コード例 #1
ファイル: acl.py プロジェクト: johnruemker/pcs
def run_permission_add(argv):
    """
    Handle the command-line request to add ACL permissions to a role.

    argv -- command-line arguments: the role id first, then the permission
        arguments. The list is modified in place (the role id is popped
        off the front before the rest is parsed).

    Raises utils.CmdLineInputError when fewer than four arguments are given.
    """
    # NOTE(review): four is presumably the role id plus one complete
    # (kind, scope type, scope) triple -- confirm against
    # argv_to_permission_info_list.
    if len(argv) <= 3:
        raise utils.CmdLineInputError()
    target_role = argv.pop(0)
    requested_permissions = argv_to_permission_info_list(argv)

    # The CIB is loaded once, edited through the helpers below, and then
    # handed to replace_cib_configuration.
    working_cib = get_cib(get_cib_xml())
    # NOTE(review): provide_role presumably creates the role when it is
    # missing, so a mistyped role id would yield a new role rather than an
    # error -- confirm.
    provide_role(working_cib, target_role)
    add_permissions_to_role(working_cib, target_role, requested_permissions)
    replace_cib_configuration(working_cib)
コード例 #2
ファイル: acl.py プロジェクト: johnruemker/pcs
def run_create_role(argv):
    """
    Handle the command-line request to create an ACL role.

    argv -- command-line arguments: the role id, optionally followed by
        'description=<text>', then the permission arguments. Consumed
        arguments are popped from the list in place.

    Raises utils.CmdLineInputError when no argument is given.
    """
    if len(argv) == 0:
        raise utils.CmdLineInputError()
    new_role_id = argv.pop(0)
    prefix = 'description='
    role_description = ""
    # Only a non-empty 'description=<text>' is consumed. A bare
    # 'description=' stays in argv and is passed on to the permission parser.
    if argv:
        candidate = argv[0]
        if candidate.startswith(prefix) and len(candidate) > len(prefix):
            argv.pop(0)
            role_description = candidate[len(prefix):]
    requested_permissions = argv_to_permission_info_list(argv)

    # The CIB is loaded once, edited through the helpers below, and then
    # handed to replace_cib_configuration.
    working_cib = get_cib(get_cib_xml())
    create_role(working_cib, new_role_id, role_description)
    add_permissions_to_role(working_cib, new_role_id, requested_permissions)
    replace_cib_configuration(working_cib)
コード例 #3
ファイル: test_lib_cib_acl.py プロジェクト: dchirikov/pcs
    def test_refuse_bad_permission_and_bad_scope_type(self):
        # An unknown permission kind and an unknown scope type must both be
        # rejected: one call is expected to yield two ERROR reports, one per
        # invalid field, each listing the allowed values.
        role_id = 'role1'
        self.fixture_add_role(role_id)

        def add_invalid_permission():
            # 'readX' and 'xpathX' are both outside the allowed values.
            return lib.add_permissions_to_role(
                self.cib.tree, role_id, [('readX', 'xpathX', '/whatever')]
            )

        bad_kind_report = (
            severities.ERROR,
            report_codes.INVALID_OPTION_VALUE,
            {
                "option_name": "permission",
                "option_value": "readX",
                "allowed_values": ["read", "write", "deny"],
            },
        )
        bad_scope_type_report = (
            severities.ERROR,
            report_codes.INVALID_OPTION_VALUE,
            {
                "option_name": "scope type",
                "option_value": "xpathX",
                "allowed_values": ["xpath", "id"],
            },
        )
        assert_raise_library_error(
            add_invalid_permission, bad_kind_report, bad_scope_type_report
        )
コード例 #4
def add_permission(lib_env, role_id, permission_info_list):
    """
    Add permissions to the role identified by role_id, creating the role if
    it does not exist yet.
    Raises LibraryError on any failure.

    lib_env -- LibraryEnvironment
    role_id -- id of the role
    permission_info_list -- list of permissions; each item should be a tuple
        (<read|write|deny>, <xpath|id>, <any string>)
    """
    cib = lib_env.get_cib(REQUIRED_CIB_VERSION)
    # Validation runs before the role is looked up or created and before any
    # permission is attached; the CIB is pushed only as the last step.
    acl.validate_permissions(cib, permission_info_list)
    # Because a missing role is created, a mistyped role_id results in a new
    # role rather than an error.
    target_role = acl.provide_role(cib, role_id)
    acl.add_permissions_to_role(target_role, permission_info_list)
    lib_env.push_cib(cib)
コード例 #5
ファイル: acl.py プロジェクト: HideoYamauchi/pcs
def add_permission(lib_env, role_id, permission_info_list):
    """
    Add permissions to the role identified by role_id, creating the role if
    it does not exist yet.
    Raises LibraryError on any failure.

