def testDeleteIsAllowed(self):
"""
L{SecureUserAPI.delete} can always be invoked by a L{User} with the
L{Role.SUPERUSER}.
"""
UserAPI().create([(u'user', u'secret', u'User', u'*****@*****.**')])
namespaces = SecureNamespaceAPI(self.system.users['fluiddb'])
namespaces.delete([u'user/private'])
self.users.delete([u'user'])
self.assertIdentical(None, getUser(u'user'))
def testDeleteIsAllowed(self):
"""
L{SecureUserAPI.delete} can always be invoked by a L{User} with the
L{Role.SUPERUSER}.
"""
UserAPI().create([(u'user', u'secret', u'User', u'*****@*****.**')])
namespaces = SecureNamespaceAPI(self.system.users['fluiddb'])
namespaces.delete([u'user/private'])
self.users.delete([u'user'])
self.assertIdentical(None, getUser(u'user'))
class SecureNamespaceAPIWithSuperuserTest(FluidinfoTestCase):
resources = [('cache', CacheResource()), ('config', ConfigResource()),
('store', DatabaseResource())]
def setUp(self):
super(SecureNamespaceAPIWithSuperuserTest, self).setUp()
system = createSystemData()
user = system.users[u'fluiddb']
self.namespaces = SecureNamespaceAPI(user)
self.permissions = CachingPermissionAPI(user)
def testCreateIsAllowed(self):
"""
Creating a new L{Namespace} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
values = [(u'fluiddb', Operation.CREATE_NAMESPACE, Policy.CLOSED, [])]
self.permissions.set(values)
result = self.namespaces.create([(u'fluiddb/test', u'description')])
self.assertEqual(1, len(result))
def testDeleteIsAllowed(self):
"""
Deleting a L{Namespace} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
result1 = self.namespaces.create([(u'fluiddb/test', u'description')])
values = [(u'fluiddb/test', Operation.DELETE_NAMESPACE, Policy.CLOSED,
[])]
self.permissions.set(values)
result2 = self.namespaces.delete([u'fluiddb/test'])
self.assertEqual(result1, result2)
def testSetIsAllowed(self):
"""
Updating a L{Namespace} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
self.namespaces.create([(u'fluiddb/test', u'description')])
values = [(u'fluiddb/test', Operation.UPDATE_NAMESPACE, Policy.CLOSED,
[])]
self.permissions.set(values)
self.namespaces.set({u'fluiddb/test': u'new description'})
def testGetIsAllowed(self):
"""
Getting information about a L{Namespace} should be allowed if we're a
user with a L{Role.SUPERUSER} no matter what permissions we have.
"""
self.namespaces.create([(u'fluiddb/test', u'description')])
values = [(u'fluiddb/test', Operation.LIST_NAMESPACE, Policy.CLOSED,
[])]
self.permissions.set(values)
result = self.namespaces.get([u'fluiddb'],
withDescriptions=False,
withTags=True,
withNamespaces=True)
self.assertEqual(1, len(result))
def run():
namespaces = SecureNamespaceAPI(session.auth.user)
try:
namespaces.delete([path])
except UnknownPathError as error:
session.log.exception(error)
unknownPath = error.paths[0]
raise TNonexistentNamespace(unknownPath.encode('utf-8'))
except NotEmptyError as error:
session.log.exception(error)
raise TNamespaceNotEmpty(path.encode('utf-8'))
except PermissionDeniedError as error:
session.log.exception(error)
path_, operation = error.pathsAndOperations[0]
category, action = getCategoryAndAction(operation)
path_ = path_.encode('utf-8')
raise TPathPermissionDenied(path_, category, action)
def run():
namespaces = SecureNamespaceAPI(session.auth.user)
try:
namespaces.delete([path])
except UnknownPathError as error:
session.log.exception(error)
unknownPath = error.paths[0]
raise TNonexistentNamespace(unknownPath.encode('utf-8'))
except NotEmptyError as error:
session.log.exception(error)
