def load_config_section(self,
configuration_file,
configuration,
bot_root,
subs: Substitutions = None):
securities = configuration_file.get_section(self.section_name,
configuration)
if securities is not None:
self._authentication = BrainSecurityAuthenticationConfiguration()
self._authentication.load_config_section(configuration_file,
securities,
bot_root,
subs=subs)
self._authorisation = BrainSecurityAuthorisationConfiguration()
self._authorisation.load_config_section(configuration_file,
securities,
bot_root,
subs=subs)
self._account_linker = BrainSecurityAccountLinkerConfiguration()
self._account_linker.load_config_section(configuration_file,
securities,
bot_root,
subs=subs)
class BrainSecuritiesConfiguration(BaseSectionConfigurationData):
def __init__(self):
BaseSectionConfigurationData.__init__(self, "security")
self._authorisation = None
self._authentication = None
@property
def authorisation(self):
return self._authorisation
@property
def authentication(self):
return self._authentication
def load_config_section(self, configuration_file, configuration, bot_root):
securities = configuration_file.get_section(self.section_name, configuration)
if securities is not None:
self._authentication = BrainSecurityAuthenticationConfiguration()
self._authentication.load_config_section(configuration_file, securities, bot_root)
self._authorisation = BrainSecurityAuthorisationConfiguration()
self._authorisation.load_config_section(configuration_file, securities, bot_root)
def to_yaml(self, data, defaults=True):
self.config_to_yaml(data, BrainSecurityAuthenticationConfiguration(), defaults)
self.config_to_yaml(data, BrainSecurityAuthorisationConfiguration(), defaults)
class BrainSecuritiesConfiguration(BaseSectionConfigurationData):
def __init__(self):
BaseSectionConfigurationData.__init__(self, "security")
self._authorisation = None
self._authentication = None
self._account_linker = None
@property
def authorisation(self):
return self._authorisation
@property
def authentication(self):
return self._authentication
@property
def account_linker(self):
return self._account_linker
def load_config_section(self, configuration_file, configuration, bot_root):
securities = configuration_file.get_section(self.section_name, configuration)
if securities is not None:
self._authentication = BrainSecurityAuthenticationConfiguration()
self._authentication.load_config_section(configuration_file, securities, bot_root)
self._authorisation = BrainSecurityAuthorisationConfiguration()
self._authorisation.load_config_section(configuration_file, securities, bot_root)
self._account_linker = BrainSecurityAccountLinkerConfiguration()
self._account_linker.load_config_section(configuration_file, securities, bot_root)
def to_yaml(self, data, defaults=True):
self.config_to_yaml(data, BrainSecurityAuthenticationConfiguration(), defaults)
self.config_to_yaml(data, BrainSecurityAuthorisationConfiguration(), defaults)
self.config_to_yaml(data, BrainSecurityAccountLinkerConfiguration(), defaults)
def test_authorisation_with_data_denied_srai(self):
yaml = YamlConfigurationFile()
self.assertIsNotNone(yaml)
yaml.load_from_text(
"""
brain:
security:
authorisation:
classname: programy.security.authorise.passthrough.PassThroughAuthorisationService
denied_srai: AUTHORISATION_FAILED
""", ConsoleConfiguration(), ".")
brain_config = yaml.get_section("brain")
self.assertIsNotNone(brain_config)
services_config = yaml.get_section("security", brain_config)
self.assertIsNotNone(services_config)
service_config = BrainSecurityAuthorisationConfiguration()
service_config.load_config_section(yaml, services_config, ".")
