def test_invalid_domain_raises_argument_error(self):
username = '******'
password = '******'
roles = [
Role(name='data_reader', bucket='default'),
Role(name='data_writer', bucket='default')
]
# invalid domain generates argument error
self.assertRaises(InvalidArgumentException,
self.um.get_all_users,
domain_name="fake-domain")
self.assertRaises(InvalidArgumentException,
self.um.get_user,
username,
domain_name="fake-domain")
self.assertRaises(InvalidArgumentException,
self.um.upsert_user,
User(username=username,
password=password,
roles=roles),
domain_name="fake-domain")
self.assertRaises(InvalidArgumentException,
self.um.drop_user,
username,
domain_name="fake-domain")
def test_roles_to_server_str(self):
roles = [
Role(name='data_reader', bucket='default'),
Role(name='data_writer', bucket='default'),
Role(name='scope_admin', bucket='*'),
Role(name='data_writer', bucket='default', scope='my-scope'),
Role(name='data_reader',
bucket='default',
scope='my-scope',
collection='my-collection')
]
for role in roles:
role_str = ''
if role.bucket and role.scope and role.collection:
role_str = '{0}[{1}:{2}:{3}]'.format(role.name, role.bucket,
role.scope,
role.collection)
elif role.bucket and role.scope:
role_str = '{0}[{1}:{2}]'.format(role.name, role.bucket,
role.scope)
elif role.bucket:
role_str = '{0}[{1}]'.format(role.name, role.bucket)
self.assertEqual(role.to_server_str(), role_str)
def test_create_list_get_remove_internal_user(self):
userid = 'custom-user'
password = '******'
roles = [
Role.of(name='data_reader', bucket='default'),
Role.of(name='data_writer', bucket='default')
]
# add user
self.um.upsert_user(User(username=userid,
roles=roles,
password=password),
domain=AuthDomain.Local)
# get all users
users = self.um.get_all_users(AuthDomain.Local)
self.assertIsNotNone(users)
# get single user
user = self.um.get_user(userid, AuthDomain.Local)
self.assertIsNotNone(user)
# remove user
self.um.drop_user(userid, AuthDomain.Local)
def test_external_nopassword(self):
userid = 'custom-user'
password = '******'
roles = [
Role.of(name='data_reader', bucket='default'),
Role.of(name='data_writer', bucket='default')
]
# password with external generates argument error
self.assertRaises(ArgumentError,
self.um.upsert_user,
User(username=userid, password=password,
roles=roles),
domain=AuthDomain.External)
self.assertRaises(ArgumentError,
self.um.upsert_user,
User(username=userid, password=password, roles=None),
domain=AuthDomain.External)
self.assertRaises(ArgumentError,
self.um.upsert_user,
User(username=userid, password=password, roles=[]),
domain=AuthDomain.External)
try:
self.um.upsert_user(User(username=userid,
password=None,
roles=roles),
domain=AuthDomain.External)
except ArgumentError:
raise
except:
pass
def test_groups(self):
fresh_group = Group(name='qweqwe', roles={Role.of(name='admin')})
if UG_WORKING:
self.um.upsert_group(fresh_group)
result = self.um.get_group('qweqwe')
admin_role = Role.of(name='admin')
expected_roles = {admin_role}
actual_roles = result.roles
self.assertSetEqual(expected_roles, actual_roles)
def setUp(self, *args, **kwargs):
if self.config.mock_enabled:
raise SkipTest('Real server must be used for admin tests')
super(UserManagementTests, self).setUp(*args, **kwargs)
self.um = self.cluster.users()
if self.supports_groups():
self.um.upsert_group(Group('qweqwe', roles={Role.of(name='admin')}))
def test_invalid_domain_raises_argument_error(self):
userid = 'custom-user'
password = '******'
roles = [
Role.of(name='data_reader', bucket='default'),
Role.of(name='data_writer', bucket='default')
]
# invalid domain generates argument error
self.assertRaises(ArgumentError, self.um.get_all_users, None)
self.assertRaises(ArgumentError, self.um.get_user, userid, None)
self.assertRaises(ArgumentError,
self.um.upsert_user,
User(username=userid, password=password,
roles=roles),
domain=None)
self.assertRaises(ArgumentError, self.um.drop_user, userid, None)
def test_get_all_groups(self):
roles = [
Role(name='data_reader', bucket='*'),
Role(name='data_writer', bucket='*')
]
fresh_group = Group(name='my-test-group',
roles=roles,
description="test group description")
self.um.upsert_group(fresh_group)
all_groups = self.um.get_all_groups()
