def test_acl_mixin(self): roles_map1 = { 'editor': [ ('content', '*', True), ], 'contributor': [('content', '*', True), ('content', 'delete', False)], } AclRules.insert_or_update(area='my_area', user='******', roles=['editor']) class Area(object): def key(self): return 'my_area' class User(object): def key(self): return 'user_1' class MyHandler(AclMixin): roles_map = roles_map1 roles_lock = 'foo' def __init__(self): self.area = Area() self.current_user = User() handler = MyHandler() self.assertEqual(handler.acl.has_access('content', 'add'), True) self.assertEqual(handler.acl.has_access('content', 'edit'), True) self.assertEqual(handler.acl.has_access('content', 'delete'), True) self.assertEqual(handler.acl.has_access('foo', 'delete'), False)
def test_example(self): """Tests the example set in the acl module.""" # Set a dict of roles with an 'admin' role that has full access and assign # users to it. Each role maps to a list of rules. Each rule, a tuple # (topic, name, flag), where flag, as bool to allow or disallow access. # Wildcard '*' can be used to match all topics and/or names. Acl.roles_map = { 'admin': [ ('*', '*', True), ], } # Assign users 'user_1' and 'user_2' to the 'admin' role. AclRules.insert_or_update(area='my_area', user='******', roles=['admin']) AclRules.insert_or_update(area='my_area', user='******', roles=['admin']) # Restrict 'user_2' from accessing a specific resource, adding a new rule # with flag set to False. Now this user has access to everything except this # resource. user_acl = AclRules.get_by_area_and_user('my_area', 'user_2') user_acl.rules.append(('UserAdmin', '*', False)) user_acl.put() # Check 'user_2' permission. acl = Acl(area='my_area', user='******') self.assertEqual(acl.has_access(topic='UserAdmin', name='save'), False) self.assertEqual(acl.has_access(topic='UserAdmin', name='get'), False) self.assertEqual(acl.has_access(topic='AnythingElse', name='put'), True)
def test_has_access_invalid_parameters(self): AclRules.insert_or_update(area='my_area', user='******', rules=[('*', '*', True)]) acl1 = Acl(area='my_area', user='******') self.assertRaises(ValueError, acl1.has_access, 'content', '*') self.assertRaises(ValueError, acl1.has_access, '*', 'content')
def test_is_any(self): AclRules.insert_or_update(area='my_area', user='******', roles=['editor', 'designer']) acl = Acl(area='my_area', user='******') self.assertEqual(acl.is_any(['editor', 'admin']), True) self.assertEqual(acl.is_any(['admin', 'designer']), True) self.assertEqual(acl.is_any(['admin', 'user']), False)
def test_test_insert_or_update(self): user_acl = AclRules.get_by_area_and_user('test', 'test') self.assertEqual(user_acl, None) # Set empty rules. user_acl = AclRules.insert_or_update(area='test', user='******') user_acl = AclRules.get_by_area_and_user('test', 'test') self.assertNotEqual(user_acl, None) self.assertEqual(user_acl.rules, []) self.assertEqual(user_acl.roles, []) rules = [ ('topic_1', 'name_1', True), ('topic_1', 'name_2', True), ('topic_2', 'name_1', False), ] user_acl = AclRules.insert_or_update(area='test', user='******', rules=rules) user_acl = AclRules.get_by_area_and_user('test', 'test') self.assertNotEqual(user_acl, None) self.assertEqual(user_acl.rules, rules) self.assertEqual(user_acl.roles, []) extra_rule = ('topic_3', 'name_3', True) rules.append(extra_rule) user_acl = AclRules.insert_or_update(area='test', user='******', rules=rules, roles=['foo', 'bar', 'baz']) user_acl = AclRules.get_by_area_and_user('test', 'test') self.assertNotEqual(user_acl, None) self.assertEqual(user_acl.rules, rules) self.assertEqual(user_acl.roles, ['foo', 'bar', 'baz'])
def test_acl_mixin(self): roles_map1 = { 'editor': [('content', '*', True),], 'contributor': [('content', '*', True), ('content', 'delete', False)], } AclRules.insert_or_update(area='my_area', user='******', roles=['editor']) class Area(object): def key(self): return 'my_area' class User(object): def key(self): return 'user_1' class MyHandler(AclMixin): roles_map = roles_map1 roles_lock = 'foo' def __init__(self): self.area = Area() self.current_user = User() handler = MyHandler() self.assertEqual(handler.acl.has_access('content', 'add'), True) self.assertEqual(handler.acl.has_access('content', 'edit'), True) self.assertEqual(handler.acl.has_access('content', 'delete'), True) self.assertEqual(handler.acl.has_access('foo', 'delete'), False)
