def test_edit_requires_admin(self):
backend = MAASAuthorizationBackend()
pool = factory.make_ResourcePool()
user = factory.make_User()
admin = factory.make_admin()
self.assertFalse(
backend.has_perm(user, ResourcePoolPermission.edit, pool))
self.assertTrue(
backend.has_perm(admin, ResourcePoolPermission.edit, pool))
def test_view_always_viewable(self):
backend = MAASAuthorizationBackend()
pool = factory.make_ResourcePool()
user = factory.make_User()
admin = factory.make_admin()
self.assertTrue(
backend.has_perm(user, ResourcePoolPermission.view, pool))
self.assertTrue(
backend.has_perm(admin, ResourcePoolPermission.view, pool))
def test_unowned_interface_requires_admin(self):
backend = MAASAuthorizationBackend()
interface = factory.make_Interface(INTERFACE_TYPE.UNKNOWN)
admin = factory.make_admin()
user = factory.make_User()
for perm in [
NodePermission.view, NodePermission.edit, NodePermission.admin
]:
self.assertTrue(backend.has_perm(admin, perm, interface))
self.assertFalse(backend.has_perm(user, perm, interface))
def test_create_requires_rbac_edit_all_resources(self):
self.enable_rbac()
backend = MAASAuthorizationBackend()
pool = factory.make_ResourcePool()
self.rbac_store.add_pool(pool)
user1 = factory.make_User()
self.rbac_store.allow(user1.username, pool, 'edit')
user2 = factory.make_User()
self.rbac_store.allow(user2.username, ALL_RESOURCES, 'edit')
self.assertFalse(backend.has_perm(user1,
ResourcePoolPermission.create))
self.assertTrue(backend.has_perm(user2, ResourcePoolPermission.create))
def test_view_rbac_viewable(self):
self.enable_rbac()
backend = MAASAuthorizationBackend()
pool1 = factory.make_ResourcePool()
pool2 = factory.make_ResourcePool()
self.rbac_store.add_pool(pool1)
self.rbac_store.add_pool(pool2)
user = factory.make_User()
self.rbac_store.allow(user.username, pool2, 'view')
self.assertFalse(
backend.has_perm(user, ResourcePoolPermission.view, pool1))
self.assertTrue(
backend.has_perm(user, ResourcePoolPermission.view, pool2))
def test_owned_status(self):
# A non-admin user can access nodes he owns.
backend = MAASAuthorizationBackend()
node = make_allocated_node()
self.assertTrue(
backend.has_perm(
node.owner, NODE_PERMISSION.VIEW, node))
def test_admin_cannot_admin_locked_nodes(self):
backend = MAASAuthorizationBackend()
node = make_allocated_node()
node.locked = True
node.save()
self.assertFalse(
backend.has_perm(factory.make_admin(), NodePermission.admin, node))
def test_user_has_no_admin_permission_on_node(self):
# NODE_PERMISSION.ADMIN permission on nodes is granted to super users
# only.
backend = MAASAuthorizationBackend()
user = factory.make_user()
self.assertFalse(
backend.has_perm(user, NODE_PERMISSION.ADMIN, factory.make_node()))
def test_user_has_no_admin_permission_on_node(self):
# NodePermission.admin permission on nodes is granted to super users
# only.
backend = MAASAuthorizationBackend()
user = factory.make_User()
self.assertFalse(
backend.has_perm(user, NodePermission.admin, factory.make_Node()))
def test_user_can_view_FilesystemGroup_when_no_node_owner(self):
backend = MAASAuthorizationBackend()
user = factory.make_User()
node = factory.make_Node()
filesystem_group = factory.make_FilesystemGroup(node=node)
self.assertTrue(
backend.has_perm(user, NODE_PERMISSION.VIEW, filesystem_group))
def test_user_can_lock_locked_node(self):
backend = MAASAuthorizationBackend()
owner = factory.make_User()
node = factory.make_Node(owner=owner,
status=NODE_STATUS.DEPLOYED,
locked=True)
self.assertTrue(backend.has_perm(owner, NodePermission.lock, node))
def test_user_cannot_view_when_no_owner_rbac(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node()
nic = factory.make_Interface(node=node)
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(user, NodePermission.view, nic))
def test_user_can_view_FilesystemGroup_when_node_owner(self):
backend = MAASAuthorizationBackend()
user = factory.make_User()
node = factory.make_Node(owner=user)
filesystem_group = factory.make_FilesystemGroup(node=node)
self.assertTrue(
backend.has_perm(user, NodePermission.view, filesystem_group))
def test_user_cannot_edit_FilesystemGroup_when_not_node_owner(self):
backend = MAASAuthorizationBackend()
user = factory.make_User()
node = factory.make_Node(owner=factory.make_User())
filesystem_group = factory.make_FilesystemGroup(node=node)
self.assertFalse(
backend.has_perm(user, NodePermission.edit, filesystem_group))
def test_admin_doesnt_have_admin_permission_with_rbac(self):
self.enable_rbac()
backend = MAASAuthorizationBackend()
user = factory.make_admin()
node = factory.make_Node()
nic = factory.make_Interface(node=node)
self.assertFalse(backend.has_perm(user, NodePermission.admin, nic))
def test_user_can_view_locked_node(self):
backend = MAASAuthorizationBackend()
owner = factory.make_User()
node = factory.make_Node(owner=owner,
status=NODE_STATUS.DEPLOYED,
locked=True)
self.assertTrue(backend.has_perm(owner, NODE_PERMISSION.VIEW, node))
def test_admin_doesnt_have_admin_permission_on_BlockDevice_with_rbac(self):
self.enable_rbac()
backend = MAASAuthorizationBackend()
user = factory.make_admin()
node = factory.make_Node()
device = factory.make_BlockDevice(node=node)
self.assertFalse(backend.has_perm(user, NodePermission.admin, device))
def test_owned_status(self):
