '_is_allowed_service_account',
                  lambda *_: False)
        task_request_mock = _gen_task_request_mock(realm=None)
        pool_cfg_mock = _gen_pool_config()
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_act_as(task_request_mock, pool_cfg_mock, False)

    def test_check_tasks_act_as_enforced_allowed(self):
        self._has_permission_mock.return_value = True
        task_request_mock = _gen_task_request_mock(realm='test:realm')
        pool_cfg_mock = _gen_pool_config()
        used_realms = realms.check_tasks_act_as(task_request_mock,
                                                pool_cfg_mock, True)
        self.assertTrue(used_realms)
        self._has_permission_mock.assert_called_once_with(
            _PERM_TASKS_ACT_AS, [u'test:realm'],
            identity=_TASK_SERVICE_ACCOUNT_IDENTITY)

    def test_check_tasks_act_as_enforced_no_realm(self):
        self._has_permission_mock.return_value = False
        task_request_mock = _gen_task_request_mock(realm=None)
        pool_cfg_mock = _gen_pool_config(enforced_realm_permissions=[
            realms_pb2.REALM_PERMISSION_TASKS_ACT_AS
        ])
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_act_as(task_request_mock, pool_cfg_mock, True)
        self._has_permission_mock.assert_not_called()

    def test_check_tasks_act_as_enforced_not_allowed(self):
        self.mock(realms, 'is_enforced_permission', lambda *_: True)
        self._has_permission_mock.return_value = False
        task_request_mock = _gen_task_request_mock(realm='test:realm')
        pool_cfg_mock = _gen_pool_config()
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_act_as(task_request_mock, pool_cfg_mock, True)
        self._has_permission_mock.assert_called_once_with(
            _PERM_TASKS_ACT_AS, [u'test:realm'],
            identity=_TASK_SERVICE_ACCOUNT_IDENTITY)

    def test_check_bot_get_acl_with_global_permission(self):
        self.mock(acl, 'can_view_bot', lambda: True)

        realms.check_bot_get_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_bot_get_acl_allowed(self):
        # mock
        self.mock(acl, 'can_view_bot', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        realms.check_bot_get_acl('bot1')
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_LIST_BOTS, ['test:pool1', 'test:pool2'],
            identity=auth.get_current_identity())

    def test_check_bot_get_acl_not_allowed(self):
        # mock
        self.mock(acl, 'can_view_bot', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = False

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bot_get_acl('bot1')
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_LIST_BOTS, ['test:pool1', 'test:pool2'],
            identity=auth.get_current_identity())

    def test_check_bot_get_acl_no_bot(self):
        self.mock(acl, 'can_view_bot', lambda: False)
        with self.assertRaises(endpoints.NotFoundException):
            realms.check_bot_get_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_bot_get_acl_no_realms(self):
        # mock
        self.mock(acl, 'can_view_bot', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        get_pool_config = lambda p: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bot_get_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_bot_get_acl_no_pool_cfg(self):
        # mock
        self.mock(acl, 'can_view_bot', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        self.mock(pools_config, 'get_pool_config', lambda _: None)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bot_get_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_bots_list_acl_with_global_permission(self):
        self.mock(acl, 'can_view_bot', lambda: True)

        realms.check_bots_list_acl(None)
        self._has_permission_mock.assert_not_called()

    def test_check_bots_list_acl_realm_allowed(self):
        # mock
        self.mock(acl, 'can_view_bot', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        realms.check_bots_list_acl(['pool1', 'pool2'])
        for pool_realm in ['test:pool1', 'test:pool2']:
            self._has_permission_mock.assert_any_call(
                _PERM_POOLS_LIST_BOTS, [pool_realm],
                identity=auth.get_current_identity())

    def test_check_bots_list_acl_realm_not_allowed(self):
        # mock
        self.mock(acl, 'can_view_bot', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = False

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bots_list_acl(['pool1', 'pool2'])
        # it checks only the first realm and fails.
        self._has_permission_mock.assert_any_call(
            _PERM_POOLS_LIST_BOTS, ['test:pool1'],
            identity=auth.get_current_identity())

    def test_check_bots_list_acl_realm_missing_any_permission(self):
        # mock
        self.mock(acl, 'can_view_bot', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.side_effect = [True, False]

