def test_can_not_manage(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: no cluster-manage permission (and no project-view permission either).

    The denial payload must carry an apply URL covering every permission the
    anonymous user lacks: cluster MANAGE, cluster VIEW and project VIEW.
    """
    username = roles.ANONYMOUS_USER
    perm_ctx = ClusterPermCtx(username=username, project_id=project_id, cluster_id=cluster_id)

    # `exc_info` rather than `exec` so the builtin is not shadowed
    with pytest.raises(PermissionDeniedError) as exc_info:
        manage_cluster(perm_ctx)

    def under_project():
        # Fresh list per request: cluster resources hang off the project node.
        return [IAMResource(ResourceType.Project, project_id)]

    required = [
        ActionResourcesRequest(
            ClusterAction.MANAGE,
            resource_type=ClusterPermission.resource_type,
            resources=[cluster_id],
            parent_chain=under_project(),
        ),
        ActionResourcesRequest(
            ClusterAction.VIEW,
            resource_type=ClusterPermission.resource_type,
            resources=[cluster_id],
            parent_chain=under_project(),
        ),
        ActionResourcesRequest(
            ProjectAction.VIEW,
            resource_type=ProjectPermission.resource_type,
            resources=[project_id],
        ),
    ]
    # NOTE(review): this test drives the module-level manage_cluster() helper rather
    # than cluster_permission_obj.can_manage(), and reads data['apply_url'] instead of
    # the data['perms']['apply_url'] shape the sibling tests use; presumably the helper
    # raises with a flatter payload — confirm, and check the fixture is not simply unused.
    assert exc_info.value.data['apply_url'] == generate_apply_url(username, required)
def test_can_not_instantiate(self, templateset_permission_obj, project_id, template_id):
    """Scenario: no templateset-instantiate permission (and no project-view permission either).

    The apply URL in the denial must request templateset INSTANTIATE, templateset
    VIEW and project VIEW for the anonymous user.
    """
    username = roles.ANONYMOUS_USER
    perm_ctx = TemplatesetPermCtx(username=username, project_id=project_id, template_id=template_id)

    with pytest.raises(PermissionDeniedError) as exc_info:
        templateset_permission_obj.can_instantiate(perm_ctx)

    def under_project():
        # Fresh list per request so no two requests share a parent_chain object.
        return [IAMResource(ResourceType.Project, project_id)]

    def templateset_request(action):
        return ActionResourcesRequest(
            action,
            resource_type=ResourceType.Templateset,
            resources=[template_id],
            parent_chain=under_project(),
        )

    required = [
        templateset_request(TemplatesetAction.INSTANTIATE),
        templateset_request(TemplatesetAction.VIEW),
        ActionResourcesRequest(ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]),
    ]
    assert exc_info.value.data['perms']['apply_url'] == generate_apply_url(username, required)
def test_can_create_but_no_cluster(self, cluster_scoped_permission_obj, project_id, cluster_id):
    """Scenario: has cluster-scoped resource CREATE permission, but no permission on the cluster itself.

    Even though the scoped action is granted, the denial must still ask for
    cluster VIEW and project VIEW — the scoped grant alone is not sufficient.
    """
    username = roles.CLUSTER_SCOPED_NO_CLUSTER_USER
    perm_ctx = ClusterScopedPermCtx(username=username, project_id=project_id, cluster_id=cluster_id)

    with pytest.raises(PermissionDeniedError) as exc_info:
        cluster_scoped_permission_obj.can_create(perm_ctx)

    cluster_view = ActionResourcesRequest(
        ClusterAction.VIEW,
        resource_type=ResourceType.Cluster,
        resources=[cluster_id],
        parent_chain=[IAMResource(ResourceType.Project, project_id)],
    )
    project_view = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]
    )
    expected_url = generate_apply_url(username, [cluster_view, project_view])
    assert exc_info.value.data['perms']['apply_url'] == expected_url
def test_can_manage_but_no_view(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: has cluster MANAGE permission, but no cluster VIEW permission.

    MANAGE without VIEW is still a denial; the apply URL should request the
    missing cluster VIEW and project VIEW only (MANAGE is already held).
    """
    username = roles.CLUSTER_MANAGE_NOT_VIEW_USER
    perm_ctx = ClusterPermCtx(username=username, project_id=project_id, cluster_id=cluster_id)

    with pytest.raises(PermissionDeniedError) as exc_info:
        cluster_permission_obj.can_manage(perm_ctx)

    cluster_view = ActionResourcesRequest(
        ClusterAction.VIEW,
        resource_type=ResourceType.Cluster,
        resources=[cluster_id],
        parent_chain=[IAMResource(ResourceType.Project, project_id)],
    )
    project_view = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]
    )
    expected_url = generate_apply_url(username, [cluster_view, project_view])
    assert exc_info.value.data['perms']['apply_url'] == expected_url
def test_can_not_view_but_project(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: no cluster VIEW permission, but project VIEW permission is held.

