def test_check_make_public_block(self): # 1. Already public. brl_master = BRLBlock("goku/goku/block/master") bper_master = ElementPermissions(brl_master, private=False) self.store.upsert_block_permissions(bper_master) # 2. Bulma cant make it public even its already public ensure = Security("bulma", self.store) self._subscribe("bulma", "enterprise_275_50_x") self.assertRaises(ForbiddenException, ensure.check_make_private_a_block, "goku") # 3. Now block is public, so bulma cant make it public bper_master = ElementPermissions(brl_master, private=True) self.store.upsert_block_permissions(bper_master) self.assertRaises(ForbiddenException, ensure.check_make_public_a_block, "goku") # 4. Grant read and write, and bulma still cant make it public bper_master.read.grant("bulma") bper_master.write.grant("bulma") self.store.upsert_block_permissions(bper_master) self.assertRaises(ForbiddenException, ensure.check_make_public_a_block, "goku") # 5. Make bulma an admin, now bulma can make it public goku = self.store.read_user("goku") goku.administrators.grant("bulma") self.store.update_user(goku) ensure.check_make_public_a_block("goku") # 5. Bulma can make public the block even when suscription is not active self._subscribe("bulma", "free") goku = self.store.read_user("goku") self.store.update_user(goku) ensure.check_make_public_a_block("goku")
def test_delete_block(self): # First create master block permissions. Public brl = BRLBlock("goku/goku/block/master") bper_master = ElementPermissions(brl, private=True) self.store.upsert_block_permissions(bper_master) # 1. Owner can always delete a private block, even if i am not paying ensure = Security("goku", self.store) self._subscribe("goku", "enterprise_275_50_x") ensure.check_delete_block(brl) self._subscribe("freezer", "free") ensure.check_delete_block(brl) # 2. Other user can't delete block ensure = Security("freezer", self.store) self._subscribe("freezer", "enterprise_275_50_x") self.assertRaises(ForbiddenException, ensure.check_delete_block, brl) # 3. A user with read and write permissions cant delete ensure = Security("bulma", self.store) bper = ElementPermissions(brl, private=True) bper.write.grant("bulma") bper.read.grant("bulma") self.store.upsert_block_permissions(bper) self.assertRaises(ForbiddenException, ensure.check_delete_block, brl) # 3. But an admin user can delete it goku = self.store.read_user("goku") goku.administrators.grant("bulma") self.store.update_user(goku) ensure.check_delete_block(brl)
def test_element_permissions(self): elem = ElementPermissions(BRLBlock("user/user/block/master"), True) elem.read.grant("pepe") elem.write.grant("juan") serial = elem.serialize() deserial = ElementPermissions.deserialize(serial) self.assertEqual(elem, deserial)
def test_check_publish_block(self): # 1. Onwer can write the block if its private brl = BRLBlock("goku/goku/block/master") self._add_block_to_user("goku", brl, True) ensure = Security("goku", self.store) self._subscribe("goku", "enterprise_275_50_x") pack = PublishRequest(BlockVersion(brl, -1)) pack.cells.append(SimpleCell('user/block/r1.h')) pack.contents['r1.h'] = Content(id_=None, load=Blob('hola')) pack.versiontag = 'mytag' ensure.check_publish_block(brl, pack) # If the owner is not paying he can't write ensure = Security("goku", self.store) self._subscribe("goku", "free") self.assertRaises(ForbiddenException, ensure.check_publish_block, brl, pack) self._subscribe("goku", "enterprise_275_50_x") # 1b. But other not granted user can't write ensure = Security("freezer", self.store) self._subscribe("freezer", "enterprise_275_50_x") self.assertRaises(ForbiddenException, ensure.check_publish_block, brl, pack) # 2. If bulma is granted as administrator or write he can write ensure = Security("bulma", self.store) self._subscribe("bulma", "enterprise_275_50_x") goku = self.store.read_user("goku") goku.administrators.grant("bulma") self.store.update_user(goku) ensure.check_publish_block(brl, pack) goku.administrators.revoke("bulma") self.store.update_user(goku) self.assertRaises(ForbiddenException, ensure.check_publish_block, brl, pack) bper = ElementPermissions(brl, private=True) bper.write.grant("bulma") self.store.upsert_block_permissions(bper) ensure.check_publish_block(brl, pack) bper.write.remove("bulma") self.store.upsert_block_permissions(bper) self.assertRaises(ForbiddenException, ensure.check_publish_block, brl, pack) # 3. If we give read permissions only, user cant write bper = ElementPermissions(brl, private=True) bper.read.grant("bulma") self.store.upsert_block_permissions(bper) self.assertRaises(ForbiddenException, ensure.check_publish_block, brl, pack)
