def testRoleFilters(self):
db = self._setupDB()
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
self._addUserRole(na, "testuser", "testpass")
roleId = na._getRoleIdByName('testuser')
geoip = {
'1.2.3.4': deps.parseFlavor('country.XC'),
'5.6.7.8': deps.parseFlavor('country.XB'),
}
na.geoIp.getFlags = lambda x: geoip[x]
na.setRoleFilters({'testuser': (
deps.parseFlavor('!country.XA,!country.XB'), None)})
self.assertEqual(na.getRoleFilters(['testuser']),
{'testuser': (
deps.parseFlavor('!country.XA,!country.XB'), deps.Flavor())})
token = AuthToken('testuser', 'testpass', remote_ip='1.2.3.4')
self.assertEqual(
na.getAuthRoles(db.cursor(), token), set([roleId]))
token = AuthToken('testuser', 'testpass', remote_ip='5.6.7.8')
level = netauth.log.level
netauth.log.setLevel(100)
try:
self.assertRaises(errors.InsufficientPermission,
na.getAuthRoles, db.cursor(), token)
finally:
netauth.log.setLevel(level)
def testNetAuthQueries(self):
db = self._setupDB()
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
# schema creation creates these for us - we need to get rid of them for this test
for user in na.userAuth.getUserList():
na.deleteUserByName(user)
for group in na.getRoleList():
na.deleteRoleByName(group)
self._addUserRole(na, "testuser", "testpass")
na.addAcl("testuser", None, "conary.rpath.com@rpl:linux", write = True)
users = na.userAuth.getUserList()
groups = na.getRoleList()
assert(users == [('testuser')])
assert(groups == [('testuser')])
groupsByUser = list(na.userAuth.getRolesByUser(users[0]))
perms = list(na.iterPermsByRole(groupsByUser[0]))
assert(groupsByUser == [('testuser')])
assert(perms == [("conary.rpath.com@rpl:linux", 'ALL', 1, 0)])
dictperms = na.getPermsByRole(groupsByUser[0])
assert perms[0][0] == dictperms[0]['label']
assert perms[0][1] == dictperms[0]['item']
assert perms[0][2] == dictperms[0]['canWrite']
assert perms[0][3] == dictperms[0]['canRemove']
def testBatchCheck(self):
if sqlite3.sqlite_version_info() < (3,7,0):
raise testhelp.SkipTestException("buggy sqlite; use embedded sqlite")
self.openRepository()
db = self._setupDB()
na = netauth.NetworkAuthorization(db, "localhost")
db.transaction()
self._addUserRole(na, "ro", "ro")
na.addAcl("ro", "foo:.*", label=None, write=False)
ro = ("ro", "ro", [ (None, None) ], None )
self._addUserRole(na, "rw", "rw")
na.addAcl("rw", "foo:.*", label=None, write=True)
rw = ("rw", "rw", [ (None, None) ], None )
self._addUserRole(na, "mixed", "mixed")
na.addAcl("mixed", "foo:.*", label=None, write=False)
na.addAcl("mixed", "foo:runtime", label=None, write=True)
mixed = ("mixed", "mixed", [ (None, None) ], None )
db.commit()
fr = self.addComponent("foo:runtime")
fd = self.addComponent("foo:devel")
troveList = [ (fr.getName(), fr.getVersion().asString(), fr.getFlavor().freeze()),
(fd.getName(), fd.getVersion().asString(), fd.getFlavor().freeze())]
self.assertEqual(na.batchCheck(ro, troveList), [True,True])
self.assertEqual(na.batchCheck(ro, troveList, write=True), [False,False])
self.assertEqual(na.batchCheck(rw, troveList), [True,True])
self.assertEqual(na.batchCheck(rw, troveList, write=True), [True,True])
self.assertEqual(na.batchCheck(mixed, troveList), [True,True])
self.assertEqual(na.batchCheck(mixed, troveList, write=True), [True,False])
def testInvalidEntitlementClass(self):
db = self.getDB()
schema.createSchema(db)
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
self._addUserRole(na, "root", "rootpass")