self.assertEqual(
"programy.security.authorise.passthrough.PassThroughAuthorisationService",
service_config.classname)
self.assertEqual("AUTHORISATION_FAILED", service_config.denied_srai)
self.assertEqual(
BrainSecurityAuthorisationConfiguration.DEFAULT_ACCESS_DENIED,
service_config.denied_text)
def load_config_section(self, configuration_file, configuration, bot_root):
securities = configuration_file.get_section(self.section_name,
configuration)
if securities is not None:
self._authentication = BrainSecurityAuthenticationConfiguration()
self._authentication.load_config_section(configuration_file,
securities, bot_root)
self._authorisation = BrainSecurityAuthorisationConfiguration()
self._authorisation.load_config_section(configuration_file,
securities, bot_root)
def test_usersgroups(self):
service_config = BrainSecurityAuthorisationConfiguration("authorisation")
service_config._usergroups = os.path.dirname(__file__) + os.sep + "test_usergroups.yaml"
service = BasicUserGroupAuthorisationService(service_config)
self.assertIsNotNone(service)
self.assertTrue(service.authorise("console", "root"))
self.assertFalse(service.authorise("console", "uber"))
with self.assertRaises(AuthorisationException):
service.authorise("anyone", "root")
def test_usersgroups(self):
service_config = BrainSecurityAuthorisationConfiguration(
"authorisation")
service_config._usergroups = os.path.dirname(
__file__) + os.sep + "test_usergroups.yaml"
service = BasicUserGroupAuthorisationService(service_config)
self.assertIsNotNone(service)
self.assertTrue(service.authorise("console", "root"))
self.assertFalse(service.authorise("console", "uber"))
with self.assertRaises(AuthorisationException):
service.authorise("anyone", "root")
def test_load_groups_no_groups(self):
authorisor = BasicUserGroupAuthorisationService(BrainSecurityAuthorisationConfiguration())
store = UserGroupsStore()
yaml_data = yaml.load("""
others:
group1:
roles:
role1, role2, role3
groups:
group1, group2
users:
user1, user2
group2:
roles:
role4, role5
groups:
group3
users:
user3
""", Loader=yaml.FullLoader)
store._load_groups(yaml_data,authorisor)
self.assertFalse("group1" in authorisor.groups)
self.assertFalse("group2" in authorisor.groups)
def test_load_users(self):
authorisor = BasicUserGroupAuthorisationService(BrainSecurityAuthorisationConfiguration())
store = UserGroupsStore()
yaml_data = yaml.load("""
users:
console:
roles:
user
groups:
sysadmin, local
viewer:
roles:
user
groups:
local
""", Loader=yaml.FullLoader)
store._load_users(yaml_data,authorisor)
self.assertTrue("console" in authorisor.users.keys())
self.assertIsInstance(authorisor.users['console'], User)
self.assertTrue("user" in authorisor.users['console'].roles)
self.assertTrue("sysadmin" in authorisor.users['console'].groups)
self.assertTrue("local" in authorisor.users['console'].groups)
self.assertTrue("viewer" in authorisor.users.keys())
self.assertIsInstance(authorisor.users['viewer'], User)
self.assertTrue("user" in authorisor.users['viewer'].roles)
self.assertTrue("local" in authorisor.users['viewer'].groups)
def test_overall_load_missing_groups(self):
authorisor = BasicUserGroupAuthorisationService(BrainSecurityAuthorisationConfiguration())
store = UserGroupsStore()
yaml_data = yaml.load("""
users:
user1:
groups:
group1
user2:
groups:
group4
groups:
group1:
roles:
role1, role2, role3
groups:
group1, group2
users:
user1, user2
group2:
roles:
role4, role5
groups:
group5
users:
user3
group3:
roles:
role6 """, Loader=yaml.FullLoader)
store.load_users_and_groups_from_yaml(yaml_data, authorisor)
def to_yaml(self, data, defaults=True):
self.config_to_yaml(data, BrainSecurityAuthenticationConfiguration(),
defaults)
self.config_to_yaml(data, BrainSecurityAuthorisationConfiguration(),
defaults)
self.config_to_yaml(data, BrainSecurityAccountLinkerConfiguration(),
defaults)
def test_load_groups_no_group_users(self):
config = SQLStorageConfiguration()
engine = SQLStorageEngine(config)
engine.initialise()
store = SQLUserGroupStore(engine)
yaml_data = yaml.load("""
groups:
group1:
roles:
role1, role2, role3
groups:
group1, group2
group2:
roles:
role4, role5
groups:
group3
""", Loader=yaml.FullLoader)
store._upload_groups(yaml_data, verbose=False)
authorisor = BasicUserGroupAuthorisationService(BrainSecurityAuthorisationConfiguration())
store.load_usergroups(authorisor)
def test_load_users_no_groups(self):
config = SQLStorageConfiguration()
engine = SQLStorageEngine(config)
engine.initialise()
store = SQLUserGroupStore(engine)
yaml_data = yaml.load("""
users:
console:
roles:
user
viewer:
roles:
user
""", Loader=yaml.FullLoader)
store._upload_users(yaml_data, verbose=True)
authorisor = BasicUserGroupAuthorisationService(BrainSecurityAuthorisationConfiguration())
store.load_usergroups(authorisor)
self.assertTrue("console" in authorisor.users)
self.assertTrue("viewer" in authorisor.users)
self.assertFalse("sysadmin" in authorisor.groups)
self.assertFalse("local" in authorisor.groups)
self.assertTrue(authorisor.authorise("console", "user"))
self.assertTrue(authorisor.authorise("viewer", "user"))
def test_load_groups_group(self):
authorisor = BasicUserGroupAuthorisationService(BrainSecurityAuthorisationConfiguration())
store = UserGroupsStore()
yaml_data = yaml.load("""
groups:
group1:
roles:
role1, role2, role3
groups:
group1, group2
users:
user1, user2
""", Loader=yaml.FullLoader)
store._load_groups_group(yaml_data, "group1", authorisor)
self.assertTrue("group1" in authorisor.groups)
self.assertTrue("role1" in authorisor.groups['group1'].roles)
self.assertTrue("role2" in authorisor.groups['group1'].roles)
self.assertTrue("role2" in authorisor.groups['group1'].roles)
self.assertTrue("group1" in authorisor.groups['group1'].groups)
self.assertTrue("group2" in authorisor.groups['group1'].groups)
self.assertTrue("user1" in authorisor.groups['group1'].users)
self.assertTrue("user2" in authorisor.groups['group1'].users)
def load_config_section(self, configuration_file, configuration, bot_root):
securities = configuration_file.get_section(self.section_name, configuration)
if securities is not None:
self._authentication = BrainSecurityAuthenticationConfiguration()
self._authentication.load_config_section(configuration_file, securities, bot_root)
self._authorisation = BrainSecurityAuthorisationConfiguration()
self._authorisation.load_config_section(configuration_file, securities, bot_root)
def test_load_usergroups(self):
config = SQLStorageConfiguration()
engine = SQLStorageEngine(config)
engine.initialise()
store = SQLUserGroupStore(engine)
yaml_data = yaml.load("""
users:
user1:
groups:
group1
user2:
groups:
group4
user3:
groups:
group1
groups:
group1:
roles:
role1, role2, role3
groups:
group1, group2
users:
user1, user2
group2:
roles:
role4, role5
groups:
group5
users:
user3
group3:
roles:
role6
""", Loader=yaml.FullLoader)
store.load_from_yaml(yaml_data, verbose=False)
store.commit()
authorisor = BasicUserGroupAuthorisationService(BrainSecurityAuthorisationConfiguration())
store.load_usergroups(authorisor)
self.assertTrue("user1" in authorisor.users)
self.assertTrue("user2" in authorisor.users)
self.assertTrue("user3" in authorisor.users)
self.assertTrue("group1" in authorisor.groups)
self.assertTrue("group2" in authorisor.groups)
self.assertTrue("group3" in authorisor.groups)
self.assertTrue(authorisor.authorise("user3", "role3"))
def test_defaults(self):
authenticate_config = BrainSecurityAuthenticationConfiguration()
data = {}
authenticate_config.to_yaml(data, True)
BrainSecurityConfigurationTests.assert_authenticate_defaults(
self, data)
authorise_config = BrainSecurityAuthorisationConfiguration()
data = {}
authorise_config.to_yaml(data, True)
BrainSecurityConfigurationTests.assert_authorise_defaults(self, data)
accountlinker_config = BrainSecurityAccountLinkerConfiguration()
data = {}
accountlinker_config.to_yaml(data, True)
BrainSecurityConfigurationTests.assert_accountlinker_defaults(
self, data)
def test_authorisation_with_data_neither_denied_srai_or_text(self):
yaml = YamlConfigurationFile()
self.assertIsNotNone(yaml)
yaml.load_from_text("""
brain:
security:
authorisation:
classname: programy.security.authorise.passthrough.PassThroughAuthorisationService
""", ConsoleConfiguration(), ".")
