Python SecurePermissionAPI 예제들

예제 #1

파일: permission.py 프로젝트: fluidinfo/fluiddb

 def run():
     permissions = SecurePermissionAPI(session.auth.user)
     try:
         permissions.set([(path, operation, policy, exceptions)])
     except UnknownPathError as error:
         session.log.exception(error)
         unknownPath = error.paths[0]
         if operation in Operation.TAG_OPERATIONS:
             raise TNonexistentTag(unknownPath.encode('utf-8'))
         if operation in Operation.NAMESPACE_OPERATIONS:
             raise TNonexistentNamespace(unknownPath.encode('utf-8'))
         raise
     except UnknownUserError as error:
         # FIXME There could be more than one unknown username, but
         # TNoSuchUser can only be passed a single username, so we'll
         # only pass the first one.  Ideally, we'd be able to pass all
         # of them.
         raise TNoSuchUser(error.usernames[0].encode('utf-8'))
     except UserNotAllowedInExceptionError as error:
         raise TInvalidUsername(str(error))
     except PermissionDeniedError as error:
         session.log.exception(error)
         deniedPath, deniedOperation = error.pathsAndOperations[0]
         deniedCategory, deniedAction = getCategoryAndAction(
             deniedOperation)
         raise TPathPermissionDenied(deniedPath, deniedCategory,
                                     deniedAction)

예제 #2

파일: permission.py 프로젝트: xanixon/fluiddb

 def run():
     permissions = SecurePermissionAPI(session.auth.user)
     try:
         permissions.set([(path, operation, policy, exceptions)])
     except UnknownPathError as error:
         session.log.exception(error)
         unknownPath = error.paths[0]
         if operation in Operation.TAG_OPERATIONS:
             raise TNonexistentTag(unknownPath.encode('utf-8'))
         if operation in Operation.NAMESPACE_OPERATIONS:
             raise TNonexistentNamespace(unknownPath.encode('utf-8'))
         raise
     except UnknownUserError as error:
         # FIXME There could be more than one unknown username, but
         # TNoSuchUser can only be passed a single username, so we'll
         # only pass the first one.  Ideally, we'd be able to pass all
         # of them.
         raise TNoSuchUser(error.usernames[0].encode('utf-8'))
     except UserNotAllowedInExceptionError as error:
         raise TInvalidUsername(str(error))
     except PermissionDeniedError as error:
         session.log.exception(error)
         deniedPath, deniedOperation = error.pathsAndOperations[0]
         deniedCategory, deniedAction = getCategoryAndAction(
             deniedOperation)
         raise TPathPermissionDenied(deniedPath, deniedCategory,
                                     deniedAction)

예제 #3

파일: test_permission.py 프로젝트: xanixon/fluiddb

 def setUp(self):
     super(SecurePermissionAPIWithNormalUserTest, self).setUp()
     createSystemData()
     UserAPI().create([(u'username', u'password', u'User',
                        u'*****@*****.**')])
     user = getUser(u'username')
     TagAPI(user).create([(u'username/tag', u'description')])
     self.permissions = SecurePermissionAPI(user)

예제 #4

파일: test_permission.py 프로젝트: xanixon/fluiddb

 def setUp(self):
     super(SecurePermissionAPIWithBrokenCacheTest, self).setUp()
     self.system = createSystemData()
     UserAPI().create([(u'username', u'password', u'User',
                        u'*****@*****.**')])
     self.user = getUser(u'username')
     self.permissions = SecurePermissionAPI(self.user)

예제 #5

파일: test_permission.py 프로젝트: fluidinfo/fluiddb

 def setUp(self):
     super(SecurePermissionAPIWithNormalUserTest, self).setUp()
     createSystemData()
     UserAPI().create([(u'username', u'password', u'User',
                        u'*****@*****.**')])
     user = getUser(u'username')
     TagAPI(user).create([(u'username/tag', u'description')])
     self.permissions = SecurePermissionAPI(user)

예제 #6

파일: test_permission.py 프로젝트: xanixon/fluiddb

 def setUp(self):
     super(SecurePermissionAPIWithAnonymousRoleTest, self).setUp()
     system = createSystemData()
     user = system.users[u'anon']
     self.permissions = SecurePermissionAPI(user)
     UserAPI().create([(u'username', u'password', u'User',
                        u'*****@*****.**')])
     user = getUser(u'username')
     TagAPI(user).create([(u'username/tag', u'description')])