    Delegates to the shared ``_test_can_not_view`` helper (defined elsewhere in
    this class) with the expected request list; the list still includes project
    VIEW, so the helper is presumably comparing against the full dependency set
    rather than only the missing actions — confirm against the helper.
    """
    cluster_view = ActionResourcesRequest(
        ClusterAction.VIEW,
        resource_type=ResourceType.Cluster,
        resources=[cluster_id],
        parent_chain=[IAMResource(ResourceType.Project, project_id)],
    )
    project_view = ActionResourcesRequest(
        ProjectAction.VIEW, resource_type=ResourceType.Project, resources=[project_id]
    )
    self._test_can_not_view(
        roles.PROJECT_NO_CLUSTER_USER,
        cluster_permission_obj,
        project_id,
        cluster_id,
        expected_action_list=[cluster_view, project_view],
    )
def test_can_not_view(self, cluster_permission_obj, project_id, cluster_id):
    """Scenario: no cluster VIEW permission and no project VIEW permission.

    Delegates to the shared ``_test_can_not_view`` helper (defined elsewhere in
    this class). The cluster resource type is taken from the fixture's
    ``resource_type`` attribute rather than the ``ResourceType`` enum directly.
    """
    cluster_view = ActionResourcesRequest(
        ClusterAction.VIEW,
        resource_type=cluster_permission_obj.resource_type,
        resources=[cluster_id],
        parent_chain=[IAMResource(ResourceType.Project, project_id)],
    )
    project_view = ActionResourcesRequest(
        ProjectAction.VIEW,
        resource_type=ProjectPermission.resource_type,
        resources=[project_id],
    )
    self._test_can_not_view(
        roles.ANONYMOUS_USER,
        cluster_permission_obj,
        project_id,
        cluster_id,
        expected_action_list=[cluster_view, project_view],
    )
def get_parent_chain(self) -> List[IAMResource]:
    """Return the IAM ancestry of this context's cluster: its project first, then the cluster.

    Built from ``self.project_id`` and ``self.cluster_id``; order matters, as the
    chain is consumed outermost-first by callers building resource requests.
    """
    project_node = IAMResource(ResourceType.Project, self.project_id)
    cluster_node = IAMResource(ResourceType.Cluster, self.cluster_id)
    return [project_node, cluster_node]
def get_parent_chain(self, perm_ctx: TemplatesetPermCtx) -> List[IAMResource]:
    """Return the IAM ancestry of a templateset: a single-node chain holding its project.

    Args:
        perm_ctx: context whose ``project_id`` identifies the owning project.
    """
    project_node = IAMResource(ResourceType.Project, perm_ctx.project_id)
    return [project_node]
def test_can_not_instantiate_in_ns(
    self,
    templateset_permission_obj,
    namespace_scoped_permission_obj,
    project_id,
    template_id,
    cluster_id,
    namespace,
):
    """Scenario: has templateset INSTANTIATE permission, but may not instantiate into the namespace.

    The denial's apply URL must enumerate, in order: namespace-scoped CREATE,
    VIEW, UPDATE and DELETE, namespace VIEW, cluster VIEW and project VIEW.
    All namespace-level requests use the IAM namespace id derived from
    ``(cluster_id, namespace)`` by ``calc_iam_ns_id``.
    """
    username = roles.PROJECT_TEMPLATESET_USER
    perm_ctx = TemplatesetPermCtx(username=username, project_id=project_id, template_id=template_id)

    with pytest.raises(PermissionDeniedError) as exc_info:
        templateset_permission_obj.can_instantiate_in_ns(perm_ctx, cluster_id, namespace)

    iam_ns_id = calc_iam_ns_id(cluster_id, namespace)

    def under_cluster():
        # Fresh list per request: namespaces hang off project -> cluster.
        return [
            IAMResource(ResourceType.Project, project_id),
            IAMResource(ResourceType.Cluster, cluster_id),
        ]

    # Order is significant: the generated URL is compared as a whole.
    namespace_level_actions = [
        NamespaceScopedAction.CREATE,
        NamespaceScopedAction.VIEW,
        NamespaceScopedAction.UPDATE,
        NamespaceScopedAction.DELETE,
        NamespaceAction.VIEW,
    ]
    required = [
        ActionResourcesRequest(
            action,
            ResourceType.Namespace,
            resources=[iam_ns_id],
            parent_chain=under_cluster(),
        )
        for action in namespace_level_actions
    ]
    required.append(
        ActionResourcesRequest(
            ClusterAction.VIEW,
            ResourceType.Cluster,
            resources=[cluster_id],
            parent_chain=[IAMResource(ResourceType.Project, project_id)],
        )
    )
    required.append(
        ActionResourcesRequest(ProjectAction.VIEW, ResourceType.Project, resources=[project_id])
    )
    assert exc_info.value.data['perms']['apply_url'] == generate_apply_url(username, required)
def get_parent_chain(self, perm_ctx: NamespacePermCtx) -> List[IAMResource]:
    """Return the IAM ancestry of a namespace: its project first, then its cluster.

    Args:
        perm_ctx: context supplying ``project_id`` and ``cluster_id``.
    """
    project_node = IAMResource(ResourceType.Project, perm_ctx.project_id)
    cluster_node = IAMResource(ResourceType.Cluster, perm_ctx.cluster_id)
    return [project_node, cluster_node]