def Populate(do_it):
old_configs = config.GetAll()
for key, value in old_configs.iteritems():
if not key.startswith(ROLE_PREFIX):
continue
user = key[len(ROLE_PREFIX):]
if not re.search(r'^[\[email protected]]+$', user):
continue
print 'Translating perms for %s (%s)' % (user, value)
if '@' in user:
user = utils.NormalizeEmail(user)
for perm in value:
if isinstance(perm, basestring):
if perm == perms.Role.ADMIN:
print '...Granting %s admin permissions' % user
if do_it:
perms.Grant(user, perms.Role.ADMIN,
perms.GLOBAL_TARGET)
else:
print '...User %s had global permission %s; ignoring' % (
user, perm)
elif isinstance(perm, list) and len(perm) == 2:
print '...Granting %s permission %s to %s' % (user, perm[0],
perm[1])
if do_it:
perms.Grant(user, perm[0], perm[1])
else:
print '...User %s has unexpected permission %s; ignoring' % (
user, perm)
def testGetAccessibleDomains(self):
privileged = test_utils.SetupUser(test_utils.Login('privileged'))
outsider = test_utils.SetupUser(test_utils.Login('outsider'))
with test_utils.RootLogin():
perms.Grant('privileged', perms.Role.DOMAIN_REVIEWER,
'domain-rev.com')
perms.Grant('privileged', perms.Role.MAP_CREATOR,
'map-creator.com')
perms.Grant('privileged', perms.Role.CATALOG_EDITOR,
'catalog-editor.com')
perms.Grant('privileged', perms.Role.DOMAIN_ADMIN,
'domain-admin.com')
self.assertRaises(ValueError, perms.GetAccessibleDomains, outsider,
'not-a-domain-role')
self.assertEquals({'domain-admin.com'},
perms.GetAccessibleDomains(
privileged, perms.Role.DOMAIN_ADMIN))
self.assertEquals({'domain-admin.com', 'catalog-editor.com'},
perms.GetAccessibleDomains(
privileged, perms.Role.CATALOG_EDITOR))
self.assertEquals(
{'domain-admin.com', 'catalog-editor.com', 'map-creator.com'},
perms.GetAccessibleDomains(privileged, perms.Role.MAP_CREATOR))
self.assertEquals(
{
'domain-admin.com', 'catalog-editor.com',
'map-creator.com', 'domain-rev.com'
},
perms.GetAccessibleDomains(privileged,
perms.Role.DOMAIN_REVIEWER))
def testPost_SetDomainRole(self):
with test_utils.RootLogin():
perms.Grant('xyz.com', perms.Role.DOMAIN_ADMIN, 'xyz.com')
perms.Grant('xyz.com', perms.Role.MAP_CREATOR, 'xyz.com')
self.DoUserPermissionsPost(
'xyz.com', [], domain_role=perms.Role.CATALOG_EDITOR)
self.assertEqual({perms.Role.CATALOG_EDITOR},
perms.GetSubjectsForTarget('xyz.com')['xyz.com'])
def setUp(self):
super(AdminDomainTest, self).setUp()
test_utils.SetupUser(test_utils.Login('manager'))
test_utils.SetupUser(test_utils.DomainLogin('insider', 'xyz.com'))
test_utils.SetupUser(test_utils.DomainLogin('reviewer', 'xyz.com'))
test_utils.SetupUser(test_utils.DomainLogin('outsider', 'not-xyz.com'))
