def test_user_can_view_locked_node(self):
    # Locking a deployed node must not take VIEW away from its owner.
    auth_backend = MAASAuthorizationBackend()
    node_owner = factory.make_User()
    locked_node = factory.make_Node(
        owner=node_owner, status=NODE_STATUS.DEPLOYED, locked=True)
    can_view = auth_backend.has_perm(
        node_owner, NODE_PERMISSION.VIEW, locked_node)
    self.assertTrue(can_view)
def test_user_can_view_FilesystemGroup_when_no_node_owner(self):
    # The node is created without an explicit owner; an unrelated user
    # is expected to be granted VIEW on its filesystem group.
    auth_backend = MAASAuthorizationBackend()
    viewer = factory.make_User()
    unowned_node = factory.make_Node()
    fs_group = factory.make_FilesystemGroup(node=unowned_node)
    can_view = auth_backend.has_perm(
        viewer, NODE_PERMISSION.VIEW, fs_group)
    self.assertTrue(can_view)
def test_user_has_no_admin_permission_on_node(self):
    # Negative authorization check: ADMIN on a node is reserved for
    # super users, so a freshly made ordinary user must be refused.
    auth_backend = MAASAuthorizationBackend()
    plain_user = factory.make_user()
    some_node = factory.make_node()
    is_admin = auth_backend.has_perm(
        plain_user, NODE_PERMISSION.ADMIN, some_node)
    self.assertFalse(is_admin)
def test_owned_status(self):
    # Ownership alone is enough for VIEW: the user checked here is the
    # owner recorded on the allocated node, not an administrator.
    auth_backend = MAASAuthorizationBackend()
    allocated = make_allocated_node()
    can_view = auth_backend.has_perm(
        allocated.owner, NODE_PERMISSION.VIEW, allocated)
    self.assertTrue(can_view)
def test_user_has_no_admin_permission_on_node(self):
    # Negative authorization check: NodePermission.admin on a node is
    # reserved for super users, so an ordinary user must be refused.
    auth_backend = MAASAuthorizationBackend()
    plain_user = factory.make_User()
    some_node = factory.make_Node()
    is_admin = auth_backend.has_perm(
        plain_user, NodePermission.admin, some_node)
    self.assertFalse(is_admin)
def test_user_cannot_edit_FilesystemGroup_when_not_node_owner(self):
    # The node belongs to a different user, so edit on its filesystem
    # group must be denied to the user under test.
    auth_backend = MAASAuthorizationBackend()
    outsider = factory.make_User()
    other_owner = factory.make_User()
    foreign_node = factory.make_Node(owner=other_owner)
    fs_group = factory.make_FilesystemGroup(node=foreign_node)
    can_edit = auth_backend.has_perm(
        outsider, NodePermission.edit, fs_group)
    self.assertFalse(can_edit)
def test_user_cannot_view_when_no_owner_rbac(self):
    # With RBAC enabled and nothing granted in the RBAC store, a user
    # must not be able to view an interface of a node made without an
    # explicit owner.
    self.enable_rbac()
    ungranted_user = factory.make_User()
    unowned_node = factory.make_Node()
    interface = factory.make_Interface(node=unowned_node)
    auth_backend = MAASAuthorizationBackend()
    can_view = auth_backend.has_perm(
        ungranted_user, NodePermission.view, interface)
    self.assertFalse(can_view)
def test_admin_cannot_admin_locked_nodes(self):
    # The lock flag is persisted before the check; even an admin user
    # is expected to be refused NodePermission.admin on a locked node.
    auth_backend = MAASAuthorizationBackend()
    locked_node = make_allocated_node()
    locked_node.locked = True
    locked_node.save()
    admin = factory.make_admin()
    is_admin = auth_backend.has_perm(
        admin, NodePermission.admin, locked_node)
    self.assertFalse(is_admin)
def test_user_can_lock_locked_node(self):
    # The owner keeps NodePermission.lock on a deployed node that is
    # already locked.
    auth_backend = MAASAuthorizationBackend()
    node_owner = factory.make_User()
    locked_node = factory.make_Node(
        owner=node_owner, status=NODE_STATUS.DEPLOYED, locked=True)
    can_lock = auth_backend.has_perm(
        node_owner, NodePermission.lock, locked_node)
    self.assertTrue(can_lock)
def test_admin_doesnt_have_admin_permission_with_rbac(self):
    # Once RBAC is enabled, an admin account with no RBAC grant must
    # not receive NodePermission.admin on a node's interface.
    self.enable_rbac()
    auth_backend = MAASAuthorizationBackend()
    admin = factory.make_admin()
    some_node = factory.make_Node()
    interface = factory.make_Interface(node=some_node)
    is_admin = auth_backend.has_perm(
        admin, NodePermission.admin, interface)
    self.assertFalse(is_admin)
def test_user_can_view_FilesystemGroup_when_node_owner(self):
    # Owning the node is expected to grant view on a filesystem group
    # attached to it.
    auth_backend = MAASAuthorizationBackend()
    node_owner = factory.make_User()
    owned_node = factory.make_Node(owner=node_owner)
    fs_group = factory.make_FilesystemGroup(node=owned_node)
    can_view = auth_backend.has_perm(
        node_owner, NodePermission.view, fs_group)
    self.assertTrue(can_view)
def test_admin_doesnt_have_admin_permission_on_BlockDevice_with_rbac(self):
    # Once RBAC is enabled, an admin account with no RBAC grant must
    # not receive NodePermission.admin on a node's block device.
    self.enable_rbac()
    auth_backend = MAASAuthorizationBackend()
    admin = factory.make_admin()
    some_node = factory.make_Node()
    block_device = factory.make_BlockDevice(node=some_node)
    is_admin = auth_backend.has_perm(
        admin, NodePermission.admin, block_device)
    self.assertFalse(is_admin)
def test_user_has_no_admin_permission_on_BlockDevice(self):
    # Negative authorization check: ADMIN on a block device is reserved
    # for super users, so an ordinary user must be refused.
    auth_backend = MAASAuthorizationBackend()
    plain_user = factory.make_User()
    block_device = factory.make_BlockDevice()
    is_admin = auth_backend.has_perm(
        plain_user, NODE_PERMISSION.ADMIN, block_device)
    self.assertFalse(is_admin)
def test_user_has_admin_permission_on_node_with_rbac(self):
    # Under RBAC, an ordinary user who is allowed 'admin-machines' on
    # the node's pool is expected to hold NodePermission.admin on it.
    self.enable_rbac()
    auth_backend = MAASAuthorizationBackend()
    pool_admin = factory.make_User()
    pooled_node = factory.make_Node()
    self.rbac_store.add_pool(pooled_node.pool)
    self.rbac_store.allow(
        pool_admin.username, pooled_node.pool, 'admin-machines')
    is_admin = auth_backend.has_perm(
        pool_admin, NodePermission.admin, pooled_node)
    self.assertTrue(is_admin)
def test_user_cannot_lock_node_rbac_owner_other_user(self):
    # A 'view' grant on the pool must not let a user lock a node that
    # another user owns.
    self.enable_rbac()
    viewer = factory.make_User()
    other_owner = factory.make_User()
    foreign_node = factory.make_Node(owner=other_owner)
    auth_backend = MAASAuthorizationBackend()
    self.rbac_store.add_pool(foreign_node.pool)
    self.rbac_store.allow(viewer.username, foreign_node.pool, 'view')
    can_lock = auth_backend.has_perm(
        viewer, NodePermission.lock, foreign_node)
    self.assertFalse(can_lock)
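def test_user_cannot_edit_node_rbac_if_locked(self):
    # A locked node must refuse edit even to a user holding the pool's
    # administrative role.
    self.enable_rbac()
    user = factory.make_User()
    node = factory.make_Node(locked=True)
    self.rbac_store.add_pool(node.pool)
    # The grant was spelled 'admin-machine'; every other RBAC test in
    # this file grants 'admin-machines'.  With the misspelled name the
    # denial asserted below may come from the user holding no usable
    # grant at all rather than from the lock, leaving the lock check
    # uncovered.
    # NOTE(review): confirm 'admin-machines' against the RBAC
    # permission list.
    self.rbac_store.allow(user.username, node.pool, 'admin-machines')
    backend = MAASAuthorizationBackend()
    self.assertFalse(backend.has_perm(user, NodePermission.edit, node))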
def test_user_can_edit_node_rbac_deploy_machines(self):
    # Under RBAC, 'deploy-machines' on the pool is expected to grant
    # edit on a node created without an explicit owner.
    self.enable_rbac()
    deployer = factory.make_User()
    pooled_node = factory.make_Node()
    self.rbac_store.add_pool(pooled_node.pool)
    self.rbac_store.allow(
        deployer.username, pooled_node.pool, 'deploy-machines')
    auth_backend = MAASAuthorizationBackend()
    can_edit = auth_backend.has_perm(
        deployer, NodePermission.edit, pooled_node)
    self.assertTrue(can_edit)
def test_user_can_view_unowned_node_rbac(self):
    # Under RBAC, 'view' on the pool is expected to grant view on a
    # node created without an explicit owner.
    self.enable_rbac()
    viewer = factory.make_User()
    pooled_node = factory.make_Node()
    self.rbac_store.add_pool(pooled_node.pool)
    self.rbac_store.allow(viewer.username, pooled_node.pool, 'view')
    auth_backend = MAASAuthorizationBackend()
    can_view = auth_backend.has_perm(
        viewer, NodePermission.view, pooled_node)
    self.assertTrue(can_view)
def test_admin_no_admin_permission_on_FilesystemGroup_with_rbac(self):
    # Once RBAC is enabled, an admin account with no RBAC grant must
    # not receive NodePermission.admin on a node's filesystem group.
    self.enable_rbac()
    auth_backend = MAASAuthorizationBackend()
    admin = factory.make_admin()
    some_node = factory.make_Node()
    fs_group = factory.make_FilesystemGroup(node=some_node)
    is_admin = auth_backend.has_perm(
        admin, NodePermission.admin, fs_group)
    self.assertFalse(is_admin)
def test_owner_can_edit_device_interface(self):
    # The user owns the device (not its parent node); edit on the
    # device's physical interface is expected to be granted.
    auth_backend = MAASAuthorizationBackend()
    device_owner = factory.make_User()
    parent_node = factory.make_Node()
    owned_device = factory.make_Device(
        owner=device_owner, parent=parent_node)
    nic = factory.make_Interface(
        INTERFACE_TYPE.PHYSICAL, node=owned_device)
    can_edit = auth_backend.has_perm(
        device_owner, NodePermission.edit, nic)
    self.assertTrue(can_edit)
def test_user_has_no_admin_permission_on_FilesystemGroup(self):
    # Negative authorization check: NodePermission.admin on a
    # filesystem group is reserved for super users, so an ordinary user
    # must be refused.
    auth_backend = MAASAuthorizationBackend()
    plain_user = factory.make_User()
    fs_group = factory.make_FilesystemGroup()
    is_admin = auth_backend.has_perm(
        plain_user, NodePermission.admin, fs_group)
    self.assertFalse(is_admin)
def test_user_cannot_view_FilesystemGroup_when_no_owner_rbac(self):
    # With RBAC enabled and nothing granted in the RBAC store, a user
    # must not be able to view a filesystem group of a node made
    # without an explicit owner.
    self.enable_rbac()
    ungranted_user = factory.make_User()
    unowned_node = factory.make_Node()
    fs_group = factory.make_FilesystemGroup(node=unowned_node)
    auth_backend = MAASAuthorizationBackend()
    can_view = auth_backend.has_perm(
        ungranted_user, NodePermission.view, fs_group)
    self.assertFalse(can_view)
def test_user_cannot_edit_BlockDevice_rbac_vith_view(self):
    # A read-only 'view' grant on the pool must not allow editing a
    # block device of a node in that pool.
    self.enable_rbac()
    viewer = factory.make_User()
    pooled_node = factory.make_Node()
    block_device = factory.make_BlockDevice(node=pooled_node)
    self.rbac_store.add_pool(pooled_node.pool)
    self.rbac_store.allow(viewer.username, pooled_node.pool, 'view')
    auth_backend = MAASAuthorizationBackend()
    can_edit = auth_backend.has_perm(
        viewer, NodePermission.edit, block_device)
    self.assertFalse(can_edit)
def test_user_cannot_edit_node_rbac_with_view_or_view_all(self):
    # Holding both read-only grants ('view' and 'view-all') on the pool
    # must still not allow editing the node.
    self.enable_rbac()
    viewer = factory.make_User()
    pooled_node = factory.make_Node()
    self.rbac_store.add_pool(pooled_node.pool)
    self.rbac_store.allow(viewer.username, pooled_node.pool, 'view')
    self.rbac_store.allow(viewer.username, pooled_node.pool, 'view-all')
    auth_backend = MAASAuthorizationBackend()
    can_edit = auth_backend.has_perm(
        viewer, NodePermission.edit, pooled_node)
    self.assertFalse(can_edit)
def test_user_can_edit_owned_rbac_with_admin(self):
    # The node is owned by someone else, but 'admin-machines' on its
    # pool is expected to grant edit on the node's interface.
    self.enable_rbac()
    pool_admin = factory.make_User()
    other_owner = factory.make_User()
    foreign_node = factory.make_Node(owner=other_owner)
    interface = factory.make_Interface(node=foreign_node)
    self.rbac_store.add_pool(foreign_node.pool)
    self.rbac_store.allow(
        pool_admin.username, foreign_node.pool, 'admin-machines')
    auth_backend = MAASAuthorizationBackend()
    can_edit = auth_backend.has_perm(
        pool_admin, NodePermission.edit, interface)
    self.assertTrue(can_edit)
def test_owner_cannot_edit_rbac_vith_view(self):
    # Under RBAC, owning the node is not enough: with only a 'view'
    # grant on the pool, edit on the node's interface must be denied.
    self.enable_rbac()
    node_owner = factory.make_User()
    owned_node = factory.make_Node(owner=node_owner)
    interface = factory.make_Interface(node=owned_node)
    self.rbac_store.add_pool(owned_node.pool)
    self.rbac_store.allow(node_owner.username, owned_node.pool, 'view')
    auth_backend = MAASAuthorizationBackend()
    can_edit = auth_backend.has_perm(
        node_owner, NodePermission.edit, interface)
    self.assertFalse(can_edit)
def test_user_can_lock_owned_node_rbac(self):
    # An owner holding both 'view' and 'deploy-machines' on the pool is
    # expected to be allowed to lock the node.
    self.enable_rbac()
    node_owner = factory.make_User()
    owned_node = factory.make_Node(owner=node_owner)
    auth_backend = MAASAuthorizationBackend()
    self.rbac_store.add_pool(owned_node.pool)
    self.rbac_store.allow(node_owner.username, owned_node.pool, 'view')
    self.rbac_store.allow(
        node_owner.username, owned_node.pool, 'deploy-machines')
    can_lock = auth_backend.has_perm(
        node_owner, NodePermission.lock, owned_node)
    self.assertTrue(can_lock)
def test_authenticate_external_user_denied(self):
    # A user created with is_local=False must not be authenticated by
    # this backend even when the correct password is supplied:
    # authenticate() is expected to return None.
    secret = factory.make_string()
    external_user = factory.make_User(password=secret, is_local=False)
    auth_backend = MAASAuthorizationBackend()
    fake_request = factory.make_fake_request('/')
    authenticated = auth_backend.authenticate(
        fake_request, username=external_user.username, password=secret)
    self.assertIsNone(authenticated)
def test_user_can_lock_BlockDevice_node_rbac_owner_other_user(self):
    # The node is owned by someone else, but 'admin-machines' on its
    # pool is expected to grant lock on the node's block device.
    self.enable_rbac()
    pool_admin = factory.make_User()
    other_owner = factory.make_User()
    foreign_node = factory.make_Node(owner=other_owner)
    block_device = factory.make_BlockDevice(node=foreign_node)
    auth_backend = MAASAuthorizationBackend()
    self.rbac_store.add_pool(foreign_node.pool)
    self.rbac_store.allow(
        pool_admin.username, foreign_node.pool, 'admin-machines')
    can_lock = auth_backend.has_perm(
        pool_admin, NodePermission.lock, block_device)
    self.assertTrue(can_lock)
def test_user_can_view_owned_by_another_node_when_admin_rbac(self):
    # With both 'view' and 'admin-machines' on the pool, a user is
    # expected to be able to view a node that another user owns.
    self.enable_rbac()
    pool_admin = factory.make_User()
    other_owner = factory.make_User()
    foreign_node = factory.make_Node(owner=other_owner)
    self.rbac_store.add_pool(foreign_node.pool)
    self.rbac_store.allow(
        pool_admin.username, foreign_node.pool, 'view')
    self.rbac_store.allow(
        pool_admin.username, foreign_node.pool, 'admin-machines')
    auth_backend = MAASAuthorizationBackend()
    can_view = auth_backend.has_perm(
        pool_admin, NodePermission.view, foreign_node)
    self.assertTrue(can_view)