def test_child_role_deletion(acl):
# create unrelated parent and child
acl.add_role('unrelated')
acl.add_role('unrelated', ['spawn'])
acl.allow('unrelated', 'view', 'news')
assert 'unrelated' in str(acl._children)
assert 'spawn' in str(acl._children)
# create parent and child, that we care about
acl.add_role('daddy')
acl.allow('daddy', 'view', 'news')
assert 'daddy' not in str(acl._children)
acl.add_role('kiddo', ['daddy'])
assert 'daddy' in str(acl._children)
assert 'kiddo' in str(acl._children)
assert acl.is_allowed('kiddo', 'view', 'news')
# ensure we can't delete a father who has a dependent child
with pytest.raises(AssertionError):
acl.delete_role('daddy')
# delete child role
acl.delete_role('kiddo')
assert 'kiddo' not in str(acl._children)
assert acl.is_allowed('daddy', 'view', 'news')
# ensure we CAN delete a father with no dependent children
acl.delete_role('daddy')
with pytest.raises(AssertionError):
acl.is_allowed('daddy', 'view', 'news')
# make sure those unrelated father and child remain
assert 'unrelated' in str(acl._children)
assert 'spawn' in str(acl._children)
def test_remove_allow(acl):
only_default_allowed = dict(acl._allowed)
acl.allow('writer', 'new', 'news')
allowed_after_allowing_writer = dict(acl._allowed)
assert only_default_allowed != allowed_after_allowing_writer
assert acl.is_allowed('writer', 'new', 'news')
acl.remove_allow('writer', 'new', 'news')
allowed_after_removing_allowing_writer = dict(acl._allowed)
assert allowed_after_removing_allowing_writer == only_default_allowed
assert not acl.is_allowed('writer', 'new', 'news')
def test_remove_deny(acl):
acl.add_role('spy')
only_default_denied = dict(acl._denied)
acl.deny('spy', 'view', 'news')
denied_after_denying_spy = dict(acl._denied)
assert only_default_denied != denied_after_denying_spy
assert not acl.is_allowed('spy', 'view', 'news')
acl.remove_deny('spy', 'view', 'news')
denied_after_removing_deny_spy = dict(acl._denied)
assert denied_after_removing_deny_spy == only_default_denied
assert not acl.is_allowed('spy', 'view',
'news') # this should still not be allowed
def test_undefined(acl):
# test denied undefined rule
roles = ['user', 'actived_user', 'writer', 'manager', 'editor']
for resource in ['comment', 'post', 'news', 'infor', 'event']:
for role in roles:
assert not acl.is_allowed(role, 'x', resource)
assert not acl.is_allowed(role, '', resource)
assert not acl.is_allowed(role, None, resource)
assert not acl.is_any_allowed(roles, 'x', resource)
assert not acl.is_any_allowed(roles, '', resource)
assert not acl.is_any_allowed(roles, None, resource)
# test `None` defined rule
for resource in ['comment', 'post', 'news', 'infor', 'event', None]:
for op in ['undefined', 'x', '', None]:
assert acl.is_allowed('super', op, resource)
def test_undefined(acl):
# test denied undefined rule
roles = ['user', 'actived_user', 'writer', 'manager', 'editor']
for resource in ['comment', 'post', 'news', 'infor', 'event']:
for role in roles:
assert not acl.is_allowed(role, 'x', resource)
assert not acl.is_allowed(role, '', resource)
assert not acl.is_allowed(role, None, resource)
assert not acl.is_any_allowed(roles, 'x', resource)
assert not acl.is_any_allowed(roles, '', resource)
assert not acl.is_any_allowed(roles, None, resource)
# test `None` defined rule
for resource in ['comment', 'post', 'news', 'infor', 'event', None]:
for op in ['undefined', 'x', '', None]:
assert acl.is_allowed('super', op, resource)
