def test_user_can_view_locked_node(self):
backend = MAASAuthorizationBackend()
owner = factory.make_User()
node = factory.make_Node(owner=owner,
status=NODE_STATUS.DEPLOYED,
locked=True)
self.assertTrue(backend.has_perm(owner, NODE_PERMISSION.VIEW, node))
def test_user_can_view_FilesystemGroup_when_no_node_owner(self):
backend = MAASAuthorizationBackend()
user = factory.make_User()
node = factory.make_Node()
filesystem_group = factory.make_FilesystemGroup(node=node)
self.assertTrue(
backend.has_perm(user, NODE_PERMISSION.VIEW, filesystem_group))
def test_user_has_no_admin_permission_on_node(self):
# NODE_PERMISSION.ADMIN permission on nodes is granted to super users
# only.
backend = MAASAuthorizationBackend()
user = factory.make_user()
self.assertFalse(
backend.has_perm(user, NODE_PERMISSION.ADMIN, factory.make_node()))
def test_owned_status(self):
# A non-admin user can access nodes he owns.
backend = MAASAuthorizationBackend()
node = make_allocated_node()
self.assertTrue(
backend.has_perm(
node.owner, NODE_PERMISSION.VIEW, node))
def test_user_has_no_admin_permission_on_node(self):
# NodePermission.admin permission on nodes is granted to super users
# only.
backend = MAASAuthorizationBackend()
user = factory.make_User()
self.assertFalse(
backend.has_perm(user, NodePermission.admin, factory.make_Node()))
def test_user_cannot_edit_FilesystemGroup_when_not_node_owner(self):
backend = MAASAuthorizationBackend()
user = factory.make_User()
node = factory.make_Node(owner=factory.make_User())
filesystem_group = factory.make_FilesystemGroup(node=node)
self.assertFalse(
backend.has_perm(user, NodePermission.edit, filesystem_group))
def test_user_cannot_view_when_no_owner_rbac(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node()
nic = factory.make_Interface(node=node)
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(user, NodePermission.view, nic))
def test_admin_cannot_admin_locked_nodes(self):
backend = MAASAuthorizationBackend()
node = make_allocated_node()
node.locked = True
node.save()
self.assertFalse(
backend.has_perm(factory.make_admin(), NodePermission.admin, node))
def test_user_can_lock_locked_node(self):
backend = MAASAuthorizationBackend()
owner = factory.make_User()
node = factory.make_Node(owner=owner,
status=NODE_STATUS.DEPLOYED,
locked=True)
self.assertTrue(backend.has_perm(owner, NodePermission.lock, node))
def test_admin_doesnt_have_admin_permission_with_rbac(self):
self.enable_rbac()
backend = MAASAuthorizationBackend()
user = factory.make_admin()
node = factory.make_Node()
nic = factory.make_Interface(node=node)
self.assertFalse(backend.has_perm(user, NodePermission.admin, nic))
def test_user_can_view_FilesystemGroup_when_node_owner(self):
backend = MAASAuthorizationBackend()
user = factory.make_User()
node = factory.make_Node(owner=user)
filesystem_group = factory.make_FilesystemGroup(node=node)
self.assertTrue(
backend.has_perm(user, NodePermission.view, filesystem_group))
def test_admin_doesnt_have_admin_permission_on_BlockDevice_with_rbac(self):
self.enable_rbac()
backend = MAASAuthorizationBackend()
user = factory.make_admin()
node = factory.make_Node()
device = factory.make_BlockDevice(node=node)
self.assertFalse(backend.has_perm(user, NodePermission.admin, device))
def test_user_has_no_admin_permission_on_BlockDevice(self):
