Esempio n. 1
 def test_can_not_manage(self, cluster_permission_obj, project_id,
                         cluster_id):
     """Scenario: no cluster-manage permission (and no project-view either).

     The anonymous user calls ``manage_cluster`` and must be rejected with
     ``PermissionDeniedError``. The ``apply_url`` on the error has to equal
     the URL generated for cluster MANAGE, cluster VIEW and project VIEW,
     i.e. the denial names every action the test expects to be missing.
     """
     username = roles.ANONYMOUS_USER
     perm_ctx = ClusterPermCtx(
         username=username,
         project_id=project_id,
         cluster_id=cluster_id,
     )

     def cluster_request(action):
         # Build a fresh request per action, parented to the project.
         return ActionResourcesRequest(
             action,
             resource_type=ClusterPermission.resource_type,
             resources=[cluster_id],
             parent_chain=[IAMResource(ResourceType.Project, project_id)],
         )

     with pytest.raises(PermissionDeniedError) as denied:
         manage_cluster(perm_ctx)

     # Here the URL sits directly under ``data``, not under ``data['perms']``.
     actual_url = denied.value.data['apply_url']
     expected_requests = [
         cluster_request(ClusterAction.MANAGE),
         cluster_request(ClusterAction.VIEW),
         ActionResourcesRequest(
             ProjectAction.VIEW,
             resource_type=ProjectPermission.resource_type,
             resources=[project_id],
         ),
     ]
     assert actual_url == generate_apply_url(username, expected_requests)
Esempio n. 2
 def test_can_manage_but_no_view(self, cluster_permission_obj, project_id,
                                 cluster_id):
     """Scenario: cluster-manage is granted, but cluster-view is not.

     ``can_manage`` must still raise ``PermissionDeniedError`` for this
     user. The expected apply URL asks for cluster VIEW and project VIEW
     only; MANAGE is not part of the expected request list.
     """
     username = roles.CLUSTER_MANAGE_NOT_VIEW_USER
     perm_ctx = ClusterPermCtx(
         username=username,
         project_id=project_id,
         cluster_id=cluster_id,
     )

     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_manage(perm_ctx)

     actual_url = denied.value.data['perms']['apply_url']
     cluster_view = ActionResourcesRequest(
         ClusterAction.VIEW,
         resource_type=ResourceType.Cluster,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     assert actual_url == generate_apply_url(
         username, [cluster_view, project_view])
Esempio n. 3
 def test_can_create_but_no_cluster(self, cluster_scoped_permission_obj,
                                    project_id, cluster_id):
     """Scenario: cluster-scoped create is granted, cluster access is not.

     ``can_create`` must raise ``PermissionDeniedError``. The expected
     apply URL covers cluster VIEW and project VIEW, the two requests the
     test lists as missing for this user.
     """
     username = roles.CLUSTER_SCOPED_NO_CLUSTER_USER
     perm_ctx = ClusterScopedPermCtx(
         username=username,
         project_id=project_id,
         cluster_id=cluster_id,
     )

     with pytest.raises(PermissionDeniedError) as denied:
         cluster_scoped_permission_obj.can_create(perm_ctx)

     actual_url = denied.value.data['perms']['apply_url']
     cluster_view = ActionResourcesRequest(
         ClusterAction.VIEW,
         resource_type=ResourceType.Cluster,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     assert actual_url == generate_apply_url(
         username, [cluster_view, project_view])
Esempio n. 4
 def test_can_not_instantiate(self, templateset_permission_obj, project_id,
                              template_id):
     """Scenario: no templateset-instantiate permission, no project-view.

     The anonymous user must be denied by ``can_instantiate``. The apply
     URL on the error has to match the one generated for templateset
     INSTANTIATE, templateset VIEW and project VIEW.
     """
     username = roles.ANONYMOUS_USER
     perm_ctx = TemplatesetPermCtx(
         username=username,
         project_id=project_id,
         template_id=template_id,
     )

     def templateset_request(action):
         # Build a fresh request per action, parented to the project.
         return ActionResourcesRequest(
             action,
             resource_type=ResourceType.Templateset,
             resources=[template_id],
             parent_chain=[IAMResource(ResourceType.Project, project_id)],
         )

     with pytest.raises(PermissionDeniedError) as denied:
         templateset_permission_obj.can_instantiate(perm_ctx)

     actual_url = denied.value.data['perms']['apply_url']
     expected_requests = [
         templateset_request(TemplatesetAction.INSTANTIATE),
         templateset_request(TemplatesetAction.VIEW),
         ActionResourcesRequest(
             ProjectAction.VIEW,
             resource_type=ResourceType.Project,
             resources=[project_id],
         ),
     ]
     assert actual_url == generate_apply_url(username, expected_requests)
Esempio n. 5
 def _test_can_not_view(self, username, cluster_permission_obj, project_id,
                        cluster_id, expected_action_list):
     """Check that ``can_view`` denies *username* with the expected URL.

