def test_get_rules_for_user_3(self):
"""A normal user can only get logs for certain containers
"""
config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
payload = Payload({
"User": "******",
"RequestMethod": "GET",
"RequestUri": "/v1.32/containers/123/logs",
"Host": "wks01",
})
expected = {"ContainerName": ["^bar-", "^foo-", "^$USER-"]}
rules = config.get_rules(payload)
self.assertEqual(len(rules), 1)
self.assertIn(expected, rules)
def test_get_rules_for_user_2(self):
"""A normal user can create containers on workstation
"""
config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
payload = Payload({
"User": "******",
"RequestMethod": "POST",
"RequestUri": "/v1.32/containers/create",
"Host": "wks01",
})
rules = config.get_rules(payload)
self.assertEqual(len(rules), 3)
self.assertIn('ContainerName', rules)
self.assertIn('ImagesName', rules)
self.assertIn('BindVolumes', rules)
def test_with_flag_true(self):
"""Validate Privileged with flag as true
"""
config = Config(policies=POLICIES, groups=GROUPS)
privileged = Privileged()
with self.assertRaises(UnauthorizedException):
privileged.run(config, Payload(MOCKED_PRIVILEGED_TRUE))
def test_init_with_values(self):
"""Store and read arbitrary config
"""
policies = {"foo": "foo"}
groups = {"bar": "bar"}
config = Config(policies=policies, groups=groups)
self.assertEqual(config.policies, policies)
self.assertEqual(config.groups, groups)
def test_override_config(self):
"""Change processor config once for all
"""
processor = Processor()
self.assertIsNone(processor.config.groups)
self.assertIsNone(processor.config.policies)
processor.config = Config(GROUPS, POLICIES_ALLOW)
self.assertEqual(len(processor.config.groups), 1)
self.assertEqual(len(processor.config.policies), 1)
def test_config_is_not_shared(self):
"""Config objects must not share config
"""
policies1 = {"foo": "foo"}
policies2 = {"bar": "bar"}
groups1 = {"foo": "foo"}
groups2 = {"bar": "bar"}
config1 = Config(policies=policies1, groups=groups1)
self.assertEqual(policies1, config1.policies)
self.assertEqual(groups1, config1.groups)
config2 = Config(policies=policies2, groups=groups2)
self.assertEqual(policies2, config2.policies)
self.assertEqual(groups2, config2.groups)
self.assertNotEqual(policies1, config2.policies)
self.assertNotEqual(groups1, config2.groups)
def test_policyless_deny(self):
"""The most simple policy
"""
payload = Payload({
"User": "******",
"RequestMethod": "POST",
"RequestUri": "/v1.32/containers/create",
"Host": "srv33",
})
policy_deny = [{
"description": "Deny everything.",
"hosts": [r"+.*"],
"default": "Deny",
}]
config = Config(policies=policy_deny)
rules = config.get_rules(payload)
self.assertEqual(len(rules), 1)
self.assertIn('Deny', rules)
def test_get_policy_by_member(self):
"""Retrieve policy group by member
"""
policies = [
{
"members": ["admins"],
"rules": "_administrators"
},
{
"members": ["anonymous"],
"rules": "_anonymous"
},
]
groups = {
"admins": ["rda", "mal"],
"anonymous": ["Anonymous"],
}
config = Config(groups=groups)
self.assertEqual(config._get_policy_by_member(None, policies),
"_anonymous")
self.assertEqual(config._get_policy_by_member("mal", policies),
"_administrators")
self.assertEqual(config._get_policy_by_member("jre", policies), None)
def test_run_simple_allow(cls):
"""Validate Allow
"""
processor = Processor()
processor.config = Config(GROUPS, POLICIES_ALLOW)
processor.run(body=mocked_body)
def test_init(self):
"""Validate Deny initialization
"""
deny = Deny()
with self.assertRaises(UnauthorizedException):
deny.run(Config(), {})
def test_init(cls):
"""Validate Allow initialization
"""
allow = Allow()
allow.run(Config(), {})
def test_read_operation():
"""Validate ReadOnly on read operations
"""
readonly = ReadOnly()
readonly.run(Config(), Payload(MOCKED_GET_BODY))
readonly.run(Config(), Payload(MOCKED_HEAD_BODY))
def do_test(self):
"""Verify host matcher
"""
getattr(self,
'assert{}'.format(expect))(Config._match_host(host, hosts))
def test_match_host(self):
"""Verify host matcher
"""
with self.assertRaises(ConfigurationException):
self.assertTrue(Config._match_host("srv01", [r".*"]))
def test_run_simple_allow_as_string(cls):
"""Validate Allow from string
"""
processor = Processor()
processor.config = Config(GROUPS, POLICIES_ALLOW)
processor.run(body=json.dumps(mocked_body))
def do_test(self):
"""Verify rules matcher
"""
result = len(Config._match_rules(action_name, actions))
self.assertEqual(result, expected,
'expected: {!r}, got: {!r}'.format(expect, result))
def test_init(self):
"""Empty config should not raise any error
"""
config = Config()
self.assertEqual(config.policies, None)
self.assertEqual(config.groups, None)