def test_save_policy(self):
s = requests.Session()
s.post(get_server_base() + 'login', data={'user_name': self.owner.user_name,
'password': '******'}).raise_for_status()
response = put_json(get_server_base() +
'systems/%s/access-policy' % self.system.fqdn, session=s,
data={'rules': [
# keep two existing rules, drop the other
{'id': self.policy.rules[0].id, 'permission': 'view',
'everybody': True, 'user': None, 'group': None},
{'id': self.policy.rules[2].id, 'permission': 'edit_system',
'user': None, 'group': self.privileged_group.group_name},
# .. and add a new rule
{'permission': 'control_system', 'everybody': True,
'user': None, 'group': None},
]})
response.raise_for_status()
with session.begin():
session.expire_all()
self.assertEquals(len(self.policy.rules), 3)
self.assertEquals(self.policy.rules[0].permission,
SystemPermission.view)
self.assertEquals(self.policy.rules[1].permission,
SystemPermission.edit_system)
self.assertEquals(self.policy.rules[2].permission,
SystemPermission.control_system)
self.assertEquals(self.policy.rules[2].everybody, True)
def test_save_policy(self):
s = requests.Session()
s.post(get_server_base() + 'login', data={'user_name': self.owner.user_name,
'password': '******'}).raise_for_status()
response = put_json(get_server_base() +
'systems/%s/access-policy' % self.system.fqdn, session=s,
data={'rules': [
# keep two existing rules, drop the other
{'id': self.policy.rules[0].id, 'permission': 'view',
'everybody': True, 'user': None, 'group': None},
{'id': self.policy.rules[2].id, 'permission': 'edit_system',
'user': None, 'group': self.privileged_group.group_name},
# .. and add a new rule
{'permission': 'control_system', 'everybody': True,
'user': None, 'group': None},
]})
response.raise_for_status()
with session.begin():
session.expire_all()
self.assertEquals(len(self.policy.rules), 3)
self.assertEquals(self.policy.rules[0].permission,
SystemPermission.view)
self.assertEquals(self.policy.rules[1].permission,
SystemPermission.edit_system)
self.assertEquals(self.policy.rules[2].permission,
SystemPermission.control_system)
self.assertEquals(self.policy.rules[2].everybody, True)
def test_cannot_add_deleted_user_to_access_policy(self):
with session.begin():
deleted_user = data_setup.create_user()
deleted_user.removed = datetime.datetime.utcnow()
bad_rule = {'user': deleted_user.user_name, 'permission': 'edit'}
s = requests.Session()
s.post(get_server_base() + 'login',
data={
'user_name': self.owner.user_name,
'password': '******'
}).raise_for_status()
# Two different APIs for manipulating access policy rules
response = put_json(get_server_base() +
'pools/%s/access-policy/' % self.pool.name,
session=s,
data={'rules': [bad_rule]})
self.assertEqual(response.status_code, 400)
self.assertEqual(
response.text, 'Cannot add deleted user %s to access policy' %
deleted_user.user_name)
response = post_json(get_server_base() +
'pools/%s/access-policy/rules/' % self.pool.name,
session=s,
data=bad_rule)
self.assertEqual(response.status_code, 400)
self.assertEqual(
response.text, 'Cannot add deleted user %s to access policy' %
deleted_user.user_name)
def test_unprivileged_user_cannot_save_policy(self):
with session.begin():
user = data_setup.create_user(password='******')
s = requests.Session()
s.post(get_server_base() + 'login', data={'user_name': user.user_name,
'password': '******'}).raise_for_status()
response = put_json(get_server_base() +
'systems/%s/access-policy' % self.system.fqdn,
session=s, data={'rules': []})
self.assertEquals(response.status_code, 403)
def test_cannot_create_keystone_trust_if_openstack_is_disabled(self):
if config.get('openstack.identity_api_url'):
raise SkipTest('OpenStack integration is enabled')
with session.begin():
user = data_setup.create_user()
s = requests.Session()
requests_login(s)
response = put_json(get_server_base() + 'users/%s/keystone-trust' % user.user_name,
session=s, data={'openstack_username': u'dummyuser'})
self.assertEqual(response.status_code, 400)
self.assertIn('OpenStack Integration is not enabled', response.text)
def test_save_policy(self):