def test_assertion(acl):
# set up assertion
db = {'newsid': 1}
def check(acl, role, operation, resource):
return db['newsid'] == 10
assertion = check
# set up rules
acl.add_role('writer2', parents=['writer'])
acl.allow('writer', 'edit', 'news', assertion)
acl.allow('manager', 'edit', 'news')
# test while assertion is invalid
assert not acl.is_allowed('writer', 'edit', 'news')
assert not acl.is_allowed('writer2', 'edit', 'news')
assert acl.is_allowed('manager', 'edit', 'news')
assert acl.is_allowed('editor', 'edit', 'news')
# test while assertion is valid
db['newsid'] = 10
assert acl.is_allowed('writer', 'edit', 'news')
assert acl.is_allowed('editor', 'edit', 'news')
assert acl.is_allowed('manager', 'edit', 'news')
def test_assertion(acl):
# set up assertion
db = {'newsid': 1}
def check(acl, role, operation, resource):
return db['newsid'] == 10
assertion = check
# set up rules
acl.add_role('writer2', parents=['writer'])
acl.allow('writer', 'edit', 'news', assertion)
acl.allow('manager', 'edit', 'news')
# test while assertion is invalid
assert not acl.is_allowed('writer', 'edit', 'news')
assert not acl.is_allowed('writer2', 'edit', 'news')
assert acl.is_allowed('manager', 'edit', 'news')
assert acl.is_allowed('editor', 'edit', 'news')
# test while assertion is valid
db['newsid'] = 10
assert acl.is_allowed('writer', 'edit', 'news')
assert acl.is_allowed('editor', 'edit', 'news')
assert acl.is_allowed('manager', 'edit', 'news')
def test_delete_role_with_child_roles_fails(acl):
acl.add_role('nonspy') # our control who should remain unaffected
acl.allow('nonspy', 'view', 'news')
acl.deny('nonspy', 'edit', 'news')
acl.add_role('spy')
acl.add_role('childspy', ['spy']) # should prevent deletion
acl.allow('spy', 'view', 'news')
acl.deny('spy', 'edit', 'news')
assert acl.is_allowed('spy', 'view', 'news')
assert not acl.is_allowed('spy', 'edit', 'news')
# as it has a child role it should assert
with pytest.raises(AssertionError):
acl.delete_role('spy')
# nonspy should be unaffected by all this
assert acl.is_allowed('nonspy', 'view', 'news')
assert not acl.is_allowed('nonspy', 'edit', 'news')
def test_deny(acl):
# add allowed rule and denied rule
acl.allow('actived_user', 'new', 'comment')
acl.deny('manager', 'new', 'comment')
# test allowed rules
roles = ['actived_user', 'writer']
for role in roles:
assert acl.is_allowed(role, 'new', 'comment')
assert acl.is_any_allowed(roles, 'new', 'comment')
# test denied rules
roles = ['manager', 'editor']
for role in roles:
assert not acl.is_allowed(role, 'new', 'comment')
assert not acl.is_any_allowed(roles, 'new', 'comment')
def test_deny(acl):
# add allowed rule and denied rule
acl.allow('actived_user', 'new', 'comment')
acl.deny('manager', 'new', 'comment')
# test allowed rules
roles = ['actived_user', 'writer']
for role in roles:
assert acl.is_allowed(role, 'new', 'comment')
assert acl.is_any_allowed(roles, 'new', 'comment')
# test denied rules
roles = ['manager', 'editor']
for role in roles:
assert not acl.is_allowed(role, 'new', 'comment')
assert not acl.is_any_allowed(roles, 'new', 'comment')
def test_delete_role(acl):
acl.add_role('nonspy') # our control who should remain unaffected
acl.allow('nonspy', 'view', 'news')
acl.deny('nonspy', 'edit', 'news')
acl.add_role('spy')
acl.allow('spy', 'view', 'news')
acl.deny('spy', 'edit', 'news')
assert acl.is_allowed('spy', 'view', 'news')
assert not acl.is_allowed('spy', 'edit', 'news')
