def test_rule_match_suppress_open_access(self):
    """A matched rule's ACL replaces the default access instead of extending it.

    The rule grants full permissions to one principal; the resulting ACL must
    contain that ACE and must not contain the default-access ACE.
    """
    subject = Principal("foobar", "foobar")
    self.policy.add_rule(
        lambda policy, path: [make_ace(subject.get_token(), all=True)])
    resolved = yield self.policy("/random")
    # The rule's ACE is present...
    self.assertIn(make_ace(subject.get_token(), all=True), resolved)
    # ...and the default-access ACE has been suppressed.
    self.assertNotIn(make_ace("auth", "world", all=True), resolved)
def test_rule_match_suppress_open_access(self):
    """When a rule yields an ACL, the default access ACE must not be added.

    Registers a rule granting full perms to a single principal and checks
    that only that ACE (not the default-access ACE) ends up in the result.
    """
    subject = Principal("foobar", "foobar")

    def rule(policy, path):
        return [make_ace(subject.get_token(), all=True)]

    self.policy.add_rule(rule)
    resolved = yield self.policy("/random")
    self.assertIn(make_ace(subject.get_token(), all=True), resolved)
    # A matched rule suppresses the default-access ACE.
    self.assertNotIn(make_ace("auth", "world", all=True), resolved)
def test_rule_that_returns_deferred(self):
    """A rule may return a Deferred (e.g. after extra lookups) instead of a list.

    The policy must resolve the Deferred and treat its value as the rule's
    ACL; the default-access ACE is still suppressed.
    """
    subject = Principal("foobar", "foobar")
    self.policy.add_rule(
        lambda policy, path: succeed(
            [make_ace(subject.get_token(), all=True)]))
    resolved = yield self.policy("/random")
    # Rule ACE is honoured even though it arrived via a Deferred.
    self.assertIn(make_ace(subject.get_token(), all=True), resolved)
    # No default access once a rule has matched.
    self.assertNotIn(make_ace("auth", "world", all=True), resolved)
def test_rule_that_returns_deferred(self):
    """Rules that return a Deferred are resolved before the ACL is assembled.

    The rule wraps its ACL in ``succeed``; the resolved value must appear in
    the final ACL and the default-access ACE must be absent.
    """
    subject = Principal("foobar", "foobar")

    def deferred_rule(policy, path):
        return succeed([make_ace(subject.get_token(), all=True)])

    self.policy.add_rule(deferred_rule)
    resolved = yield self.policy("/random")
    self.assertIn(make_ace(subject.get_token(), all=True), resolved)
    # Default access is suppressed by the matched rule.
    self.assertNotIn(make_ace("auth", "world", all=True), resolved)
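def test_remove(self):
    """Remove a principal from the token database and inspect the stored node.

    The node content is parsed with ``yaml.safe_load``: the document is plain
    mappings and scalars, and ``yaml.load`` without an explicit Loader is
    unsafe on arbitrary content and is rejected by PyYAML >= 6.
    """
    principal = Principal("zebra", "zoo")
    yield self.db.add(principal)
    yield self.db.remove(principal)
    content, stat = yield self.client.get("/token-test")
    data = yaml.safe_load(content)
    # NOTE(review): the expected mapping still lists the principal that was
    # just removed; confirm against TokenDatabase.remove whether this is the
    # intended post-removal state or the assertion should be inverted.
    self.assertEqual(data, {"zebra": principal.get_token()})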
def test_owner_ace(self):
    """Once an owner is set, every resolved ACL carries an all-perms owner ACE."""
    owner_principal = Principal("john", "doe")
    self.policy.set_owner(owner_principal)
    resolved = yield self.policy("/random")
    expected = make_ace(owner_principal.get_token(), all=True)
    self.assertIn(expected, resolved)
def test_add_member(self):
    """Adding a member appends a read ACE for that member to the group node.

    Adding the same member a second time must not raise.
    """
    group_principal = GroupPrincipal(self.client, "/group-a")
    yield group_principal.create("group/a", "zebra")
    member = Principal("aladdin", "genie")
    yield group_principal.add_member(member)
    node_acl, stat = yield self.client.get_acl("/group-a")
    # The first ACE belongs to the group itself; the member follows it.
    self.assertEqual(
        node_acl[1:], [make_ace(member.get_token(), read=True)])
    # Idempotent: re-adding an existing member is accepted.
    yield group_principal.add_member(member)
def test_add_member(self):
    """A new member gets a read ACE on the group node; re-adding is a no-op."""
    group_principal = GroupPrincipal(self.client, "/group-a")
    yield group_principal.create("group/a", "zebra")
    member = Principal("aladdin", "genie")
    yield group_principal.add_member(member)
    node_acl, stat = yield self.client.get_acl("/group-a")
    expected_member_aces = [make_ace(member.get_token(), read=True)]
    # Skip the leading ACE (the group's own) and compare the rest.
    self.assertEqual(node_acl[1:], expected_member_aces)
    # Adding a member that is already present must not fail.
    yield group_principal.add_member(member)
def test_prohibit(self):
    """Prohibiting a principal strips its ACE and leaves the others intact."""
    zebra = Principal("zebra", "stripes")
    yield self.tokens.add(zebra)
    admin_ace = make_ace(self.admin.get_token(), all=True)
    path = yield self.client.create(
        "/abc",
        acls=[admin_ace, make_ace(zebra.get_token(), write=True)])
    node_acl = ACL(self.client, path)
    yield node_acl.prohibit("zebra")
    stored_acl, stat = yield self.client.get_acl(path)
    # Only the admin ACE should remain.
    self.assertEqual(stored_acl, [admin_ace])
def test_prohibit(self):
    """After ``prohibit``, the named principal's ACE is gone from the node ACL."""
    zebra = Principal("zebra", "stripes")
    yield self.tokens.add(zebra)
    initial_acl = [
        make_ace(self.admin.get_token(), all=True),
        make_ace(zebra.get_token(), write=True),
    ]
    path = yield self.client.create("/abc", acls=initial_acl)
    node_acl = ACL(self.client, path)
    yield node_acl.prohibit("zebra")
    stored_acl, stat = yield self.client.get_acl(path)
    self.assertEqual(
        stored_acl, [make_ace(self.admin.get_token(), all=True)])
class ACLTest(TestCase):
    """Integration tests for ``ACL`` against a live ZooKeeper connection."""

    @inlineCallbacks
    def setUp(self):
        """Connect, seed the token database with an admin, and attach it."""
        zookeeper.set_debug_level(0)
        self.client = yield self.get_zookeeper_client().connect()
        self.tokens = TokenDatabase(self.client)
        self.admin = Principal("admin", "admin")
        yield self.tokens.add(self.admin)
        self.policy = SecurityPolicy(self.client, self.tokens)
        attach_deferred = self.admin.attach(self.client)
        # Deliberately not yielded: presumably the attach only completes once
        # a request is in flight — confirm against Principal.attach.
        self.client.exists("/")
        yield attach_deferred

    def tearDown(self):
        """Wipe the test tree and drop the connection."""
        deleteTree(handle=self.client.handle)
        self.client.close()

    @inlineCallbacks
    def test_acl_on_non_existant_node(self):
        """Granting on a node that does not exist raises StateNotFound."""
        missing = ACL(self.client, "abc")
        yield self.assertFailure(
            missing.grant("admin", all=True), StateNotFound)

    @inlineCallbacks
    def test_acl_without_admin(self):
        """Setting an ACL requires an attached principal with the admin perm."""
        other_client = yield self.get_zookeeper_client().connect()
        zebra = Principal("zebra", "stripes")
        yield self.tokens.add(zebra)
        attach_deferred = zebra.attach(other_client)
        # The node is owned by admin only; zebra has no perms on it.
        yield self.client.create(
            "/abc", acls=[make_ace(self.admin.get_token(), all=True)])
        yield attach_deferred
        node_acl = ACL(other_client, "/abc")
        yield self.assertFailure(
            node_acl.grant("zebra", all=True), zookeeper.NoAuthException)

    @inlineCallbacks
    def test_grant(self):
        """``grant`` appends the principal's ACE after the existing ACL."""
        path = yield self.client.create("/abc")
        node_acl = ACL(self.client, path)
        yield node_acl.grant("admin", all=True)
        stored_acl, stat = yield self.client.get_acl(path)
        expected = [
            ZOO_OPEN_ACL_UNSAFE,
            make_ace(self.admin.get_token(), all=True),
        ]
        self.assertEqual(stored_acl, expected)

    @inlineCallbacks
    def test_grant_additive(self):
        """Successive grants for one principal accumulate into a single ACE."""
        path = yield self.client.create("/abc")
        node_acl = ACL(self.client, "/abc")
        yield node_acl.grant("admin", read=True)
        yield node_acl.grant("admin", write=True)
        # Only the perms bitmask is compared; the id is irrelevant here.
        reference = make_ace(":", read=True, write=True)
        stored_acl, stat = yield self.client.get_acl(path)
        self.assertEqual(stored_acl[-1]["perms"], reference["perms"])

    @inlineCallbacks
    def test_grant_not_in_token_database(self):
        """Granting to an unknown principal raises PrincipalNotFound."""
        path = yield self.client.create("/abc")
        node_acl = ACL(self.client, path)
        yield self.assertFailure(node_acl.grant("zebra"), PrincipalNotFound)
@inlineCallbacks
def test_prohibit(self):
    """``prohibit`` removes the named principal's ACE from the node."""
    zebra = Principal("zebra", "stripes")
    yield self.tokens.add(zebra)
    admin_ace = make_ace(self.admin.get_token(), all=True)
    path = yield self.client.create(
        "/abc", acls=[admin_ace, make_ace(zebra.get_token(), write=True)])
    node_acl = ACL(self.client, path)
    yield node_acl.prohibit("zebra")
    stored_acl, stat = yield self.client.get_acl(path)
    self.assertEqual(stored_acl, [admin_ace])


@inlineCallbacks
def test_prohibit_non_existant_node(self):
    """Prohibiting on a missing node raises StateNotFound."""
    missing = ACL(self.client, "/abc")
    yield self.assertFailure(missing.prohibit("zebra"), StateNotFound)


@inlineCallbacks
def test_prohibit_not_in_acl(self):
    """Prohibiting a principal that has no ACE is accepted and changes nothing."""
    zebra = Principal("zebra", "stripes")
    yield self.tokens.add(zebra)
    admin_ace = make_ace(self.admin.get_token(), all=True)
    path = yield self.client.create("/abc", acls=[admin_ace])
    node_acl = ACL(self.client, path)
    # The end state is identical either way, so no error is raised.
    yield node_acl.prohibit("zebra")
    stored_acl, stat = yield self.client.get_acl(path)
    self.assertEqual(stored_acl, [admin_ace])
def test_get(self):
    """``get`` by principal name returns the token stored by ``add``."""
    zebra = Principal("zebra", "zoo")
    yield self.db.add(zebra)
    stored_token = yield self.db.get(zebra.name)
    self.assertEqual(stored_token, zebra.get_token())
def test_get_token(self):
    """A Principal's token is ``make_identity`` of ``"<name>:<password>"``."""
    subject = Principal("foobar", "secret")
    expected = make_identity("foobar:secret")
    self.assertEqual(subject.get_token(), expected)
class ACLTest(TestCase):
    """Exercises ``ACL.grant`` against a real ZooKeeper server."""

    @inlineCallbacks
    def setUp(self):
        """Open a client, register an admin token and attach it."""
        zookeeper.set_debug_level(0)
        self.client = yield self.get_zookeeper_client().connect()
        self.tokens = TokenDatabase(self.client)
        self.admin = Principal("admin", "admin")
        yield self.tokens.add(self.admin)
        self.policy = SecurityPolicy(self.client, self.tokens)
        attach_deferred = self.admin.attach(self.client)
        # Not yielded on purpose; the attach presumably needs a request in
        # flight to complete — confirm against Principal.attach.
        self.client.exists("/")
        yield attach_deferred

    def tearDown(self):
        """Remove everything the test created and close the connection."""
        deleteTree(handle=self.client.handle)
        self.client.close()

    @inlineCallbacks
    def test_acl_on_non_existant_node(self):
        """``grant`` on a nonexistent node fails with StateNotFound."""
        missing = ACL(self.client, "abc")
        yield self.assertFailure(
            missing.grant("admin", all=True), StateNotFound)

    @inlineCallbacks
    def test_acl_without_admin(self):
        """Without the admin perm on the node, ``grant`` is refused by ZooKeeper."""
        other_client = yield self.get_zookeeper_client().connect()
        zebra = Principal("zebra", "stripes")
        yield self.tokens.add(zebra)
        attach_deferred = zebra.attach(other_client)
        yield self.client.create(
            "/abc", acls=[make_ace(self.admin.get_token(), all=True)])
        yield attach_deferred
        node_acl = ACL(other_client, "/abc")
        yield self.assertFailure(
            node_acl.grant("zebra", all=True), zookeeper.NoAuthException)

    @inlineCallbacks
    def test_grant(self):
        """The granted ACE is appended after the node's existing open ACE."""
        path = yield self.client.create("/abc")
        node_acl = ACL(self.client, path)
        yield node_acl.grant("admin", all=True)
        stored_acl, stat = yield self.client.get_acl(path)
        self.assertEqual(
            stored_acl,
            [ZOO_OPEN_ACL_UNSAFE,
             make_ace(self.admin.get_token(), all=True)])

    @inlineCallbacks
    def test_grant_additive(self):
        """Two grants for the same principal merge into one ACE's perms."""
        path = yield self.client.create("/abc")
        node_acl = ACL(self.client, "/abc")
        yield node_acl.grant("admin", read=True)
        yield node_acl.grant("admin", write=True)
        stored_acl, stat = yield self.client.get_acl(path)
        # Compare perms only; the id used for the reference ACE is arbitrary.
        reference = make_ace(":", read=True, write=True)
        self.assertEqual(stored_acl[-1]["perms"], reference["perms"])

    @inlineCallbacks
    def test_grant_not_in_token_database(self):
        """``grant`` for a name missing from the token database fails."""
        path = yield self.client.create("/abc")
        node_acl = ACL(self.client, path)
        yield self.assertFailure(node_acl.grant("zebra"), PrincipalNotFound)
@inlineCallbacks
def test_prohibit(self):
    """Only the prohibited principal's ACE is dropped; others are kept."""
    zebra = Principal("zebra", "stripes")
    yield self.tokens.add(zebra)
    initial_acl = [
        make_ace(self.admin.get_token(), all=True),
        make_ace(zebra.get_token(), write=True),
    ]
    path = yield self.client.create("/abc", acls=initial_acl)
    node_acl = ACL(self.client, path)
    yield node_acl.prohibit("zebra")
    stored_acl, stat = yield self.client.get_acl(path)
    self.assertEqual(
        stored_acl, [make_ace(self.admin.get_token(), all=True)])


@inlineCallbacks
def test_prohibit_non_existant_node(self):
    """``prohibit`` on a node that does not exist raises StateNotFound."""
    missing = ACL(self.client, "/abc")
    yield self.assertFailure(missing.prohibit("zebra"), StateNotFound)


@inlineCallbacks
def test_prohibit_not_in_acl(self):
    """``prohibit`` for a principal absent from the ACL succeeds unchanged."""
    zebra = Principal("zebra", "stripes")
    yield self.tokens.add(zebra)
    path = yield self.client.create(
        "/abc", acls=[make_ace(self.admin.get_token(), all=True)])
    node_acl = ACL(self.client, path)
    # Same resulting state as if the ACE had been present and removed.
    yield node_acl.prohibit("zebra")
    stored_acl, stat = yield self.client.get_acl(path)
    self.assertEqual(
        stored_acl, [make_ace(self.admin.get_token(), all=True)])