raise TNamespaceNotEmpty(path.encode('utf-8'))
except PermissionDeniedError as error:
session.log.exception(error)
path_, operation = error.pathsAndOperations[0]
category, action = getCategoryAndAction(operation)
path_ = path_.encode('utf-8')
raise TPathPermissionDenied(path_, category, action)
class SecureNamespaceAPIWithSuperuserTest(FluidinfoTestCase):
resources = [('cache', CacheResource()),
('config', ConfigResource()),
('store', DatabaseResource())]
def setUp(self):
super(SecureNamespaceAPIWithSuperuserTest, self).setUp()
system = createSystemData()
user = system.users[u'fluiddb']
self.namespaces = SecureNamespaceAPI(user)
self.permissions = CachingPermissionAPI(user)
def testCreateIsAllowed(self):
"""
Creating a new L{Namespace} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
values = [(u'fluiddb', Operation.CREATE_NAMESPACE, Policy.CLOSED, [])]
self.permissions.set(values)
result = self.namespaces.create([(u'fluiddb/test', u'description')])
self.assertEqual(1, len(result))
def testDeleteIsAllowed(self):
"""
Deleting a L{Namespace} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
result1 = self.namespaces.create([(u'fluiddb/test', u'description')])
values = [(u'fluiddb/test', Operation.DELETE_NAMESPACE,
Policy.CLOSED, [])]
self.permissions.set(values)
result2 = self.namespaces.delete([u'fluiddb/test'])
self.assertEqual(result1, result2)
def testSetIsAllowed(self):
"""
Updating a L{Namespace} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
self.namespaces.create([(u'fluiddb/test', u'description')])
values = [(u'fluiddb/test', Operation.UPDATE_NAMESPACE,
Policy.CLOSED, [])]
self.permissions.set(values)
self.namespaces.set({u'fluiddb/test': u'new description'})
def testGetIsAllowed(self):
"""
Getting information about a L{Namespace} should be allowed if we're a
user with a L{Role.SUPERUSER} no matter what permissions we have.
"""
self.namespaces.create([(u'fluiddb/test', u'description')])
values = [(u'fluiddb/test', Operation.LIST_NAMESPACE,
Policy.CLOSED, [])]
self.permissions.set(values)
result = self.namespaces.get([u'fluiddb'], withDescriptions=False,
withTags=True, withNamespaces=True)
self.assertEqual(1, len(result))
class SecureNamespaceAPIWithNormalUserTest(FluidinfoTestCase):
resources = [('cache', CacheResource()), ('config', ConfigResource()),
('store', DatabaseResource())]
def setUp(self):
super(SecureNamespaceAPIWithNormalUserTest, self).setUp()
createSystemData()
UserAPI().create([(u'user', u'password', u'User', u'*****@*****.**')
])
self.user = getUser(u'user')
self.permissions = CachingPermissionAPI(self.user)
self.namespaces = SecureNamespaceAPI(self.user)
def testCreateIsAllowed(self):
"""
L{SecureNamespaceAPI.create} should allow the creation of namespaces
whose parent has open CREATE permissions.
"""
values = [(u'user', Operation.CREATE_NAMESPACE, Policy.OPEN, [])]
self.permissions.set(values)
result = self.namespaces.create([(u'user/test', u'description')])
self.assertEqual(1, len(result))
def testCreateIsDenied(self):
"""
L{SecureNamespaceAPI.create} should raise L{PermissonDeniedError} if
the user doesn't have CREATE permissions on the parent namespace.
"""
values = [(u'user', Operation.CREATE_NAMESPACE, Policy.CLOSED, [])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.namespaces.create,
[(u'user/test', u'description')])
self.assertEqual([(u'user', Operation.CREATE_NAMESPACE)],
sorted(error.pathsAndOperations))
def testDeleteIsAllowed(self):
"""
{SecureNamespaceAPI.delete} should allow the deletion of a namespace
if the user has DELETE permissions.
