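def test_save_policy(self):
    """Replace a system's access policy as ``self.owner`` and verify it.

    Logs in as ``self.owner`` and PUTs a rule list to
    ``systems/<fqdn>/access-policy`` that keeps existing rules 0 and 2,
    omits the remaining one and adds a ``control_system`` rule for
    everybody. The policy is then reloaded and must contain exactly three
    rules with the expected permissions.
    """
    s = requests.Session()
    # NOTE(review): the password literal looks masked in this copy; it has
    # to match whatever the fixture sets for self.owner -- confirm.
    s.post(get_server_base() + 'login',
           data={'user_name': self.owner.user_name,
                 'password': '******'}).raise_for_status()
    response = put_json(
        get_server_base() + 'systems/%s/access-policy' % self.system.fqdn,
        session=s,
        data={'rules': [
            # keep two existing rules, drop the other
            {'id': self.policy.rules[0].id, 'permission': 'view',
             'everybody': True, 'user': None, 'group': None},
            {'id': self.policy.rules[2].id, 'permission': 'edit_system',
             'user': None, 'group': self.privileged_group.group_name},
            # .. and add a new rule
            {'permission': 'control_system', 'everybody': True,
             'user': None, 'group': None},
        ]})
    response.raise_for_status()
    with session.begin():
        # Discard cached ORM state so the assertions see what the server
        # actually persisted.
        session.expire_all()
        # assertEqual replaces the deprecated assertEquals alias.
        self.assertEqual(len(self.policy.rules), 3)
        self.assertEqual(self.policy.rules[0].permission,
                         SystemPermission.view)
        self.assertEqual(self.policy.rules[1].permission,
                         SystemPermission.edit_system)
        self.assertEqual(self.policy.rules[2].permission,
                         SystemPermission.control_system)
        self.assertEqual(self.policy.rules[2].everybody, True)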
def test_cannot_add_deleted_user_to_access_policy(self):
    """A removed user must not be grantable on a pool access policy.

    Creates a user, marks it removed, then tries to add a rule naming that
    user through both pool endpoints: the whole-policy PUT and the
    single-rule POST. Each must answer 400 with the same error text, so
    the check cannot be sidestepped by picking the other API.
    """
    with session.begin():
        removed_account = data_setup.create_user()
        removed_account.removed = datetime.datetime.utcnow()
        rejected_rule = {'user': removed_account.user_name,
                         'permission': 'edit'}

    http = requests.Session()
    login_url = get_server_base() + 'login'
    credentials = {
        'user_name': self.owner.user_name,
        'password': '******'
    }
    http.post(login_url, data=credentials).raise_for_status()

    # Two different APIs for manipulating access policy rules
    policy_url = (get_server_base()
                  + 'pools/%s/access-policy/' % self.pool.name)
    response = put_json(policy_url, session=http,
                        data={'rules': [rejected_rule]})
    self.assertEqual(response.status_code, 400)
    expected_text = ('Cannot add deleted user %s to access policy'
                     % removed_account.user_name)
    self.assertEqual(response.text, expected_text)

    rules_url = (get_server_base()
                 + 'pools/%s/access-policy/rules/' % self.pool.name)
    response = post_json(rules_url, session=http, data=rejected_rule)
    self.assertEqual(response.status_code, 400)
    self.assertEqual(response.text, expected_text)
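def test_unprivileged_user_cannot_save_policy(self):
    """An authenticated user without rights gets 403 on a policy PUT.

    A freshly created user logs in and PUTs an empty rule list to
    ``systems/<fqdn>/access-policy``. The server must refuse with 403
    (authenticated but not authorised).
    """
    with session.begin():
        user = data_setup.create_user(password='******')
    s = requests.Session()
    s.post(get_server_base() + 'login',
           data={'user_name': user.user_name,
                 'password': '******'}).raise_for_status()
    # NOTE(review): an empty rule list would presumably drop every rule if
    # the request were accepted, so the 403 is what protects the policy.
    response = put_json(
        get_server_base() + 'systems/%s/access-policy' % self.system.fqdn,
        session=s, data={'rules': []})
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(response.status_code, 403)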
def test_cannot_create_keystone_trust_if_openstack_is_disabled(self):
    """Creating a Keystone trust is rejected when OpenStack is not set up.

    Skipped when ``openstack.identity_api_url`` is configured. Otherwise a
    PUT to ``users/<name>/keystone-trust`` must return 400 and mention
    that OpenStack integration is not enabled.
    """
    identity_api_url = config.get('openstack.identity_api_url')
    if identity_api_url:
        raise SkipTest('OpenStack integration is enabled')

    with session.begin():
        target = data_setup.create_user()

    http = requests.Session()
    # requests_login() is called without credentials here; which account
    # that selects is decided by the helper, not visible in this test.
    requests_login(http)

    trust_url = (get_server_base()
                 + 'users/%s/keystone-trust' % target.user_name)
    payload = {'openstack_username': u'dummyuser'}
    response = put_json(trust_url, session=http, data=payload)

    self.assertEqual(response.status_code, 400)
    self.assertIn('OpenStack Integration is not enabled', response.text)
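def test_save_policy(self):
    """Replace a system's access policy and check rules and activity log.

    Logs in as ``self.owner`` and PUTs a rule list that keeps existing
    rules 0 and 2, omits the remaining one, and adds one group rule and
    one user rule. After reloading, the policy must hold exactly four
    rules with the expected subjects, and ``self.system.activity`` must
    record the two additions and the one removal, so the change to who
    may access the system is recorded.
    """
    with session.begin():
        other_user = data_setup.create_user()
        other_group = data_setup.create_group()
    s = requests.Session()
    s.post(get_server_base() + 'login',
           data={'user_name': self.owner.user_name,
                 'password': '******'}).raise_for_status()
    response = put_json(
        get_server_base() + 'systems/%s/access-policy' % self.system.fqdn,
        session=s,
        data={'rules': [
            # keep two existing rules, drop the other
            {'id': self.policy.rules[0].id, 'permission': 'view',
             'everybody': True, 'user': None, 'group': None},
            {'id': self.policy.rules[2].id, 'permission': 'edit_system',
             'user': None, 'group': self.privileged_group.group_name},
            # .. and two new rules
            {'permission': 'control_system', 'everybody': False,
             'user': None, 'group': other_group.group_name},
            {'permission': 'reserve', 'everybody': False,
             'user': other_user.user_name, 'group': None},
        ]})
    response.raise_for_status()
    with session.begin():
        # Discard cached ORM state so the assertions see what the server
        # actually persisted.
        session.expire_all()
        # assertEqual replaces the deprecated assertEquals alias throughout.
        self.assertEqual(len(self.policy.rules), 4)
        self.assertEqual(self.policy.rules[0].permission,
                         SystemPermission.view)
        self.assertEqual(self.policy.rules[0].everybody, True)
        self.assertEqual(self.policy.rules[1].permission,
                         SystemPermission.edit_system)
        self.assertEqual(self.policy.rules[1].group, self.privileged_group)
        self.assertEqual(self.policy.rules[2].permission,
                         SystemPermission.control_system)
        self.assertEqual(self.policy.rules[2].group, other_group)
        self.assertEqual(self.policy.rules[3].permission,
                         SystemPermission.reserve)
        self.assertEqual(self.policy.rules[3].user, other_user)
        # Activity entries are checked from index 0 upwards: the two added
        # rules first, then the rule that was left out of the PUT.
        self.assertEqual(self.system.activity[0].action, u'Added')
        self.assertEqual(self.system.activity[0].field_name,
                         u'Access Policy Rule')
        self.assertEqual(self.system.activity[0].new_value,
                         u'User:%s:reserve' % other_user.user_name)
        self.assertEqual(self.system.activity[1].action, u'Added')
        self.assertEqual(self.system.activity[1].field_name,
                         u'Access Policy Rule')
        self.assertEqual(self.system.activity[1].new_value,
                         u'Group:%s:control_system' % other_group.group_name)
        self.assertEqual(self.system.activity[2].action, u'Removed')
        self.assertEqual(self.system.activity[2].field_name,
                         u'Access Policy Rule')
        self.assertEqual(self.system.activity[2].old_value,
                         u'Everybody::reserve')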
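def test_cant_return_sneakily(self):
    """A user cannot end a reservation held by somebody else.

    The browser session (logged in as admin) takes a shared manual system
    and waits for the "Reserved" label. A second, separately created user
    then PUTs ``finish_time='now'`` to ``reservations/+current`` for that
    system; the server must answer 403 with "Cannot return system".
    """
    with session.begin():
        system = data_setup.create_system(shared=True,
                                          status=SystemStatus.manual)
        user = data_setup.create_user(password=u'password')
    b = self.browser
    login(b)  # login as admin
    b.get(get_server_base() + 'view/%s' % system.fqdn)
    b.find_element_by_link_text('Take').click()
    # Locating the "Reserved" label confirms the reservation exists before
    # the other user tries to end it.
    b.find_element_by_xpath('//div[contains(@class, "system-quick-usage")]'
                            '//span[@class="label" and text()="Reserved"]')

    # Test for https://bugzilla.redhat.com/show_bug.cgi?id=747328
    s = requests.Session()
    requests_login(s, user.user_name, 'password')
    response = put_json(
        get_server_base() + 'systems/%s/reservations/+current' % system.fqdn,
        session=s, data=dict(finish_time='now'))
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(response.status_code, 403)
    self.assertIn('Cannot return system', response.text)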
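def test_cannot_return_running_recipe(self):
    """A system with a running recipe cannot be returned, via UI or API.

    The system page must not offer a "Return" link. Because hiding the
    link is not a control on its own, the test also sends the PUT to
    ``reservations/+current`` directly and expects 400 with a message
    naming the running recipe.
    """
    with session.begin():
        recipe = data_setup.create_recipe()
        data_setup.create_job_for_recipes([recipe])
        data_setup.mark_recipe_running(recipe)
        system = recipe.resource.system
    b = self.browser
    login(b)
    b.get(get_server_base() + 'view/%s' % system.fqdn)
    # "Return" button should be absent
    b.find_element_by_xpath('//div[contains(@class, "system-quick-usage")'
                            ' and not(.//a[text()="Return"])]')
    # try doing it directly
    s = requests.Session()
    requests_login(s)
    response = put_json(
        get_server_base() + 'systems/%s/reservations/+current' % system.fqdn,
        session=s, data=dict(finish_time='now'))
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(response.status_code, 400)
    self.assertEqual(response.text,
                     'Cannot return system with running %s' % recipe.t_id)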
def test_cannot_add_deleted_user_to_access_policy(self):
    """A removed user must not be grantable on a system access policy.

    Creates a user, marks it removed, then tries to add a rule naming that
    user through both system endpoints: the whole-policy PUT and the
    single-rule POST. Each must answer 400 with the same error text, so
    the check cannot be sidestepped by picking the other API.
    """
    with session.begin():
        removed_account = data_setup.create_user()
        removed_account.removed = datetime.datetime.utcnow()
        rejected_rule = {'user': removed_account.user_name,
                         'permission': 'edit'}

    http = requests.Session()
    login_url = get_server_base() + 'login'
    credentials = {'user_name': self.owner.user_name,
                   'password': '******'}
    http.post(login_url, data=credentials).raise_for_status()

    # Two different APIs for manipulating access policy rules
    policy_url = (get_server_base()
                  + 'systems/%s/access-policy' % self.system.fqdn)
    response = put_json(policy_url, session=http,
                        data={'rules': [rejected_rule]})
    self.assertEqual(response.status_code, 400)
    expected_text = ('Cannot add deleted user %s to access policy'
                     % removed_account.user_name)
    self.assertEqual(response.text, expected_text)

    rules_url = (get_server_base()
                 + 'systems/%s/access-policy/rules/' % self.system.fqdn)
    response = post_json(rules_url, session=http, data=rejected_rule)
    self.assertEqual(response.status_code, 400)
    self.assertEqual(response.text, expected_text)
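def test_system_reserved_on_recipe(self):
    """The system's owner can return a system held by a reservesys recipe.

    Sets up a recipe with ``reservesys=True`` whose tasks have finished on
    a system owned by ``user``, and checks the recipe is in the reserved
    state. The owner then PUTs ``finish_time='now'`` to
    ``reservations/+current``; afterwards the job must be completed and
    the system must have no current user.
    """
    with session.begin():
        user = data_setup.create_user(password=u'password')
        lc = data_setup.create_labcontroller()
        system = data_setup.create_system(owner=user, lab_controller=lc)
        recipe = data_setup.create_recipe(reservesys=True)
        job = data_setup.create_job_for_recipes([recipe])
        data_setup.mark_recipe_tasks_finished(recipe, system=system)
        job.update_status()
        # assertEqual replaces the deprecated assertEquals alias.
        self.assertEqual(recipe.status, TaskStatus.reserved)
    s = requests.Session()
    requests_login(s, user.user_name, 'password')
    response = put_json(
        get_server_base() + 'systems/%s/reservations/+current' % system.fqdn,
        session=s, data=dict(finish_time='now'))
    response.raise_for_status()
    with session.begin():
        # Discard cached ORM state before re-reading job and system.
        session.expire_all()
        job.update_status()
        self.assertEqual(job.status, TaskStatus.completed)
        # Identity check: the reservation must be cleared, not merely
        # compare equal to None.
        self.assertIsNone(system.user)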
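def test_anonymous_cannot_save_policy(self):
    """An unauthenticated policy PUT is rejected with 401.

    No session is passed to ``put_json`` and no login is performed, so
    the request carries no credentials established by this test. The
    expected status is 401, not the 403 that an authenticated but
    unauthorised caller would get.
    """
    response = put_json(
        get_server_base() + 'systems/%s/access-policy' % self.system.fqdn,
        data={'rules': []})
    # assertEqual replaces the deprecated assertEquals alias.
    self.assertEqual(response.status_code, 401)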