def test_firerole_ip_mask(self): """firerole - firerole core testing ip mask matching""" self.failUnless(acc_firerole_check_user(self.user_info, compile_role_definition("allow remote_ip '127.0.0.0/24'" "\ndeny any"))) self.failIf(acc_firerole_check_user(self.guest, compile_role_definition("allow remote_ip '127.0.0.0/24'" "\ndeny any")))
def test_compile_role_definition_with_date(self): """firerole - compiling date based role definitions""" self.failUnless(serialize(compile_role_definition("allow from '2010-11-11'"))) self.failUnless(serialize(compile_role_definition("allow until '2010-11-11'"))) self.assertRaises( InvenioWebAccessFireroleError, compile_role_definition, "allow from '2010-11-11','2010-11-23'" ) self.assertRaises(InvenioWebAccessFireroleError, compile_role_definition, "allow from '2010-11'")
def test_firerole_with_past_date(self): """firerole - firerole core testing with past date""" import time past_date = time.strftime('%Y-%m-%d', time.gmtime(time.time() - 24 * 3600 * 2)) self.failIf(acc_firerole_check_user(self.user_info, compile_role_definition("allow until '%s'\nallow any" % past_date))) self.failUnless(acc_firerole_check_user(self.user_info, compile_role_definition("allow from '%s'\nallow any" % past_date)))
def test_compile_role_definition_with_date(self): """firerole - compiling date based role definitions""" self.failUnless( serialize(compile_role_definition("allow from '2010-11-11'"))) self.failUnless( serialize(compile_role_definition("allow until '2010-11-11'"))) self.assertRaises(InvenioWebAccessFireroleError, compile_role_definition, "allow from '2010-11-11','2010-11-23'") self.assertRaises(InvenioWebAccessFireroleError, compile_role_definition, "allow from '2010-11'")
def test_firerole_ip_mask(self): """firerole - firerole core testing ip mask matching""" self.failUnless( acc_firerole_check_user( self.user_info, compile_role_definition("allow remote_ip '127.0.0.0/24'" "\ndeny any"))) self.failIf( acc_firerole_check_user( self.guest, compile_role_definition("allow remote_ip '127.0.0.0/24'" "\ndeny any")))
def test_firerole_uid(self): """firerole - firerole core testing with integer uid""" self.assertEqual( False, acc_firerole_check_user( self.guest, compile_role_definition("deny uid '-1'\nallow all"))) self.assertEqual( True, acc_firerole_check_user( self.user_info, compile_role_definition("deny uid '-1'\nallow all")))
def test_firerole_with_past_date(self): """firerole - firerole core testing with past date""" import time past_date = time.strftime('%Y-%m-%d', time.gmtime(time.time() - 24 * 3600 * 2)) self.failIf( acc_firerole_check_user( self.user_info, compile_role_definition("allow until '%s'\nallow any" % past_date))) self.failUnless( acc_firerole_check_user( self.user_info, compile_role_definition("allow from '%s'\nallow any" % past_date)))
def test_compile_role_definition_more_rows(self): """firerole - compiling more rows role definitions""" self.failUnless( serialize( compile_role_definition("allow email /.*@cern.ch/\nallow groups 'patata' " "# a comment\ndeny any") ) )
def test_compile_role_definition_complex(self): """firerole - compiling complex role definitions""" self.failUnless( serialize( compile_role_definition( "allow email /.*@cern.ch/\nallow groups 'patata' " "# a comment\ndeny remote_ip '127.0.0.0/24'\ndeny any")))
def _get_collection_restrictions(collection): """Get all restrictions for a given collection, users and fireroles.""" try: from invenio.dbquery import run_sql from invenio.access_control_firerole import compile_role_definition except ImportError: from invenio.modules.access.firerole import compile_role_definition from invenio.legacy.dbquery import run_sql res = run_sql( 'SELECT r.firerole_def_src, email ' 'FROM accROLE as r ' 'JOIN accROLE_accACTION_accARGUMENT ON r.id=id_accROLE ' 'JOIN accARGUMENT AS a ON a.id=id_accARGUMENT ' 'JOIN user_accROLE AS u ON r.id=u.id_accROLE ' 'JOIN user ON user.id=u.id_user ' 'WHERE a.keyword="collection" AND ' 'a.value=%s AND ' 'id_accACTION=(select id from accACTION where name="viewrestrcoll")', (collection, ), run_on_slave=True) fireroles = set() users = set() for f, u in res: fireroles.add(compile_role_definition(f)) users.add(u) return {'fireroles': list(fireroles), 'users': users}