"""
result1 = self.namespaces.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.DELETE_NAMESPACE, Policy.OPEN, [])]
self.permissions.set(values)
result2 = self.namespaces.delete([u'user/test'])
self.assertEqual(result1, result2)
def testDeleteIsDenied(self):
"""
L{SecureNamespaceAPI.delete} should raise L{PermissonDeniedError} if
the user doesn't have DELETE permissions.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.DELETE_NAMESPACE, Policy.OPEN,
[u'user'])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.namespaces.delete, [(u'user/test')])
self.assertEqual([(u'user/test', Operation.DELETE_NAMESPACE)],
sorted(error.pathsAndOperations))
def testGetChildNamespacesIsAllowed(self):
"""
L{SecureNamespaceAPI.get} should allow getting a list of child
namespaces if the user has permissions.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user', Operation.LIST_NAMESPACE, Policy.OPEN, [])]
self.permissions.set(values)
result = self.namespaces.get([u'user'], withNamespaces=True)
self.assertEqual(1, len(result))
def testGetChildNamespacesIsDenied(self):
"""
L{SecureNamespaceAPI.get} should raise L{PermissonDeniedError} if the
user doesn't have LIST permissions when trying to get the child
namespaces.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user', Operation.LIST_NAMESPACE, Policy.CLOSED, [])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.namespaces.get, [(u'user')],
withNamespaces=True)
self.assertEqual([(u'user', Operation.LIST_NAMESPACE)],
sorted(error.pathsAndOperations))
def testGetChildTagsIsAllowed(self):
"""
L{SecureNamespaceAPI.get} should allow getting a list of child tags if
the user has permissions.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user', Operation.LIST_NAMESPACE, Policy.CLOSED, [u'user'])
]
self.permissions.set(values)
result = self.namespaces.get([u'user'], withTags=True)
self.assertEqual(1, len(result))
def testGetChildTagsIsDenied(self):
"""
L{SecureNamespaceAPI.get} should raise L{PermissonDeniedError} if the
user doesn't have LIST permissions when trying to get the child
tags.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user', Operation.LIST_NAMESPACE, Policy.OPEN, [u'user'])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.namespaces.get, [(u'user')],
withTags=True)
self.assertEqual([(u'user', Operation.LIST_NAMESPACE)],
sorted(error.pathsAndOperations))
def testSetIsAllowed(self):
"""
L{SecureNamespaceAPI.get} should allow updating the description of a
namespace if the user has permissions.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.UPDATE_NAMESPACE, Policy.OPEN, [])]
self.permissions.set(values)
self.namespaces.set({u'user/test': u'description'})
def testSetIsDenied(self):
"""
L{SecureNamespaceAPI.get} should raise L{PermissonDeniedError} if the
user doesn't have UPDATE permissions when trying to update a
namespace's description.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.UPDATE_NAMESPACE, Policy.CLOSED, [])
]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError, self.namespaces.set,
{u'user/test': u'description'})
self.assertEqual([(u'user/test', Operation.UPDATE_NAMESPACE)],
sorted(error.pathsAndOperations))
class SecureNamespaceAPIWithNormalUserTest(FluidinfoTestCase):
resources = [('cache', CacheResource()),
('config', ConfigResource()),
('store', DatabaseResource())]
def setUp(self):
super(SecureNamespaceAPIWithNormalUserTest, self).setUp()
createSystemData()
UserAPI().create([(u'user', u'password', u'User',
u'*****@*****.**')])
self.user = getUser(u'user')
self.permissions = CachingPermissionAPI(self.user)
self.namespaces = SecureNamespaceAPI(self.user)
def testCreateIsAllowed(self):
"""
L{SecureNamespaceAPI.create} should allow the creation of namespaces
whose parent has open CREATE permissions.