# oh no! we found a spy! remove them!
acl.delete_role('spy')
# as the role no longer exists it should raise an assertion
with pytest.raises(AssertionError):
assert not acl.is_allowed('spy', 'view', 'news')
with pytest.raises(AssertionError):
assert not acl.is_allowed('spy', 'edit', 'news')
# as an extra check let's make sure we don't see any orphaned
# rules for 'spy' in _allowed or _denied
for rule_list in (acl._allowed, acl._denied):
for rule in rule_list:
assert rule[0] != 'spy'
# nonspy should be unaffected by all this
assert acl.is_allowed('nonspy', 'view', 'news')
assert not acl.is_allowed('nonspy', 'edit', 'news')
def test_allow(acl):
# add allowed rules
acl.allow('actived_user', 'view', 'news')
acl.allow('writer', 'new', 'news')
# test 'view' operation
roles = ['actived_user', 'writer', 'manager', 'editor']
for role in roles:
for resource in ['news', 'event']:
assert acl.is_allowed(role, 'view', resource)
for resource in ['post', 'infor']:
assert not acl.is_allowed(role, 'view', resource)
for resource in ['news', 'event']:
assert acl.is_any_allowed(roles, 'view', resource)
for resource in ['post', 'infor']:
assert not acl.is_any_allowed(roles, 'view', resource)
for resource in ['post', 'news', 'infor', 'event']:
assert not acl.is_allowed('user', 'view', resource)
assert acl.is_allowed('super', 'view', resource)
assert acl.is_allowed('super', 'new', resource)
assert acl.is_any_allowed(['user', 'super'], 'view', resource)
# test 'new' operation
roles = ['writer', 'editor']
for role in roles:
for resource in ['news', 'event']:
assert acl.is_allowed(role, 'new', resource)
for resource in ['post', 'infor']:
assert not acl.is_allowed(role, 'new', resource)
for resource in ['news', 'event']:
assert acl.is_any_allowed(roles, 'new', resource)
for resource in ['post', 'infor']:
assert not acl.is_any_allowed(roles, 'new', resource)
roles = ['user', 'manager']
for role in roles:
for resource in ['news', 'event', 'post', 'infor']:
assert not acl.is_allowed(role, 'new', resource)
for resource in ['news', 'event', 'post', 'infor']:
assert not acl.is_any_allowed(roles, 'new', resource)
def test_allow(acl):
# add allowed rules
acl.allow('actived_user', 'view', 'news')
acl.allow('writer', 'new', 'news')
# test 'view' operation
roles = ['actived_user', 'writer', 'manager', 'editor']
for role in roles:
for resource in ['news', 'event']:
assert acl.is_allowed(role, 'view', resource)
for resource in ['post', 'infor']:
assert not acl.is_allowed(role, 'view', resource)
for resource in ['news', 'event']:
assert acl.is_any_allowed(roles, 'view', resource)
for resource in ['post', 'infor']:
assert not acl.is_any_allowed(roles, 'view', resource)
for resource in ['post', 'news', 'infor', 'event']:
assert not acl.is_allowed('user', 'view', resource)
assert acl.is_allowed('super', 'view', resource)
assert acl.is_allowed('super', 'new', resource)
assert acl.is_any_allowed(['user', 'super'], 'view', resource)
# test 'new' operation
roles = ['writer', 'editor']
for role in roles:
for resource in ['news', 'event']:
assert acl.is_allowed(role, 'new', resource)
for resource in ['post', 'infor']:
assert not acl.is_allowed(role, 'new', resource)
for resource in ['news', 'event']:
assert acl.is_any_allowed(roles, 'new', resource)
for resource in ['post', 'infor']:
assert not acl.is_any_allowed(roles, 'new', resource)
roles = ['user', 'manager']
for role in roles:
for resource in ['news', 'event', 'post', 'infor']:
assert not acl.is_allowed(role, 'new', resource)
for resource in ['news', 'event', 'post', 'infor']:
assert not acl.is_any_allowed(roles, 'new', resource)
def get(self, request, action, *args, **kwargs):
acl = rbac.acl.Registry()
if action == 'generate-roles':
print 'Generating roles...'
acl.add_role("InternUsers")
print "\t Added Role: InternUsers"
acl.add_role("Directors",["InternUsers"])
print "\t Added Role: Directors"
acl.add_role("Writers",["InternUsers"])
print "\t Added Role: Writers"
acl.add_role("Auditors",["InternUsers"])
print "\t Added Role: Auditors"
acl.add_role("ExternUsers")
print "\t Added Role: ExternUsers"
print "\t\t[Done]"
#TODO [POM] Agregar usuarios creados a roles como hojas del arbol
elif action == 'generate-resources':
print 'Generating resources...'
acl.add_resource("noticia")
print "\t Added Resource: Noticia"
noticias = Noticia.objects.all()
for noticia in noticias:
acl.add_resource("noticia-"+noticia.title, ["noticia"])
print "\t Added Resource: noticia-%s" % noticia.title
print "\t\t[Done]"
elif action == 'generate-rules':
print 'Generating rules...'