예제 #7

파일: permission.py 프로젝트: xanixon/fluiddb

        def run():
            permissions = SecurePermissionAPI(session.auth.user)
            try:
                result = permissions.get([(path, operation)])
            except UnknownPathError as error:
                session.log.exception(error)
                unknownPath = error.paths[0]
                if operation in Operation.TAG_OPERATIONS:
                    raise TNonexistentTag(unknownPath.encode('utf-8'))
                if operation in Operation.NAMESPACE_OPERATIONS:
                    raise TNonexistentNamespace(unknownPath.encode('utf-8'))
                raise
            except PermissionDeniedError as error:
                session.log.exception(error)
                deniedPath, deniedOperation = error.pathsAndOperations[0]
                deniedCategory, deniedAction = getCategoryAndAction(
                    deniedOperation)
                raise TPathPermissionDenied(deniedPath, deniedCategory,
                                            deniedAction)

            policy, exceptions = result[(path, operation)]
            policy = str(policy).lower()
            return TPolicyAndExceptions(policy=policy, exceptions=exceptions)

예제 #8

파일: permission.py 프로젝트: fluidinfo/fluiddb

        def run():
            permissions = SecurePermissionAPI(session.auth.user)
            try:
                result = permissions.get([(path, operation)])
            except UnknownPathError as error:
                session.log.exception(error)
                unknownPath = error.paths[0]
                if operation in Operation.TAG_OPERATIONS:
                    raise TNonexistentTag(unknownPath.encode('utf-8'))
                if operation in Operation.NAMESPACE_OPERATIONS:
                    raise TNonexistentNamespace(unknownPath.encode('utf-8'))
                raise
            except PermissionDeniedError as error:
                session.log.exception(error)
                deniedPath, deniedOperation = error.pathsAndOperations[0]
                deniedCategory, deniedAction = getCategoryAndAction(
                    deniedOperation)
                raise TPathPermissionDenied(deniedPath, deniedCategory,
                                            deniedAction)

            policy, exceptions = result[(path, operation)]
            policy = str(policy).lower()
            return TPolicyAndExceptions(policy=policy, exceptions=exceptions)

예제 #9

파일: test_permission.py 프로젝트: fluidinfo/fluiddb

 def setUp(self):
     super(SecurePermissionAPIWithSuperUserRoleTest, self).setUp()
     system = createSystemData()
     user = system.users[u'fluiddb']
     self.permissions = SecurePermissionAPI(user)
     TagAPI(user).create([(u'fluiddb/tag', u'description')])

예제 #10

파일: test_permission.py 프로젝트: fluidinfo/fluiddb

class SecurePermissionAPIWithSuperUserRoleTest(FluidinfoTestCase):

    resources = [('cache', CacheResource()),
                 ('config', ConfigResource()),
                 ('store', DatabaseResource())]

    def setUp(self):
        super(SecurePermissionAPIWithSuperUserRoleTest, self).setUp()
        system = createSystemData()
        user = system.users[u'fluiddb']
        self.permissions = SecurePermissionAPI(user)
        TagAPI(user).create([(u'fluiddb/tag', u'description')])

    def testGetNamespacePermissionsIsAlwaysAllowed(self):
        """
        Getting namespace permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb', Operation.CONTROL_NAMESPACE,
                               Policy.CLOSED, [])])
        result = self.permissions.get([(u'fluiddb',
                                        Operation.CREATE_NAMESPACE)])
        self.assertEqual(1, len(result))

    def testGetTagPermissionsIsAllowed(self):
        """
        Getting tag permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb/tag', Operation.CONTROL_TAG,
                               Policy.CLOSED, [])])
        result = self.permissions.get([(u'fluiddb/tag',
                                        Operation.UPDATE_TAG)])
        self.assertEqual(1, len(result))

    def testGetTagValuePermissionsIsAllowed(self):
        """
        Getting tag-value permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.CLOSED, [])])
        result = self.permissions.get([(u'fluiddb/tag',
                                        Operation.READ_TAG_VALUE)])
        self.assertEqual(1, len(result))

