def setUp(self):
super(SecureTagAPIWithNormalUserTest, self).setUp()
createSystemData()
UserAPI().create([(u'user', u'password', u'User', u'*****@*****.**')
])
self.user = getUser(u'user')
self.permissions = CachingPermissionAPI(self.user)
self.tags = SecureTagAPI(self.user)
def run():
tags = SecureTagAPI(session.auth.user)
result = tags.get([path], withDescriptions=returnDescription)
if not result:
raise TNonexistentTag()
else:
tag = TTag()
tag.objectId = str(result[path]['id'])
tag.path = path
tag.indexed = True
if returnDescription:
tag.description = result[path]['description']
return tag
def run():
tags = SecureTagAPI(session.auth.user)
result = tags.get([path], withDescriptions=returnDescription)
if not result:
raise TNonexistentTag()
else:
tag = TTag()
tag.objectId = str(result[path]['id'])
tag.path = path
tag.indexed = True
if returnDescription:
tag.description = result[path]['description']
return tag
def testGetObjectAllPathsAreDenied(self):
"""
L{FacadeObjectAPI.getObject} returns a L{TObjectInfo} with the
L{Tag.path}s for which the L{User} has L{Operation.READ_TAG_VALUE}, if
all of them are denied, L{FacadeObjectAPI.getObject} must return an
empty L{TObjectInfo}.
"""
SecureTagAPI(self.user).create([(u'username/tag1', u'description'),
(u'username/tag2', u'description')])
objectID = uuid4()
values = {
objectID: {
u'username/tag1': 16
},
objectID: {
u'username/tag2': 16
}
}
SecureTagValueAPI(self.user).set(values)
self.permissions.set([
(u'username/tag1', Operation.READ_TAG_VALUE, Policy.CLOSED, []),
(u'username/tag2', Operation.READ_TAG_VALUE, Policy.CLOSED, [])
])
self.store.commit()
with login(self.user.username, uuid4(), self.transact) as session:
objectInfo = yield self.facade.getObject(session, str(objectID))
self.assertEqual([], objectInfo.tagPaths)
self.assertEqual(None, objectInfo.about)
def setUp(self):
super(SecureTagAPIWithNormalUserTest, self).setUp()
createSystemData()
UserAPI().create([(u'user', u'password', u'User',
u'*****@*****.**')])
self.user = getUser(u'user')
self.permissions = CachingPermissionAPI(self.user)
self.tags = SecureTagAPI(self.user)
def setUp(self):
super(SecureTagAPIWithAnonymousRoleTest, self).setUp()
system = createSystemData()
self.anon = system.users[u'anon']
UserAPI().create([(u'username', u'password', u'User',
u'*****@*****.**')])
self.user = getUser(u'username')
self.tags = SecureTagAPI(self.anon)
def setUp(self):
super(FacadePermissionTest, self).setUp()
self.transact = Transact(FakeThreadPool())
factory = FluidinfoSessionFactory('API-9000')
self.facade = Facade(self.transact, factory)
createSystemData()
UserAPI().create([(u'username', u'password', u'User',
u'*****@*****.**')])
user = getUser(u'username')
self.permissions = CachingPermissionAPI(user)
SecureTagAPI(user).create([(u'username/tag', u'description')])
def run():
try:
SecureTagAPI(session.auth.user).delete([path])
except UnknownPathError as error:
session.log.exception(error)
raise TNonexistentTag(path.encode('utf-8'))
except PermissionDeniedError as error:
session.log.exception(error)
deniedPath, operation = error.pathsAndOperations[0]
deniedPath = deniedPath.encode('utf-8')
category, action = getCategoryAndAction(operation)
raise TPathPermissionDenied(category, action, deniedPath)
def run():
tags = SecureTagAPI(session.auth.user)
path = u'/'.join([parentNamespace, name])
try:
[(objectID, _)] = tags.create([(path, description)])
except DuplicatePathError as error:
session.log.exception(error)
raise TTagAlreadyExists(path.encode('utf-8'))
except UnknownPathError as error:
session.log.exception(error)
path = error.paths[0]
raise TNonexistentTag(path.encode('utf-8'))
except PermissionDeniedError as error:
session.log.exception(error)
deniedPath, operation = error.pathsAndOperations[0]
deniedPath = deniedPath.encode('utf-8')
category, action = getCategoryAndAction(operation)
raise TPathPermissionDenied(category, action, deniedPath)
except MalformedPathError as error:
session.log.exception(error)
raise TInvalidPath(path.encode('utf-8'))
return str(objectID)
def run():
