def testSetWithInvalidPolicy(self):
"""
L{FacadePermissionMixin.updatePermission} raises a L{TInvalidPolicy}
error if the given C{policy} is invalid.
"""
policyAndExceptions = TPolicyAndExceptions(u'invalid', [])
with login(u'username', uuid4(), self.transact) as session:
deferred = self.facade.updatePermission(session, u'namespaces',
u'create', u'username',
policyAndExceptions)
yield self.assertFailure(deferred, TInvalidPolicy)
def testSetWithSuperuser(self):
"""
L{FacadePermissionMixin.updatePermission} raises a L{TInvalidUsername}
error if a superuser is specified in the exceptions list.
"""
policyAndExceptions = TPolicyAndExceptions(u'closed', [u'fluiddb'])
with login(u'username', uuid4(), self.transact) as session:
deferred = self.facade.updatePermission(
session, u'tags', u'update', u'username/tag',
policyAndExceptions)
yield self.assertFailure(deferred, TInvalidUsername)
def testSetWithUnknownTag(self):
"""
L{FacadePermissionMixin.updatePermission} raises a L{TNonexistentTag}
error if the given L{Tag} path does not exist.
"""
policyAndExceptions = TPolicyAndExceptions(u'closed', [])
with login(u'username', uuid4(), self.transact) as session:
deferred = self.facade.updatePermission(
session, u'tags', u'update', u'username/unknown',
policyAndExceptions)
yield self.assertFailure(deferred, TNonexistentTag)
def testSetWithInvalidCategory(self):
"""
L{FacadePermissionMixin.updatePermission} raises a L{TBadRequest} error
if the given C{category} is invalid.
"""
policyAndExceptions = TPolicyAndExceptions(u'closed', [])
with login(u'username', uuid4(), self.transact) as session:
deferred = self.facade.updatePermission(session, u'invalid',
u'update', u'username',
policyAndExceptions)
yield self.assertFailure(deferred, TBadRequest)
def testSetWithAnonymous(self):
"""
L{FacadePermissionMixin.updatePermission} raises a L{TInvalidUsername}
error if the anonymous user is specified in the exceptions list for
non-allowed operations.
"""
policyAndExceptions = TPolicyAndExceptions(u'closed', [u'anon'])
with login(u'username', uuid4(), self.transact) as session:
deferred = self.facade.updatePermission(
session, u'tags', u'update', u'username/tag',
policyAndExceptions)
yield self.assertFailure(deferred, TInvalidUsername)
def testSetWithUnknownUser(self):
"""
L{FacadePermissionMixin.updatePermission} raises a L{TNoSuchUser}
error if a L{User} in the exceptions list doesn't exist.
"""
policyAndExceptions = TPolicyAndExceptions(u'closed', [u'unknown'])
with login(u'username', uuid4(), self.transact) as session:
deferred = self.facade.updatePermission(
session, u'tags', u'update', u'username/tag',
policyAndExceptions)
error = yield self.assertFailure(deferred, TNoSuchUser)
self.assertEqual('unknown', error.name)
def testSetTagValuePermissions(self):
"""
L{FacadePermissionMixin.updatePermission} updates the permissions for a
given L{TagValue} path.
"""
policyAndExceptions = TPolicyAndExceptions(u'closed', [u'username'])
with login(u'username', uuid4(), self.transact) as session:
yield self.facade.updatePermission(session, u'tag-values',
u'write', u'username/tag',
policyAndExceptions)
pathAndAction = (u'username/tag', Operation.WRITE_TAG_VALUE)
result = self.permissions.get([pathAndAction])
self.assertEqual((Policy.CLOSED, [u'username']), result[pathAndAction])
def testSetTagPermissions(self):
"""
L{FacadePermissionMixin.updatePermission} updates the permissions for a
given L{Tag} path.