    def testSetNamespacePermissionsIsAlwaysAllowed(self):
        """
        Updating namespace permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb', Operation.CONTROL_NAMESPACE,
                               Policy.CLOSED, [])])
        values = [(u'fluiddb', Operation.CREATE_NAMESPACE, Policy.OPEN, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'fluiddb', Operation.CREATE_NAMESPACE)]
        expected = {
            (u'fluiddb', Operation.CREATE_NAMESPACE): (Policy.OPEN, [])}
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

    def testSetTagPermissionsIsAllowed(self):
        """
        Updating tag permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb/tag', Operation.CONTROL_TAG,
                               Policy.CLOSED, [])])
        values = [(u'fluiddb/tag', Operation.UPDATE_TAG, Policy.OPEN, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'fluiddb/tag', Operation.UPDATE_TAG)]
        expected = {
            (u'fluiddb/tag', Operation.UPDATE_TAG): (Policy.OPEN, [])}
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

    def testSetTagValuePermissionsIsAllowed(self):
        """
        Updating tag-value permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.CLOSED, [])])
        values = [(u'fluiddb/tag', Operation.READ_TAG_VALUE, Policy.OPEN, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'fluiddb/tag', Operation.READ_TAG_VALUE)]
        expected = {
            (u'fluiddb/tag', Operation.READ_TAG_VALUE): (Policy.OPEN, [])}
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

예제 #11

파일: test_permission.py 프로젝트: fluidinfo/fluiddb

class SecurePermissionAPIWithNormalUserTest(FluidinfoTestCase):

    resources = [('cache', CacheResource()),
                 ('config', ConfigResource()),
                 ('store', DatabaseResource())]

    def setUp(self):
        super(SecurePermissionAPIWithNormalUserTest, self).setUp()
        createSystemData()
        UserAPI().create([(u'username', u'password', u'User',
                           u'*****@*****.**')])
        user = getUser(u'username')
        TagAPI(user).create([(u'username/tag', u'description')])
        self.permissions = SecurePermissionAPI(user)

    def testGetNamespacePermissionsIsAllowed(self):
        """
        Getting namespace permissions is allowed if the user has
        C{Operation.CONTROL_NAMESPACE} permissions.
        """
        self.permissions.set([(u'username', Operation.CONTROL_NAMESPACE,
                               Policy.OPEN, [])])
        result = self.permissions.get([(u'username',
                                        Operation.CREATE_NAMESPACE)])
        self.assertEqual(1, len(result))

    def testGetNamespacePermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.set} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_NAMESPACE} permissions on the
        given path.
        """
        self.permissions.set([(u'username', Operation.CONTROL_NAMESPACE,
                               Policy.CLOSED, [])])
        values = [(u'username', Operation.DELETE_NAMESPACE)]
        error = self.assertRaises(PermissionDeniedError,
                                  self.permissions.get, values)
        self.assertEqual([(u'username', Operation.CONTROL_NAMESPACE)],
                         sorted(error.pathsAndOperations))

    def testGetTagPermissionsIsAllowed(self):
        """
        Getting tag permissions is allowed if the user has
        C{Operation.CONTROL_TAG} permissions.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG,
                               Policy.OPEN, [])])
        result = self.permissions.get([(u'username/tag',
                                        Operation.UPDATE_TAG)])
        self.assertEqual(1, len(result))

    def testGetTagPermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.set} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_TAG} permissions on the
        given path.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG,
                               Policy.CLOSED, [])])
        values = [(u'username/tag', Operation.DELETE_TAG)]
        error = self.assertRaises(PermissionDeniedError,
                                  self.permissions.get, values)
        self.assertEqual([(u'username/tag', Operation.CONTROL_TAG)],
                         sorted(error.pathsAndOperations))

    def testGetTagValuePermissionsIsAllowed(self):
        """
        Getting tag value permissions is allowed if the user has
        C{Operation.CONTROL_TAG_VALUE} permissions.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.OPEN, [])])
        result = self.permissions.get([(u'username/tag',
                                        Operation.READ_TAG_VALUE)])
        self.assertEqual(1, len(result))

    def testGetTagValuePermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.get} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_TAG_VALUE} permissions on the
        given path.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.CLOSED, [])])
        values = [(u'username/tag', Operation.WRITE_TAG_VALUE)]
        error = self.assertRaises(PermissionDeniedError,
                                  self.permissions.get, values)
        self.assertEqual([(u'username/tag', Operation.CONTROL_TAG_VALUE)],
                         sorted(error.pathsAndOperations))