tags = SecureTagAPI(session.auth.user)
path = u'/'.join([parentNamespace, name])
try:
[(objectID, _)] = tags.create([(path, description)])
except DuplicatePathError as error:
session.log.exception(error)
raise TTagAlreadyExists(path.encode('utf-8'))
except UnknownPathError as error:
session.log.exception(error)
path = error.paths[0]
raise TNonexistentTag(path.encode('utf-8'))
except PermissionDeniedError as error:
session.log.exception(error)
deniedPath, operation = error.pathsAndOperations[0]
deniedPath = deniedPath.encode('utf-8')
category, action = getCategoryAndAction(operation)
raise TPathPermissionDenied(category, action, deniedPath)
except MalformedPathError as error:
session.log.exception(error)
raise TInvalidPath(path.encode('utf-8'))
return str(objectID)
class SecureTagAPIWithSuperuserTest(FluidinfoTestCase):
resources = [('cache', CacheResource()), ('config', ConfigResource()),
('store', DatabaseResource())]
def setUp(self):
super(SecureTagAPIWithSuperuserTest, self).setUp()
system = createSystemData()
user = system.users[u'fluiddb']
self.tags = SecureTagAPI(user)
self.permissions = CachingPermissionAPI(user)
def testCreateIsAllowed(self):
"""
Creating a new L{Tag} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
values = [(u'fluiddb', Operation.CREATE_NAMESPACE, Policy.CLOSED, [])]
self.permissions.set(values)
result = self.tags.create([(u'fluiddb/test', u'description')])
self.assertEqual(1, len(result))
def testDeleteIsAllowed(self):
"""
Deleting a L{Tag} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
result1 = self.tags.create([(u'fluiddb/test', u'description')])
values = [(u'fluiddb/test', Operation.DELETE_TAG, Policy.CLOSED, [])]
self.permissions.set(values)
result2 = self.tags.delete([u'fluiddb/test'])
self.assertEqual(result1, result2)
def testSetIsAllowed(self):
"""
Updating a L{Tag} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
result = self.tags.create([(u'fluiddb/test', u'A description')])
[(objectID, _)] = result
values = [(u'fluiddb/test', Operation.UPDATE_TAG, Policy.CLOSED, [])]
self.permissions.set(values)
self.tags.set({u'fluiddb/test': u'A new description'})
result = self.tags.get([u'fluiddb/test'], withDescriptions=True)
expected = {
u'fluiddb/test': {
'id': objectID,
'description': u'A new description'
}
}
self.assertEqual(expected, result)
def testGetObject(self):
"""
L{FacadeObjectAPI.getObject} returns a L{TObjectInfo} with the
L{Tag.path}s for which the L{User} has L{Operation.READ_TAG_VALUE}.
"""
objectID = uuid4()
SecureTagAPI(self.user).create([(u'username/foo', u'A description')])
values = {objectID: {u'username/foo': u'bar'}}
SecureTagValueAPI(self.user).set(values)
self.store.commit()
with login(self.user.username, uuid4(), self.transact) as session:
objectInfo = yield self.facade.getObject(session, str(objectID))
self.assertEqual([u'username/foo'], objectInfo.tagPaths)
self.assertEqual(None, objectInfo.about)
class SecureTagAPIWithSuperuserTest(FluidinfoTestCase):
resources = [('cache', CacheResource()),
('config', ConfigResource()),
('store', DatabaseResource())]
def setUp(self):
super(SecureTagAPIWithSuperuserTest, self).setUp()
system = createSystemData()
user = system.users[u'fluiddb']
self.tags = SecureTagAPI(user)
self.permissions = CachingPermissionAPI(user)
def testCreateIsAllowed(self):
"""
Creating a new L{Tag} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
values = [(u'fluiddb', Operation.CREATE_NAMESPACE, Policy.CLOSED, [])]
self.permissions.set(values)
result = self.tags.create([(u'fluiddb/test', u'description')])
self.assertEqual(1, len(result))
def testDeleteIsAllowed(self):
"""
Deleting a L{Tag} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
result1 = self.tags.create([(u'fluiddb/test', u'description')])
values = [(u'fluiddb/test', Operation.DELETE_TAG, Policy.CLOSED, [])]
self.permissions.set(values)
result2 = self.tags.delete([u'fluiddb/test'])
self.assertEqual(result1, result2)
def testSetIsAllowed(self):
"""
Updating a L{Tag} should be allowed if we're a user with a
L{Role.SUPERUSER} no matter what permissions we have.
