def test_user_permission_revoke(self):
u = self._create_user()
r = self._create_resource()
o = authorization.READ
n = authorization.operation_to_name(o)
authorization.grant_permission_to_user(r, u['login'], [n])
self.assertTrue(authorization.is_authorized(r, u, o))
authorization.revoke_permission_from_user(r, u['login'], [n])
self.assertFalse(authorization.is_authorized(r, u, o))
def test_consumer_user_permissions(self):
u = self._create_user()
s = '/consumers/'
r = authorization.consumer_users_role
authorization.add_user_to_role(r, u['name'])
self.assertTrue(authorization.is_authorized(s, u, authorization.CREATE))
self.assertTrue(authorization.is_authorized(s, u, authorization.READ))
self.assertFalse(authorization.is_authorized(s, u, authorization.UPDATE))
self.assertFalse(authorization.is_authorized(s, u, authorization.DELETE))
self.assertFalse(authorization.is_authorized(s, u, authorization.EXECUTE))
def test_super_user_permissions(self):
u = self._create_user()
s = self._create_resource()
r = authorization.super_user_role
authorization.add_user_to_role(r, u['name'])
self.assertTrue(authorization.is_authorized(s, u, authorization.CREATE))
self.assertTrue(authorization.is_authorized(s, u, authorization.READ))
self.assertTrue(authorization.is_authorized(s, u, authorization.UPDATE))
self.assertTrue(authorization.is_authorized(s, u, authorization.DELETE))
self.assertTrue(authorization.is_authorized(s, u, authorization.EXECUTE))
def test_role_permission_delete(self):
u = self._create_user()
r = self._create_role()
s = self._create_resource()
o = authorization.READ
n = authorization.operation_to_name(o)
authorization.add_user_to_role(r['name'], u['login'])
authorization.grant_permission_to_role(s, r['name'], [n])
self.assertTrue(authorization.is_authorized(s, u, o))
authorization.delete_role(r['name'])
self.assertFalse(authorization.is_authorized(s, u, o))
def test_role_execute(self):
u1 = self._create_user()
u2 = self._create_user()
r = self._create_role()
s = self._create_resource()
o = authorization.EXECUTE
n = authorization.operation_to_name(o)
authorization.add_user_to_role(r['name'], u1['login'])
authorization.grant_permission_to_role(s, r['name'], [n])
self.assertTrue(authorization.is_authorized(s, u1, o))
self.assertFalse(authorization.is_authorized(s, u2, o))
def test_non_unique_permission_remove(self):
u = self._create_user()
r1 = self._create_role()
r2 = self._create_role()
s = self._create_resource()
o = authorization.READ
n = authorization.operation_to_name(o)
authorization.add_user_to_role(r1['name'], u['login'])
authorization.add_user_to_role(r2['name'], u['login'])
authorization.grant_permission_to_role(s, r1['name'], [n])
authorization.grant_permission_to_role(s, r2['name'], [n])
self.assertTrue(authorization.is_authorized(s, u, o))
authorization.remove_user_from_role(r1['name'], u['login'])
self.assertTrue(authorization.is_authorized(s, u, o))
def test_user_update_success(self):
u = self._create_user()
r = self._create_resource()
o = authorization.UPDATE
n = authorization.operation_to_name(o)
authorization.grant_permission_to_user(r, u['login'], [n])
self.assertTrue(authorization.is_authorized(r, u, o))
def test_role_order_of_permission_grant(self):
u1 = self._create_user()
u2 = self._create_user()
r1 = self._create_role()
r2 = self._create_role()
s = self._create_resource()
o = authorization.READ
n = authorization.operation_to_name(o)
# add first, grant second
authorization.add_user_to_role(r1['name'], u1['name'])
authorization.grant_permission_to_role(s, r1['name'], [n])
self.assertTrue(authorization.is_authorized(s, u1, o))
# grant first, add second
authorization.grant_permission_to_role(s, r2['name'], [n])
authorization.add_user_to_role(r2['name'], u2['name'])
self.assertTrue(authorization.is_authorized(s, u2, o))
def test_root_permissions(self):
u = self._create_user()
r = self._create_resource()
o = authorization.READ
n = authorization.operation_to_name(o)
authorization.grant_permission_to_user('/', u['login'], [n])
self.assertTrue(authorization.is_authorized(r, u, o))
def test_parent_permissions(self):
u = self._create_user()
r = self._create_resource()
p = r.rsplit('/', 2)[0] + '/'
o = authorization.READ
n = authorization.operation_to_name(o)
authorization.grant_permission_to_user(p, u['login'], [n])
self.assertTrue(authorization.is_authorized(r, u, o))
def _auth_decorator(self, *args, **kwargs):
# XXX jesus h christ: is this some god awful shit
# please, please refactor this into ... something ... anything!
user = None
is_consumer = False
permissions = {'/v2/consumers/' : [0, 1]}
# first, try username:password authentication
username, password = http.username_password()
if username is not None:
user = check_username_password(username, password)
if user is None:
return self.unauthorized(user_pass_fail_msg)
# second, try certificate authentication
if user is None:
cert_pem = http.ssl_client_cert()
if cert_pem is not None:
# first, check user certificate
user = check_user_cert(cert_pem)
if user is None:
# second, check consumer certificate
# This is temporary solution to solve authorization failure for consumers
# because of no associated users. We would likely be going with a similar approach
# for v2 with static permissions for consumers instead of associates users. Once we
# have users and permissions flushed out for v2, this code will look much better.
# user = check_consumer_cert(cert_pem)
user = check_consumer_cert_no_user(cert_pem)
if user:
is_consumer = True
consumer_base_url = '/v2/consumers/%s' % user + '/'
permissions[consumer_base_url] = [0, 1, 2, 3, 4]
# third, check oauth credentials
if user is None:
auth = http.http_authorization()
username = http.request_info('HTTP_PULP_USER')
if None in (auth, username):
if cert_pem is not None:
return self.unauthorized(cert_fail_msg)
else:
meth = http.request_info('REQUEST_METHOD')
url = http.request_url()
query = http.request_info('QUERY_STRING')
user = check_oauth(username, meth, url, auth, query)
if user is None:
return self.unauthorized(oauth_fail_msg)
# authentication has failed
if user is None:
return self.unauthorized(authen_fail_msg)
# procedure to check consumer permissions - part of the temporary solution described above
def is_consumer_authorized(resource, consumer, operation):
if consumer_base_url in resource and operation in permissions[consumer_base_url]:
return True
else:
return False
# forth, check authorization
if super_user_only and not is_superuser(user):
return self.unauthorized(author_fail_msg)
# if the operation is None, don't check authorization
elif operation is not None:
if is_consumer and is_consumer_authorized(http.resource_path(), user, operation):
value = method(self, *args, **kwargs)
clear_principal()
return value
elif is_authorized(http.resource_path(), user, operation):
pass
else:
return self.unauthorized(author_fail_msg)
# everything ok, manage the principal and call the method
set_principal(user)
value = method(self, *args, **kwargs)
clear_principal()
return value
def test_user_update_failure(self):
u = self._create_user()
r = self._create_resource()
o = authorization.UPDATE
self.assertFalse(authorization.is_authorized(r, u, o))
