def test_delete_role(acl):
acl.add_role('nonspy') # our control who should remain unaffected
acl.allow('nonspy', 'view', 'news')
acl.deny('nonspy', 'edit', 'news')
acl.add_role('spy')
acl.allow('spy', 'view', 'news')
acl.deny('spy', 'edit', 'news')
assert acl.is_allowed('spy', 'view', 'news')
assert not acl.is_allowed('spy', 'edit', 'news')
# oh no! we found a spy! remove them!
acl.delete_role('spy')
# as the role no longer exists it should raise an assertion
with pytest.raises(AssertionError):
assert not acl.is_allowed('spy', 'view', 'news')
with pytest.raises(AssertionError):
assert not acl.is_allowed('spy', 'edit', 'news')
# as an extra check let's make sure we don't see any orphaned
# rules for 'spy' in _allowed or _denied
for rule_list in (acl._allowed, acl._denied):
for rule in rule_list:
assert rule[0] != 'spy'
# nonspy should be unaffected by all this
assert acl.is_allowed('nonspy', 'view', 'news')
assert not acl.is_allowed('nonspy', 'edit', 'news')
def test_remove_deny(acl):
acl.add_role('spy')
only_default_denied = dict(acl._denied)
acl.deny('spy', 'view', 'news')
denied_after_denying_spy = dict(acl._denied)
assert only_default_denied != denied_after_denying_spy
assert not acl.is_allowed('spy', 'view', 'news')
acl.remove_deny('spy', 'view', 'news')
denied_after_removing_deny_spy = dict(acl._denied)
assert denied_after_removing_deny_spy == only_default_denied
assert not acl.is_allowed('spy', 'view',
'news') # this should still not be allowed
def acl():
# create context
acl = rbac.acl.Registry()
# self.denied_error = rbac.context.PermissionDenied
# register roles and resources
acl.add_role('staff')
acl.add_role('editor', parents=['staff'])
acl.add_role('badguy', parents=['staff'])
acl.add_resource('article')
# add rules
acl.allow('staff', 'view', 'article')
acl.allow('editor', 'edit', 'article')
acl.deny('badguy', None, 'article')
return acl
def test_delete_role_with_child_roles_fails(acl):
acl.add_role('nonspy') # our control who should remain unaffected
acl.allow('nonspy', 'view', 'news')
acl.deny('nonspy', 'edit', 'news')
acl.add_role('spy')
acl.add_role('childspy', ['spy']) # should prevent deletion
acl.allow('spy', 'view', 'news')
acl.deny('spy', 'edit', 'news')
assert acl.is_allowed('spy', 'view', 'news')
assert not acl.is_allowed('spy', 'edit', 'news')
# as it has a child role it should assert
with pytest.raises(AssertionError):
acl.delete_role('spy')
# nonspy should be unaffected by all this
assert acl.is_allowed('nonspy', 'view', 'news')
assert not acl.is_allowed('nonspy', 'edit', 'news')
def test_deny(acl):
# add allowed rule and denied rule
acl.allow('actived_user', 'new', 'comment')
acl.deny('manager', 'new', 'comment')
# test allowed rules
roles = ['actived_user', 'writer']
for role in roles:
assert acl.is_allowed(role, 'new', 'comment')
assert acl.is_any_allowed(roles, 'new', 'comment')
# test denied rules
roles = ['manager', 'editor']
for role in roles:
assert not acl.is_allowed(role, 'new', 'comment')
assert not acl.is_any_allowed(roles, 'new', 'comment')
def test_deny(acl):
# add allowed rule and denied rule
acl.allow('actived_user', 'new', 'comment')
acl.deny('manager', 'new', 'comment')
# test allowed rules
roles = ['actived_user', 'writer']
for role in roles:
assert acl.is_allowed(role, 'new', 'comment')
assert acl.is_any_allowed(roles, 'new', 'comment')
# test denied rules
roles = ['manager', 'editor']
for role in roles:
assert not acl.is_allowed(role, 'new', 'comment')
assert not acl.is_any_allowed(roles, 'new', 'comment')
def test_short_circuit_skip_deny(acl, context, evaluated_roles):
""" If no remaining role could grant access, don't bother checking """
# track which roles are evaluated
setattr(acl, 'is_allowed', _FunctionProxy(acl.is_allowed, evaluated_roles))
acl.add_resource('the dinosaurs')
roles = ['tourist', 'scientist', 'intern']
for role in roles:
acl.add_role(role)
context.set_roles_loader(lambda: roles)
# explicitly deny one role and don't allow any permissions to others
acl.deny('intern', 'feed', 'the dinosaurs')
context.has_permission('feed', 'the dinosaurs')
# no roles checked, since all are deny-only
assert evaluated_roles == []
acl.allow('scientist', 'study', 'the dinosaurs')
context.has_permission('feed', 'the dinosaurs')
# since scientist is no longer deny-only,
# only the intern check will be skipped
assert evaluated_roles == ['tourist', 'scientist']
def test_short_circuit_skip_deny(acl, context, evaluated_roles):
