Exemple #1
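    def setUp(self):
        """Create the users and key-value fixtures shared by the RBAC tests.

        Stores two users (``user1`` and ``user2``) and five key-value pairs,
        which are kept in ``self.kvps``:

        * ``kvp_1`` / ``kvp_2``: system scope (``kvp_2`` is a secret).
        * ``kvp_3`` / ``kvp_4``: user scope, owned by ``user1`` (``kvp_4`` is a secret).
        * ``kvp_5``: user scope, owned by ``user2``.

        The expected-count attributes set at the end describe exactly these
        fixtures and must be kept in sync with them.
        """
        super(KeyValuesControllerRBACTestCase, self).setUp()

        self.kvps = {}

        # Insert mock users
        user_1_db = UserDB(name='user1')
        user_1_db = User.add_or_update(user_1_db)
        self.users['user_1'] = user_1_db

        user_2_db = UserDB(name='user2')
        user_2_db = User.add_or_update(user_2_db)
        self.users['user_2'] = user_2_db

        # Insert mock kvp objects
        kvp_api = KeyValuePairSetAPI(name='test_system_scope', value='value1',
                                     scope=FULL_SYSTEM_SCOPE)
        kvp_db = KeyValuePairSetAPI.to_model(kvp_api)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps['kvp_1'] = kvp_db

        kvp_api = KeyValuePairSetAPI(name='test_system_scope_secret', value='value_secret',
                                     scope=FULL_SYSTEM_SCOPE, secret=True)
        kvp_db = KeyValuePairSetAPI.to_model(kvp_api)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps['kvp_2'] = kvp_db

        # User-scoped keys carry their owner in the key reference. The owner has
        # to be one of the stored users: a placeholder owner would put all three
        # keys under a single unknown identity, so the per-user counts below
        # would not hold and no per-user isolation could be checked.
        name = get_key_reference(scope=FULL_USER_SCOPE, name='test_user_scope_1',
                                 user=user_1_db.name)
        kvp_db = KeyValuePairDB(name=name, value='valueu12', scope=FULL_USER_SCOPE)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps['kvp_3'] = kvp_db

        name = get_key_reference(scope=FULL_USER_SCOPE, name='test_user_scope_2',
                                 user=user_1_db.name)
        kvp_api = KeyValuePairSetAPI(name=name, value='user_secret', scope=FULL_USER_SCOPE,
                                     secret=True)
        kvp_db = KeyValuePairSetAPI.to_model(kvp_api)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps['kvp_4'] = kvp_db

        name = get_key_reference(scope=FULL_USER_SCOPE, name='test_user_scope_3',
                                 user=user_2_db.name)
        kvp_db = KeyValuePairDB(name=name, value='valueu21', scope=FULL_USER_SCOPE)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps['kvp_5'] = kvp_db

        # Expected totals: two system-scoped keys, three user-scoped keys,
        # split two for user1 and one for user2.
        self.system_scoped_items_count = 2
        self.user_scoped_items_count = 3
        self.user_scoped_items_per_user_count = {
            'user1': 2,
            'user2': 1
        }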
Exemple #2
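    def setUp(self):
        """Create the users and key-value fixtures shared by the RBAC tests.

        Stores two users (``user1`` and ``user2``) and five key-value pairs,
        which are kept in ``self.kvps``:

        * ``kvp_1`` / ``kvp_2``: system scope (``kvp_2`` is a secret).
        * ``kvp_3`` / ``kvp_4``: user scope, owned by ``user1`` (``kvp_4`` is a secret).
        * ``kvp_5``: user scope, owned by ``user2``.

        The expected-count attributes set at the end describe exactly these
        fixtures and must be kept in sync with them.
        """
        super(KeyValuesControllerRBACTestCase, self).setUp()

        self.kvps = {}

        # Insert mock users
        user_1_db = UserDB(name="user1")
        user_1_db = User.add_or_update(user_1_db)
        self.users["user_1"] = user_1_db

        user_2_db = UserDB(name="user2")
        user_2_db = User.add_or_update(user_2_db)
        self.users["user_2"] = user_2_db

        # Insert mock kvp objects
        kvp_api = KeyValuePairSetAPI(name="test_system_scope", value="value1", scope=FULL_SYSTEM_SCOPE)
        kvp_db = KeyValuePairSetAPI.to_model(kvp_api)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps["kvp_1"] = kvp_db

        kvp_api = KeyValuePairSetAPI(
            name="test_system_scope_secret", value="value_secret", scope=FULL_SYSTEM_SCOPE, secret=True
        )
        kvp_db = KeyValuePairSetAPI.to_model(kvp_api)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps["kvp_2"] = kvp_db

        # User-scoped keys carry their owner in the key reference. The owner has
        # to be one of the stored users: a placeholder owner would put all three
        # keys under a single unknown identity, so the per-user counts below
        # would not hold and no per-user isolation could be checked.
        name = get_key_reference(scope=FULL_USER_SCOPE, name="test_user_scope_1", user=user_1_db.name)
        kvp_db = KeyValuePairDB(name=name, value="valueu12", scope=FULL_USER_SCOPE)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps["kvp_3"] = kvp_db

        name = get_key_reference(scope=FULL_USER_SCOPE, name="test_user_scope_2", user=user_1_db.name)
        kvp_api = KeyValuePairSetAPI(name=name, value="user_secret", scope=FULL_USER_SCOPE, secret=True)
        kvp_db = KeyValuePairSetAPI.to_model(kvp_api)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps["kvp_4"] = kvp_db

        name = get_key_reference(scope=FULL_USER_SCOPE, name="test_user_scope_3", user=user_2_db.name)
        kvp_db = KeyValuePairDB(name=name, value="valueu21", scope=FULL_USER_SCOPE)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps["kvp_5"] = kvp_db

        # Expected totals: two system-scoped keys, three user-scoped keys,
        # split two for user1 and one for user2.
        self.system_scoped_items_count = 2
        self.user_scoped_items_count = 3
        self.user_scoped_items_per_user_count = {"user1": 2, "user2": 1}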
Exemple #3
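    def setUp(self):
        """Create the users and key-value fixtures shared by the RBAC tests.

        Stores two users (``user1`` and ``user2``) and five key-value pairs,
        which are kept in ``self.kvps``:

        * ``kvp_1`` / ``kvp_2``: system scope (``kvp_2`` is a secret).
        * ``kvp_3`` / ``kvp_4``: user scope, owned by ``user1`` (``kvp_4`` is a secret).
        * ``kvp_5``: user scope, owned by ``user2``.

        The expected-count attributes set at the end describe exactly these
        fixtures and must be kept in sync with them.
        """
        super(KeyValuesControllerRBACTestCase, self).setUp()

        self.kvps = {}

        # Insert mock users
        user_1_db = UserDB(name='user1')
        user_1_db = User.add_or_update(user_1_db)
        self.users['user_1'] = user_1_db

        user_2_db = UserDB(name='user2')
        user_2_db = User.add_or_update(user_2_db)
        self.users['user_2'] = user_2_db

        # Insert mock kvp objects
        kvp_api = KeyValuePairSetAPI(name='test_system_scope',
                                     value='value1',
                                     scope=FULL_SYSTEM_SCOPE)
        kvp_db = KeyValuePairSetAPI.to_model(kvp_api)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps['kvp_1'] = kvp_db

        kvp_api = KeyValuePairSetAPI(name='test_system_scope_secret',
                                     value='value_secret',
                                     scope=FULL_SYSTEM_SCOPE,
                                     secret=True)
        kvp_db = KeyValuePairSetAPI.to_model(kvp_api)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps['kvp_2'] = kvp_db

        # User-scoped keys carry their owner in the key reference. The owner has
        # to be one of the stored users: a placeholder owner would put all three
        # keys under a single unknown identity, so the per-user counts below
        # would not hold and no per-user isolation could be checked.
        name = get_key_reference(scope=FULL_USER_SCOPE,
                                 name='test_user_scope_1',
                                 user=user_1_db.name)
        kvp_db = KeyValuePairDB(name=name,
                                value='valueu12',
                                scope=FULL_USER_SCOPE)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps['kvp_3'] = kvp_db

        name = get_key_reference(scope=FULL_USER_SCOPE,
                                 name='test_user_scope_2',
                                 user=user_1_db.name)
        kvp_api = KeyValuePairSetAPI(name=name,
                                     value='user_secret',
                                     scope=FULL_USER_SCOPE,
                                     secret=True)
        kvp_db = KeyValuePairSetAPI.to_model(kvp_api)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps['kvp_4'] = kvp_db

        name = get_key_reference(scope=FULL_USER_SCOPE,
                                 name='test_user_scope_3',
                                 user=user_2_db.name)
        kvp_db = KeyValuePairDB(name=name,
                                value='valueu21',
                                scope=FULL_USER_SCOPE)
        kvp_db = KeyValuePair.add_or_update(kvp_db)
        kvp_db = KeyValuePairAPI.from_model(kvp_db)
        self.kvps['kvp_5'] = kvp_db

        # Expected totals: two system-scoped keys, three user-scoped keys,
        # split two for user1 and one for user2.
        self.system_scoped_items_count = 2
        self.user_scoped_items_count = 3
        self.user_scoped_items_per_user_count = {'user1': 2, 'user2': 1}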
    def test_admin_permissions_for_user_scoped_kvps(self):
        # Checks the admin path across scopes: an admin may list, read
        # decrypted, overwrite and delete a secret stored in another user's
        # scope, but only when the owner is named explicitly in the request.

        # Store the owning user and one secret key in that user's scope.
        owner_db = User.add_or_update(UserDB(name="user115"))
        self.users[owner_db.name] = owner_db
        owner = owner_db.name

        key_name = "mykey5"
        key_ref = get_key_reference(FULL_USER_SCOPE, key_name, owner)
        kvp_uid = "%s:%s:%s" % (ResourceType.KEY_VALUE_PAIR, FULL_USER_SCOPE, key_ref)
        kvp_api = KeyValuePairSetAPI(
            uid=kvp_uid,
            scope=FULL_USER_SCOPE,
            name=key_ref,
            value="myval5",
            secret=True,
        )
        stored_kvp = KeyValuePair.add_or_update(KeyValuePairSetAPI.to_model(kvp_api))
        self.resources[stored_kvp.uid] = stored_kvp

        # Every request from here on is made as the admin user.
        self.use_user(self.users["admin"])

        # Listing with an explicit owner returns that owner's single key.
        listing = self.app.get("/v1/keys?limit=-1&scope=user&user=%s" % owner)
        self.assertEqual(listing.status_int, http_client.OK)
        self.assertEqual(len(listing.json), 1)

        listing = self.app.get("/v1/keys?scope=user&user=%s" % owner)
        self.assertEqual(listing.status_int, http_client.OK)
        self.assertEqual(len(listing.json), 1)
        entry = listing.json[0]
        self.assertEqual(entry["name"], key_name)
        self.assertEqual(entry["user"], owner)

        # With decrypt=True the admin also gets the plaintext of the secret.
        listing = self.app.get("/v1/keys?decrypt=True&scope=user&user=%s" % owner)
        self.assertEqual(listing.status_int, http_client.OK)
        self.assertEqual(len(listing.json), 1)
        entry = listing.json[0]
        self.assertEqual(entry["name"], key_name)
        self.assertEqual(entry["user"], owner)
        self.assertEqual(entry["value"], kvp_api.value)

        # Without an explicit owner only system-scoped items come back: two of
        # them here (presumably created by the class-level setUp, TODO confirm).
        for list_url in ("/v1/keys?scope=all", "/v1/keys?scope=system"):
            listing = self.app.get(list_url)
            self.assertEqual(listing.status_int, http_client.OK)
            self.assertEqual(len(listing.json), 2)
            self.assertTrue(
                all(item["scope"] == FULL_SYSTEM_SCOPE for item in listing.json))

        # scope=user without a user parameter yields nothing for the admin.
        listing = self.app.get("/v1/keys?scope=user")
        self.assertEqual(listing.status_int, http_client.OK)
        self.assertEqual(len(listing.json), 0)

        # Single-key operations on the other user's key: read, write, delete.
        original_value = kvp_api.value
        key_url = "/v1/keys/%s?decrypt=True&scope=user&user=%s" % (key_name, owner)
        reply = self.app.get(key_url)
        self.assertEqual(reply.status_int, http_client.OK)
        self.assertEqual(reply.json["value"], original_value)

        payload = {
            "name": key_ref,
            "value": "value for %s" % key_name,
            "scope": FULL_USER_SCOPE,
            "user": owner,
            "secret": True,
        }
        reply = self.app.put_json(key_url, payload)
        self.assertEqual(reply.status_int, http_client.OK)

        # The overwritten value is what a later decrypted read returns.
        reply = self.app.get(key_url)
        self.assertEqual(reply.status_int, http_client.OK)
        self.assertEqual(reply.json["value"], "value for %s" % key_name)

        reply = self.app.delete(key_url)
        self.assertEqual(reply.status_code, http_client.NO_CONTENT)

        # After deletion the key can no longer be fetched.
        reply = self.app.get(key_url, expect_errors=True)
        self.assertEqual(reply.status_int, http_client.NOT_FOUND)
    def test_user_permissions_for_another_user_kvps(self):
        # Checks that user-scope isolation wins over RBAC grants: even with a
        # role that grants KEY_VALUE_PAIR_ALL on user1's key, user2 can neither
        # see the key in any listing nor read, overwrite or delete it.

        # Create the key owner and the user who will attempt the access.
        owner_db = User.add_or_update(UserDB(name="user113"))
        self.users[owner_db.name] = owner_db

        intruder_db = User.add_or_update(UserDB(name="user114"))
        self.users[intruder_db.name] = intruder_db

        # Store one secret key in the owner's user scope.
        key_name = "mykey3"
        key_ref = get_key_reference(FULL_USER_SCOPE, key_name, owner_db.name)
        kvp_uid = "%s:%s:%s" % (ResourceType.KEY_VALUE_PAIR, FULL_USER_SCOPE, key_ref)
        kvp_api = KeyValuePairSetAPI(
            uid=kvp_uid,
            scope=FULL_USER_SCOPE,
            name=key_ref,
            value="myval3",
            secret=True,
        )
        stored_kvp = KeyValuePair.add_or_update(KeyValuePairSetAPI.to_model(kvp_api))
        self.resources[stored_kvp.uid] = stored_kvp

        # Model a misconfiguration: an administrator, by mistake or on purpose,
        # writes a grant, a role and an assignment that would hand the owner's
        # key to the second user.
        grant_db = PermissionGrant.add_or_update(
            PermissionGrantDB(
                resource_uid=stored_kvp.get_uid(),
                resource_type=ResourceType.KEY_VALUE_PAIR,
                permission_types=[PermissionType.KEY_VALUE_PAIR_ALL],
            )
        )

        role_db = Role.add_or_update(
            RoleDB(
                name="custom_role_user_key3_all_grant",
                permission_grants=[str(grant_db.id)],
            )
        )
        self.roles[role_db.name] = role_db

        assignment_db = UserRoleAssignmentDB(
            user=intruder_db.name,
            role=role_db.name,
            source="assignments/%s.yaml" % intruder_db.name,
        )
        UserRoleAssignment.add_or_update(assignment_db)

        # Every request from here on is made as the second user.
        self.use_user(self.users[intruder_db.name])

        # No listing may expose the owner's key. The first two URLs carry no
        # scope, which the server treats as system scope.
        list_urls = (
            "/v1/keys?limit=-1",
            "/v1/keys/",
            "/v1/keys?scope=all",
            "/v1/keys?scope=system",
            "/v1/keys?scope=user",
        )
        for list_url in list_urls:
            listing = self.app.get(list_url)
            self.assertEqual(listing.status_int, http_client.OK)
            self.assertEqual(len(listing.json), 0)

        # Direct read, write and delete naming the owner must all be refused.
        # NOTE(review): only the non-decrypted read is exercised here; a
        # decrypt=True read of the same key is not asserted in this test.
        key_url = "/v1/keys/%s?scope=user&user=%s" % (key_name, owner_db.name)
        reply = self.app.get(key_url, expect_errors=True)
        self.assertEqual(reply.status_int, http_client.FORBIDDEN)

        payload = {
            "name": key_ref,
            "value": "value for %s" % key_name,
            "scope": FULL_USER_SCOPE,
            "user": owner_db.name,
        }
        reply = self.app.put_json(key_url, payload, expect_errors=True)
        self.assertEqual(reply.status_int, http_client.FORBIDDEN)

        reply = self.app.delete(key_url, expect_errors=True)
        self.assertEqual(reply.status_code, http_client.FORBIDDEN)
    def test_user_permissions_for_user_scope_kvps(self):
        # Checks the owner path: with two users each holding one secret key, a
        # user sees exactly one user-scoped item in listings and can read,
        # overwrite and delete their own key.

        # First user and their secret key.
        first_user_db = User.add_or_update(UserDB(name="user111"))
        self.users[first_user_db.name] = first_user_db

        own_key = "mykey1"
        own_ref = get_key_reference(FULL_USER_SCOPE, own_key, first_user_db.name)
        own_uid = "%s:%s:%s" % (ResourceType.KEY_VALUE_PAIR, FULL_USER_SCOPE, own_ref)
        own_api = KeyValuePairSetAPI(
            uid=own_uid,
            scope=FULL_USER_SCOPE,
            name=own_ref,
            value="myval1",
            secret=True,
        )
        own_db = KeyValuePair.add_or_update(KeyValuePairSetAPI.to_model(own_api))
        self.resources[own_db.uid] = own_db

        # Second user and their secret key; it must stay invisible to the first.
        second_user_db = User.add_or_update(UserDB(name="user112"))
        self.users[second_user_db.name] = second_user_db

        other_key = "mykey2"
        other_ref = get_key_reference(FULL_USER_SCOPE, other_key, second_user_db.name)
        other_uid = "%s:%s:%s" % (ResourceType.KEY_VALUE_PAIR, FULL_USER_SCOPE, other_ref)
        other_api = KeyValuePairSetAPI(
            uid=other_uid,
            scope=FULL_USER_SCOPE,
            name=other_ref,
            value="myval2",
            secret=True,
        )
        other_db = KeyValuePair.add_or_update(KeyValuePairSetAPI.to_model(other_api))
        self.resources[other_db.uid] = other_db

        # Every request from here on is made as the first user.
        self.use_user(self.users[first_user_db.name])

        # Requests without a scope default to system scope on the server, where
        # this user has no visible items.
        for list_url in ("/v1/keys?limit=-1", "/v1/keys/"):
            listing = self.app.get(list_url)
            self.assertEqual(listing.status_int, http_client.OK)
            self.assertEqual(len(listing.json), 0)

        # scope=all returns a single user-scoped item although two exist.
        # NOTE(review): the listing checks below pin the count and the scope
        # only; the returned item's name and owner are not asserted.
        listing = self.app.get("/v1/keys?scope=all")
        self.assertEqual(listing.status_int, http_client.OK)
        self.assertEqual(len(listing.json), 1)
        self.assertTrue(
            all(item["scope"] == FULL_USER_SCOPE for item in listing.json))

        listing = self.app.get("/v1/keys?scope=system")
        self.assertEqual(listing.status_int, http_client.OK)
        self.assertEqual(len(listing.json), 0)

        listing = self.app.get("/v1/keys?scope=user")
        self.assertEqual(listing.status_int, http_client.OK)
        self.assertEqual(len(listing.json), 1)
        self.assertTrue(
            all(item["scope"] == FULL_USER_SCOPE for item in listing.json))

        # The user may read (decrypted), overwrite and delete their own key.
        original_value = own_api.value
        reply = self.app.get("/v1/keys/%s?decrypt=True&scope=user" % own_key)
        self.assertEqual(reply.status_int, http_client.OK)
        self.assertEqual(reply.json["value"], original_value)

        payload = {
            "name": own_ref,
            "value": "value for %s" % own_key,
            "scope": FULL_USER_SCOPE,
            "secret": True,
        }
        reply = self.app.put_json("/v1/keys/%s?scope=user" % own_key, payload)
        self.assertEqual(reply.status_int, http_client.OK)

        # The overwritten value is what a later decrypted read returns.
        reply = self.app.get("/v1/keys/%s?decrypt=True&scope=user" % own_key)
        self.assertEqual(reply.status_int, http_client.OK)
        self.assertEqual(reply.json["value"], "value for %s" % own_key)

        reply = self.app.delete("/v1/keys/%s?scope=user" % own_key)
        self.assertEqual(reply.status_code, http_client.NO_CONTENT)

        # After deletion the key can no longer be fetched.
        reply = self.app.get("/v1/keys/%s?scope=user" % own_key, expect_errors=True)
        self.assertEqual(reply.status_int, http_client.NOT_FOUND)
    def setUp(self):
        super(KeyValueSystemScopeControllerRBACTestCase, self).setUp()

        # Insert system scoped key value pairs.
        kvp_1_api = KeyValuePairSetAPI(
            uid="%s:%s:key1" %
            (ResourceType.KEY_VALUE_PAIR, FULL_SYSTEM_SCOPE),
            scope=FULL_SYSTEM_SCOPE,
            name="key1",
            value="val1",
            secret=True,
        )
        kvp_1_db = KeyValuePairSetAPI.to_model(kvp_1_api)
        kvp_1_db = KeyValuePair.add_or_update(kvp_1_db)
        self.resources[kvp_1_db.uid] = kvp_1_db

        kvp_2_api = KeyValuePairSetAPI(
            uid="%s:%s:key2" %
            (ResourceType.KEY_VALUE_PAIR, FULL_SYSTEM_SCOPE),
            scope=FULL_SYSTEM_SCOPE,
            name="key2",
            value="val2",
            secret=True,
        )
        kvp_2_db = KeyValuePairSetAPI.to_model(kvp_2_api)
        kvp_2_db = KeyValuePair.add_or_update(kvp_2_db)
        self.resources[kvp_2_db.uid] = kvp_2_db

        # Setup users for user scoped KVPs.
        user_1_db = UserDB(name="user101")
        user_1_db = User.add_or_update(user_1_db)
        self.users[user_1_db.name] = user_1_db

        user_2_db = UserDB(name="user102")
        user_2_db = User.add_or_update(user_2_db)
        self.users[user_2_db.name] = user_2_db

        # Insert user scoped key value pairs for user1.
        key_1_name = "mykey1"
        key_1_ref = get_key_reference(FULL_USER_SCOPE, key_1_name,
                                      user_1_db.name)
        kvp_1_db = KeyValuePairDB(
            uid="%s:%s:%s" %
            (ResourceType.KEY_VALUE_PAIR, FULL_USER_SCOPE, key_1_ref),
            scope=FULL_USER_SCOPE,
            name=key_1_ref,
            value="myval1",
        )
        kvp_1_db = KeyValuePair.add_or_update(kvp_1_db)
        self.resources[kvp_1_db.uid] = kvp_1_db

        key_2_name = "mykey2"
        key_2_ref = get_key_reference(FULL_USER_SCOPE, key_2_name,
                                      user_1_db.name)
        kvp_2_db = KeyValuePairDB(
            uid="%s:%s:%s" %
            (ResourceType.KEY_VALUE_PAIR, FULL_USER_SCOPE, key_2_ref),
            scope=FULL_USER_SCOPE,
            name=key_2_ref,
            value="myval2",
        )
        kvp_2_db = KeyValuePair.add_or_update(kvp_2_db)
        self.resources[kvp_2_db.uid] = kvp_2_db