コード例 #1
ファイル: _test_authorization.py プロジェクト: stpierre/pulp
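 def test_remove_user(self):
     """Removing a user from a role must drop them from that role's member list.

     The membership is checked both after the add and after the remove, so
     the test cannot pass merely because the add never took effect.
     """
     user = self._create_user()
     role = self._create_role()
     authorization.add_user_to_role(role['name'], user['login'])
     # The loop variable is deliberately not named like the user under test:
     # on Python 2 a list comprehension's variable leaks into the enclosing
     # scope and would silently rebind it to the last listed member.
     logins_after_add = [member['login']
                         for member in authorization.list_users_in_role(role['name'])]
     self.assertTrue(user['login'] in logins_after_add)
     authorization.remove_user_from_role(role['name'], user['login'])
     logins_after_remove = [member['login']
                            for member in authorization.list_users_in_role(role['name'])]
     self.assertFalse(user['login'] in logins_after_remove)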
コード例 #2
ファイル: _test_authorization.py プロジェクト: stpierre/pulp
 def test_consumer_user_permissions(self):
     """Consumer-users role members get CREATE and READ on /consumers/ only.

     The three denied operations are the least-privilege half of the test:
     they fail if the built-in role is ever widened.
     """
     user = self._create_user()
     resource = '/consumers/'
     # NOTE(review): membership is keyed by user['name'] here, while other
     # tests in this file pass user['login'] -- confirm _create_user makes
     # the two identical, otherwise this binds the role to the wrong key.
     authorization.add_user_to_role(authorization.consumer_users_role, user['name'])
     for allowed in (authorization.CREATE, authorization.READ):
         self.assertTrue(authorization.is_authorized(resource, user, allowed))
     for denied in (authorization.UPDATE, authorization.DELETE, authorization.EXECUTE):
         self.assertFalse(authorization.is_authorized(resource, user, denied))
コード例 #3
ファイル: _test_authorization.py プロジェクト: stpierre/pulp
 def test_super_user_permissions(self):
     """A member of the super-user role is authorized for every operation.

     No permission is granted on the resource itself; membership in the
     super-user role is the only thing set up before the checks.
     """
     user = self._create_user()
     resource = self._create_resource()
     # NOTE(review): keyed by user['name'] rather than user['login'] as in
     # other tests of this file -- confirm both hold the same value.
     authorization.add_user_to_role(authorization.super_user_role, user['name'])
     every_operation = (
         authorization.CREATE,
         authorization.READ,
         authorization.UPDATE,
         authorization.DELETE,
         authorization.EXECUTE,
     )
     for operation in every_operation:
         self.assertTrue(authorization.is_authorized(resource, user, operation))
コード例 #4
ファイル: _test_authorization.py プロジェクト: stpierre/pulp
 def test_role_permission_delete(self):
     """Deleting a role must revoke what its members held only through it."""
     user = self._create_user()
     role = self._create_role()
     resource = self._create_resource()
     operation = authorization.READ
     operation_name = authorization.operation_to_name(operation)
     role_name = role['name']
     authorization.add_user_to_role(role_name, user['login'])
     authorization.grant_permission_to_role(resource, role_name, [operation_name])
     # Precondition: access really was granted, so the final deny is meaningful.
     allowed_before = authorization.is_authorized(resource, user, operation)
     self.assertTrue(allowed_before)
     authorization.delete_role(role_name)
     # Revocation: the user had no other source of READ on this resource.
     allowed_after = authorization.is_authorized(resource, user, operation)
     self.assertFalse(allowed_after)
コード例 #5
ファイル: _test_authorization.py プロジェクト: stpierre/pulp
 def test_role_execute(self):
     """EXECUTE granted to a role applies to its members and to nobody else."""
     member = self._create_user()
     outsider = self._create_user()
     role = self._create_role()
     resource = self._create_resource()
     operation = authorization.EXECUTE
     operation_name = authorization.operation_to_name(operation)
     authorization.add_user_to_role(role['name'], member['login'])
     authorization.grant_permission_to_role(resource, role['name'], [operation_name])
     self.assertTrue(authorization.is_authorized(resource, member, operation))
     # Negative control: the second user was never added to the role, so the
     # grant must not reach them.
     self.assertFalse(authorization.is_authorized(resource, outsider, operation))
コード例 #6
ファイル: _test_authorization.py プロジェクト: stpierre/pulp
 def test_non_unique_permission_remove(self):
     """A permission held through two roles survives leaving one of them."""
     user = self._create_user()
     first_role = self._create_role()
     second_role = self._create_role()
     resource = self._create_resource()
     operation = authorization.READ
     operation_name = authorization.operation_to_name(operation)
     login = user['login']
     authorization.add_user_to_role(first_role['name'], login)
     authorization.add_user_to_role(second_role['name'], login)
     authorization.grant_permission_to_role(resource, first_role['name'], [operation_name])
     authorization.grant_permission_to_role(resource, second_role['name'], [operation_name])
     self.assertTrue(authorization.is_authorized(resource, user, operation))
     authorization.remove_user_from_role(first_role['name'], login)
     # The second role still grants READ, so access must remain.
     # NOTE(review): the complementary case is not covered here -- after the
     # user also leaves the second role, access would be expected to be denied.
     self.assertTrue(authorization.is_authorized(resource, user, operation))
コード例 #7
ファイル: _test_authorization.py プロジェクト: stpierre/pulp
 def test_role_order_of_permission_grant(self):
     """Membership and grant take effect whichever of the two happens first."""
     early_member = self._create_user()
     late_member = self._create_user()
     role_a = self._create_role()
     role_b = self._create_role()
     resource = self._create_resource()
     operation = authorization.READ
     operation_name = authorization.operation_to_name(operation)
     # NOTE(review): both users are added by ['name'], not ['login'] as in
     # other tests of this file -- confirm the two fields hold the same value.

     # Case 1: the user joins the role, then the role receives the permission.
     authorization.add_user_to_role(role_a['name'], early_member['name'])
     authorization.grant_permission_to_role(resource, role_a['name'], [operation_name])
     self.assertTrue(authorization.is_authorized(resource, early_member, operation))

     # Case 2: the role receives the permission, then the user joins it.
     authorization.grant_permission_to_role(resource, role_b['name'], [operation_name])
     authorization.add_user_to_role(role_b['name'], late_member['name'])
     self.assertTrue(authorization.is_authorized(resource, late_member, operation))
コード例 #8
ファイル: admin.py プロジェクト: stpierre/pulp
def ensure_admin():
    """
    Guarantee that the system has at least one super user.

    When the super-user role has no members, the default admin login (from
    the pulp config) is looked up, created if it does not exist yet, and
    added to the super-user role. When the role already has a member the
    function returns without touching anything.
    """
    super_role = authorization._get_role(authorization.super_user_role)
    if authorization._get_users_belonging_to_role(super_role):
        # A super user already exists; nothing to bootstrap.
        return

    login = config.config.get('server', 'default_login')
    manager = UserManager()
    if manager.find_by_login(login) is None:
        # NOTE(review): the bootstrap account takes its password straight from
        # the [server] default_password config value and becomes a super user
        # below. Deployments should override that value and rotate the
        # password after first start.
        manager.create_user(
            login=login,
            password=config.config.get('server', 'default_password'))
    # An account that already exists under the default login is promoted
    # as-is; its current password is not changed here.
    authorization.add_user_to_role(authorization.super_user_role, login)
コード例 #9
ファイル: ldap_connection.py プロジェクト: stpierre/pulp
    def _add_from_ldap(self, username, userdata):
        """
        Return the pulp user for an LDAP login, creating it on first sight.

        @param username:  Username to be added
        @param userdata: tuple of user data as returned by lookup_user;
                         only userdata[1], the attribute mapping, is read

        A new user is added to the pulp user database with no password and
        its display name is taken from the 'gecos' attribute, falling back
        to the username. If the [ldap] default_role option is set, the new
        user is also added to that role. A user that already exists is
        returned unchanged and is not added to the role again.

        Returns a pulp.server.db.model.User object.
        """
        existing = _user_manager.find_by_login(username)
        if existing is not None:
            return existing

        ldap_attrs = userdata[1]
        try:
            # NOTE(review): python-ldap usually returns attribute values as
            # lists -- confirm lookup_user hands over a plain string here.
            display_name = ldap_attrs['gecos']
        except KeyError:
            display_name = username
        created = _user_manager.create_user(login=username, name=display_name)

        if not config.has_option('ldap', 'default_role'):
            return created

        # Every first-time LDAP login receives this role automatically, so
        # the configured default_role should be a least-privileged one.
        default_role = config.get('ldap', 'default_role')
        if not authorization.add_user_to_role(default_role, username):
            # A failed assignment is only logged: the user record stays in
            # place without the role.
            log.error("Could not add user [%s] to role [%s]" %
                      (username, default_role))
        return created