# TODO(kpy): Consider moving this setup into the tests that use it.
perms.Grant('xyz.com', perms.Role.MAP_CREATOR, 'xyz.com')
perms.Grant('manager', perms.Role.DOMAIN_ADMIN, 'xyz.com')
perms.Grant('reviewer', perms.Role.DOMAIN_REVIEWER, 'xyz.com')
perms.Grant('insider', perms.Role.CATALOG_EDITOR, 'xyz.com')
perms.Grant('outsider', perms.Role.MAP_CREATOR, 'xyz.com')
def testRevoke(self):
subject, role, target = 'subject', perms.Role.CATALOG_EDITOR, 'xyz.com'
perms.Grant(subject, role, target)
with test_utils.Login('subject'):
self.assertTrue(perms.CheckAccess(role, target))
perms.Revoke(subject, role, target)
self.assertFalse(perms.CheckAccess(role, target))
def CreateDomain(self, domain_name, user):
if domains.Domain.Get(domain_name):
raise base_handler.Error(403,
'Domain %r already exists.' % domain_name)
domains.Domain.Put(domain_name)
utils.SetAndTest(
lambda: perms.Grant(user.id, perms.Role.DOMAIN_ADMIN, domain_name),
lambda: perms.CheckAccess(perms.Role.DOMAIN_ADMIN, domain_name,
user))
def testDomainAdminRole(self):
with test_utils.RootLogin():
perms.Grant('xyz.com', perms.Role.DOMAIN_ADMIN, 'xyz.com')
perms.Grant('outside_friend', perms.Role.DOMAIN_ADMIN, 'xyz.com')
with test_utils.DomainLogin('insider', 'xyz.com'):
self.assertTrue(
perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
with test_utils.DomainLogin('outside_friend', 'not-xyz.com'):
self.assertTrue(
perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
with test_utils.Login('stranger'):
self.assertFalse(
perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
with test_utils.DomainLogin('stranger_with_ga_domain', 'not-xyz.com'):
self.assertFalse(
perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
with test_utils.RootLogin():
self.assertTrue(
perms.CheckAccess(perms.Role.DOMAIN_ADMIN, 'xyz.com'))
def AddNewUserIfPresent(self, inputs, domain):
"""Grants domain roles to a new user."""
new_email = inputs.pop('new_user').strip()
new_role = inputs.pop('new_user.permission')
if not new_email or not new_role:
return
if not utils.IsValidEmail(new_email):
raise base_handler.Error(400,
'Invalid e-mail address: %r.' % new_email)
user = users.GetForEmail(new_email)
perms.Grant(user.id, new_role, domain)
def testDomainSettingsPost(self):
domains.Domain.Put(
'foo.com', has_sticky_catalog_entries=True, default_label='label-a',
initial_domain_role=perms.Role.MAP_VIEWER)
perms.Grant('manager', perms.Role.DOMAIN_ADMIN, 'foo.com')
with test_utils.Login('manager'):
self.DoDomainSettingsPost(
'foo.com', 'label-b', False, perms.Role.MAP_EDITOR)
domain = domains.Domain.Get('foo.com')
self.assertEqual('label-b', domain.default_label)
self.assertFalse(domain.has_sticky_catalog_entries)
self.assertEqual(perms.Role.MAP_EDITOR, domain.initial_domain_role)
def testMapCreatorDomains(self):
"""Verifies that the map_creator_domains setting is respected."""
perms.Grant('foo.com', perms.Role.MAP_CREATOR, 'xyz.com')
# All users at foo.com have the CREATOR role for xyz.com.
with test_utils.DomainLogin('insider', 'foo.com'):
self.assertTrue(
perms.CheckAccess(perms.Role.MAP_CREATOR, 'xyz.com'))
self.assertFalse(perms.CheckAccess(perms.Role.ADMIN))
model.Map.Create({}, 'xyz.com')
# Users in bar.com don't have the CREATOR role.
with test_utils.DomainLogin('outsider', 'bar.com'):
self.assertFalse(
perms.CheckAccess(perms.Role.MAP_CREATOR, 'xyz.com'))
self.assertRaises(perms.AuthorizationError, model.Map.Create, {},
'xyz.com')
# All users in gmail.test get MAP_CREATOR.
perms.Grant('gmail.test', perms.Role.MAP_CREATOR, 'gmail.test')
with test_utils.Login('gmail_user'):
self.assertTrue(
perms.CheckAccess(perms.Role.MAP_CREATOR, 'gmail.test'))
def testCreate(self):
perms.Grant('creator', perms.Role.MAP_CREATOR, 'xyz.com')
self.CaptureLog()
with test_utils.Login('creator'):
response = self.DoPost('/xyz.com/.create', 'xsrf_token=XSRF', 302)
map_object = model.Map.Get(
response.headers['Location'].split('/')[-1])
# Confirm that a map was created.
self.assertTrue(map_object)
self.assertEquals('xyz.com', map_object.domain)
self.assertTrue('Untitled' in map_object.map_root['title'])
self.AssertLog(logs.Event.MAP_CREATED,
uid='creator',
map_id=map_object.id,
domain_name='xyz.com')
def SetRolesForDomain(subject_roles, domain_name):
"""Gives each user exactly the specified set of roles to the given domain.