na.setAdmin("root", True)
self.assertRaises(errors.UnknownEntitlementClass,
na.addEntitlementKey,
("root", "rootpass", None, None), "group", "1234")
def testCheckTrove(self):
db = self._setupDB()
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
assert(na.checkTrove("foo", "foo"))
assert(na.checkTrove("^foo$", "foo"))
assert(not na.checkTrove("foo", "barfoo"))
assert(not na.checkTrove("foo", "foobar"))
assert(na.checkTrove("foo.*", "foo:runtime"))
def testInvalidNames(self):
db = self.getDB()
schema.createSchema(db)
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
try:
na.addUser("test user", "testpass")
except errors.InvalidName, e:
self.assertEqual(str(e), 'InvalidName: test user')
def testAddRole(self):
db = self._setupDB()
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
na.addUser("testuser", "testpass")
na.addRole("testgroup")
na.addRoleMember("testgroup", "testuser")
groupsByUser = list(na.userAuth.getRolesByUser("testuser"))
assert(groupsByUser == [ "testgroup" ])
def testManageEntitlements(self):
db = self._setupDB()
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
self._addUserRole(na, "normal", "normalpass")
na.addAcl("normal", None, None, write = True)
normalToken = ("normal", "normalpass", [], None )
self._addUserRole(na, "owner", "ownerpass")
na.addAcl("owner", None, None, write = True)
ownerToken = ("owner", "ownerpass", [], None )
self._addUserRole(na, "root", "rootpass")
na.addAcl("root", None, None, write = True)
na.setAdmin("root", True)
rootToken = ("root", "rootpass", [], None )
na.addRole("specialReads")
na.addRole("entOwner")
na.addRoleMember("entOwner", "owner")
self.assertRaises(errors.InsufficientPermission, na.addEntitlementClass,
normalToken, "cust1", "specialReads")
self.assertRaises(errors.InsufficientPermission, na.addEntitlementClass,
(rootToken[0], "foo", [], None ),
"cust1", "specialReads")
self.assertRaises(errors.RoleNotFound, na.addEntitlementClass,
rootToken, "cust1", "unknownRole")
na.addEntitlementClass(rootToken, "cust1", "specialReads")
self.assertRaises(errors.EntitlementClassAlreadyExists, na.addEntitlementClass,
rootToken, "cust1", "specialReads")
self.assertRaises(errors.InsufficientPermission,
na.addEntitlementClassOwner,
normalToken, "specialReads", "cust1")
na.addEntitlementClassOwner(rootToken, "entOwner", "cust1")
self.assertRaises(errors.InsufficientPermission, na.addEntitlementKey,
normalToken, "cust1", "ENTITLEMENT0")
na.addEntitlementKey(rootToken, "cust1", "ENTITLEMENT0")
na.addEntitlementKey(ownerToken, "cust1", "ENTITLEMENT1")
self.assertRaises(errors.EntitlementKeyAlreadyExists, na.addEntitlementKey,
ownerToken, "cust1", "ENTITLEMENT1")
self.assertRaises(errors.InsufficientPermission, na.iterEntitlementKeys,
normalToken, "cust1")
l1 = sorted(na.iterEntitlementKeys(rootToken, "cust1"))
l2 = sorted(na.iterEntitlementKeys(ownerToken, "cust1"))
self.assertEqual(l1, l2)
self.assertEqual(l1, [ 'ENTITLEMENT0', 'ENTITLEMENT1' ])
def _connect(self):
db = self.getDB()
schema.createSchema(db)
schema.setupTempTables(db)
depSchema.setupTempDepTables(db)
store = trovestore.TroveStore(db)
auth = netauth.NetworkAuthorization(db, ['localhost'])
auth.addUser('anonymous', 'anonymous')
auth.addRole('anonymous')
auth.addRoleMember('anonymous', 'anonymous')
auth.addAcl('anonymous', None, None, write=False, remove=False)
auth.setAdmin('anonymous', False)
return store
def addUser(db, name, password=None, write=False):
