def setUpClass(cls):
super(UserScopeDatastoreFunctionTest, cls).setUpClass()
user = auth_db.UserDB(name='stanley')
user.save()
scope = kvp_const.FULL_USER_SCOPE
cls.kvps = {}
# Plain keys
keys = {
'stanley:foo': 'bar',
'stanley:foo_empty': '',
'stanley:foo_null': None
}
for k, v in six.iteritems(keys):
instance = kvp_db.KeyValuePairDB(name=k, value=v, scope=scope)
cls.kvps[k] = kvp_db_access.KeyValuePair.add_or_update(instance)
# Secret key
keys = {'stanley:fu': 'bar', 'stanley:fu_empty': ''}
for k, v in six.iteritems(keys):
value = crypto.symmetric_encrypt(
kvp_api.KeyValuePairAPI.crypto_key, v)
instance = kvp_db.KeyValuePairDB(name=k,
value=value,
scope=scope,
secret=True)
cls.kvps[k] = kvp_db_access.KeyValuePair.add_or_update(instance)
def check_permission(inquiry, requester):
# Normalize user object.
user_db = (auth_db_models.UserDB(requester) if isinstance(
requester, six.string_types) else requester)
# Deny by default
roles_passed = False
users_passed = False
# Determine role-level permissions
roles = getattr(inquiry, 'roles', [])
if not roles:
# No roles definition so we treat it as a pass
roles_passed = True
for role in roles:
user_has_role = rbac_utils.user_has_role(user_db, role)
LOG.debug('Checking user %s is in role %s - %s' %
(user_db, role, user_has_role))
if user_has_role:
roles_passed = True
break
# Determine user-level permissions
users = getattr(inquiry, 'users', [])
if not users or user_db.name in users:
users_passed = True
# Thow exception if either permission check failed.
if not roles_passed or not users_passed:
raise inquiry_exceptions.InquiryResponseUnauthorized(
str(inquiry.id), requester)
def setUpClass(cls):
super(SystemScopeDatastoreFunctionTest, cls).setUpClass()
user = auth_db.UserDB(name="stanley")
user.save()
scope = kvp_const.FULL_SYSTEM_SCOPE
cls.kvps = {}
# Plain key
keys = {"foo": "bar", "foo_empty": "", "foo_null": None}
for k, v in six.iteritems(keys):
instance = kvp_db.KeyValuePairDB(name=k, value=v, scope=scope)
cls.kvps[k] = kvp_db_access.KeyValuePair.add_or_update(instance)
# Secret key
keys = {"fu": "bar", "fu_empty": ""}
for k, v in six.iteritems(keys):
value = crypto.symmetric_encrypt(
kvp_api.KeyValuePairAPI.crypto_key, v)
instance = kvp_db.KeyValuePairDB(name=k,
value=value,
scope=scope,
secret=True)
cls.kvps[k] = kvp_db_access.KeyValuePair.add_or_update(instance)
def test_get_key(self, deseralize_key_value, KeyValuePair):
key, value = ('Lindsay', 'Lohan')
decrypt = False
KeyValuePair.get_by_scope_and_name().value = value
deseralize_key_value.return_value = value
result = kv_utl.get_key(key=key,
user_db=auth_db.UserDB(name=USER),
decrypt=decrypt)
self.assertEqual(result, value)
KeyValuePair.get_by_scope_and_name.assert_called_with(
FULL_USER_SCOPE, 'stanley:%s' % key)
deseralize_key_value.assert_called_once_with(value, decrypt)
def setUpClass(cls):
super(UserScopeDatastoreFunctionTest, cls).setUpClass()
user = auth_db.UserDB(name='stanley')
user.save()
def setUp(self):
super(InquiryRBACControllerTestCase, self).setUp()
self.models = self.fixtures_loader.save_fixtures_to_db(
fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES)
# Insert mock users, roles and assignments
assignments = {
"user_get_db": {
"roles": ["role_get"],
"permissions": [rbac_types.PermissionType.INQUIRY_VIEW],
"resource_type": rbac_types.ResourceType.INQUIRY,
"resource_uid": 'inquiry'
