def test04_session_permissions(self):
"""
Test the session_perms & check_access method
"""
print_ln('test session_perms')
try:
usr = User(uid="py-user*")
uList = review.find_users(usr)
for idx, entity in enumerate(uList):
if idx % 10 == 0:
sys.stdout.write('')
sys.stdout.flush()
entity.password = '******'
session = access.create_session(entity, False)
if session is None:
self.fail('test_session_permissions failed ' + entity.uid)
if session.user.roles is not None and len(
session.user.roles) > 0:
perms = access.session_perms(session)
for idx2, perm in enumerate(perms):
if idx2 % 10 == 0:
sys.stdout.write('`')
sys.stdout.flush()
result = access.check_access(session, perm)
if not result:
self.fail('test_session_permissions failed uid=' +
entity.uid + ', perm obj name=' +
perm.obj_name + ', op name=' +
perm.op_name + ', obj id=' + perm.obj_id)
print()
except Exception as e:
self.fail('test_session_permissions exception=' + e.msg)
def test02_user_roles(self):
"""
Test the user_roles & is_user_in_role method
"""
print_ln('test user_roles')
try:
usr = User(uid="py-user*")
uList = review.find_users(usr)
for idx, entity in enumerate(uList):
if idx % 10 == 0:
sys.stdout.write('')
sys.stdout.flush()
entity.password = '******'
session = access.create_session(entity, False)
if session is None:
self.fail('test_user_roles failed ' + entity.uid)
if session.user.roles is not None and len(
session.user.roles) > 0:
roles = access.session_roles(session)
for role in roles:
result = access.is_user_in_role(session, role.name)
if not result:
self.fail('test_user_roles failed uid=' +
entity.uid + ', role=' + role)
print()
except Exception as e:
self.fail('test_user_roles exception=' + e)
def __create_test_user(name, number):
label = name + '-' + str(number)
return User(
uid=label,
description=label + ' Role',
password='******',
ou='py-test',
sn=label,
cn=label,
display_name=label,
employee_type='test',
title='test',
phones=['111-111-1111', '222-222-2222'],
mobiles=['333-333-3333', '444-444-4444'],
emails=['*****@*****.**', '*****@*****.**'],
system = False,
props = ['name1:value1', 'name2:value2'],
department_number = '456',
l = 'Somewhere',
physical_delivery_office_name = 'Someplace',
postal_code = '55555',
room_number = '222',
constraint=Constraint(
name=label,
timeout=TIMEOUT,
begin_time=BEGIN_TIME,
end_time=END_TIME,
begin_date=BEGIN_DATE,
end_date=END_DATE,
begin_lock_date=BEGIN_LOCK_DATE,
end_lock_date=END_LOCK_DATE,
day_mask=ALL
)
)
def delete_role(role):
"""
This command deletes an existing role from the RBAC database. The command is valid if and only if the role to be deleted is a member of the ROLES data set.
This command will also deassign role from all users.
required parameters:
role.name - maps to INetOrgPerson uid
"""
utils.validate_role(role)
# if role has members, deassign all.
members, constraint = roledao.get_members_constraint (role)
for member in members:
try:
userdao.deassign(User(uid=member), constraint)
logger.info('admin.delete_role:' + role.name + ', remove assign for user:'******'admin.delete_role:' + role.name + ', assign not exist for user:'******'admin.delete_role:' + role.name + ', remove grant for perm obj_name:' + perm.obj_name + ', op_name:' + perm.op_name)
# now remove the role entry.
return roledao.delete(role)
def main(argv=None): # IGNORE:C0111
'''Command line options.'''
if argv is None:
argv = sys.argv
else:
sys.argv.extend(argv)
parser = argparse.ArgumentParser(
description='Process py-fortress admin and review commands.')
