Ejemplo n.º 1
    def test_root_access(self, mock_perm_collection, mock_model, mock_f):
        """
        A grant on the root path '/' must authorize the user for every resource.

        The permission lookup is stubbed so that only '/' carries the 'op' grant;
        each path asserted below can therefore only pass through that root grant.
        """
        def root_only(permission, login):
            """
            Stub for find_user_permission: 'op' on '/', nothing anywhere else.
            """
            return ['op'] if permission == '/' else []

        # The mocked user reports is_superuser() == False, so a True result is not
        # explained by superuser status (patch targets are outside this view).
        user_stub = mock_model.objects.get_or_404.return_value
        user_stub.is_superuser.return_value = False

        query_manager = mock_f.permission_query_manager.return_value
        # find_by_resource simply echoes back whatever path it is asked about.
        query_manager.find_by_resource.side_effect = lambda x: x
        query_manager.find_user_permission.side_effect = root_only
        mock_perm_collection.return_value.find_one.return_value = '/'

        for path in ('/mock/resource/', '/mock/other_resource/', '/'):
            self.assertTrue(
                user_controller.is_authorized(path, 'test-user', 'op'))
Ejemplo n.º 2
    def test_subdomain_access(self, mock_model, mock_f):
        """
        A grant on a parent path authorizes its children and nothing outside it.

        Only '/mock/' carries the 'op' grant. Paths beneath it must be allowed,
        while a sibling tree ('/other/') and the root ('/') must be denied.
        """
        def base_only(permission, login):
            """
            Stub for find_user_permission: 'op' on '/mock/', nothing anywhere else.
            """
            return ['op'] if permission == '/mock/' else []

        # Not a superuser, so the outcome depends on the stubbed permission lookup.
        user_stub = mock_model.objects.get_or_404.return_value
        user_stub.is_superuser.return_value = False

        query_manager = mock_f.permission_query_manager.return_value
        query_manager.find_by_resource.side_effect = lambda x: x
        query_manager.find_user_permission.side_effect = base_only

        for allowed in ('/mock/resource/', '/mock/other_resource/'):
            self.assertTrue(
                user_controller.is_authorized(allowed, 'test-user', 'op'))

        # Negative cases: the grant must not extend sideways or upwards.
        for denied in ('/other/', '/'):
            self.assertFalse(
                user_controller.is_authorized(denied, 'test-user', 'op'))
Ejemplo n.º 3
 def test_user_permission_revoke(self):
     """Granting READ authorizes the user; revoking that grant removes the access."""
     user = self._create_user()
     resource = self._create_resource()
     operation = authorization.READ
     login = user.login

     self.permission_manager.grant(resource, login, [operation])
     self.assertTrue(user_controller.is_authorized(resource, login, operation))

     # After the revoke the same check must fail, i.e. no stale grant remains.
     self.permission_manager.revoke(resource, login, [operation])
     self.assertFalse(user_controller.is_authorized(resource, login, operation))
Ejemplo n.º 4
 def test_user_permission_revoke(self):
     """A READ grant authorizes the user until it is revoked, after which the check fails."""
     account = self._create_user()
     target = self._create_resource()
     op = authorization.READ
     granted = lambda: user_controller.is_authorized(target, account.login, op)

     self.permission_manager.grant(target, account.login, [op])
     self.assertTrue(granted())

     # The revoke must take effect for the next authorization check.
     self.permission_manager.revoke(target, account.login, [op])
     self.assertFalse(granted())
Ejemplo n.º 5
 def test_super_user_permissions(self):
     """Super-user role membership authorizes every operation without an explicit grant."""
     user = self._create_user()
     resource = self._create_resource()
     self.role_manager.add_user_to_role(cud.SUPER_USER_ROLE, user.login)

     # No permission is granted on the resource; the role alone must be enough.
     every_operation = (
         authorization.CREATE,
         authorization.READ,
         authorization.UPDATE,
         authorization.DELETE,
         authorization.EXECUTE,
     )
     for operation in every_operation:
         self.assertTrue(user_controller.is_authorized(resource, user.login, operation))
Ejemplo n.º 6
 def test_non_unique_permission_delete(self):
     """Deleting one of two roles that grant the same permission must not remove access."""
     user = self._create_user()
     first_role = self._create_role()
     second_role = self._create_role()
     resource = self._create_resource()
     operation = authorization.READ

     # The user receives READ on the resource through both roles.
     self.role_manager.add_user_to_role(first_role['id'], user.login)
     self.role_manager.add_user_to_role(second_role['id'], user.login)
     self.role_manager.add_permissions_to_role(first_role['id'], resource, [operation])
     self.role_manager.add_permissions_to_role(second_role['id'], resource, [operation])
     self.assertTrue(user_controller.is_authorized(resource, user.login, operation))

     # The second role still carries the grant, so access must survive the delete.
     self.role_manager.delete_role(first_role['id'])
     self.assertTrue(user_controller.is_authorized(resource, user.login, operation))
Ejemplo n.º 7
 def test_non_unique_permission_revoke(self):
     """Removing a permission from one of two granting roles must not remove access."""
     user = self._create_user()
     first_role = self._create_role()
     second_role = self._create_role()
     resource = self._create_resource()
     operation = authorization.READ

     # The user receives READ on the resource through both roles.
     self.role_manager.add_user_to_role(first_role['id'], user.login)
     self.role_manager.add_user_to_role(second_role['id'], user.login)
     self.role_manager.add_permissions_to_role(first_role['id'], resource, [operation])
     self.role_manager.add_permissions_to_role(second_role['id'], resource, [operation])
     self.assertTrue(user_controller.is_authorized(resource, user.login, operation))

     self.role_manager.remove_permissions_from_role(first_role['id'], resource, [operation])
     # Reload the user from the database before the final authorization check.
     user = model.User.objects(login=user.login).first()
     self.assertTrue(user_controller.is_authorized(resource, user.login, operation))
Ejemplo n.º 8
 def test_parent_permissions(self):
     """A READ grant on the parent path must authorize READ on the child resource."""
     user = self._create_user()
     resource = self._create_resource()
     # Strip the last path segment to get the parent; this assumes the resource
     # path ends with '/', so the two right-most splits are '' and that segment.
     parent = resource.rsplit('/', 2)[0] + '/'
     operation = authorization.READ

     # Only the parent is granted; the child gets no grant of its own.
     self.permission_manager.grant(parent, user.login, [operation])
     self.assertTrue(user_controller.is_authorized(resource, user.login, operation))
Ejemplo n.º 9
 def test_parent_permissions(self):
     """Permissions granted on a parent path are inherited by the resource beneath it."""
     account = self._create_user()
     child = self._create_resource()
     op = authorization.READ

     # Parent path = child path without its final segment (assumes a trailing '/').
     head = child.rsplit('/', 2)[0]
     parent_path = head + '/'

     self.permission_manager.grant(parent_path, account.login, [op])
     # The child itself was never granted anything.
     self.assertTrue(user_controller.is_authorized(child, account.login, op))
Ejemplo n.º 10
    def test_explicit_access(self, mock_model, mock_f):
        """
        A user holding the operation directly on a resource url is authorized for it.

        Also pins how the permission query manager is consulted: one lookup of the
        resource and one lookup of that user's permissions on it.
        """
        resource, login, operation = "/mock/resource/", "testuser", "op"

        # Not a superuser, so the outcome depends on the stubbed permission lookup.
        user_stub = mock_model.objects.get_or_404.return_value
        user_stub.is_superuser.return_value = False

        query_manager = mock_f.permission_query_manager.return_value
        query_manager.find_by_resource.return_value = resource
        query_manager.find_user_permission.return_value = [operation]

        self.assertTrue(user_controller.is_authorized(resource, login, operation))

        # Exactly one call each, with the resource and login that were passed in.
        query_manager.find_by_resource.assert_called_once_with(resource)
        query_manager.find_user_permission.assert_called_once_with(resource, login)
Ejemplo n.º 11
    def test_subdomain_access(self, mock_model, mock_f):
        """
        A grant on a parent path covers the urls below it, and only those.

        The stub grants "op" on "/mock/" alone: children of "/mock/" must pass,
        while "/other/" and the root "/" must be rejected.
        """

        def base_only(permission, login):
            """
            Stub for find_user_permission: "op" on "/mock/", nothing anywhere else.
            """
            if permission != "/mock/":
                return []
            return ["op"]

        # Not a superuser, so the outcome depends on the stubbed permission lookup.
        user_stub = mock_model.objects.get_or_404.return_value
        user_stub.is_superuser.return_value = False

        query_manager = mock_f.permission_query_manager.return_value
        query_manager.find_by_resource.side_effect = lambda x: x
        query_manager.find_user_permission.side_effect = base_only

        expectations = (
            ("/mock/resource/", self.assertTrue),
            ("/mock/other_resource/", self.assertTrue),
            # Negative cases: no access to a sibling tree or to the parent of the grant.
            ("/other/", self.assertFalse),
            ("/", self.assertFalse),
        )
        for path, check in expectations:
            check(user_controller.is_authorized(path, "test-user", "op"))
Ejemplo n.º 12
    def test_explicit_access(self, mock_model, mock_f):
        """
        A direct grant on a resource url authorizes the user for that url.

        The assertions on the mock also fix the lookups performed: the resource is
        resolved once and the user's permissions on it are fetched once.
        """
        # Not a superuser, so the outcome depends on the stubbed permission lookup.
        user_stub = mock_model.objects.get_or_404.return_value
        user_stub.is_superuser.return_value = False

        query_manager = mock_f.permission_query_manager.return_value
        query_manager.find_by_resource.return_value = '/mock/resource/'
        query_manager.find_user_permission.return_value = ['op']

        authorized = user_controller.is_authorized('/mock/resource/', 'testuser', 'op')
        self.assertTrue(authorized)

        query_manager.find_by_resource.assert_called_once_with('/mock/resource/')
        query_manager.find_user_permission.assert_called_once_with(
            '/mock/resource/', 'testuser')
Ejemplo n.º 13
    def test_root_access(self, mock_perm_collection, mock_model, mock_f):
        """
        A user with access to the root domain "/" is authorized for every resource.

        Only "/" carries the "op" grant in the stub, so each assertion below checks
        that the root grant is inherited by the path being tested.
        """

        def root_only(permission, login):
            """
            Stub for find_user_permission: "op" on "/", nothing anywhere else.
            """
            if permission != "/":
                return []
            return ["op"]

        # Not a superuser, so a True result is not explained by superuser status.
        user_stub = mock_model.objects.get_or_404.return_value
        user_stub.is_superuser.return_value = False

        query_manager = mock_f.permission_query_manager.return_value
        query_manager.find_by_resource.side_effect = lambda x: x
        query_manager.find_user_permission.side_effect = root_only
        mock_perm_collection.return_value.find_one.return_value = "/"

        for path in ("/mock/resource/", "/mock/other_resource/", "/"):
            self.assertTrue(user_controller.is_authorized(path, "test-user", "op"))
Ejemplo n.º 14
 def test_user_execute_failure(self):
     """Without any grant, a newly created user is denied EXECUTE on a resource."""
     user = self._create_user()
     resource = self._create_resource()
     # Deny-by-default: nothing has been granted before this check.
     allowed = user_controller.is_authorized(resource, user.login, authorization.EXECUTE)
     self.assertFalse(allowed)
Ejemplo n.º 15
 def test_user_delete_success(self):
     """An explicit DELETE grant on a resource authorizes the user for DELETE."""
     user = self._create_user()
     resource = self._create_resource()
     operation = authorization.DELETE
     login = user.login

     self.permission_manager.grant(resource, login, [operation])
     self.assertTrue(user_controller.is_authorized(resource, login, operation))
Ejemplo n.º 16
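def _verify_auth(self, operation, super_user_only, method, *args, **kwargs):
    """
    Internal method for checking authentication and authorization. This code
    is kept outside of the decorator which calls it so that it can be mocked.
    This allows for the decorator itself which calls here to have assertions
    made about the operation and super_user values set in the view code.

    An operation of None means not to check authorization; only check
    authentication.

    The super_user_only flag set to True means that only members of the
    built in SuperUsers role are authorized.

    The principal is cleared after the wrapped method runs, whether it returns
    or raises.

    :type operation: int or None
    :param operation: The operation a user needs permission for, or None to
                      skip authorization.

    :type super_user_only: bool
    :param super_user_only: Only authorize a user if they are a super user.

    :param method: The wrapped callable; invoked as method(self, *args, **kwargs)
                   once the checks have passed.

    :return: Whatever the wrapped method returns.

    :raises PulpCodedAuthenticationException: with PLP0025 when no auth function
            returns a login, with PLP0026 when the super user or permission
            check fails.
    """
    # Check Authentication
    # Run through each registered and enabled auth function. The first function
    # that returns a login wins, so the list order is the precedence order.
    is_consumer = False
    registered_auth_functions = [
        check_preauthenticated, password_authentication,
        user_cert_authentication, consumer_cert_authentication,
        oauth_authentication
    ]

    user_authenticated = False
    for authenticate_user in registered_auth_functions:
        if authenticate_user == oauth_authentication:
            # oauth is the only function that also reports the consumer flag.
            login, is_consumer = authenticate_user()
        else:
            login = authenticate_user()

        if login is not None:
            user_authenticated = True
            if authenticate_user == consumer_cert_authentication:
                is_consumer = True
            break

    if not user_authenticated:
        raise PulpCodedAuthenticationException(error_code=error_codes.PLP0025)

    # Check Authorization

    principal_manager = factory.principal_manager()

    # Consumers are not part of the User collection
    # NOTE(review): super_user_only is therefore enforced for users only. A
    # consumer login skips this check and is gated solely by
    # is_consumer_authorized below, and by nothing when operation is None.
    # Confirm that this is intended for every super_user_only view.
    if not is_consumer:
        user = model.User.objects.get(login=login)
        if super_user_only and not user.is_superuser():
            # NOTE(review): if operation is None here, the OPERATION_NAMES lookup
            # may itself raise before this exception is built - TODO confirm.
            raise PulpCodedAuthenticationException(
                error_code=error_codes.PLP0026,
                user=login,
                operation=OPERATION_NAMES[operation])

    # if the operation is None, don't check authorization
    if operation is not None:
        if is_consumer:
            if is_consumer_authorized(http.resource_path(), login, operation):
                # set default principal = SYSTEM
                principal_manager.set_principal()
            else:
                raise PulpCodedAuthenticationException(
                    error_code=error_codes.PLP0026,
                    user=login,
                    operation=OPERATION_NAMES[operation])
        elif user_controller.is_authorized(http.resource_path(), login,
                                           operation):
            user = model.User.objects.get(login=login)
            principal_manager.set_principal(user)
        else:
            raise PulpCodedAuthenticationException(
                error_code=error_codes.PLP0026,
                user=login,
                operation=OPERATION_NAMES[operation])

    # Authentication and authorization succeeded. Call method and then clear principal.
    # The clear runs in a finally block: if the view raised, the principal set
    # above would otherwise stay in place after this call has ended.
    try:
        return method(self, *args, **kwargs)
    finally:
        principal_manager.clear_principal()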
Ejemplo n.º 17
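def _verify_auth(self, operation, super_user_only, method, *args, **kwargs):
    """
    Internal method for checking authentication and authorization. This code
    is kept outside of the decorator which calls it so that it can be mocked.
    This allows for the decorator itself which calls here to have assertions
    made about the operation and super_user values set in the view code.

    An operation of None means not to check authorization; only check
    authentication.

    The super_user_only flag set to True means that only members of the
    built in SuperUsers role are authorized.

    The principal is cleared after the wrapped method runs, whether it returns
    or raises.

    :type operation: int or None
    :param operation: The operation a user needs permission for, or None to
                      skip authorization.

    :type super_user_only: bool
    :param super_user_only: Only authorize a user if they are a super user.

    :param method: The wrapped callable; invoked as method(self, *args, **kwargs)
                   once the checks have passed.

    :return: Whatever the wrapped method returns.

    :raises PulpCodedAuthenticationException: with PLP0025 when no auth function
            returns a login, with PLP0026 when the super user or permission
            check fails.
    """
    # Check Authentication
    # Run through each registered and enabled auth function. The first function
    # that returns a login wins, so the list order is the precedence order.
    is_consumer = False
    registered_auth_functions = [check_preauthenticated,
                                 password_authentication,
                                 user_cert_authentication,
                                 consumer_cert_authentication,
                                 oauth_authentication]

    user_authenticated = False
    for authenticate_user in registered_auth_functions:
        if authenticate_user == oauth_authentication:
            # oauth is the only function that also reports the consumer flag.
            login, is_consumer = authenticate_user()
        else:
            login = authenticate_user()

        if login is not None:
            user_authenticated = True
            if authenticate_user == consumer_cert_authentication:
                is_consumer = True
            break

    if not user_authenticated:
        raise PulpCodedAuthenticationException(error_code=error_codes.PLP0025)

    # Check Authorization

    principal_manager = factory.principal_manager()

    # Consumers are not part of the User collection
    # NOTE(review): super_user_only is therefore enforced for users only. A
    # consumer login skips this check and is gated solely by
    # is_consumer_authorized below, and by nothing when operation is None.
    # Confirm that this is intended for every super_user_only view.
    if not is_consumer:
        user = model.User.objects.get(login=login)
        if super_user_only and not user.is_superuser():
            # NOTE(review): if operation is None here, the OPERATION_NAMES lookup
            # may itself raise before this exception is built - TODO confirm.
            raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026, user=login,
                                                   operation=OPERATION_NAMES[operation])

    # if the operation is None, don't check authorization
    if operation is not None:
        if is_consumer:
            if is_consumer_authorized(http.resource_path(), login, operation):
                # set default principal = SYSTEM
                principal_manager.set_principal()
            else:
                raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026,
                                                       user=login,
                                                       operation=OPERATION_NAMES[operation])
        elif user_controller.is_authorized(http.resource_path(), login, operation):
            user = model.User.objects.get(login=login)
            principal_manager.set_principal(user)
        else:
            raise PulpCodedAuthenticationException(error_code=error_codes.PLP0026,
                                                   user=login,
                                                   operation=OPERATION_NAMES[operation])

    # Authentication and authorization succeeded. Call method and then clear principal.
    # The clear runs in a finally block: if the view raised, the principal set
    # above would otherwise stay in place after this call has ended.
    try:
        return method(self, *args, **kwargs)
    finally:
        principal_manager.clear_principal()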
Ejemplo n.º 18
 def test_user_delete_success(self):
     """Once DELETE is granted on a resource, the user is authorized to DELETE it."""
     account = self._create_user()
     target = self._create_resource()
     op = authorization.DELETE

     self.permission_manager.grant(target, account.login, [op])
     allowed = user_controller.is_authorized(target, account.login, op)
     self.assertTrue(allowed)
Ejemplo n.º 19
 def test_user_delete_failure(self):
     """Without any grant, a newly created user is denied DELETE on a resource."""
     user = self._create_user()
     resource = self._create_resource()
     # Deny-by-default: nothing has been granted before this check.
     allowed = user_controller.is_authorized(resource, user.login, authorization.DELETE)
     self.assertFalse(allowed)