Example #1
0
def test_child_role_deletion(acl):
    # create unrelated parent and child
    acl.add_role('unrelated')
    acl.add_role('unrelated', ['spawn'])
    acl.allow('unrelated', 'view', 'news')
    assert 'unrelated' in str(acl._children)
    assert 'spawn' in str(acl._children)

    # create parent and child, that we care about
    acl.add_role('daddy')
    acl.allow('daddy', 'view', 'news')
    assert 'daddy' not in str(acl._children)
    acl.add_role('kiddo', ['daddy'])
    assert 'daddy' in str(acl._children)
    assert 'kiddo' in str(acl._children)
    assert acl.is_allowed('kiddo', 'view', 'news')

    # ensure we can't delete a father who has a dependent child
    with pytest.raises(AssertionError):
        acl.delete_role('daddy')

    # delete child role
    acl.delete_role('kiddo')
    assert 'kiddo' not in str(acl._children)
    assert acl.is_allowed('daddy', 'view', 'news')

    # ensure we CAN delete a father with no dependent children
    acl.delete_role('daddy')
    with pytest.raises(AssertionError):
        acl.is_allowed('daddy', 'view', 'news')

    # make sure those unrelated father and child remain
    assert 'unrelated' in str(acl._children)
    assert 'spawn' in str(acl._children)
Example #2
0
def test_remove_allow(acl):
    only_default_allowed = dict(acl._allowed)
    acl.allow('writer', 'new', 'news')
    allowed_after_allowing_writer = dict(acl._allowed)
    assert only_default_allowed != allowed_after_allowing_writer
    assert acl.is_allowed('writer', 'new', 'news')

    acl.remove_allow('writer', 'new', 'news')
    allowed_after_removing_allowing_writer = dict(acl._allowed)
    assert allowed_after_removing_allowing_writer == only_default_allowed
    assert not acl.is_allowed('writer', 'new', 'news')
Example #3
0
def test_remove_deny(acl):
    acl.add_role('spy')
    only_default_denied = dict(acl._denied)
    acl.deny('spy', 'view', 'news')
    denied_after_denying_spy = dict(acl._denied)
    assert only_default_denied != denied_after_denying_spy
    assert not acl.is_allowed('spy', 'view', 'news')

    acl.remove_deny('spy', 'view', 'news')
    denied_after_removing_deny_spy = dict(acl._denied)
    assert denied_after_removing_deny_spy == only_default_denied
    assert not acl.is_allowed('spy', 'view',
                              'news')  # this should still not be allowed
Example #4
0
def test_undefined(acl):
    # test denied undefined rule
    roles = ['user', 'actived_user', 'writer', 'manager', 'editor']

    for resource in ['comment', 'post', 'news', 'infor', 'event']:
        for role in roles:
            assert not acl.is_allowed(role, 'x', resource)
            assert not acl.is_allowed(role, '', resource)
            assert not acl.is_allowed(role, None, resource)
        assert not acl.is_any_allowed(roles, 'x', resource)
        assert not acl.is_any_allowed(roles, '', resource)
        assert not acl.is_any_allowed(roles, None, resource)

    # test `None` defined rule
    for resource in ['comment', 'post', 'news', 'infor', 'event', None]:
        for op in ['undefined', 'x', '', None]:
            assert acl.is_allowed('super', op, resource)
Example #5
0
def test_undefined(acl):
    # test denied undefined rule
    roles = ['user', 'actived_user', 'writer', 'manager', 'editor']

    for resource in ['comment', 'post', 'news', 'infor', 'event']:
        for role in roles:
            assert not acl.is_allowed(role, 'x', resource)
            assert not acl.is_allowed(role, '', resource)
            assert not acl.is_allowed(role, None, resource)
        assert not acl.is_any_allowed(roles, 'x', resource)
        assert not acl.is_any_allowed(roles, '', resource)
        assert not acl.is_any_allowed(roles, None, resource)

    # test `None` defined rule
    for resource in ['comment', 'post', 'news', 'infor', 'event', None]:
        for op in ['undefined', 'x', '', None]:
            assert acl.is_allowed('super', op, resource)
Example #6
0
def test_assertion(acl):
    # set up assertion
    db = {'newsid': 1}

    def check(acl, role, operation, resource):
        return db['newsid'] == 10

    assertion = check

    # set up rules
    acl.add_role('writer2', parents=['writer'])
    acl.allow('writer', 'edit', 'news', assertion)
    acl.allow('manager', 'edit', 'news')

    # test while assertion is invalid
    assert not acl.is_allowed('writer', 'edit', 'news')
    assert not acl.is_allowed('writer2', 'edit', 'news')
    assert acl.is_allowed('manager', 'edit', 'news')
    assert acl.is_allowed('editor', 'edit', 'news')