with session.begin():
other_user = data_setup.create_user()
other_group = data_setup.create_group()
s = requests.Session()
s.post(get_server_base() + 'login', data={'user_name': self.owner.user_name,
'password': '******'}).raise_for_status()
response = put_json(get_server_base() +
'systems/%s/access-policy' % self.system.fqdn, session=s,
data={'rules': [
# keep two existing rules, drop the other
{'id': self.policy.rules[0].id, 'permission': 'view',
'everybody': True, 'user': None, 'group': None},
{'id': self.policy.rules[2].id, 'permission': 'edit_system',
'user': None, 'group': self.privileged_group.group_name},
# .. and two new rules
{'permission': 'control_system', 'everybody': False,
'user': None, 'group': other_group.group_name},
{'permission': 'reserve', 'everybody': False,
'user': other_user.user_name, 'group': None},
]})
response.raise_for_status()
with session.begin():
session.expire_all()
self.assertEquals(len(self.policy.rules), 4)
self.assertEquals(self.policy.rules[0].permission,
SystemPermission.view)
self.assertEquals(self.policy.rules[0].everybody, True)
self.assertEquals(self.policy.rules[1].permission,
SystemPermission.edit_system)
self.assertEquals(self.policy.rules[1].group, self.privileged_group)
self.assertEquals(self.policy.rules[2].permission,
SystemPermission.control_system)
self.assertEquals(self.policy.rules[2].group, other_group)
self.assertEquals(self.policy.rules[3].permission,
SystemPermission.reserve)
self.assertEquals(self.policy.rules[3].user, other_user)
self.assertEquals(self.system.activity[0].action, u'Added')
self.assertEquals(self.system.activity[0].field_name, u'Access Policy Rule')
self.assertEquals(self.system.activity[0].new_value,
u'User:%s:reserve' % other_user.user_name)
self.assertEquals(self.system.activity[1].action, u'Added')
self.assertEquals(self.system.activity[1].field_name, u'Access Policy Rule')
self.assertEquals(self.system.activity[1].new_value,
u'Group:%s:control_system' % other_group.group_name)
self.assertEquals(self.system.activity[2].action, u'Removed')
self.assertEquals(self.system.activity[2].field_name, u'Access Policy Rule')
self.assertEquals(self.system.activity[2].old_value, u'Everybody::reserve')
def test_cant_return_sneakily(self):
with session.begin():
system = data_setup.create_system(shared=True,
status=SystemStatus.manual)
user = data_setup.create_user(password=u'password')
b = self.browser
login(b) #login as admin
b.get(get_server_base() + 'view/%s' % system.fqdn)
b.find_element_by_link_text('Take').click()
b.find_element_by_xpath('//div[contains(@class, "system-quick-usage")]'
'//span[@class="label" and text()="Reserved"]')
# Test for https://bugzilla.redhat.com/show_bug.cgi?id=747328
s = requests.Session()
requests_login(s, user.user_name, 'password')
response = put_json(get_server_base() +
'systems/%s/reservations/+current' % system.fqdn,
session=s, data=dict(finish_time='now'))
self.assertEquals(response.status_code, 403)
self.assertIn('Cannot return system', response.text)
def test_cannot_return_running_recipe(self):
with session.begin():
recipe = data_setup.create_recipe()
data_setup.create_job_for_recipes([recipe])
data_setup.mark_recipe_running(recipe)
system = recipe.resource.system
b = self.browser
login(b)
b.get(get_server_base() + 'view/%s' % system.fqdn)
# "Return" button should be absent
b.find_element_by_xpath('//div[contains(@class, "system-quick-usage")'
' and not(.//a[text()="Return"])]')
# try doing it directly
s = requests.Session()
requests_login(s)
response = put_json(get_server_base() +
'systems/%s/reservations/+current' % system.fqdn,
session=s, data=dict(finish_time='now'))
self.assertEquals(response.status_code, 400)
self.assertEquals(response.text, 'Cannot return system with running %s' % recipe.t_id)
def test_cant_return_sneakily(self):
with session.begin():
system = data_setup.create_system(shared=True,
status=SystemStatus.manual)
user = data_setup.create_user(password=u'password')
b = self.browser
login(b) #login as admin
b.get(get_server_base() + 'view/%s' % system.fqdn)
b.find_element_by_link_text('Take').click()
