コード例 #1
0
ファイル: _test_authorization.py プロジェクト: stpierre/pulp
    def setUp(self):
        self.user_api = UserApi()
        self.role_api = RoleAPI()

        base.PulpServerTests.setUp(self)

        authorization.ensure_builtin_roles()
        principal.clear_principal()
        self.alhpa_num = string.letters + string.digits
コード例 #2
0
ファイル: _test_authorization.py プロジェクト: stpierre/pulp
class TestAuthorization(base.PulpServerTests):

    def setUp(self):
        self.user_api = UserApi()
        self.role_api = RoleAPI()

        base.PulpServerTests.setUp(self)

        authorization.ensure_builtin_roles()
        principal.clear_principal()
        self.alhpa_num = string.letters + string.digits

    def tearDown(self):
        super(TestAuthorization, self).tearDown()
        self.clean()

    def clean(self):
        self.user_api.clean()
        self.role_api.clean()

    # test data generation

    def _create_user(self):
        username = ''.join(random.sample(self.alhpa_num, random.randint(6, 10)))
        password = ''.join(random.sample(self.alhpa_num, random.randint(6, 10)))
        return self.user_api.create(username, password, username, username)

    def _create_role(self):
        name = ''.join(random.sample(self.alhpa_num, random.randint(6, 10)))
        return self.role_api.create(name)

    def _create_resource(self):
        return '/%s/' % '/'.join(''.join(random.sample(self.alhpa_num,
                                                       random.randint(6, 10)))
                                 for i in range(random.randint(2, 4)))

    # test individual user permissions

    def test_user_create_failure(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.CREATE
        self.assertFalse(authorization.is_authorized(r, u, o))

    def test_user_create_success(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.CREATE
        n = authorization.operation_to_name(o)
        authorization.grant_permission_to_user(r, u['login'], [n])
        self.assertTrue(authorization.is_authorized(r, u, o))

    def test_user_read_failure(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.READ
        self.assertFalse(authorization.is_authorized(r, u, o))

    def test_user_read_success(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.grant_permission_to_user(r, u['login'], [n])
        self.assertTrue(authorization.is_authorized(r, u, o))

    def test_user_update_failure(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.UPDATE
        self.assertFalse(authorization.is_authorized(r, u, o))

    def test_user_update_success(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.UPDATE
        n = authorization.operation_to_name(o)
        authorization.grant_permission_to_user(r, u['login'], [n])
        self.assertTrue(authorization.is_authorized(r, u, o))

    def test_user_delete_failure(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.DELETE
        self.assertFalse(authorization.is_authorized(r, u, o))

    def test_user_delete_success(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.DELETE
        n = authorization.operation_to_name(o)
        authorization.grant_permission_to_user(r, u['login'], [n])
        self.assertTrue(authorization.is_authorized(r, u, o))

    def test_user_execute_failure(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.EXECUTE
        self.assertFalse(authorization.is_authorized(r, u, o))

    def test_user_execute_success(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.EXECUTE
        n = authorization.operation_to_name(o)
        authorization.grant_permission_to_user(r, u['login'], [n])
        self.assertTrue(authorization.is_authorized(r, u, o))

    def test_user_permission_revoke(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.grant_permission_to_user(r, u['login'], [n])
        self.assertTrue(authorization.is_authorized(r, u, o))
        authorization.revoke_permission_from_user(r, u['login'], [n])
        self.assertFalse(authorization.is_authorized(r, u, o))

    def test_parent_permissions(self):
        u = self._create_user()
        r = self._create_resource()
        p = r.rsplit('/', 2)[0] + '/'
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.grant_permission_to_user(p, u['login'], [n])
        self.assertTrue(authorization.is_authorized(r, u, o))

    def test_root_permissions(self):
        u = self._create_user()
        r = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.grant_permission_to_user('/', u['login'], [n])
        self.assertTrue(authorization.is_authorized(r, u, o))