def _get_collection_restrictions(collection): """Get all restrictions for a given collection, users and fireroles.""" try: from invenio.dbquery import run_sql from invenio.access_control_firerole import compile_role_definition except ImportError: from invenio.modules.access.firerole import compile_role_definition from invenio.legacy.dbquery import run_sql res = run_sql( 'SELECT r.firerole_def_src, email ' 'FROM accROLE as r ' 'JOIN accROLE_accACTION_accARGUMENT ON r.id=id_accROLE ' 'JOIN accARGUMENT AS a ON a.id=id_accARGUMENT ' 'JOIN user_accROLE AS u ON r.id=u.id_accROLE ' 'JOIN user ON user.id=u.id_user ' 'WHERE a.keyword="collection" AND ' 'a.value=%s AND ' 'id_accACTION=(select id from accACTION where name="viewrestrcoll")', (collection, ), run_on_slave=True ) fireroles = set() users = set() for f, u in res: fireroles.add(compile_role_definition(f)) users.add(u) return {'fireroles': list(fireroles), 'users': users}
def test_compile_role_definition_literal_list(self): """firerole - compiling literal list role definitions""" self.failUnless( serialize( compile_role_definition( "allow email '*****@*****.**', '*****@*****.**'" )))
def test_compile_role_definition_more_rows(self): """firerole - compiling more rows role definitions""" self.failUnless( serialize( compile_role_definition( "allow email /.*@cern.ch/\nallow groups 'patata' " "# a comment\ndeny any")))
def test_firerole_literal_email(self): """firerole - firerole core testing literal email matching""" self.failUnless( acc_firerole_check_user( self.user_info, compile_role_definition( "allow email '*****@*****.**'," "'*****@*****.**'\ndeny any")))
def test_firerole_literal_email(self): """firerole - firerole core testing literal email matching""" self.failUnless( acc_firerole_check_user( self.user_info, compile_role_definition("allow email '*****@*****.**'," "'*****@*****.**'\ndeny any"), ) )
def test_webaccess_firerole_serialization(self): """webaccess - firerole role definition correctly serialized""" from invenio.access_control_admin import acc_get_role_definition from invenio.access_control_firerole import compile_role_definition, \ deserialize def_ser = compile_role_definition(self.role_definition) tmp_def_ser = acc_get_role_definition(self.role_id) self.assertEqual(def_ser, deserialize(tmp_def_ser))
def setUp(self): """Create a fake role.""" self.role_name = 'test' self.role_description = 'test role' self.role_definition = 'allow email /.*@cern.ch/' self.role_id, dummy, dummy, dummy = acc_add_role( self.role_name, self.role_description, serialize(compile_role_definition(self.role_definition)), self.role_definition)
def setUp(self): """Create a fake role.""" self.role_name = 'test' self.role_description = 'test role' self.role_definition = 'allow email /.*@cern.ch/' self.role_id, dummy, dummy, dummy = acc_add_role(self.role_name, self.role_description, serialize(compile_role_definition(self.role_definition)), self.role_definition)
def test_compile_role_definition_complex(self): """firerole - compiling complex role definitions""" self.failUnless( serialize( compile_role_definition( "allow email /.*@cern.ch/\nallow groups 'patata' " "# a comment\ndeny remote_ip '127.0.0.0/24'\ndeny any" ) ) )
def setUp(self): """Create a fake role.""" from invenio.access_control_admin import acc_add_role from invenio.access_control_firerole import compile_role_definition, \ serialize self.role_name = 'test' self.role_description = 'test role' self.role_definition = 'allow email /.*@cern.ch/' self.role_id, dummy, dummy, dummy = acc_add_role( self.role_name, self.role_description, serialize(compile_role_definition(self.role_definition)), self.role_definition)
