def test_user_can():
myFactory = Faker()
content = myFactory.text()
# Create a new resource with a random name
do = DataObject.create(content.encode())
resc_name = uuid.uuid4().hex
resc = Resource.create('/',
resc_name,
url="{}{}".format(cfg.protocol_cassandra, do.uuid))
usr1 = User.find(USR1_NAME)
usr2 = User.find(USR2_NAME)
# usr1 should be admin
assert resc.user_can(usr1, "read")
# usr2 should not be admin, on root collection, only read
assert resc.user_can(usr2, "read")
assert not resc.user_can(usr2, "write")
resc.delete()
def authenticate_credentials(self, userid, password, request=None):
"""
Authenticate the userid and password against username and password.
"""
cass_user = User.find(userid)
if cass_user is None or not cass_user.is_active():
raise exceptions.AuthenticationFailed(_("User inactive or deleted."))
if not cass_user.authenticate(password) and not ldap_authenticate(
cass_user.uuid, password
):
raise exceptions.AuthenticationFailed(_("Invalid username/password."))
return (cass_user, None)
def rm_user(self, args):
"""Remove a user."""
if not args[ARG_NAME]:
name = input(MSG_PROMPT_USER)
else:
name = args[ARG_NAME]
user = User.find(name)
if not user:
self.print_error(MSG_USER_NOT_EXIST.format(name))
return
user.delete()
print(MSG_USER_DELETED.format(name))
def user_view(request, name):
"""Render the view page for users"""
# argument is the login name, not the uuid in Cassandra
user = User.find(name)
if not user:
return redirect("users:home")
ctx = {
"req_user": request.user,
"user_obj": user,
"groups": [Group.find(gname) for gname in user.groups],
}
return render(request, "users/view.html", ctx)
def process_request(self, request):
"""Process a request, add the user in the cache"""
username = request.session.get("user")
if not username:
return None
# Cache the user rather than hitting the database for
# each request. We can also invalidate the entry if the
# user is marked as inactive.
user = cache.get("user_{}".format(username), None)
if not user:
user = User.find(username)
request.user = user
cache.set("user_{}".format(username), user, 60)
return None
def test_update():
user_name = uuid.uuid4().hex
email = uuid.uuid4().hex
password = uuid.uuid4().hex
administrator = True
groups = ['grp1']
notification_username = uuid.uuid4().hex
# Simple create
user = User.create(name=user_name,
email=email,
password=password,
administrator=administrator,
groups=groups)
new_password = uuid.uuid4().hex
new_email = uuid.uuid4().hex
user.update(password=new_password)
user.update(email=new_email, username=notification_username)
user = User.find(user_name)
def mk_ldap_user(self, args):
"""Create a new ldap user. Ask in the terminal for mandatory fields"""
if not args[ARG_NAME]:
name = input("Please enter the user's username: "******"Username {} already exists".format(name))
return
admin = input("Is this an administrator? [y/N] ")
pwd = random_password(20)
User.create(
name=name,
password=pwd,
email="STORED_IN_LDAP",
ldap=True,
administrator=(admin.lower() in ["true", "y", "yes"]),
)
print(MSG_USER_CREATED.format(name))
def test_dict():
user_name = uuid.uuid4().hex
email = uuid.uuid4().hex
password = uuid.uuid4().hex
administrator = True
groups = ['grp1']
notification_username = uuid.uuid4().hex
# Simple create
user = User.create(name=user_name,
email=email,
password=password,
administrator=administrator,
groups=groups)
user = User.find(user_name)
user_dict = user.to_dict()
assert user_dict['uuid'] == user.uuid
assert user_dict['administrator'] == True
user.delete()
def rm_user(request, name, uname):
"""Remove a user from a group"""
group = Group.find(name)
user = User.find(uname)
if not request.user.administrator:
raise PermissionDenied
if user and group:
removed, not_there, not_exist = group.rm_user(