# NOTE: we could well have other groups on this server, apart from the one we added, so
# lets be ok with there being more of them. However, the one we added _MUST_ be there.
known_group = Group('qweqwe', roles=[Role(name='admin')])
self.um.drop_group('my-test-group')
for g in all_groups:
if known_group == g:
return
self.fail("didn't find expected group in get_all_groups")
def test_reject_ephemeral_attempt(self):
if not self._realserver_info:
raise SkipTest("Need real server")
admin = self.make_admin_connection()
bucket_name = 'ephemeral'
users = [('writer', ('s3cr3t', [
Role(name='data_reader', bucket='ephemeral'),
Role(name='data_writer', bucket='ephemeral')
])),
('reader', ('s3cr3t',
[Role(name='data_reader', bucket='ephemeral')])),
('viewer', ('s3cr3t', [
Role(name='views_reader', bucket='ephemeral'),
Role(name='views_admin', bucket='ephemeral')
]))]
user = users[2]
(userid, password, roles) = user[0], user[1][0], user[1][1]
# add user
try:
admin.bucket_delete(bucket_name)
except:
pass
try:
admin.bucket_create(name=bucket_name,
bucket_type='ephemeral',
ram_quota=100)
except HTTPException:
raise SkipTest("Unable to provision ephemeral bucket")
try:
admin.user_upsert(userid, AuthDomain.Local, password, roles)
admin.wait_ready(bucket_name, timeout=10)
conn_str = "couchbase://{0}/{1}".format(self.cluster_info.host,
bucket_name)
bucket = Bucket(connection_string=conn_str,
username=userid,
password=password)
self.assertIsNotNone(bucket)
self.assertRaisesRegex(
NotSupportedException, "Ephemeral", lambda: bucket.query(
"beer", "brewery_beers", streaming=True, limit=100))
finally:
admin.bucket_delete(bucket_name)
admin.user_remove(userid, AuthDomain.Local)
def test_user_display_name(self):
roles = [
Role(name='data_reader', bucket='default'),
Role(name='data_writer', bucket='default')
]
user = User(username='******',
display_name="Custom User",
roles=roles,
password='******')
# create user
self.um.upsert_user(user, UpsertUserOptions(domain_name="local"))
# get user
user_metadata = self.try_n_times(10, 1, self.um.get_user,
user.username,
GetUserOptions(domain_name="local"))
self.assertEquals(user_metadata.user.display_name, user.display_name)
self.um.drop_user(user.username, DropUserOptions(domain_name="local"))
def test_enhanced_err_present_authorisation(self):
import couchbase_core.subdocument as SD
users = [('writer', ('s3cr3t', [
Role(name='data_reader', bucket='default'),
Role(name='data_writer', bucket='default')
])),
('reader', ('s3cr3t',
[Role(name='data_reader', bucket='default')]))]
#self.mockclient._do_request("SET_ENHANCED_ERRORS",{"enabled":True})
for user in users:
print(str(user))
(userid, password, roles) = user[0], user[1][0], user[1][1]
# add user
self.admin.user_upsert(userid, AuthDomain.Local, password, roles)
time.sleep(1)
try:
connection = self.make_connection(username=userid,
password=password)
key = self.gen_key('create_doc')
connection.mutate_in(key, (SD.upsert('new.path', 'newval'), ),
upsert_doc=True)
except CouchbaseException as e:
print(str(e))
if userid == "writer":
raise e
else:
self.assertRegexpMatches(
e.context, r".*Authorization failure.*",
"doesn't have correct Context field")
self.assertRegexpMatches(e.ref, r"(.*?)-(.*?)-.*",
"doesn't have correct Ref field")
self.assertRegexpMatches(
str(e), r".*Context=Authorization failure.*,.*Ref=.*",
"exception as string doesn't contain both fields")
finally:
#remove user
self.admin.user_remove(userid, AuthDomain.Local)
def act_on_special_bucket(self, bucket_name, password, action, perm_generator=None):
try:
if self.is_realserver:
self.admin.bucket_remove("default")
time.sleep(10)
self.admin.bucket_create(name=bucket_name,
bucket_type='ephemeral',
ram_quota=100,
bucket_password=password)
self.admin.wait_ready(bucket_name, timeout=100)
if perm_generator:
roles = perm_generator(bucket_name)
else:
roles = [Role(name='data_reader', bucket=bucket_name), Role(name='data_writer', bucket=bucket_name)]
self.admin.user_upsert(bucket_name, AuthDomain.Local, password, roles)
# connect to bucket to ensure we can use it
conn_str = "http://{0}:{1}/{2}".format(self.cluster_info.host, self.cluster_info.port,
bucket_name) + "?ipv6="+self.cluster_info.ipv6
bucket = self.factory(connection_string=conn_str, password=password)