def test_firerole_guest(self): """firerole - firerole core testing with guest""" self.assertEqual( False, acc_firerole_check_user( self.guest, compile_role_definition("deny guest '1'\nallow all"))) self.assertEqual( True, acc_firerole_check_user( self.guest, compile_role_definition("deny guest '0'\nallow all"))) self.assertEqual( True, acc_firerole_check_user( self.user_info, compile_role_definition("deny guest '1'\nallow all"))) self.assertEqual( False, acc_firerole_check_user( self.user_info, compile_role_definition("deny guest '0'\nallow all"))) self.assertEqual( False, acc_firerole_check_user( self.user_info, compile_role_definition("deny guest '1'\ndeny all"))) self.assertEqual( False, acc_firerole_check_user( self.user_info, compile_role_definition("deny guest '0'\ndeny all")))
def create_needed_roles(restrictions, apache_group): """Create a role for the corresponding apache_group.""" role_name = CFG_PROPOSED_ROLE_NAME % apache_group role_description = CFG_PROPOSED_ROLE_DESCRIPTION % ', '.join(get_collections_for_group(restrictions, apache_group)) role_definition_src = 'allow apache_group "%s"' % apache_group print "Creating role '%s' ('%s') with firerole '%s'..." % (role_name, role_description, role_definition_src), res = acc_add_role(role_name, role_description, serialize(compile_role_definition(role_definition_src)), role_definition_src) if res == 0: print "Already existed!" else: print "OK!" return role_name
def create_needed_roles(restrictions, apache_group): """Create a role for the corresponding apache_group.""" role_name = CFG_PROPOSED_ROLE_NAME % apache_group role_description = CFG_PROPOSED_ROLE_DESCRIPTION % ', '.join( get_collections_for_group(restrictions, apache_group)) role_definition_src = 'allow apache_group "%s"' % apache_group print "Creating role '%s' ('%s') with firerole '%s'..." % ( role_name, role_description, role_definition_src), res = acc_add_role(role_name, role_description, serialize(compile_role_definition(role_definition_src)), role_definition_src) if res == 0: print "Already existed!" else: print "OK!" return role_name
def test_firerole_guest(self): """firerole - firerole core testing with guest""" self.assertEqual(False, acc_firerole_check_user(self.guest, compile_role_definition("deny guest '1'\nallow all"))) self.assertEqual(True, acc_firerole_check_user(self.guest, compile_role_definition("deny guest '0'\nallow all"))) self.assertEqual(True, acc_firerole_check_user(self.user_info, compile_role_definition("deny guest '1'\nallow all"))) self.assertEqual(False, acc_firerole_check_user(self.user_info, compile_role_definition("deny guest '0'\nallow all"))) self.assertEqual(False, acc_firerole_check_user(self.user_info, compile_role_definition("deny guest '1'\ndeny all"))) self.assertEqual(False, acc_firerole_check_user(self.user_info, compile_role_definition("deny guest '0'\ndeny all")))
def test_compile_role_definition_group_field(self): """firerole - compiling group field role definitions""" self.failUnless(serialize(compile_role_definition( "allow groups 'patata'")))
def test_compile_role_definition_literal_field(self): """firerole - compiling literal field role definitions""" self.failUnless(serialize(compile_role_definition( "allow email '*****@*****.**'")))
def test_compile_role_definition_allow_any(self): """firerole - compiling allow any role definitions""" self.failUnless(serialize(compile_role_definition("allow any")))
def test_firerole_empty(self): """firerole - firerole core testing empty matching""" self.assertEqual(False, acc_firerole_check_user(self.user_info, compile_role_definition(None)))
def test_firerole_non_existant_group(self): """firerole - firerole core testing non existant group matching""" self.failIf(acc_firerole_check_user(self.user_info, compile_role_definition("allow groups 'patat'\ndeny any")))
def test_firerole_literal_group(self): """firerole - firerole core testing literal group matching""" self.failUnless( acc_firerole_check_user( self.user_info, compile_role_definition("allow groups 'patata'\ndeny any")))
