Example #1
0
 def setUp(self):
   super(AdminDomainTest, self).setUp()
   test_utils.SetupUser(test_utils.Login('manager'))
   test_utils.SetupUser(test_utils.DomainLogin('insider', 'xyz.com'))
   test_utils.SetupUser(test_utils.DomainLogin('reviewer', 'xyz.com'))
   test_utils.SetupUser(test_utils.DomainLogin('outsider', 'not-xyz.com'))
   # TODO(kpy): Consider moving this setup into the tests that use it.
   perms.Grant('xyz.com', perms.Role.MAP_CREATOR, 'xyz.com')
   perms.Grant('manager', perms.Role.DOMAIN_ADMIN, 'xyz.com')
   perms.Grant('reviewer', perms.Role.DOMAIN_REVIEWER, 'xyz.com')
   perms.Grant('insider', perms.Role.CATALOG_EDITOR, 'xyz.com')
   perms.Grant('outsider', perms.Role.MAP_CREATOR, 'xyz.com')
Example #2
0
 def testPost_CreateDomain(self):
   self.assertIsNone(domains.Domain.Get('bar.com'))
   with test_utils.DomainLogin('first_bar_user', 'bar.com'):
     response = self.DoCreateDomainPost('bar.com')
     self.assertTrue('welcome=1' in response.headers['Location'])
     self.assertTrue(domains.Domain.Get('bar.com'))
     # The current user should have been granted administrative rights
     self.assertTrue(perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'bar.com'))
Example #3
0
    def testDomainAdminRole(self):
        with test_utils.RootLogin():
            perms.Grant('xyz.com', perms.Role.DOMAIN_ADMIN, 'xyz.com')
            perms.Grant('outside_friend', perms.Role.DOMAIN_ADMIN, 'xyz.com')

        with test_utils.DomainLogin('insider', 'xyz.com'):
            self.assertTrue(
                perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
        with test_utils.DomainLogin('outside_friend', 'not-xyz.com'):
            self.assertTrue(
                perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
        with test_utils.Login('stranger'):
            self.assertFalse(
                perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
        with test_utils.DomainLogin('stranger_with_ga_domain', 'not-xyz.com'):
            self.assertFalse(
                perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
        with test_utils.RootLogin():
            self.assertTrue(
                perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
Example #4
0
    def testMapCreatorDomains(self):
        """Verifies that the map_creator_domains setting is respected."""
        perms.Grant('foo.com', perms.Role.MAP_CREATOR, 'xyz.com')

        # All users at foo.com have the CREATOR role for xyz.com.
        with test_utils.DomainLogin('insider', 'foo.com'):
            self.assertTrue(
                perms.CheckAccess(perms.Role.MAP_CREATOR, 'xyz.com'))
            self.assertFalse(perms.CheckAccess(perms.Role.ADMIN))
            model.Map.Create({}, 'xyz.com')

        # Users in bar.com don't have the CREATOR role.
        with test_utils.DomainLogin('outsider', 'bar.com'):
            self.assertFalse(
                perms.CheckAccess(perms.Role.MAP_CREATOR, 'xyz.com'))
            self.assertRaises(perms.AuthorizationError, model.Map.Create, {},
                              'xyz.com')

        # All users in gmail.test get MAP_CREATOR.
        perms.Grant('gmail.test', perms.Role.MAP_CREATOR, 'gmail.test')
        with test_utils.Login('gmail_user'):
            self.assertTrue(
                perms.CheckAccess(perms.Role.MAP_CREATOR, 'gmail.test'))
Example #5
0
  def testCreateDomain_HighLatencyDatastore(self):
    self.sent_true = False
    self.false_count = 0

    # Function signature (especially named arguments) needs to match CheckAccess
    # pylint: disable=unused-argument
    def MockCheckAccess(role, target=None, user=None, policy=None):
      if self.false_count < 4:
        self.false_count += 1
        return False
      self.sent_true = True
      return True
    # pylint: enable=unused-argument

    self.assertIsNone(domains.Domain.Get('slow.com'))
    self.mox.stubs.Set(perms, 'CheckAccess', MockCheckAccess)
    self.mox.stubs.Set(time, 'sleep', lambda unused_seconds: None)
    with test_utils.DomainLogin('domain_creator', 'slow.com'):
      self.DoCreateDomainPost('slow.com')
      self.assertTrue(self.sent_true)
      self.assertTrue(domains.Domain.Get('slow.com'))
Example #6
0
    def testDomainRoles(self):
        """Verifies that domain access permissions restrict actions correctly."""
        with test_utils.RootLogin():
            domains.Domain.Put('foo.com',
                               initial_domain_role=perms.Role.MAP_OWNER)
            m = model.Map.Create({}, 'foo.com')

        # Verify that a user in foo.com gets the domain role for foo.com.
        with test_utils.DomainLogin('insider', 'foo.com'):
            self.assertEquals(
                {'MAP_OWNER', 'MAP_EDITOR', 'MAP_REVIEWER', 'MAP_VIEWER'},
                GetRolesForMap(m))

            m.model.domain_role = perms.Role.MAP_EDITOR
            self.assertEquals({'MAP_EDITOR', 'MAP_REVIEWER', 'MAP_VIEWER'},
                              GetRolesForMap(m))

            m.model.domain_role = perms.Role.MAP_REVIEWER
            self.assertEquals({'MAP_REVIEWER', 'MAP_VIEWER'},
                              GetRolesForMap(m))

            m.model.domain_role = perms.Role.MAP_VIEWER
            self.assertEquals({'MAP_VIEWER'}, GetRolesForMap(m))
Example #7
0
 def testGet_NoPermissions(self):
   # xyz.com doesn't grant DOMAIN_ADMIN to the entire domain, so this fails.
   with test_utils.DomainLogin('another_insider', 'xyz.com'):
     self.DoGet('/xyz.com/.admin', 403)
Example #8
0
 def testGetFromDomainReviewer(self):
     perms.Grant('domainreviewer', perms.Role.DOMAIN_REVIEWER, 'xyz.com')
     with test_utils.DomainLogin('domainreviewer', 'xyz.com'):
         self.DoGet('/.maps/%s/review' % self.map_id)