    # test role management

    def test_create_role(self):
        n = 'create_role'
        r1 = authorization.create_role(n)
        r2 = self.role_api.role(n)
        self.assertEquals(r1['_id'], r2['_id'])

    def test_delete_role(self):
        n = 'delete_role'
        r1 = self.role_api.create(n)
        self.assertFalse(r1 is None)
        authorization.delete_role(n)
        r2 = self.role_api.role(n)
        self.assertTrue(r2 is None)

    def test_add_user(self):
        u = self._create_user()
        r = self._create_role()
        authorization.add_user_to_role(r['name'], u['login'])
        user_names = [u['login'] for u in authorization.list_users_in_role(r['name'])]
        self.assertTrue(u['login'] in user_names)

    def test_remove_user(self):
        u = self._create_user()
        r = self._create_role()
        authorization.add_user_to_role(r['name'], u['login'])
        authorization.remove_user_from_role(r['name'], u['login'])
        user_names = [u['login'] for u in authorization.list_users_in_role(r['name'])]
        self.assertFalse(u['login'] in user_names)

    # test role permissions

    def test_role_create(self):
        u1 = self._create_user()
        u2 = self._create_user()
        r = self._create_role()
        s = self._create_resource()
        o = authorization.CREATE
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r['name'], u1['login'])
        authorization.grant_permission_to_role(s, r['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u1, o))
        self.assertFalse(authorization.is_authorized(s, u2, o))

    def test_role_read(self):
        u1 = self._create_user()
        u2 = self._create_user()
        r = self._create_role()
        s = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r['name'], u1['login'])
        authorization.grant_permission_to_role(s, r['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u1, o))
        self.assertFalse(authorization.is_authorized(s, u2, o))

    def test_role_update(self):
        u1 = self._create_user()
        u2 = self._create_user()
        r = self._create_role()
        s = self._create_resource()
        o = authorization.UPDATE
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r['name'], u1['login'])
        authorization.grant_permission_to_role(s, r['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u1, o))
        self.assertFalse(authorization.is_authorized(s, u2, o))

    def test_role_delete(self):
        u1 = self._create_user()
        u2 = self._create_user()
        r = self._create_role()
        s = self._create_resource()
        o = authorization.DELETE
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r['name'], u1['login'])
        authorization.grant_permission_to_role(s, r['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u1, o))
        self.assertFalse(authorization.is_authorized(s, u2, o))

    def test_role_execute(self):
        u1 = self._create_user()
        u2 = self._create_user()
        r = self._create_role()
        s = self._create_resource()
        o = authorization.EXECUTE
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r['name'], u1['login'])
        authorization.grant_permission_to_role(s, r['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u1, o))
        self.assertFalse(authorization.is_authorized(s, u2, o))

    def test_role_order_of_permission_grant(self):
        u1 = self._create_user()
        u2 = self._create_user()
        r1 = self._create_role()
        r2 = self._create_role()
        s = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        # add first, grant second
        authorization.add_user_to_role(r1['name'], u1['name'])
        authorization.grant_permission_to_role(s, r1['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u1, o))
        # grant first, add second
        authorization.grant_permission_to_role(s, r2['name'], [n])
        authorization.add_user_to_role(r2['name'], u2['name'])
        self.assertTrue(authorization.is_authorized(s, u2, o))

    def test_role_permission_revoke(self):
        u = self._create_user()
        r = self._create_role()
        s = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r['name'], u['login'])
        authorization.grant_permission_to_role(s, r['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u, o))
        authorization.revoke_permission_from_role(s, r['name'], [n])
        self.assertFalse(authorization.is_authorized(s, u, o))

    def test_role_permission_remove(self):
        u = self._create_user()
        r = self._create_role()
        s = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r['name'], u['login'])
        authorization.grant_permission_to_role(s, r['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u, o))
        authorization.remove_user_from_role(r['name'], u['login'])
        self.assertFalse(authorization.is_authorized(s, u, o))

    def test_role_permission_delete(self):
        u = self._create_user()
        r = self._create_role()
        s = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r['name'], u['login'])
        authorization.grant_permission_to_role(s, r['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u, o))
        authorization.delete_role(r['name'])
        self.assertFalse(authorization.is_authorized(s, u, o))