    # test while assertion is valid
    db['newsid'] = 10
    assert acl.is_allowed('writer', 'edit', 'news')
    assert acl.is_allowed('editor', 'edit', 'news')
    assert acl.is_allowed('manager', 'edit', 'news')
Example #7
0
def test_assertion(acl):
    # set up assertion
    db = {'newsid': 1}

    def check(acl, role, operation, resource):
        return db['newsid'] == 10

    assertion = check

    # set up rules
    acl.add_role('writer2', parents=['writer'])
    acl.allow('writer', 'edit', 'news', assertion)
    acl.allow('manager', 'edit', 'news')

    # test while assertion is invalid
    assert not acl.is_allowed('writer', 'edit', 'news')
    assert not acl.is_allowed('writer2', 'edit', 'news')
    assert acl.is_allowed('manager', 'edit', 'news')
    assert acl.is_allowed('editor', 'edit', 'news')

    # test while assertion is valid
    db['newsid'] = 10
    assert acl.is_allowed('writer', 'edit', 'news')
    assert acl.is_allowed('editor', 'edit', 'news')
    assert acl.is_allowed('manager', 'edit', 'news')
Example #8
0
def test_delete_role_with_child_roles_fails(acl):
    acl.add_role('nonspy')  # our control who should remain unaffected
    acl.allow('nonspy', 'view', 'news')
    acl.deny('nonspy', 'edit', 'news')

    acl.add_role('spy')
    acl.add_role('childspy', ['spy'])  # should prevent deletion
    acl.allow('spy', 'view', 'news')
    acl.deny('spy', 'edit', 'news')
    assert acl.is_allowed('spy', 'view', 'news')
    assert not acl.is_allowed('spy', 'edit', 'news')

    # as it has a child role it should assert
    with pytest.raises(AssertionError):
        acl.delete_role('spy')

    # nonspy should be unaffected by all this
    assert acl.is_allowed('nonspy', 'view', 'news')
    assert not acl.is_allowed('nonspy', 'edit', 'news')
Example #9
0
def test_deny(acl):
    # add allowed rule and denied rule
    acl.allow('actived_user', 'new', 'comment')
    acl.deny('manager', 'new', 'comment')

    # test allowed rules
    roles = ['actived_user', 'writer']

    for role in roles:
        assert acl.is_allowed(role, 'new', 'comment')

    assert acl.is_any_allowed(roles, 'new', 'comment')

    # test denied rules
    roles = ['manager', 'editor']

    for role in roles:
        assert not acl.is_allowed(role, 'new', 'comment')

    assert not acl.is_any_allowed(roles, 'new', 'comment')
Example #10
0
def test_deny(acl):
    # add allowed rule and denied rule
    acl.allow('actived_user', 'new', 'comment')
    acl.deny('manager', 'new', 'comment')

    # test allowed rules
    roles = ['actived_user', 'writer']

    for role in roles:
        assert acl.is_allowed(role, 'new', 'comment')

    assert acl.is_any_allowed(roles, 'new', 'comment')

    # test denied rules
    roles = ['manager', 'editor']

    for role in roles:
        assert not acl.is_allowed(role, 'new', 'comment')

    assert not acl.is_any_allowed(roles, 'new', 'comment')
Example #11
0
def test_delete_role(acl):
    acl.add_role('nonspy')  # our control who should remain unaffected
    acl.allow('nonspy', 'view', 'news')
    acl.deny('nonspy', 'edit', 'news')

    acl.add_role('spy')
    acl.allow('spy', 'view', 'news')
    acl.deny('spy', 'edit', 'news')
    assert acl.is_allowed('spy', 'view', 'news')
    assert not acl.is_allowed('spy', 'edit', 'news')

    # oh no! we found a spy! remove them!
    acl.delete_role('spy')

    # as the role no longer exists it should raise an assertion
    with pytest.raises(AssertionError):
        assert not acl.is_allowed('spy', 'view', 'news')
    with pytest.raises(AssertionError):
        assert not acl.is_allowed('spy', 'edit', 'news')

    # as an extra check let's make sure we don't see any orphaned
    # rules for 'spy' in _allowed or _denied
    for rule_list in (acl._allowed, acl._denied):
        for rule in rule_list:
            assert rule[0] != 'spy'

    # nonspy should be unaffected by all this
    assert acl.is_allowed('nonspy', 'view', 'news')
    assert not acl.is_allowed('nonspy', 'edit', 'news')
Example #12
0
def test_allow(acl):
    # add allowed rules
    acl.allow('actived_user', 'view', 'news')
    acl.allow('writer', 'new', 'news')