"""
values = [(u'user', Operation.CREATE_NAMESPACE, Policy.OPEN, [])]
self.permissions.set(values)
result = self.namespaces.create([(u'user/test', u'description')])
self.assertEqual(1, len(result))
def testCreateIsDenied(self):
"""
L{SecureNamespaceAPI.create} should raise L{PermissonDeniedError} if
the user doesn't have CREATE permissions on the parent namespace.
"""
values = [(u'user', Operation.CREATE_NAMESPACE, Policy.CLOSED, [])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.namespaces.create,
[(u'user/test', u'description')])
self.assertEqual([(u'user', Operation.CREATE_NAMESPACE)],
sorted(error.pathsAndOperations))
def testDeleteIsAllowed(self):
"""
{SecureNamespaceAPI.delete} should allow the deletion of a namespace
if the user has DELETE permissions.
"""
result1 = self.namespaces.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.DELETE_NAMESPACE, Policy.OPEN, [])]
self.permissions.set(values)
result2 = self.namespaces.delete([u'user/test'])
self.assertEqual(result1, result2)
def testDeleteIsDenied(self):
"""
L{SecureNamespaceAPI.delete} should raise L{PermissonDeniedError} if
the user doesn't have DELETE permissions.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.DELETE_NAMESPACE,
Policy.OPEN, [u'user'])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.namespaces.delete, [(u'user/test')])
self.assertEqual([(u'user/test', Operation.DELETE_NAMESPACE)],
sorted(error.pathsAndOperations))
def testGetChildNamespacesIsAllowed(self):
"""
L{SecureNamespaceAPI.get} should allow getting a list of child
namespaces if the user has permissions.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user', Operation.LIST_NAMESPACE, Policy.OPEN, [])]
self.permissions.set(values)
result = self.namespaces.get([u'user'], withNamespaces=True)
self.assertEqual(1, len(result))
def testGetChildNamespacesIsDenied(self):
"""
L{SecureNamespaceAPI.get} should raise L{PermissonDeniedError} if the
user doesn't have LIST permissions when trying to get the child
namespaces.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user', Operation.LIST_NAMESPACE, Policy.CLOSED, [])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.namespaces.get,
[(u'user')], withNamespaces=True)
self.assertEqual([(u'user', Operation.LIST_NAMESPACE)],
sorted(error.pathsAndOperations))
def testGetChildTagsIsAllowed(self):
"""
L{SecureNamespaceAPI.get} should allow getting a list of child tags if
the user has permissions.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user', Operation.LIST_NAMESPACE,
Policy.CLOSED, [u'user'])]
self.permissions.set(values)
result = self.namespaces.get([u'user'], withTags=True)
self.assertEqual(1, len(result))
def testGetChildTagsIsDenied(self):
"""
L{SecureNamespaceAPI.get} should raise L{PermissonDeniedError} if the
user doesn't have LIST permissions when trying to get the child
tags.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user', Operation.LIST_NAMESPACE, Policy.OPEN, [u'user'])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.namespaces.get,
[(u'user')], withTags=True)
self.assertEqual([(u'user', Operation.LIST_NAMESPACE)],
sorted(error.pathsAndOperations))
def testSetIsAllowed(self):
"""
L{SecureNamespaceAPI.get} should allow updating the description of a
namespace if the user has permissions.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.UPDATE_NAMESPACE, Policy.OPEN, [])]
self.permissions.set(values)
self.namespaces.set({u'user/test': u'description'})
def testSetIsDenied(self):
"""
L{SecureNamespaceAPI.get} should raise L{PermissonDeniedError} if the
user doesn't have UPDATE permissions when trying to update a
namespace's description.
"""
self.namespaces.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.UPDATE_NAMESPACE,
Policy.CLOSED, [])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.namespaces.set,
{u'user/test': u'description'})
self.assertEqual([(u'user/test', Operation.UPDATE_NAMESPACE)],
sorted(error.pathsAndOperations))