Args:
subject_roles: A dictionary mapping subjects (user IDs or domain names)
to sets of perms.Role constants. For each subject, all roles in the
set will be granted, and all roles not in the set will be revoked.
domain_name: A domain name.
"""
# TODO(kpy): Simplify this to take subject_roles in the form {subject: role},
# as this is never called with role sets that have more than one element.
old_subject_roles = perms.GetSubjectsForTarget(domain_name)
for subject, new_roles in subject_roles.items():
old_roles = old_subject_roles.get(subject, set())
for role in old_roles - new_roles:
perms.Revoke(subject, role, domain_name)
for role in new_roles - old_roles:
perms.Grant(subject, role, domain_name)
def testModify(self):
# Overwriting a domain should require DOMAIN_ADMIN access.
self.assertTrue(domains.Domain.Get('xyz.com'))
self.assertRaises(perms.AuthorizationError, domains.Domain.Put, 'xyz.com')
# After Put(), the domain should come back with the new values.
perms.Grant('manager', perms.Role.DOMAIN_ADMIN, 'xyz.com')
with test_utils.Login('manager'):
domains.Domain.Put('xyz.com', default_label='fancy-map',
has_sticky_catalog_entries=True,
initial_domain_role=perms.Role.MAP_EDITOR)
self.AssertDomain('xyz.com', 'fancy-map', True, perms.Role.MAP_EDITOR)
# TODO(kpy): Check that DOMAIN_CREATED is not logged in this case.
# Specifying just one property should leave the rest unchanged.
with test_utils.Login('manager'):
domains.Domain.Put('xyz.com', default_label='another-map')
self.AssertDomain('xyz.com', 'another-map', True, perms.Role.MAP_EDITOR)
def testInitialDomainRole(self):
# Start with no initial_domain_role for our domain.
with test_utils.RootLogin():
domains.Domain.Put('xyz.com', initial_domain_role=perms.Role.NONE)
perms.Grant('creator', perms.Role.MAP_CREATOR, 'xyz.com')
# Newly created maps should get a domain_role of perms.Role.NONE.
with test_utils.Login('creator'):
response = self.DoPost('/xyz.com/.create', 'xsrf_token=XSRF', 302)
map_object = model.Map.Get(
response.headers['Location'].split('/')[-1])
self.assertEquals(perms.Role.NONE, map_object.domain_role)
# Now set the initial_domain_role for xyz.com.
with test_utils.RootLogin():
domains.Domain.Put('xyz.com',
initial_domain_role=perms.Role.MAP_EDITOR)
# Newly created maps should pick up the new domain_role.
with test_utils.Login('creator'):
response = self.DoPost('/xyz.com/.create', 'xsrf_token=XSRF', 302)
map_object = model.Map.Get(
response.headers['Location'].split('/')[-1])
self.assertEquals(perms.Role.MAP_EDITOR, map_object.domain_role)
def CreateOpenDomain(domain_name):
domains.Domain.Put(domain_name, has_sticky_catalog_entries=True,
initial_domain_role=perms.Role.NONE)
perms.Grant(domain_name, 'CATALOG_EDITOR', domain_name)
def testGetFromDomainReviewer(self):
perms.Grant('domainreviewer', perms.Role.DOMAIN_REVIEWER, 'xyz.com')
with test_utils.DomainLogin('domainreviewer', 'xyz.com'):
self.DoGet('/.maps/%s/review' % self.map_id)
def setUp(self):
super(PublishTest, self).setUp()
perms.Grant('owner', perms.Role.CATALOG_EDITOR, 'xyz.com')
self.map_object = test_utils.CreateMap(owners=['owner'])
self.map_id = self.map_object.id
def testPost_SetDomainRoleNone(self):
with test_utils.RootLogin():
perms.Grant('xyz.com', perms.Role.CATALOG_EDITOR, 'xyz.com')
self.DoUserPermissionsPost('xyz.com', [], domain_role=perms.Role.NONE)
self.assertNotIn('xyz.com', perms.GetSubjectsForTarget('xyz.com'))
