def test_authorize_func(self):
def f(ctx, identity, op):
self.assertEqual(identity.id(), 'bob')
if op.entity == 'a':
return False, None
elif op.entity == 'b':
return True, None
elif op.entity == 'c':
return True, [
checkers.Caveat(location='somewhere', condition='c')
]
elif op.entity == 'd':
return True, [
checkers.Caveat(location='somewhere', condition='d')
]
else:
self.fail('unexpected entity: ' + op.Entity)
ops = [
macaroonbakery.Op('a', 'x'),
macaroonbakery.Op('b', 'x'),
macaroonbakery.Op('c', 'x'),
macaroonbakery.Op('d', 'x')
]
allowed, caveats = macaroonbakery.AuthorizerFunc(f).authorize(
checkers.AuthContext(), macaroonbakery.SimpleIdentity('bob'), ops)
self.assertEqual(allowed, [False, True, True, True])
self.assertEqual(caveats, [
checkers.Caveat(location='somewhere', condition='c'),
checkers.Caveat(location='somewhere', condition='d')
])
def test_context_wired_properly(self):
ctx = checkers.AuthContext({'a': 'aval'})
class Visited:
in_f = False
in_allow = False
in_get_acl = False
def f(ctx, identity, op):
self.assertEqual(ctx.get('a'), 'aval')
Visited.in_f = True
return False, None
macaroonbakery.AuthorizerFunc(f).authorize(
ctx, macaroonbakery.SimpleIdentity('bob'), ['op1'])
self.assertTrue(Visited.in_f)
class TestIdentity(SimplestIdentity, macaroonbakery.ACLIdentity):
def allow(other, ctx, acls):
self.assertEqual(ctx.get('a'), 'aval')
Visited.in_allow = True
return False
def get_acl(ctx, acl):
self.assertEqual(ctx.get('a'), 'aval')
Visited.in_get_acl = True
return []
macaroonbakery.ACLAuthorizer(allow_public=False,
get_acl=get_acl).authorize(
ctx, TestIdentity('bob'), ['op1'])
self.assertTrue(Visited.in_get_acl)
self.assertTrue(Visited.in_allow)
def test_auth_with_third_party_caveats(self):
locator = _DischargerLocator()
ids = _IdService('ids', locator, self)
# We make an authorizer that requires a third party discharge
# when authorizing.
def authorize_with_tp_discharge(ctx, id, op):
if (id is not None and id.id() == 'bob'
and op == macaroonbakery.Op(entity='something',
action='read')):
return True, [
checkers.Caveat(condition='question',
location='other third party')
]
return False, None
auth = macaroonbakery.AuthorizerFunc(authorize_with_tp_discharge)
ts = _Service('myservice', auth, ids, locator)
class _LocalDischargeChecker(macaroonbakery.ThirdPartyCaveatChecker):
def check_third_party_caveat(_, ctx, info):
if info.condition != 'question':
raise ValueError('third party condition not recognized')
self._discharges.append(
_DischargeRecord(location='other third party',
user=ctx.get(_DISCHARGE_USER_KEY)))
return []
locator['other third party'] = _Discharger(
key=macaroonbakery.generate_key(),
checker=_LocalDischargeChecker(),
locator=locator,
)
client = _Client(locator)
ctx = test_context.with_value(_DISCHARGE_USER_KEY, 'bob')
client.do(ctx, ts,
[macaroonbakery.Op(entity='something', action='read')])
self.assertEqual(self._discharges, [
_DischargeRecord(location='ids', user='******'),
_DischargeRecord(location='other third party', user='******')
])