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bots_list_acl(['pool1', 'pool2'])
        for pool_realm in ['test:pool1', 'test:pool2']:
            self._has_permission_mock.assert_any_call(
                _PERM_POOLS_LIST_BOTS, [pool_realm],
                identity=auth.get_current_identity())

    def test_check_bots_list_acl_realm_no_pool_dimension(self):
        # mock
        self.mock(acl, 'can_view_bot', lambda: False)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bots_list_acl(None)
        self._has_permission_mock.assert_not_called()

    def test_check_bots_list_acl_realm_no_pool_realms(self):
        # mock
        self.mock(acl, 'can_view_bot', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bots_list_acl(['pool1', 'pool2'])
        self._has_permission_mock.assert_not_called()

    def test_check_bots_list_acl_realm_unknown_pool(self):
        # mock
        self.mock(acl, 'can_view_bot', lambda: False)
        self.mock(pools_config, 'get_pool_config', lambda _: None)

        # call
        with self.assertRaises(endpoints.BadRequestException):
            realms.check_bots_list_acl(['unknown'])
        self._has_permission_mock.assert_not_called()

    def test_can_list_bots(self):
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # True case.
        self.mock(acl, 'can_view_bot', lambda: True)
        self.assertTrue(realms.can_list_bots('pool1'))
        self.mock(acl, 'can_view_bot', lambda: False)
        self._has_permission_mock.return_value = True
        self.assertTrue(realms.can_list_bots('pool1'))

        # False case.
        self._has_permission_mock.return_value = False
        self.assertFalse(realms.can_list_bots('pool1'))

    def test_check_task_get_acl_with_global_permission(self):
        self.mock(acl, 'can_view_task', lambda _: True)

        realms.check_task_get_acl(None)
        self._has_permission_mock.assert_not_called()

    def test_check_task_get_acl_no_pool_cfg(self):
        # mock
        self.mock(acl, 'can_view_task', lambda _: False)
        self.mock(pools_config, 'get_pool_config', lambda _: None)

        # call
        task = _gen_task_request_mock(pool='pool1')
        with self.assertRaises(endpoints.InternalServerErrorException):
            realms.check_task_get_acl(task)
        self._has_permission_mock.assert_not_called()

    def test_check_task_get_acl_no_pool_realm(self):
        # mock
        self.mock(acl, 'can_view_task', lambda _: False)
        get_pool_config = lambda p: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._mock_bot(['pool:pool1'])

        # call
        task = _gen_task_request_mock(pool='pool1', bot_id='bot1', realm=None)
        with self.assertRaises(auth.AuthorizationError):
            realms.check_task_get_acl(task)
        self._has_permission_mock.assert_not_called()

    def test_check_task_get_acl_allowed_by_task_pool_permission(self):
        # mock
        self.mock(acl, 'can_view_task', lambda _: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = True

        # call
        task = _gen_task_request_mock(pool='pool1')
        realms.check_task_get_acl(task)
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_LIST_TASKS, ['test:pool1'])

    def test_check_task_get_acl_allowed_by_bot_pool_permission(self):
        # mock
        self.mock(acl, 'can_view_task', lambda _: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        self._has_permission_mock.return_value = True

        # call
        task = _gen_task_request_mock(bot_id='bot1')
        realms.check_task_get_acl(task)
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_LIST_TASKS, ['test:pool1', 'test:pool2'])

    def test_check_task_get_acl_allowed_by_task_permission(self):
        # mock
        self.mock(acl, 'can_view_task', lambda _: False)
        get_pool_config = lambda _: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = True

        # call
        task = _gen_task_request_mock(realm='test:realm')
        realms.check_task_get_acl(task)
        self._has_permission_mock.assert_called_once_with(
            _PERM_TASKS_GET, ['test:realm'])

    def test_check_task_get_acl_not_allowed(self):
        # mock
        self.mock(acl, 'can_view_task', lambda _: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        self._has_permission_mock.return_value = False