self.assertIsNotNone(bucket)
action(bucket)
finally:
try:
self.admin.user_remove(bucket_name, AuthDomain.Local)
self.admin.bucket_delete(bucket_name)
finally:
if self.is_realserver:
time.sleep(10)
self.admin.bucket_create(name="default",
bucket_type='couchbase',
ram_quota=100,
bucket_password=password)
self.admin.wait_ready("default", timeout=100)
def test_default_domain(self):
username = '******'
password = '******'
roles = [
Role(name='data_reader', bucket='default'),
Role(name='data_writer', bucket='default')
]
self.um.upsert_user(
User(username=username, password=password, roles=roles))
user_metadata = self.try_n_times(10, 1, self.um.get_user, username)
self.assertIsNotNone(user_metadata)
# handle 7.0 roles w/ scopes/collections
test_roles = roles
if self.supports_collections():
test_roles = []
for r in roles:
test_roles.append(
Role(name=r.name,
bucket=r.bucket,
scope='*',
collection='*'))
self.validate_user_and_metadata(user_metadata, user_roles=test_roles)
users_metadata = self.um.get_all_users()
self.assertIsNotNone(users_metadata)
result = all(
map(lambda um: self.validate_user_and_metadata(um),
users_metadata))
self.assertTrue(result)
self.um.drop_user(username)
def test_external_nopassword(self):
username = '******'
password = '******'
roles = [
Role(name='data_reader', bucket='default'),
Role(name='data_writer', bucket='default')
]
# password with external generates argument error
self.assertRaises(InvalidArgumentException,
self.um.upsert_user,
User(username=username,
password=password,
roles=roles),
domain_name="external")
self.assertRaises(InvalidArgumentException,
self.um.upsert_user,
User(username=username,
password=password,
roles=None),
domain_name="external")
self.assertRaises(InvalidArgumentException,
self.um.upsert_user,
User(username=username, password=password, roles=[]),
domain_name="external")
try:
self.um.upsert_user(
User(username=username, password=None, roles=roles),
UpsertUserOptions(domain_name="external"))
except InvalidArgumentException:
raise
except:
pass
finally:
self.um.drop_user(username, domain_name="external")
def test_group_feature_not_found(self):
if self.supports_groups():
raise SkipTest('Only test on Server < 6.5')
roles = Role(name='admin')
test_group = Group(name='my-test-group',
roles=roles,
description="test group description")
self.assertRaises(FeatureNotFoundException, self.um.upsert_group,
test_group)
self.assertRaises(FeatureNotFoundException, self.um.get_all_groups)
self.assertRaises(FeatureNotFoundException, self.um.get_group,
test_group.name)
self.assertRaises(FeatureNotFoundException, self.um.drop_group,
test_group.name)
def setUp(self, *args, **kwargs):
if self.config.mock_enabled:
raise SkipTest('Real server must be used for admin tests')
super(UserManagementTests, self).setUp(*args, **kwargs)
self.bm = self.cluster.buckets()
try:
self.test_bucket = self.bm.get_bucket("default")
except BucketDoesNotExistException:
self.bm.create_bucket(
CreateBucketSettings(name="default",
bucket_type="couchbase",
ram_quota_mb=100))
self.um = self.cluster.users()
if self.supports_groups():
self.um.upsert_group(Group('qweqwe', roles={Role(name='admin')}))
def test_group(self):
roles = Role(name='admin')
test_group = Group(name='my-test-group',
roles=roles,
description="test group description")
# add group
self.um.upsert_group(test_group)
# get group
result = self.try_n_times(10, 1, self.um.get_group, test_group.name)
self.validate_group(result, test_group.roles)
# remove group
self.um.drop_group(test_group.name)
self.try_n_times_till_exception(
10,
1,
self.um.get_group,
test_group.name,
expected_exceptions=GroupNotFoundException)
def test_user_scopes_collections(self):
if not self.supports_collections():
raise SkipTest('Only test on Server >= 7.0')
def get_bucket(name):
return self.cluster.bucket(name)
test_bucket = self.try_n_times(10, 3, get_bucket, 'default')
cm = test_bucket.collections()
cm.create_scope('test-scope')
for _ in range(3):
scope = next(
(s for s in cm.get_all_scopes() if s.name == 'test-scope'),
None)
if scope:
break
time.sleep(1)
collection = CollectionSpec('test-collection', scope_name='test-scope')
cm.create_collection(collection)
for _ in range(3):
scope = next(