# A non-admin user can access nodes he owns.
backend = MAASAuthorizationBackend()
node = make_allocated_node()
self.assertTrue(
backend.has_perm(
node.owner, NODE_PERMISSION.VIEW, node))
def test_user_cannot_lock_node_rbac_owner_other_user(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(owner=factory.make_User())
backend = MAASAuthorizationBackend()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'view')
self.assertFalse(backend.has_perm(user, NodePermission.lock, node))
def test_user_cannot_edit_node_rbac_if_locked(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(locked=True)
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'admin-machine')
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(user, NodePermission.edit, node))
def test_user_can_edit_node_rbac_deploy_machines(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'deploy-machines')
backend = MAASAuthorizationBackend()
self.assertTrue(backend.has_perm(user, NodePermission.edit, node))
def test_user_can_view_unowned_node_rbac(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'view')
backend = MAASAuthorizationBackend()
self.assertTrue(backend.has_perm(user, NodePermission.view, node))
def test_user_has_no_admin_permission_on_node(self):
# NODE_PERMISSION.ADMIN permission on nodes is granted to super users
# only.
backend = MAASAuthorizationBackend()
user = factory.make_user()
self.assertFalse(
backend.has_perm(
user, NODE_PERMISSION.ADMIN, factory.make_node()))
def test_user_has_admin_permission_on_node_with_rbac(self):
self.enable_rbac()
backend = MAASAuthorizationBackend()
user = factory.make_User()
node = factory.make_Node()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'admin-machines')
self.assertTrue(backend.has_perm(user, NodePermission.admin, node))
def test_owner_can_edit_device_interface(self):
backend = MAASAuthorizationBackend()
user = factory.make_User()
parent = factory.make_Node()
device = factory.make_Device(owner=user, parent=parent)
interface = factory.make_Interface(INTERFACE_TYPE.PHYSICAL,
node=device)
self.assertTrue(backend.has_perm(user, NodePermission.edit, interface))
def test_user_has_no_admin_permission_on_BlockDevice(self):
# NODE_PERMISSION.ADMIN permission on block devices is granted to super
# user only.
backend = MAASAuthorizationBackend()
user = factory.make_User()
self.assertFalse(
backend.has_perm(user, NODE_PERMISSION.ADMIN,
factory.make_BlockDevice()))
def test_admin_no_admin_permission_on_FilesystemGroup_with_rbac(self):
self.enable_rbac()
backend = MAASAuthorizationBackend()
user = factory.make_admin()
node = factory.make_Node()
filesystem_group = factory.make_FilesystemGroup(node=node)
self.assertFalse(
backend.has_perm(user, NodePermission.admin, filesystem_group))
def test_user_has_no_admin_permission_on_FilesystemGroup(self):
# NodePermission.admin permission on block devices is granted to super
# user only.
backend = MAASAuthorizationBackend()
user = factory.make_User()
self.assertFalse(
backend.has_perm(user, NodePermission.admin,
factory.make_FilesystemGroup()))
def test_user_cannot_view_FilesystemGroup_when_no_owner_rbac(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node()
filesystem_group = factory.make_FilesystemGroup(node=node)
backend = MAASAuthorizationBackend()
self.assertFalse(
backend.has_perm(user, NodePermission.view, filesystem_group))
def test_user_can_edit_owned_rbac_with_admin(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(owner=factory.make_User())
nic = factory.make_Interface(node=node)
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'admin-machines')
backend = MAASAuthorizationBackend()
self.assertTrue(backend.has_perm(user, NodePermission.edit, nic))
def test_owner_cannot_edit_rbac_vith_view(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(owner=user)
nic = factory.make_Interface(node=node)
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'view')
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(user, NodePermission.edit, nic))
def test_user_can_lock_BlockDevice_node_rbac_owner_other_user(self):
self.enable_rbac()
user = factory.make_User()
node = factory.make_Node(owner=factory.make_User())
device = factory.make_BlockDevice(node=node)
backend = MAASAuthorizationBackend()
self.rbac_store.add_pool(node.pool)
self.rbac_store.allow(user.username, node.pool, 'admin-machines')
self.assertTrue(backend.has_perm(user, NodePermission.lock, device))
def test_user_can_access_unowned_node(self):
backend = MAASAuthorizationBackend()
self.assertTrue(backend.has_perm(
factory.make_user(), NODE_PERMISSION.VIEW,
make_unallocated_node()))
def test_node_init_user_cannot_access(self):
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(
get_node_init_user(), NODE_PERMISSION.VIEW,
make_unallocated_node()))
def test_user_cannot_edit_unowned_node(self):
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(
factory.make_user(), NODE_PERMISSION.EDIT,
make_unallocated_node()))
def test_user_can_edit_his_own_nodes(self):
backend = MAASAuthorizationBackend()
user = factory.make_user()
self.assertTrue(backend.has_perm(
user, NODE_PERMISSION.EDIT, make_allocated_node(owner=user)))
def test_user_cannot_access_nodes_owned_by_others(self):
backend = MAASAuthorizationBackend()
self.assertFalse(backend.has_perm(
factory.make_user(), NODE_PERMISSION.VIEW, make_allocated_node()))
