def setUp(self): self.authz = AuthorizationPolicy() self.authz.get_bound_permissions = lambda o, p: [] self.request = DummyRequest(method="GET") self.context = RouteFactory(self.request) self.context.on_plural_endpoint = True self.context.check_permission = mock.Mock(return_value=False)
class GuestAuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.authz.get_bound_permissions = lambda o, p: [] self.request = DummyRequest(method='GET') self.context = RouteFactory(self.request) self.context.on_collection = True self.context.check_permission = mock.Mock(return_value=False) def test_permits_returns_true_if_collection_and_shared_records(self): self.context.fetch_shared_records = mock.MagicMock(return_value=[ 'record1', 'record2']) allowed = self.authz.permits(self.context, ['userid'], 'dynamic') # Note: we use the list of principals from request.prefixed_principals self.context.fetch_shared_records.assert_called_with( 'read', ['basicauth:bob', 'system.Everyone', 'system.Authenticated'], self.authz.get_bound_permissions) self.assertTrue(allowed) def test_permits_does_not_return_true_if_not_collection(self): self.context.on_collection = False allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.assertFalse(allowed) def test_permits_does_not_return_true_if_not_list_operation(self): self.context.required_permission = 'create' allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.assertFalse(allowed) allowed = self.authz.permits(self.context, ['userid'], 'create') self.assertFalse(allowed) def test_permits_returns_false_if_collection_is_unknown(self): self.context.fetch_shared_records = mock.MagicMock(return_value=None) allowed = self.authz.permits(self.context, ['userid'], 'dynamic') # Note: we use the list of principals from request.prefixed_principals self.context.fetch_shared_records.assert_called_with( 'read', ['basicauth:bob', 'system.Everyone', 'system.Authenticated'], self.authz.get_bound_permissions) self.assertFalse(allowed) def test_perm_object_id_is_naive_if_no_record_path_exists(self): def route_path(service_name, **kwargs): # Simulate a resource that has no record_path (only list). if service_name == 'article-record': raise KeyError return '/comments/sub/{id}'.format_map(kwargs) self.request.route_path.side_effect = route_path self.request.path = '/comments' self.context.resource_name = 'comment' obj_id = self.context.get_permission_object_id(self.request, '*') self.assertEquals(obj_id, '/comments/sub/*') self.request.path = '/articles' self.context.resource_name = 'article' obj_id = self.context.get_permission_object_id(self.request, '*') self.assertEquals(obj_id, '/articles/*')
def setUp(self): self.authz = AuthorizationPolicy() self.authz.get_bound_permissions = mock.sentinel.get_bound_perms self.request = DummyRequest(method='GET') self.context = RouteFactory(self.request) self.context.on_collection = True self.context.check_permission = mock.Mock(return_value=False)
class GuestAuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.authz.get_bound_permissions = lambda o, p: [] self.request = DummyRequest(method='GET') self.context = RouteFactory(self.request) self.context.on_collection = True self.context.check_permission = mock.Mock(return_value=False) def test_permits_returns_true_if_collection_and_shared_records(self): self.context.fetch_shared_records = mock.MagicMock( return_value=['record1', 'record2']) allowed = self.authz.permits(self.context, ['userid'], 'dynamic') # Note: we use the list of principals from request.prefixed_principals self.context.fetch_shared_records.assert_called_with( 'read', ['system.Everyone', 'system.Authenticated', 'basicauth:bob'], self.authz.get_bound_permissions) self.assertTrue(allowed) def test_permits_does_not_return_true_if_not_collection(self): self.context.on_collection = False allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.assertFalse(allowed) def test_permits_does_not_return_true_if_not_list_operation(self): self.context.required_permission = 'create' allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.assertFalse(allowed) allowed = self.authz.permits(self.context, ['userid'], 'create') self.assertFalse(allowed) def test_permits_returns_false_if_collection_is_unknown(self): self.context.fetch_shared_records = mock.MagicMock(return_value=None) allowed = self.authz.permits(self.context, ['userid'], 'dynamic') # Note: we use the list of principals from request.prefixed_principals self.context.fetch_shared_records.assert_called_with( 'read', ['system.Everyone', 'system.Authenticated', 'basicauth:bob'], self.authz.get_bound_permissions) self.assertFalse(allowed) def test_perm_object_id_is_naive_if_no_record_path_exists(self): def route_path(service_name, **kwargs): # Simulate a resource that has no record_path (only list). if service_name == 'article-record': raise KeyError return '/comments/sub/{id}'.format(**kwargs) self.request.route_path.side_effect = route_path self.request.path = '/comments' self.context.resource_name = 'comment' obj_id = self.context.get_permission_object_id(self.request, '*') self.assertEquals(obj_id, '/comments/sub/*') self.request.path = '/articles' self.context.resource_name = 'article' obj_id = self.context.get_permission_object_id(self.request, '*') self.assertEquals(obj_id, '/articles/*')