def test_set_rules(self): """Test setting and appending rules.""" rules = [ ('topic_1', 'name_1', True), ('topic_1', 'name_2', True), ('topic_2', 'name_1', False), ] extra_rule = ('topic_3', 'name_3', True) # Set empty rules. user_acl = AclRules.insert_or_update(area='test', user='******') # Set rules and save the record. user_acl = AclRules.insert_or_update(area='test', user='******', rules=rules) # Fetch the record again, and compare. user_acl = AclRules.get_by_area_and_user('test', 'test') self.assertEqual(user_acl.rules, rules) # Append more rules. user_acl.rules.append(extra_rule) user_acl.put() rules.append(extra_rule) # Fetch the record again, and compare. user_acl = AclRules.get_by_area_and_user('test', 'test') self.assertEqual(user_acl.rules, rules)
def test_roles_lock_unchanged(self): roles_map1 = { 'editor': [ ('content', '*', True), ], 'contributor': [('content', '*', True), ('content', 'delete', False)], } Acl.roles_map = roles_map1 Acl.roles_lock = 'initial' AclRules.insert_or_update(area='my_area', user='******', roles=['editor']) acl1 = Acl(area='my_area', user='******') AclRules.insert_or_update(area='my_area', user='******', roles=['contributor']) acl2 = Acl(area='my_area', user='******') self.assertEqual(acl1.has_access('content', 'add'), True) self.assertEqual(acl1.has_access('content', 'edit'), True) self.assertEqual(acl1.has_access('content', 'delete'), True) self.assertEqual(acl2.has_access('content', 'add'), True) self.assertEqual(acl2.has_access('content', 'edit'), True) self.assertEqual(acl2.has_access('content', 'delete'), False) roles_map2 = { 'editor': [ ('content', '*', True), ], 'contributor': [('content', '*', True), ('content', 'delete', False), ('content', 'add', False)], } Acl.roles_map = roles_map2 # Don't change the lock to check that the cache will be kept. # Acl.roles_lock = 'changed' acl1 = Acl(area='my_area', user='******') acl2 = Acl(area='my_area', user='******') self.assertEqual(acl1.has_access('content', 'add'), True) self.assertEqual(acl1.has_access('content', 'edit'), True) self.assertEqual(acl1.has_access('content', 'delete'), True) self.assertEqual(acl2.has_access('content', 'add'), True) self.assertEqual(acl2.has_access('content', 'edit'), True) self.assertEqual(acl2.has_access('content', 'delete'), False)
def test_delete_rules(self): rules = [ ('topic_1', 'name_1', True), ('topic_1', 'name_2', True), ('topic_2', 'name_1', False), ] user_acl = AclRules.insert_or_update(area='test', user='******', rules=rules) # Fetch the record again, and compare. user_acl = AclRules.get_by_area_and_user('test', 'test') self.assertEqual(user_acl.rules, rules) key_name = AclRules.get_key_name('test', 'test') acl = Acl('test', 'test') cached = memcache.get(key_name, namespace=AclRules.__name__) self.assertEqual(key_name in _rules_map, True) self.assertEqual(cached, _rules_map[key_name]) user_acl.delete() user_acl2 = AclRules.get_by_area_and_user('test', 'test') cached = memcache.get(key_name, namespace=AclRules.__name__) self.assertEqual(user_acl2, None) self.assertEqual(key_name not in _rules_map, True) self.assertEqual(cached, None)
def test_set_invalid_rules(self): rules = {} self.assertRaises(AssertionError, AclRules.insert_or_update, area='test', user='******', rules=rules) rules = ['foo', 'bar', True] self.assertRaises(AssertionError, AclRules.insert_or_update, area='test', user='******', rules=rules) rules = [('foo', )] self.assertRaises(AssertionError, AclRules.insert_or_update, area='test', user='******', rules=rules) rules = [('foo', 'bar')] self.assertRaises(AssertionError, AclRules.insert_or_update, area='test', user='******', rules=rules) rules = [(1, 2, 3)] self.assertRaises(AssertionError, AclRules.insert_or_update, area='test', user='******', rules=rules) rules = [('foo', 'bar', True)] AclRules.insert_or_update(area='test', user='******', rules=rules) user_acl = AclRules.get_by_area_and_user('test', 'test') user_acl.rules.append((1, 2, 3)) self.assertRaises(AssertionError, user_acl.put)
