def test_user_permission_revoke(self): u = self._create_user() r = self._create_resource() o = authorization.READ n = authorization.operation_to_name(o) authorization.grant_permission_to_user(r, u['login'], [n]) self.assertTrue(authorization.is_authorized(r, u, o)) authorization.revoke_permission_from_user(r, u['login'], [n]) self.assertFalse(authorization.is_authorized(r, u, o))
def test_consumer_user_permissions(self): u = self._create_user() s = '/consumers/' r = authorization.consumer_users_role authorization.add_user_to_role(r, u['name']) self.assertTrue(authorization.is_authorized(s, u, authorization.CREATE)) self.assertTrue(authorization.is_authorized(s, u, authorization.READ)) self.assertFalse(authorization.is_authorized(s, u, authorization.UPDATE)) self.assertFalse(authorization.is_authorized(s, u, authorization.DELETE)) self.assertFalse(authorization.is_authorized(s, u, authorization.EXECUTE))
def test_super_user_permissions(self): u = self._create_user() s = self._create_resource() r = authorization.super_user_role authorization.add_user_to_role(r, u['name']) self.assertTrue(authorization.is_authorized(s, u, authorization.CREATE)) self.assertTrue(authorization.is_authorized(s, u, authorization.READ)) self.assertTrue(authorization.is_authorized(s, u, authorization.UPDATE)) self.assertTrue(authorization.is_authorized(s, u, authorization.DELETE)) self.assertTrue(authorization.is_authorized(s, u, authorization.EXECUTE))
def test_role_permission_delete(self): u = self._create_user() r = self._create_role() s = self._create_resource() o = authorization.READ n = authorization.operation_to_name(o) authorization.add_user_to_role(r['name'], u['login']) authorization.grant_permission_to_role(s, r['name'], [n]) self.assertTrue(authorization.is_authorized(s, u, o)) authorization.delete_role(r['name']) self.assertFalse(authorization.is_authorized(s, u, o))
def test_role_execute(self): u1 = self._create_user() u2 = self._create_user() r = self._create_role() s = self._create_resource() o = authorization.EXECUTE n = authorization.operation_to_name(o) authorization.add_user_to_role(r['name'], u1['login']) authorization.grant_permission_to_role(s, r['name'], [n]) self.assertTrue(authorization.is_authorized(s, u1, o)) self.assertFalse(authorization.is_authorized(s, u2, o))
def test_non_unique_permission_remove(self): u = self._create_user() r1 = self._create_role() r2 = self._create_role() s = self._create_resource() o = authorization.READ n = authorization.operation_to_name(o) authorization.add_user_to_role(r1['name'], u['login']) authorization.add_user_to_role(r2['name'], u['login']) authorization.grant_permission_to_role(s, r1['name'], [n]) authorization.grant_permission_to_role(s, r2['name'], [n]) self.assertTrue(authorization.is_authorized(s, u, o)) authorization.remove_user_from_role(r1['name'], u['login']) self.assertTrue(authorization.is_authorized(s, u, o))
def test_user_update_success(self): u = self._create_user() r = self._create_resource() o = authorization.UPDATE n = authorization.operation_to_name(o) authorization.grant_permission_to_user(r, u['login'], [n]) self.assertTrue(authorization.is_authorized(r, u, o))
def test_role_order_of_permission_grant(self): u1 = self._create_user() u2 = self._create_user() r1 = self._create_role() r2 = self._create_role() s = self._create_resource() o = authorization.READ n = authorization.operation_to_name(o) # add first, grant second authorization.add_user_to_role(r1['name'], u1['name']) authorization.grant_permission_to_role(s, r1['name'], [n]) self.assertTrue(authorization.is_authorized(s, u1, o)) # grant first, add second authorization.grant_permission_to_role(s, r2['name'], [n]) authorization.add_user_to_role(r2['name'], u2['name']) self.assertTrue(authorization.is_authorized(s, u2, o))
def test_root_permissions(self): u = self._create_user() r = self._create_resource() o = authorization.READ n = authorization.operation_to_name(o) authorization.grant_permission_to_user('/', u['login'], [n]) self.assertTrue(authorization.is_authorized(r, u, o))
def test_parent_permissions(self): u = self._create_user() r = self._create_resource() p = r.rsplit('/', 2)[0] + '/' o = authorization.READ n = authorization.operation_to_name(o) authorization.grant_permission_to_user(p, u['login'], [n]) self.assertTrue(authorization.is_authorized(r, u, o))
def _auth_decorator(self, *args, **kwargs): # XXX jesus h christ: is this some god awful shit # please, please refactor this into ... something ... anything! user = None is_consumer = False permissions = {'/v2/consumers/' : [0, 1]} # first, try username:password authentication username, password = http.username_password() if username is not None: user = check_username_password(username, password) if user is None: return self.unauthorized(user_pass_fail_msg) # second, try certificate authentication if user is None: cert_pem = http.ssl_client_cert() if cert_pem is not None: # first, check user certificate user = check_user_cert(cert_pem) if user is None: # second, check consumer certificate # This is temporary solution to solve authorization failure for consumers # because of no associated users. We would likely be going with a similar approach # for v2 with static permissions for consumers instead of associates users. Once we # have users and permissions flushed out for v2, this code will look much better. # user = check_consumer_cert(cert_pem) user = check_consumer_cert_no_user(cert_pem) if user: is_consumer = True consumer_base_url = '/v2/consumers/%s' % user + '/' permissions[consumer_base_url] = [0, 1, 2, 3, 4] # third, check oauth credentials if user is None: auth = http.http_authorization() username = http.request_info('HTTP_PULP_USER') if None in (auth, username): if cert_pem is not None: return self.unauthorized(cert_fail_msg) else: meth = http.request_info('REQUEST_METHOD') url = http.request_url() query = http.request_info('QUERY_STRING') user = check_oauth(username, meth, url, auth, query) if user is None: return self.unauthorized(oauth_fail_msg) # authentication has failed if user is None: return self.unauthorized(authen_fail_msg) # procedure to check consumer permissions - part of the temporary solution described above def is_consumer_authorized(resource, consumer, operation): if consumer_base_url in resource and operation in permissions[consumer_base_url]: return True else: return False # forth, check authorization if super_user_only and not is_superuser(user): return self.unauthorized(author_fail_msg) # if the operation is None, don't check authorization elif operation is not None: if is_consumer and is_consumer_authorized(http.resource_path(), user, operation): value = method(self, *args, **kwargs) clear_principal() return value elif is_authorized(http.resource_path(), user, operation): pass else: return self.unauthorized(author_fail_msg) # everything ok, manage the principal and call the method set_principal(user) value = method(self, *args, **kwargs) clear_principal() return value
def test_user_update_failure(self): u = self._create_user() r = self._create_resource() o = authorization.UPDATE self.assertFalse(authorization.is_authorized(r, u, o))