"""
policyAndExceptions = TPolicyAndExceptions(u'open', [u'username'])
with login(u'username', uuid4(), self.transact) as session:
yield self.facade.updatePermission(session, u'tags', u'update',
u'username/tag',
policyAndExceptions)
pathAndAction = (u'username/tag', Operation.UPDATE_TAG)
result = self.permissions.get([pathAndAction])
self.assertEqual((Policy.OPEN, [u'username']), result[pathAndAction])
def testSetNamespacePermissions(self):
"""
L{FacadePermissionMixin.updatePermission} updates the permissions for a
given L{Namespace} path.
"""
policyAndExceptions = TPolicyAndExceptions(u'closed', [])
with login(u'username', uuid4(), self.transact) as session:
yield self.facade.updatePermission(session, u'namespaces',
u'create', u'username',
policyAndExceptions)
pathAndAction = (u'username', Operation.CREATE_NAMESPACE)
result = self.permissions.get([pathAndAction])
self.assertEqual((Policy.CLOSED, []), result[pathAndAction])
def testSetTagValuePermissionsIsDenied(self):
"""
L{FacadePermissionMixin.updatePermission} raises a
L{TPathPermissionDenied} error if the user doesn't have
C{Operation.CONTROL_TAG_VALUE} permissions on the given L{Tag}.
"""
self.permissions.set([(u'username/tag', Operation.CONTROL_TAG_VALUE,
Policy.CLOSED, [])])
policyAndExceptions = TPolicyAndExceptions(u'open', [])
with login(u'username', uuid4(), self.transact) as session:
deferred = self.facade.updatePermission(
session, u'tag-values', u'control', u'username/tag',
policyAndExceptions)
yield self.assertFailure(deferred, TPathPermissionDenied)
def deferred_render_PUT(self, request):
# TODO: usages should be cached locally; lookup is expensive.
usage = registry.findUsage(httpPermissionCategoryName, 'PUT',
self.__class__)
dictionary = registry.checkRequest(usage, request)
action = request.args[actionArg][0].lower()
policyAndExceptions = TPolicyAndExceptions(
policy=dictionary['policy'],
exceptions=set(dictionary['exceptions']))
yield self.facadeClient.updatePermission(self.session, self.category,
action,
sep.join(request.postpath),
policyAndExceptions)
request.setResponseCode(usage.successCode)
def testSetWithUnknownUserUTF8EncodesUsername(self):
"""
L{FacadePermissionMixin.updatePermission} raises a L{TNoSuchUser}
error if a L{User} in the exceptions list doesn't exist. The username
passed to L{TNoSuchUser} is UTF-8 encoded.
"""
policyAndExceptions = TPolicyAndExceptions(u'closed',
[u'\N{HIRAGANA LETTER A}'])
with login(u'username', uuid4(), self.transact) as session:
deferred = self.facade.updatePermission(
session, u'tags', u'update', u'username/tag',
policyAndExceptions)
error = yield self.assertFailure(deferred, TNoSuchUser)
self.assertEqual(u'\N{HIRAGANA LETTER A}'.encode('utf-8'),
error.name)
def run():
permissions = SecurePermissionAPI(session.auth.user)
try:
result = permissions.get([(path, operation)])
except UnknownPathError as error:
session.log.exception(error)
unknownPath = error.paths[0]
if operation in Operation.TAG_OPERATIONS:
raise TNonexistentTag(unknownPath.encode('utf-8'))
if operation in Operation.NAMESPACE_OPERATIONS:
raise TNonexistentNamespace(unknownPath.encode('utf-8'))
raise
except PermissionDeniedError as error:
session.log.exception(error)
deniedPath, deniedOperation = error.pathsAndOperations[0]
deniedCategory, deniedAction = getCategoryAndAction(
deniedOperation)
raise TPathPermissionDenied(deniedPath, deniedCategory,
deniedAction)
policy, exceptions = result[(path, operation)]
policy = str(policy).lower()
return TPolicyAndExceptions(policy=policy, exceptions=exceptions)