    lib_env -- LibraryEnvironment
    role_id -- id of the role
    permission_info_list -- list of permissions; each item should be a tuple
        (<read|write|deny>, <xpath|id>, <any string>)
    """
    # NOTE(review): cib_acl_section is defined elsewhere; presumably it loads
    # the ACL section on entry and pushes the CIB on a clean exit -- confirm.
    with cib_acl_section(lib_env) as acl_section:
        # Validation runs before the role is looked up or created and before
        # any permission is attached.
        acl.validate_permissions(acl_section, permission_info_list)
        # Because a missing role is created, a mistyped role_id results in a
        # new role rather than an error.
        target_role = acl.provide_role(acl_section, role_id)
        acl.add_permissions_to_role(target_role, permission_info_list)
コード例 #6
ファイル: acl.py プロジェクト: HideoYamauchi/pcs
def create_role(lib_env, role_id, permission_info_list, description):
    """
    Create a new ACL role, optionally with an initial set of permissions.
    Raises LibraryError on any failure.

    lib_env -- LibraryEnvironment
    role_id -- id of the new role to create
    permission_info_list -- list of permissions; each item should be a tuple
        (<read|write|deny>, <xpath|id>, <any string>)
    description -- text description of the role
    """
    # NOTE(review): cib_acl_section is defined elsewhere; presumably it loads
    # the ACL section on entry and pushes the CIB on a clean exit -- confirm.
    with cib_acl_section(lib_env) as acl_section:
        has_permissions = bool(permission_info_list)
        # Permissions are validated before the role element is created.
        if has_permissions:
            acl.validate_permissions(acl_section, permission_info_list)
        new_role = acl.create_role(acl_section, role_id, description)
        # An empty or missing list creates the role with no permissions.
        if has_permissions:
            acl.add_permissions_to_role(new_role, permission_info_list)
コード例 #7
ファイル: test_lib_cib_acl.py プロジェクト: dchirikov/pcs
    def test_add_for_correct_permissions(self):
        # A valid (kind, scope type, scope) triple added to an existing role
        # must appear as one acl_permission element under that role, with an
        # id derived from the role id and the permission kind.
        role_id = 'role1'
        self.fixture_add_role(role_id)
        granted = [('read', 'xpath', '/whatever')]

        lib.add_permissions_to_role(self.cib.tree, role_id, granted)

        expected_acls = '''
              <acls>
                <acl_role id="{0}">
                  <acl_permission id="{0}-read" kind="read" xpath="/whatever"/>
                </acl_role>
              </acls>
            '''.format(role_id)
        self.assert_cib_equal(
            self.create_cib().append_to_first_tag_name(
                'configuration', expected_acls
            )
        )
コード例 #8
    def test_add_for_correct_permissions(self):
        # A valid (kind, scope type, scope) triple added to an existing role
        # element must appear as one acl_permission element under that role.
        # This variant passes the acl_role element itself, not the tree and id.
        role_id = "role1"
        self.fixture_add_role(role_id)

        role_xpath = ".//acl_role[@id='{0}']".format(role_id)
        role_element = self.cib.tree.find(role_xpath)
        lib.add_permissions_to_role(
            role_element, [("read", "xpath", "/whatever")]
        )

        expected_acls = """
              <acls>
                <acl_role id="{0}">
                  <acl_permission id="{0}-read" kind="read" xpath="/whatever"/>
                </acl_role>
              </acls>
            """.format(role_id)
        expected_cib = self.create_cib().append_to_first_tag_name(
            "configuration", expected_acls
        )
        self.assert_cib_equal(expected_cib)
コード例 #9
def create_role(lib_env, role_id, permission_info_list, description):
    """
    Create a new ACL role, optionally with an initial set of permissions.
    Raises LibraryError on any failure.

    lib_env -- LibraryEnvironment
    role_id -- id of the new role to create
    permission_info_list -- list of permissions; each item should be a tuple
        (<read|write|deny>, <xpath|id>, <any string>)
    description -- text description of the role
    """
    cib = lib_env.get_cib(REQUIRED_CIB_VERSION)
    has_permissions = bool(permission_info_list)

