Esempio n. 1
 def test_authorized_base(self):
     """
     Check the two baseline outcomes: an operation with no configured grant
     (CONFIG) is refused, and one open to everyone (DELEGATION) is granted.
     """
     # No resource owner or VO is passed: only the caller's own credentials,
     # taken from self.env, take part in the decision.
     config_granted = fts3auth.authorized(fts3auth.CONFIG, env=self.env)
     self.assertFalse(config_granted)

     delegation_granted = fts3auth.authorized(fts3auth.DELEGATION, env=self.env)
     self.assertTrue(delegation_granted)
Esempio n. 2
 def test_authorized_all(self):
     """
     DELEGATION is configured for anyone ("all"), so it must be granted
     whoever owns the resource and whichever VO the resource belongs to.
     """
     resources = (
         # Resource owned by the caller
         dict(resource_owner=TestAuthorization.DN),
         # Someone else's resource, VO 'testvo'
         dict(resource_owner='someone', resource_vo='testvo'),
         # Someone else's resource, VO 'othervo'
         dict(resource_owner='someone', resource_vo='othervo'),
     )
     for resource in resources:
         granted = fts3auth.authorized(fts3auth.DELEGATION, env=self.env, **resource)
         self.assertTrue(granted)
Esempio n. 3
	def _getJob(self, id):
		"""
		Load the job with the given id and enforce TRANSFER permission on it.

		Aborts with 404 when no such job exists and with 403 when authorized()
		refuses the caller; otherwise returns the job.
		"""
		record = Session.query(Job).get(id)
		if record is None:
			abort(404, 'No job with the id "%s" has been found' % id)
		# The decision uses the owner DN and VO stored on the job row itself,
		# not values supplied with the request.
		allowed = authorized(TRANSFER, resource_owner=record.user_dn, resource_vo=record.vo_name)
		if not allowed:
			abort(403, 'Not enough permissions to check the job "%s"' % id)
		return record
Esempio n. 4
 def _getJob(self, id):
     """
     Return the job with the given id after checking TRANSFER permission.

     Aborts with 404 if the job does not exist, and with 403 if authorized()
     rejects the caller for the job's owner and VO.
     """
     found = Session.query(Job).get(id)
     if found is None:
         abort(404, 'No job with the id "%s" has been found' % id)
     # NOTE(review): the 404 is produced before any permission check, so the
     # two status codes tell existing ids apart from missing ones.
     resource = dict(resource_owner=found.user_dn, resource_vo=found.vo_name)
     if not authorized(TRANSFER, **resource):
         abort(403, 'Not enough permissions to check the job "%s"' % id)
     return found
Esempio n. 5
 def _get_job(self, job_id):
     """
     Return the archived job with the given id after a TRANSFER permission check.

     Raises HTTPNotFound when the archive holds no such job, and HTTPForbidden
     when authorized() rejects the caller for the job's owner and VO.
     """
     archived = Session.query(ArchivedJob).get(job_id)
     if archived is None:
         raise HTTPNotFound('No job with the id "%s" has been found in the archive' % job_id)
     # Archived jobs go through the same TRANSFER check; owner DN and VO are
     # read from the stored row.
     allowed = authorized(
         TRANSFER, resource_owner=archived.user_dn, resource_vo=archived.vo_name)
     if not allowed:
         raise HTTPForbidden('Not enough permissions to check the job "%s"' % job_id)
     return archived
Esempio n. 6
    def test_authorized_all(self):
        """
        DELEGATION must be granted for the caller's own resource and for
        resources of another owner in either of the two VOs tried.
        """
        resources = (
            {'resource_owner': TestAuthorization.DN},
            {'resource_owner': 'someone', 'resource_vo': 'testvo'},
            {'resource_owner': 'someone', 'resource_vo': 'othervo'},
        )
        for resource in resources:
            granted = fts3auth.authorized(fts3auth.DELEGATION, env=self.env, **resource)
            self.assertTrue(granted)
Esempio n. 7
 def test_authorized_same_dn_different_vo(self):
     """
     If the user is the owner of the resource (same DN), permission must be
     granted even when the resource's VO is a different one ('othervo').
     """
     # Owner DN is the test identity; only the VO differs.
     own_resource_other_vo = dict(resource_owner=TestAuthorization.DN, resource_vo='othervo')
     granted = fts3auth.authorized(fts3auth.TRANSFER, env=self.env, **own_resource_other_vo)
     self.assertTrue(granted)
Esempio n. 8
    def test_authorized_vo(self):
        """
        TRANSFER must be granted for the caller's own resource and for another
        owner's resource in VO 'testvo', and refused for another owner's
        resource in VO 'othervo'.
        """
        cases = (
            (self.assertTrue, {'resource_owner': TestAuthorization.DN}),
            (self.assertTrue, {'resource_owner': 'someone', 'resource_vo': 'testvo'}),
            # The negative case: different owner and different VO.
            (self.assertFalse, {'resource_owner': 'someone', 'resource_vo': 'othervo'}),
        )
        for expect, resource in cases:
            expect(fts3auth.authorized(fts3auth.TRANSFER, env=self.env, **resource))
Esempio n. 9
 def _get_job(job_id):
     """
     Return the job with the given id after a TRANSFER permission check.

     Raises HTTPNotFound when there is no such job, and HTTPForbidden when
     authorized() rejects the caller for the job's owner and VO.
     """
     found = Session.query(Job).get(job_id)
     if found is None:
         raise HTTPNotFound('No job with the id "%s" has been found' % job_id)
     # Owner DN and VO come from the stored job, never from the request.
     resource = dict(resource_owner=found.user_dn, resource_vo=found.vo_name)
     if not authorized(TRANSFER, **resource):
         raise HTTPForbidden('Not enough permissions to check the job "%s"' % job_id)
     return found
Esempio n. 10
 def test_authorized_vo(self):
     """
     Exercise an operation (TRANSFER) that is allowed only for users that
     belong to the same VO as the resource.
     """
     cases = (
         # The caller owns the resource: allowed
         (self.assertTrue, dict(resource_owner=TestAuthorization.DN)),
         # Different owner but same VO, and transfer is set to vo: allowed
         (self.assertTrue, dict(resource_owner='someone', resource_vo='testvo')),
         # Different owner and different VO: forbidden
         (self.assertFalse, dict(resource_owner='someone', resource_vo='othervo')),
     )
     for expect, resource in cases:
         expect(fts3auth.authorized(fts3auth.TRANSFER, env=self.env, **resource))
Esempio n. 11
 def get_dm(self, job_id):
     """
     Get the data management tasks within a job

     Raises HTTPNotFound when the job does not exist and HTTPForbidden when the
     caller lacks TRANSFER permission on it. Returns a query over the job's
     DataManagement rows, fetched in batches of 100 with eager loads disabled.
     """
     job_row = Session.query(Job.user_dn, Job.vo_name).filter(Job.job_id == job_id).first()
     if job_row is None:
         raise HTTPNotFound('No job with the id "%s" has been found' % job_id)
     # Columns were selected as (user_dn, vo_name), in that order.
     owner_dn = job_row[0]
     owner_vo = job_row[1]
     if not authorized(TRANSFER, resource_owner=owner_dn, resource_vo=owner_vo):
         raise HTTPForbidden('Not enough permissions to check the job "%s"' % job_id)
     # The rows are selected by the same job_id the permission check covered.
     tasks = Session.query(DataManagement).filter(DataManagement.job_id == job_id)
     return tasks.yield_per(100).enable_eagerloads(False)
Esempio n. 12
 def get_files(self, job_id):
     """
     Get the files within a job

     Raises HTTPNotFound when the job does not exist and HTTPForbidden when the
     caller lacks TRANSFER permission on it. Returns the job's File rows as a
     list, with the retries relationship left unloaded.
     """
     job_row = Session.query(Job.user_dn, Job.vo_name).filter(Job.job_id == job_id).first()
     if job_row is None:
         raise HTTPNotFound('No job with the id "%s" has been found' % job_id)
     # Columns were selected as (user_dn, vo_name), in that order.
     allowed = authorized(TRANSFER, resource_owner=job_row[0], resource_vo=job_row[1])
     if not allowed:
         raise HTTPForbidden('Not enough permissions to check the job "%s"' % job_id)
     # The files are selected by the same job_id the permission check covered.
     job_files = Session.query(File).filter(File.job_id == job_id)
     return job_files.options(noload(File.retries)).all()
Esempio n. 13
 def get_files(self, job_id):
     """
     Get the files within a job

     Raises HTTPNotFound when the job does not exist and HTTPForbidden when the
     caller lacks TRANSFER permission on it. Returns a query over the job's
     File rows (retries not loaded), fetched in batches of 100 with eager
     loads disabled.
     """
     job_row = Session.query(Job.user_dn, Job.vo_name).filter(Job.job_id == job_id).first()
     if job_row is None:
         raise HTTPNotFound('No job with the id "%s" has been found' % job_id)
     # Columns were selected as (user_dn, vo_name), in that order.
     owner_dn = job_row[0]
     owner_vo = job_row[1]
     if not authorized(TRANSFER, resource_owner=owner_dn, resource_vo=owner_vo):
         raise HTTPForbidden('Not enough permissions to check the job "%s"' % job_id)
     # The files are selected by the same job_id the permission check covered.
     job_files = Session.query(File).filter(File.job_id == job_id)
     job_files = job_files.options(noload(File.retries))
     return job_files.yield_per(100).enable_eagerloads(False)
Esempio n. 14
    def test_authorize_config_via_db(self):
        """
        Credentials with no vo extensions: CONFIG is refused until the DN is
        stored in the database as authorized for it, and granted afterwards.
        """
        del self.creds
        del self.env['fts3.User.Credentials']

        # Environment carrying only the DN, no VO information.
        dn_only_env = {'GRST_CRED_AURI_0': 'dn:' + TestAuthorization.DN}
        self.creds = fts3auth.UserCredentials(dn_only_env, TestAuthorization.ROLES)
        self.env['fts3.User.Credentials'] = self.creds

        # No per-DN grant exists yet, so CONFIG must be refused.
        granted_before = fts3auth.authorized(fts3auth.CONFIG, env=self.env)
        self.assertFalse(granted_before)

        # NOTE(review): this grant is committed and not removed in this
        # method; presumably tearDown resets the table - confirm, otherwise it
        # can leak into later tests.
        Session.merge(AuthorizationByDn(dn=TestAuthorization.DN, operation=fts3auth.CONFIG))
        Session.commit()

        # Force reload of creds
        self.creds = fts3auth.UserCredentials(dn_only_env, TestAuthorization.ROLES)
        self.env['fts3.User.Credentials'] = self.creds

        granted_after = fts3auth.authorized(fts3auth.CONFIG, env=self.env)
        self.assertTrue(granted_after)
Esempio n. 15
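 def get_file_retries(self, job_id, file_id):
     """
     Get the retries for a given file

     The caller needs TRANSFER permission on the job, and the file must belong
     to that job.

     Raises HTTPNotFound when the job does not exist or the file is not part of
     it, and HTTPForbidden when authorized() rejects the caller. Returns the
     list of FileRetryLog rows for the file.
     """
     owner = Session.query(Job.user_dn, Job.vo_name).filter(Job.job_id == job_id).first()
     if owner is None:
         raise HTTPNotFound('No job with the id "%s" has been found' % job_id)
     if not authorized(TRANSFER, resource_owner=owner[0], resource_vo=owner[1]):
         raise HTTPForbidden('Not enough permissions to check the job "%s"' % job_id)
     # The permission check above covers job_id only, so the file lookup is
     # bound to that job: without the job_id filter the retries of a file from
     # a different job would be returned under this job's authorization.
     # .first() is required as well: a Query object is always truthy, so testing
     # the query itself never reported a missing file.
     f = Session.query(File.file_id).filter(
         File.file_id == file_id, File.job_id == job_id).first()
     if f is None:
         # "%s" rather than "%d": file_id may arrive as a string, and "%d"
         # would then raise TypeError instead of producing the 404.
         raise HTTPNotFound('No file with the id "%s" has been found' % file_id)
     retries = Session.query(FileRetryLog).filter(FileRetryLog.file_id == file_id)
     return retries.all()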
Esempio n. 16
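 def get_file_retries(self, job_id, file_id):
     """
     Get the retries for a given file

     The caller needs TRANSFER permission on the job, and the file must belong
     to that job.

     Raises HTTPNotFound when the job does not exist or the file is not part of
     it, and HTTPForbidden when authorized() rejects the caller. Returns the
     list of FileRetryLog rows for the file.
     """
     job_row = Session.query(Job.user_dn, Job.vo_name).filter(Job.job_id == job_id).first()
     if job_row is None:
         raise HTTPNotFound('No job with the id "%s" has been found' % job_id)
     if not authorized(TRANSFER,
                       resource_owner=job_row[0], resource_vo=job_row[1]):
         raise HTTPForbidden('Not enough permissions to check the job "%s"' % job_id)
     # Authorization was decided for job_id, so the file is looked up within
     # that job; a file_id belonging to another job must end in a 404 here.
     # The row is fetched with .first() because a Query object is always
     # truthy and cannot be used as an existence test.
     file_row = Session.query(File.file_id).filter(
         File.file_id == file_id, File.job_id == job_id).first()
     if file_row is None:
         # "%s" rather than "%d" so that a non-integer file_id still yields
         # the 404 instead of a TypeError.
         raise HTTPNotFound('No file with the id "%s" has been found' % file_id)
     retries = Session.query(FileRetryLog).filter(FileRetryLog.file_id == file_id)
     return retries.all()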
Esempio n. 17
    def test_authorize_root(self):
        """
        If the client DN equals the server's own DN (hostcert.pem), full access
        is granted; any other DN only gets what the roles allow.
        """
        # NOTE(review): the decision rests on the SSL_SERVER_S_DN and
        # GRST_CRED_AURI_0 entries of the environment; presumably the TLS front
        # end sets both - confirm they cannot be supplied by the client.
        env = {'SSL_SERVER_S_DN': '/DN=test'}

        scenarios = (
            # (client DN entry, assertion expected for CONFIG and TRANSFER)
            ('dn:/DN=notme', self.assertFalse),
            ('dn:/DN=test', self.assertTrue),
        )
        for client_dn, expect_privileged in scenarios:
            env['GRST_CRED_AURI_0'] = client_dn
            env['fts3.User.Credentials'] = fts3auth.UserCredentials(env, TestAuthorization.ROLES)
            expect_privileged(fts3auth.authorized(fts3auth.CONFIG, env=env))
            # DELEGATION is granted in both scenarios.
            self.assertTrue(fts3auth.authorized(fts3auth.DELEGATION, env=env))
            expect_privileged(fts3auth.authorized(fts3auth.TRANSFER, env=env, resource_vo='atlas'))
Esempio n. 18
 def test_authorized_base(self):
     """
     CONFIG must be refused and DELEGATION granted for the credentials held
     in self.env, with no resource owner or VO involved.
     """
     config_granted = fts3auth.authorized(fts3auth.CONFIG, env=self.env)
     self.assertFalse(config_granted)

     delegation_granted = fts3auth.authorized(fts3auth.DELEGATION, env=self.env)
     self.assertTrue(delegation_granted)