    def testSetNamespacePermissionsIsAllowed(self):
        """
        Updating namespace permissions is allowed if the user has
        C{Operation.CONTROL_NAMESPACE} permissions.
        """
        self.permissions.set([(u'username', Operation.CONTROL_NAMESPACE,
                               Policy.OPEN, [])])
        values = [(u'username', Operation.CREATE_NAMESPACE, Policy.CLOSED, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'username', Operation.CREATE_NAMESPACE)]
        expected = {
            (u'username', Operation.CREATE_NAMESPACE): (Policy.CLOSED, [])}
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

    def testSetNamespacePermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.set} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_NAMESPACE} permissions on the
        given path.
        """
        self.permissions.set([(u'username', Operation.CONTROL_NAMESPACE,
                               Policy.CLOSED, [])])
        values = [(u'username', Operation.DELETE_NAMESPACE, Policy.OPEN, [])]
        error = self.assertRaises(PermissionDeniedError,
                                  self.permissions.set, values)
        self.assertEqual([(u'username', Operation.CONTROL_NAMESPACE)],
                         sorted(error.pathsAndOperations))

    def testSetTagPermissionsIsAllowed(self):
        """
        Updating tag permissions is allowed if the user has
        C{Operation.CONTROL_TAG} permissions.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG,
                               Policy.OPEN, [])])
        values = [(u'username/tag', Operation.UPDATE_TAG, Policy.CLOSED, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'username/tag', Operation.UPDATE_TAG)]
        expected = {
            (u'username/tag', Operation.UPDATE_TAG): (Policy.CLOSED, [])}
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

    def testSetTagPermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.set} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_TAG} permissions on the
        given path.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG,
                               Policy.CLOSED, [])])
        values = [(u'username/tag', Operation.DELETE_TAG,
                  Policy.OPEN, [])]
        error = self.assertRaises(PermissionDeniedError,
                                  self.permissions.set, values)
        self.assertEqual([(u'username/tag', Operation.CONTROL_TAG)],
                         sorted(error.pathsAndOperations))

    def testSetTagValuePermissionsIsAllowed(self):
        """
        Updating tag value permissions is allowed if the user has
        C{Operation.CONTROL_TAG_VALUE} permissions.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.OPEN, [])])
        values = [(u'username/tag', Operation.READ_TAG_VALUE,
                   Policy.CLOSED, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'username/tag', Operation.READ_TAG_VALUE)]
        expected = {
            (u'username/tag', Operation.READ_TAG_VALUE): (Policy.CLOSED, [])}
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

    def testSetTagValuePermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.set} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_TAG_VALUE} permissions on the
        given path.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.CLOSED, [])])
        values = [(u'username/tag', Operation.WRITE_TAG_VALUE,
                   Policy.CLOSED, [])]
        error = self.assertRaises(PermissionDeniedError,
                                  self.permissions.set, values)
        self.assertEqual([(u'username/tag', Operation.CONTROL_TAG_VALUE)],
                         sorted(error.pathsAndOperations))

예제 #12

파일: test_permission.py 프로젝트: xanixon/fluiddb

 def setUp(self):
     super(SecurePermissionAPIWithSuperUserRoleTest, self).setUp()
     system = createSystemData()
     user = system.users[u'fluiddb']
     self.permissions = SecurePermissionAPI(user)
     TagAPI(user).create([(u'fluiddb/tag', u'description')])

예제 #13

파일: test_permission.py 프로젝트: xanixon/fluiddb

class SecurePermissionAPIWithSuperUserRoleTest(FluidinfoTestCase):

    resources = [('cache', CacheResource()), ('config', ConfigResource()),
                 ('store', DatabaseResource())]

    def setUp(self):
        super(SecurePermissionAPIWithSuperUserRoleTest, self).setUp()
        system = createSystemData()
        user = system.users[u'fluiddb']
        self.permissions = SecurePermissionAPI(user)
        TagAPI(user).create([(u'fluiddb/tag', u'description')])

    def testGetNamespacePermissionsIsAlwaysAllowed(self):
        """
        Getting namespace permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb', Operation.CONTROL_NAMESPACE,
                               Policy.CLOSED, [])])
        result = self.permissions.get([(u'fluiddb', Operation.CREATE_NAMESPACE)
                                       ])
        self.assertEqual(1, len(result))