     Shared helper (the leading underscore keeps pytest from collecting
     it): builds a cluster permission context, expects
     ``PermissionDeniedError`` from ``can_view`` and compares the error's
     ``apply_url`` with the URL generated from *expected_action_list*.
     """
     perm_ctx = ClusterPermCtx(
         username=username,
         project_id=project_id,
         cluster_id=cluster_id,
     )

     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_view(perm_ctx)

     # Here the URL sits directly under ``data``, not under ``data['perms']``.
     actual_url = denied.value.data['apply_url']
     assert actual_url == generate_apply_url(username, expected_action_list)
Esempio n. 6
 def test_can_edit_not_view(self, project_permission_obj, project_id):
     """Scenario: project-edit is granted, but project-view is not.

     ``can_edit`` must raise ``PermissionDeniedError`` for this user, and
     the apply URL must request project VIEW only.
     """
     username = roles.PROJECT_NO_VIEW_USER
     perm_ctx = ProjectPermCtx(username=username, project_id=project_id)

     with pytest.raises(PermissionDeniedError) as denied:
         project_permission_obj.can_edit(perm_ctx)

     actual_url = denied.value.data['perms']['apply_url']
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     assert actual_url == generate_apply_url(username, [project_view])
Esempio n. 7
 def test_can_manage_but_no_project(self, cluster_permission_obj,
                                    project_id, cluster_id):
     """Scenario: cluster-manage is granted, but no project permission.

     ``can_manage`` must raise ``PermissionDeniedError``; the only request
     expected in the apply URL is project VIEW.
     """
     username = roles.CLUSTER_NO_PROJECT_USER
     perm_ctx = ClusterPermCtx(
         username=username,
         project_id=project_id,
         cluster_id=cluster_id,
     )

     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_manage(perm_ctx)

     actual_url = denied.value.data['perms']['apply_url']
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     assert actual_url == generate_apply_url(username, [project_view])
Esempio n. 8
 def test_can_instantiate_but_no_project(self, templateset_permission_obj,
                                         project_id, template_id):
     """Scenario: templateset-instantiate is granted, project-view is not.

     ``can_instantiate`` must raise ``PermissionDeniedError``; the only
     request expected in the apply URL is project VIEW.
     """
     username = roles.TEMPLATESET_NO_PROJECT_USER
     perm_ctx = TemplatesetPermCtx(
         username=username,
         project_id=project_id,
         template_id=template_id,
     )

     with pytest.raises(PermissionDeniedError) as denied:
         templateset_permission_obj.can_instantiate(perm_ctx)

     actual_url = denied.value.data['perms']['apply_url']
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     assert actual_url == generate_apply_url(username, [project_view])
Esempio n. 9
    def test_can_not_create(self, project_permission_obj):
        """Scenario: the user has no project-create permission.

        Covers both modes of ``can_create``: with ``raise_exception=False``
        the check must return a falsy result, and by default it must raise
        ``PermissionDeniedError`` carrying the matching code and apply URL.
        """
        username = roles.NO_PROJECT_USER
        perm_ctx = ProjectPermCtx(username=username)

        # Non-raising mode: the denial is reported through the return value.
        allowed = project_permission_obj.can_create(
            perm_ctx, raise_exception=False)
        assert not allowed

        # Raising mode: the denial surfaces as PermissionDeniedError.
        with pytest.raises(PermissionDeniedError) as denied:
            project_permission_obj.can_create(perm_ctx)

        error = denied.value
        assert error.code == PermissionDeniedError.code

        actual_url = error.data['perms']['apply_url']
        # No ``resources`` here: the project to create does not exist yet.
        create_request = ActionResourcesRequest(
            ProjectAction.CREATE,
            resource_type=ResourceType.Project,
        )
        assert actual_url == generate_apply_url(
            username, action_request_list=[create_request])
Esempio n. 10
 def test_can_not_create(self, cluster_permission_obj, project_id,
                         cluster_id):
     """Scenario: no cluster-create permission (and no project-view either).

