def setUp(self):
zookeeper.set_debug_level(0)
self.client = yield SecurityPolicyConnection(
get_test_zookeeper_address()).connect()
admin = Principal("admin", "admin")
self.token_db = TokenDatabase(self.client)
yield self.token_db.add(admin)
self.policy = SecurityPolicy(self.client, self.token_db, owner=admin)
attach_defer = admin.attach(self.client)
# Trick to speed up the auth response processing (fixed in ZK trunk)
self.client.exists("/")
yield attach_defer
def test_acl_without_admin(self):
"""A client needs an attached principle with the admin perm to set acl.
"""
client = yield self.get_zookeeper_client().connect()
principal = Principal("zebra", "stripes")
yield self.tokens.add(principal)
attach_deferred = principal.attach(client)
yield self.client.create(
"/abc", acls=[make_ace(self.admin.get_token(), all=True)])
yield attach_deferred
acl = ACL(client, "/abc")
yield self.assertFailure(acl.grant("zebra", all=True),
zookeeper.NoAuthException)
def setUp(self):
zookeeper.set_debug_level(0)
self.client = yield SecurityPolicyConnection(
get_test_zookeeper_address()).connect()
admin = Principal("admin", "admin")
self.token_db = TokenDatabase(self.client)
yield self.token_db.add(admin)
self.policy = SecurityPolicy(self.client, self.token_db, owner=admin)
attach_defer = admin.attach(self.client)
# Trick to speed up the auth response processing (fixed in ZK trunk)
self.client.exists("/")
yield attach_defer
def test_acl_without_admin(self):
"""A client needs an attached principle with the admin perm to set acl.
"""
client = yield self.get_zookeeper_client().connect()
principal = Principal("zebra", "stripes")
yield self.tokens.add(principal)
attach_deferred = principal.attach(client)
yield self.client.create(
"/abc",
acls=[make_ace(self.admin.get_token(), all=True)])
yield attach_deferred
acl = ACL(client, "/abc")
yield self.assertFailure(
acl.grant("zebra", all=True),
zookeeper.NoAuthException)
def test_activate(self):
"""A principal can be used with a client connection."""
client = yield self.get_zookeeper_client().connect()
self.addCleanup(lambda: client.close())
admin_credentials = "admin:admin"
test_credentials = "test:test"
yield self.client.add_auth("digest", admin_credentials)
acl = [make_ace(make_identity(admin_credentials), all=True),
make_ace(make_identity(
test_credentials), read=True, create=True)]
yield client.create("/acl-test", "content", acls=acl)
# Verify the acl is active
yield self.assertFailure(
client.get("/acl-test"), zookeeper.NoAuthException)
# Attach the principal to the connection
principal = Principal("test", "test")
yield principal.attach(client)
content, stat = yield client.get("/acl-test")
self.assertEqual(content, "content")
def test_activate(self):
"""A principal can be used with a client connection."""
client = yield self.get_zookeeper_client().connect()
self.addCleanup(lambda: client.close())
admin_credentials = "admin:admin"
test_credentials = "test:test"
yield self.client.add_auth("digest", admin_credentials)
acl = [
make_ace(make_identity(admin_credentials), all=True),
make_ace(make_identity(test_credentials), read=True, create=True)
]
yield client.create("/acl-test", "content", acls=acl)
# Verify the acl is active
yield self.assertFailure(client.get("/acl-test"),
zookeeper.NoAuthException)
# Attach the principal to the connection
principal = Principal("test", "test")
yield principal.attach(client)
content, stat = yield client.get("/acl-test")
self.assertEqual(content, "content")
class ACLTest(TestCase):
@inlineCallbacks
def setUp(self):
zookeeper.set_debug_level(0)
self.client = yield self.get_zookeeper_client().connect()
self.tokens = TokenDatabase(self.client)
self.admin = Principal("admin", "admin")
yield self.tokens.add(self.admin)
self.policy = SecurityPolicy(self.client, self.tokens)
attach_deferred = self.admin.attach(self.client)
self.client.exists("/")
yield attach_deferred
def tearDown(self):
deleteTree(handle=self.client.handle)
self.client.close()
@inlineCallbacks
def test_acl_on_non_existant_node(self):
acl = ACL(self.client, "abc")
yield self.assertFailure(acl.grant("admin", all=True), StateNotFound)
@inlineCallbacks
def test_acl_without_admin(self):
"""A client needs an attached principle with the admin perm to set acl.
