def test_access_controller(self): logging.debug('') logging.debug('test_access_controller') # Credential-to-role mapping. owner = get_credentials() controller = AccessController() self.assertEqual(controller.get_role(None), '') self.assertEqual(controller.get_role(owner), 'owner') user = Credentials() user.user = '******' self.assertEqual(controller.get_role(user), 'user') assert_raises(self, 'controller.get_role(object())', globals(), locals(), TypeError, 'credentials is not a Credentials object') # Proxy role-to-credential mapping. obj = Object() assert_raises(self, 'controller.get_proxy_credentials(obj.no_rbac, user)', globals(), locals(), RoleError, 'No RBAC for method') self.assertEqual( controller.get_proxy_credentials(obj.single_role, user), user) self.assertEqual( controller.get_proxy_credentials(obj.proxy_role, user), owner) assert_raises( self, 'controller.get_proxy_credentials(obj.proxy_other, user)', globals(), locals(), RoleError, 'No credentials for proxy role other') assert_raises(self, "controller.set_proxy_credentials('other', object())", globals(), locals(), TypeError, 'credentials is not a Credentials object') other = Credentials() other.user = '******' controller.set_proxy_credentials('other', other) self.assertEqual( controller.get_proxy_credentials(obj.proxy_other, user), other) # Attribute access. controller.check_access('user', '__getattr__', obj, 'dummy') controller.check_access('owner', '__setattr__', obj, 'dummy') assert_raises( self, "controller.check_access('user', '__delattr__', obj, 'dummy')", globals(), locals(), RoleError, "No __delattr__ access to 'dummy' by role 'user'") assert_raises( self, "controller.check_access('', '__getattr__', obj, 'dummy')", globals(), locals(), RoleError, 'No access by null role') # Attribute proxying. proxy_value = ProxyRequired() self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value)) controller.attr_proxy_required(obj, 'dummy') self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value)) controller.attr_proxy_required(obj, 'dummy', False) self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value)) controller.class_proxy_required(ProxyRequired) self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value))
def test_access_controller(self): logging.debug('') logging.debug('test_access_controller') # Credential-to-role mapping. owner = get_credentials() controller = AccessController() self.assertEqual(controller.get_role(None), '') self.assertEqual(controller.get_role(owner), 'owner') user = Credentials() user.user = '******' self.assertEqual(controller.get_role(user), 'user') assert_raises(self, 'controller.get_role(object())', globals(), locals(), TypeError, 'credentials is not a Credentials object') # Proxy role-to-credential mapping. obj = Object() assert_raises(self, 'controller.get_proxy_credentials(obj.no_rbac, user)', globals(), locals(), RoleError, 'No RBAC for method') self.assertEqual(controller.get_proxy_credentials(obj.single_role, user), user) self.assertEqual(controller.get_proxy_credentials(obj.proxy_role, user), owner) assert_raises(self, 'controller.get_proxy_credentials(obj.proxy_other, user)', globals(), locals(), RoleError, 'No credentials for proxy role other') assert_raises(self, "controller.set_proxy_credentials('other', object())", globals(), locals(), TypeError, 'credentials is not a Credentials object') other = Credentials() other.user = '******' controller.set_proxy_credentials('other', other) self.assertEqual(controller.get_proxy_credentials(obj.proxy_other, user), other) # Attribute access. controller.check_access('user', '__getattr__', obj, 'dummy') controller.check_access('owner', '__setattr__', obj, 'dummy') assert_raises(self, "controller.check_access('user', '__delattr__', obj, 'dummy')", globals(), locals(), RoleError, "No __delattr__ access to 'dummy' by role 'user'") assert_raises(self, "controller.check_access('', '__getattr__', obj, 'dummy')", globals(), locals(), RoleError, 'No access by null role') # Attribute proxying. proxy_value = ProxyRequired() self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value)) controller.attr_proxy_required(obj, 'dummy') self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value)) controller.attr_proxy_required(obj, 'dummy', False) self.assertFalse(controller.need_proxy(obj, 'dummy', proxy_value)) controller.class_proxy_required(ProxyRequired) self.assertTrue(controller.need_proxy(obj, 'dummy', proxy_value))
def test_credentials(self): logging.debug('') logging.debug('test_credentials') # Basic form. owner = Credentials() if sys.platform == 'win32' and not HAVE_PYWIN32: self.assertEqual('%s' % owner, owner.user + ' (transient)') else: self.assertEqual('%s' % owner, owner.user) # Comparison. user = Credentials() self.assertEqual(user, owner) user.user = '******' self.assertNotEqual(user, owner) self.assertNotEqual(user, 'xyzzy') # Thread storage. try: del threading.current_thread().credentials # Ensure empty. except AttributeError: pass self.assertEqual(get_credentials(), owner) # Sign/verify. encoded = owner.encode() Credentials.verify(encoded, allowed_users=None) # 'First sighting'. Credentials.verify(encoded, allowed_users=None) # Cached verification. data, signature, client_creds = encoded encoded = (data[:1], signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid data') encoded = (data[:-1], signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid signature') encoded = (data, signature[:-1], client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid signature') newline = data.find('\n') # .user newline = data.find('\n', newline + 1) # .transient # Expecting '-' mangled = data[:newline + 1] + '*' + data[newline + 2:] encoded = (mangled, signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid key') # Detect mismatched key. get_key_pair(owner.user, overwrite_cache=True) spook = Credentials() encoded = spook.encode() assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Public key mismatch') # Check if remote access. self.assertFalse(remote_access())
def test_credentials(self): logging.debug('') logging.debug('test_credentials') # Basic form. owner = Credentials() if sys.platform == 'win32' and not HAVE_PYWIN32: self.assertEqual('%s' % owner, owner.user+' (transient)') else: self.assertEqual('%s' % owner, owner.user) # Comparison. user = Credentials() self.assertEqual(user, owner) user.user = '******' self.assertNotEqual(user, owner) self.assertNotEqual(user, 'xyzzy') # Thread storage. try: del threading.current_thread().credentials # Ensure empty. except AttributeError: pass self.assertEqual(get_credentials(), owner) # Sign/verify. encoded = owner.encode() Credentials.verify(encoded, allowed_users=None) # 'First sighting'. Credentials.verify(encoded, allowed_users=None) # Cached verification. data, signature, client_creds = encoded encoded = (data[:1], signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid data') encoded = (data[:-1], signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid signature') encoded = (data, signature[:-1], client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid signature') newline = data.find('\n') # .user newline = data.find('\n', newline+1) # .transient # Expecting '-' mangled = data[:newline+1] + '*' + data[newline+2:] encoded = (mangled, signature, client_creds) assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Invalid key') # Detect mismatched key. get_key_pair(owner.user, overwrite_cache=True) spook = Credentials() encoded = spook.encode() assert_raises(self, 'Credentials.verify(encoded, None)', globals(), locals(), CredentialsError, 'Public key mismatch') # Check if remote access. self.assertFalse(remote_access())