def setUp(self): self.authz = AuthorizationPolicy() self.context = mock.MagicMock() self.context.permission_object_id = "/articles/43/comments/2" self.context.required_permission = "read" self.principals = ["portier:yourself"] self.context.get_prefixed_principals.return_value = self.principals self.permission = "dynamic"
def setUp(self): self.authz = AuthorizationPolicy() self.context = mock.MagicMock() self.context.permission_object_id = '/articles/43/comments/2' self.context.required_permission = 'read' self.principals = [] self.context.get_prefixed_principals.return_value = self.principals self.permission = 'dynamic'
def setUp(self): self.authz = AuthorizationPolicy() self.context = mock.MagicMock() self.context.get_prefixed_userid.return_value = None self.context.allowed_principals = [] self.context.permission_object_id = mock.sentinel.object_id self.context.required_permission = 'read' self.principals = [] self.permission = 'dynamic'
def setUp(self): self.authz = AuthorizationPolicy() self.authz.get_bound_permissions = lambda o, p: [] self.request = DummyRequest(method="GET") self.context = RouteFactory(self.request) self.context.on_collection = True self.context.check_permission = mock.Mock(return_value=False)
class GuestAuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.authz.get_bound_permissions = mock.sentinel.get_bound_perms self.request = DummyRequest(method='GET') self.context = RouteFactory(self.request) self.context.on_collection = True self.context.check_permission = mock.Mock(return_value=False) def test_permits_returns_true_if_collection_and_shared_records(self): self.context.fetch_shared_records = mock.MagicMock(return_value=[ 'record1', 'record2']) allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.context.fetch_shared_records.assert_called_with( 'read', ['userid'], get_bound_permissions=mock.sentinel.get_bound_perms) self.assertTrue(allowed) def test_permits_does_not_return_true_if_not_collection(self): self.context.on_collection = False allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.assertFalse(allowed) def test_permits_does_not_return_true_if_not_list_operation(self): self.context.required_permission = 'create' allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.assertFalse(allowed) allowed = self.authz.permits(self.context, ['userid'], 'create') self.assertFalse(allowed) def test_permits_returns_false_if_collection_is_unknown(self): self.context.fetch_shared_records = mock.MagicMock(return_value=None) allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.context.fetch_shared_records.assert_called_with( 'read', ['userid'], get_bound_permissions=mock.sentinel.get_bound_perms) self.assertFalse(allowed)
class GuestAuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.authz.get_bound_permissions = mock.sentinel.get_bound_perms self.request = DummyRequest(method='GET') self.context = RouteFactory(self.request) self.context.on_collection = True self.context.check_permission = mock.Mock(return_value=False) def test_permits_returns_true_if_collection_and_shared_records(self): self.context.fetch_shared_records = mock.MagicMock( return_value=['record1', 'record2']) allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.context.fetch_shared_records.assert_called_with( 'read', ['userid'], get_bound_permissions=mock.sentinel.get_bound_perms) self.assertTrue(allowed) def test_permits_does_not_return_true_if_not_collection(self): self.context.on_collection = False allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.assertFalse(allowed) def test_permits_does_not_return_true_if_not_list_operation(self): self.context.required_permission = 'create' allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.assertFalse(allowed) allowed = self.authz.permits(self.context, ['userid'], 'create') self.assertFalse(allowed) def test_permits_returns_false_if_collection_is_unknown(self): self.context.fetch_shared_records = mock.MagicMock(return_value=None) allowed = self.authz.permits(self.context, ['userid'], 'dynamic') self.context.fetch_shared_records.assert_called_with( 'read', ['userid'], get_bound_permissions=mock.sentinel.get_bound_perms) self.assertFalse(allowed)
class AuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.context = mock.MagicMock() self.context.permission_object_id = '/articles/43/comments/2' self.context.required_permission = 'read' self.principals = [] self.context.get_prefixed_principals.return_value = self.principals self.permission = 'dynamic' def test_permits_does_not_refer_to_context_if_permission_is_private(self): self.assertFalse(self.authz.permits(None, [], 'private')) def test_permits_return_if_authenticated_when_permission_is_private(self): self.assertTrue( self.authz.permits(None, ['system.Authenticated'], 'private')) def test_permits_refers_to_context_to_check_permissions(self): self.context.check_permission.return_value = True allowed = self.authz.permits(self.context, self.principals, 'dynamic') self.assertTrue(allowed) def test_permits_refers_to_context_to_check_permission_principals(self): self.context.check_permission.return_value = False allowed = self.authz.permits(self.context, ['fxa:user', 'system.Authenticated'], 'dynamic') self.assertTrue(allowed) def test_permits_reads_the_context_when_permission_is_dynamic(self): self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, 'read')]) def test_permits_uses_get_bound_permissions_if_defined(self): self.authz.get_bound_permissions = lambda o, p: mock.sentinel.callback self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( self.principals, mock.sentinel.callback) def test_permits_calls_get_bound_permissions_with_context_info(self): self.authz.get_bound_permissions = mock.Mock(return_value=[]) self.authz.permits(self.context, self.principals, 'dynamic') self.authz.get_bound_permissions.assert_called_with( self.context.permission_object_id, 'read') def test_permits_consider_permission_when_not_dynamic(self): self.authz.permits(self.context, self.principals, 'foobar') self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, 'foobar')]) def test_permits_prepend_obj_type_to_permission_on_create(self): self.context.required_permission = 'create' self.context.resource_name = 'record' self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, 'record:create')]) def test_permits_takes_route_factory_allowed_principals_into_account(self): self.context.resource_name = 'record' self.context.required_permission = 'create' self.context._settings = {'record_create_principals': 'fxa:user'} allowed = self.authz.permits(self.context, ['fxa:user'], 'dynamic') self.context._check_permission.assert_not_called() self.assertTrue(allowed)
class GuestAuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.authz.get_bound_permissions = lambda o, p: [] self.request = DummyRequest(method="GET") self.context = RouteFactory(self.request) self.context.on_plural_endpoint = True self.context.check_permission = mock.Mock(return_value=False) def test_permits_returns_true_if_plural_endpoint_and_shared_objects(self): self.context.fetch_shared_objects = mock.MagicMock( return_value=["object1", "object2"]) allowed = self.authz.permits(self.context, ["userid"], "dynamic") # Note: we use the list of principals from request.prefixed_principals self.context.fetch_shared_objects.assert_called_with( "read", ["basicauth:bob", "system.Everyone", "system.Authenticated"], self.authz.get_bound_permissions, ) self.assertTrue(allowed) def test_permits_does_not_return_true_if_not_plural_endpoint(self): self.context.on_plural_endpoint = False allowed = self.authz.permits(self.context, ["userid"], "dynamic") self.assertFalse(allowed) def test_permits_does_not_return_true_if_not_list_operation(self): self.context.required_permission = "create" allowed = self.authz.permits(self.context, ["userid"], "dynamic") self.assertFalse(allowed) allowed = self.authz.permits(self.context, ["userid"], "create") self.assertFalse(allowed) def test_permits_returns_false_if_resource_is_unknown(self): self.context.fetch_shared_objects = mock.MagicMock(return_value=None) allowed = self.authz.permits(self.context, ["userid"], "dynamic") # Note: we use the list of principals from request.prefixed_principals self.context.fetch_shared_objects.assert_called_with( "read", ["basicauth:bob", "system.Everyone", "system.Authenticated"], self.authz.get_bound_permissions, ) self.assertFalse(allowed) def test_perm_object_id_is_naive_if_no_object_path_exists(self): def route_path(service_name, **kwargs): # Simulate a resource that has no object_path (only list). if service_name == "article-object": raise KeyError return "/comments/sub/{id}".format_map(kwargs) self.request.route_path.side_effect = route_path self.request.path = "/comments" self.context.resource_name = "comment" obj_id = self.context.get_permission_object_id(self.request, "*") self.assertEqual(obj_id, "/comments/sub/*") self.request.path = "/articles" self.context.resource_name = "article" obj_id = self.context.get_permission_object_id(self.request, "*") self.assertEqual(obj_id, "/articles/*")
class AuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.context = mock.MagicMock() self.context.permission_object_id = '/articles/43/comments/2' self.context.required_permission = 'read' self.principals = ["portier:yourself"] self.context.get_prefixed_principals.return_value = self.principals self.permission = 'dynamic' def test_permits_does_not_refer_to_context_if_permission_is_private(self): self.assertFalse(self.authz.permits(None, [], 'private')) def test_permits_return_if_authenticated_when_permission_is_private(self): self.assertTrue( self.authz.permits(None, ['system.Authenticated'], 'private')) def test_permits_logs_authz_failures(self): self.context.on_collection = False self.context.check_permission.return_value = False with mock.patch('kinto.core.authorization.logger') as mocked: self.authz.permits(self.context, self.principals, 'dynamic') userid = 'portier:yourself' object_id = '/articles/43/comments/2' perm = 'read' mocked.warn.assert_called_with( 'Permission %r on %r not granted to %r.', perm, object_id, userid, extra=dict(perm=perm, uri=object_id, userid=userid)) def test_permits_refers_to_context_to_check_permissions(self): self.context.check_permission.return_value = True allowed = self.authz.permits(self.context, self.principals, 'dynamic') self.assertTrue(allowed) def test_permits_refers_to_context_to_check_permission_principals(self): self.context.check_permission.return_value = False allowed = self.authz.permits(self.context, self.principals, 'dynamic') self.assertTrue(allowed) def test_permits_reads_the_context_when_permission_is_dynamic(self): self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, 'read')]) def test_permits_uses_get_bound_permissions_if_defined(self): self.authz.get_bound_permissions = lambda o, p: mock.sentinel.callback self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( self.principals, mock.sentinel.callback) def test_permits_calls_get_bound_permissions_with_context_info(self): self.authz.get_bound_permissions = mock.Mock(return_value=[]) self.authz.permits(self.context, self.principals, 'dynamic') self.authz.get_bound_permissions.assert_called_with( self.context.permission_object_id, 'read') def test_permits_consider_permission_when_not_dynamic(self): self.authz.permits(self.context, self.principals, 'foobar') self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, 'foobar')]) def test_permits_prepend_obj_type_to_permission_on_create(self): self.context.required_permission = 'create' self.context.resource_name = 'record' self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, 'record:create')]) def test_permits_takes_route_factory_allowed_principals_into_account(self): self.context.resource_name = 'record' self.context.required_permission = 'create' self.context._settings = {'record_create_principals': 'fxa:user'} allowed = self.authz.permits(self.context, self.principals, 'dynamic') self.context._check_permission.assert_not_called() self.assertTrue(allowed)
class AuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.context = mock.MagicMock() self.context.permission_object_id = "/articles/43/comments/2" self.context.required_permission = "read" self.principals = ["portier:yourself"] self.context.get_prefixed_principals.return_value = self.principals self.permission = "dynamic" def test_permits_logs_authz_failures(self): self.context.on_plural_endpoint = False self.context.check_permission.return_value = False with mock.patch("kinto.core.authorization.logger") as mocked: self.authz.permits(self.context, self.principals, "dynamic") userid = "portier:yourself" object_id = "/articles/43/comments/2" perm = "read" mocked.warning.assert_called_with( "Permission %r on %r not granted to %r.", perm, object_id, userid, extra=dict(perm=perm, uri=object_id, userid=userid), ) def test_permits_refers_to_context_to_check_permissions(self): self.context.check_permission.return_value = True allowed = self.authz.permits(self.context, self.principals, "dynamic") self.assertTrue(allowed) def