},
"user_list_db": {
"roles": ["role_list"],
"permissions": [rbac_types.PermissionType.INQUIRY_LIST],
"resource_type": rbac_types.ResourceType.INQUIRY,
"resource_uid": 'inquiry'
},
"user_respond_db": {
"roles": ["role_respond"],
"permissions": [rbac_types.PermissionType.INQUIRY_RESPOND],
"resource_type": rbac_types.ResourceType.INQUIRY,
"resource_uid": 'inquiry'
},
"user_respond_paramtest": {
"roles": ["role_respond_2"],
"permissions": [rbac_types.PermissionType.INQUIRY_RESPOND],
"resource_type": rbac_types.ResourceType.INQUIRY,
"resource_uid": 'inquiry'
},
"user_respond_inherit": {
"roles": ["role_inherit"],
"permissions": [rbac_types.PermissionType.ACTION_EXECUTE],
"resource_type": rbac_types.ResourceType.ACTION,
"resource_uid": 'action:wolfpack:inquiry-workflow'
}
}
# Create users
for user in assignments.keys():
user_db = auth_db_models.UserDB(name=user)
user_db = auth_db_access.User.add_or_update(user_db)
self.users[user] = user_db
# Create grants and assign to roles
for assignment_details in assignments.values():
grant_db = rbac_db_models.PermissionGrantDB(
permission_types=assignment_details["permissions"],
resource_uid=assignment_details["resource_uid"],
resource_type=assignment_details["resource_type"])
grant_db = rbac_db_access.PermissionGrant.add_or_update(grant_db)
permission_grants = [str(grant_db.id)]
for role in assignment_details["roles"]:
role_db = rbac_db_models.RoleDB(
name=role, permission_grants=permission_grants)
rbac_db_access.Role.add_or_update(role_db)
# Assign users to roles
for user_name, assignment_details in assignments.items():
user_db = self.users[user_name]
for role in assignment_details['roles']:
role_assignment_db = rbac_db_models.UserRoleAssignmentDB(
user=user_db.name,
role=role,
source='assignments/%s.yaml' % user_db.name)
rbac_db_access.UserRoleAssignment.add_or_update(
role_assignment_db)
# Create Inquiry
data = {
'action': 'wolfpack.ask',
'parameters': {
"roles": ['role_respond']
}
}
result = {
"schema": SCHEMA_DEFAULT,
"roles": ['role_respond'],
"users": [],
"route": "",
"ttl": 1440
}
result_default = {
"schema": SCHEMA_DEFAULT,
"roles": [],
"users": [],
"route": "",
"ttl": 1440
}
# Use admin user for creating test objects
user_db = self.users['admin']
self.use_user(user_db)
# Create workflow
wf_data = {'action': 'wolfpack.inquiry-workflow'}
post_resp = self.app.post_json('/v1/executions', wf_data)
wf_id = str(post_resp.json.get('id'))
inquiry_with_parent = {
'action': 'wolfpack.ask',
# 'parameters': {},
'context': {
"parent": {
'execution_id': wf_id
}
}
}
resp = self._do_create_inquiry(data, result)
self.assertEqual(resp.status_int, http_client.OK)
self.inquiry_id = resp.json.get('id')
# Validated expected context for inquiries under RBAC
expected_context = {
'pack': 'wolfpack',
'user': '******',
'rbac': {
'user': '******',
'roles': ['admin']
}
}
self.assertEqual(resp.json['context'], expected_context)
# Create inquiry in workflow
resp = self._do_create_inquiry(inquiry_with_parent, result_default)
self.assertEqual(resp.status_int, http_client.OK)
self.inquiry_inherit_id = resp.json.get('id')
# Validated expected context for inquiries under RBAC
expected_context = {
'pack': 'wolfpack',
'parent': {
'execution_id': wf_id
},
'user': '******',
'rbac': {
'user': '******',
'roles': ['admin']
}
}
self.assertEqual(resp.json['context'], expected_context)