parser.add_argument('entity',
metavar='entity',
choices=[USER, ROLE, PERM, OBJECT],
help='entity name')
parser.add_argument('operation',
metavar='operand',
choices=[
ADD, UPDATE, DELETE, ASSIGN, DEASSIGN, GRANT,
REVOKE, READ, SEARCH
],
help='operation name')
parser.add_argument('-r', '--role', dest='role', help='role name')
parser.add_argument('--phones', nargs="*", default=[])
parser.add_argument('--mobiles', nargs="*", default=[])
parser.add_argument('--emails', nargs="*", default=[])
parser.add_argument('--props', nargs="*", default=[])
add_args(parser, Role())
add_args(parser, User())
add_args(parser, Perm())
add_args(parser, PermObj())
add_args(parser, Constraint())
args = parser.parse_args()
process(args)
def test_active_roles(self):
"""
Test the add_active_role & drop_active_role methods
"""
print_ln('test active_roles')
try:
u = userdao.read(User(uid="foouser1"))
u.password="******"
session=access.create_session (u, False)
if session.user.roles is not None and len(session.user.roles) > 0:
for role in list(access.session_roles(session)):
access.drop_active_role(session, role)
if session.user.roles is None or len(session.user.roles) > 0:
self.fail('test_active_roles did not inactivate all roles in session for uid=' + entity.uid)
for role in list(u.roles):
access.add_active_role(session, role)
if session.user.roles is None or len(session.user.roles) != len(u.roles):
self.fail('test_active_roles did not activate all roles in session for uid=' + entity.uid)
except Exception as e:
self.fail('test_active_roles exception=' + e.msg)
def test_search_users(self):
"""
Test the user search by uid in file
"""
print_ln('test search users by uid')
try:
for user in userdao.search(User(uid="foo*")):
print_entity(user, "search user")
print_entity(userdao.read(user), "read user")
except Exception as e:
self.fail('user search failed, exception=' + e.msg)
def test_search_wild(self):
"""
Test wildcard match
"""
print_ln('test wildmatch users')
us = userdao.search(User(uid="test*"))
try:
us = sorted(map(lambda u: u.uid, us))
except Exception as e:
self.fail('exception ' + e.msg)
if us != ['testuser1', 'testuser2']:
self.fail('wrong set of users in match: ' + dumps(us))
def test_search_users(self):
"""
Test the user search by uid in ldap
"""
print_ln('test search users by uid')
try:
usr = User(uid = "jts*")
uList = userdao.search(usr)
for idx, entity in enumerate(uList) :
print_user(entity, "User[" + str(idx+1) + "]:")
except Exception as e:
self.fail('user search failed, exception=' + e.msg)
def process_perm(args):
perm = load_entity(Perm(), args)
print(args.entity + ' ' + args.operation)
if args.operation == ADD:
admin.add_perm(perm)
elif args.operation == UPDATE:
admin.update_perm(perm)
elif args.operation == DELETE:
admin.delete_perm(perm)
elif args.operation == GRANT:
role_nm = args.role
print('role=' + role_nm)
admin.grant(perm, Role(name=role_nm))
elif args.operation == REVOKE:
role_nm = args.role
print('role=' + role_nm)
admin.revoke(perm, Role(name=role_nm))
elif args.operation == READ:
print_entity(review.read_perm(perm),
perm.obj_name + '.' + perm.op_name)
pass
elif args.operation == SEARCH:
role_nm = args.role
userid = args.uid
prms = []
label = ''
if userid:
label = userid
prms = review.user_perms(User(uid=userid))
elif role_nm:
label = role_nm
prms = review.role_perms(Role(name=role_nm))
else:
if perm.obj_name:
perm.obj_name += '*'
else:
perm.obj_name = '*'
if perm.op_name:
perm.op_name += '*'
else:
perm.op_name = '*'
label = perm.obj_name + '.' + perm.op_name
prms = review.find_perms(perm)
if len(prms) > 0:
for idx, prm in enumerate(prms):
print_entity(prm, label + ':' + str(idx))
else:
print_ln('No matching records found matching filter: ' + label)
else:
print('process_perm failed, invalid operation=' + args.operation)
return False
return True
def test_delete_users(self):
"""
Test the user delete
"""
print_ln('test delete users')
try:
uList = userdao.search(User(uid='py-test*'))