brain_config = yaml.get_section("brain")
self.assertIsNotNone(brain_config)
services_config = yaml.get_section("security", brain_config)
self.assertIsNotNone(services_config)
service_config = BrainSecurityAuthorisationConfiguration()
service_config.load_config_section(yaml, services_config, ".")
self.assertEqual("programy.security.authorise.passthrough.PassThroughAuthorisationService", service_config.classname)
self.assertEqual(BrainSecurityAuthorisationConfiguration.DEFAULT_ACCESS_DENIED, service_config.denied_text)
self.assertIsNone(service_config.denied_srai)
def load_configuration(self, arguments, subs: Substitutions = None):
super(AuthoriseTestClient, self).load_configuration(arguments)
self.configuration.client_configuration.configurations[0].configurations[
0].security._authorisation = BrainSecurityAuthorisationConfiguration(
)
self.configuration.client_configuration.configurations[0].configurations[0].security.authorisation._classname = \
"programy.security.authorise.usergroupsauthorisor.BasicUserGroupAuthorisationService"
self.configuration.client_configuration.configurations[
0].configurations[
0].security.authorisation._denied_srai = "ACCESS_DENIED"
self.configuration.client_configuration.configurations[
0].configurations[
0].security.authorisation._usergroups = os.path.dirname(
__file__) + os.sep + "usergroups.yaml"
def test_fail_load_authorisation_class(self):
config = BrainSecuritiesConfiguration()
config._authorisation = BrainSecurityAuthorisationConfiguration()
config._authentication = BrainSecurityAuthenticationConfiguration()
config._account_linker = BrainSecurityAccountLinkerConfiguration()
mgr = MockSecurityManager(config, fail_authorise=True)
self.assertIsNotNone(mgr)
client = TestClient()
mgr.load_security_services(client)
self.assertIsNone(mgr.authorisation)
self.assertIsNotNone(mgr.authentication)
self.assertIsNotNone(mgr.account_linker)
def test_fail_load_account_linking_class_missing(self):
config = BrainSecuritiesConfiguration()
config._authorisation = BrainSecurityAuthorisationConfiguration()
config._authentication = BrainSecurityAuthenticationConfiguration()
config._account_linker = BrainSecurityAccountLinkerConfiguration()
config._account_linker._classname = None
mgr = SecurityManager(config)
self.assertIsNotNone(mgr)
client = TestClient()
mgr.load_security_services(client)
self.assertIsNotNone(mgr.authorisation)
self.assertIsNotNone(mgr.authentication)
self.assertIsNone(mgr.account_linker)
def test_load_users_no_users(self):
authorisor = BasicUserGroupAuthorisationService(BrainSecurityAuthorisationConfiguration())
store = UserGroupsStore()
yaml_data = yaml.load("""
others:
console:
roles:
user
groups:
sysadmin, local
viewer:
roles:
user
groups:
local
""", Loader=yaml.FullLoader)
store._load_users(yaml_data,authorisor)
self.assertFalse("console" in authorisor.users.keys())
self.assertFalse("viewer" in authorisor.users.keys())
def test_authorisor(self):
service = PassThroughAuthorisationService(
BrainSecurityAuthorisationConfiguration("authorisation"))
self.assertIsNotNone(service)
self.assertTrue(service.authorise("console", "sysadmin"))
self.assertTrue(service.authorise("anyone", "sysadmin"))
