Exemple #1
 def test_root_permissions(self):
     """Check that a READ grant on '/' authorizes READ on a created resource.

     NOTE(review): only the positive case is asserted. Nothing here checks
     that operations other than READ stay denied for the same user.
     """
     user = self._create_user()
     resource = self._create_resource()
     operation = authorization.READ
     operation_name = authorization.operation_to_name(operation)
     # The grant is placed on the root path, not on the resource itself.
     authorization.grant_permission_to_user(
         '/', user['login'], [operation_name])
     allowed = authorization.is_authorized(resource, user, operation)
     self.assertTrue(allowed)
Exemple #2
 def test_user_update_success(self):
     """Check that an UPDATE grant on a resource authorizes UPDATE for the user.

     NOTE(review): the test does not assert the state before the grant, so
     it cannot tell a real grant from a user who was authorized all along.
     """
     user = self._create_user()
     resource = self._create_resource()
     operation = authorization.UPDATE
     operation_name = authorization.operation_to_name(operation)
     authorization.grant_permission_to_user(
         resource, user['login'], [operation_name])
     allowed = authorization.is_authorized(resource, user, operation)
     self.assertTrue(allowed)
Exemple #3
 def test_parent_permissions(self):
     """Check that a READ grant on a parent path authorizes the resource.

     The parent is derived by cutting the resource path at the
     second-to-last '/' and appending '/' again.
     """
     user = self._create_user()
     resource = self._create_resource()
     # presumably the resource path ends with '/', so this drops exactly one
     # path component -- TODO confirm against _create_resource
     parent = resource.rsplit('/', 2)[0] + '/'
     operation = authorization.READ
     operation_name = authorization.operation_to_name(operation)
     authorization.grant_permission_to_user(
         parent, user['login'], [operation_name])
     allowed = authorization.is_authorized(resource, user, operation)
     self.assertTrue(allowed)
Exemple #4
 def test_user_permission_revoke(self):
     """Check that revoking a READ grant removes the user's authorization.

     The grant is first confirmed to take effect, so the final assertFalse
     shows that the revoke call itself changed the outcome.
     """
     user = self._create_user()
     resource = self._create_resource()
     operation = authorization.READ
     operation_name = authorization.operation_to_name(operation)
     login = user['login']

     authorization.grant_permission_to_user(resource, login, [operation_name])
     self.assertTrue(authorization.is_authorized(resource, user, operation))

     authorization.revoke_permission_from_user(
         resource, login, [operation_name])
     self.assertFalse(authorization.is_authorized(resource, user, operation))
Exemple #5
 def test_role_permission_delete(self):
     """Check that deleting a role removes access its members held through it.

     The user is authorized only through the role's READ grant, so after
     delete_role the same check is expected to fail.
     """
     user = self._create_user()
     role = self._create_role()
     resource = self._create_resource()
     operation = authorization.READ
     operation_name = authorization.operation_to_name(operation)
     role_name = role['name']

     authorization.add_user_to_role(role_name, user['login'])
     authorization.grant_permission_to_role(
         resource, role_name, [operation_name])
     self.assertTrue(authorization.is_authorized(resource, user, operation))

     authorization.delete_role(role_name)
     self.assertFalse(authorization.is_authorized(resource, user, operation))
Exemple #6
 def test_role_execute(self):
     """Check that a role's EXECUTE grant applies to members only.

     One user is added to the role and one is not. The second user is the
     negative control showing the grant does not reach non-members.
     """
     member = self._create_user()
     outsider = self._create_user()
     role = self._create_role()
     resource = self._create_resource()
     operation = authorization.EXECUTE
     operation_name = authorization.operation_to_name(operation)

     authorization.add_user_to_role(role['name'], member['login'])
     authorization.grant_permission_to_role(
         resource, role['name'], [operation_name])

     self.assertTrue(authorization.is_authorized(resource, member, operation))
     self.assertFalse(
         authorization.is_authorized(resource, outsider, operation))
Exemple #7
 def test_non_unique_permission_remove(self):
     """Check that access survives removal from one of two granting roles.