for usr in uList:
entity = userdao.delete(usr)
print_ln("Delete user=" + entity.uid)
except Exception as e:
self.fail('user delete failed, exception=' + e.msg)
def test05_delete_user(self):
"""
Test the user delete user method
"""
print_ln('test_delete_user')
try:
# TODO: search for roles assigned to user and remove the occupant
uList = review.find_users(User(uid='py-user*'))
for usr in uList:
entity = admin.delete_user(usr)
print_ln("Delete user=" + entity.uid)
except Exception as e:
self.fail('test_delete_user failed, exception=' + e.msg)
def test_create_sessions(self):
"""
Test the create_session method
"""
print_ln('test create sessions')
try:
for user in userdao.search(User(uid="*")):
user.password = user.uid
session = access.create_session(user, False)
if session is None:
self.fail('create session {} returned None'.format(user.uid))
print ('session made for user {}'.format(user.uid))
except Exception as e:
self.fail('user create_session exception=' + e.msg)
def test02_assigned_roles(self):
"""
Test the assigned roles method
"""
print_ln('test_assigned_roles')
try:
uList = review.find_users(User(uid='py-user*'))
for usr in uList:
print_ln("Assigned roles user="******"Assigned role", 1)
except Exception as e:
self.fail('test_assigned_roles failed, exception=' + e.msg)
def test04_deassign_user(self):
"""
Test the user deassign method
"""
print_ln('test_deassign_user')
try:
uList = review.find_users(User(uid='py-user*'))
rles = role_test_data.get_test_roles('py-role', 10)
for usr in uList:
for rle in rles:
entity = admin.deassign(usr, rle)
print_ln("Deassign User=" + entity.uid + ', Role=' + rle.name)
except Exception as e:
pass
def test05_user_perms(self):
"""
Test the user perms method
"""
print_ln('test_user_perms')
try:
uList = review.find_users(User(uid='py-user*'))
for usr in uList:
print_ln("Assigned perms user="******"Assigned perm obj name=" + perm.obj_name +
', op name=' + perm.op_name + ', obj id=' +
perm.obj_id, 1)
except Exception as e:
self.fail('test_user_perms failed, exception=' + e.msg)
def test_bind_users(self):
"""
Test the user bind
"""
print_ln('test bind users')
try:
usr = User(uid = "jtsuser*")
uList = userdao.search(usr)
for idx, entity in enumerate(uList) :
entity.password = '******' + str(idx+1)
try:
userdao.authenticate(entity)
except InvalidCredentials as e:
print_ln(e.msg)
#self.fail('user bind invalid creds, user='******'user bind exception=' + e.msg)
def test_bind_users_negative(self):
"""
Test the user bind
"""
print_ln('test bind users')
try:
usr = User(uid = "jtsuser*")
uList = userdao.search(usr)
for idx, entity in enumerate(uList) :
entity.password = '******'
try:
userdao.authenticate(entity)
self.fail('test bind negative failed ' + entity.uid)
except InvalidCredentials:
pass
except Exception as e:
self.fail('user bind failed, exception=' + e.msg)
def main(argv=None):
'''Command line options.'''
if argv is None:
argv = sys.argv
else:
sys.argv.extend(argv)
program_name = 'Process py-fortress access commands.'
parser = argparse.ArgumentParser(description=program_name)
parser.add_argument(
'operation',
metavar='operand',
choices=[AUTH, CHCK, ROLES, PERMS, ADD, DELETE, SHOW, DROP],
help='operation name')
parser.add_argument('-r', '--role', dest='role', help='role name')
add_args(parser, User())
add_args(parser, Perm())
args = parser.parse_args()
process(args)
def process_user(args):
user = load_entity(User(), args)
print(args.entity + ' ' + args.operation)
if not args.uid:
print("error --uid required for entity user")
return False
elif args.operation == ADD:
if not args.name:
args.name = args.uid
constraint = load_entity(Constraint(), args)
user.constraint = constraint
admin.add_user(user)
elif args.operation == UPDATE:
if args.name is not None:
constraint = load_entity(Constraint(), args)
user.constraint = constraint
admin.update_user(user)
elif args.operation == DELETE:
admin.delete_user(user)
elif args.operation == ASSIGN:
role_nm = args.role