    # test 'view' operation
    roles = ['actived_user', 'writer', 'manager', 'editor']

    for role in roles:
        for resource in ['news', 'event']:
            assert acl.is_allowed(role, 'view', resource)
        for resource in ['post', 'infor']:
            assert not acl.is_allowed(role, 'view', resource)

    for resource in ['news', 'event']:
        assert acl.is_any_allowed(roles, 'view', resource)
    for resource in ['post', 'infor']:
        assert not acl.is_any_allowed(roles, 'view', resource)

    for resource in ['post', 'news', 'infor', 'event']:
        assert not acl.is_allowed('user', 'view', resource)
        assert acl.is_allowed('super', 'view', resource)
        assert acl.is_allowed('super', 'new', resource)
        assert acl.is_any_allowed(['user', 'super'], 'view', resource)

    # test 'new' operation
    roles = ['writer', 'editor']

    for role in roles:
        for resource in ['news', 'event']:
            assert acl.is_allowed(role, 'new', resource)
        for resource in ['post', 'infor']:
            assert not acl.is_allowed(role, 'new', resource)

    for resource in ['news', 'event']:
        assert acl.is_any_allowed(roles, 'new', resource)
    for resource in ['post', 'infor']:
        assert not acl.is_any_allowed(roles, 'new', resource)

    roles = ['user', 'manager']

    for role in roles:
        for resource in ['news', 'event', 'post', 'infor']:
            assert not acl.is_allowed(role, 'new', resource)
    for resource in ['news', 'event', 'post', 'infor']:
        assert not acl.is_any_allowed(roles, 'new', resource)
Example #13
0
def test_allow(acl):
    # add allowed rules
    acl.allow('actived_user', 'view', 'news')
    acl.allow('writer', 'new', 'news')

    # test 'view' operation
    roles = ['actived_user', 'writer', 'manager', 'editor']

    for role in roles:
        for resource in ['news', 'event']:
            assert acl.is_allowed(role, 'view', resource)
        for resource in ['post', 'infor']:
            assert not acl.is_allowed(role, 'view', resource)

    for resource in ['news', 'event']:
        assert acl.is_any_allowed(roles, 'view', resource)
    for resource in ['post', 'infor']:
        assert not acl.is_any_allowed(roles, 'view', resource)

    for resource in ['post', 'news', 'infor', 'event']:
        assert not acl.is_allowed('user', 'view', resource)
        assert acl.is_allowed('super', 'view', resource)
        assert acl.is_allowed('super', 'new', resource)
        assert acl.is_any_allowed(['user', 'super'], 'view', resource)

    # test 'new' operation
    roles = ['writer', 'editor']

    for role in roles:
        for resource in ['news', 'event']:
            assert acl.is_allowed(role, 'new', resource)
        for resource in ['post', 'infor']:
            assert not acl.is_allowed(role, 'new', resource)

    for resource in ['news', 'event']:
        assert acl.is_any_allowed(roles, 'new', resource)
    for resource in ['post', 'infor']:
        assert not acl.is_any_allowed(roles, 'new', resource)

    roles = ['user', 'manager']

    for role in roles:
        for resource in ['news', 'event', 'post', 'infor']:
            assert not acl.is_allowed(role, 'new', resource)
    for resource in ['news', 'event', 'post', 'infor']:
        assert not acl.is_any_allowed(roles, 'new', resource)
    def get(self, request, action, *args, **kwargs):

        acl = rbac.acl.Registry()
        if action == 'generate-roles':
            print 'Generating roles...'
            acl.add_role("InternUsers")
            print "\t Added Role: InternUsers"
            acl.add_role("Directors",["InternUsers"])
            print "\t Added Role: Directors"
            acl.add_role("Writers",["InternUsers"])
            print "\t Added Role: Writers"
            acl.add_role("Auditors",["InternUsers"])
            print "\t Added Role: Auditors"
            acl.add_role("ExternUsers")
            print "\t Added Role: ExternUsers"
            print "\t\t[Done]"
            #TODO [POM] Agregar usuarios creados a roles como hojas del arbol

        elif action == 'generate-resources':
            print 'Generating resources...'
            acl.add_resource("noticia")
            print "\t Added Resource: Noticia"
            noticias = Noticia.objects.all()
            for noticia in noticias:
                acl.add_resource("noticia-"+noticia.title, ["noticia"])
                print "\t Added Resource: noticia-%s" % noticia.title
            print "\t\t[Done]"


        elif action == 'generate-rules':
            print 'Generating rules...'
            acl.allow("InternUsers","read","noticia")
            print "\tInternUsers can read noticia"
            acl.allow("Writers","write","noticia")
            print "\tWriters can write noticia"
            acl.allow("Auditors","update","noticia")
            print "\tAuditors can update noticia"
            acl.allow("Auditors","delete","noticia")
            print "\tAuditors can delete noticia"