auth = netauth.NetworkAuthorization(db, [])
try:
auth.userAuth.getUserIdByName(name)
except errors.UserNotFound: # yuck, we need a hasUser interface
pass
else:
auth.deleteUserByName(name)
auth.addUser(name, password)
auth.addRole(name)
auth.addRoleMember(name, name)
auth.addAcl(name, None, None, write, False)
def testChangePassword(self):
db = self._setupDB()
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
self._addUserRole(na, "testuser", "testpass")
na.addAcl("testuser", None, None)
authToken = ("testuser", "testpass", [ (None, None) ], None )
authToken2 = ("testuser", "newpass", [ (None, None) ], None )
assert(na.check(authToken) != False)
na.changePassword("testuser", "newpass")
assert(na.check(authToken) != True)
assert(na.check(authToken2) != False)
def testManageAcls(self):
db = self._setupDB()
ts = TroveStore(db)
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
authToken = ("testuser", "testpass", [ (None, None) ], None )
self._addUserRole(na, "testuser", "testpass")
na.addAcl("testuser", None, None, write = True)
## TODO Test the trove/label aspects of ACL management
na.deleteAcl("testuser", None, None)
#If the delete above failed, this will throw an exception
na.addAcl("testuser", None, None)
assert(na.authCheck(authToken, admin=False) == True)
assert(na.authCheck(authToken, admin=True) == False)
#Now give the user has admin rights
na.setAdmin("testuser", True)
assert(na.authCheck(authToken, admin=True) == True)
def testManageRole(self):
db = self._setupDB()
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
self._addUserRole(na, "testuser", "testpass")
self._addUserRole(na, "testuser1", "testpass")
na.addRole("testgroup")
na.renameRole("testuser", "renamedgrp")
assert(list(na.userAuth.getRolesByUser("testuser")) ==
[ "renamedgrp" ])
#Should do nothing, but definitely not throw an exception
na.renameRole("testuser", "renamedgrp")
#This will just change the case of the groupname
na.renameRole("testuser", "reNameDgrp")
try:
na.renameRole("testgroup", "renamedgrp")
except errors.RoleAlreadyExists:
db.rollback()
else:
self.fail("RoleAlreadyExists exception expected")
try:
na.renameRole("testgroup", "reNameDgrp")
except errors.RoleAlreadyExists:
db.rollback()
else:
self.fail("RoleAlreadyExists exception expected")
na.updateRoleMembers("testgroup", [ 'testuser', 'testuser1' ])
assert(list(na.getRoleMembers("testgroup")) ==
['testuser', 'testuser1'])
na.updateRoleMembers("testgroup", [])
assert(list(na.getRoleMembers("testgroup")) == [])
def testNetAuthCheck(self):
db = self._setupDB()
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
self._addUserRole(na, "testuser", "testpass")
na.addAcl("testuser", ".*:runtime", "conary.rpath.com@label:1")
tu = ("testuser", "testpass", [ (None, None) ], None )
v1 = versions.VersionFromString("/conary.rpath.com@label:1/1-1")
v2 = versions.VersionFromString("/conary.rpath.com@label:2/1-1")
v3 = versions.VersionFromString("/conary.rpath.com@label:3/1-1")
assert(na.check(tu, label=v1.branch().label(), trove="foo:runtime"))
assert(not na.check(tu, label=v1.branch().label(), trove="foo:runtime", write=True))
assert(not na.check(tu, label=v1.branch().label(), trove="foo:lib"))
assert(not na.check(tu, label=v1.branch().label(), trove="fooruntime"))
assert(not na.check(tu, label=v2.branch().label(), trove="foo:runtime"))
# try old format of the authTokens
assert(na.check(("testuser", "testpass", None, None),
label=v1.branch().label(), trove="foo:runtime"))
