def test_provider_hierarchy(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Parametrize role with provider related objects
"""
cluster, service, component, provider, host = as_user_objects(
user_sdk, *prepare_objects)
policy = create_policy(sdk_client_fs,
PROVIDER_VIEW_CONFIG_ROLES,
objects=[provider],
users=[user],
groups=[])
is_allowed(provider, BusinessRoles.ViewProviderConfigurations)
is_allowed(host, BusinessRoles.ViewHostConfigurations)
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_denied(service, BusinessRoles.ViewServiceConfigurations)
is_denied(component, BusinessRoles.ViewComponentConfigurations)
delete_policy(policy)
create_policy(sdk_client_fs,
PROVIDER_VIEW_CONFIG_ROLES,
objects=[host],
users=[user],
groups=[])
is_denied(provider, BusinessRoles.ViewProviderConfigurations)
is_allowed(host, BusinessRoles.ViewHostConfigurations)
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_denied(service, BusinessRoles.ViewServiceConfigurations)
is_denied(component, BusinessRoles.ViewComponentConfigurations)
def test_change_child_role(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Test that user loses access if change policy role
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
policy = create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[user],
groups=[])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step(
"Change role from 'View configuration' to 'View imports'"):
role = sdk_client_fs.role_create(
name="Another role",
display_name="Another role",
child=[{
"id":
sdk_client_fs.role(
name=BusinessRoles.ViewImports.value.role_name).id
}],
)
policy.update(role={"id": role.id})
is_allowed(cluster, BusinessRoles.ViewImports)
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
def test_remove_user_from_group(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Test that user loses access if user removed from group with policy
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
group = sdk_client_fs.group_create("test_group", user=[{"id": user.id}])
create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[],
groups=[group])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step("Remove user from group"):
group.update(user=[])
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
def test_lower_cluster_hierarchy(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Test that cluster role can be applied to lower cluster objects - services and components
"""
cluster, service, component, provider, host = as_user_objects(
user_sdk, *prepare_objects)
policy = create_policy(sdk_client_fs,
CLUSTER_VIEW_CONFIG_ROLES,
objects=[cluster],
users=[user],
groups=[])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
is_allowed(service, BusinessRoles.ViewServiceConfigurations)
is_allowed(component, BusinessRoles.ViewComponentConfigurations)
is_denied(provider, BusinessRoles.ViewProviderConfigurations)
is_denied(host, BusinessRoles.ViewHostConfigurations)
delete_policy(policy)
policy = create_policy(sdk_client_fs,
CLUSTER_VIEW_CONFIG_ROLES,
objects=[service],
users=[user],
groups=[])
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_allowed(service, BusinessRoles.ViewServiceConfigurations)
is_allowed(component, BusinessRoles.ViewComponentConfigurations)
is_denied(provider, BusinessRoles.ViewProviderConfigurations)
is_denied(host, BusinessRoles.ViewHostConfigurations)
delete_policy(policy)
create_policy(sdk_client_fs,
CLUSTER_VIEW_CONFIG_ROLES,
objects=[component],
users=[user],
groups=[])
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_denied(service, BusinessRoles.ViewServiceConfigurations)
is_allowed(component, BusinessRoles.ViewComponentConfigurations)
is_denied(provider, BusinessRoles.ViewProviderConfigurations)
is_denied(host, BusinessRoles.ViewHostConfigurations)
def test_remove_policy_but_exists_same_policy(user_sdk: ADCMClient, user,
prepare_objects, sdk_client_fs):
"""
Test that user is still have access if removed policy, but we still have another policy with the same rights
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[user],
groups=[])
second_policy = create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[user],
groups=[])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step("Remove second policy"):
second_policy.delete()
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
def test_remove_user_from_policy(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Test that user loses access if user removed from policy user list
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
policy = create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[user],
groups=[])
is_allowed(cluster, BusinessRoles.ViewComponentConfigurations)
with allure.step("Remove user from policy"):
policy.update(user=[{"id": sdk_client_fs.user(username="******").id}])
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
def test_remove_cluster(user_policy, user_sdk: ADCMClient, prepare_objects,
second_objects, sdk_client_fs, user):
"""Test that Remove cluster role is ok"""
cluster, *_ = as_user_objects(user_sdk, *prepare_objects)
second_cluster, *_ = as_user_objects(user_sdk, *second_objects)
is_denied(cluster.bundle(), BR.CreateCluster)
