def test_can_create_but_no_cluster(self, cluster_scoped_permission_obj, project_id, cluster_id):
    """Scenario: create permission on cluster-scoped resources, but none on the cluster.

    ``can_create`` must raise ``PermissionDeniedError``, and the apply URL in
    the error payload must equal the one generated for cluster view plus
    project view for the same user.
    """
    username = roles.CLUSTER_SCOPED_NO_CLUSTER_USER
    perm_ctx = ClusterScopedPermCtx(username=username, project_id=project_id, cluster_id=cluster_id)

    # pytest.raises fails the test if can_create returns without raising.
    with pytest.raises(PermissionDeniedError) as denied:
        cluster_scoped_permission_obj.can_create(perm_ctx)

    actual_url = denied.value.data['perms']['apply_url']

    view_cluster = ActionResourcesRequest(
        ClusterAction.VIEW,
        resource_type=ResourceType.Cluster,
        resources=[cluster_id],
        parent_chain=[IAMResource(ResourceType.Project, project_id)],
    )
    view_project = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]
    )

    # Exact equality: the expected URL is built from these two requests only.
    assert actual_url == generate_apply_url(username, [view_cluster, view_project])
def test_can_not_manage(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: no cluster manage permission, and no project view permission either.

    Calls ``manage_cluster`` (defined outside this block) as the anonymous
    user and expects ``PermissionDeniedError`` whose apply URL matches the one
    generated for cluster manage, cluster view and project view.
    """
    username = roles.ANONYMOUS_USER
    perm_ctx = ClusterPermCtx(username=username, project_id=project_id, cluster_id=cluster_id)

    # NOTE(review): cluster_permission_obj is requested but not referenced here;
    # presumably the fixture prepares state manage_cluster depends on - confirm.
    with pytest.raises(PermissionDeniedError) as denied:
        manage_cluster(perm_ctx)

    # NOTE(review): this path reads data['apply_url'], while the other tests in
    # this file read data['perms']['apply_url'] - confirm the payload shape.
    actual_url = denied.value.data['apply_url']

    manage_request = ActionResourcesRequest(
        ClusterAction.MANAGE,
        resource_type=ClusterPermission.resource_type,
        resources=[cluster_id],
        parent_chain=[IAMResource(ResourceType.Project, project_id)],
    )
    view_cluster = ActionResourcesRequest(
        ClusterAction.VIEW,
        resource_type=ClusterPermission.resource_type,
        resources=[cluster_id],
        parent_chain=[IAMResource(ResourceType.Project, project_id)],
    )
    view_project = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ProjectPermission.resource_type, resources=[project_id]
    )

    assert actual_url == generate_apply_url(username, [manage_request, view_cluster, view_project])
def test_can_manage_but_no_view(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: cluster manage permission is held, but cluster view is not.

    ``can_manage`` must still raise ``PermissionDeniedError``; the apply URL
    in the payload must match the one generated for cluster view plus
    project view.
    """
    username = roles.CLUSTER_MANAGE_NOT_VIEW_USER
    perm_ctx = ClusterPermCtx(username=username, project_id=project_id, cluster_id=cluster_id)

    with pytest.raises(PermissionDeniedError) as denied:
        cluster_permission_obj.can_manage(perm_ctx)

    actual_url = denied.value.data['perms']['apply_url']

    view_cluster = ActionResourcesRequest(
        ClusterAction.VIEW,
        resource_type=ResourceType.Cluster,
        resources=[cluster_id],
        parent_chain=[IAMResource(ResourceType.Project, project_id)],
    )
    view_project = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]
    )

    # ClusterAction.MANAGE is absent from the expected list: only the view
    # actions are requested in this scenario.
    assert actual_url == generate_apply_url(username, [view_cluster, view_project])
def test_can_not_instantiate(self, templateset_permission_obj, project_id, template_id):
    """Scenario: no templateset instantiate permission, and no project view permission.

    ``can_instantiate`` must raise ``PermissionDeniedError`` with an apply URL
    matching templateset instantiate, templateset view and project view.
    """
    username = roles.ANONYMOUS_USER
    perm_ctx = TemplatesetPermCtx(username=username, project_id=project_id, template_id=template_id)

    with pytest.raises(PermissionDeniedError) as denied:
        templateset_permission_obj.can_instantiate(perm_ctx)

    actual_url = denied.value.data['perms']['apply_url']

    # Both templateset requests target the same template under the same project.
    templateset_requests = [
        ActionResourcesRequest(
            action,
            resource_type=ResourceType.Templateset,
            resources=[template_id],
            parent_chain=[IAMResource(ResourceType.Project, project_id)],
        )
        for action in (TemplatesetAction.INSTANTIATE, TemplatesetAction.VIEW)
    ]
    view_project = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]
    )

    assert actual_url == generate_apply_url(username, [*templateset_requests, view_project])
def test_can_not_create(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: no cluster create permission, and no project view permission.

    The context carries no cluster id, and the expected create request is
    expressed against the project resource. ``cluster_id`` is requested as a
    fixture but not referenced in the body.
    """
    username = roles.ANONYMOUS_USER
    perm_ctx = ClusterPermCtx(username=username, project_id=project_id)

    with pytest.raises(PermissionDeniedError) as denied:
        cluster_permission_obj.can_create(perm_ctx)

    actual_url = denied.value.data['perms']['apply_url']

    create_cluster = ActionResourcesRequest(
        ClusterAction.CREATE,
        resource_type=ResourceType.Project,
        resources=[project_id],
    )
    view_project = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]
    )

    assert actual_url == generate_apply_url(username, [create_cluster, view_project])
def test_can_not_view_but_project(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: no cluster view permission, while project view permission is held.