def test_read_block(self): # 1. Check we can always access a public block brl = BRLBlock("goku/goku/block/master") bper = ElementPermissions(brl, private=False) self.store.upsert_block_permissions(bper) ensure = Security("freezer", self.store) self._subscribe("freezer", "enterprise_275_50_x") ensure.check_read_block(brl) # Even owner is not paying self._subscribe("freezer", "free") ensure.check_read_block(brl) self._subscribe("freezer", "enterprise_275_50_x") # 2. Check we can read a private block due to being the owner bper = ElementPermissions(brl, private=True) self.store.upsert_block_permissions(bper) ensure = Security("goku", self.store) self._subscribe("freezer", "enterprise_275_50_x") ensure.check_read_block(brl) # 4. Check we can read the block even subscription is not valid self._subscribe("freezer", "free") ensure.check_read_block(brl) # 5. A user without read permissions cant read the block ensure = Security("bulma", self.store) self._subscribe("bulma", "enterprise_275_50_x") self.assertRaises(ForbiddenException, ensure.check_read_block, brl) # 6. Until is granted as administrator or read granted goku = self.store.read_user("goku") goku.administrators.grant("bulma") self.store.update_user(goku) ensure.check_read_block(brl) goku.administrators.revoke("bulma") self.store.update_user(goku) self.assertRaises(ForbiddenException, ensure.check_read_block, brl) bper = ElementPermissions(brl, private=True) bper.read.grant("bulma") self.store.upsert_block_permissions(bper) ensure.check_read_block(brl) bper.read.remove("bulma") self.store.upsert_block_permissions(bper) self.assertRaises(ForbiddenException, ensure.check_read_block, brl)
def test_create_block(self): brl = BRLBlock("goku/goku/block/master") # Always can make a block if its public ensure = Security("goku", self.store) self._subscribe("goku", "free") ensure.check_create_block(brl.owner, private=False) # Only can make a private block if subscription is ok self.assertRaises(ForbiddenException, ensure.check_create_block, brl.owner, private=True) self._subscribe("goku", "enterprise_275_50_x") ensure.check_create_block(brl.owner, private=True) # Other user can create a block in my namespace if its an admin, not write and read is enought ensure = Security("bulma", self.store) self._subscribe("bulma", "enterprise_275_50_x") self.assertRaises(ForbiddenException, ensure.check_create_block, brl.owner, private=True) bper = ElementPermissions(brl.owner, private=True) bper.write.grant("bulma") bper.read.grant("bulma") self.store.upsert_block_permissions(bper) self.assertRaises(ForbiddenException, ensure.check_create_block, brl.owner, private=True) # 3. But an admin user can delete it goku = self.store.read_user("goku") goku.administrators.grant("bulma") self.store.update_user(goku) ensure.check_create_block(brl.owner, private=True) ensure.check_create_block(brl.owner, private=False)
def test_publish_dev_with_tag(self, enqueuer): brl = BRLBlock('owner/user/block/branch') store = Mock(MongoServerStore) store.read_block_permissions = Mock( return_value=ElementPermissions(brl, private=False)) user = Mock() user.blocks = {} store.read_user = Mock(return_value=user) block = Mock(Block) block.add_publication.return_value = (['mock_id'], [], [], []) block.deltas = [] ensure = Security('authUser', store) ensure.check_read_block = Mock(return_value=True) ensure.check_create_block = Mock(return_value=True) ensure.check_write_block = Mock(return_value=True) ensure.check_publish_block = Mock(return_value=True) store.read_block.return_value = block store.read_published_cells.return_value = {} p = PublishService(store, 'authUser') p.security = ensure pack = PublishRequest(BlockVersion(brl, -1)) pack.cells.append(SimpleCell('user/block/r1.h')) pack.deptable = BlockVersionTable() p.publish(pack)