b.find_element_by_xpath('//div[contains(@class, "system-quick-usage")]'
'//span[@class="label" and text()="Reserved"]')
# Test for https://bugzilla.redhat.com/show_bug.cgi?id=747328
s = requests.Session()
requests_login(s, user.user_name, 'password')
response = put_json(get_server_base() +
'systems/%s/reservations/+current' % system.fqdn,
session=s, data=dict(finish_time='now'))
self.assertEquals(response.status_code, 403)
self.assertIn('Cannot return system', response.text)
def test_cannot_return_running_recipe(self):
with session.begin():
recipe = data_setup.create_recipe()
data_setup.create_job_for_recipes([recipe])
data_setup.mark_recipe_running(recipe)
system = recipe.resource.system
b = self.browser
login(b)
b.get(get_server_base() + 'view/%s' % system.fqdn)
# "Return" button should be absent
b.find_element_by_xpath('//div[contains(@class, "system-quick-usage")'
' and not(.//a[text()="Return"])]')
# try doing it directly
s = requests.Session()
requests_login(s)
response = put_json(get_server_base() +
'systems/%s/reservations/+current' % system.fqdn,
session=s, data=dict(finish_time='now'))
self.assertEquals(response.status_code, 400)
self.assertEquals(response.text, 'Cannot return system with running %s' % recipe.t_id)
def test_cannot_add_deleted_user_to_access_policy(self):
with session.begin():
deleted_user = data_setup.create_user()
deleted_user.removed = datetime.datetime.utcnow()
bad_rule = {'user': deleted_user.user_name, 'permission': 'edit'}
s = requests.Session()
s.post(get_server_base() + 'login', data={'user_name': self.owner.user_name,
'password': '******'}).raise_for_status()
# Two different APIs for manipulating access policy rules
response = put_json(get_server_base() +
'systems/%s/access-policy' % self.system.fqdn, session=s,
data={'rules': [bad_rule]})
self.assertEqual(response.status_code, 400)
self.assertEqual(response.text,
'Cannot add deleted user %s to access policy' % deleted_user.user_name)
response = post_json(get_server_base() +
'systems/%s/access-policy/rules/' % self.system.fqdn, session=s,
data=bad_rule)
self.assertEqual(response.status_code, 400)
self.assertEqual(response.text,
'Cannot add deleted user %s to access policy' % deleted_user.user_name)
def test_system_reserved_on_recipe(self):
with session.begin():
user = data_setup.create_user(password=u'password')
lc = data_setup.create_labcontroller()
system = data_setup.create_system(owner=user, lab_controller=lc)
recipe = data_setup.create_recipe(reservesys=True)
job = data_setup.create_job_for_recipes([recipe])
data_setup.mark_recipe_tasks_finished(recipe, system=system)
job.update_status()
self.assertEquals(recipe.status, TaskStatus.reserved)
s = requests.Session()
requests_login(s, user.user_name, 'password')
response = put_json(get_server_base() +
'systems/%s/reservations/+current' % system.fqdn,
session=s, data=dict(finish_time='now'))
response.raise_for_status()
with session.begin():
session.expire_all()
job.update_status()
self.assertEquals(job.status, TaskStatus.completed)
self.assertEquals(system.user, None)
def test_system_reserved_on_recipe(self):
with session.begin():
user = data_setup.create_user(password=u'password')
lc = data_setup.create_labcontroller()
system = data_setup.create_system(owner=user, lab_controller=lc)
recipe = data_setup.create_recipe(reservesys=True)
job = data_setup.create_job_for_recipes([recipe])
data_setup.mark_recipe_tasks_finished(recipe, system=system)
job.update_status()
self.assertEquals(recipe.status, TaskStatus.reserved)
s = requests.Session()
requests_login(s, user.user_name, 'password')
response = put_json(get_server_base() +
'systems/%s/reservations/+current' % system.fqdn,
session=s, data=dict(finish_time='now'))
response.raise_for_status()
with session.begin():
session.expire_all()
job.update_status()
self.assertEquals(job.status, TaskStatus.completed)
self.assertEquals(system.user, None)
def test_anonymous_cannot_save_policy(self):
response = put_json(get_server_base() +
'systems/%s/access-policy' % self.system.fqdn,
data={'rules': []})
self.assertEquals(response.status_code, 401)