            acl.deny("ExternUsers","write","noticia")
            print "\tExternUsers can not write noticia"
            acl.deny("ExternUsers","update","noticia")
            print "\tExternUsers can not update noticia"
            acl.deny("ExternUsers","delete","noticia")
            print "\tExternUsers can not delete noticia"

            print "\t\t[Done]"
            #TODO [POM] Permitir a usuarios que compartan la misma revista, que compartan el mismo permiso

        elif action == 'test-onthefly':
            print 'Generating roles...'
            acl.add_role("InternUsers")
            print "\t Added Role: InternUsers"
            acl.add_role("Directors",["InternUsers"])
            print "\t Added Role: Directors"
            acl.add_role("Writers",["InternUsers"])
            print "\t Added Role: Writers"
            acl.add_role("Auditors",["InternUsers"])
            print "\t Added Role: Auditors"
            acl.add_role("ExternUsers")
            print "\t Added Role: ExternUsers"
            print "\t\t[Done]"


            print 'Generating resources...'
            acl.add_resource("noticia")
            print "\t Added Resource: Noticia"
            noticias = Noticia.objects.all()
            for noticia in noticias:
                acl.add_resource("noticia-"+noticia.title, ["noticia"])
                print "\t Added Resource: noticia-%s" % noticia.title
            print "\t\t[Done]"

            print 'Generating rules...'
            acl.allow("InternUsers","read","noticia")
            print "\tInternUsers can read noticia"
            acl.allow("Writers","write","noticia")
            print "\tWriters can write noticia"
            acl.allow("Auditors","update","noticia")
            print "\tAuditors can update noticia"
            acl.allow("Auditors","delete","noticia")
            print "\tAuditors can delete noticia"

            acl.deny("ExternUsers","write","noticia")
            print "\tExternUsers can not write noticia"
            acl.deny("ExternUsers","update","noticia")
            print "\tExternUsers can not update noticia"
            acl.deny("ExternUsers","delete","noticia")
            print "\tExternUsers can not delete noticia"

            print "\t\t[Done]"

            if acl.is_allowed("Auditors","write","noticia"):
                print "Auditors can write noticia"
            else:
                print "Auditors can not write noticia"

        else:
            print 'Command unknown.'

        return super(RoleManager,self).get(self,request,*args,**kwargs)
Example #15
0
# set rules
acl.allow("viewer", "access", "register")
acl.allow("viewer", "access", "user_login")
acl.allow("user", "access", "user_search")
acl.allow("user", "access", "make_transaction")
acl.allow("user", "access", "user_profile_view")
acl.allow("user", "access", "user_profile")
acl.allow("user", "access", "show_notification")
acl.allow("user", "access", "delete_account")
acl.allow("user", "access", "add_notification")
acl.allow("user", "access", "move_notification")
acl.allow("user", "access", "logout")

if (__name__ == "__main__"):
    # use acl to check permission
    if acl.is_allowed("viewer", "access", "register"):
        print("Viewer can access register.")
    else:
        print("Viewer cannnot access register.")

    # use acl to check permission
    if acl.is_allowed("viewer", "access", "user_search"):
        print("Viewer can access user_search.")
    else:
        print("Viewer cannnot access user_search.")

    # use acl to check permission again
    if acl.is_allowed("user", "access", "user_search"):
        print("user can access user_search.")
    else:
        print("user cannnot access user_search.")
Example #16
0
# -*- coding: utf-8 -*-
# __author__: musibii
# __file__  : test1.py
# __time__  : 2020/4/29 11:05 上午

import rbac.acl
acl = rbac.acl.Registry()

acl.add_role()
acl.add_resource(acl)

acl.allow()
acl.deny()

acl.is_allowed()
Example #17
0
# create access control list
acl = rbac.acl.Registry()

# add roles
acl.add_role("member")
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])

# add resources
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])

# set rules
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")

# use acl to check permission
if acl.is_allowed("student", "view", "course"):
    print("Students chould view courses.")
else:
    print("Students chould not view courses.")

# use acl to check permission again
if acl.is_allowed("junior-student", "learn", "senior-course"):
    print("Junior students chould learn senior courses.")
else:
    print("Junior students chould not learn senior courses.")
Example #18
0
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])

# add resources
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])

# set rules
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")

# use acl to check permission
if acl.is_allowed("student", "view", "course"):
    print("Students chould view courses.")
else:
    print("Students chould not view courses.")

# use acl to check permission again
if acl.is_allowed("junior-student", "learn", "senior-course"):
    print("Junior students chould learn senior courses.")
else:
    print("Junior students chould not learn senior courses.")

########NEW FILE########
__FILENAME__ = context
#!/usr/bin/env python
#-*- coding:utf-8 -*-