Esempio n. 1
0
    def test_edit_permission_does_not_exist(self):

        id, name = 1, 'name'

        rbac = RBAC()
        rbac.create_permission(id, name)
        self.assertRaises(ValueError, rbac.edit_permission, 1234, 'new_name')
Esempio n. 2
0
    def test_create_resource(self):
        name1, name2 = 'name1', 'name2'

        rbac = RBAC()
        rbac.create_resource(name1)
        rbac.create_resource(name2)

        self.assertEquals(rbac.registry._resources[name1], set())
        self.assertEquals(rbac.registry._resources[name2], set())
Esempio n. 3
0
    def test_delete_permission_no_client_permission(self):

        id, name = 1, 'name'

        rbac = RBAC()
        rbac.create_permission(id, name)
        rbac.delete_permission(id)

        self.assertTrue(id not in rbac.permissions)
Esempio n. 4
0
    def test_delete_resource_no_roles(self):
        name1, name2 = 'name1', 'name2'

        rbac = RBAC()
        rbac.create_resource(name1)
        rbac.create_resource(name2)
        rbac.delete_resource(name2)

        self.assertEquals(rbac.registry._resources[name1], set())
        self.assertNotIn(name2, rbac.registry._resources)
Esempio n. 5
0
    def test_delete_role_parent_hierarchy_delete_leaf(self):

        id1, parent_id1 = 1, 11
        id2, id3, id4 = 2, 3, 4

        name1, name2, name3, name4 = 'name1', 'name2', 'name3', 'name4'

        rbac = RBAC()
        rbac.create_role(id1, name1, parent_id1)
        rbac.create_role(id2, name2, id1)
        rbac.create_role(id3, name3, id1)
        rbac.create_role(id4, name4, id2)

        rbac.delete_role(id4, name4)

        self.assertIn(id1, rbac.role_id_to_name)
        self.assertIn(id2, rbac.role_id_to_name)
        self.assertIn(id3, rbac.role_id_to_name)
        self.assertNotIn(id4, rbac.role_id_to_name)

        self.assertIn(name1, rbac.role_name_to_id)
        self.assertIn(name2, rbac.role_name_to_id)
        self.assertIn(name3, rbac.role_name_to_id)
        self.assertNotIn(name4, rbac.role_name_to_id)

        self.assertIn(id1, rbac.registry._roles)
        self.assertIn(id2, rbac.registry._roles)
        self.assertIn(id3, rbac.registry._roles)
        self.assertNotIn(id4, rbac.registry._roles)
Esempio n. 6
0
    def test_create_client_role_valid_role(self):
        client_def1 = 'def1'
        client_def2 = 'def2'

        role_id1, role_name1 = 1, 'name1'
        role_id2, role_name2 = 2, 'name2'
        role_id3, role_name3 = 3, 'name3'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, None)
        rbac.create_role(role_id3, role_name3, None)

        rbac.create_client_role(client_def1, role_id1)
        rbac.create_client_role(client_def1, role_id2)

        rbac.create_client_role(client_def2, role_id2)
        rbac.create_client_role(client_def2, role_id3)

        self.assertEquals(rbac.client_def_to_role_id[client_def1], set([role_id1, role_id2]))
        self.assertEquals(rbac.client_def_to_role_id[client_def2], set([role_id2, role_id3]))

        self.assertEquals(rbac.role_id_to_client_def[role_id1], set([client_def1]))
        self.assertEquals(rbac.role_id_to_client_def[role_id2], set([client_def1, client_def2]))
Esempio n. 7
0
    def test_create_permission(self):

        id1, name1 = 1, 'name1'
        id2, name2 = 2, 'name2'

        rbac = RBAC()
        rbac.create_permission(id1, name1)
        rbac.create_permission(id2, name2)

        self.assertEquals(rbac.permissions[id1], name1)
        self.assertEquals(rbac.permissions[id2], name2)
Esempio n. 8
0
    def test_create_role_parent_not_given(self):

        id, name = rand_int(), rand_string()

        rbac = RBAC()
        rbac.create_role(id, name, None)

        self.assertEqual(rbac.role_id_to_name[id], name)
        self.assertEqual(rbac.role_name_to_id[name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set())
Esempio n. 9
0
    def test_create_role_parent_different_than_id(self):

        id, parent_id = 1, 11
        name = rand_string()

        rbac = RBAC()
        rbac.create_role(id, name, parent_id)

        self.assertEqual(rbac.role_id_to_name[id], name)
        self.assertEqual(rbac.role_name_to_id[name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set([parent_id]))
Esempio n. 10
0
    def test_edit_role_change_name_only(self):

        id, parent_id = rand_int(count=2)
        old_name, new_name = rand_string(2)

        rbac = RBAC()
        rbac.create_role(id, old_name, parent_id)
        rbac.edit_role(id, old_name, new_name, parent_id)