        # call
        with self.assertRaises(auth.AuthorizationError):
            task = _gen_task_request_mock(pool='pool1',
                                          bot_id='bot1',
                                          realm='test:realm')
            realms.check_task_get_acl(task)
        self._has_permission_mock.assert_any_call(_PERM_POOLS_LIST_TASKS,
                                                  ['test:pool1'])
        self._has_permission_mock.assert_any_call(_PERM_POOLS_LIST_TASKS,
                                                  ['test:pool1', 'test:pool2'])
        self._has_permission_mock.assert_any_call(_PERM_TASKS_GET,
                                                  ['test:realm'])

    def test_check_task_cancel_acl_with_global_permission(self):
        self.mock(acl, 'can_edit_task', lambda _: True)

        realms.check_task_cancel_acl(None)
        self._has_permission_mock.assert_not_called()

    def test_check_task_cancel_acl_no_pool_cfg(self):
        # mock
        self.mock(acl, 'can_edit_task', lambda _: False)
        self.mock(pools_config, 'get_pool_config', lambda _: None)

        # call
        task = _gen_task_request_mock(pool='pool1')
        with self.assertRaises(endpoints.InternalServerErrorException):
            realms.check_task_cancel_acl(task)
        self._has_permission_mock.assert_not_called()

    def test_check_task_cancel_acl_no_pool_realm(self):
        # mock
        self.mock(acl, 'can_edit_task', lambda _: False)
        get_pool_config = lambda p: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._mock_bot(['pool:pool1'])

        # call
        task = _gen_task_request_mock(pool='pool1', bot_id='bot1', realm=None)
        with self.assertRaises(auth.AuthorizationError):
            realms.check_task_cancel_acl(task)
        self._has_permission_mock.assert_not_called()

    def test_check_task_cancel_acl_allowed_by_task_pool_permission(self):
        # mock
        self.mock(acl, 'can_edit_task', lambda _: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = True

        # call
        realms.check_task_cancel_acl(_gen_task_request_mock(pool='pool1'))
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_CANCEL_TASK, ['test:pool1'])

    def test_check_task_cancel_acl_allowed_by_bot_pool_permission(self):
        # mock
        self.mock(acl, 'can_edit_task', lambda _: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        self._has_permission_mock.return_value = True

        # call
        realms.check_task_cancel_acl(_gen_task_request_mock(bot_id='bot1'))
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_CANCEL_TASK, ['test:pool1', 'test:pool2'])

    def test_check_task_cancel_acl_allowed_by_task_permission(self):
        # mock
        self.mock(acl, 'can_edit_task', lambda _: False)
        get_pool_config = lambda _: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = True

        # call
        realms.check_task_cancel_acl(
            _gen_task_request_mock(realm='test:realm'))
        self._has_permission_mock.assert_called_once_with(
            _PERM_TASKS_CANCEL, ['test:realm'])

    def test_check_task_cancel_acl_not_allowed(self):
        # mock
        self.mock(acl, 'can_edit_task', lambda _: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        self._has_permission_mock.return_value = False

        # call
        with self.assertRaises(auth.AuthorizationError):
            task = _gen_task_request_mock(pool='pool1',
                                          bot_id='bot1',
                                          realm='test:realm')
            realms.check_task_cancel_acl(task)
        self._has_permission_mock.assert_any_call(_PERM_POOLS_CANCEL_TASK,
                                                  ['test:pool1'])
        self._has_permission_mock.assert_any_call(_PERM_POOLS_CANCEL_TASK,
                                                  ['test:pool1', 'test:pool2'])
        self._has_permission_mock.assert_any_call(_PERM_TASKS_CANCEL,
                                                  ['test:realm'])

    def test_can_cancel_task(self):
        # True case
        self.mock(acl, 'can_edit_task', lambda _: True)
        self.assertTrue(realms.can_cancel_task(None))

        # False case
        self.mock(acl, 'can_edit_task', lambda _: False)
        get_pool_config = lambda _: _gen_pool_config(realm='test:pool')
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = False
        self.assertFalse(
            realms.can_cancel_task(_gen_task_request_mock(realm='test:realm')))

    def test_can_cancel_task_no_pool_cfg(self):
        self.mock(acl, 'can_edit_task', lambda _: False)
        self.mock(pools_config, 'get_pool_config', lambda _: None)
        self.assertFalse(
            realms.can_cancel_task(_gen_task_request_mock(pool='pool1')))

    def test_check_tasks_list_acl_with_global_permission(self):
        self.mock(acl, 'can_view_all_tasks', lambda: True)

        realms.check_tasks_list_acl(None)
        self._has_permission_mock.assert_not_called()

    def test_check_tasks_list_acl_realm_allowed(self):
        # mock
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        realms.check_tasks_list_acl(['pool1', 'pool2'])
        for pool_realm in ['test:pool1', 'test:pool2']:
            self._has_permission_mock.assert_any_call(
                _PERM_POOLS_LIST_TASKS, [pool_realm],
                identity=auth.get_current_identity())

    def test_check_tasks_list_acl_realm_not_allowed(self):
        # mock
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = False