def test_set_invalid_rules(self): rules = {} self.assertRaises(AssertionError, AclRules.insert_or_update, area='test', user='******', rules=rules) rules = ['foo', 'bar', True] self.assertRaises(AssertionError, AclRules.insert_or_update, area='test', user='******', rules=rules) rules = [('foo',)] self.assertRaises(AssertionError, AclRules.insert_or_update, area='test', user='******', rules=rules) rules = [('foo', 'bar')] self.assertRaises(AssertionError, AclRules.insert_or_update, area='test', user='******', rules=rules) rules = [(1, 2, 3)] self.assertRaises(AssertionError, AclRules.insert_or_update, area='test', user='******', rules=rules) rules = [('foo', 'bar', True)] AclRules.insert_or_update(area='test', user='******', rules=rules) user_acl = AclRules.get_by_area_and_user('test', 'test') user_acl.rules.append((1, 2, 3)) self.assertRaises(AssertionError, user_acl.put)
def test_roles_lock_unchanged(self): roles_map1 = { 'editor': [('content', '*', True),], 'contributor': [('content', '*', True), ('content', 'delete', False)], } Acl.roles_map = roles_map1 Acl.roles_lock = 'initial' AclRules.insert_or_update(area='my_area', user='******', roles=['editor']) acl1 = Acl(area='my_area', user='******') AclRules.insert_or_update(area='my_area', user='******', roles=['contributor']) acl2 = Acl(area='my_area', user='******') self.assertEqual(acl1.has_access('content', 'add'), True) self.assertEqual(acl1.has_access('content', 'edit'), True) self.assertEqual(acl1.has_access('content', 'delete'), True) self.assertEqual(acl2.has_access('content', 'add'), True) self.assertEqual(acl2.has_access('content', 'edit'), True) self.assertEqual(acl2.has_access('content', 'delete'), False) roles_map2 = { 'editor': [('content', '*', True),], 'contributor': [('content', '*', True), ('content', 'delete', False), ('content', 'add', False)], } Acl.roles_map = roles_map2 # Don't change the lock to check that the cache will be kept. # Acl.roles_lock = 'changed' acl1 = Acl(area='my_area', user='******') acl2 = Acl(area='my_area', user='******') self.assertEqual(acl1.has_access('content', 'add'), True) self.assertEqual(acl1.has_access('content', 'edit'), True) self.assertEqual(acl1.has_access('content', 'delete'), True) self.assertEqual(acl2.has_access('content', 'add'), True) self.assertEqual(acl2.has_access('content', 'edit'), True) self.assertEqual(acl2.has_access('content', 'delete'), False)
def test_has_access(self): AclRules.insert_or_update(area='my_area', user='******', rules=[('*', '*', True)]) AclRules.insert_or_update(area='my_area', user='******', rules=[('content', '*', True), ('content', 'delete', False)]) AclRules.insert_or_update(area='my_area', user='******', rules=[('content', 'read', True)]) acl1 = Acl(area='my_area', user='******') acl2 = Acl(area='my_area', user='******') acl3 = Acl(area='my_area', user='******') self.assertEqual(acl1.has_access('content', 'read'), True) self.assertEqual(acl1.has_access('content', 'update'), True) self.assertEqual(acl1.has_access('content', 'delete'), True) self.assertEqual(acl2.has_access('content', 'read'), True) self.assertEqual(acl2.has_access('content', 'update'), True) self.assertEqual(acl2.has_access('content', 'delete'), False) self.assertEqual(acl3.has_access('content', 'read'), True) self.assertEqual(acl3.has_access('content', 'update'), False) self.assertEqual(acl3.has_access('content', 'delete'), False)
def test_is_rule_set(self): rules = [ ('topic_1', 'name_1', True), ('topic_1', 'name_2', True), ('topic_2', 'name_1', False), ] user_acl = AclRules.insert_or_update(area='test', user='******', rules=rules) # Fetch the record again, and compare. user_acl = AclRules.get_by_area_and_user('test', 'test') self.assertEqual(user_acl.is_rule_set(*rules[0]), True) self.assertEqual(user_acl.is_rule_set(*rules[1]), True) self.assertEqual(user_acl.is_rule_set(*rules[2]), True) self.assertEqual(user_acl.is_rule_set('topic_1', 'name_3', True), False)