        self.assertEqual(rbac.role_id_to_name[id], new_name)
        self.assertEqual(rbac.role_name_to_id[new_name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set([parent_id]))
Esempio n. 11
0
    def test_edit_permission_exists(self):

        id1, name1 = 1, 'name1'
        id2, name2 = 2, 'name2'

        new_name1 = 'new_name1'

        rbac = RBAC()
        rbac.create_permission(id1, name1)
        rbac.create_permission(id2, name2)
        rbac.edit_permission(id1, new_name1)

        self.assertEquals(rbac.permissions[id1], new_name1)
        self.assertEquals(rbac.permissions[id2], name2)
Esempio n. 12
0
    def test_edit_role_change_parent_id_only(self):

        id = rand_int()
        old_parent_id, new_parent_id = uuid4().int, uuid4().int # Using uuid4 to make sure they really are unique
        old_name = new_name = rand_string()

        rbac = RBAC()
        rbac.create_role(id, old_name, old_parent_id)
        rbac.edit_role(id, old_name, new_name, new_parent_id)

        self.assertEqual(rbac.role_id_to_name[id], new_name)
        self.assertEqual(rbac.role_name_to_id[new_name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set([new_parent_id]))
Esempio n. 13
0
    def test_create_role_parent_hierarchy(self):

        id1, parent_id1 = 1, 11
        id2, id3, id4 = 2, 3, 4

        name1, name2, name3, name4 = 'name1', 'name2', 'name3', 'name4'

        rbac = RBAC()
        rbac.create_role(id1, name1, parent_id1)
        rbac.create_role(id2, name2, id1)
        rbac.create_role(id3, name3, id1)
        rbac.create_role(id4, name4, id2)

        self.assertEqual(rbac.role_id_to_name[id1], name1)
        self.assertEqual(rbac.role_id_to_name[id2], name2)
        self.assertEqual(rbac.role_id_to_name[id3], name3)
        self.assertEqual(rbac.role_id_to_name[id4], name4)

        self.assertIn(id1, rbac.registry._roles)
        self.assertIn(id2, rbac.registry._roles)
        self.assertIn(id3, rbac.registry._roles)
        self.assertIn(id4, rbac.registry._roles)

        self.assertEquals(rbac.registry._roles[id1], set([parent_id1]))
        self.assertEquals(rbac.registry._roles[id2], set([id1]))
        self.assertEquals(rbac.registry._roles[id3], set([id1]))
        self.assertEquals(rbac.registry._roles[id4], set([id2]))

        self.assertEquals(sorted(get_family(rbac.registry._roles, id1)), [None, id1, parent_id1])
        self.assertEquals(sorted(get_family(rbac.registry._roles, id2)), [None, id1, id2, parent_id1])
        self.assertEquals(sorted(get_family(rbac.registry._roles, id3)), [None, id1, id3, parent_id1])
        self.assertEquals(sorted(get_family(rbac.registry._roles, id4)), [None, id1, id2, id4, parent_id1])
Esempio n. 14
0
    def test_delete_role_parent_not_given(self):

        id, name = rand_int(), rand_string()

        rbac = RBAC()

        # Create and confirm it was added
        rbac.create_role(id, name, None)

        self.assertEqual(rbac.role_id_to_name[id], name)
        self.assertEqual(rbac.role_name_to_id[name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set())

        # Delete and confirm the action
        rbac.delete_role(id, name)

        self.assertNotIn(id, rbac.role_id_to_name)
        self.assertNotIn(name, rbac.role_name_to_id)
        self.assertNotIn(id, rbac.registry._roles)
Esempio n. 15
0
    def test_is_role_allowed_parent_hierarchy(self):

        role_id1, role_id2 = 1, 2
        role_name1, role_name2 = 'role_name1', 'role_name2'

        res_name1, res_name2 = 'res_name1', 'res_name2'

        perm_id1 = 11
        perm_name1 = 'perm_name1'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, role_id1)

        rbac.create_resource(res_name1)
        rbac.create_resource(res_name2)

        rbac.create_permission(perm_id1, perm_name1)

        rbac.create_role_permission_allow(role_id2, perm_id1, res_name1)
        rbac.create_role_permission_deny(role_id2, perm_id1, res_name2)

        self.assertTrue(rbac.is_role_allowed(role_id2, perm_id1, res_name1))
        self.assertFalse(rbac.is_role_allowed(role_id2, perm_id1, res_name2))