is_allowed(cluster, BR.RemoveCluster)
is_denied(second_cluster, BR.RemoveCluster)
new_policy = create_policy(sdk_client_fs,
BR.RemoveCluster,
objects=[second_cluster],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_cluster, BR.RemoveCluster)
def test_remove_hosts(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects, sdk_client_fs, user):
"""Test that Remove hosts role is ok"""
*_, host = as_user_objects(user_sdk, *prepare_objects)
*_, second_host = as_user_objects(user_sdk, *second_objects)
is_allowed(host, BR.RemoveHosts)
is_denied(second_host, BR.RemoveHosts)
with allure.step("Assert that policy is valid after object removing"):
user_policy.reread()
new_policy = create_policy(sdk_client_fs,
BR.RemoveHosts,
objects=[second_host],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_host, BR.RemoveHosts)
def test_remove_user_from_policy_but_still_in_group(user_sdk: ADCMClient, user,
prepare_objects,
sdk_client_fs):
"""
Test that user is still have access if user removed from policy but is in group
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
group = sdk_client_fs.group_create("test_group", user=[{"id": user.id}])
policy = create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[user],
groups=[group])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step("Remove user from policy"):
policy.update(user=[{"id": sdk_client_fs.user(username="******").id}])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
def test_upgrade_application_bundle(user_policy, user_sdk: ADCMClient,
prepare_objects, sdk_client_fs, user):
"""Test that Upgrade application bundle role is ok"""
cluster, *_, provider, _ = as_user_objects(user_sdk, *prepare_objects)
cluster_via_admin, *_ = prepare_objects
second_cluster = user_sdk.cluster(
id=cluster_via_admin.bundle().cluster_create(name="Second cluster").id)
is_allowed(cluster, BR.UpgradeClusterBundle)
is_denied(provider, BR.UpgradeClusterBundle)
is_denied(second_cluster, BR.UpgradeClusterBundle)
new_policy = create_policy(sdk_client_fs,
BR.UpgradeClusterBundle,
objects=[second_cluster],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_cluster, BR.UpgradeClusterBundle)
def test_remove_another_object_from_policy(user_sdk: ADCMClient, user,
prepare_objects, sdk_client_fs):
"""
Test that user is still have access if object removed from policy but exists high-level object
"""
cluster_via_admin, service_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
service = user_sdk.service(id=service_via_admin.id)
policy = create_policy(sdk_client_fs,
CLUSTER_VIEW_CONFIG_ROLES,
objects=[cluster, service],
users=[user],
groups=[])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
is_allowed(service, BusinessRoles.ViewServiceConfigurations)
with allure.step("Remove object from policy"):
policy.update(object=[{"id": cluster.id, "type": "cluster"}])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
is_allowed(service, BusinessRoles.ViewServiceConfigurations)
def test_remove_provider(user_policy, user_sdk: ADCMClient, prepare_objects,
second_objects, sdk_client_fs, user):
"""Test that Remove provider role is ok"""
*_, provider, host = as_user_objects(user_sdk, *prepare_objects)
*_, host_via_admin = prepare_objects
*_, second_provider, _ = as_user_objects(user_sdk, *second_objects)
*_, second_host_via_admin = second_objects
is_denied(host, BR.RemoveHosts)
host_via_admin.delete()
second_host_via_admin.delete()
is_allowed(provider, BR.RemoveHostProvider)
is_denied(second_provider, BR.RemoveHostProvider)
new_policy = create_policy(sdk_client_fs,
BR.RemoveHostProvider,
objects=[second_provider],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_provider, BR.RemoveHostProvider)
def test_remove_object_from_policy(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Test that user loses access if object changed from policy
"""
cluster_via_admin, service_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
service = user_sdk.service(id=service_via_admin.id)
policy = create_policy(
sdk_client_fs,
[
BusinessRoles.ViewClusterConfigurations,
BusinessRoles.ViewServiceConfigurations
],
objects=[cluster],
users=[user],
groups=[],
)
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step("Change policy object from cluster to service"):
policy.update(object=[{"id": service_via_admin.id, "type": "service"}])
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_allowed(service, BusinessRoles.ViewClusterConfigurations)
def test_remove_group_with_user_but_still_in_another_group(
user_sdk: ADCMClient, user, prepare_objects, sdk_client_fs):
"""
Test that user is still have access if removed group with user but user is in another group
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
group = sdk_client_fs.group_create("test_group", user=[{"id": user.id}])
another_group = sdk_client_fs.group_create("another_group",
user=[{
"id": user.id
}])
policy = create_policy(
sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[],
groups=[group, another_group],
)
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step("Remove user from group"):
policy.update(group=[{"id": another_group.id}])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)