def test_has_access_with_roles(self): Acl.roles_map = { 'admin': [('*', '*', True),], 'editor': [('content', '*', True),], 'contributor': [('content', '*', True), ('content', 'delete', False)], 'designer': [('design', '*', True),], } AclRules.insert_or_update(area='my_area', user='******', roles=['admin']) acl1 = Acl(area='my_area', user='******') AclRules.insert_or_update(area='my_area', user='******', roles=['admin'], rules=[('ManageUsers', '*', False)]) acl2 = Acl(area='my_area', user='******') AclRules.insert_or_update(area='my_area', user='******', roles=['editor']) acl3 = Acl(area='my_area', user='******') AclRules.insert_or_update(area='my_area', user='******', roles=['contributor'], rules=[('design', '*', True),]) acl4 = Acl(area='my_area', user='******') self.assertEqual(acl1.has_access('ApproveUsers', 'save'), True) self.assertEqual(acl1.has_access('ManageUsers', 'edit'), True) self.assertEqual(acl1.has_access('ManageUsers', 'delete'), True) self.assertEqual(acl1.has_access('ApproveUsers', 'save'), True) self.assertEqual(acl2.has_access('ManageUsers', 'edit'), False) self.assertEqual(acl2.has_access('ManageUsers', 'delete'), False) self.assertEqual(acl3.has_access('ApproveUsers', 'save'), False) self.assertEqual(acl3.has_access('ManageUsers', 'edit'), False) self.assertEqual(acl3.has_access('ManageUsers', 'delete'), False) self.assertEqual(acl3.has_access('content', 'edit'), True) self.assertEqual(acl3.has_access('content', 'delete'), True) self.assertEqual(acl3.has_access('content', 'save'), True) self.assertEqual(acl3.has_access('design', 'edit'), False) self.assertEqual(acl3.has_access('design', 'delete'), False) self.assertEqual(acl4.has_access('ApproveUsers', 'save'), False) self.assertEqual(acl4.has_access('ManageUsers', 'edit'), False) self.assertEqual(acl4.has_access('ManageUsers', 'delete'), False) self.assertEqual(acl4.has_access('content', 'edit'), True) self.assertEqual(acl4.has_access('content', 'delete'), False) self.assertEqual(acl4.has_access('content', 'save'), True) self.assertEqual(acl4.has_access('design', 'edit'), True) self.assertEqual(acl4.has_access('design', 'delete'), True)
def test_has_any_access(self): AclRules.insert_or_update(area='my_area', user='******', roles=['editor', 'designer']) AclRules.insert_or_update(area='my_area', user='******', rules=[('*', '*', True)]) AclRules.insert_or_update(area='my_area', user='******') acl = Acl(area='my_area', user='******') self.assertEqual(acl.has_any_access(), True) acl = Acl(area='my_area', user='******') self.assertEqual(acl.has_any_access(), True) acl = Acl(area='my_area', user='******') self.assertEqual(acl.has_any_access(), False) self.assertEqual(acl._rules, []) self.assertEqual(acl._roles, [])
def test_has_access_with_roles(self): Acl.roles_map = { 'admin': [ ('*', '*', True), ], 'editor': [ ('content', '*', True), ], 'contributor': [('content', '*', True), ('content', 'delete', False)], 'designer': [ ('design', '*', True), ], } AclRules.insert_or_update(area='my_area', user='******', roles=['admin']) acl1 = Acl(area='my_area', user='******') AclRules.insert_or_update(area='my_area', user='******', roles=['admin'], rules=[('ManageUsers', '*', False)]) acl2 = Acl(area='my_area', user='******') AclRules.insert_or_update(area='my_area', user='******', roles=['editor']) acl3 = Acl(area='my_area', user='******') AclRules.insert_or_update(area='my_area', user='******', roles=['contributor'], rules=[ ('design', '*', True), ]) acl4 = Acl(area='my_area', user='******') self.assertEqual(acl1.has_access('ApproveUsers', 'save'), True) self.assertEqual(acl1.has_access('ManageUsers', 'edit'), True) self.assertEqual(acl1.has_access('ManageUsers', 'delete'), True) self.assertEqual(acl1.has_access('ApproveUsers', 'save'), True) self.assertEqual(acl2.has_access('ManageUsers', 'edit'), False) self.assertEqual(acl2.has_access('ManageUsers', 'delete'), False) self.assertEqual(acl3.has_access('ApproveUsers', 'save'), False) self.assertEqual(acl3.has_access('ManageUsers', 'edit'), False) self.assertEqual(acl3.has_access('ManageUsers', 'delete'), False) self.assertEqual(acl3.has_access('content', 'edit'), True) self.assertEqual(acl3.has_access('content', 'delete'), True) self.assertEqual(acl3.has_access('content', 'save'), True) self.assertEqual(acl3.has_access('design', 'edit'), False) self.assertEqual(acl3.has_access('design', 'delete'), False) self.assertEqual(acl4.has_access('ApproveUsers', 'save'), False) self.assertEqual(acl4.has_access('ManageUsers', 'edit'), False) self.assertEqual(acl4.has_access('ManageUsers', 'delete'), False) self.assertEqual(acl4.has_access('content', 'edit'), True) self.assertEqual(acl4.has_access('content', 'delete'), False) self.assertEqual(acl4.has_access('content', 'save'), True) self.assertEqual(acl4.has_access('design', 'edit'), True) self.assertEqual(acl4.has_access('design', 'delete'), True)