        # Denied implicitly because there is no explicit 'allow'
        self.assertFalse(rbac.is_role_allowed(role_id1, perm_id1, res_name1))
        self.assertFalse(rbac.is_role_allowed(role_id1, perm_id1, res_name2))
Esempio n. 16
0
    def test_delete_role_permission_deny(self):

        role_id1, role_id2 = 1, 2
        role_name1, role_name2 = 'role_name1', 'role_name2'

        res_name1, res_name2 = 'res_name1', 'res_name2'

        perm_id1, perm_id2 = 11, 22
        perm_name1, perm_name2 = 'perm_name1', 'perm_name2'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, None)

        rbac.create_resource(res_name1)
        rbac.create_resource(res_name2)

        rbac.create_permission(perm_id1, perm_name1)
        rbac.create_permission(perm_id2, perm_name2)

        rbac.create_role_permission_deny(role_id1, perm_id1, res_name1)
        rbac.create_role_permission_deny(role_id1, perm_id2, res_name1)

        rbac.create_role_permission_deny(role_id2, perm_id1, res_name2)
        rbac.create_role_permission_deny(role_id2, perm_id2, res_name2)

        self.assertIn((role_id1, perm_id1, res_name1), rbac.registry._denied)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._denied)

        self.assertIn((role_id2, perm_id1, res_name2), rbac.registry._denied)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._denied)

        rbac.delete_role_permission_deny(role_id1, perm_id1, res_name1)
        rbac.delete_role_permission_deny(role_id2, perm_id1, res_name2)

        self.assertNotIn((role_id1, perm_id1, res_name1), rbac.registry._denied)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._denied)

        self.assertNotIn((role_id2, perm_id1, res_name2), rbac.registry._denied)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._denied)
Esempio n. 17
0
    def test_edit_role_parent_hierarchy(self):

        id1, parent_id1 = 1, 11
        id2, id3, id4 = 2, 3, 4

        parent_id1_new, parent_id2_new, parent_id3_new = 111, 222, 333

        name1, name2, name3, name4 = 'name1', 'name2', 'name3', 'name4'
        name1_new, name3_new, name4_new = 'name1_new', 'name3_new', 'name4_new'

        rbac = RBAC()
        rbac.create_role(id1, name1, parent_id1)
        rbac.create_role(id2, name2, id1)
        rbac.create_role(id3, name3, id1)
        rbac.create_role(id4, name4, id2)

        # Changing only the name here
        rbac.edit_role(id1, name1, name1_new, parent_id1)
        self.assertEqual(rbac.role_id_to_name[id1], name1_new)
        self.assertIn(id1, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id1], set([parent_id1]))
        self.assertEquals(sorted(get_family(rbac.registry._roles, id1)), [None, id1, parent_id1])

        # Changing the id1's parent ID here
        rbac.edit_role(id1, name1_new, name1_new, parent_id1_new)
        self.assertEqual(rbac.role_id_to_name[id1], name1_new)
        self.assertIn(id1, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id1], set([parent_id1_new]))
        self.assertEquals(sorted(get_family(rbac.registry._roles, id1)), [None, id1, parent_id1_new])

        # Changing both name and parent ID of id3
        rbac.edit_role(id3, name3, name3_new, parent_id3_new)
        self.assertEqual(rbac.role_id_to_name[id3], name3_new)
        self.assertIn(id3, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id3], set([parent_id3_new]))
        self.assertEquals(sorted(get_family(rbac.registry._roles, id3)), [None, id3, parent_id3_new])

        # id4 should have parent_id2_new as one of its predecessors as a result of the first edit
        # whereas the second one should update id4's name.
        rbac.edit_role(id2, name2, name2, parent_id2_new)
        rbac.edit_role(id4, name4, name4_new, id2)

        self.assertEquals(sorted(get_family(rbac.registry._roles, id4)), [None, id2, id4, parent_id2_new])
        self.assertEqual(rbac.role_id_to_name[id4], name4_new)
Esempio n. 18
0
    def test_delete_permission_has_role_permission(self):

        role_id1, role_name1 = 1, 'role_name1'
        role_id2, role_name2 = 2, 'role_name2'

        perm_id1, perm_name1 = 11, 'perm_name1'
        perm_id2, perm_name2 = 22, 'perm_name2'

        res_name1, res_name2 = 'res_name1', 'res_name2'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, None)

        rbac.create_permission(perm_id1, perm_name1)
        rbac.create_permission(perm_id2, perm_name2)

        rbac.create_resource(res_name1)
        rbac.create_resource(res_name2)

        rbac.create_role_permission_allow(role_id1, perm_id1, res_name1)
        rbac.create_role_permission_allow(role_id1, perm_id2, res_name1)

        rbac.create_role_permission_allow(role_id2, perm_id1, res_name2)
        rbac.create_role_permission_allow(role_id2, perm_id2, res_name2)

        self.assertIn((role_id1, perm_id1, res_name1), rbac.registry._allowed)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._allowed)

        self.assertIn((role_id2, perm_id1, res_name2), rbac.registry._allowed)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._allowed)

        rbac.delete_permission(perm_id1)

        self.assertNotIn((role_id1, perm_id1, res_name1), rbac.registry._allowed)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._allowed)

        self.assertNotIn((role_id2, perm_id1, res_name2), rbac.registry._allowed)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._allowed)