"""
result = self.tags.create([(u'fluiddb/test', u'A description')])
[(objectID, _)] = result
values = [(u'fluiddb/test', Operation.UPDATE_TAG, Policy.CLOSED, [])]
self.permissions.set(values)
self.tags.set({u'fluiddb/test': u'A new description'})
result = self.tags.get([u'fluiddb/test'], withDescriptions=True)
expected = {u'fluiddb/test': {'id': objectID,
'description': u'A new description'}}
self.assertEqual(expected, result)
def testGetObjectWithAboutValue(self):
"""
L{FacadeObjectAPI.getObject} returns a L{TObjectInfo} with the
L{Tag.path}s for which the L{User} has L{Operation.READ_TAG_VALUE},
and the L{AboutTagValue.value} if it has one and C{showAbout} is
C{True}.
"""
objectID = uuid4()
SecureTagAPI(self.user).create([(u'username/foo', u'A description')])
values = {objectID: {u'username/foo': u'bar'}}
SecureTagValueAPI(self.user).set(values)
aboutTag = self.system.tags[u'fluiddb/about']
createAboutTagValue(objectID, u'bar')
createTagValue(self.user.id, aboutTag.id, objectID, u'about value')
self.store.commit()
with login(self.user.username, uuid4(), self.transact) as session:
objectInfo = yield self.facade.getObject(session,
str(objectID),
showAbout=True)
self.assertEqual([u'fluiddb/about', u'username/foo'],
sorted(objectInfo.tagPaths))
self.assertEqual('about value', objectInfo.about)
def setUp(self):
super(SecureTagAPIWithSuperuserTest, self).setUp()
system = createSystemData()
user = system.users[u'fluiddb']
self.tags = SecureTagAPI(user)
self.permissions = CachingPermissionAPI(user)
class SecureTagAPIWithNormalUserTest(FluidinfoTestCase):
resources = [('cache', CacheResource()),
('config', ConfigResource()),
('store', DatabaseResource())]
def setUp(self):
super(SecureTagAPIWithNormalUserTest, self).setUp()
createSystemData()
UserAPI().create([(u'user', u'password', u'User',
u'*****@*****.**')])
self.user = getUser(u'user')
self.permissions = CachingPermissionAPI(self.user)
self.tags = SecureTagAPI(self.user)
def testCreateIsAllowed(self):
"""
L{SecureTagAPI.create} should allow the creation of tags whose parent
namespace has open C{Operation.CREATE_NAMESPACE} permissions.
"""
result = self.tags.create([(u'user/test', u'description')])
self.assertEqual(1, len(result))
def testCreateIsDenied(self):
"""
L{SecureTagAPI.create} should raise L{PermissonDeniedError} if
the user doesn't have C{Operation.CREATE_NAMESPACE} permissions on the
parent namespace.
"""
values = [(u'user', Operation.CREATE_NAMESPACE, Policy.CLOSED, [])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.tags.create,
[(u'user/test', u'description')])
self.assertEqual([(u'user', Operation.CREATE_NAMESPACE)],
sorted(error.pathsAndOperations))
def testDeleteIsAllowed(self):
"""
L{SecureTagAPI.delete} should allow the deletion of a tag if the user
has C{Operation.DELETE_TAG} permissions.
"""
result1 = self.tags.create([(u'user/test', u'description')])
result2 = self.tags.delete([u'user/test'])
self.assertEqual(result1, result2)
def testDeleteIsDenied(self):
"""
L{SecureTagAPI.delete} should raise L{PermissonDeniedError} if the
user doesn't have C{Operation.DELETE_TAG} permissions.
"""
self.tags.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.DELETE_TAG, Policy.OPEN, [u'user'])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.tags.delete, [(u'user/test')])
self.assertEqual([(u'user/test', Operation.DELETE_TAG)],
sorted(error.pathsAndOperations))
def testSetIsAllowed(self):
"""
L{SecureTagAPI.get} should allow updating the description of a tag if
the user has permissions.
