def policy_creation_should_fail(admin_client: ADCMClient, role: Role, adcm_object: AnyADCMObject, user: User):
"""Try to create policy based on given role and expect creation to fail"""
with allure.step(f'Create policy based on role "{role.display_name}" and expect it to fail'):
policy_name = f'Test role {random_string(5)}'
with pytest.raises(ErrorMessage) as e:
admin_client.policy_create(name=policy_name, role=role, objects=[adcm_object], user=[user])
BAD_REQUEST.equal(e, f'Role with type "{role.type}" could not be used in policy')
def create_action_policy(
client: ADCMClient,
adcm_object: Union[AnyADCMObject, List[AnyADCMObject]],
*business_roles: BusinessRole,
user=None,
group=None,
) -> Policy:
"""Create policy based on business roles"""
if not (user or group):
raise ValueError(
"Either user or group should be provided to create policy")
user = user or []
group = group or []
child_roles = [{
'id': client.role(name=role.role_name).id
} for role in business_roles]
role_name = f"Test Action Role {random_string(6)}"
action_parent_role = client.role_create(name=role_name,
display_name=role_name,
child=child_roles)
return client.policy_create(
name=f"Test Action Policy {role_name[-6:]}",
role=action_parent_role,
objects=adcm_object
if isinstance(adcm_object, list) else [adcm_object],
user=user if isinstance(user, list) else [user],
group=group if isinstance(group, list) else [group],
)
def test_remove_policy(user_policy, user_sdk: ADCMClient,
sdk_client_fs: ADCMClient):
"""Test that "Remove policy" role is ok"""
BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs)
custom_role = sdk_client_fs.role(name="Custom role")
user = sdk_client_fs.user(username="******")
is_allowed(user_sdk, BusinessRoles.ViewPolicies)
is_denied(user_sdk,
BusinessRoles.CreatePolicy,
role=custom_role,
user=[user])
custom_policy = user_sdk.policy(id=sdk_client_fs.policy_create(
name="Test policy", objects=[], role=custom_role, user=[user]).id)
is_denied(custom_policy, BusinessRoles.EditPolicy)
is_allowed(custom_policy, BusinessRoles.RemovePolicy)
delete_policy(user_policy)
sdk_client_fs.policy_create(name="Test policy",
objects=[],
role=custom_role,
user=[user])
is_denied(user_sdk, BusinessRoles.ViewPolicies)
def grant_role(self, client: ADCMClient, user: User, role: RbacRoles, *objects: AnyADCMObject) -> Policy:
"""Grant RBAC default role to a user"""
with allure.step(f'Grant role "{role.value}" to user {user.username}'):
return client.policy_create(
name=f'{user.username} is {role.value}', role=client.role(name=role.value), objects=objects, user=[user]
)
def policy_creation_should_succeeded(admin_client: ADCMClient, role: Role, adcm_object: AnyADCMObject, user: User):
"""Try to create policy based on give role and expect creation to succeed"""
with allure.step(f'Create policy based on role "{role.display_name}" and expect it to succeeded'):
policy_name = f'Test role {random_string(5)}'
with catch_failed(ErrorMessage, 'Policy should be created'):
admin_client.policy_create(name=policy_name, role=role, objects=[adcm_object], user=[user])
