def setUp(self):
    """Seed the users, roles and role assignments the webhook RBAC tests rely on.

    Two single-purpose principals are created so that each permission can be
    exercised in isolation:

    * ``webhook_list`` holds only WEBHOOK_LIST, granted with
      ``resource_uid=None`` (presumably a grant that is not tied to one
      webhook - confirm against the RBAC resolver).
    * ``webhook_view`` holds only WEBHOOK_VIEW, scoped to the UID of the
      ``git`` webhook.
    """
    super(WebhookControllerRBACTestCase, self).setUp()

    # Users: one per permission under test, named after the role they get.
    for user_name in ('webhook_list', 'webhook_view'):
        self.users[user_name] = User.add_or_update(UserDB(name=user_name))

    # Role "webhook_list": list permission only, no resource UID on the grant.
    list_grant_db = PermissionGrant.add_or_update(PermissionGrantDB(
        resource_uid=None,
        resource_type=ResourceType.WEBHOOK,
        permission_types=[PermissionType.WEBHOOK_LIST]))
    self.roles['webhook_list'] = Role.add_or_update(
        RoleDB(name='webhook_list', permission_grants=[str(list_grant_db.id)]))

    # Role "webhook_view": view permission on the "git" webhook only.
    # The WebhookDB object is built just to derive the UID; it is not saved here.
    git_webhook_uid = WebhookDB(name='git').get_uid()
    view_grant_db = PermissionGrant.add_or_update(PermissionGrantDB(
        resource_uid=git_webhook_uid,
        resource_type=ResourceType.WEBHOOK,
        permission_types=[PermissionType.WEBHOOK_VIEW]))
    self.roles['webhook_view'] = Role.add_or_update(
        RoleDB(name='webhook_view', permission_grants=[str(view_grant_db.id)]))

    # Role assignments: bind each user to the role of the same name, so no
    # user ends up holding both permissions.
    for key in ('webhook_list', 'webhook_view'):
        UserRoleAssignment.add_or_update(UserRoleAssignmentDB(
            user=self.users[key].name,
            role=self.roles[key].name,
            source='assignments/%s.yaml' % self.users[key].name))
def test_get_one_no_permissions(self):
    """A user without any webhook permission is denied GET on a single webhook.

    Pins the deny path of the authorization check: the API must answer
    403 FORBIDDEN and the faultstring must name the user, the missing
    ``webhook_view`` permission and the UID of the requested resource.
    """
    # NOTE(review): the 'no_permissions' user is not created in this method;
    # presumably the base test case seeds it - confirm.
    self.use_user(self.users['no_permissions'])

    webhook_name = 'git'
    # Built only to compute the UID expected in the error message; not saved.
    expected_uid = WebhookDB(name=webhook_name).get_uid()

    # expect_errors=True lets the 4xx response come back for inspection.
    response = self.app.get('/v1/webhooks/%s' % (webhook_name), expect_errors=True)

    denial_msg = ('User "no_permissions" doesn\'t have required permission "webhook_view"'
                  ' on resource "%s"' % (expected_uid))
    self.assertEqual(response.status_code, httplib.FORBIDDEN)
    self.assertEqual(response.json['faultstring'], denial_msg)
def setUp(self):
    """Create the RBAC fixtures for the webhook controller tests.

    Inserts two users, two roles with exactly one permission grant each, and
    the assignments binding each user to the role of the same name. Keeping
    the roles single-permission lets the tests show that WEBHOOK_LIST and
    WEBHOOK_VIEW are enforced independently.
    """
    super(WebhookControllerRBACTestCase, self).setUp()

    def _add_role(role_name, resource_uid, permission_type):
        # Persist one grant, then a role that references only that grant.
        stored_grant = PermissionGrant.add_or_update(PermissionGrantDB(
            resource_uid=resource_uid,
            resource_type=ResourceType.WEBHOOK,
            permission_types=[permission_type]))
        stored_role = Role.add_or_update(
            RoleDB(name=role_name, permission_grants=[str(stored_grant.id)]))
        self.roles[role_name] = stored_role

    def _assign(key):
        # Bind the user stored under `key` to the role stored under `key`.
        assignment = UserRoleAssignmentDB(
            user=self.users[key].name,
            role=self.roles[key].name,
            source='assignments/%s.yaml' % self.users[key].name)
        UserRoleAssignment.add_or_update(assignment)