     The anonymous user must be denied by ``can_create``. The expected
     apply URL requests cluster CREATE, expressed against the project
     resource, plus project VIEW. ``cluster_id`` is requested as a fixture
     but not used in the body.
     """
     username = roles.ANONYMOUS_USER
     perm_ctx = ClusterPermCtx(username=username, project_id=project_id)

     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_create(perm_ctx)

     actual_url = denied.value.data['perms']['apply_url']
     # CREATE targets the project: the cluster itself does not exist yet.
     cluster_create = ActionResourcesRequest(
         ClusterAction.CREATE,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     assert actual_url == generate_apply_url(
         username, [cluster_create, project_view])
Esempio n. 11
    def test_can_not_view(self, project_permission_obj, project_id):
        """Scenario: the user has no project-view permission.

        Covers both modes of ``can_view``: with ``raise_exception=False``
        the check must return a falsy result, and by default it must raise
        ``PermissionDeniedError`` carrying the matching code and apply URL.
        """
        username = roles.NO_PROJECT_USER
        perm_ctx = ProjectPermCtx(username=username, project_id=project_id)

        # Non-raising mode: the denial is reported through the return value.
        allowed = project_permission_obj.can_view(
            perm_ctx, raise_exception=False)
        assert not allowed

        # Raising mode: the denial surfaces as PermissionDeniedError.
        with pytest.raises(PermissionDeniedError) as denied:
            project_permission_obj.can_view(perm_ctx)

        error = denied.value
        assert error.code == PermissionDeniedError.code

        actual_url = error.data['perms']['apply_url']
        project_view = ActionResourcesRequest(
            ProjectAction.VIEW,
            resource_type=ResourceType.Project,
            resources=[project_id],
        )
        assert actual_url == generate_apply_url(username, [project_view])
Esempio n. 12
    def test_can_not_instantiate_in_ns(
        self,
        templateset_permission_obj,
        namespace_scoped_permission_obj,
        project_id,
        template_id,
        cluster_id,
        namespace,
    ):
        """Scenario: templateset-instantiate is granted, namespace use is not.

        ``can_instantiate_in_ns`` must raise ``PermissionDeniedError``. The
        expected apply URL lists the namespace-scoped CREATE / VIEW /
        UPDATE / DELETE actions and namespace VIEW on the target namespace,
        then cluster VIEW and project VIEW.
        ``namespace_scoped_permission_obj`` is requested as a fixture but
        not used in the body.
        """
        username = roles.PROJECT_TEMPLATESET_USER
        perm_ctx = TemplatesetPermCtx(
            username=username,
            project_id=project_id,
            template_id=template_id,
        )

        with pytest.raises(PermissionDeniedError) as denied:
            templateset_permission_obj.can_instantiate_in_ns(
                perm_ctx, cluster_id, namespace)

        iam_ns_id = calc_iam_ns_id(cluster_id, namespace)
        actual_url = denied.value.data['perms']['apply_url']

        # The order below is the order of the expected request list.
        namespace_level_actions = (
            NamespaceScopedAction.CREATE,
            NamespaceScopedAction.VIEW,
            NamespaceScopedAction.UPDATE,
            NamespaceScopedAction.DELETE,
            NamespaceAction.VIEW,
        )
        # Each request gets its own resource list and parent chain
        # (project first, then cluster).
        expected_requests = [
            ActionResourcesRequest(
                action,
                ResourceType.Namespace,
                resources=[iam_ns_id],
                parent_chain=[
                    IAMResource(ResourceType.Project, project_id),
                    IAMResource(ResourceType.Cluster, cluster_id),
                ],
            )
            for action in namespace_level_actions
        ]
        expected_requests.append(
            ActionResourcesRequest(
                ClusterAction.VIEW,
                ResourceType.Cluster,
                resources=[cluster_id],
                parent_chain=[IAMResource(ResourceType.Project, project_id)],
            )
        )
        expected_requests.append(
            ActionResourcesRequest(
                ProjectAction.VIEW,
                ResourceType.Project,
                resources=[project_id],
            )
        )
        assert actual_url == generate_apply_url(username, expected_requests)