def setUpClass(cls): super(UserScopeDatastoreFunctionTest, cls).setUpClass() user = auth_db.UserDB(name='stanley') user.save() scope = kvp_const.FULL_USER_SCOPE cls.kvps = {} # Plain keys keys = { 'stanley:foo': 'bar', 'stanley:foo_empty': '', 'stanley:foo_null': None } for k, v in six.iteritems(keys): instance = kvp_db.KeyValuePairDB(name=k, value=v, scope=scope) cls.kvps[k] = kvp_db_access.KeyValuePair.add_or_update(instance) # Secret key keys = {'stanley:fu': 'bar', 'stanley:fu_empty': ''} for k, v in six.iteritems(keys): value = crypto.symmetric_encrypt( kvp_api.KeyValuePairAPI.crypto_key, v) instance = kvp_db.KeyValuePairDB(name=k, value=value, scope=scope, secret=True) cls.kvps[k] = kvp_db_access.KeyValuePair.add_or_update(instance)
def check_permission(inquiry, requester): # Normalize user object. user_db = (auth_db_models.UserDB(requester) if isinstance( requester, six.string_types) else requester) # Deny by default roles_passed = False users_passed = False # Determine role-level permissions roles = getattr(inquiry, 'roles', []) if not roles: # No roles definition so we treat it as a pass roles_passed = True for role in roles: user_has_role = rbac_utils.user_has_role(user_db, role) LOG.debug('Checking user %s is in role %s - %s' % (user_db, role, user_has_role)) if user_has_role: roles_passed = True break # Determine user-level permissions users = getattr(inquiry, 'users', []) if not users or user_db.name in users: users_passed = True # Thow exception if either permission check failed. if not roles_passed or not users_passed: raise inquiry_exceptions.InquiryResponseUnauthorized( str(inquiry.id), requester)
def setUpClass(cls): super(SystemScopeDatastoreFunctionTest, cls).setUpClass() user = auth_db.UserDB(name="stanley") user.save() scope = kvp_const.FULL_SYSTEM_SCOPE cls.kvps = {} # Plain key keys = {"foo": "bar", "foo_empty": "", "foo_null": None} for k, v in six.iteritems(keys): instance = kvp_db.KeyValuePairDB(name=k, value=v, scope=scope) cls.kvps[k] = kvp_db_access.KeyValuePair.add_or_update(instance) # Secret key keys = {"fu": "bar", "fu_empty": ""} for k, v in six.iteritems(keys): value = crypto.symmetric_encrypt( kvp_api.KeyValuePairAPI.crypto_key, v) instance = kvp_db.KeyValuePairDB(name=k, value=value, scope=scope, secret=True) cls.kvps[k] = kvp_db_access.KeyValuePair.add_or_update(instance)
def test_get_key(self, deseralize_key_value, KeyValuePair): key, value = ('Lindsay', 'Lohan') decrypt = False KeyValuePair.get_by_scope_and_name().value = value deseralize_key_value.return_value = value result = kv_utl.get_key(key=key, user_db=auth_db.UserDB(name=USER), decrypt=decrypt) self.assertEqual(result, value) KeyValuePair.get_by_scope_and_name.assert_called_with( FULL_USER_SCOPE, 'stanley:%s' % key) deseralize_key_value.assert_called_once_with(value, decrypt)
def setUpClass(cls): super(UserScopeDatastoreFunctionTest, cls).setUpClass() user = auth_db.UserDB(name='stanley') user.save()
def setUp(self): super(InquiryRBACControllerTestCase, self).setUp() self.models = self.fixtures_loader.save_fixtures_to_db( fixtures_pack=FIXTURES_PACK, fixtures_dict=TEST_FIXTURES) # Insert mock users, roles and assignments assignments = { "user_get_db": { "roles": ["role_get"], "permissions": [rbac_types.PermissionType.INQUIRY_VIEW], "resource_type": rbac_types.ResourceType.INQUIRY, "resource_uid": 'inquiry' }, "user_list_db": { "roles": ["role_list"], "permissions": [rbac_types.PermissionType.INQUIRY_LIST], "resource_type": rbac_types.ResourceType.INQUIRY, "resource_uid": 'inquiry' }, "user_respond_db": { "roles": ["role_respond"], "permissions": [rbac_types.PermissionType.INQUIRY_RESPOND], "resource_type": rbac_types.ResourceType.INQUIRY, "resource_uid": 'inquiry' }, "user_respond_paramtest": { "roles": ["role_respond_2"], "permissions": [rbac_types.PermissionType.INQUIRY_RESPOND], "resource_type": rbac_types.ResourceType.INQUIRY, "resource_uid": 'inquiry' }, "user_respond_inherit": { "roles": ["role_inherit"], "permissions": [rbac_types.PermissionType.ACTION_EXECUTE], "resource_type": rbac_types.ResourceType.ACTION, "resource_uid": 'action:wolfpack:inquiry-workflow' } } # Create users for user in assignments.keys(): user_db = auth_db_models.UserDB(name=user) user_db = auth_db_access.User.add_or_update(user_db) self.users[user] = user_db # Create grants and assign to roles for assignment_details in assignments.values(): grant_db = rbac_db_models.PermissionGrantDB( permission_types=assignment_details["permissions"], resource_uid=assignment_details["resource_uid"], resource_type=assignment_details["resource_type"]) grant_db = rbac_db_access.PermissionGrant.add_or_update(grant_db) permission_grants = [str(grant_db.id)] for role in assignment_details["roles"]: role_db = rbac_db_models.RoleDB( name=role, permission_grants=permission_grants) rbac_db_access.Role.add_or_update(role_db) # Assign users to roles for user_name, assignment_details in assignments.items(): user_db = self.users[user_name] for role in assignment_details['roles']: role_assignment_db = rbac_db_models.UserRoleAssignmentDB( user=user_db.name, role=role, source='assignments/%s.yaml' % user_db.name) rbac_db_access.UserRoleAssignment.add_or_update( role_assignment_db) # Create Inquiry data = { 'action': 'wolfpack.ask', 'parameters': { "roles": ['role_respond'] } } result = { "schema": SCHEMA_DEFAULT, "roles": ['role_respond'], "users": [], "route": "", "ttl": 1440 } result_default = { "schema": SCHEMA_DEFAULT, "roles": [], "users": [], "route": "", "ttl": 1440 } # Use admin user for creating test objects user_db = self.users['admin'] self.use_user(user_db) # Create workflow wf_data = {'action': 'wolfpack.inquiry-workflow'} post_resp = self.app.post_json('/v1/executions', wf_data) wf_id = str(post_resp.json.get('id')) inquiry_with_parent = { 'action': 'wolfpack.ask', # 'parameters': {}, 'context': { "parent": { 'execution_id': wf_id } } } resp = self._do_create_inquiry(data, result) self.assertEqual(resp.status_int, http_client.OK) self.inquiry_id = resp.json.get('id') # Validated expected context for inquiries under RBAC expected_context = { 'pack': 'wolfpack', 'user': '******', 'rbac': { 'user': '******', 'roles': ['admin'] } } self.assertEqual(resp.json['context'], expected_context) # Create inquiry in workflow resp = self._do_create_inquiry(inquiry_with_parent, result_default) self.assertEqual(resp.status_int, http_client.OK) self.inquiry_inherit_id = resp.json.get('id') # Validated expected context for inquiries under RBAC expected_context = { 'pack': 'wolfpack', 'parent': { 'execution_id': wf_id }, 'user': '******', 'rbac': { 'user': '******', 'roles': ['admin'] } } self.assertEqual(resp.json['context'], expected_context)