def test_compile_role_definition_literal_field(self): """firerole - compiling literal field role definitions""" self.failUnless( serialize( compile_role_definition( "allow email '*****@*****.**'")))
def test_deserialize(self): """firerole - deserializing""" self.assertEqual(compile_role_definition("allow any"), (True, ()))
def test_compile_role_definition_empty(self): """firerole - compiling empty role definitions""" self.assertEqual(compile_role_definition(None), deserialize(CFG_ACC_EMPTY_ROLE_DEFINITION_SER))
def test_firerole_regexp_email(self): """firerole - firerole core testing regexp email matching""" self.failUnless( acc_firerole_check_user( self.user_info, compile_role_definition("allow email /.*@cern.ch/\ndeny any")))
def test_firerole_empty(self): """firerole - firerole core testing empty matching""" self.assertEqual( False, acc_firerole_check_user(self.user_info, compile_role_definition(None)))
def test_compile_role_definition_literal_list(self): """firerole - compiling literal list role definitions""" self.failUnless(serialize(compile_role_definition( "allow email '*****@*****.**', '*****@*****.**'")))
def test_compile_role_definition_not(self): """firerole - compiling not role definitions""" self.failUnless( serialize( compile_role_definition( "allow not email '*****@*****.**'")))
def test_compile_role_definition_group_field(self): """firerole - compiling group field role definitions""" self.failUnless( serialize(compile_role_definition("allow groups 'patata'")))
def test_firerole_literal_group(self): """firerole - firerole core testing literal group matching""" self.failUnless(acc_firerole_check_user(self.user_info, compile_role_definition("allow groups 'patata'\ndeny any")))
def test_compile_role_definition_regexp_field(self): """firerole - compiling regexp field role definitions""" self.failUnless( serialize(compile_role_definition("allow email /.*@cern.ch/")))
def test_compile_role_definition_guest_field(self): """firerole - compiling guest field role definitions""" self.failUnless(serialize(compile_role_definition("allow guest '1'")))
def test_webaccess_firerole_serialization(self): """webaccess - firerole role definition correctly serialized""" def_ser = compile_role_definition(self.role_definition) tmp_def_ser = acc_get_role_definition(self.role_id) self.assertEqual(def_ser, deserialize(tmp_def_ser))
def test_firerole_uid(self): """firerole - firerole core testing with integer uid""" self.assertEqual(False, acc_firerole_check_user(self.guest, compile_role_definition("deny uid '-1'\nallow all"))) self.assertEqual(True, acc_firerole_check_user(self.user_info, compile_role_definition("deny uid '-1'\nallow all")))
def test_compile_role_definition_not(self): """firerole - compiling not role definitions""" self.failUnless(serialize(compile_role_definition( "allow not email '*****@*****.**'")))
def test_compile_role_definition_deny_any(self): """firerole - compiling deny any role definitions""" self.failIf(serialize(compile_role_definition("deny any")))
def test_firerole_literal_email(self): """firerole - firerole core testing literal email matching""" self.failUnless(acc_firerole_check_user(self.user_info, compile_role_definition("allow email '*****@*****.**'," "'*****@*****.**'\ndeny any")))
def test_compile_role_definition_regexp_field(self): """firerole - compiling regexp field role definitions""" self.failUnless(serialize(compile_role_definition( "allow email /.*@cern.ch/")))
def test_compile_role_definition_guest_field(self): """firerole - compiling guest field role definitions""" self.failUnless(serialize(compile_role_definition( "allow guest '1'")))
def test_firerole_regexp_email(self): """firerole - firerole core testing regexp email matching""" self.failUnless(acc_firerole_check_user(self.user_info, compile_role_definition("allow email /.*@cern.ch/\ndeny any")))
def test_firerole_non_existant_group(self): """firerole - firerole core testing non existant group matching""" self.failIf( acc_firerole_check_user( self.user_info, compile_role_definition("allow groups 'patat'\ndeny any")))