    Delegates to ``self._test_can_not_view`` (defined outside this block)
    with the action list the denial is expected to request.
    """
    view_cluster = ActionResourcesRequest(
        ClusterAction.VIEW,
        resource_type=ResourceType.Cluster,
        resources=[cluster_id],
        parent_chain=[IAMResource(ResourceType.Project, project_id)],
    )
    # NOTE(review): ProjectAction.VIEW is expected here although the scenario
    # says this user already holds project view - confirm this is intended and
    # the apply URL is not asking for more than is missing.
    view_project = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]
    )

    self._test_can_not_view(
        roles.PROJECT_NO_CLUSTER_USER,
        cluster_permission_obj,
        project_id,
        cluster_id,
        expected_action_list=[view_cluster, view_project],
    )
def test_can_not_view(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: no cluster view permission, and no project view permission.

    Delegates to ``self._test_can_not_view`` (defined outside this block),
    expecting requests for cluster view and project view.
    """
    view_cluster = ActionResourcesRequest(
        ClusterAction.VIEW,
        # Resource type is taken from the permission object under test.
        resource_type=cluster_permission_obj.resource_type,
        resources=[cluster_id],
        parent_chain=[IAMResource(ResourceType.Project, project_id)],
    )
    view_project = ActionResourcesRequest(
        ProjectAction.VIEW,
        resource_type=ProjectPermission.resource_type,
        resources=[project_id],
    )

    self._test_can_not_view(
        roles.ANONYMOUS_USER,
        cluster_permission_obj,
        project_id,
        cluster_id,
        expected_action_list=[view_cluster, view_project],
    )
def test_can_view_but_no_project(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: cluster view permission is held, but project view is not.

    Delegates to ``self._test_can_not_view`` (defined outside this block);
    the only request expected is project view.
    """
    view_project = ActionResourcesRequest(
        ProjectAction.VIEW,
        resource_type=ProjectPermission.resource_type,
        resources=[project_id],
    )

    self._test_can_not_view(
        roles.CLUSTER_NO_PROJECT_USER,
        cluster_permission_obj,
        project_id,
        cluster_id,
        expected_action_list=[view_project],
    )
def test_can_manage_but_no_project(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: cluster manage permission is held, but there is no project permission.

    ``can_manage`` must raise ``PermissionDeniedError``; the apply URL must
    match the one generated for project view alone.
    """
    username = roles.CLUSTER_NO_PROJECT_USER
    perm_ctx = ClusterPermCtx(username=username, project_id=project_id, cluster_id=cluster_id)

    with pytest.raises(PermissionDeniedError) as denied:
        cluster_permission_obj.can_manage(perm_ctx)

    actual_url = denied.value.data['perms']['apply_url']

    view_project = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]
    )

    # No cluster action appears in the expected list for this role.
    assert actual_url == generate_apply_url(username, [view_project])
def test_can_instantiate_but_no_project(self, templateset_permission_obj, project_id, template_id):
    """Scenario: templateset instantiate permission is held, but project view is not.

    ``can_instantiate`` must raise ``PermissionDeniedError``; the apply URL
    must match the one generated for project view alone.
    """
    username = roles.TEMPLATESET_NO_PROJECT_USER
    perm_ctx = TemplatesetPermCtx(username=username, project_id=project_id, template_id=template_id)

    with pytest.raises(PermissionDeniedError) as denied:
        templateset_permission_obj.can_instantiate(perm_ctx)

    actual_url = denied.value.data['perms']['apply_url']

    view_project = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]
    )

    assert actual_url == generate_apply_url(username, [view_project])
def test_can_not_instantiate_in_ns(
    self,
    templateset_permission_obj,
    namespace_scoped_permission_obj,
    project_id,
    template_id,
    cluster_id,
    namespace,
):
    """Scenario: templateset instantiate permission is held, but not for the target namespace.

    ``can_instantiate_in_ns`` must raise ``PermissionDeniedError``. The apply
    URL must match the one generated for four namespace-scoped actions
    (create, view, update, delete), namespace view, cluster view and project
    view, in that order.
    """
    username = roles.PROJECT_TEMPLATESET_USER
    perm_ctx = TemplatesetPermCtx(username=username, project_id=project_id, template_id=template_id)

    # NOTE(review): namespace_scoped_permission_obj is requested but not
    # referenced here; presumably the fixture prepares state for the
    # namespace-level check - confirm.
    with pytest.raises(PermissionDeniedError) as denied:
        templateset_permission_obj.can_instantiate_in_ns(perm_ctx, cluster_id, namespace)

    iam_ns_id = calc_iam_ns_id(cluster_id, namespace)
    actual_url = denied.value.data['perms']['apply_url']

    def namespace_parent_chain():
        # Builds a fresh project -> cluster chain for every request.
        return [
            IAMResource(ResourceType.Project, project_id),
            IAMResource(ResourceType.Cluster, cluster_id),
        ]

    namespace_level_actions = (
        NamespaceScopedAction.CREATE,
        NamespaceScopedAction.VIEW,
        NamespaceScopedAction.UPDATE,
        NamespaceScopedAction.DELETE,
        NamespaceAction.VIEW,
    )
    expected_requests = [
        ActionResourcesRequest(
            action,
            ResourceType.Namespace,
            resources=[iam_ns_id],
            parent_chain=namespace_parent_chain(),
        )
        for action in namespace_level_actions
    ]
    expected_requests.append(
        ActionResourcesRequest(
            ClusterAction.VIEW,
            ResourceType.Cluster,
            resources=[cluster_id],
            parent_chain=[IAMResource(ResourceType.Project, project_id)],
        )
    )
    expected_requests.append(
        ActionResourcesRequest(ProjectAction.VIEW, ResourceType.Project, resources=[project_id])
    )

    assert actual_url == generate_apply_url(username, expected_requests)