     The user belongs to two roles that both grant READ on the resource.
     After removal from the first role, the second role's grant is still
     expected to authorize the user.

     NOTE(review): there is no follow-up assertion that removing the user
     from the second role as well finally denies access.
     """
     user = self._create_user()
     first_role = self._create_role()
     second_role = self._create_role()
     resource = self._create_resource()
     operation = authorization.READ
     operation_name = authorization.operation_to_name(operation)
     login = user['login']

     authorization.add_user_to_role(first_role['name'], login)
     authorization.add_user_to_role(second_role['name'], login)
     authorization.grant_permission_to_role(
         resource, first_role['name'], [operation_name])
     authorization.grant_permission_to_role(
         resource, second_role['name'], [operation_name])
     self.assertTrue(authorization.is_authorized(resource, user, operation))

     authorization.remove_user_from_role(first_role['name'], login)
     self.assertTrue(authorization.is_authorized(resource, user, operation))
Exemple #8
 def test_non_unique_permission_delete(self):
     """Check that access survives deletion of one of two granting roles.

     Both roles grant READ on the resource to the same user. Deleting the
     first role must leave the second role's grant in effect.

     NOTE(review): there is no follow-up assertion that deleting the second
     role as well finally denies access.
     """
     user = self._create_user()
     first_role = self._create_role()
     second_role = self._create_role()
     resource = self._create_resource()
     operation = authorization.READ
     # The name is computed but not used by the calls below, which pass the
     # operation value itself.
     operation_name = authorization.operation_to_name(operation)
     login = user['login']

     self.role_manager.add_user_to_role(first_role['id'], login)
     self.role_manager.add_user_to_role(second_role['id'], login)
     self.role_manager.add_permissions_to_role(
         first_role['id'], resource, [operation])
     self.role_manager.add_permissions_to_role(
         second_role['id'], resource, [operation])
     self.assertTrue(
         self.user_query_manager.is_authorized(resource, login, operation))

     self.role_manager.delete_role(first_role['id'])
     self.assertTrue(
         self.user_query_manager.is_authorized(resource, login, operation))
Exemple #9
 def test_non_unique_permission_delete(self):
     """Check that a user keeps READ access when one of two roles is deleted.

     The user is a member of two roles, each holding READ on the resource.
     Only the first role is deleted, so the authorization check is expected
     to pass both before and after.

     NOTE(review): the denied case (both roles gone) is not exercised here.
     """
     user = self._create_user()
     role_a = self._create_role()
     role_b = self._create_role()
     resource = self._create_resource()
     operation = authorization.READ
     # Unused below: the manager calls take the operation value, not its name.
     operation_name = authorization.operation_to_name(operation)
     login = user['login']

     self.role_manager.add_user_to_role(role_a['id'], login)
     self.role_manager.add_user_to_role(role_b['id'], login)
     self.role_manager.add_permissions_to_role(
         role_a['id'], resource, [operation])
     self.role_manager.add_permissions_to_role(
         role_b['id'], resource, [operation])
     self.assertTrue(
         self.user_query_manager.is_authorized(resource, login, operation))

     self.role_manager.delete_role(role_a['id'])
     self.assertTrue(
         self.user_query_manager.is_authorized(resource, login, operation))
Exemple #10
    def GET(self):
        """Return every role with member logins and operation names filled in.

        Each role dict from role_query_manager().find_all() is modified in
        place: 'users' is set to the logins of the users belonging to the
        role, every operation list under 'permissions' is converted with
        operation_to_name, and a child link object is merged in.

