def setUp(self):
super(AdminDomainTest, self).setUp()
test_utils.SetupUser(test_utils.Login('manager'))
test_utils.SetupUser(test_utils.DomainLogin('insider', 'xyz.com'))
test_utils.SetupUser(test_utils.DomainLogin('reviewer', 'xyz.com'))
test_utils.SetupUser(test_utils.DomainLogin('outsider', 'not-xyz.com'))
# TODO(kpy): Consider moving this setup into the tests that use it.
perms.Grant('xyz.com', perms.Role.MAP_CREATOR, 'xyz.com')
perms.Grant('manager', perms.Role.DOMAIN_ADMIN, 'xyz.com')
perms.Grant('reviewer', perms.Role.DOMAIN_REVIEWER, 'xyz.com')
perms.Grant('insider', perms.Role.CATALOG_EDITOR, 'xyz.com')
perms.Grant('outsider', perms.Role.MAP_CREATOR, 'xyz.com')
def testPost_CreateDomain(self):
self.assertIsNone(domains.Domain.Get('bar.com'))
with test_utils.DomainLogin('first_bar_user', 'bar.com'):
response = self.DoCreateDomainPost('bar.com')
self.assertTrue('welcome=1' in response.headers['Location'])
self.assertTrue(domains.Domain.Get('bar.com'))
# The current user should have been granted administrative rights
self.assertTrue(perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'bar.com'))
def testDomainAdminRole(self):
with test_utils.RootLogin():
perms.Grant('xyz.com', perms.Role.DOMAIN_ADMIN, 'xyz.com')
perms.Grant('outside_friend', perms.Role.DOMAIN_ADMIN, 'xyz.com')
with test_utils.DomainLogin('insider', 'xyz.com'):
self.assertTrue(
perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
with test_utils.DomainLogin('outside_friend', 'not-xyz.com'):
self.assertTrue(
perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
with test_utils.Login('stranger'):
self.assertFalse(
perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
with test_utils.DomainLogin('stranger_with_ga_domain', 'not-xyz.com'):
self.assertFalse(
perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
with test_utils.RootLogin():
self.assertTrue(
perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
def testMapCreatorDomains(self):
"""Verifies that the map_creator_domains setting is respected."""
perms.Grant('foo.com', perms.Role.MAP_CREATOR, 'xyz.com')
# All users at foo.com have the CREATOR role for xyz.com.
with test_utils.DomainLogin('insider', 'foo.com'):
self.assertTrue(
perms.CheckAccess(perms.Role.MAP_CREATOR, 'xyz.com'))
self.assertFalse(perms.CheckAccess(perms.Role.ADMIN))
model.Map.Create({}, 'xyz.com')
# Users in bar.com don't have the CREATOR role.
with test_utils.DomainLogin('outsider', 'bar.com'):
self.assertFalse(
perms.CheckAccess(perms.Role.MAP_CREATOR, 'xyz.com'))
self.assertRaises(perms.AuthorizationError, model.Map.Create, {},
'xyz.com')
# All users in gmail.test get MAP_CREATOR.
perms.Grant('gmail.test', perms.Role.MAP_CREATOR, 'gmail.test')
with test_utils.Login('gmail_user'):
self.assertTrue(
perms.CheckAccess(perms.Role.MAP_CREATOR, 'gmail.test'))
def testCreateDomain_HighLatencyDatastore(self):
self.sent_true = False
self.false_count = 0
# Function signature (especially named arguments) needs to match CheckAccess
# pylint: disable=unused-argument
def MockCheckAccess(role, target=None, user=None, policy=None):
if self.false_count < 4:
self.false_count += 1
return False
self.sent_true = True
return True
# pylint: enable=unused-argument
self.assertIsNone(domains.Domain.Get('slow.com'))
self.mox.stubs.Set(perms, 'CheckAccess', MockCheckAccess)
self.mox.stubs.Set(time, 'sleep', lambda unused_seconds: None)
with test_utils.DomainLogin('domain_creator', 'slow.com'):
self.DoCreateDomainPost('slow.com')
self.assertTrue(self.sent_true)
self.assertTrue(domains.Domain.Get('slow.com'))
def testDomainRoles(self):
"""Verifies that domain access permissions restrict actions correctly."""
with test_utils.RootLogin():
domains.Domain.Put('foo.com',
initial_domain_role=perms.Role.MAP_OWNER)
m = model.Map.Create({}, 'foo.com')
# Verify that a user in foo.com gets the domain role for foo.com.
with test_utils.DomainLogin('insider', 'foo.com'):
self.assertEquals(
{'MAP_OWNER', 'MAP_EDITOR', 'MAP_REVIEWER', 'MAP_VIEWER'},
GetRolesForMap(m))
m.model.domain_role = perms.Role.MAP_EDITOR
self.assertEquals({'MAP_EDITOR', 'MAP_REVIEWER', 'MAP_VIEWER'},
GetRolesForMap(m))
m.model.domain_role = perms.Role.MAP_REVIEWER
self.assertEquals({'MAP_REVIEWER', 'MAP_VIEWER'},
GetRolesForMap(m))
m.model.domain_role = perms.Role.MAP_VIEWER
self.assertEquals({'MAP_VIEWER'}, GetRolesForMap(m))
def testGet_NoPermissions(self):
# xyz.com doesn't grant DOMAIN_ADMIN to the entire domain, so this fails.
with test_utils.DomainLogin('another_insider', 'xyz.com'):
self.DoGet('/xyz.com/.admin', 403)
def testGetFromDomainReviewer(self):
perms.Grant('domainreviewer', perms.Role.DOMAIN_REVIEWER, 'xyz.com')
with test_utils.DomainLogin('domainreviewer', 'xyz.com'):
self.DoGet('/.maps/%s/review' % self.map_id)