""" If no remaining role could grant access, don't bother checking """
# track which roles are evaluated
setattr(acl, 'is_allowed', _FunctionProxy(acl.is_allowed, evaluated_roles))
acl.add_resource('the dinosaurs')
roles = ['tourist', 'scientist', 'intern']
for role in roles:
acl.add_role(role)
context.set_roles_loader(lambda: roles)
# explicitly deny one role and don't allow any permissions to others
acl.deny('intern', 'feed', 'the dinosaurs')
context.has_permission('feed', 'the dinosaurs')
# no roles checked, since all are deny-only
assert evaluated_roles == []
acl.allow('scientist', 'study', 'the dinosaurs')
context.has_permission('feed', 'the dinosaurs')
# since scientist is no longer deny-only,
# only the intern check will be skipped
assert evaluated_roles == ['tourist', 'scientist']
def edit_role(user):
role = input("which role you want to edit ")
if acl.is_valid_role(role):
allowed, denied = acl.get_role_permissions(role)
print(
f" Current permissions for {role} are: Allowed: {allowed}, Denied: {denied}"
)
print(f" All available resources are: {acl.get_all_resources()}")
resource = input(" Enter resource name ")
if acl.is_valid_resource(resource):
operation = input(
" Enter permission name like read, write or delete ")
allow_or_deny = input(
" Enter permission Type, Press 1 for Allow, 2 for deny ")
if allow_or_deny == "1":
acl.allow(role, operation, resource)
elif allow_or_deny == "2":
acl.deny(role, operation, resource)
else:
print("Wrong input {allow_or_deny}")
start_intracting(user)
allowed, denied = acl.get_role_permissions(role)
print(
f" Updated permissions for {role} are: Allowed: {allowed}, Denied: {denied}"
)
else:
print(
f" This {resource} is not a valid resource, you can try again")
edit_role(user)
else:
print(f"{role} is not valid role")
print(" Valid roles are: ", acl.get_all_roles())
print(" Press X for restart: ")
if role.lower() == "x":
start_intracting(user)
edit_role(user)
# create access control list
acl = rbac.acl.Registry()
# add roles
acl.add_role("member")
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])
# add resources
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])
# set rules
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")
# use acl to check permission
if acl.is_allowed("student", "view", "course"):
print("Students chould view courses.")
else:
print("Students chould not view courses.")
# use acl to check permission again
if acl.is_allowed("junior-student", "learn", "senior-course"):
print("Junior students chould learn senior courses.")
else:
print("Junior students chould not learn senior courses.")
# -*- coding: utf-8 -*- # __author__: musibii # __file__ : test1.py # __time__ : 2020/4/29 11:05 上午 import rbac.acl acl = rbac.acl.Registry() acl.add_role() acl.add_resource(acl) acl.allow() acl.deny() acl.is_allowed()
acl.add_resource("resource-2")
# set rules
# Admin have all permissions
acl.allow("admin", "read", "resource-1")
acl.allow("admin", "write", "resource-1")
acl.allow("admin", "delete", "resource-1")
acl.allow("admin", "read", "resource-2")
acl.allow("admin", "write", "resource-2")
acl.allow("admin", "delete", "resource-2")
# Developer have read, write permission but not delete
acl.allow("developer", "read", "resource-1")
acl.allow("developer", "write", "resource-1")
acl.deny("developer", "delete", "resource-1")
def edit_role(user):
role = input("which role you want to edit ")
if acl.is_valid_role(role):
allowed, denied = acl.get_role_permissions(role)
print(
f" Current permissions for {role} are: Allowed: {allowed}, Denied: {denied}"
)
print(f" All available resources are: {acl.get_all_resources()}")
resource = input(" Enter resource name ")
if acl.is_valid_resource(resource):
operation = input(
" Enter permission name like read, write or delete ")
allow_or_deny = input(
# add roles
acl.add_role("member")
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])
# add resources
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])
# set rules
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")
# use acl to check permission
if acl.is_allowed("student", "view", "course"):
print ("Students chould view courses.")
else:
print ("Students chould not view courses.")
# use acl to check permission again
if acl.is_allowed("junior-student", "learn", "senior-course"):
print ("Junior students chould learn senior courses.")
else:
print ("Junior students chould not learn senior courses.")
