def test_create_custom_role(user_policy, user_sdk: ADCMClient, sdk_client_fs: ADCMClient): """Test that "Create custom role" role is ok""" is_allowed(user_sdk, BusinessRoles.ViewRoles) is_allowed(user_sdk, BusinessRoles.CreateCustomRoles) custom_role = user_sdk.role(name="Custom role") is_denied(custom_role, BusinessRoles.EditRoles) is_denied(custom_role, BusinessRoles.RemoveRoles) delete_policy(user_policy) sdk_client_fs.role(id=custom_role.id).delete() is_denied(user_sdk, BusinessRoles.CreateCustomRoles)
def create_action_policy( client: ADCMClient, adcm_object: Union[AnyADCMObject, List[AnyADCMObject]], *business_roles: BusinessRole, user=None, group=None, ) -> Policy: """Create policy based on business roles""" if not (user or group): raise ValueError( "Either user or group should be provided to create policy") user = user or [] group = group or [] child_roles = [{ 'id': client.role(name=role.role_name).id } for role in business_roles] role_name = f"Test Action Role {random_string(6)}" action_parent_role = client.role_create(name=role_name, display_name=role_name, child=child_roles) return client.policy_create( name=f"Test Action Policy {role_name[-6:]}", role=action_parent_role, objects=adcm_object if isinstance(adcm_object, list) else [adcm_object], user=user if isinstance(user, list) else [user], group=group if isinstance(group, list) else [group], )
def check_roles_are_not_added_to_rbac_roles(client: ADCMClient, rbac_roles: Iterable[RbacRoles], children_roles_ids: Set[int]): """Check that all given RBAC default roles doesn't have all given roles as its children""" for rbac_role in rbac_roles: with allure.step( f"Check roles weren't added to role '{rbac_role.value}'"): role: Role = client.role(name=rbac_role.value) does_not_intersect( set(r.id for r in role.child_list()), children_roles_ids, 'One or more roles was found (by id) in the child list', )
def check_roles_are_added_to_rbac_roles(client: ADCMClient, rbac_roles: Iterable[RbacRoles], children_roles_ids: Set[int]): """Check that all given RBAC default roles have all given roles as its children""" for rbac_role in rbac_roles: with allure.step( f'Check roles were added to role "{rbac_role.value}"'): role: Role = client.role(name=rbac_role.value) is_superset_of( set(r.id for r in role.child_list()), children_roles_ids, 'One or more roles not found (by id) in the child list', )
def test_edit_roles(user_policy, user_sdk: ADCMClient, sdk_client_fs: ADCMClient): """Test that "Edit role" role is ok""" is_allowed(user_sdk, BusinessRoles.ViewRoles) is_denied(user_sdk, BusinessRoles.CreateCustomRoles) BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs) custom_role = user_sdk.role(name="Custom role") is_allowed(custom_role, BusinessRoles.EditRoles) is_denied(custom_role, BusinessRoles.RemoveRoles) delete_policy(user_policy) is_denied(custom_role, BusinessRoles.EditRoles)
def check_business_roles_children( client: ADCMClient, prototype: Prototype, actions: List[dict], actions_role_names: List[str] ) -> Tuple[Set[RoleShortInfo], Set[RoleShortInfo]]: """ Checks that "action" business roles have all newly created roles as its children. :returns: hidden and business roles as ShortRoleInfo set """ hidden_roles = set() business_roles = set() for action_display_name, hidden_role_name in zip( key_values_from('display_name', actions), actions_role_names): business_role_name = f'{prototype.type.capitalize()} Action: {action_display_name}' with allure.step( f'Check role "{hidden_role_name}" is a child of "{business_role_name}"' ): with catch_failed( ObjectNotFound, f'There should be a hidden role with name "{hidden_role_name}"' ): hidden_role = client.role(name=hidden_role_name, type=RoleType.HIDDEN.value) with catch_failed( ObjectNotFound, f'There should be a business role with name "{business_role_name}"' ): business_role = client.role(name=business_role_name, type=RoleType.BUSINESS.value) is_in_collection( hidden_role.id, (child.id for child in business_role.child_list()), f"Role wasn't found in children of '{hidden_role.name}'", ) hidden_roles.add(extract_role_short_info(hidden_role)) business_roles.add(extract_role_short_info(business_role)) return hidden_roles, business_roles
def test_view_policies(user_policy, user_sdk: ADCMClient, sdk_client_fs: ADCMClient): """Test that "View policies" role is ok""" BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs) custom_role = sdk_client_fs.role(name="Custom role") user = sdk_client_fs.user(username="******") is_allowed(user_sdk, BusinessRoles.ViewPolicies) is_denied(user_sdk, BusinessRoles.CreatePolicy, role=custom_role, user=[user]) delete_policy(user_policy) is_denied(user_sdk, BusinessRoles.ViewPolicies)
def test_edit_policy(user_policy, user_sdk: ADCMClient, sdk_client_fs: ADCMClient): """Test that "Edit policy" role is ok""" BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs) custom_role = sdk_client_fs.role(name="Custom role") user = sdk_client_fs.user(username="******") is_allowed(user_sdk, BusinessRoles.ViewPolicies) is_denied(user_sdk, BusinessRoles.CreatePolicy, role=custom_role, user=[user]) custom_policy = user_sdk.policy(id=sdk_client_fs.policy_create( name="Test policy", objects=[], role=custom_role, user=[user]).id) is_allowed(custom_policy, BusinessRoles.EditPolicy) is_denied(custom_policy, BusinessRoles.RemovePolicy) delete_policy(user_policy) is_denied(user_sdk, BusinessRoles.ViewPolicies) is_denied(custom_policy, BusinessRoles.EditPolicy)
def _form_children(admin_client: ADCMClient, *business_roles: BusinessRoles) -> List[Dict[str, int]]: """Create list of children for role based on business roles""" return [{"id": admin_client.role(name=role.value.role_name).id} for role in business_roles]
def grant_role(self, client: ADCMClient, user: User, role: RbacRoles, *objects: AnyADCMObject) -> Policy: """Grant RBAC default role to a user""" with allure.step(f'Grant role "{role.value}" to user {user.username}'): return client.policy_create( name=f'{user.username} is {role.value}', role=client.role(name=role.value), objects=objects, user=[user] )