    def testGetTagPermissionsIsAllowed(self):
        """
        Getting tag permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb/tag', Operation.CONTROL_TAG,
                               Policy.CLOSED, [])])
        result = self.permissions.get([(u'fluiddb/tag', Operation.UPDATE_TAG)])
        self.assertEqual(1, len(result))

    def testGetTagValuePermissionsIsAllowed(self):
        """
        Getting tag-value permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.CLOSED, [])])
        result = self.permissions.get([(u'fluiddb/tag',
                                        Operation.READ_TAG_VALUE)])
        self.assertEqual(1, len(result))

    def testSetNamespacePermissionsIsAlwaysAllowed(self):
        """
        Updating namespace permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb', Operation.CONTROL_NAMESPACE,
                               Policy.CLOSED, [])])
        values = [(u'fluiddb', Operation.CREATE_NAMESPACE, Policy.OPEN, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'fluiddb', Operation.CREATE_NAMESPACE)]
        expected = {
            (u'fluiddb', Operation.CREATE_NAMESPACE): (Policy.OPEN, [])
        }
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

    def testSetTagPermissionsIsAllowed(self):
        """
        Updating tag permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb/tag', Operation.CONTROL_TAG,
                               Policy.CLOSED, [])])
        values = [(u'fluiddb/tag', Operation.UPDATE_TAG, Policy.OPEN, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'fluiddb/tag', Operation.UPDATE_TAG)]
        expected = {(u'fluiddb/tag', Operation.UPDATE_TAG): (Policy.OPEN, [])}
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

    def testSetTagValuePermissionsIsAllowed(self):
        """
        Updating tag-value permissions is always allowed for the superuser.
        """
        self.permissions.set([(u'fluiddb/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.CLOSED, [])])
        values = [(u'fluiddb/tag', Operation.READ_TAG_VALUE, Policy.OPEN, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'fluiddb/tag', Operation.READ_TAG_VALUE)]
        expected = {
            (u'fluiddb/tag', Operation.READ_TAG_VALUE): (Policy.OPEN, [])
        }
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

예제 #14

파일: test_permission.py 프로젝트: xanixon/fluiddb

class SecurePermissionAPIWithNormalUserTest(FluidinfoTestCase):

    resources = [('cache', CacheResource()), ('config', ConfigResource()),
                 ('store', DatabaseResource())]

    def setUp(self):
        super(SecurePermissionAPIWithNormalUserTest, self).setUp()
        createSystemData()
        UserAPI().create([(u'username', u'password', u'User',
                           u'*****@*****.**')])
        user = getUser(u'username')
        TagAPI(user).create([(u'username/tag', u'description')])
        self.permissions = SecurePermissionAPI(user)

    def testGetNamespacePermissionsIsAllowed(self):
        """
        Getting namespace permissions is allowed if the user has
        C{Operation.CONTROL_NAMESPACE} permissions.
        """
        self.permissions.set([(u'username', Operation.CONTROL_NAMESPACE,
                               Policy.OPEN, [])])
        result = self.permissions.get([(u'username',
                                        Operation.CREATE_NAMESPACE)])
        self.assertEqual(1, len(result))

    def testGetNamespacePermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.set} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_NAMESPACE} permissions on the
        given path.
        """
        self.permissions.set([(u'username', Operation.CONTROL_NAMESPACE,
                               Policy.CLOSED, [])])
        values = [(u'username', Operation.DELETE_NAMESPACE)]
        error = self.assertRaises(PermissionDeniedError, self.permissions.get,
                                  values)
        self.assertEqual([(u'username', Operation.CONTROL_NAMESPACE)],
                         sorted(error.pathsAndOperations))

    def testGetTagPermissionsIsAllowed(self):
        """
        Getting tag permissions is allowed if the user has
        C{Operation.CONTROL_TAG} permissions.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG,
                               Policy.OPEN, [])])
        result = self.permissions.get([(u'username/tag', Operation.UPDATE_TAG)
                                       ])
        self.assertEqual(1, len(result))

    def testGetTagPermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.set} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_TAG} permissions on the
        given path.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG,
                               Policy.CLOSED, [])])
        values = [(u'username/tag', Operation.DELETE_TAG)]
        error = self.assertRaises(PermissionDeniedError, self.permissions.get,
                                  values)
        self.assertEqual([(u'username/tag', Operation.CONTROL_TAG)],
                         sorted(error.pathsAndOperations))