uname, username=request.user.name)
if removed:
msg = "'{}' has been removed from the group '{}'".format(
uname, name)
elif not_there:
msg = "'{}' isn't in the group '{}'".format(uname, name)
elif not_exist:
msg = "'{}' doesn't exist".format(uname)
messages.add_message(request, messages.INFO, msg)
else:
raise Http404
return redirect("groups:view", name=name)
def delete_user(request, name):
"""Delete a user"""
user = User.find(name)
if not user:
raise Http404
if not request.user.administrator:
raise PermissionDenied
if request.method == "POST":
user.delete(username=request.user.name)
messages.add_message(
request, messages.INFO, "The user '{}' has been deleted".format(user.name)
)
return redirect("users:home")
# Requires delete on user
ctx = {
"user": user,
}
return render(request, "users/delete.html", ctx)
def edit_user(request, name):
"""Modify a user"""
# Requires edit on user
user = User.find(name)
if not user:
raise Http404()
if not request.user.administrator:
raise PermissionDenied
if request.method == "POST":
form = UserForm(request.POST)
if form.is_valid():
data = form.cleaned_data
user.update(
email=data["email"],
administrator=data["administrator"],
active=data["active"],
username=request.user.name,
)
if data["password"] != user.password:
user.update(password=data["password"], username=request.user.name)
return redirect("users:home")
else:
initial_data = {
"username": user.name,
"email": user.email,
"administrator": user.administrator,
"active": user.active,
"password": user.password,
}
form = UserForm(initial=initial_data)
ctx = {
"form": form,
"user": user,
}
return render(request, "users/edit.html", ctx)
def test_create_acl_fail(mocker):
list_read = ['grp1']
list_write = ['grp1']
user2 = User.find("user2")
# Create a new collection with a random name
coll_name = uuid.uuid4().hex + "/"
coll = Collection.create('/', coll_name)
mocker.patch('radon.model.collection.acemask_to_str',
return_value="wrong_oper")
coll.create_acl_list(list_read, list_write)
coll = Collection.find('/{}'.format(coll_name))
# Test get_acl_list wrong operation name
acl_list = coll.get_acl_list()
assert acl_list == ([], [])
coll.delete()
# Check authorized actions for root
coll = Collection.find("/")
mocker.patch.object(Collection, 'get_acl_dict', return_value=None)
assert coll.get_authorized_actions(user2) == set([])
def mk_user(self, args):
"""Create a new user. Ask in the terminal for mandatory fields"""
if not args[ARG_NAME]:
name = input("Please enter the user's username: "******"Username {} already exists".format(name))
return
admin = input("Is this an administrator? [y/N] ")
email = ""
while not email:
email = input("Please enter the user's email address: ")
pwd = ""
while not pwd:
pwd = getpass("Please enter the user's password: "******"true", "y", "yes"]),
)
print(MSG_USER_CREATED.format(name))
def test_create_acl():
list_read = ['grp1']
list_write = ['grp1']
user1 = User.find("user1")
user2 = User.find("user2")
# Create a new collection with a random name
coll_name = uuid.uuid4().hex + "/"
coll = Collection.create('/', coll_name)
# Test Read/Write ACL
coll.create_acl_list(list_read, list_write)
coll = Collection.find('/{}'.format(coll_name))
acl = coll.get_acl_dict()
assert acl['grp1'].acemask == 95
acl_list = coll.get_acl_list()
assert acl_list == (list_read, list_write)
assert coll.get_authorized_actions(user2) == {
'edit', 'write', 'delete', 'read'
}
cdmi_acl = coll.get_acl_metadata()
assert 'cdmi_acl' in cdmi_acl
# Test Read ACL
coll.create_acl_list(list_read, [])
coll = Collection.find('/{}'.format(coll_name))
acl = coll.get_acl_dict()
assert acl['grp1'].acemask == 9
acl_list = coll.get_acl_list()
assert acl_list == (list_read, [])
assert coll.get_authorized_actions(user2) == {'read'}