"""
client = yield self.get_zookeeper_client().connect()
principal = Principal("zebra", "stripes")
yield self.tokens.add(principal)
attach_deferred = principal.attach(client)
yield self.client.create(
"/abc",
acls=[make_ace(self.admin.get_token(), all=True)])
yield attach_deferred
acl = ACL(client, "/abc")
yield self.assertFailure(
acl.grant("zebra", all=True),
zookeeper.NoAuthException)
@inlineCallbacks
def test_grant(self):
path = yield self.client.create("/abc")
acl = ACL(self.client, path)
yield acl.grant("admin", all=True)
node_acl, stat = yield self.client.get_acl(path)
self.assertEqual(
node_acl,
[ZOO_OPEN_ACL_UNSAFE,
make_ace(self.admin.get_token(), all=True)])
@inlineCallbacks
def test_grant_additive(self):
path = yield self.client.create("/abc")
acl = ACL(self.client, "/abc")
yield acl.grant("admin", read=True)
yield acl.grant("admin", write=True)
test_ace = make_ace(":", read=True, write=True)
node_acl, stat = yield self.client.get_acl(path)
self.assertEqual(node_acl[-1]["perms"], test_ace["perms"])
@inlineCallbacks
def test_grant_not_in_token_database(self):
path = yield self.client.create("/abc")
acl = ACL(self.client, path)
yield self.assertFailure(acl.grant("zebra"), PrincipalNotFound)
@inlineCallbacks
def test_prohibit(self):
principal = Principal("zebra", "stripes")
yield self.tokens.add(principal)
path = yield self.client.create("/abc", acls=[
make_ace(self.admin.get_token(), all=True),
make_ace(principal.get_token(), write=True)])
acl = ACL(self.client, path)
yield acl.prohibit("zebra")
acl, stat = yield self.client.get_acl(path)
self.assertEqual(
acl, [make_ace(self.admin.get_token(), all=True)])
@inlineCallbacks
def test_prohibit_non_existant_node(self):
acl = ACL(self.client, "/abc")
yield self.assertFailure(
acl.prohibit("zebra"), StateNotFound)
@inlineCallbacks
def test_prohibit_not_in_acl(self):
principal = Principal("zebra", "stripes")
yield self.tokens.add(principal)
path = yield self.client.create("/abc", acls=[
make_ace(self.admin.get_token(), all=True)])
acl = ACL(self.client, path)
# We get to the same end state so its fine.
yield acl.prohibit("zebra")
acl, stat = yield self.client.get_acl(path)
self.assertEqual(
acl, [make_ace(self.admin.get_token(), all=True)])
class ACLTest(TestCase):
@inlineCallbacks
def setUp(self):
zookeeper.set_debug_level(0)
self.client = yield self.get_zookeeper_client().connect()
self.tokens = TokenDatabase(self.client)
self.admin = Principal("admin", "admin")
yield self.tokens.add(self.admin)
self.policy = SecurityPolicy(self.client, self.tokens)
attach_deferred = self.admin.attach(self.client)
self.client.exists("/")
yield attach_deferred
def tearDown(self):
deleteTree(handle=self.client.handle)
self.client.close()
@inlineCallbacks
def test_acl_on_non_existant_node(self):
acl = ACL(self.client, "abc")
yield self.assertFailure(acl.grant("admin", all=True), StateNotFound)
@inlineCallbacks
def test_acl_without_admin(self):
"""A client needs an attached principle with the admin perm to set acl.
"""
client = yield self.get_zookeeper_client().connect()
principal = Principal("zebra", "stripes")
yield self.tokens.add(principal)
attach_deferred = principal.attach(client)
yield self.client.create(
"/abc", acls=[make_ace(self.admin.get_token(), all=True)])
yield attach_deferred
acl = ACL(client, "/abc")
yield self.assertFailure(acl.grant("zebra", all=True),
zookeeper.NoAuthException)
@inlineCallbacks
def test_grant(self):
path = yield self.client.create("/abc")
acl = ACL(self.client, path)
yield acl.grant("admin", all=True)
node_acl, stat = yield self.client.get_acl(path)
self.assertEqual(
node_acl,
[ZOO_OPEN_ACL_UNSAFE,
make_ace(self.admin.get_token(), all=True)])
@inlineCallbacks
def test_grant_additive(self):
path = yield self.client.create("/abc")
acl = ACL(self.client, "/abc")
yield acl.grant("admin", read=True)
yield acl.grant("admin", write=True)
test_ace = make_ace(":", read=True, write=True)
node_acl, stat = yield self.client.get_acl(path)
self.assertEqual(node_acl[-1]["perms"], test_ace["perms"])
@inlineCallbacks
def test_grant_not_in_token_database(self):
path = yield self.client.create("/abc")
acl = ACL(self.client, path)
yield self.assertFailure(acl.grant("zebra"), PrincipalNotFound)
@inlineCallbacks
def test_prohibit(self):
principal = Principal("zebra", "stripes")
yield self.tokens.add(principal)
path = yield self.client.create("/abc",
acls=[
make_ace(self.admin.get_token(),
all=True),
make_ace(principal.get_token(),
write=True)
])
acl = ACL(self.client, path)
yield acl.prohibit("zebra")
acl, stat = yield self.client.get_acl(path)
self.assertEqual(acl, [make_ace(self.admin.get_token(), all=True)])
@inlineCallbacks
def test_prohibit_non_existant_node(self):
acl = ACL(self.client, "/abc")
yield self.assertFailure(acl.prohibit("zebra"), StateNotFound)
@inlineCallbacks
def test_prohibit_not_in_acl(self):
principal = Principal("zebra", "stripes")
yield self.tokens.add(principal)
path = yield self.client.create(
"/abc", acls=[make_ace(self.admin.get_token(), all=True)])
acl = ACL(self.client, path)
# We get to the same end state so its fine.
yield acl.prohibit("zebra")
acl, stat = yield self.client.get_acl(path)
self.assertEqual(acl, [make_ace(self.admin.get_token(), all=True)])