"""
[(objectID, _)] = self.tags.create([(u'user/test', u'A description')])
self.tags.set({u'user/test': u'A new description'})
result = self.tags.get([u'user/test'], withDescriptions=True)
expected = {u'user/test': {'id': objectID,
'description': u'A new description'}}
self.assertEqual(expected, result)
def testSetIsDenied(self):
"""
L{SecureTagAPI.get} should raise L{PermissonDeniedError} if the user
doesn't have C{Operation.UPDATE_TAG} permissions when trying to update
a tag's description.
"""
self.tags.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.UPDATE_TAG, Policy.CLOSED, [])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError,
self.tags.set,
{u'user/test': u'description'})
self.assertEqual([(u'user/test', Operation.UPDATE_TAG)],
sorted(error.pathsAndOperations))
class SecureTagAPIWithNormalUserTest(FluidinfoTestCase):
resources = [('cache', CacheResource()), ('config', ConfigResource()),
('store', DatabaseResource())]
def setUp(self):
super(SecureTagAPIWithNormalUserTest, self).setUp()
createSystemData()
UserAPI().create([(u'user', u'password', u'User', u'*****@*****.**')
])
self.user = getUser(u'user')
self.permissions = CachingPermissionAPI(self.user)
self.tags = SecureTagAPI(self.user)
def testCreateIsAllowed(self):
"""
L{SecureTagAPI.create} should allow the creation of tags whose parent
namespace has open C{Operation.CREATE_NAMESPACE} permissions.
"""
result = self.tags.create([(u'user/test', u'description')])
self.assertEqual(1, len(result))
def testCreateIsDenied(self):
"""
L{SecureTagAPI.create} should raise L{PermissonDeniedError} if
the user doesn't have C{Operation.CREATE_NAMESPACE} permissions on the
parent namespace.
"""
values = [(u'user', Operation.CREATE_NAMESPACE, Policy.CLOSED, [])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError, self.tags.create,
[(u'user/test', u'description')])
self.assertEqual([(u'user', Operation.CREATE_NAMESPACE)],
sorted(error.pathsAndOperations))
def testDeleteIsAllowed(self):
"""
L{SecureTagAPI.delete} should allow the deletion of a tag if the user
has C{Operation.DELETE_TAG} permissions.
"""
result1 = self.tags.create([(u'user/test', u'description')])
result2 = self.tags.delete([u'user/test'])
self.assertEqual(result1, result2)
def testDeleteIsDenied(self):
"""
L{SecureTagAPI.delete} should raise L{PermissonDeniedError} if the
user doesn't have C{Operation.DELETE_TAG} permissions.
"""
self.tags.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.DELETE_TAG, Policy.OPEN, [u'user'])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError, self.tags.delete,
[(u'user/test')])
self.assertEqual([(u'user/test', Operation.DELETE_TAG)],
sorted(error.pathsAndOperations))
def testSetIsAllowed(self):
"""
L{SecureTagAPI.get} should allow updating the description of a tag if
the user has permissions.
"""
[(objectID, _)] = self.tags.create([(u'user/test', u'A description')])
self.tags.set({u'user/test': u'A new description'})
result = self.tags.get([u'user/test'], withDescriptions=True)
expected = {
u'user/test': {
'id': objectID,
'description': u'A new description'
}
}
self.assertEqual(expected, result)
def testSetIsDenied(self):
"""
L{SecureTagAPI.get} should raise L{PermissonDeniedError} if the user
doesn't have C{Operation.UPDATE_TAG} permissions when trying to update
a tag's description.
"""
self.tags.create([(u'user/test', u'description')])
values = [(u'user/test', Operation.UPDATE_TAG, Policy.CLOSED, [])]
self.permissions.set(values)
error = self.assertRaises(PermissionDeniedError, self.tags.set,
{u'user/test': u'description'})
self.assertEqual([(u'user/test', Operation.UPDATE_TAG)],
sorted(error.pathsAndOperations))
def setUp(self):
super(SecureTagAPIWithSuperuserTest, self).setUp()
system = createSystemData()
user = system.users[u'fluiddb']
self.tags = SecureTagAPI(user)
self.permissions = CachingPermissionAPI(user)