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_list_acl(['pool1', 'pool2'])
        # it checks only the first realm and fails.
        self._has_permission_mock.assert_any_call(
            _PERM_POOLS_LIST_TASKS, ['test:pool1'],
            identity=auth.get_current_identity())

    def test_check_tasks_list_acl_realm_missing_any_permission(self):
        # mock
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.side_effect = [True, False]

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_list_acl(['pool1', 'pool2'])
        for pool_realm in ['test:pool1', 'test:pool2']:
            self._has_permission_mock.assert_any_call(
                _PERM_POOLS_LIST_TASKS, [pool_realm],
                identity=auth.get_current_identity())

    def test_check_tasks_list_acl_realm_no_pool_dimension(self):
        # mock
        self.mock(acl, 'can_view_all_tasks', lambda: False)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_list_acl(None)
        self._has_permission_mock.assert_not_called()

    def test_check_tasks_list_acl_realm_no_pool_realms(self):
        # mock
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_list_acl(['pool1', 'pool2'])
        self._has_permission_mock.assert_not_called()

    def test_check_tasks_list_acl_realm_unknown_pool(self):
        # mock
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        self.mock(pools_config, 'get_pool_config', lambda _: None)

        # call
        with self.assertRaises(endpoints.BadRequestException):
            realms.check_tasks_list_acl(['unknown'])
        self._has_permission_mock.assert_not_called()

    def test_can_list_tasks(self):
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # True case.
        self.mock(acl, 'can_view_all_tasks', lambda: True)
        self.assertTrue(realms.can_list_tasks('pool1'))
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        self._has_permission_mock.return_value = True
        self.assertTrue(realms.can_list_tasks('pool1'))

        # False case.
        self._has_permission_mock.return_value = False
        self.assertFalse(realms.can_list_tasks('pool1'))

    def test_check_bot_tasks_acl_with_global_permission(self):
        self.mock(acl, 'can_view_all_tasks', lambda: True)

        realms.check_bot_tasks_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_bot_tasks_acl_allowed(self):
        # mock
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        realms.check_bot_tasks_acl('bot1')
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_LIST_TASKS, ['test:pool1', 'test:pool2'],
            identity=auth.get_current_identity())

    def test_check_bot_tasks_acl_not_allowed(self):
        # mock
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = False

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bot_tasks_acl('bot1')
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_LIST_TASKS, ['test:pool1', 'test:pool2'],
            identity=auth.get_current_identity())

    def test_check_bot_tasks_acl_no_bot(self):
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        with self.assertRaises(endpoints.NotFoundException):
            realms.check_bot_tasks_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_bot_tasks_acl_no_realms(self):
        # mock
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        get_pool_config = lambda p: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bot_tasks_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_bot_tasks_acl_no_pool_cfg(self):
        # mock
        self.mock(acl, 'can_view_all_tasks', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        self.mock(pools_config, 'get_pool_config', lambda _: None)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bot_tasks_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_tasks_cancel_acl_with_global_permission(self):
        self.mock(acl, 'can_edit_all_tasks', lambda: True)

        realms.check_tasks_cancel_acl(None)
        self._has_permission_mock.assert_not_called()

    def test_check_tasks_cancel_acl_realm_allowed(self):
        # mock
        self.mock(acl, 'can_edit_all_tasks', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        realms.check_tasks_cancel_acl(['pool1', 'pool2'])
        for pool_realm in ['test:pool1', 'test:pool2']:
            self._has_permission_mock.assert_any_call(
                _PERM_POOLS_CANCEL_TASK, [pool_realm],
                identity=auth.get_current_identity())

    def test_check_tasks_cancel_acl_realm_not_allowed(self):
        # mock
        self.mock(acl, 'can_edit_all_tasks', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = False