assert(na.check(("testuser", "testpass", [ (None, None) ] ),
label=v1.branch().label(), trove="foo:runtime"))
self._addUserRole(na, "gooduser", "goodpass")
gu = ("gooduser", "goodpass", [ (None, None) ], None )
na.addAcl("gooduser", None, None)
na.addAcl("gooduser", ".*:devel", None, write=True)
na.addAcl("gooduser", ".*:test", "conary.rpath.com@label:1", write=True)
na.addAcl("gooduser", None, "conary.rpath.com@label:2", write=True, remove=True)
assert(na.check(gu, label=v1.branch().label(), trove="foo"))
assert(na.check(gu, label=v2.branch().label(), trove="foo"))
assert(na.check(gu, label=v3.branch().label(), trove="foo"))
assert(na.check(gu, label=v1.branch().label(), trove="foo:devel", write=True))
assert(na.check(gu, label=v2.branch().label(), trove="bar:devel", write=True))
assert(na.check(gu, label=v3.branch().label(), trove="baz:devel", write=True))
assert(na.check(gu, label=v1.branch().label(), trove="foo:test", write=True))
assert(na.check(gu, label=v2.branch().label(), trove="foo:test", write=True))
assert(not na.check(gu, label=v3.branch().label(), trove="foo:test", write=True))
assert(not na.check(gu, label=v1.branch().label(), trove="foo:runtime", write=True))
self.assertEqual(na.commitCheck(gu, [("foo:devel",v1),("bar:devel",v2),("baz:devel",v3)]),
[True]*3)
self.assertEqual(na.commitCheck(gu, [("foo:test",v1),("bar:test",v1),("baz:test",v1)]),
[True]*3)
self.assertEqual(na.commitCheck(gu, [("foo:junk",v2),("bar:test",v2),("baz:lib",v2)]),
[True]*3)
self.assertEqual(na.commitCheck(gu, [("foo:test",v1),("bar:test",v1),("baz:lib",v1)]),
[True,True,False])
self._addUserRole(na, "zerouser", "zeropass")
zu = ("zerouser", "zeropass", [ (None, None) ], None )
assert(not na.check(zu, label=v1.branch().label(), trove="foo"))
assert(not na.check(zu, label=v2.branch().label(), trove="ALL"))
assert(not na.check(zu, label=v3.branch().label(), trove="foo:runtime"))
self.assertEqual(na.commitCheck(zu, [("foo", v1)]), [False])
# Try the shim bypass token
bypass = ("gooduser", netauth.ValidPasswordToken,
[ (None, None) ],None )
self.assertTrue(na.check(bypass,
label=v1.branch().label(), trove="foo"))
self.assertTrue(na.check(bypass,
label=v2.branch().label(), trove="foo:devel", write=True))
self.assertTrue(na.check(bypass,
label=v3.branch().label(), trove="foo:runtime"))
bypass_zero = ("zerouser", netauth.ValidPasswordToken,
[ (None, None) ],None )
self.assertFalse(na.check(bypass_zero,
label=v1.branch().label(), trove="foo"))
self.assertFalse(na.check(bypass_zero,
label=v2.branch().label(), trove="foo:devel", write=True))
self.assertFalse(na.check(bypass_zero,
label=v3.branch().label(), trove="foo:runtime"))
def _testSlowActionWithStandalone(self, useSSL = False):
# Test to make sure that slow commits still work even with the
# proxy keepalive code added (CNY-1341)
cfg = server.ServerConfig()
cfg.port = testhelp.findPorts(1)[0]
cfg.contentsDir = ('legacy', [self.workDir + '/contents'])
cfg.repositoryDB = ('sqlite', self.workDir + '/serverdb')
cfg.logFile = self.workDir + '/serverlog'
cfg.tmpDir = self.workDir + '/tmp'
cfg.serverName = 'localhost'
util.mkdirChain(cfg.tmpDir)
util.mkdirChain(cfg.contentsDir[1][0])
if useSSL:
cfg.useSSL = True
cfg.sslCert = os.path.join(resources.get_archive(), 'ssl-cert.crt')
cfg.sslKey = os.path.join(resources.get_archive(), 'ssl-cert.key')
(driver, database) = cfg.repositoryDB
db = dbstore.connect(database, driver)
schema.loadSchema(db)