(s for s in cm.get_all_scopes() if s.name == 'test-scope'),
None)
if scope:
coll = next((c for c in scope.collections
if c.name == 'test-collection'), None)
if coll:
break
time.sleep(1)
username = '******'
password = '******'
roles = [
Role(name='data_reader', bucket='default', scope='test-scope'),
Role(name='data_writer',
bucket='default',
scope='test-scope',
collection='test-collection')
]
initial_user = User(username=username, roles=roles, password=password)
# create user
self.um.upsert_user(initial_user, domain_name="local")
# get single user
user_metadata = self.try_n_times(10,
1,
self.um.get_user,
username,
domain_name="local")
# handle 7.0 roles w/ scopes/collections
test_roles = roles
if self.supports_collections():
test_roles = []
for r in roles:
if not r.collection:
test_roles.append(
Role(name=r.name,
bucket=r.bucket,
scope=r.scope,
collection='*'))
else:
test_roles.append(r)
self.assertIsNotNone(user_metadata)
self.validate_user_and_metadata(user_metadata, user_roles=test_roles)
self.um.drop_user(username)
cm.drop_collection(collection)
cm.drop_scope('test-scope')
def test_api_object_creation(self):
# roles, users and groups must have a name
self.assertRaises(InvalidArgumentException, Role)
self.assertRaises(InvalidArgumentException, User)
self.assertRaises(InvalidArgumentException, Group)
# user roles should be a set, but allow users to create
# user w/ 1 or many roles
roles = Role('admin')
user = User(username='******',
roles=roles,
password='******')
self.validate_user(user, user_roles=[roles])
roles = [Role('admin'), Role('data-reader', bucket='default')]
user = User(username='******',
roles=roles,
password='******')
self.validate_user(user, user_roles=roles)
roles = {Role('admin'), Role('data-reader', bucket='default')}
user = User(username='******',
roles=roles,
password='******')
self.validate_user(user, user_roles=roles)
roles = (Role('admin'), Role('data-reader', bucket='default'))
user = User(username='******',
roles=roles,
password='******')
self.validate_user(user, user_roles=roles)
# group roles should be a set, but allow users to create
# group w/ 1 or many roles
roles = Role('admin')
group = Group(name='test-group', roles=roles)
self.validate_group(group, roles=[roles])
roles = [Role('admin'), Role('data-reader', bucket='default')]
group = Group(name='test-group', roles=roles)
self.validate_group(group, roles=roles)
roles = {Role('admin'), Role('data-reader', bucket='default')}
group = Group(name='test-group', roles=roles)
self.validate_group(group, roles=roles)
roles = (Role('admin'), Role('data-reader', bucket='default'))
group = Group(name='test-group', roles=roles)
self.validate_group(group, roles=roles)
def test_external_user(self):
"""
test_external_user()
Tests create, retrieve, update and removal
of external (domain_name="external")
Uses *UserOptions() for options
"""
username = '******'
roles = [
Role(name='data_reader', bucket='default'),
Role(name='data_writer', bucket='default')
]
initial_user = User(username=username, roles=roles)
# create user
self.um.upsert_user(initial_user,
UpsertUserOptions(domain_name="external"))
# get user
user_metadata = self.try_n_times(
10, 1, self.um.get_user, username,
GetUserOptions(domain_name="external"))
# handle 7.0 roles w/ scopes/collections
test_roles = roles
if self.supports_collections():
test_roles = []
for r in roles:
test_roles.append(
Role(name=r.name,
bucket=r.bucket,
scope='*',
collection='*'))
self.assertIsNotNone(user_metadata)
self.validate_user_and_metadata(user_metadata, user_roles=test_roles)
# update user
user = user_metadata.user
user.roles = Role('admin')
self.um.upsert_user(user, UpsertUserOptions(domain_name="external"))
# get user and verify updates
user_metadata = self.try_n_times(
10, 1, self.um.get_user, username,
GetUserOptions(domain_name="external"))
self.assertIsNotNone(user_metadata)
self.validate_user_and_metadata(user_metadata, user_roles=user.roles)
user_update = user_metadata.user
self.assertNotEqual(initial_user, user_update)
# remove user
self.um.drop_user(username, DropUserOptions(domain_name="external"))
self.try_n_times_till_exception(
10,
1,
self.um.get_user,
username,
domain_name="external",
expected_exceptions=UserNotFoundException)
pw = "test-passw0rd!"
