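def test_delete_role(acl):
    """Deleting a role removes it and every rule that names it.

    A control role ('nonspy') is configured alongside 'spy' so the test can
    also show that deleting 'spy' leaves unrelated roles and rules intact.
    """
    acl.add_role('nonspy')  # our control who should remain unaffected
    acl.allow('nonspy', 'view', 'news')
    acl.deny('nonspy', 'edit', 'news')

    acl.add_role('spy')
    acl.allow('spy', 'view', 'news')
    acl.deny('spy', 'edit', 'news')
    assert acl.is_allowed('spy', 'view', 'news')
    assert not acl.is_allowed('spy', 'edit', 'news')

    # oh no! we found a spy! remove them!
    acl.delete_role('spy')

    # As the role no longer exists, is_allowed() itself must raise.  The
    # call is deliberately NOT wrapped in `assert not ...`: inside
    # pytest.raises(AssertionError) that form is also satisfied by a plain
    # `True` return, i.e. by a role that was never deleted at all.
    with pytest.raises(AssertionError):
        acl.is_allowed('spy', 'view', 'news')
    with pytest.raises(AssertionError):
        acl.is_allowed('spy', 'edit', 'news')

    # as an extra check let's make sure we don't see any orphaned
    # rules for 'spy' in _allowed or _denied (rule[0] is the role)
    for rule_table in (acl._allowed, acl._denied):
        for rule in rule_table:
            assert rule[0] != 'spy'

    # nonspy should be unaffected by all this
    assert acl.is_allowed('nonspy', 'view', 'news')
    assert not acl.is_allowed('nonspy', 'edit', 'news')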
def test_remove_deny(acl): acl.add_role('spy') only_default_denied = dict(acl._denied) acl.deny('spy', 'view', 'news') denied_after_denying_spy = dict(acl._denied) assert only_default_denied != denied_after_denying_spy assert not acl.is_allowed('spy', 'view', 'news') acl.remove_deny('spy', 'view', 'news') denied_after_removing_deny_spy = dict(acl._denied) assert denied_after_removing_deny_spy == only_default_denied assert not acl.is_allowed('spy', 'view', 'news') # this should still not be allowed
def acl():
    """Return a Registry populated with a small role/resource graph.

    Roles: 'staff', with 'editor' and 'badguy' both inheriting from it.
    Resource: 'article'.
    Rules: staff may view, editor may additionally edit, and badguy carries a
    deny rule whose operation is ``None`` (presumably a wildcard for every
    operation — confirm against Registry.deny).
    """
    registry = rbac.acl.Registry()
    # self.denied_error = rbac.context.PermissionDenied

    # register roles and resources
    registry.add_role('staff')
    for child in ('editor', 'badguy'):
        registry.add_role(child, parents=['staff'])
    registry.add_resource('article')

    # add rules
    registry.allow('staff', 'view', 'article')
    registry.allow('editor', 'edit', 'article')
    registry.deny('badguy', None, 'article')
    return registry
def test_delete_role_with_child_roles_fails(acl):
    """A role that still has child roles cannot be deleted.

    'childspy' is registered with 'spy' as its parent, so delete_role('spy')
    is expected to raise AssertionError; the control role 'nonspy' must be
    untouched by the attempt.
    """
    def view_but_not_edit(role):
        """True when *role* may view but not edit 'news'."""
        return (acl.is_allowed(role, 'view', 'news')
                and not acl.is_allowed(role, 'edit', 'news'))

    acl.add_role('nonspy')  # our control who should remain unaffected
    acl.allow('nonspy', 'view', 'news')
    acl.deny('nonspy', 'edit', 'news')

    acl.add_role('spy')
    acl.add_role('childspy', ['spy'])  # should prevent deletion
    acl.allow('spy', 'view', 'news')
    acl.deny('spy', 'edit', 'news')
    assert view_but_not_edit('spy')

    # as it has a child role it should assert
    with pytest.raises(AssertionError):
        acl.delete_role('spy')

    # nonspy should be unaffected by all this
    assert view_but_not_edit('nonspy')
def test_deny(acl):
    """An allow on one role and a deny on another are both honoured.

    'writer' is expected to be allowed and 'editor' to be refused without
    any direct rule of their own — presumably through role inheritance set
    up by the fixture (not visible here; verify against the fixture).
    """
    # add allowed rule and denied rule
    acl.allow('actived_user', 'new', 'comment')
    acl.deny('manager', 'new', 'comment')

    # test allowed rules: each role individually, then the group helper
    granted = ['actived_user', 'writer']
    assert all(acl.is_allowed(r, 'new', 'comment') for r in granted)
    assert acl.is_any_allowed(granted, 'new', 'comment')

    # test denied rules: each role individually, then the group helper
    refused = ['manager', 'editor']
    assert not any(acl.is_allowed(r, 'new', 'comment') for r in refused)
    assert not acl.is_any_allowed(refused, 'new', 'comment')
def test_short_circuit_skip_deny(acl, context, evaluated_roles):
    """
    If no remaining role could grant access, don't bother checking
    """
    # record every role that acl.is_allowed() gets asked about
    acl.is_allowed = _FunctionProxy(acl.is_allowed, evaluated_roles)

    acl.add_resource('the dinosaurs')
    roles = ['tourist', 'scientist', 'intern']
    for name in roles:
        acl.add_role(name)
    context.set_roles_loader(lambda: roles)

    # 'intern' gets a deny; nobody holds any allow rule at this point
    acl.deny('intern', 'feed', 'the dinosaurs')
    context.has_permission('feed', 'the dinosaurs')
    # nothing could grant access, so no role was evaluated at all
    assert evaluated_roles == []

    # an (unrelated) allow makes 'scientist' no longer deny-only
    acl.allow('scientist', 'study', 'the dinosaurs')
    context.has_permission('feed', 'the dinosaurs')
    # only the still deny-only 'intern' is skipped this time
    assert evaluated_roles == ['tourist', 'scientist']
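def edit_role(user):
    """Interactively add one allow or deny rule to an existing role.

    Prompts for a role, a resource, an operation and whether to allow or
    deny it, applies the rule to the module-level ``acl`` and prints the
    role's permissions before and after.  Invalid role or resource names
    re-prompt by recursing (unbounded); typing ``x`` as the role name hands
    control to ``start_intracting(user)`` first.

    Args:
        user: the interactive user.  Only passed through to
            ``start_intracting``.  NOTE(review): nothing in this function
            checks that ``user`` is entitled to change ``role``'s rules —
            confirm the caller enforces that before exposing this menu.

    Returns:
        None.  Side effects: mutates ``acl``, reads stdin, writes stdout.
    """
    role = input("which role you want to edit ")
    if not acl.is_valid_role(role):
        print(f"{role} is not valid role")
        print(" Valid roles are: ", acl.get_all_roles())
        print(" Press X for restart: ")
        if role.lower() == "x":
            start_intracting(user)
        # re-prompt regardless of whether 'x' was typed
        edit_role(user)
        return

    allowed, denied = acl.get_role_permissions(role)
    print(
        f" Current permissions for {role} are: Allowed: {allowed}, Denied: {denied}"
    )
    print(f" All available resources are: {acl.get_all_resources()}")

    resource = input(" Enter resource name ")
    if not acl.is_valid_resource(resource):
        print(f" This {resource} is not a valid resource, you can try again")
        edit_role(user)
        return

    # the operation name is taken as typed; nothing here validates it
    operation = input(" Enter permission name like read, write or delete ")
    allow_or_deny = input(" Enter permission Type, Press 1 for Allow, 2 for deny ")
    if allow_or_deny == "1":
        acl.allow(role, operation, resource)
    elif allow_or_deny == "2":
        acl.deny(role, operation, resource)
    else:
        # was a plain literal, so "{allow_or_deny}" was printed verbatim
        print(f"Wrong input {allow_or_deny}")
        start_intracting(user)
    allowed, denied = acl.get_role_permissions(role)
    print(
        f" Updated permissions for {role} are: Allowed: {allowed}, Denied: {denied}"
    )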
# create access control list
acl = rbac.acl.Registry()

# add resources: 'senior-course' is a child of 'course'
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])

# add roles: 'student' and 'teacher' have 'member' as parent,
# 'junior-student' has 'student' as parent
acl.add_role("member")
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])

# set rules: allows sit on the parent roles, the single deny names the
# most specific role/resource pair
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")

# use acl to check permission: does 'student' reach 'view' through 'member'?
print("Students chould view courses."
      if acl.is_allowed("student", "view", "course")
      else "Students chould not view courses.")

# use acl to check permission again: does the deny win over the inherited allow?
print("Junior students chould learn senior courses."
      if acl.is_allowed("junior-student", "learn", "senior-course")
      else "Junior students chould not learn senior courses.")
# -*- coding: utf-8 -*- # __author__: musibii # __file__ : test1.py # __time__ : 2020/4/29 11:05 上午 import rbac.acl acl = rbac.acl.Registry() acl.add_role() acl.add_resource(acl) acl.allow() acl.deny() acl.is_allowed()
acl.add_resource("resource-2")

# set rules
# Admin has all permissions on both resources
acl.allow("admin", "read", "resource-1")
acl.allow("admin", "write", "resource-1")
acl.allow("admin", "delete", "resource-1")
acl.allow("admin", "read", "resource-2")
acl.allow("admin", "write", "resource-2")
acl.allow("admin", "delete", "resource-2")
# Developer has read and write permission but not delete (on resource-1).
# NOTE(review): no rule names 'developer' on resource-2 at all; whether that
# amounts to "denied" depends on the Registry's default for unmatched
# queries, which is not visible here — confirm.
acl.allow("developer", "read", "resource-1")
acl.allow("developer", "write", "resource-1")
acl.deny("developer", "delete", "resource-1")


# edit_role is cut off at the end of this chunk; its body continues beyond it.
def edit_role(user):
    role = input("which role you want to edit ")
    if acl.is_valid_role(role):
        allowed, denied = acl.get_role_permissions(role)
        print(
            f" Current permissions for {role} are: Allowed: {allowed}, Denied: {denied}"
        )
        print(f" All available resources are: {acl.get_all_resources()}")
        resource = input(" Enter resource name ")
        if acl.is_valid_resource(resource):
            operation = input(
                " Enter permission name like read, write or delete ")
            allow_or_deny = input(
# add roles: 'member' is the root; 'student' and 'teacher' list it as
# parent, and 'junior-student' lists 'student'
acl.add_role("member")
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])

# add resources: 'senior-course' lists 'course' as parent
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])

# set rules: three allows on the generic roles/resource, one deny on the
# most specific pair
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")

# use acl to check permission: is 'view' inherited from 'member'?
print("Students chould view courses."
      if acl.is_allowed("student", "view", "course")
      else "Students chould not view courses.")

# use acl to check permission again: does the deny beat the inherited allow?
print("Junior students chould learn senior courses."
      if acl.is_allowed("junior-student", "learn", "senior-course")
      else "Junior students chould not learn senior courses.")

########NEW FILE########
__FILENAME__ = context
# add resources first: 'senior-course' is registered under 'course'
acl.add_resource("course")
acl.add_resource("senior-course", ["course"])

# add roles: 'student' and 'teacher' under 'member', 'junior-student'
# under 'student'
acl.add_role("member")
acl.add_role("student", ["member"])
acl.add_role("teacher", ["member"])
acl.add_role("junior-student", ["student"])

# set rules
acl.allow("member", "view", "course")
acl.allow("student", "learn", "course")
acl.allow("teacher", "teach", "course")
acl.deny("junior-student", "learn", "senior-course")  # the only deny

# use acl to check permission
if acl.is_allowed("student", "view", "course"):
    print("Students chould view courses.")
else:
    print("Students chould not view courses.")

# use acl to check permission again
print("Junior students chould learn senior courses."
      if acl.is_allowed("junior-student", "learn", "senior-course")
      else "Junior students chould not learn senior courses.")

########NEW FILE########
__FILENAME__ = context
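def get(self, request, action, *args, **kwargs):
    """Handle a GET for one of the ACL demo actions named by ``action``.

    Recognised actions (anything else prints 'Command unknown.'):
      * ``generate-roles``     - register the role tree.
      * ``generate-resources`` - register 'noticia' plus one child resource
                                 per ``Noticia`` row.
      * ``generate-rules``     - add the allow/deny rules on 'noticia'.
      * ``test-onthefly``      - all three in order, then print whether
                                 'Auditors' may write 'noticia'.

    NOTE(review): the Registry is created here and dropped on return, so
    nothing these actions build persists or is enforced anywhere; and
    nothing visible in this method restricts who may invoke them - confirm
    the view's dispatcher does if this is ever routed to a real URL.

    Args:
        request: the incoming request, forwarded unchanged to the parent.
        action: action name, presumably taken from the URL - confirm.
        *args, **kwargs: forwarded to the parent ``get``.

    Returns:
        Whatever the parent class's ``get`` returns.
    """
    acl = rbac.acl.Registry()
    if action == 'generate-roles':
        self._generate_roles(acl)
    elif action == 'generate-resources':
        self._generate_resources(acl)
    elif action == 'generate-rules':
        # NOTE(review): on its own this adds rules for roles and resources
        # that this fresh registry never registered; if Registry validates
        # them, this branch raises.  Only 'test-onthefly' builds a
        # consistent registry.
        self._generate_rules(acl)
    elif action == 'test-onthefly':
        self._generate_roles(acl)
        self._generate_resources(acl)
        self._generate_rules(acl)
        if acl.is_allowed("Auditors", "write", "noticia"):
            print("Auditors can write noticia")
        else:
            print("Auditors can not write noticia")
    else:
        print('Command unknown.')
    # super() already binds self; passing it again shifted every positional
    # argument by one (self arrived as `request`, request as the next arg).
    return super(RoleManager, self).get(request, *args, **kwargs)

def _generate_roles(self, acl):
    """Register the demo role tree on *acl*, echoing each step to stdout.

    'Directors', 'Writers' and 'Auditors' list 'InternUsers' as parent;
    'ExternUsers' stands alone.
    """
    print('Generating roles...')
    acl.add_role("InternUsers")
    print("\t Added Role: InternUsers")
    for name in ("Directors", "Writers", "Auditors"):
        acl.add_role(name, ["InternUsers"])
        print("\t Added Role: %s" % name)
    acl.add_role("ExternUsers")
    print("\t Added Role: ExternUsers")
    print("\t\t[Done]")
    # TODO [POM] Add the created users to the roles as leaves of the tree

def _generate_resources(self, acl):
    """Register 'noticia' and one child resource per Noticia row on *acl*.

    NOTE(review): the child name is 'noticia-' + the row's title verbatim,
    so two rows with the same title map to the same resource name; how
    Registry treats a repeated add_resource is not visible here - consider
    keying on the row's primary key instead.
    """
    print('Generating resources...')
    acl.add_resource("noticia")
    print("\t Added Resource: Noticia")
    for noticia in Noticia.objects.all():
        acl.add_resource("noticia-" + noticia.title, ["noticia"])
        print("\t Added Resource: noticia-%s" % noticia.title)
    print("\t\t[Done]")

def _generate_rules(self, acl):
    """Add the allow/deny rules on the 'noticia' resource to *acl*.

    InternUsers read; Writers write; Auditors update and delete; ExternUsers
    are explicitly denied write, update and delete.
    """
    print('Generating rules...')
    for role, operation in (("InternUsers", "read"),
                            ("Writers", "write"),
                            ("Auditors", "update"),
                            ("Auditors", "delete")):
        acl.allow(role, operation, "noticia")
        print("\t%s can %s noticia" % (role, operation))
    for operation in ("write", "update", "delete"):
        acl.deny("ExternUsers", operation, "noticia")
        print("\tExternUsers can not %s noticia" % operation)
    print("\t\t[Done]")
    # TODO [POM] Let users who share the same magazine share the same permission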