Exemplo n.º 1
    def test_context_wired_properly(self):
        """Check that the auth context reaches every authorization callback.

        One ``AuthContext`` is handed first to an ``AuthorizerFunc`` and then
        to an ``ACLAuthorizer``. Each callback asserts that it can read the
        value stored under ``'a'`` and records that it ran. All callbacks
        deny; only the context plumbing is under test.
        """
        ctx = checkers.AuthContext({'a': 'aval'})
        # Callbacks flip these flags so the test can prove they were invoked.
        visited = {'f': False, 'allow': False, 'get_acl': False}

        def assert_ctx_intact(seen_ctx):
            # The value placed in the context above must survive the trip.
            self.assertEqual(seen_ctx.get('a'), 'aval')

        def f(ctx, identity, op):
            assert_ctx_intact(ctx)
            visited['f'] = True
            return False, None

        func_authorizer = bakery.AuthorizerFunc(f)
        func_authorizer.authorize(ctx, bakery.SimpleIdentity('bob'), ['op1'])
        self.assertTrue(visited['f'])

        class TestIdentity(SimplestIdentity, bakery.ACLIdentity):
            # The first parameter is called ``other`` so that ``self`` keeps
            # referring to the enclosing test case inside the method.
            def allow(other, ctx, acls):
                assert_ctx_intact(ctx)
                visited['allow'] = True
                return False

        def get_acl(ctx, acl):
            assert_ctx_intact(ctx)
            visited['get_acl'] = True
            return []

        acl_authorizer = bakery.ACLAuthorizer(
            allow_public=False,
            get_acl=get_acl,
        )
        acl_authorizer.authorize(ctx, TestIdentity('bob'), ['op1'])
        self.assertTrue(visited['get_acl'])
        self.assertTrue(visited['allow'])
Exemplo n.º 2
 def _setup_bakery(self, auth_endpoint, request):
     """Build the ``bakery.Bakery`` used to mint and check macaroons.

     ``auth_endpoint`` is the URL handed to the identity client, and
     ``request`` supplies the absolute root URI used as the bakery
     location.
     """
     oven_key = _get_macaroon_oven_key()
     key_store = KeyStore(MACAROON_LIFESPAN)
     root_uri = request.build_absolute_uri('/')

     # Insecure third-party lookups are enabled whenever the endpoint does
     # not start with the literal, case-sensitive prefix 'https:'.
     # NOTE(review): with a plain-HTTP endpoint the third-party lookup is
     # presumably not protected by TLS; confirm that this is limited to
     # development or test deployments.
     endpoint_is_https = auth_endpoint.startswith('https:')
     locator = httpbakery.ThirdPartyLocator(
         allow_insecure=not endpoint_is_https)

     id_client = IDClient(auth_endpoint)

     def everyone_acl(ctx, op):
         # Every operation gets the same ACL: the EVERYONE group.
         # NOTE(review): authorization then presumably reduces to "any
         # identity the identity client accepts"; confirm that
         # finer-grained permission checks happen elsewhere.
         return [bakery.EVERYONE]

     return bakery.Bakery(
         key=oven_key,
         root_key_store=key_store,
         location=root_uri,
         locator=locator,
         identity_client=id_client,
         authorizer=bakery.ACLAuthorizer(get_acl=everyone_acl))
Exemplo n.º 3
 def test_acl_authorizer(self):
     """Table-driven check of ``ACLAuthorizer`` decisions.

     Each row is ``(description, authorizer, identity, ops, expected)``.
     The authorizer must return ``expected`` as its per-operation verdicts
     and must not return any caveats.
     """
     ctx = checkers.AuthContext()

     def op(name):
         # Operation whose entity and action are both ``name``.
         return bakery.Op(entity=name, action=name)

     def fixed_acl(acl):
         # ACL callback that ignores its arguments; a fresh list per call.
         return lambda x, y: list(acl)

     def everyone_on_a(fallback):
         # EVERYONE for entity 'a'; ``fallback`` for every other entity.
         def get_acl(ctx, op):
             if op.entity == 'a':
                 return [bakery.EVERYONE]
             return list(fallback)
         return get_acl

