Example #1
 def test_can_create_but_no_cluster(
     self, cluster_scoped_permission_obj, project_id, cluster_id
 ):
     """Scenario: cluster-scoped create permission is held, cluster permission is not.

     ``can_create`` must raise ``PermissionDeniedError``, and the
     ``apply_url`` stored under ``data['perms']`` must equal the URL
     generated for the cluster-view and project-view requests built below.
     """
     username = roles.CLUSTER_SCOPED_NO_CLUSTER_USER
     ctx = ClusterScopedPermCtx(
         username=username, project_id=project_id, cluster_id=cluster_id)

     # Deny path: pytest.raises fails the test unless the check raises.
     with pytest.raises(PermissionDeniedError) as denied:
         cluster_scoped_permission_obj.can_create(ctx)

     actual_url = denied.value.data['perms']['apply_url']

     cluster_view = ActionResourcesRequest(
         ClusterAction.VIEW,
         resource_type=ResourceType.Cluster,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     # The apply URL must name exactly these requests, in this order.
     expected_url = generate_apply_url(username, [cluster_view, project_view])
     assert actual_url == expected_url
Example #2
 def test_can_not_manage(self, cluster_permission_obj, project_id, cluster_id):
     """Scenario: no cluster manage permission (and no project view permission).

     Calling ``manage_cluster`` with the anonymous user's context must raise
     ``PermissionDeniedError`` whose ``data['apply_url']`` equals the URL
     generated for cluster manage, cluster view and project view.
     """
     username = roles.ANONYMOUS_USER
     ctx = ClusterPermCtx(
         username=username, project_id=project_id, cluster_id=cluster_id)

     # NOTE(review): cluster_permission_obj is requested but not used in the
     # body - presumably the fixture is needed for its setup; confirm.
     with pytest.raises(PermissionDeniedError) as denied:
         manage_cluster(ctx)

     # This test reads 'apply_url' from the top level of the error data.
     actual_url = denied.value.data['apply_url']

     cluster_manage = ActionResourcesRequest(
         ClusterAction.MANAGE,
         resource_type=ClusterPermission.resource_type,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     cluster_view = ActionResourcesRequest(
         ClusterAction.VIEW,
         resource_type=ClusterPermission.resource_type,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ProjectPermission.resource_type,
         resources=[project_id],
     )
     expected_url = generate_apply_url(
         username, [cluster_manage, cluster_view, project_view])
     assert actual_url == expected_url
Example #3
 def test_can_manage_but_no_view(
     self, cluster_permission_obj, project_id, cluster_id
 ):
     """Scenario: cluster manage permission is held, cluster view is not.

     ``can_manage`` must raise ``PermissionDeniedError``; the expected
     apply URL covers cluster view and project view and does not include
     the manage action.
     """
     username = roles.CLUSTER_MANAGE_NOT_VIEW_USER
     ctx = ClusterPermCtx(
         username=username, project_id=project_id, cluster_id=cluster_id)

     # Holding the manage action alone must not be enough to pass the check.
     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_manage(ctx)

     actual_url = denied.value.data['perms']['apply_url']

     cluster_view = ActionResourcesRequest(
         ClusterAction.VIEW,
         resource_type=ResourceType.Cluster,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     expected_url = generate_apply_url(username, [cluster_view, project_view])
     assert actual_url == expected_url
Example #4
 def test_can_not_instantiate(
     self, templateset_permission_obj, project_id, template_id
 ):
     """Scenario: no templateset instantiate permission (and no project view).

     ``can_instantiate`` must raise ``PermissionDeniedError`` for the
     anonymous user, with an apply URL covering templateset instantiate,
     templateset view and project view.
     """
     username = roles.ANONYMOUS_USER
     ctx = TemplatesetPermCtx(
         username=username, project_id=project_id, template_id=template_id)

     with pytest.raises(PermissionDeniedError) as denied:
         templateset_permission_obj.can_instantiate(ctx)

     actual_url = denied.value.data['perms']['apply_url']

     instantiate = ActionResourcesRequest(
         TemplatesetAction.INSTANTIATE,
         resource_type=ResourceType.Templateset,
         resources=[template_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     templateset_view = ActionResourcesRequest(
         TemplatesetAction.VIEW,
         resource_type=ResourceType.Templateset,
         resources=[template_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     expected_url = generate_apply_url(
         username, [instantiate, templateset_view, project_view])
     assert actual_url == expected_url
Example #5
 def test_can_not_create(self, cluster_permission_obj, project_id, cluster_id):
     """Scenario: no cluster create permission (and no project view permission).

     The context carries no ``cluster_id``; the expected create request is
     made against the project resource. ``can_create`` must raise
     ``PermissionDeniedError`` for the anonymous user.
     """
     username = roles.ANONYMOUS_USER
     ctx = ClusterPermCtx(username=username, project_id=project_id)

     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_create(ctx)

     actual_url = denied.value.data['perms']['apply_url']

     # Cluster creation is requested on the project, so no parent chain.
     cluster_create = ActionResourcesRequest(
         ClusterAction.CREATE,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     expected_url = generate_apply_url(username, [cluster_create, project_view])
     assert actual_url == expected_url
Example #6
 def test_can_not_view_but_project(
     self, cluster_permission_obj, project_id, cluster_id
 ):
     """Scenario: no cluster view permission (project view permission is held).