# Test Write ACL
coll.create_acl_list([], list_write)
coll = Collection.find('/{}'.format(coll_name))
acl = coll.get_acl_dict()
assert acl['grp1'].acemask == 86
acl_list = coll.get_acl_list()
assert acl_list == ([], list_write)
assert coll.get_authorized_actions(user2) == {'edit', 'write', 'delete'}
# # Test the ACL metadata returned as a dictionary
# acl = coll.get_acl_metadata()
# assert acl['cdmi_acl'][0]['acetype'] == "ALLOW"
# assert acl['cdmi_acl'][0]['identifier'] == "grp1"
# assert acl['cdmi_acl'][0]['aceflags'] == 'CONTAINER_INHERIT, OBJECT_INHERIT'
# assert acl['cdmi_acl'][0]['acemask'] == 'DELETE_SUBCONTAINER, WRITE_METADATA, ADD_SUBCONTAINER, ADD_OBJECT'
coll.delete()
# Check authorized actions for root
coll = Collection.find("/")
assert coll.get_authorized_actions(user1) == {
'edit', 'write', 'delete', 'read'
}
# Check the inheritance of the ACL
# (from a collection to its parents, root in this test)
coll = Collection.create('/', coll_name)
assert coll.get_authorized_actions(user2) == {'read'}
coll.delete()
def test_acl():
list_read = [GRP1_NAME]
list_write = [GRP1_NAME]
coll_name = uuid.uuid4().hex
coll = Collection.create('/', coll_name)
myFactory = Faker()
content = myFactory.text()
# Read/Write resource stored in Cassandra
do = DataObject.create(content.encode())
resc_name = uuid.uuid4().hex
resc = Resource.create(coll.path,
resc_name,
url="{}{}".format(cfg.protocol_cassandra, do.uuid))
resc.create_acl_list(list_read, list_write)
resc = Resource.find(resc.path)
assert resc.get_acl_dict()[GRP1_NAME].acemask == 95 # read/write
assert resc.get_authorized_actions(
User.find(USR2_NAME)) == {'delete', 'read', 'edit', 'write'}
read_access, write_access = resc.get_acl_list()
assert read_access == [GRP1_NAME]
assert write_access == [GRP1_NAME]
cdmi_acl = resc.get_acl_metadata()
assert 'cdmi_acl' in cdmi_acl
cdmi_acl = [{
'identifier': GRP1_NAME,
'acetype': 'ALLOW',
'aceflags': "INHERITED",
'acemask': "READ"
}]
resc.update_acl_cdmi(cdmi_acl)
resc.delete()
# Read resource stored in Cassandra
do = DataObject.create(content.encode())
resc_name = uuid.uuid4().hex
resc = Resource.create(coll.path,
resc_name,
url="{}{}".format(cfg.protocol_cassandra, do.uuid))
resc.create_acl_list(list_read, [])
resc = Resource.find(resc.path)
assert resc.get_acl_dict()[GRP1_NAME].acemask == 9 # read
assert resc.get_authorized_actions(User.find(USR2_NAME)) == {'read'}
read_access, write_access = resc.get_acl_list()
assert read_access == [GRP1_NAME]
assert write_access == []
resc.delete()
# Write resource stored in Cassandra
do = DataObject.create(content.encode())
resc_name = uuid.uuid4().hex
resc = Resource.create(coll.path,
resc_name,
url="{}{}".format(cfg.protocol_cassandra, do.uuid))
resc.create_acl_list([], list_write)
resc = Resource.find(resc.path)
assert resc.get_acl_dict()[GRP1_NAME].acemask == 86 # write
assert resc.get_authorized_actions(
User.find(USR2_NAME)) == {'edit', 'delete', 'write'}
read_access, write_access = resc.get_acl_list()
assert read_access == []
assert write_access == [GRP1_NAME]
resc.delete()
# Resource stored in Cassandra, acl inherited from root
do = DataObject.create(content.encode())
resc_name = uuid.uuid4().hex
resc = Resource.create(coll.path,
resc_name,
url="{}{}".format(cfg.protocol_cassandra, do.uuid))
assert resc.get_authorized_actions(User.find(USR2_NAME)) == {"read"}
resc.delete()
# Read/Write resource stored as a reference
resc_name = uuid.uuid4().hex
resc = Resource.create(coll.path, resc_name, url="http://www.google.fr")
resc.create_acl_list(list_read, list_write)
resc = Resource.find(resc.path)
assert resc.get_acl_dict()[GRP1_NAME].acemask == 95
assert resc.get_authorized_actions(
User.find(USR2_NAME)) == {'delete', 'read', 'edit', 'write'}
resc.delete()
coll.delete()