     tests = [
         ('no ops, no problem',
          bakery.ACLAuthorizer(allow_public=True, get_acl=fixed_acl([])),
          None, [], []),
         ('identity that does not implement ACLIdentity; '
          'user should be denied except for everyone group',
          bakery.ACLAuthorizer(
              allow_public=True, get_acl=everyone_on_a(['alice'])),
          SimplestIdentity('bob'), [op('a'), op('b')], [True, False]),
         # Listing 'bob' in the ACL does not help here: the expected
         # verdict for entity 'b' is still a denial for this identity.
         ('identity that does not implement ACLIdentity with user == Id; '
          'user should be denied except for everyone group',
          bakery.ACLAuthorizer(
              allow_public=True, get_acl=everyone_on_a(['bob'])),
          SimplestIdentity('bob'), [op('a'), op('b')], [True, False]),
         ('permission denied for everyone without AllowPublic',
          bakery.ACLAuthorizer(
              allow_public=False, get_acl=fixed_acl([bakery.EVERYONE])),
          SimplestIdentity('bob'), [op('a')], [False]),
         ('permission granted to anyone with no identity with AllowPublic',
          bakery.ACLAuthorizer(
              allow_public=True, get_acl=fixed_acl([bakery.EVERYONE])),
          None, [op('a')], [True]),
     ]
     for _about, authorizer, identity, ops, expected in tests:
         allowed, caveats = authorizer.authorize(ctx, identity, ops)
         self.assertEqual(len(caveats), 0)
         self.assertEqual(allowed, expected)
Exemplo n.º 4
def _get_bakery(request):
    """Build the ``bakery.Bakery`` for the external auth service of *request*.

    The endpoint URL and the domain are read from
    ``request.external_auth_info``; the bakery location is the absolute
    root URI of the request.
    """
    auth_info = request.external_auth_info
    auth_endpoint = auth_info.url
    auth_domain = auth_info.domain

    oven_key = _get_macaroon_oven_key()
    key_store = KeyStore(MACAROON_LIFESPAN)
    root_uri = request.build_absolute_uri("/")

    # Insecure third-party lookups are enabled whenever the endpoint does
    # not start with the literal, case-sensitive prefix "https:".
    # NOTE(review): with a plain-HTTP endpoint the third-party lookup is
    # presumably not protected by TLS; confirm that this is limited to
    # development or test deployments.
    endpoint_is_https = auth_endpoint.startswith("https:")
    locator = httpbakery.ThirdPartyLocator(
        allow_insecure=not endpoint_is_https)

    id_client = _IDClient(auth_endpoint, auth_domain=auth_domain)

    def everyone_acl(ctx, op):
        # Every operation gets the same ACL: the EVERYONE group.
        # NOTE(review): authorization then presumably reduces to "any
        # identity the identity client accepts"; confirm that
        # finer-grained permission checks happen elsewhere.
        return [bakery.EVERYONE]

    return bakery.Bakery(
        key=oven_key,
        root_key_store=key_store,
        location=root_uri,
        locator=locator,
        identity_client=id_client,
        authorizer=bakery.ACLAuthorizer(get_acl=everyone_acl),
    )
Exemplo n.º 5
 def authorize(self, ctx, id, ops):
     """Authorize *ops* for *id* using the ACLs held in ``self._auth``.

     A fresh ``bakery.ACLAuthorizer`` is built on every call and its
     ``authorize`` result is returned unchanged.
     """
     def lookup_acl(ctx, op):
         # Operations with no entry in ``self._auth`` get an empty ACL.
         return self._auth.get(op, [])

     # NOTE(review): allow_public=True presumably lets an ACL containing
     # the EVERYONE group grant access without an authenticated identity;
     # confirm that no sensitive operation carries such an ACL.
     acl_authorizer = bakery.ACLAuthorizer(
         allow_public=True,
         get_acl=lookup_acl)
     return acl_authorizer.authorize(ctx, id, ops)