        NOTE(review): no authorization check or decorator is visible in this
        excerpt. The response discloses role membership and permission
        grants, so confirm the enclosing handler restricts who may call it.
        """
        all_roles = managers.role_query_manager().find_all()
        for role in all_roles:
            members = managers.user_query_manager().find_users_belonging_to_role(
                role['id'])
            role['users'] = [member['login'] for member in members]
            granted = role['permissions']
            for resource, operations in granted.items():
                granted[resource] = [operation_to_name(op) for op in operations]

        # Links are added in a second pass, after every role has been expanded.
        for role in all_roles:
            link = serialization.link.child_link_obj(role['id'])
            role.update(link)

        return self.ok(all_roles)
Exemple #11
 def test_role_order_of_permission_grant(self):
     """Check that membership and grant order does not affect authorization.

     One user joins a role before the role receives READ. The other joins a
     role that already holds READ. Both are expected to be authorized.

     NOTE(review): users are identified by user['name'] in the
     add_user_to_role calls; confirm that is the key this API expects.
     """
     early_member = self._create_user()
     late_member = self._create_user()
     role_granted_after = self._create_role()
     role_granted_before = self._create_role()
     resource = self._create_resource()
     operation = authorization.READ
     operation_name = authorization.operation_to_name(operation)

     # Membership first, permission second.
     authorization.add_user_to_role(
         role_granted_after['name'], early_member['name'])
     authorization.grant_permission_to_role(
         resource, role_granted_after['name'], [operation_name])
     self.assertTrue(
         authorization.is_authorized(resource, early_member, operation))

     # Permission first, membership second.
     authorization.grant_permission_to_role(
         resource, role_granted_before['name'], [operation_name])
     authorization.add_user_to_role(
         role_granted_before['name'], late_member['name'])
     self.assertTrue(
         authorization.is_authorized(resource, late_member, operation))
Exemple #12
    def GET(self, role_id):
        """Return one role with member logins and operation names filled in.

        The role dict from find_by_id is modified in place: 'users' is set to
        the logins of the users belonging to the role, every operation list
        under 'permissions' is converted with operation_to_name, and the
        current link object is merged in.

        Raises:
            exceptions.MissingResource: when find_by_id returns None.

        NOTE(review): no authorization check or decorator is visible in this
        excerpt. The response discloses role membership and permission
        grants, so confirm the enclosing handler restricts who may call it.
        """
        role = managers.role_query_manager().find_by_id(role_id)
        if role is None:
            raise exceptions.MissingResource(role_id)

        members = managers.user_query_manager().find_users_belonging_to_role(
            role['id'])
        role['users'] = [member['login'] for member in members]

        granted = role['permissions']
        for resource, operations in granted.items():
            granted[resource] = [operation_to_name(op) for op in operations]

        link = serialization.link.current_link_obj()
        role.update(link)

        return self.ok(role)
Exemple #13
    def GET(self):
        """Return permission records, optionally limited to one resource.

        Without a 'resource' query parameter every record from find_all() is
        returned. With one, the result holds the single record from
        find_by_resource(), or is empty when that lookup returns None. In
        each record the per-user operation lists are converted with
        operation_to_name, in place.

        NOTE(review): 'resource' is supplied by the caller and handed to
        find_by_resource unchanged. Confirm the manager treats it as a
        literal key. No authorization check is visible in this excerpt.
        """
        requested = web.input().get('resource', None)

        if requested is None:
            records = managers.permission_query_manager().find_all()
        else:
            match = managers.permission_query_manager().find_by_resource(requested)
            records = [] if match is None else [match]

        for record in records:
            grants = record['users']
            for login, operations in grants.items():
                grants[login] = [operation_to_name(op) for op in operations]

        return self.ok(records)
Exemple #14
    def GET(self):
        """List all roles, expanding members to logins and operations to names.

        The role dicts returned by find_all() are modified in place. 'users'
        receives the logins from find_users_belonging_to_role, the operation
        lists under 'permissions' are mapped through operation_to_name, and
        each role is then updated with its child link object.

