def test_view_application_configurations(
    user_policy: Policy,
    user_sdk: ADCMClient,
    prepare_objects,
    second_objects,
):
    """
    Check that the view-application-configurations role grants read-only access
    to the expected objects and nothing beyond them.

    Steps:
      * objects expected to be covered by the policy are viewable but not editable;
      * the provider, the host and every object of the second set stay hidden;
      * once the policy is deleted, the covered objects are no longer viewable.

    NOTE(review): the scope of ``user_policy`` comes from a fixture that is not
    visible here; presumably it is bound to the first cluster. Confirm this.
    """
    admin_cluster, *_ = prepare_objects
    cluster, service, component, provider, host = as_user_objects(user_sdk, *prepare_objects)
    foreign_objects = as_user_objects(user_sdk, *second_objects)

    # A service added after the fixtures ran: the view permission is expected
    # to reach it (and its component) as well.
    added_service = admin_cluster.service_add(name="new_service")
    second_service_on_first_cluster = user_sdk.service(id=added_service.id)
    second_component_on_first_cluster = second_service_on_first_cluster.component(name="test_component")

    in_scope = (
        cluster,
        service,
        component,
        second_service_on_first_cluster,
        second_component_on_first_cluster,
    )

    is_allowed_to_view(*in_scope)
    # The negative checks are what catch an over-broad grant: viewing must not
    # imply editing, and must not leak to objects outside the expected scope.
    is_denied_to_edit(*in_scope)
    is_denied_to_view(provider, host, *foreign_objects)

    # Revocation: deleting the policy must take the view permission away.
    delete_policy(user_policy)
    is_denied_to_view(*in_scope)
def test_service_administrator(
    user,
    user_sdk: ADCMClient,
    sdk_client_fs,
    prepare_objects,
    second_objects,
):
    """
    Check that the service administrator role gives access to exactly one
    service and its components.

    A policy with the ServiceAdministrator role is created for ``user`` on a
    single service. That service and its component must then be viewable and
    editable. The parent cluster, a sibling service on the same cluster, the
    provider-side objects and every object of the second set must stay hidden.
    """
    admin_cluster, *_ = prepare_objects
    cluster, service, component, *provider_objects = as_user_objects(user_sdk, *prepare_objects)

    # Sibling service on the same cluster: it must NOT be covered by a policy
    # that names only `service`.
    added_service = admin_cluster.service_add(name="new_service")
    second_service_on_first_cluster = user_sdk.service(id=added_service.id)

    (
        second_cluster,
        second_service,
        second_component,
        *second_provider_objects,
    ) = as_user_objects(user_sdk, *second_objects)

    role = sdk_client_fs.role(name=RbacRoles.ServiceAdministrator.value)
    sdk_client_fs.policy_create(
        name=f"Policy with role {role.name}",
        role=role,
        objects=[service],
        user=[user],
        group=[],
    )

    granted = (service, component)
    is_allowed_to_view(*granted)
    is_allowed_to_edit(*granted)

    # Everything outside the single service is expected to be invisible,
    # including the cluster that owns it.
    out_of_scope = (
        cluster,
        second_cluster,
        second_service,
        second_component,
        second_service_on_first_cluster,
        *provider_objects,
        *second_provider_objects,
    )
    is_denied_to_view(*out_of_scope)
def __check_components(
    adcm_client: ADCMClient,
    comparator: Callable,
    components: Dict[int, ADCMObjectField],
    service_ids: Collection[int],
):
    """
    Run ``comparator`` over every tracked component found under the given services.

    Each service id is resolved through ``adcm_client.service`` and its components
    are walked via ``get_objects_via_pagination(service.component_list)``. A
    component whose id is a key of ``components`` is passed to ``comparator``
    together with the value stored for it; other components are skipped.

    The original note on this helper says components are reached this way
    because ``.component`` is not implemented on the client.
    """
    tracked_ids = components.keys()
    for service_id in service_ids:
        service = adcm_client.service(id=service_id)
        for component in get_objects_via_pagination(service.component_list):
            component_id = component.id
            if component_id not in tracked_ids:
                continue
            comparator(component, components[component_id])
def test_remove_another_object_from_policy(
    user_sdk: ADCMClient,
    user,
    prepare_objects,
    sdk_client_fs,
):
    """
    Test that the user still has access after an object is removed from the
    policy, as long as its higher-level object remains in the policy.

    The policy starts with both the cluster and the service. It is then updated
    to list only the cluster, and the config-view checks on both the cluster
    and the service must still pass.
    """
    admin_cluster, admin_service, *_ = prepare_objects
    cluster = user_sdk.cluster(id=admin_cluster.id)
    service = user_sdk.service(id=admin_service.id)

    policy = create_policy(
        sdk_client_fs,
        CLUSTER_VIEW_CONFIG_ROLES,
        objects=[cluster, service],
        users=[user],
        groups=[],
    )
    is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
    is_allowed(service, BusinessRoles.ViewServiceConfigurations)

    with allure.step("Remove object from policy"):
        # Only the cluster stays in the policy; the service entry is dropped.
        remaining_objects = [{"id": cluster.id, "type": "cluster"}]
        policy.update(object=remaining_objects)

    # Same two checks as before the update: access is expected to be unchanged.
    is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
    is_allowed(service, BusinessRoles.ViewServiceConfigurations)
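def test_remove_object_from_policy(user_sdk: ADCMClient, user, prepare_objects, sdk_client_fs):
    """
    Test that the user loses access to an object once the policy is re-pointed
    at a different object.

    The policy carries both the cluster-level and the service-level
    config-view roles and initially targets the cluster. After the policy
    object is changed to the service, the cluster config must be denied and
    the service config must be allowed.
    """
    cluster_via_admin, service_via_admin, *_ = prepare_objects
    cluster = user_sdk.cluster(id=cluster_via_admin.id)
    service = user_sdk.service(id=service_via_admin.id)
    policy = create_policy(
        sdk_client_fs,
        [BusinessRoles.ViewClusterConfigurations, BusinessRoles.ViewServiceConfigurations],
        objects=[cluster],
        users=[user],
        groups=[],
    )
    is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)

    with allure.step("Change policy object from cluster to service"):
        policy.update(object=[{"id": service_via_admin.id, "type": "service"}])

    # Revocation check: the cluster is no longer a policy object.
    is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
    # The service is checked against the service-level role the policy carries.
    # The original asserted the cluster-level role here, so the check did not
    # name the permission it was meant to verify.
    is_allowed(service, BusinessRoles.ViewServiceConfigurations)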