     Delegates to ``self._test_can_not_view`` with the requests the apply
     URL is expected to contain.
     """
     cluster_view = ActionResourcesRequest(
         ClusterAction.VIEW,
         resource_type=ResourceType.Cluster,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     # NOTE(review): project view is still expected here although the
     # scenario says the user holds it - presumably the apply URL always
     # carries the parent permission; confirm against the helper.
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     self._test_can_not_view(
         roles.PROJECT_NO_CLUSTER_USER,
         cluster_permission_obj,
         project_id,
         cluster_id,
         expected_action_list=[cluster_view, project_view],
     )
Example #7
 def test_can_not_view(self, cluster_permission_obj, project_id, cluster_id):
     """Scenario: no cluster view permission (and no project view permission).

     Delegates to ``self._test_can_not_view`` for the anonymous user; both
     the cluster-view and the project-view request are expected.
     """
     # Resource types are read from the permission objects, not hard-coded.
     cluster_view = ActionResourcesRequest(
         ClusterAction.VIEW,
         resource_type=cluster_permission_obj.resource_type,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ProjectPermission.resource_type,
         resources=[project_id],
     )
     self._test_can_not_view(
         roles.ANONYMOUS_USER,
         cluster_permission_obj,
         project_id,
         cluster_id,
         expected_action_list=[cluster_view, project_view],
     )
Example #8
 def test_can_view_but_no_project(
     self, cluster_permission_obj, project_id, cluster_id
 ):
     """Scenario: cluster view permission is held, project view is not.

     Delegates to ``self._test_can_not_view``; the only request expected
     in the apply URL is project view.
     """
     # Only the missing parent permission is expected, not cluster view.
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ProjectPermission.resource_type,
         resources=[project_id],
     )
     self._test_can_not_view(
         roles.CLUSTER_NO_PROJECT_USER,
         cluster_permission_obj,
         project_id,
         cluster_id,
         expected_action_list=[project_view],
     )
Example #9
 def test_can_manage_but_no_project(
     self, cluster_permission_obj, project_id, cluster_id
 ):
     """Scenario: cluster manage permission is held, project permission is not.

     ``can_manage`` must raise ``PermissionDeniedError``, and the apply URL
     must request project view only.
     """
     username = roles.CLUSTER_NO_PROJECT_USER
     ctx = ClusterPermCtx(
         username=username, project_id=project_id, cluster_id=cluster_id)

     # A permission on the cluster must not pass without project view.
     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_manage(ctx)

     actual_url = denied.value.data['perms']['apply_url']

     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     expected_url = generate_apply_url(username, [project_view])
     assert actual_url == expected_url
Example #10
 def test_can_instantiate_but_no_project(
     self, templateset_permission_obj, project_id, template_id
 ):
     """Scenario: templateset instantiate permission is held, project view is not.

     ``can_instantiate`` must raise ``PermissionDeniedError``, and the
     apply URL must request project view only.
     """
     username = roles.TEMPLATESET_NO_PROJECT_USER
     ctx = TemplatesetPermCtx(
         username=username, project_id=project_id, template_id=template_id)

     # A permission on the templateset must not pass without project view.
     with pytest.raises(PermissionDeniedError) as denied:
         templateset_permission_obj.can_instantiate(ctx)

     actual_url = denied.value.data['perms']['apply_url']

     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     expected_url = generate_apply_url(username, [project_view])
     assert actual_url == expected_url
Example #11
    def test_can_not_instantiate_in_ns(
        self,
        templateset_permission_obj,
        namespace_scoped_permission_obj,
        project_id,
        template_id,
        cluster_id,
        namespace,
    ):
        """Scenario: templateset instantiate is held, instantiating into the namespace is not.

        ``can_instantiate_in_ns`` must raise ``PermissionDeniedError``. The
        expected apply URL covers the four namespace-scoped actions
        (create, view, update, delete), namespace view, cluster view and
        project view, in that order.
        """
        username = roles.PROJECT_TEMPLATESET_USER
        ctx = TemplatesetPermCtx(
            username=username, project_id=project_id, template_id=template_id)

        # NOTE(review): namespace_scoped_permission_obj is requested but not
        # used in the body - presumably needed for fixture setup; confirm.
        with pytest.raises(PermissionDeniedError) as denied:
            templateset_permission_obj.can_instantiate_in_ns(
                ctx, cluster_id, namespace)

        iam_ns_id = calc_iam_ns_id(cluster_id, namespace)
        actual_url = denied.value.data['perms']['apply_url']

        def namespace_request(action):
            # Every namespace request hangs off project -> cluster; a fresh
            # parent chain is built for each request.
            return ActionResourcesRequest(
                action,
                ResourceType.Namespace,
                resources=[iam_ns_id],
                parent_chain=[
                    IAMResource(ResourceType.Project, project_id),
                    IAMResource(ResourceType.Cluster, cluster_id),
                ],
            )

        namespace_actions = (
            NamespaceScopedAction.CREATE,
            NamespaceScopedAction.VIEW,
            NamespaceScopedAction.UPDATE,
            NamespaceScopedAction.DELETE,
            NamespaceAction.VIEW,
        )
        expected_requests = [namespace_request(a) for a in namespace_actions]
        expected_requests.append(
            ActionResourcesRequest(
                ClusterAction.VIEW,
                ResourceType.Cluster,
                resources=[cluster_id],
                parent_chain=[IAMResource(ResourceType.Project, project_id)],
            )
        )
        expected_requests.append(
            ActionResourcesRequest(
                ProjectAction.VIEW,
                ResourceType.Project,
                resources=[project_id],
            )
        )

        expected_url = generate_apply_url(username, expected_requests)
        assert actual_url == expected_url