        NOTE(review): this excerpt shows no access-control check. The payload
        exposes which logins hold which roles and permissions; verify the
        surrounding handler limits access to it.
        """
        role_list = managers.role_query_manager().find_all()
        for role in role_list:
            role_users = managers.user_query_manager().find_users_belonging_to_role(
                role['id'])
            role['users'] = [entry['login'] for entry in role_users]
            by_resource = role['permissions']
            for resource, operations in by_resource.items():
                by_resource[resource] = [
                    operation_to_name(op) for op in operations
                ]

        # Second pass: attach the link object once all roles are expanded.
        for role in role_list:
            child_link = serialization.link.child_link_obj(role['id'])
            role.update(child_link)

        return self.ok(role_list)
Exemple #15
    def GET(self):
        """Return permission records for all resources or for one resource.

        The optional 'resource' query parameter selects a single record via
        find_by_resource(); a None result yields an empty list. When the
        parameter is absent, find_all() supplies the records. The per-user
        operation lists are rewritten in place with operation_to_name.

        NOTE(review): the 'resource' value comes straight from the request
        and is passed to find_by_resource as is. Verify the manager treats it
        as a literal key. No authorization check is visible in this excerpt.
        """
        resource_filter = web.input().get('resource', None)

        if resource_filter is None:
            found = managers.permission_query_manager().find_all()
        else:
            single = managers.permission_query_manager().find_by_resource(
                resource_filter)
            found = [] if single is None else [single]

        for record in found:
            per_user = record['users']
            for login, operations in per_user.items():
                per_user[login] = [operation_to_name(op) for op in operations]

        return self.ok(found)
Exemple #16
    def GET(self, role_id):
        """Look up a role by id and return it with logins and operation names.

        The role dict is modified in place. 'users' receives the logins from
        find_users_belonging_to_role, the operation lists under 'permissions'
        are mapped through operation_to_name, and the current link object is
        merged in before the role is returned.

        Raises:
            exceptions.MissingResource: when no role matches role_id.

        NOTE(review): this excerpt shows no access-control check. The payload
        exposes which logins hold the role and what it grants; verify the
        surrounding handler limits access to it.
        """
        role = managers.role_query_manager().find_by_id(role_id)
        if role is None:
            raise exceptions.MissingResource(role_id)

        role_users = managers.user_query_manager().find_users_belonging_to_role(
            role['id'])
        role['users'] = [entry['login'] for entry in role_users]

        by_resource = role['permissions']
        for resource, operations in by_resource.items():
            by_resource[resource] = [
                operation_to_name(op) for op in operations
            ]

        current_link = serialization.link.current_link_obj()
        role.update(current_link)

        return self.ok(role)
Exemple #17
 def test_consumer_users_revoke(self):
     """Check that revoking from consumer_users_role is refused.

     revoke_permission_from_role is expected to raise
     PulpAuthorizationError when the target is
     authorization.consumer_users_role.
     """
     resource = self._create_resource()
     read_name = authorization.operation_to_name(authorization.READ)
     expected_error = authorization.PulpAuthorizationError
     # assertRaises is used in its callable form: the function and its
     # arguments are passed separately and invoked by the assertion.
     self.assertRaises(
         expected_error,
         authorization.revoke_permission_from_role,
         resource, authorization.consumer_users_role, [read_name])
Exemple #18
 def test_super_users_grant(self):
     """Check that granting to super_user_role is refused.

     grant_permission_to_role is expected to raise PulpAuthorizationError
     when the target is authorization.super_user_role.
     """
     resource = self._create_resource()
     read_name = authorization.operation_to_name(authorization.READ)
     expected_error = authorization.PulpAuthorizationError
     # assertRaises is used in its callable form: the function and its
     # arguments are passed separately and invoked by the assertion.
     self.assertRaises(
         expected_error,
         authorization.grant_permission_to_role,
         resource, authorization.super_user_role, [read_name])