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_cancel_acl(['pool1', 'pool2'])
        # it checks only the first realm and fails.
        self._has_permission_mock.assert_any_call(
            _PERM_POOLS_CANCEL_TASK, ['test:pool1'],
            identity=auth.get_current_identity())

    def test_check_tasks_cancel_acl_realm_missing_any_permission(self):
        # mock
        self.mock(acl, 'can_edit_all_tasks', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.side_effect = [True, False]

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_cancel_acl(['pool1', 'pool2'])
        for pool_realm in ['test:pool1', 'test:pool2']:
            self._has_permission_mock.assert_any_call(
                _PERM_POOLS_CANCEL_TASK, [pool_realm],
                identity=auth.get_current_identity())

    def test_check_tasks_cancel_acl_realm_no_pool_dimension(self):
        # mock
        self.mock(acl, 'can_edit_all_tasks', lambda: False)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_cancel_acl(None)
        self._has_permission_mock.assert_not_called()

    def test_check_tasks_cancel_acl_realm_no_pool_realms(self):
        # mock
        self.mock(acl, 'can_edit_all_tasks', lambda: False)
        get_pool_config = lambda p: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_tasks_cancel_acl(['pool1', 'pool2'])
        self._has_permission_mock.assert_not_called()

    def test_check_tasks_cancel_acl_realm_unknown_pool(self):
        # mock
        self.mock(acl, 'can_edit_all_tasks', lambda: False)
        self.mock(pools_config, 'get_pool_config', lambda _: None)

        # call
        with self.assertRaises(endpoints.BadRequestException):
            realms.check_tasks_cancel_acl(['unknown'])
        self._has_permission_mock.assert_not_called()

    def test_can_cancel_tasks(self):
        # True case
        self.mock(acl, 'can_edit_all_tasks', lambda: True)
        self.assertTrue(realms.can_cancel_tasks(['pool1', 'pool2']))

        # False case
        get_pool_config = lambda p: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self.mock(acl, 'can_edit_all_tasks', lambda: False)
        self.assertFalse(realms.can_cancel_tasks(['pool1', 'pool2']))

    def test_check_bot_terminate_acl_with_global_permission(self):
        self.mock(acl, 'can_edit_bot', lambda: True)

        realms.check_bot_terminate_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_bot_terminate_acl_allowed(self):
        # mock
        self.mock(acl, 'can_edit_bot', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        realms.check_bot_terminate_acl('bot1')
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_TERMINATE_BOT, ['test:pool1', 'test:pool2'],
            identity=auth.get_current_identity())

    def test_check_bot_terminate_acl_not_allowed(self):
        # mock
        self.mock(acl, 'can_edit_bot', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        get_pool_config = lambda p: _gen_pool_config(realm='test:' + p)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self._has_permission_mock.return_value = False

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bot_terminate_acl('bot1')
        self._has_permission_mock.assert_called_once_with(
            _PERM_POOLS_TERMINATE_BOT, ['test:pool1', 'test:pool2'],
            identity=auth.get_current_identity())

    def test_check_bot_terminate_acl_no_bot(self):
        self.mock(acl, 'can_edit_bot', lambda: False)
        with self.assertRaises(endpoints.NotFoundException):
            realms.check_bot_terminate_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_bot_terminate_acl_no_realms(self):
        # mock
        self.mock(acl, 'can_edit_bot', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        get_pool_config = lambda p: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bot_terminate_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_check_bot_terminate_acl_no_pool_cfg(self):
        # mock
        self.mock(acl, 'can_edit_bot', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        self.mock(pools_config, 'get_pool_config', lambda _: None)

        # call
        with self.assertRaises(auth.AuthorizationError):
            realms.check_bot_terminate_acl('bot1')
        self._has_permission_mock.assert_not_called()

    def test_can_terminate_bot(self):
        # True case
        self.mock(acl, 'can_edit_bot', lambda: True)
        self.assertTrue(realms.can_terminate_bot('bot1'))

        # False case
        self.mock(acl, 'can_edit_bot', lambda: False)
        self._mock_bot(['pool:pool1', 'pool:pool2'])
        get_pool_config = lambda p: _gen_pool_config(realm=None)
        self.mock(pools_config, 'get_pool_config', get_pool_config)
        self.assertFalse(realms.can_terminate_bot('bot1'))