test_permits_refers_to_context_to_check_permission_principals(self): self.context.check_permission.return_value = False allowed = self.authz.permits(self.context, self.principals, "dynamic") self.assertTrue(allowed) def test_permits_reads_the_context(self): self.authz.permits(self.context, self.principals, "dynamic") self.context.check_permission.assert_called_with( self.principals, [ (self.context.permission_object_id, "read"), (self.context.permission_object_id, "write"), ], ) def test_permits_bypasses_the_permissions_backend_if_private(self): self.authz.permits(self.context, self.principals, "private") self.context.check_permission.assert_not_called() def test_permits_returns_true_if_authenticated(self): assert self.authz.permits(self.context, ["system.Authenticated"], "private") assert not self.authz.permits(self.context, [], "private") def test_permits_uses_get_bound_permissions_if_defined(self): self.authz.get_bound_permissions = lambda o, p: mock.sentinel.callback self.authz.permits(self.context, self.principals, "dynamic") self.context.check_permission.assert_called_with( self.principals, mock.sentinel.callback) def test_permits_calls_get_bound_permissions_with_context_info(self): self.authz.get_bound_permissions = mock.Mock(return_value=[]) self.authz.permits(self.context, self.principals, "dynamic") self.authz.get_bound_permissions.assert_called_with( self.context.permission_object_id, "read") def test_permits_prepend_obj_type_to_permission_on_create(self): self.context.required_permission = "create" self.context.resource_name = "object" self.authz.permits(self.context, self.principals, "dynamic") self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, "object:create")]) def test_permits_takes_route_factory_allowed_principals_into_account(self): self.context.resource_name = "object" self.context.required_permission = "create" self.context._settings = {"object_create_principals": "fxa:user"} allowed = self.authz.permits(self.context, self.principals, "dynamic") self.context._check_permission.assert_not_called() self.assertTrue(allowed)
class AuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.context = mock.MagicMock() self.context.permission_object_id = "/articles/43/comments/2" self.context.required_permission = "read" self.principals = ["portier:yourself"] self.context.get_prefixed_principals.return_value = self.principals self.permission = "dynamic" def test_permits_does_not_refer_to_context_if_permission_is_private(self): self.assertFalse(self.authz.permits(None, [], "private")) def test_permits_return_if_authenticated_when_permission_is_private(self): self.assertTrue(self.authz.permits(None, ["system.Authenticated"], "private")) def test_permits_logs_authz_failures(self): self.context.on_collection = False self.context.check_permission.return_value = False with mock.patch("kinto.core.authorization.logger") as mocked: self.authz.permits(self.context, self.principals, "dynamic") userid = "portier:yourself" object_id = "/articles/43/comments/2" perm = "read" mocked.warn.assert_called_with( "Permission %r on %r not granted to %r.", perm, object_id, userid, extra=dict(perm=perm, uri=object_id, userid=userid), ) def test_permits_refers_to_context_to_check_permissions(self): self.context.check_permission.return_value = True allowed = self.authz.permits(self.context, self.principals, "dynamic") self.assertTrue(allowed) def test_permits_refers_to_context_to_check_permission_principals(self): self.context.check_permission.return_value = False allowed = self.authz.permits(self.context, self.principals, "dynamic") self.assertTrue(allowed) def test_permits_reads_the_context_when_permission_is_dynamic(self): self.authz.permits(self.context, self.principals, "dynamic") self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, "read")] ) def test_permits_uses_get_bound_permissions_if_defined(self): self.authz.get_bound_permissions = lambda o, p: mock.sentinel.callback self.authz.permits(self.context, self.principals, "dynamic") self.context.check_permission.assert_called_with(self.principals, mock.sentinel.callback) def test_permits_calls_get_bound_permissions_with_context_info(self): self.authz.get_bound_permissions = mock.Mock(return_value=[]) self.authz.permits(self.context, self.principals, "dynamic") self.authz.get_bound_permissions.assert_called_with( self.context.permission_object_id, "read" ) def test_permits_consider_permission_when_not_dynamic(self): self.authz.permits(self.context, self.principals, "foobar") self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, "foobar")] ) def test_permits_prepend_obj_type_to_permission_on_create(self): self.context.required_permission = "create" self.context.resource_name = "record" self.authz.permits(self.context, self.principals, "dynamic") self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, "record:create")] ) def test_permits_takes_route_factory_allowed_principals_into_account(self): self.context.resource_name = "record" self.context.required_permission = "create" self.context._settings = {"record_create_principals": "fxa:user"} allowed = self.authz.permits(self.context, self.principals, "dynamic") self.context._check_permission.assert_not_called() self.assertTrue(allowed)
class AuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.authz.get_bound_permissions = mock.sentinel.get_bound_perms self.context = mock.MagicMock() self.context.get_prefixed_userid.return_value = None self.context.allowed_principals = [] self.context.object_id = mock.sentinel.object_id self.context.required_permission = 'read' self.principals = [] self.permission = 'dynamic' def test_permits_does_not_refer_to_context_if_permission_is_private(self): self.assertFalse(self.authz.permits(None, [], 'private')) def test_permits_return_if_authenticated_when_permission_is_private(self): self.assertTrue( self.authz.permits(None, ['system.Authenticated'], 'private')) def test_permits_refers_to_context_to_check_permissions(self): self.context.check_permission.return_value = True allowed = self.authz.permits(self.context, self.principals, 'dynamic') self.assertTrue(allowed) def test_permits_refers_to_context_to_check_permission_principals(self): self.context.check_permission.return_value = False self.context.allowed_principals = ['fxa:user'] allowed = self.authz.permits(self.context, ['fxa:user', 'system.Authenticated'], 'dynamic') self.assertTrue(allowed) def test_permits_reads_the_context_when_permission_is_dynamic(self): self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( 'read', self.principals, get_bound_permissions=mock.sentinel.get_bound_perms) def test_permits_consider_permission_when_not_dynamic(self): self.authz.permits(self.context, self.principals, 'foobar') self.context.check_permission.assert_called_with( 'foobar', self.principals, get_bound_permissions=mock.sentinel.get_bound_perms) def test_permits_prepend_obj_type_to_permission_on_create(self): self.context.required_permission = 'create' self.context.resource_name = 'record' self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( 'record:create', self.principals, get_bound_permissions=mock.sentinel.get_bound_perms) def test_permits_takes_route_factory_allowed_principals_into_account(self): self.context.resource_name = 'record' self.context.required_permission = 'create' self.context.allowed_principals = ['fxa:user'] has_permission = self.authz.permits(self.context, ['fxa:user'], 'dynamic') self.context.check_permission.assert_not_called() self.assertTrue(has_permission) def test_prefixed_userid_is_added_to_principals(self): self.context.get_prefixed_userid.return_value = 'fxa:userid' self.authz.permits(self.context, self.principals, 'foobar') self.context.check_permission.assert_called_with( 'foobar', self.principals + ['fxa:userid', 'fxa_userid'], get_bound_permissions=mock.sentinel.get_bound_perms) def test_unprefixed_userid_is_removed_from_principals(self): self.context.get_prefixed_userid.return_value = 'fxa:userid' self.authz.permits(self.context, ['userid'], 'foobar') self.context.check_permission.assert_called_with( 'foobar', ['fxa:userid', 'fxa_userid'], get_bound_permissions=mock.sentinel.get_bound_perms)
class GuestAuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.authz.get_bound_permissions = lambda o, p: [] self.request = DummyRequest(method="GET") self.context = RouteFactory(self.request) self.context.on_collection = True self.context.check_permission = mock.Mock(return_value=False) def test_permits_returns_true_if_collection_and_shared_records(self): self.context.fetch_shared_records = mock.MagicMock(return_value=["record1", "record2"]) allowed = self.authz.permits(self.context, ["userid"], "dynamic") # Note: we use the list of principals from request.prefixed_principals self.context.fetch_shared_records.assert_called_with( "read", ["basicauth:bob", "system.Everyone", "system.Authenticated"], self.authz.get_bound_permissions, ) self.assertTrue(allowed) def test_permits_does_not_return_true_if_not_collection(self): self.context.on_collection = False allowed = self.authz.permits(self.context, ["userid"], "dynamic") self.assertFalse(allowed) def test_permits_does_not_return_true_if_not_list_operation(self): self.context.required_permission = "create" allowed = self.authz.permits(self.context, ["userid"], "dynamic") self.assertFalse(allowed) allowed = self.authz.permits(self.context, ["userid"], "create") self.assertFalse(allowed) def test_permits_returns_false_if_collection_is_unknown(self): self.context.fetch_shared_records = mock.MagicMock(return_value=None) allowed = self.authz.permits(self.context, ["userid"], "dynamic") # Note: we use the list of principals from request.prefixed_principals self.context.fetch_shared_records.assert_called_with( "read", ["basicauth:bob", "system.Everyone", "system.Authenticated"], self.authz.get_bound_permissions, ) self.assertFalse(allowed) def test_perm_object_id_is_naive_if_no_record_path_exists(self): def route_path(service_name, **kwargs): # Simulate a resource that has no record_path (only list). if service_name == "article-record": raise KeyError return "/comments/sub/{id}".format_map(kwargs) self.request.route_path.side_effect = route_path self.request.path = "/comments" self.context.resource_name = "comment" obj_id = self.context.get_permission_object_id(self.request, "*") self.assertEqual(obj_id, "/comments/sub/*") self.request.path = "/articles" self.context.resource_name = "article" obj_id = self.context.get_permission_object_id(self.request, "*") self.assertEqual(obj_id, "/articles/*")
class AuthorizationPolicyTest(unittest.TestCase): def setUp(self): self.authz = AuthorizationPolicy() self.context = mock.MagicMock() self.context.get_prefixed_userid.return_value = None self.context.allowed_principals = [] self.context.permission_object_id = mock.sentinel.object_id self.context.required_permission = 'read' self.principals = [] self.permission = 'dynamic' def test_permits_does_not_refer_to_context_if_permission_is_private(self): self.assertFalse(self.authz.permits(None, [], 'private')) def test_permits_return_if_authenticated_when_permission_is_private(self): self.assertTrue(self.authz.permits(None, ['system.Authenticated'], 'private')) def test_permits_refers_to_context_to_check_permissions(self): self.context.check_permission.return_value = True allowed = self.authz.permits(self.context, self.principals, 'dynamic') self.assertTrue(allowed) def test_permits_refers_to_context_to_check_permission_principals(self): self.context.check_permission.return_value = False allowed = self.authz.permits( self.context, ['fxa:user', 'system.Authenticated'], 'dynamic') self.assertTrue(allowed) def test_permits_reads_the_context_when_permission_is_dynamic(self): self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, 'read')]) def test_permits_uses_get_bound_permissions_if_defined(self): self.authz.get_bound_permissions = lambda o, p: mock.sentinel.callback self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( self.principals, mock.sentinel.callback) def test_permits_calls_get_bound_permissions_with_context_info(self): self.authz.get_bound_permissions = mock.Mock(return_value=[]) self.authz.permits(self.context, self.principals, 'dynamic') self.authz.get_bound_permissions.assert_called_with( self.context.permission_object_id, 'read') def test_permits_consider_permission_when_not_dynamic(self): self.authz.permits(self.context, self.principals, 'foobar') self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, 'foobar')]) def test_permits_prepend_obj_type_to_permission_on_create(self): self.context.required_permission = 'create' self.context.resource_name = 'record' self.authz.permits(self.context, self.principals, 'dynamic') self.context.check_permission.assert_called_with( self.principals, [(self.context.permission_object_id, 'record:create')]) def test_permits_takes_route_factory_allowed_principals_into_account(self): self.context.resource_name = 'record' self.context.required_permission = 'create' self.context.allowed_principals = ['fxa:user'] allowed = self.authz.permits(self.context, ['fxa:user'], 'dynamic') self.context.check_permission.assert_not_called() self.assertTrue(allowed) def test_prefixed_userid_is_added_to_principals(self): self.context.get_prefixed_userid.return_value = 'fxa:userid' self.authz.permits(self.context, self.principals, 'foobar') self.context.check_permission.assert_called_with( self.principals + ['fxa:userid', 'fxa_userid'], [(self.context.permission_object_id, 'foobar')]) def test_unprefixed_userid_is_removed_from_principals(self): self.context.get_prefixed_userid.return_value = 'fxa:userid' self.authz.permits(self.context, ['userid'], 'foobar') self.context.check_permission.assert_called_with( ['fxa:userid', 'fxa_userid'], [(self.context.permission_object_id, 'foobar')])