adm_cluster = Cluster("couchbase://localhost",
authenticator=PasswordAuthenticator(
"Administrator", "password"))
# For Server versions 6.5 or later you do not need to open a bucket here
adm_bucket = adm_cluster.bucket(bucket_name)
# tag::create_user[]
user_manager = adm_cluster.users()
user = User(
username=username,
display_name="Test User",
roles=[
# Roles required for reading data from bucket
Role(name="data_reader", bucket="*"),
Role(name="query_select", bucket="*"),
# Roles require for writing data to bucket
Role(name="data_writer", bucket=bucket_name),
Role(name="query_insert", bucket=bucket_name),
Role(name="query_delete", bucket=bucket_name),
# Role required for idx creation on bucket
Role(name="query_manage_index", bucket=bucket_name),
],
password=pw)
user_manager.upsert_user(user)
# end::create_user[]
# tag::get_all_users[]
users_metadata = user_manager.get_all_users()
# end::listing-scope-collection[]
cluster = Cluster("couchbase://localhost",
authenticator=PasswordAuthenticator("Administrator",
"password"))
print("scopeAdmin\n")
# tag::scopeAdmin[]
users = cluster.users()
user = User(username="******",
password="******",
display_name="Manage Scopes [travel-sample:*]",
roles=[
Role(name="scope_admin", bucket="travel-sample"),
Role(name="data_reader", bucket="travel-sample")
])
users.upsert_user(user)
# end::scopeAdmin[]
cluster = Cluster("couchbase://localhost",
authenticator=PasswordAuthenticator("scopeAdmin",
"password"))
# tag::create_collections_mgr[]
bucket = cluster.bucket("travel-sample")
coll_manager = bucket.collections()
# end::create_collections_mgr[]
# tag::create_scope[]
def test_user_and_groups(self):
user_roles = [
Role(name='query_select', bucket='default'),
Role(name='fts_searcher', bucket='default')
]
group_roles = [
Role(name='data_reader', bucket='*'),
Role(name='data_writer', bucket='*')
]
groups = [
Group(name='my-test-group',
roles=group_roles,
description="test group description"),
Group(name='my-test-group-1',
roles=Role(name='admin'),
description="test group description")
]
# add groups
for group in groups:
self.um.upsert_group(group)
self.try_n_times(10, 1, self.um.get_group, group.name)
user_groups = list(map(lambda g: g.name, groups))
# add user
test_user = User(username='******',
roles=user_roles,
groups=user_groups,
password='******')
self.um.upsert_user(test_user, domain_name="local")
# get user
user_metadata = self.try_n_times(10,
1,
self.um.get_user,
test_user.username,
domain_name="local")
# handle 7.0 roles w/ scopes/collections
test_roles = user_roles
if self.supports_collections():
test_roles = []
for r in user_roles:
test_roles.append(
Role(name=r.name,
bucket=r.bucket,
scope='*',
collection='*'))
self.assertIsNotNone(user_metadata)
self.validate_user_and_metadata(user_metadata,
user_roles=test_roles,
groups=groups)
# remove group
remove_group = groups.pop()
self.um.drop_group(remove_group.name)
self.try_n_times_till_exception(
10,
1,
self.um.get_group,
remove_group.name,
expected_exceptions=GroupNotFoundException)
# get user to verify roles from removed group are removed
user_metadata = self.try_n_times(10,
1,
self.um.get_user,
test_user.username,
domain_name="local")
# handle 7.0 roles w/ scopes/collections
if self.supports_collections():
test_roles = []
for r in user_roles:
test_roles.append(
Role(name=r.name,
bucket=r.bucket,
scope='*',
collection='*'))
self.assertIsNotNone(user_metadata)
self.validate_user_and_metadata(user_metadata,
user_roles=test_roles,
groups=groups)
# cleanup
self.um.drop_user(test_user.username, domain_name="local")
for group in groups:
self.um.drop_group(group.name)
