Ejemplo n.º 1
0
    def test_create_resource_type(self):
        actions = ['readproject', 'writeproject', 'deleteproject']
        resource_type = 'test_type'
        # a resource type is created
        self._create_resource_type(resource_type, actions)
        test_type = ResourceType(resource_type)

        # cannot do twice
        with self.assertRaises(FusilladeHTTPException):
            ResourceType.create(resource_type, actions)

        # actions are set
        self.assertTrue(set(test_type.actions) == set(actions))

        # owner policy exists
        self.assertIn(f'/resource/{resource_type}/policy/Owner',
                      test_type.list_policies()[0]['policies'])

        # create an additional resource type
        resource_type2 = 'test_type2'
        self._create_resource_type(resource_type2, actions)
        test_type2 = ResourceType(resource_type2)

        # list resources
        resource_types = ResourceType.get_types()
        self.assertEqual([resource_type, resource_type2], resource_types)
Ejemplo n.º 2
0
    def test_eval(self):
        actions = ['test:readproject', 'test:writeproject', 'test:deleteproject']
        resource_type = 'test_type'
        test_type = ResourceType.create(resource_type, actions)
        access_level = 'Reader'
        resource_policy = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Principal": "*",
                    "Sid": "project_reader",
                    "Effect": "Allow",
                    "Action": ['test:readproject'],
                    "Resource": f"{self.arn_prefix}{resource_type}/*"
                }
            ]
        }
        test_type.create_policy(access_level, resource_policy, 'ResourcePolicy')
        user = User.provision_user('test_user')
        type_id = '1234455'
        resource = f'{self.arn_prefix}{resource_type}/{type_id}'

        with self.subTest("A user does not have access when they only have permitting resource_policy and no "
                          "permitting IAMPolicy"):
            test_id = test_type.create_id(type_id)
            test_id.add_principals([user], access_level)
            x = get_resource_authz_parameters(user.name, resource)
            resp = evaluate_policy(user.name, ['test:readproject'], [resource], x['IAMPolicy'], x['ResourcePolicy'])
            self.assertFalse(resp['result'])

        with self.subTest("A user has a access when they have a permitting resource policy and IAMPolicy"):
            IAMpolicy = {
                "Statement": [
                    {
                        "Sid": "project_reader",
                        "Effect": "Allow",
                        "Action": [
                            "test:readproject"
                        ],
                        "Resource": f"{self.arn_prefix}{resource_type}/*"
                    }
                ]
            }
            role = Role.create('project_reader', IAMpolicy)

            user.add_roles([role.name])
            x = get_resource_authz_parameters(user.name, resource)
            resp = evaluate_policy(user.name, ['test:readproject'], [resource], x['IAMPolicy'], x['ResourcePolicy'])
            self.assertTrue(resp['result'])
Ejemplo n.º 3
0
    def test_get_authz_params(self):
        actions = ['test:readproject', 'test:writeproject', 'test:deleteproject']
        resource_type = 'test_type'
        test_type = ResourceType.create(resource_type, actions)
        access_level = 'Reader'
        resource_policy = {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Principal": "*",
                    "Sid": "project_reader",
                    "Effect": "Allow",
                    "Action": ['test:readproject'],
                    "Resource": f"{self.arn_prefix}{resource_type}/*"
                }
            ]
        }
        test_type.create_policy(access_level, resource_policy, 'ResourcePolicy')
        user = User.provision_user('test_user')
        type_id = '1234455'
        resource = f'{self.arn_prefix}{resource_type}/{type_id}'

        with self.subTest("A user has no access when no access level set between user and resource"):
            with self.assertRaises(ResourceNotFound):
                get_resource_authz_parameters(user.name, resource)

        with self.subTest("No resource policy parameters are returned when the user tries to access a resource that "
                          "does not use resource policies"):
            params = get_resource_authz_parameters(user.name, f"{self.arn_prefix}non_acl_resource/1234")
            self.assertFalse(params.get('ResourcePolicy'))
            self.assertFalse(params.get('resources'))

        with self.subTest("The resource policy for the access level assigned to the user is returned when a user "
                          "is given access to a resource"):
            test_id = test_type.create_id(type_id)
            test_id.add_principals([user], access_level)
            params = get_resource_authz_parameters(user.name, resource)
            self.assertTrue(json_equal(params['ResourcePolicy'], resource_policy))
            self.assertEqual(['Reader'], params['resources'])

        with self.subTest("No access when the user is disabled."):
            user.disable()
            with self.assertRaises(AuthorizationException):
                get_resource_authz_parameters(user.name, resource)
Ejemplo n.º 4
0
 def _create_resource_type(self, name='test_type', actions=None):
     actions = actions or ['readproject', 'writeproject', 'deleteproject']
     return ResourceType.create(name, actions)