print('role=' + role_nm)
admin.assign(user, Role(name=role_nm))
elif args.operation == DEASSIGN:
role_nm = args.role
print('role name=' + role_nm)
admin.deassign(user, Role(name=role_nm))
elif args.operation == READ:
print_user(review.read_user(user), user.uid)
pass
elif args.operation == SEARCH:
user.uid += '*'
users = review.find_users(user)
if len(users) > 0:
for idx, usr in enumerate(users):
print_user(usr, user.uid + ':' + str(idx))
else:
print_ln('No matching records found matching filter: ' + user.uid)
else:
print('process_user failed, invalid operation=' + args.operation)
return False
return True
def test_user_roles(self):
"""
Test the user_roles & is_user_in_role method
"""
print_ln('test user_roles')
try:
for user in userdao.search(User(uid="*")):
user.password = user.uid
session = access.create_session(user, False)
if session is None:
self.fail('create session {} returned None'.format(user.uid))
print ('session made for user {}'.format(user.uid))
if session.user.roles is not None and len(session.user.roles) > 0:
roles = access.session_roles(session)
for role in roles:
result = access.is_user_in_role(session, role)
if not result:
self.fail('test_user_roles failed uid=' + entity.uid + ', role=' + role)
print()
except Exception as e:
self.fail('test_user_roles exception=' + e.msg)
def test01_create_sessions(self):
"""
Test the create_session method
"""
print_ln('test create sessions')
try:
usr = User(uid="py-user*")
uList = review.find_users(usr)
loop_cnt = len(uList)
for idx, entity in enumerate(uList):
if idx % 10 == 0:
sys.stdout.write('')
sys.stdout.flush()
entity.password = '******'
try:
session = access.create_session(entity, False)
if session is None:
self.fail('test create sessions failed ' + entity.uid)
except InvalidCredentials as e:
print_ln(e.msg)
print()
except Exception as e:
self.fail('user create_session exception=' + e.msg)
def __unload(dn, attrs):
entity = User()
entity.dn = dn
attrs = CIDict(attrs)
entity.uid = ldaphelper.get_one_attr_val(attrs.get(global_ids.UID, []))
entity.ou = ldaphelper.get_one_attr_val(attrs.get(global_ids.OU, []))
entity.internal_id = ldaphelper.get_attr_val(
attrs.get(global_ids.INTERNAL_ID, []))
entity.pw_policy = ldaphelper.get_attr_val(attrs.get(PW_POLICY, []))
entity.cn = ldaphelper.get_one_attr_val(attrs.get(global_ids.CN, []))
entity.sn = ldaphelper.get_one_attr_val(attrs.get(global_ids.SN, []))
entity.description = ldaphelper.get_one_attr_val(
attrs.get(global_ids.DESC, []))
entity.display_name = ldaphelper.get_attr_val(attrs.get(DISPLAY_NAME, []))
entity.employee_type = ldaphelper.get_one_attr_val(
attrs.get(EMPLOYEE_TYPE, []))
entity.title = ldaphelper.get_one_attr_val(attrs.get(TITLE, []))
entity.reset = ldaphelper.get_bool(attrs.get(IS_RESET, []))
entity.system = ldaphelper.get_bool(attrs.get(IS_SYSTEM, []))
entity.department_number = ldaphelper.get_one_attr_val(
attrs.get(DEPT_NUM, []))
entity.l = ldaphelper.get_one_attr_val(attrs.get(LOCATION, []))
entity.physical_delivery_office_name = ldaphelper.get_one_attr_val(
attrs.get(PHYSICAL_OFFICE_NM, []))
entity.postal_code = ldaphelper.get_one_attr_val(attrs.get(
POSTAL_CODE, []))
entity.room_number = ldaphelper.get_one_attr_val(attrs.get(RM_NUM, []))
# Get the attr as object:
entity.locked_time = ldaphelper.get_attr_object(attrs.get(LOCKED_TIME, []))
# Get the multi-occurring attrs:
entity.props = ldaphelper.get_list(attrs.get(global_ids.PROPS, []))
entity.phones = ldaphelper.get_list(attrs.get(TELEPHONE_NUMBER, []))
entity.mobiles = ldaphelper.get_list(attrs.get(MOBILE, []))
entity.emails = ldaphelper.get_list(attrs.get(MAIL, []))
entity.roles = ldaphelper.get_list(attrs.get(ROLES, []))
# unload raw user constraint:
entity.constraint = Constraint(
ldaphelper.get_attr_val(attrs.get(global_ids.CONSTRAINT, [])))
# now, unload raw user-role constraints:
rcsRaw = ldaphelper.get_list(attrs.get(ROLE_CONSTRAINTS, []))
if rcsRaw is not None:
entity.role_constraints = []
for rcRaw in rcsRaw:
entity.role_constraints.append(Constraint(rcRaw))
return entity
def process(args):
sess = None
result = False
user = load_entity(User(), args)
perm = load_entity(Perm(), args)
print(args.operation)
try:
if args.operation == AUTH:
sess = access.create_session(user, False)
result = True
elif args.operation == CHCK:
sess = un_pickle()
result = access.check_access(sess, perm)
elif args.operation == ROLES:
sess = un_pickle()
roles = access.session_roles(sess)
for idx, role in enumerate(roles):
print_entity(role, role.name + ':' + str(idx))
result = True
elif args.operation == PERMS:
sess = un_pickle()
perms = access.session_perms(sess)
for idx, perm in enumerate(perms):
print_entity(
perm, perm.obj_name + '.' + perm.op_name + ':' + str(idx))
result = True
elif args.operation == SHOW:
sess = un_pickle()
print_entity(sess, 'session')
print_user(sess.user, 'user')
result = True
elif args.operation == ADD:
sess = un_pickle()
if not args.role:
print("error --role required for this op")
return False
print('role=' + args.role)
access.add_active_role(sess, args.role)
result = True
elif args.operation == DROP:
sess = un_pickle()
if not args.role:
print("error --role required for this op")
return False
print('role=' + args.role)
access.drop_active_role(sess, args.role)
result = True
else:
print('process failed, invalid operation=' + args.operation)
if result:
print('success')
else:
print('failed')
pickle_it(sess)
except RbacError as e:
if e.id == global_ids.ACTV_FAILED_DAY:
print('failed day of week, id=' + str(e.id) + ', msg=' + e.msg)
elif e.id == global_ids.ACTV_FAILED_DATE:
print('failed for date, id=' + str(e.id) + ', msg=' + e.msg)
elif e.id == global_ids.ACTV_FAILED_TIME:
print('failed for time of day, id=' + str(e.id) + ', msg=' + e.msg)
elif e.id == global_ids.ACTV_FAILED_TIMEOUT:
print('failed inactivity timeout, id=' + str(e.id) + ', msg=' +
e.msg)
elif e.id == global_ids.ACTV_FAILED_LOCK:
print('failed locked date')
else:
print('RbacError id=' + str(e.id) + ', ' + e.msg)
def test03_active_roles(self):
"""
Test the add_active_role & drop_active_role methods
"""
print_ln('test active_roles')
try:
usr = User(uid="py-user*")
uList = review.find_users(usr)
for idx, entity in enumerate(uList):
if idx % 10 == 0:
sys.stdout.write('')
sys.stdout.flush()
entity.password = '******'
session = access.create_session(entity, False)
if session is None:
self.fail('test_active_roles failed ' + entity.uid)
if session.user.roles is not None and len(
session.user.roles) > 0:
roles = access.session_roles(session)
active_roles = list(roles)
# now deactivate all of the roles:
for idx2, role in enumerate(active_roles):
if idx2 % 10 == 0:
sys.stdout.write('`')
sys.stdout.flush()
result = access.is_user_in_role(session, role.name)
if not result:
self.fail('test_active_roles failed uid=' +
entity.uid + ', role=' + role)
access.drop_active_role(session, role.name)
result = access.is_user_in_role(session, role.name)
if result:
self.fail(
'test_active_roles negative failed uid=' +
entity.uid + ', role=' + role)
if session.user.roles is None or len(
session.user.roles) > 0:
self.fail(
'test_active_roles did not inactivate all roles in session for uid='
+ entity.uid)
# now activate all of the roles once again:
for idx2, role in enumerate(active_roles):
if idx2 % 10 == 0:
sys.stdout.write('`')
sys.stdout.flush()
result = access.is_user_in_role(session, role.name)
if result:
self.fail(
'test_active_roles failed inactive negative check uid='
+ entity.uid + ', role=' + role)
access.add_active_role(session, role.name)
result = access.is_user_in_role(session, role.name)
if not result:
self.fail(
'test_active_roles failed inactive positive check uid='
+ entity.uid + ', role=' + role)
if session.user.roles is None or len(
session.user.roles) != len(active_roles):
self.fail(
'test_active_roles did not activate all roles in session for uid='
+ entity.uid)
print()
except Exception as e:
self.fail('test_active_roles exception=' + e.msg)