schema.setupTempTables(db)
auth = netauth.NetworkAuthorization(db, 'localhost')
auth.addRole('foo')
auth.addUser('foo', 'foo')
auth.addRoleMember('foo', 'foo')
auth.addAcl('foo', None, None, write = True)
if useSSL:
proto = "https"
else:
proto = "http"
baseUrl = '%s://localhost:%s/' % (proto, cfg.port)
pid = os.fork()
if not pid:
try:
netServer = netserver.NetworkRepositoryServer(cfg, baseUrl)
oldGetChangeSet = netServer.getChangeSet
@netserver.accessReadOnly
def getChangeSet(*args, **kw):
rv = oldGetChangeSet(*args, **kw)
# make sure the client sends its message
self.sleep(7)
return rv
getChangeSet.im_func = getChangeSet
netServer.getChangeSet = getChangeSet
class HttpRequestsSubclass(server.HttpRequests):
tmpDir = cfg.tmpDir
netRepos = proxy.SimpleRepositoryFilter(cfg, baseUrl, netServer)
restHandler = None
HttpRequestsSubclass.cfg = cfg
if useSSL:
ctx = server.createSSLContext(cfg)
httpServer = server.SecureHTTPServer(("", cfg.port),
HttpRequestsSubclass, ctx)
else:
httpServer = server.HTTPServer(("", cfg.port),
HttpRequestsSubclass)
self.captureOutput(server.serve, httpServer)
finally:
os._exit(0)
try:
sock_utils.tryConnect("127.0.0.1", cfg.port)
cfg = conarycfg.ConaryConfiguration(False)
cfg.repositoryMap = {'localhost' : baseUrl }
cfg.user.addServerGlob('localhost', 'foo', 'foo')
client = conaryclient.ConaryClient(cfg)
repos = client.getRepos()
trv, cs = self.Component('foo:run', '1')
repos.commitChangeSet(cs)
# getTrove will fail because it takes more than 5 seconds
assert(repos.getTrove(*trv.getNameVersionFlavor()))
finally:
os.kill(pid, signal.SIGTERM)
os.waitpid(pid, 0)
def testNetAuth(self):
db = self._setupDB()
ts = TroveStore(db)
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
self._addUserRole(na, "testuser", "testpass")
na.addAcl("testuser", None, None, write = True, remove = True)
self._addUserRole(na, "luser", "luserpass")
na.addAcl("luser", None, None)
self._addUserRole(na, "root", "rootpass")
na.addAcl("root", None, None, write = True, remove = True)
na.setAdmin("root", True)
authToken = ("testuser", "testpass", [ (None, None) ], None )
badAuthToken = ("testuser", "testPass", [ (None, None) ], None )
luserToken = ("luser", "luserpass", [ (None, None) ], None )
badLuserToken = ("luser", "luserfoo", [ (None, None) ], None )
rootToken = ("root", "rootpass", [ (None, None) ], None )
assert(na.check(authToken, write=False) != False)
assert(na.check(authToken, write=True) != False)
assert(na.check(badAuthToken, write=False) != True)
assert(na.check(badAuthToken, write=True) != True)
assert(na.check(luserToken, write=False) != False)
assert(na.check(luserToken, write=True) != True)
assert(na.authCheck(rootToken, admin=True) != False)
assert(na.authCheck(luserToken, admin=True) != True)
assert(na.check(rootToken, remove=True) != False)
assert(na.check(luserToken, remove=True) != True)
assert(na.check(authToken, remove=True) != False)
assert(na.check(authToken) != False)
assert(na.check(badAuthToken) != True)
# Shim clients, with a ValidPasswordToken
entitlements = [(None, None)]
authShim = ("testuser", netauth.ValidPasswordToken, entitlements, None)
luserShim = ("luser", netauth.ValidPasswordToken, entitlements, None)
badShim = ("nobody", netauth.ValidPasswordToken, entitlements, None)
assert na.check(authShim, write=False)
assert na.check(authShim, write=True)
assert na.check(authShim, remove=True)
assert na.check(luserShim, write=False)
assert not na.check(luserShim, write=True)