# NODE_PERMISSION.ADMIN permission on block devices is granted to super
# user only.
backend = MAASAuthorizationBackend()
user = factory.make_User()
self.assertFalse(
backend.has_perm(user, NODE_PERMISSION.ADMIN,
factory.make_BlockDevice()))
def test_user_has_admin_permission_on_node_with_rbac(self):
self.enable_rbac()
backend = MAASAuthorizationBackend()
user = factory.make_User()
node = factory.make_Node()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'admin-machines')
self.assertTrue(backend.has_perm(user, NodePermission.admin, node))
def test_user_cannot_lock_node_rbac_owner_other_user(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(owner=factory.make_User())
backend = MAASAuthorizationBackend()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'view')
self.assertFalse(backend.has_perm(user, NodePermission.lock, node))
def test_user_cannot_edit_node_rbac_if_locked(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(locked=True)
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'admin-machine')
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(user, NodePermission.edit, node))
def test_user_can_edit_node_rbac_deploy_machines(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'deploy-machines')
backend = MAASAuthorizationBackend()
self.assertTrue(backend.has_perm(user, NodePermission.edit, node))
def test_user_can_view_unowned_node_rbac(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'view')
backend = MAASAuthorizationBackend()
self.assertTrue(backend.has_perm(user, NodePermission.view, node))
def test_admin_no_admin_permission_on_FilesystemGroup_with_rbac(self):
self.enable_rbac()
backend = MAASAuthorizationBackend()
user = factory.make_admin()
node = factory.make_Node()
filesystem_group = factory.make_FilesystemGroup(node=node)
self.assertFalse(
backend.has_perm(user, NodePermission.admin, filesystem_group))
def test_owner_can_edit_device_interface(self):
backend = MAASAuthorizationBackend()
user = factory.make_User()
parent = factory.make_Node()
device = factory.make_Device(owner=user, parent=parent)
interface = factory.make_Interface(INTERFACE_TYPE.PHYSICAL,
node=device)
self.assertTrue(backend.has_perm(user, NodePermission.edit, interface))
def test_user_has_no_admin_permission_on_FilesystemGroup(self):
# NodePermission.admin permission on block devices is granted to super
# user only.
backend = MAASAuthorizationBackend()
user = factory.make_User()
self.assertFalse(
backend.has_perm(user, NodePermission.admin,
factory.make_FilesystemGroup()))
def test_user_cannot_view_FilesystemGroup_when_no_owner_rbac(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node()
filesystem_group = factory.make_FilesystemGroup(node=node)
backend = MAASAuthorizationBackend()
self.assertFalse(
backend.has_perm(user, NodePermission.view, filesystem_group))
def test_user_cannot_edit_BlockDevice_rbac_vith_view(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node()
device = factory.make_BlockDevice(node=node)
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'view')
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(user, NodePermission.edit, device))
def test_user_cannot_edit_node_rbac_with_view_or_view_all(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'view')
self.rbac_store.allow(user.username, node.pool, 'view-all')
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(user, NodePermission.edit, node))
def test_user_can_edit_owned_rbac_with_admin(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(owner=factory.make_User())
nic = factory.make_Interface(node=node)
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'admin-machines')
backend = MAASAuthorizationBackend()
self.assertTrue(backend.has_perm(user, NodePermission.edit, nic))
def test_owner_cannot_edit_rbac_vith_view(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(owner=user)
nic = factory.make_Interface(node=node)
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'view')
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(user, NodePermission.edit, nic))
def test_user_can_lock_owned_node_rbac(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(owner=user)
backend = MAASAuthorizationBackend()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'view')
self.rbac_store.allow(user.username, node.pool, 'deploy-machines')
self.assertTrue(backend.has_perm(user, NodePermission.lock, node))
def test_authenticate_external_user_denied(self):
password = factory.make_string()
user = factory.make_User(password=password, is_local=False)
backend = MAASAuthorizationBackend()
request = factory.make_fake_request('/')
self.assertIsNone(
backend.authenticate(request,
username=user.username,
password=password))
def test_user_can_lock_BlockDevice_node_rbac_owner_other_user(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(owner=factory.make_User())
device = factory.make_BlockDevice(node=node)
backend = MAASAuthorizationBackend()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'admin-machines')
self.assertTrue(backend.has_perm(user, NodePermission.lock, device))
def test_user_can_view_owned_by_another_node_when_admin_rbac(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(owner=factory.make_User())
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'view')
self.rbac_store.allow(user.username, node.pool, 'admin-machines')
backend = MAASAuthorizationBackend()
self.assertTrue(backend.has_perm(user, NodePermission.view, node))
