def test_get_statements_matching_action(self):
cooks = Group.objects.create(name="cooks")
user = User.objects.create(id=5)
user.groups.add(cooks)
statements = [
{
"principal": ["id:5"],
"action": ["create"]
},
{
"principal": ["group:dev"],
"action": ["delete"]
},
{
"principal": ["group:cooks"],
"action": ["do_something"]
},
{
"principal": ["*"],
"action": ["*"]
},
{
"principal": ["id:79"],
"action": ["vote"]
},
]
policy = AccessPolicy()
result = policy._get_statements_matching_action("delete", statements)
self.assertEqual(len(result), 2)
self.assertEqual(result[0]["action"], ["delete"])
self.assertEqual(result[1]["action"], ["*"])
def test_get_statements_matching_action_when_method_safe(self):
cooks = Group.objects.create(name="cooks")
user = User.objects.create(id=5)
user.groups.add(cooks)
statements = [
{
"principal": ["*"],
"action": ["list"]
},
{
"principal": ["id:5"],
"action": ["*"]
},
{
"principal": ["group:cooks"],
"action": ["<safe_methods>"]
},
{
"principal": ["group:devs"],
"action": ["destroy"]
},
]
policy = AccessPolicy()
result = policy._get_statements_matching_action(
FakeRequest(user, method="GET"), "list", statements)
self.assertEqual(len(result), 3)
self.assertEqual(result[0]["principal"], ["*"])
self.assertEqual(result[1]["principal"], ["id:5"])
self.assertEqual(result[2]["principal"], ["group:cooks"])
def test_get_statements_matching_principal_if_user_is_anonymous(self):
user = AnonymousUser()
statements = [
{
"principal": ["id:5"],
"action": ["create"]
},
{
"principal": ["*"],
"action": ["list"]
},
{
"principal": ["authenticated"],
"action": ["authenticated_action"]
},
{
"principal": ["anonymous"],
"action": ["anonymous_action"]
},
]
policy = AccessPolicy()
result = policy._get_statements_matching_principal(
FakeRequest(user), statements)
self.assertEqual(len(result), 2)
self.assertEqual(result[0]["action"], ["list"])
self.assertEqual(result[1]["action"], ["anonymous_action"])
def test_get_statements_matching_action_when_using_http_method_placeholder(
self):
cooks = Group.objects.create(name="cooks")
user = User.objects.create(id=5)
user.groups.add(cooks)
statements = [
{
"principal": ["*"],
"action": ["create"]
},
{
"principal": ["group:cooks"],
"action": ["<method:post>"]
},
{
"principal": ["group:devs"],
"action": ["destroy"]
},
]
policy = AccessPolicy()
result = policy._get_statements_matching_action(
FakeRequest(user, method="POST"), "an action that won't match",
statements)
self.assertEqual(len(result), 1)
self.assertEqual(result[0]["principal"], ["group:cooks"])
def test_get_statements_matching_principalif_user_is_authenticated(self):
cooks = Group.objects.create(name="cooks")
user = User.objects.create(id=5)
user.groups.add(cooks)
statements = [
{"principal": ["id:5"], "action": ["create"]},
{"principal": ["group:dev"], "action": ["delete"]},
{"principal": ["group:cooks"], "action": ["do_something"]},
{"principal": ["*"], "action": ["*"]},
{"principal": ["id:79"], "action": ["vote"]},
{"principal": ["anonymous"], "action": ["anonymous_action"]},
{"principal": ["authenticated"], "action": ["authenticated_action"]},
]
policy = AccessPolicy()
result = policy._get_statements_matching_principal(
FakeRequest(user), statements
)
self.assertEqual(len(result), 4)
self.assertEqual(result[0]["action"], ["create"])
self.assertEqual(result[1]["action"], ["do_something"])
self.assertEqual(result[2]["action"], ["*"])
self.assertEqual(result[3]["action"], ["authenticated_action"])
def test_get_invoked_action_from_class_based_view(self):
class UserViewSet(ModelViewSet):
pass
policy = AccessPolicy()
view_instance = UserViewSet()
view_instance.action = "create"
result = policy._get_invoked_action(view_instance)
self.assertEqual(result, "create")
def test_get_invoked_action_from_function_based_view(self):
@api_view(["GET"])
def my_view(request):
return ""
policy = AccessPolicy()
view_instance = my_view.cls()
result = policy._get_invoked_action(view_instance)
self.assertEqual(result, "my_view")
def test_get_user_group_values(self):
group1 = Group.objects.create(name="admin")
group2 = Group.objects.create(name="ceo")
user = User.objects.create(username="******")
user.groups.add(group1, group2)
policy = AccessPolicy()
result = sorted(policy.get_user_group_values(user))
self.assertEqual(result, ["admin", "ceo"])
def test_evaluate_statements_false_any_deny(self,):
policy = AccessPolicy()
user = User.objects.create(username="******")
statements = [
{"principal": "*", "action": "*", "effect": "deny"},
{"principal": "*", "action": "*", "effect": "allow"},
]
result = policy._evaluate_statements([], FakeRequest(user), None, "create")
self.assertFalse(result)
def test_evaluate_statements_true_if_any_allow_and_none_deny(self,):
policy = AccessPolicy()
user = User.objects.create(username="******")
statements = [
{"principal": "*", "action": "create", "effect": "allow"},
{"principal": "*", "action": "take_out_the_trash", "effect": "allow"},
]
result = policy._evaluate_statements(
statements, FakeRequest(user), None, "create"
)
self.assertTrue(result)
def test_normalize_statements(self):
policy = AccessPolicy()
result = policy._normalize_statements([{
"principal": "group:admin",
"action": "delete",
"condition": "is_nice_day",
}])
self.assertEqual(
result,
[{
"principal": ["group:admin"],
"action": ["delete"],
"condition": ["is_nice_day"],
}],
)
def test_get_statements_matching_action_when_method_unsafe(self):
cooks = Group.objects.create(name="cooks")
user = User.objects.create(id=5)
user.groups.add(cooks)
statements = [
{
"principal": ["id:5"],
"action": ["create"]
},
{
"principal": ["group:dev"],
"action": ["destroy"]
},
{
"principal": ["group:cooks"],
"action": ["do_something"]
},
{
"principal": ["*"],
"action": ["*"]
},
{
"principal": ["id:79"],
"action": ["vote"]
},
{
"principal": ["id:900"],
"action": ["<safe_methods>"]
},
]
policy = AccessPolicy()
result = policy._get_statements_matching_action(
FakeRequest(user, method="DELETE"), "destroy", statements)
self.assertEqual(len(result), 2)
self.assertEqual(result[0]["action"], ["destroy"])
self.assertEqual(result[1]["action"], ["*"])
def test_get_user_group_values_empty_if_user_is_anonymous(self):
user = AnonymousUser()
policy = AccessPolicy()
result = sorted(policy.get_user_group_values(user))
self.assertEqual(result, [])