def get_version_info_test(self): store = Mock(GenericServerStore) # Block doesn't exist and user is other p = PublishService(store, 'any_user') block_brl = BRLBlock("user/user/theblock/master") store.read_block_permissions = Mock(side_effect=NotInStoreException()) block_info = p.get_block_info(block_brl) self.assertFalse(block_info.can_write) # Now block exists store.read_block_permissions = Mock( return_value=ElementPermissions(block_brl)) # Block exists and user is the authorized one p = PublishService(store, 'theuser') block_brl = BRLBlock("theuser/theuser/theblock/master") block_info = p.get_block_info(block_brl) self.assertTrue(block_info.can_write) # No authorized write to an existing block p = PublishService(store, 'wronguser') user = Mock(User) user.administrators = Permissions() store.read_user = Mock(return_value=user) block_info = p.get_block_info(block_brl) self.assertFalse(block_info.can_write) # Authorized user with an existing block p = PublishService(store, 'theuser') block_brl = BRLBlock("theuser/theuser/theblock/master") block_info = p.get_block_info(block_brl) self.assertTrue(block_info.can_write)
def test_grant(self): perm = ElementPermissions(1, True) self.assertFalse(perm.read.is_granted("espartaco")) perm.read.grant("espartaco") self.assertTrue(perm.read.is_granted("espartaco")) self.assertFalse(perm.write.is_granted("espartaco")) perm.read.grant("tiopepe") perm.write.grant("tiopepe") self.assertTrue(perm.write.is_granted("tiopepe")) self.assertTrue(perm.read.is_granted("tiopepe")) perm = ElementPermissions(1, True) perm.read.grant("espartaco") self.assertTrue(perm.read.is_granted("espartaco")) self.assertFalse(perm.write.is_granted("espartaco")) perm.read.revoke("espartaco") self.assertFalse(perm.read.is_granted("espartaco")) self.assertFalse(perm.write.is_granted("espartaco")) #Revoke read, revoke all perm.write.grant("espartaco") perm.read.grant("espartaco") self.assertTrue(perm.read.is_granted("espartaco")) self.assertTrue(perm.write.is_granted("espartaco")) perm.read.revoke("espartaco") self.assertFalse(perm.read.is_granted("espartaco")) self.assertTrue(perm.write.is_granted("espartaco")) #Revoke write, keep read perm.read.grant("espartaco") perm.write.revoke("espartaco") self.assertTrue(perm.read.is_granted("espartaco")) self.assertFalse(perm.write.is_granted("espartaco")) perm.write.revoke("espartaco") self.assertTrue(perm.read.is_granted("espartaco")) self.assertFalse(perm.write.is_granted("espartaco")) #Revoke read and write perm.write.grant("espartaco") self.assertTrue(perm.read.is_granted("espartaco")) self.assertTrue(perm.write.is_granted("espartaco")) perm.write.revoke("espartaco") perm.read.revoke("espartaco") self.assertFalse(perm.read.is_granted("espartaco")) self.assertFalse(perm.write.is_granted("espartaco"))
def _add_block_to_user(self, brl_user, brl_block, private): brl_block = BRLBlock(brl_block) user = self.store.read_user(brl_user) user.add_block(brl_block) self.store.update_user(user) bper_master = ElementPermissions(brl_block, private) self.store.upsert_block_permissions(bper_master)
def test_write_block(self): # 1. Onwer can write the block if its private brl = BRLBlock("goku/goku/block/master") self._add_block_to_user("goku", brl, True) ensure = Security("goku", self.store) self._subscribe("goku", "enterprise_275_50_x") ensure.check_write_block(brl) # If the owner is not paying he can't write ensure = Security("goku", self.store) self._subscribe("goku", "free") self.assertRaises(ForbiddenException, ensure.check_write_block, brl) self._subscribe("goku", "enterprise_275_50_x") # 1b. But other not granted user can't write ensure = Security("freezer", self.store) self._subscribe("freezer", "enterprise_275_50_x") self.assertRaises(ForbiddenException, ensure.check_write_block, brl) # 2. If bulma is granted as administrator or write he can write ensure = Security("bulma", self.store) self._subscribe("bulma", "enterprise_275_50_x") goku = self.store.read_user("goku") goku.administrators.grant("bulma") self.store.update_user(goku) ensure.check_write_block(brl) goku.administrators.revoke("bulma") self.store.update_user(goku) self.assertRaises(ForbiddenException, ensure.check_write_block, brl) bper = ElementPermissions(brl, private=True) bper.write.grant("bulma") self.store.upsert_block_permissions(bper) ensure.check_write_block(brl) bper.write.remove("bulma") self.store.upsert_block_permissions(bper) self.assertRaises(ForbiddenException, ensure.check_write_block, brl) # 3. If we give read permissions only, user cant write bper = ElementPermissions(brl, private=True) bper.read.grant("bulma") self.store.upsert_block_permissions(bper) self.assertRaises(ForbiddenException, ensure.check_write_block, brl)