    def testGetTagValuePermissionsIsAllowed(self):
        """
        Getting tag value permissions is allowed if the user has
        C{Operation.CONTROL_TAG_VALUE} permissions.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.OPEN, [])])
        result = self.permissions.get([(u'username/tag',
                                        Operation.READ_TAG_VALUE)])
        self.assertEqual(1, len(result))

    def testGetTagValuePermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.get} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_TAG_VALUE} permissions on the
        given path.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.CLOSED, [])])
        values = [(u'username/tag', Operation.WRITE_TAG_VALUE)]
        error = self.assertRaises(PermissionDeniedError, self.permissions.get,
                                  values)
        self.assertEqual([(u'username/tag', Operation.CONTROL_TAG_VALUE)],
                         sorted(error.pathsAndOperations))

    def testSetNamespacePermissionsIsAllowed(self):
        """
        Updating namespace permissions is allowed if the user has
        C{Operation.CONTROL_NAMESPACE} permissions.
        """
        self.permissions.set([(u'username', Operation.CONTROL_NAMESPACE,
                               Policy.OPEN, [])])
        values = [(u'username', Operation.CREATE_NAMESPACE, Policy.CLOSED, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'username', Operation.CREATE_NAMESPACE)]
        expected = {
            (u'username', Operation.CREATE_NAMESPACE): (Policy.CLOSED, [])
        }
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

    def testSetNamespacePermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.set} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_NAMESPACE} permissions on the
        given path.
        """
        self.permissions.set([(u'username', Operation.CONTROL_NAMESPACE,
                               Policy.CLOSED, [])])
        values = [(u'username', Operation.DELETE_NAMESPACE, Policy.OPEN, [])]
        error = self.assertRaises(PermissionDeniedError, self.permissions.set,
                                  values)
        self.assertEqual([(u'username', Operation.CONTROL_NAMESPACE)],
                         sorted(error.pathsAndOperations))

    def testSetTagPermissionsIsAllowed(self):
        """
        Updating tag permissions is allowed if the user has
        C{Operation.CONTROL_TAG} permissions.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG,
                               Policy.OPEN, [])])
        values = [(u'username/tag', Operation.UPDATE_TAG, Policy.CLOSED, [])]
        self.permissions.set(values)
        pathAndOperations = [(u'username/tag', Operation.UPDATE_TAG)]
        expected = {
            (u'username/tag', Operation.UPDATE_TAG): (Policy.CLOSED, [])
        }
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

    def testSetTagPermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.set} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_TAG} permissions on the
        given path.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG,
                               Policy.CLOSED, [])])
        values = [(u'username/tag', Operation.DELETE_TAG, Policy.OPEN, [])]
        error = self.assertRaises(PermissionDeniedError, self.permissions.set,
                                  values)
        self.assertEqual([(u'username/tag', Operation.CONTROL_TAG)],
                         sorted(error.pathsAndOperations))

    def testSetTagValuePermissionsIsAllowed(self):
        """
        Updating tag value permissions is allowed if the user has
        C{Operation.CONTROL_TAG_VALUE} permissions.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.OPEN, [])])
        values = [(u'username/tag', Operation.READ_TAG_VALUE, Policy.CLOSED,
                   [])]
        self.permissions.set(values)
        pathAndOperations = [(u'username/tag', Operation.READ_TAG_VALUE)]
        expected = {
            (u'username/tag', Operation.READ_TAG_VALUE): (Policy.CLOSED, [])
        }
        self.assertEqual(expected, self.permissions.get(pathAndOperations))

    def testSetTagValuePermissionsIsDenied(self):
        """
        L{SecurePermissionAPI.set} should raise a L{PermissionDeniedError} if
        the user doesn't have C{Operation.CONTROL_TAG_VALUE} permissions on the
        given path.
        """
        self.permissions.set([(u'username/tag', Operation.CONTROL_TAG_VALUE,
                               Policy.CLOSED, [])])
        values = [(u'username/tag', Operation.WRITE_TAG_VALUE, Policy.CLOSED,
                   [])]
        error = self.assertRaises(PermissionDeniedError, self.permissions.set,
                                  values)
        self.assertEqual([(u'username/tag', Operation.CONTROL_TAG_VALUE)],
                         sorted(error.pathsAndOperations))