    # Users
    list_user = User.add_or_update(UserDB(name='webhook_list'))
    self.users['webhook_list'] = list_user
    view_user = User.add_or_update(UserDB(name='webhook_view'))
    self.users['webhook_view'] = view_user

    # Roles
    # webhook_list: grant carries no resource UID (presumably not limited to
    # a single webhook - confirm against the RBAC resolver).
    _add_role('webhook_list', None, PermissionType.WEBHOOK_LIST)

    # webhook_view: grant is scoped to the UID of the "git" webhook. The
    # WebhookDB instance is only used to derive that UID and is not saved here.
    git_uid = WebhookDB(name='git').get_uid()
    _add_role('webhook_view', git_uid, PermissionType.WEBHOOK_VIEW)

    # Role assignments
    _assign('webhook_list')
    _assign('webhook_view')
def test_get_one_no_permissions(self):
    """GET /v1/webhooks/<name> must be refused for a user holding no permissions.

    Asserts both the 403 FORBIDDEN status and the exact faultstring, which
    identifies the user, the required ``webhook_view`` permission and the
    resource UID that access was denied on.
    """
    # NOTE(review): 'no_permissions' is read from self.users but not created
    # in this method; presumably seeded by the base test case - confirm.
    requesting_user = self.users['no_permissions']
    self.use_user(requesting_user)

    target = 'git'
    # Only used to derive the UID that should appear in the denial message.
    target_uid = WebhookDB(name=target).get_uid()

    # expect_errors=True: the denial is the expected outcome, so the error
    # response is returned for the assertions below.
    result = self.app.get('/v1/webhooks/%s' % (target), expect_errors=True)

    self.assertEqual(result.status_code, http_client.FORBIDDEN)
    self.assertEqual(
        result.json['faultstring'],
        ('User "no_permissions" doesn\'t have required permission "webhook_view"'
         ' on resource "%s"' % (target_uid)))
def test_get_all_permission_success_get_one_no_permission_failure(self):
    """WEBHOOK_LIST alone allows listing but not viewing a single webhook.

    The same user first lists webhooks (200 OK, one entry) and is then denied
    GET on the ``git`` webhook with 403 FORBIDDEN, which shows that the list
    permission does not imply the view permission.
    """
    self.use_user(self.users['webhook_list'])

    # Allowed: the user holds webhook_list.
    listing = self.app.get('/v1/webhooks')
    self.assertEqual(listing.status_code, httplib.OK)
    # NOTE(review): the single registered webhook is not set up in this
    # method; presumably it comes from the base test case - confirm.
    self.assertEqual(len(listing.json), 1)

    # Denied: the user holds no webhook_view grant.
    webhook_name = 'git'
    # Built only to compute the UID expected in the error message; not saved.
    expected_uid = WebhookDB(name=webhook_name).get_uid()
    single = self.app.get('/v1/webhooks/%s' % (webhook_name), expect_errors=True)

    denial_msg = ('User "webhook_list" doesn\'t have required permission "webhook_view"'
                  ' on resource "%s"' % (expected_uid))
    self.assertEqual(single.status_code, httplib.FORBIDDEN)
    self.assertEqual(single.json['faultstring'], denial_msg)
def test_get_all_permission_success_get_one_no_permission_failure(self):
    """Listing succeeds, single-resource GET is refused, for a list-only user.

    Guards the separation between the two permissions: a principal granted
    only ``webhook_list`` gets 200 OK on the collection endpoint and
    403 FORBIDDEN, with the exact faultstring, on an individual webhook.
    """
    list_only_user = self.users['webhook_list']
    self.use_user(list_only_user)

    # Collection endpoint: permitted by webhook_list.
    collection_resp = self.app.get('/v1/webhooks')
    self.assertEqual(collection_resp.status_code, http_client.OK)
    # NOTE(review): where the one listed webhook is registered is not visible
    # in this method; presumably the base test case - confirm.
    self.assertEqual(len(collection_resp.json), 1)

    # Single-resource endpoint: needs webhook_view, which this user lacks.
    target = 'git'
    # Only used to derive the UID that should appear in the denial message.
    target_uid = WebhookDB(name=target).get_uid()
    item_resp = self.app.get('/v1/webhooks/%s' % (target), expect_errors=True)

    self.assertEqual(item_resp.status_code, http_client.FORBIDDEN)
    self.assertEqual(
        item_resp.json['faultstring'],
        ('User "webhook_list" doesn\'t have required permission "webhook_view"'
         ' on resource "%s"' % (target_uid)))