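def test_remove_user(self):
    """Removing a user from a role drops that login from the role's member list."""
    user = self._create_user()
    role = self._create_role()
    authorization.add_user_to_role(role['name'], user['login'])
    authorization.remove_user_from_role(role['name'], user['login'])
    # The comprehension variable must not reuse the name of the user under
    # test: under Python 2 a list comprehension leaks its loop variable, so
    # the assertion below would otherwise look at the last remaining member
    # instead of the user that was removed.
    member_logins = [member['login']
                     for member in authorization.list_users_in_role(role['name'])]
    self.assertNotIn(user['login'], member_logins)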
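def test_consumer_user_permissions(self):
    """Consumer users get CREATE and READ on /consumers/ and nothing else."""
    user = self._create_user()
    resource = '/consumers/'
    # add_user_to_role is keyed by the user's login everywhere else in this
    # file (ensure_admin passes the login, the other tests pass u['login']);
    # passing the display name only works while name happens to equal login.
    authorization.add_user_to_role(authorization.consumer_users_role, user['login'])
    # Pin the permission matrix: any extra operation here is a privilege
    # escalation for the least-trusted built-in role.
    for granted in (authorization.CREATE, authorization.READ):
        self.assertTrue(authorization.is_authorized(resource, user, granted))
    for denied in (authorization.UPDATE, authorization.DELETE, authorization.EXECUTE):
        self.assertFalse(authorization.is_authorized(resource, user, denied))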
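def test_super_user_permissions(self):
    """Members of the super user role are authorized for every operation."""
    user = self._create_user()
    resource = self._create_resource()
    # Keyed by login, consistent with the other add_user_to_role callers in
    # this file; u['name'] only worked while name equalled login.
    authorization.add_user_to_role(authorization.super_user_role, user['login'])
    every_operation = (
        authorization.CREATE,
        authorization.READ,
        authorization.UPDATE,
        authorization.DELETE,
        authorization.EXECUTE,
    )
    for operation in every_operation:
        self.assertTrue(authorization.is_authorized(resource, user, operation))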
def test_role_permission_delete(self):
    """Deleting a role revokes the access its members received through it."""
    user = self._create_user()
    role = self._create_role()
    resource = self._create_resource()
    operation = authorization.READ
    op_name = authorization.operation_to_name(operation)

    authorization.add_user_to_role(role['name'], user['login'])
    authorization.grant_permission_to_role(resource, role['name'], [op_name])
    self.assertTrue(authorization.is_authorized(resource, user, operation))

    # A grant that survived deletion of its role would be retained
    # privilege with no role left to revoke it from.
    authorization.delete_role(role['name'])
    self.assertFalse(authorization.is_authorized(resource, user, operation))
def test_role_execute(self):
    """EXECUTE granted to a role reaches its member, not an unrelated user."""
    member = self._create_user()
    outsider = self._create_user()
    role = self._create_role()
    resource = self._create_resource()
    operation = authorization.EXECUTE
    op_name = authorization.operation_to_name(operation)

    authorization.add_user_to_role(role['name'], member['login'])
    authorization.grant_permission_to_role(resource, role['name'], [op_name])

    self.assertTrue(authorization.is_authorized(resource, member, operation))
    # The second user was never added to the role and must stay denied.
    self.assertFalse(authorization.is_authorized(resource, outsider, operation))
def test_non_unique_permission_remove(self):
    """Leaving one of two roles that both grant an operation keeps the access."""
    user = self._create_user()
    first_role = self._create_role()
    second_role = self._create_role()
    resource = self._create_resource()
    operation = authorization.READ
    op_name = authorization.operation_to_name(operation)

    for role in (first_role, second_role):
        authorization.add_user_to_role(role['name'], user['login'])
        authorization.grant_permission_to_role(resource, role['name'], [op_name])
    self.assertTrue(authorization.is_authorized(resource, user, operation))

    # Removal from the first role must not strip the permission that the
    # second role still confers.
    authorization.remove_user_from_role(first_role['name'], user['login'])
    self.assertTrue(authorization.is_authorized(resource, user, operation))
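def test_role_order_of_permission_grant(self):
    """Adding a member and granting a permission commute: either order authorizes."""
    first_user = self._create_user()
    second_user = self._create_user()
    first_role = self._create_role()
    second_role = self._create_role()
    resource = self._create_resource()
    operation = authorization.READ
    op_name = authorization.operation_to_name(operation)

    # add_user_to_role takes the login (as every other caller in this file
    # passes); the display name only worked while it equalled the login.
    # add first, grant second
    authorization.add_user_to_role(first_role['name'], first_user['login'])
    authorization.grant_permission_to_role(resource, first_role['name'], [op_name])
    self.assertTrue(authorization.is_authorized(resource, first_user, operation))

    # grant first, add second
    authorization.grant_permission_to_role(resource, second_role['name'], [op_name])
    authorization.add_user_to_role(second_role['name'], second_user['login'])
    self.assertTrue(authorization.is_authorized(resource, second_user, operation))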
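def ensure_admin():
    """
    Ensure that at least one super user exists for the system.

    If the super user role already has members nothing is changed. Otherwise
    the default admin login from the pulp config (``[server] default_login``)
    is looked up; when no such user exists it is created with
    ``[server] default_password``. That user is then added to the super
    user role.

    @raise RuntimeError: if the default user could not be added to the super
        user role; returning silently would leave the system with no super
        user, which is exactly what this function exists to prevent.
    """
    super_user_role = authorization._get_role(authorization.super_user_role)
    if authorization._get_users_belonging_to_role(super_user_role):
        return

    default_login = config.config.get('server', 'default_login')
    user_manager = UserManager()
    admin = user_manager.find_by_login(default_login)
    if admin is None:
        # The bootstrap credentials come straight from the config file: a
        # deployment that keeps the shipped defaults has a super user whose
        # login and password are those defaults until they are changed.
        default_password = config.config.get('server', 'default_password')
        admin = user_manager.create_user(login=default_login,
                                         password=default_password)

    # add_user_to_role reports failure through a falsy return value (the
    # LDAP user path in this codebase checks it the same way); ignoring it
    # here would let ensure_admin return with no super user at all.
    if not authorization.add_user_to_role(authorization.super_user_role,
                                          default_login):
        raise RuntimeError('could not add user [%s] to role [%s]'
                           % (default_login, authorization.super_user_role))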
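def _add_from_ldap(self, username, userdata):
    """
    Add a user found in LDAP to the pulp user database, if not already there.

    The user is created with no password. When the ``[ldap] default_role``
    option is set, the user is also added to that role, so this is the point
    at which an LDAP user first receives pulp privileges.

    @param username: login of the user to be added
    @param userdata: tuple of user data as returned by lookup_user; index 1
        is used as a mapping of LDAP attributes and its 'gecos' entry, when
        present, becomes the display name
    @return: the pulp.server.db.model.User object for the user
    """
    user = _user_manager.find_by_login(username)
    if user is not None:
        return user

    attrs = userdata[1]
    try:
        name = attrs['gecos']
    except KeyError:
        # No display name in the directory entry: fall back to the login.
        name = username
    user = _user_manager.create_user(login=username, name=name)

    if config.has_option('ldap', 'default_role'):
        role = config.get('ldap', 'default_role')
        # add_user_to_role signals failure with a falsy return; the user
        # still exists at this point but has not received the role.
        if not authorization.add_user_to_role(role, username):
            log.error("Could not add user [%s] to role [%s]", username, role)
    return user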