    # test multi-role/permission interaction

    def test_non_unique_permission_revoke(self):
        u = self._create_user()
        r1 = self._create_role()
        r2 = self._create_role()
        s = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r1['name'], u['login'])
        authorization.add_user_to_role(r2['name'], u['login'])
        authorization.grant_permission_to_role(s, r1['name'], [n])
        authorization.grant_permission_to_role(s, r2['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u, o))
        authorization.revoke_permission_from_role(s, r1['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u, o))

    def test_non_unique_permission_remove(self):
        u = self._create_user()
        r1 = self._create_role()
        r2 = self._create_role()
        s = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r1['name'], u['login'])
        authorization.add_user_to_role(r2['name'], u['login'])
        authorization.grant_permission_to_role(s, r1['name'], [n])
        authorization.grant_permission_to_role(s, r2['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u, o))
        authorization.remove_user_from_role(r1['name'], u['login'])
        self.assertTrue(authorization.is_authorized(s, u, o))

    def test_non_unique_permission_delete(self):
        u = self._create_user()
        r1 = self._create_role()
        r2 = self._create_role()
        s = self._create_resource()
        o = authorization.READ
        n = authorization.operation_to_name(o)
        authorization.add_user_to_role(r1['name'], u['login'])
        authorization.add_user_to_role(r2['name'], u['login'])
        authorization.grant_permission_to_role(s, r1['name'], [n])
        authorization.grant_permission_to_role(s, r2['name'], [n])
        self.assertTrue(authorization.is_authorized(s, u, o))
        authorization.delete_role(r1['name'])
        self.assertTrue(authorization.is_authorized(s, u, o))

    # test built in roles

    def test_super_users(self):
        role = self.role_api.role(authorization.super_user_role)
        self.assertFalse(role is None)

    def test_super_users_grant(self):
        s = self._create_resource()
        n = authorization.operation_to_name(authorization.READ)
        self.assertRaises(authorization.PulpAuthorizationError,
                          authorization.grant_permission_to_role,
                          s, authorization.super_user_role, [n])

    def test_super_users_revoke(self):
        s = self._create_resource()
        n = authorization.operation_to_name(authorization.READ)
        self.assertRaises(authorization.PulpAuthorizationError,
                          authorization.revoke_permission_from_role,
                          s, authorization.super_user_role, [n])

    def test_super_user_permissions(self):
        u = self._create_user()
        s = self._create_resource()
        r = authorization.super_user_role
        authorization.add_user_to_role(r, u['name'])
        self.assertTrue(authorization.is_authorized(s, u, authorization.CREATE))
        self.assertTrue(authorization.is_authorized(s, u, authorization.READ))
        self.assertTrue(authorization.is_authorized(s, u, authorization.UPDATE))
        self.assertTrue(authorization.is_authorized(s, u, authorization.DELETE))
        self.assertTrue(authorization.is_authorized(s, u, authorization.EXECUTE))

    # test consumer auto-permissions

    def test_consumer_users(self):
        role = self.role_api.role(authorization.consumer_users_role)
        self.assertFalse(role is None)

    def test_consumer_users_grant(self):
        s = self._create_resource()
        n = authorization.operation_to_name(authorization.READ)
        self.assertRaises(authorization.PulpAuthorizationError,
                          authorization.grant_permission_to_role,
                          s, authorization.consumer_users_role, [n])

    def test_consumer_users_revoke(self):
        s = self._create_resource()
        n = authorization.operation_to_name(authorization.READ)
        self.assertRaises(authorization.PulpAuthorizationError,
                          authorization.revoke_permission_from_role,
                          s, authorization.consumer_users_role, [n])

    def test_consumer_user_permissions(self):
        u = self._create_user()
        s = '/consumers/'
        r = authorization.consumer_users_role
        authorization.add_user_to_role(r, u['name'])
        self.assertTrue(authorization.is_authorized(s, u, authorization.CREATE))
        self.assertTrue(authorization.is_authorized(s, u, authorization.READ))
        self.assertFalse(authorization.is_authorized(s, u, authorization.UPDATE))
        self.assertFalse(authorization.is_authorized(s, u, authorization.DELETE))
        self.assertFalse(authorization.is_authorized(s, u, authorization.EXECUTE))