########NEW FILE########
__FILENAME__ = context
# add roles
acl.add_role("member")
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])
# add resources
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])
# set rules
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")
# use acl to check permission
if acl.is_allowed("student", "view", "course"):
print("Students chould view courses.")
else:
print("Students chould not view courses.")
# use acl to check permission again
if acl.is_allowed("junior-student", "learn", "senior-course"):
print("Junior students chould learn senior courses.")
else:
print("Junior students chould not learn senior courses.")
########NEW FILE########
__FILENAME__ = context
def get(self, request, action, *args, **kwargs):
acl = rbac.acl.Registry()
if action == 'generate-roles':
print 'Generating roles...'
acl.add_role("InternUsers")
print "\t Added Role: InternUsers"
acl.add_role("Directors",["InternUsers"])
print "\t Added Role: Directors"
acl.add_role("Writers",["InternUsers"])
print "\t Added Role: Writers"
acl.add_role("Auditors",["InternUsers"])
print "\t Added Role: Auditors"
acl.add_role("ExternUsers")
print "\t Added Role: ExternUsers"
print "\t\t[Done]"
#TODO [POM] Agregar usuarios creados a roles como hojas del arbol
elif action == 'generate-resources':
print 'Generating resources...'
acl.add_resource("noticia")
print "\t Added Resource: Noticia"
noticias = Noticia.objects.all()
for noticia in noticias:
acl.add_resource("noticia-"+noticia.title, ["noticia"])
print "\t Added Resource: noticia-%s" % noticia.title
print "\t\t[Done]"
elif action == 'generate-rules':
print 'Generating rules...'
acl.allow("InternUsers","read","noticia")
print "\tInternUsers can read noticia"
acl.allow("Writers","write","noticia")
print "\tWriters can write noticia"
acl.allow("Auditors","update","noticia")
print "\tAuditors can update noticia"
acl.allow("Auditors","delete","noticia")
print "\tAuditors can delete noticia"
acl.deny("ExternUsers","write","noticia")
print "\tExternUsers can not write noticia"
acl.deny("ExternUsers","update","noticia")
print "\tExternUsers can not update noticia"
acl.deny("ExternUsers","delete","noticia")
print "\tExternUsers can not delete noticia"
print "\t\t[Done]"
#TODO [POM] Permitir a usuarios que compartan la misma revista, que compartan el mismo permiso
elif action == 'test-onthefly':
print 'Generating roles...'
acl.add_role("InternUsers")
print "\t Added Role: InternUsers"
acl.add_role("Directors",["InternUsers"])
print "\t Added Role: Directors"
acl.add_role("Writers",["InternUsers"])
print "\t Added Role: Writers"
acl.add_role("Auditors",["InternUsers"])
print "\t Added Role: Auditors"
acl.add_role("ExternUsers")
print "\t Added Role: ExternUsers"
print "\t\t[Done]"
print 'Generating resources...'
acl.add_resource("noticia")
print "\t Added Resource: Noticia"
noticias = Noticia.objects.all()
for noticia in noticias:
acl.add_resource("noticia-"+noticia.title, ["noticia"])
print "\t Added Resource: noticia-%s" % noticia.title
print "\t\t[Done]"
print 'Generating rules...'
acl.allow("InternUsers","read","noticia")
print "\tInternUsers can read noticia"
acl.allow("Writers","write","noticia")
print "\tWriters can write noticia"
acl.allow("Auditors","update","noticia")
print "\tAuditors can update noticia"
acl.allow("Auditors","delete","noticia")
print "\tAuditors can delete noticia"
acl.deny("ExternUsers","write","noticia")
print "\tExternUsers can not write noticia"
acl.deny("ExternUsers","update","noticia")
print "\tExternUsers can not update noticia"
acl.deny("ExternUsers","delete","noticia")
print "\tExternUsers can not delete noticia"
print "\t\t[Done]"
if acl.is_allowed("Auditors","write","noticia"):
print "Auditors can write noticia"
else:
print "Auditors can not write noticia"
else:
print 'Command unknown.'
return super(RoleManager,self).get(self,request,*args,**kwargs)
# create access control list
acl = rbac.acl.Registry()
# add roles
acl.add_role("member")
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])
# add resources
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])
# set rules
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")
# use acl to check permission
if acl.is_allowed("student", "view", "course"):
print("Students chould view courses.")
else:
print("Students chould not view courses.")
# use acl to check permission again
if acl.is_allowed("junior-student", "learn", "senior-course"):
print("Junior students chould learn senior courses.")
else:
print("Junior students chould not learn senior courses.")