def test_publish_no_contents(self, enqueuer): brl = BRLBlock('owner/user/block/branch') store = Mock(MongoServerStore) store.read_block_permissions = Mock( return_value=ElementPermissions(brl, private=False)) p = PublishService(store, 'authUser') pack = PublishRequest(BlockVersion(brl, -1)) pack.cells.append(SimpleCell('user/block/r1.h')) pack.contents['r1.h'] = Content(id_=None, load=Blob('hola')) pack.versiontag = 'mytag' with self.assertRaisesRegexp(PublishException, 'DEV'): p.publish(pack)
def test_equals(self): perm1 = ElementPermissions(1, True) perm2 = ElementPermissions(1, False) self.assertNotEqual(perm1, perm2) perm1.is_private = False perm1.read.grant(BRLUser("laso")) perm2.read.grant(BRLUser("laso")) self.assertEqual(perm1, perm2) perm1.read.grant(BRLUser("laso2")) perm2.read.grant(BRLUser("laso3")) self.assertNotEqual(perm1, perm2) perm1.read.grant(BRLUser("laso3")) perm2.read.grant(BRLUser("laso2")) self.assertEqual(perm1, perm2) perm1.write.grant(BRLUser("laso")) self.assertNotEqual(perm1, perm2) perm2.write.grant(BRLUser("laso")) self.assertEqual(perm1, perm2)
def setUp(self): unittest.TestCase.setUp(self) self.store = TestingMemServerStore() self.store.create_user(User("goku")) self.store.create_user(User("krilin")) self.store.create_user(User("freezer")) self.store.create_user(User("bulma")) self.public_brl = BRLBlock("goku/goku/block/ballno1") bper = ElementPermissions(self.public_brl, private=False) self.store.upsert_block_permissions(bper) goku = self.store.read_user("goku") goku.add_block(self.public_brl) self.store.update_user(goku)
def test_update_permissions(self): myblock = self.mother.make_block(self.user) # Check default permissions access = self.store.read_block_permissions(myblock.ID) perm = ElementPermissions(False) self.assertTrue(access, perm) # Update permissions access.read.grant("pepe") access.read.grant("jaunito") access.write.grant("jaunito") self.store.update_block_permissions(access) perms = self.store.read_block_permissions(myblock.ID) self.assertTrue(perms.read.is_granted("pepe")) self.assertFalse(perms.write.is_granted("pepe")) self.assertTrue(perms.read.is_granted("jaunito")) self.assertTrue(perms.write.is_granted("jaunito"))
def test_publish(self, enqueuer): brl = BRLBlock('owner/user/block/branch') # moduleID=BlockID(UserID(123),456) store = Mock(MongoServerStore) store.read_block_permissions = Mock( return_value=ElementPermissions(brl, private=False)) user = User("owner") user.numeric_id = 1 user.blocks = {} store.read_user = Mock(return_value=user) block = Mock(Block) block.last_version.return_value = Mock(BlockVersion) block.add_publication.return_value = (Mock(list), Mock(list), Mock(list), Mock(list)) block.deltas = [] ensure = Security('authUser', store) ensure.check_create_block = Mock(return_value=True) ensure.check_write_block = Mock(return_value=True) ensure.check_read_block = Mock(return_value=True) store.read_block.return_value = block store.read_published_cells.return_value = {} p = PublishService(store, 'authUser') p.security = ensure pack = PublishRequest(BlockVersion(brl, -1)) pack.cells.append(SimpleCell('user/block/r1.h')) pack.contents['r1.h'] = Content(id_=None, load=Blob('hola')) pack.cells.append(SimpleCell('user/block/r2.h')) pack.contents['r2.h'] = Content(id_=None, load=Blob('hola')) pack.cells.append(SimpleCell('user/block/r3.h')) pack.contents['r3.h'] = Content(id_=None, load=Blob('hola')) pack.deptable = BlockVersionTable() p.publish(pack) block.add_publication.assert_called_once_with(pack, p.auth_user) store.update_block.assert_called_once_with(block) self.assertEqual(1, store.create_published_cells.call_count) self.assertEqual(1, store.create_published_contents.call_count) # Check sizes self.assertEquals(user.blocks_bytes, 12) # 12 bytes "hola" * 3 # Publish again, see the size incremented pack._bytes = None # Lazy computed p.publish(pack) self.assertEquals(user.blocks_bytes, 24) # 24 bytes: "hola" * 3 * 2 publications # Max size exceeded for user user.max_workspace_size = 25 self.assertRaises(ForbiddenException, p.publish, pack) # Try to publish only 1 byte pack._bytes = None # Lazy computed pack.cells = [] pack.contents = {} pack.cells.append(SimpleCell('user/block/r1.h')) pack.contents['r1.h'] = Content(id_=None, load=Blob('h')) p.publish(pack)
def create_block(self, value, private=False): '''Insert a block. Value is a Block instance''' # Create default permissions self.create(ElementPermissions(value.ID, private), GenericServerStore.BLOCK_PERMISSIONS_ST) return self.create(value, GenericServerStore.BLOCK_ST)