def testGettingAccessButDenyingAttributesOnSelf(extendedConfigDataBackend):
    """
    Denied attributes are hidden on other hosts but not on the caller itself.

    The config server authenticates with its own id and opsiHostKey. The ACL
    combines an `opsi_depotserver` entry that denies `opsiHostKey` and
    `description` with an unrestricted `self` entry. The number of returned
    hosts must match the number of created hosts, the caller's own entry must
    still carry its opsiHostKey, and the denied attributes of every other
    host must be None.
    """
    configServer, depotServer, clients = fillBackendWithHosts(extendedConfigDataBackend)
    createdHosts = list(depotServer) + list(clients) + [configServer]

    denyAttributes = set(['opsiHostKey', 'description'])
    depotserverEntry = {
        'type': u'opsi_depotserver',
        'ids': [],
        'denyAttributes': denyAttributes,
        'allowAttributes': []
    }
    selfEntry = {
        'type': u'self',
        'ids': [],
        'denyAttributes': [],
        'allowAttributes': []
    }

    backend = BackendAccessControl(
        backend=extendedConfigDataBackend,
        username=configServer.id,
        password=configServer.opsiHostKey,
        acl=[['.*', [depotserverEntry, selfEntry]]]
    )

    hosts = backend.host_getObjects()
    assert len(createdHosts) == len(hosts)

    for host in hosts:
        if host.id != configServer.id:
            # Foreign host: none of the denied attributes may carry a value.
            for attribute, value in host.toHash().items():
                if attribute in denyAttributes:
                    assert value is None
        else:
            # Own entry: the host key must still be readable.
            assert configServer.opsiHostKey == host.opsiHostKey
def testGettingAccessAndOnlyAllowingSomeAttributes(extendedConfigDataBackend):
    """
    Only attributes on the allow-list may carry a value.

    The config server authenticates with its own id and opsiHostKey against
    an ACL with a single `opsi_depotserver` entry that allows `type`, `id`,
    `description` and `notes`. The number of returned hosts must match the
    number of created hosts and every other attribute must be None.
    """
    configServer, depotServer, clients = fillBackendWithHosts(extendedConfigDataBackend)
    createdHosts = list(depotServer) + list(clients) + [configServer]

    allowAttributes = set(['type', 'id', 'description', 'notes'])
    allowListEntry = {
        'type': u'opsi_depotserver',
        'ids': [],
        'denyAttributes': [],
        'allowAttributes': allowAttributes
    }

    backend = BackendAccessControl(
        backend=extendedConfigDataBackend,
        username=configServer.id,
        password=configServer.opsiHostKey,
        acl=[['.*', [allowListEntry]]]
    )

    hosts = backend.host_getObjects()
    assert len(createdHosts) == len(hosts)

    for host in hosts:
        for attribute, value in host.toHash().items():
            if attribute in allowAttributes:
                continue
            # Anything outside the allow-list must have been blanked out.
            assert value is None
def testGettingFullAccess(extendedConfigDataBackend):
    """
    An ACL entry without attribute restrictions exposes the host keys.

    The config server authenticates with its own id and opsiHostKey against
    an ACL with a single `opsi_depotserver` entry that neither allows nor
    denies specific attributes. The number of returned hosts must match the
    number of created hosts and each returned opsiHostKey must equal the key
    of the created host with the same id.
    """
    configServer, depotServer, clients = fillBackendWithHosts(extendedConfigDataBackend)
    createdHosts = list(depotServer) + list(clients) + [configServer]

    unrestrictedEntry = {
        'type': u'opsi_depotserver',
        'ids': [],
        'denyAttributes': [],
        'allowAttributes': []
    }
    backend = BackendAccessControl(
        backend=extendedConfigDataBackend,
        username=configServer.id,
        password=configServer.opsiHostKey,
        acl=[['.*', [unrestrictedEntry]]]
    )

    hosts = backend.host_getObjects()
    assert len(createdHosts) == len(hosts)

    for returnedHost in hosts:
        for createdHost in createdHosts:
            # Compare only the entries that describe the same host.
            if createdHost.id == returnedHost.id:
                assert createdHost.opsiHostKey == returnedHost.opsiHostKey
def testAllowingMethodsForSpecificClient(extendedConfigDataBackend):
    """
    Method access can be granted per client.

    client1 is listed in the ACL for host_getObjects, while only client2 is
    listed for config_getObjects. Logged in as client1, the first call must
    succeed and the second must raise BackendPermissionDeniedError.
    """
    _, _, clients = fillBackendWithHosts(extendedConfigDataBackend)
    client1, client2 = clients[:2]

    hostMethodAcl = [
        'host_getObjects',
        [{
            'type': u'opsi_client',
            'ids': [client1.id],
            'denyAttributes': [],
            'allowAttributes': []
        }]
    ]
    configMethodAcl = [
        'config_getObjects',
        [{
            'type': u'opsi_client',
            'ids': [client2.id],
            'denyAttributes': [],
            'allowAttributes': []
        }]
    ]

    backendAccessControl = BackendAccessControl(
        username=client1.id,
        password=client1.opsiHostKey,
        backend=extendedConfigDataBackend,
        acl=[hostMethodAcl, configMethodAcl]
    )

    # Permitted method: must not raise.
    backendAccessControl.host_getObjects()

    # Method reserved for client2: must be refused for client1.
    with pytest.raises(BackendPermissionDeniedError):
        backendAccessControl.config_getObjects()
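def testDenyingAttributes(extendedConfigDataBackend):
    """
    Access to attributes can be denied.

    client1 authenticates with its own id and opsiHostKey. The ACL for
    host_getObjects has an unrestricted `self` entry and an `opsi_client`
    entry that denies `opsiHostKey`. The caller must see its own opsiHostKey
    and no value for any other host.

    The test also requires that the caller's own entry and at least one
    foreign entry are returned. Without that, an empty or self-only result
    would pass although the denial was never exercised.
    """
    backend = extendedConfigDataBackend
    _, _, clients = fillBackendWithHosts(backend)
    client1 = clients[0]

    backendAccessControl = BackendAccessControl(
        username=client1.id,
        password=client1.opsiHostKey,
        backend=backend,
        acl=[
            [
                'host_getObjects',
                [{
                    'type': u'self',
                    'ids': [],
                    'denyAttributes': [],
                    'allowAttributes': []
                }]
            ],
            [
                'host_getObjects',
                [{
                    'type': u'opsi_client',
                    'ids': [],
                    'denyAttributes': ['opsiHostKey'],
                    'allowAttributes': []
                }]
            ],
        ]
    )

    sawSelf = False
    sawForeignHost = False
    for host in backendAccessControl.host_getObjects():
        if host.id == client1.id:
            sawSelf = True
            assert host.opsiHostKey == client1.opsiHostKey
        else:
            sawForeignHost = True
            # The key of any other host must never be disclosed.
            assert host.opsiHostKey is None

    # Guard against a vacuous pass: both branches above must have run.
    assert sawSelf, "own host entry was not returned"
    assert sawForeignHost, "no foreign host returned; denial was not exercised"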
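def testOnlyAccessingSelfIsPossible(extendedConfigDataBackend):
    """
    With only a `self` ACL entry the caller sees exactly its own host.

    The config server authenticates with its own id and opsiHostKey. Exactly
    one host must be returned and it must be the config server itself.
    """
    backend = extendedConfigDataBackend
    configServer, _, _ = fillBackendWithHosts(backend)

    backend = BackendAccessControl(
        backend=backend,
        username=configServer.id,
        password=configServer.opsiHostKey,
        acl=[[
            '.*',
            [{
                'type': u'self',
                'ids': [],
                'denyAttributes': [],
                'allowAttributes': []
            }]
        ]]
    )

    hosts = backend.host_getObjects()
    assert 1 == len(hosts)
    # The count alone would also be satisfied by a single foreign host, so
    # check that the one returned entry really is the caller.
    assert [host.id for host in hosts] == [configServer.id]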