コード例 #1
def test_view_application_configurations(user_policy: Policy,
                                         user_sdk: ADCMClient, prepare_objects,
                                         second_objects):
    """
    Check the scope of the "View application configurations" role.

    While the policy exists, the user must be able to view (but not edit)
    the cluster, its services and their components, including a service
    added to the cluster during the test. Provider, host and every object
    from the second set must stay invisible. After the policy is deleted,
    view access to the previously visible objects must be denied.
    """
    first_set_as_user = as_user_objects(user_sdk, *prepare_objects)
    cluster, service, component, provider, host = first_set_as_user
    admin_cluster, *_ = prepare_objects
    unrelated_objects = as_user_objects(user_sdk, *second_objects)

    # The extra service is created through the admin-side cluster object and
    # then re-read through the user's client.
    added_service = admin_cluster.service_add(name="new_service")
    extra_service = user_sdk.service(id=added_service.id)
    extra_component = extra_service.component(name="test_component")

    in_scope = (cluster, service, component, extra_service, extra_component)

    # Positive and negative checks while the policy is in force.
    is_allowed_to_view(*in_scope)
    is_denied_to_edit(*in_scope)
    is_denied_to_view(provider, host, *unrelated_objects)

    # Revocation check: the same objects must be denied once the policy is gone.
    delete_policy(user_policy)
    is_denied_to_view(*in_scope)
コード例 #2
def test_service_administrator(user, user_sdk: ADCMClient, sdk_client_fs,
                               prepare_objects, second_objects):
    """
    Check that the service administrator role is limited to one service.

    A policy with the role is created for a single service. The user must be
    able to view and edit that service and its component, and must be denied
    view access to the parent cluster, a sibling service on the same cluster,
    every object of the second set and the remaining objects of both sets.
    """
    first_set_as_user = as_user_objects(user_sdk, *prepare_objects)
    cluster, service, component, *provider_objects = first_set_as_user
    admin_cluster, *_ = prepare_objects

    # Sibling service on the same cluster: it must NOT be covered by the policy.
    sibling = admin_cluster.service_add(name="new_service")
    second_service_on_first_cluster = user_sdk.service(id=sibling.id)

    second_set_as_user = as_user_objects(user_sdk, *second_objects)
    (second_cluster, second_service, second_component,
     *second_provider_objects) = second_set_as_user

    role = sdk_client_fs.role(name=RbacRoles.ServiceAdministrator.value)
    policy_name = f"Policy with role {role.name}"
    sdk_client_fs.policy_create(
        name=policy_name,
        role=role,
        objects=[service],
        user=[user],
        group=[],
    )

    # Granted scope: the service itself and its component.
    granted = (service, component)
    is_allowed_to_view(*granted)
    is_allowed_to_edit(*granted)

    # Everything outside the single service must stay invisible.
    out_of_scope = (
        cluster,
        second_cluster,
        second_service,
        second_component,
        second_service_on_first_cluster,
        *provider_objects,
        *second_provider_objects,
    )
    is_denied_to_view(*out_of_scope)
コード例 #3
def __check_components(
    adcm_client: ADCMClient,
    comparator: Callable,
    components: Dict[int, ADCMObjectField],
    service_ids: Collection[int],
):
    """
    Run ``comparator`` on every known component found under the given services.

    Components are reached through their services (the original note says a
    direct ``.component`` lookup is not implemented). Each component whose id
    is a key of ``components`` is passed to ``comparator`` together with the
    value stored for it; components with other ids are skipped.
    """
    known_ids = components.keys()
    for sid in service_ids:
        service = adcm_client.service(id=sid)
        for component in get_objects_via_pagination(service.component_list):
            component_id = component.id
            if component_id not in known_ids:
                continue
            comparator(component, components[component_id])
コード例 #4
def test_remove_another_object_from_policy(user_sdk: ADCMClient, user,
                                           prepare_objects, sdk_client_fs):
    """
    Test that the user keeps access when an object is removed from the policy
    but its higher-level object is still listed in it.

    The policy starts with both the cluster and the service; after the update
    only the cluster remains, and both view checks must still pass.
    """
    admin_cluster, admin_service, *_ = prepare_objects
    cluster = user_sdk.cluster(id=admin_cluster.id)
    service = user_sdk.service(id=admin_service.id)
    policy = create_policy(
        sdk_client_fs,
        CLUSTER_VIEW_CONFIG_ROLES,
        objects=[cluster, service],
        users=[user],
        groups=[],
    )

    def check_both_viewable():
        # Same pair of checks before and after the policy is narrowed.
        is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
        is_allowed(service, BusinessRoles.ViewServiceConfigurations)

    check_both_viewable()
    with allure.step("Remove object from policy"):
        # Only the cluster stays in the policy's object list.
        remaining = [{"id": cluster.id, "type": "cluster"}]
        policy.update(object=remaining)
    check_both_viewable()
コード例 #5
def test_remove_object_from_policy(user_sdk: ADCMClient, user, prepare_objects,
                                   sdk_client_fs):
    """
    Test that the user loses access to an object once the policy no longer
    lists it.

    The policy is created for the cluster and then re-pointed at the service:
    the cluster check must flip from allowed to denied, while the service
    check must pass.
    """
    admin_cluster, admin_service, *_ = prepare_objects
    cluster = user_sdk.cluster(id=admin_cluster.id)
    service = user_sdk.service(id=admin_service.id)

    view_roles = [
        BusinessRoles.ViewClusterConfigurations,
        BusinessRoles.ViewServiceConfigurations,
    ]
    policy = create_policy(
        sdk_client_fs,
        view_roles,
        objects=[cluster],
        users=[user],
        groups=[],
    )

    is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
    with allure.step("Change policy object from cluster to service"):
        new_target = [{"id": admin_service.id, "type": "service"}]
        policy.update(object=new_target)

    # Revocation check: the cluster is no longer covered by the policy.
    is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
    # NOTE(review): the service is checked with the *cluster* view role here,
    # although the policy also carries ViewServiceConfigurations - confirm
    # that this is intended and not a copy-paste slip.
    is_allowed(service, BusinessRoles.ViewClusterConfigurations)