acl.allow("InternUsers","read","noticia")
print "\tInternUsers can read noticia"
acl.allow("Writers","write","noticia")
print "\tWriters can write noticia"
acl.allow("Auditors","update","noticia")
print "\tAuditors can update noticia"
acl.allow("Auditors","delete","noticia")
print "\tAuditors can delete noticia"
acl.deny("ExternUsers","write","noticia")
print "\tExternUsers can not write noticia"
acl.deny("ExternUsers","update","noticia")
print "\tExternUsers can not update noticia"
acl.deny("ExternUsers","delete","noticia")
print "\tExternUsers can not delete noticia"
print "\t\t[Done]"
#TODO [POM] Permitir a usuarios que compartan la misma revista, que compartan el mismo permiso
elif action == 'test-onthefly':
print 'Generating roles...'
acl.add_role("InternUsers")
print "\t Added Role: InternUsers"
acl.add_role("Directors",["InternUsers"])
print "\t Added Role: Directors"
acl.add_role("Writers",["InternUsers"])
print "\t Added Role: Writers"
acl.add_role("Auditors",["InternUsers"])
print "\t Added Role: Auditors"
acl.add_role("ExternUsers")
print "\t Added Role: ExternUsers"
print "\t\t[Done]"
print 'Generating resources...'
acl.add_resource("noticia")
print "\t Added Resource: Noticia"
noticias = Noticia.objects.all()
for noticia in noticias:
acl.add_resource("noticia-"+noticia.title, ["noticia"])
print "\t Added Resource: noticia-%s" % noticia.title
print "\t\t[Done]"
print 'Generating rules...'
acl.allow("InternUsers","read","noticia")
print "\tInternUsers can read noticia"
acl.allow("Writers","write","noticia")
print "\tWriters can write noticia"
acl.allow("Auditors","update","noticia")
print "\tAuditors can update noticia"
acl.allow("Auditors","delete","noticia")
print "\tAuditors can delete noticia"
acl.deny("ExternUsers","write","noticia")
print "\tExternUsers can not write noticia"
acl.deny("ExternUsers","update","noticia")
print "\tExternUsers can not update noticia"
acl.deny("ExternUsers","delete","noticia")
print "\tExternUsers can not delete noticia"
print "\t\t[Done]"
if acl.is_allowed("Auditors","write","noticia"):
print "Auditors can write noticia"
else:
print "Auditors can not write noticia"
else:
print 'Command unknown.'
return super(RoleManager,self).get(self,request,*args,**kwargs)
# set rules
acl.allow("viewer", "access", "register")
acl.allow("viewer", "access", "user_login")
acl.allow("user", "access", "user_search")
acl.allow("user", "access", "make_transaction")
acl.allow("user", "access", "user_profile_view")
acl.allow("user", "access", "user_profile")
acl.allow("user", "access", "show_notification")
acl.allow("user", "access", "delete_account")
acl.allow("user", "access", "add_notification")
acl.allow("user", "access", "move_notification")
acl.allow("user", "access", "logout")
if (__name__ == "__main__"):
# use acl to check permission
if acl.is_allowed("viewer", "access", "register"):
print("Viewer can access register.")
else:
print("Viewer cannnot access register.")
# use acl to check permission
if acl.is_allowed("viewer", "access", "user_search"):
print("Viewer can access user_search.")
else:
print("Viewer cannnot access user_search.")
# use acl to check permission again
if acl.is_allowed("user", "access", "user_search"):
print("user can access user_search.")
else:
print("user cannnot access user_search.")
# -*- coding: utf-8 -*- # __author__: musibii # __file__ : test1.py # __time__ : 2020/4/29 11:05 上午 import rbac.acl acl = rbac.acl.Registry() acl.add_role() acl.add_resource(acl) acl.allow() acl.deny() acl.is_allowed()
# create access control list
acl = rbac.acl.Registry()
# add roles
acl.add_role("member")
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])
# add resources
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])
# set rules
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")
# use acl to check permission
if acl.is_allowed("student", "view", "course"):
print("Students chould view courses.")
else:
print("Students chould not view courses.")
# use acl to check permission again
if acl.is_allowed("junior-student", "learn", "senior-course"):
print("Junior students chould learn senior courses.")
else:
print("Junior students chould not learn senior courses.")
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])
# add resources
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])
# set rules
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")
# use acl to check permission
if acl.is_allowed("student", "view", "course"):
print("Students chould view courses.")
else:
print("Students chould not view courses.")
# use acl to check permission again
if acl.is_allowed("junior-student", "learn", "senior-course"):
print("Junior students chould learn senior courses.")
else:
print("Junior students chould not learn senior courses.")
########NEW FILE########
__FILENAME__ = context
#!/usr/bin/env python
#-*- coding:utf-8 -*-