    # Permissions are validated before the role element is created, and the
    # CIB is pushed only as the last step.
    if has_permissions:
        acl.validate_permissions(cib, permission_info_list)
    new_role = acl.create_role(cib, role_id, description)
    # An empty or missing list creates the role with no permissions.
    if has_permissions:
        acl.add_permissions_to_role(new_role, permission_info_list)

    lib_env.push_cib(cib)
コード例 #10
ファイル: acl.py プロジェクト: jmartign/pcs
def create_role(lib_env, role_id, permission_info_list, description):
    """
    Create a new ACL role and attach any permissions supplied with it.
    Raises LibraryError on any failure.

    lib_env -- LibraryEnvironment
    role_id -- id of the new role to create
    permission_info_list -- list of permissions; each item should be a tuple
        (<read|write|deny>, <xpath|id>, <any string>)
    description -- text description of the role
    """
    cib = lib_env.get_cib(REQUIRED_CIB_VERSION)
    with_permissions = bool(permission_info_list)

    # Validate first, so the role element is not created for a request whose
    # permissions fail validation; push_cib is the final step.
    if with_permissions:
        acl.validate_permissions(cib, permission_info_list)
    created_role = acl.create_role(cib, role_id, description)
    # With no permissions given, the role is created empty.
    if with_permissions:
        acl.add_permissions_to_role(created_role, permission_info_list)

    lib_env.push_cib(cib)
コード例 #11
ファイル: test_lib_cib_acl.py プロジェクト: johnruemker/pcs
 def test_refuse_add_for_nonexistent_role_id(self):
     # No role fixture is added here, so the role id does not exist in the
     # CIB and the call is expected to report ACL_ROLE_NOT_FOUND.
     role_id = 'role1'

     def add_to_missing_role():
         return lib.add_permissions_to_role(
             self.cib.tree, role_id, [('read', 'xpath', '/whatever')]
         )

     expected_report = (
         severities.ERROR,
         error_codes.ACL_ROLE_NOT_FOUND,
         {'role_id': role_id},
     )
     self.assert_raise_library_error(add_to_missing_role, expected_report)
コード例 #12
ファイル: test_lib_cib_acl.py プロジェクト: dchirikov/pcs
    def test_refuse_pointing_to_nonexisten_id(self):
        # An 'id'-scoped permission must reference an existing id; one that
        # points at a missing id is expected to be refused with ID_NOT_FOUND.
        role_id = 'role1'
        self.fixture_add_role(role_id)
        dangling_permission = ('read', 'id', 'non-existent')

        def add_dangling_permission():
            return lib.add_permissions_to_role(
                self.cib.tree, role_id, [dangling_permission]
            )

        expected_report = (
            severities.ERROR,
            report_codes.ID_NOT_FOUND,
            {'id': 'non-existent'},
        )
        assert_raise_library_error(add_dangling_permission, expected_report)
コード例 #13
ファイル: test_lib_cib_acl.py プロジェクト: dchirikov/pcs
 def test_refuse_add_for_nonexistent_role_id(self):
     # No role fixture is added here, so the role id does not exist in the
     # CIB and the call is expected to report ID_NOT_FOUND for a "role".
     role_id = 'role1'

     def add_to_missing_role():
         return lib.add_permissions_to_role(
             self.cib.tree, role_id, [('read', 'xpath', '/whatever')]
         )

     expected_report = (
         severities.ERROR,
         report_codes.ID_NOT_FOUND,
         {
             "id": role_id,
             "id_description": "role",
         },
     )
     assert_raise_library_error(add_to_missing_role, expected_report)
コード例 #14
ファイル: test_lib_cib_acl.py プロジェクト: johnruemker/pcs
    def test_refuse_bad_permission_and_bad_scope_type(self):
        # An unknown permission kind and an unknown scope type must both be
        # rejected: one call is expected to yield two ERROR reports, one for
        # each invalid field.
        role_id = 'role1'
        self.fixture_add_role(role_id)

        def add_invalid_permission():
            # 'readX' is the bad kind and 'xpathX' the bad scope type.
            return lib.add_permissions_to_role(
                self.cib.tree, role_id, [('readX', 'xpathX', '/whatever')]
            )

        bad_kind_report = (
            severities.ERROR,
            error_codes.BAD_ACL_PERMISSION,
            {'permission': 'readX'},
        )
        bad_scope_type_report = (
            severities.ERROR,
            error_codes.BAD_ACL_SCOPE_TYPE,
            {'scope_type': 'xpathX'},
        )
        self.assert_raise_library_error(
            add_invalid_permission, bad_kind_report, bad_scope_type_report
        )