assert not na.check(luserShim, remove=True)
assert not na.check(badShim, write=False)
# Shim clients, with a ValidUser()
authRoleShim = (netauth.ValidUser('testuser'), None, entitlements, None)
luserRoleShim = (netauth.ValidUser('luser'), None, entitlements, None)
badRoleShim = (netauth.ValidUser('nobody'), None, entitlements, None)
assert na.check(authRoleShim, write=False)
assert na.check(authRoleShim, write=True)
assert na.check(authRoleShim, remove=True)
assert na.check(luserRoleShim, write=False)
assert not na.check(luserRoleShim, write=True)
assert not na.check(luserRoleShim, remove=True)
assert not na.check(badRoleShim, write=False)
try:
na.addAcl("testuser", None, None, write = True)
except errors.PermissionAlreadyExists:
pass
else:
self.fail("PermissionAlreadyExists exception expected")
try:
na.addUser("teStUseR", 'TeStPaSs')
except (errors.UserAlreadyExists, errors.RoleAlreadyExists):
pass
else:
self.fail("UserAlreadyExists or RoleAlreadyExists exception expected")
try:
na.addRole("lUseR")
except errors.RoleAlreadyExists:
pass
else:
self.fail("RoleAlreadyExists exception expected")
def testDeleteAuth(self):
db = self._setupDB()
ts = TroveStore(db)
na = netauth.NetworkAuthorization(db, "conary.rpath.com")
# schema creation creates these for us - we need to get rid of them for this test
for user in na.userAuth.getUserList():
na.deleteUserByName(user)
for group in na.getRoleList():
na.deleteRoleByName(group)
self._addUserRole(na, "deluser1", "delpass")
na.addAcl("deluser1", None, None)
self._addUserRole(na, "deluser2", "delpass")
na.addAcl("deluser2", None, None, write = True)
na.addRoleMember("deluser2", "deluser1")
# Create another group and add deluser1 to said group
na.addRole('delgroup1')
na.addAcl('delgroup1', None, None, write = True)
na.setAdmin('delgroup1', True)
na.addRoleMember("delgroup1", "deluser1")
na.addRole('delgroup2')
na.addAcl('delgroup2', None, None, write = True)
na.setAdmin('delgroup2', True)
na.addRoleMember("delgroup2", "deluser1")
na.addRoleMember("delgroup2", "deluser2")
self.assertEqual(na.getRoles('deluser1'),
['deluser1', 'deluser2', 'delgroup1', 'delgroup2'])
self.assertEqual(na.getRoles('deluser2'),
['deluser2', 'delgroup2'])
# Delete user2 and see if group2 still lists user2
na.deleteUserByName('deluser2')
self.assertEqual(list(na.getRoleMembers('delgroup2')),
['deluser1'] )
self.assertEqual(list(na.userAuth.getRolesByUser('deluser1')),
[ 'deluser1', 'deluser2', 'delgroup1', 'delgroup2' ])
na.deleteRole('delgroup1')
self.assertEqual(list(na.userAuth.getRolesByUser('deluser1')),
[ 'deluser1', 'deluser2', 'delgroup2' ])
# because deluser1 will have no acl, it should go too
na.deleteAcl("deluser1", None, None)
na.deleteUserByName('deluser1')
self.assertEqual(list(na.getRoleMembers('delgroup2')), [])
na.deleteRole('delgroup2')
self.assertEqual(na.getRoleList(), ['deluser2'] )
na.deleteRole('deluser2')
try:
na.deleteUserByName("nonexistentUser")
except errors.UserNotFound:
pass
else:
self.fail("UserNotFound exception expected")
#try adding a user to make sure that it happens successfully
self._addUserRole(na, 'user1afterdel', 'testpass')
#delete the group, but not the user
na.deleteRole('user1afterdel')
self.assertEqual(na.getRoleList(), [] )
self.assertEqual(list(na.userAuth.getUserList()),
[('user1afterdel')])
self._addUserRole(na, 'user2afterdel', 'testpass')
na.addAcl("user2afterdel", None, None)
na.deleteUserByName('user1afterdel')
