def test_change_child_role(user_sdk: ADCMClient, user, prepare_objects, sdk_client_fs): """ Test that user loses access if change policy role """ cluster_via_admin, *_ = prepare_objects cluster = user_sdk.cluster(id=cluster_via_admin.id) policy = create_policy(sdk_client_fs, BusinessRoles.ViewClusterConfigurations, objects=[cluster], users=[user], groups=[]) is_allowed(cluster, BusinessRoles.ViewClusterConfigurations) with allure.step( "Change role from 'View configuration' to 'View imports'"): role = sdk_client_fs.role_create( name="Another role", display_name="Another role", child=[{ "id": sdk_client_fs.role( name=BusinessRoles.ViewImports.value.role_name).id }], ) policy.update(role={"id": role.id}) is_allowed(cluster, BusinessRoles.ViewImports) is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
def check_role_with_parametrization(clients, user, cluster_bundle: Bundle, provider_bundle: Bundle): """Check that update of role with parametrization leads to correct permissions update""" cluster, provider = cluster_bundle.cluster_create('clusteraster'), provider_bundle.provider_create('provideraider') role_name = "Role with parametrization" role = clients.admin.role_create( name=role_name, display_name=role_name, child=_form_children(clients.admin, BusinessRoles.EditClusterConfigurations), ) policy = clients.admin.policy_create(name="User policy", role=role, objects=[cluster], user=[user]) with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client: user_cluster, user_provider = as_user_objects(user_client, cluster, provider) is_allowed(user_cluster, BusinessRoles.EditClusterConfigurations) is_denied(user_provider, BusinessRoles.EditProviderConfigurations) role.update(child=_form_children(clients.admin, BusinessRoles.EditProviderConfigurations)) with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client: user_cluster, user_provider = as_user_objects(user_client, cluster, provider) is_denied(user_cluster, BusinessRoles.EditClusterConfigurations) is_denied(user_provider, BusinessRoles.EditProviderConfigurations) policy.update(object=[{'type': 'provider', 'id': provider.id}]) with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client: user_cluster, user_provider = as_user_objects(user_client, cluster, provider) is_denied(user_cluster, BusinessRoles.EditClusterConfigurations) is_allowed(user_provider, BusinessRoles.EditProviderConfigurations) policy.delete() role.delete()
def test_any_object_roles(clients, user, prepare_objects): """Test that ViewAnyObject... default roles works as expected with ADCM User""" cluster, *_ = user_objects = as_user_objects(clients.user, *prepare_objects) @allure.step("Check user has no access to any of objects") def check_has_no_rights(): is_denied(cluster, BR.ViewAnyObjectImport) is_denied(cluster, BR.ViewAnyObjectHostComponents) is_denied_to_view(*user_objects) is_denied_to_edit(*user_objects) check_has_no_rights() policy = clients.admin.policy_create( name="ADCM User for a User", role=clients.admin.role(name=RbacRoles.ADCMUser.value), objects=[], user=[user], ) is_allowed(cluster, BR.ViewAnyObjectImport) is_allowed(cluster, BR.ViewAnyObjectHostComponents) is_allowed_to_view(*user_objects) is_denied_to_edit(*user_objects) delete_policy(policy) check_has_no_rights()
def test_upload_bundle(user_policy, user_sdk: ADCMClient, sdk_client_fs): """Test that Upload bundle role is ok""" is_allowed(user_sdk, BR.UploadBundle) is_denied(user_sdk.bundle(), BR.RemoveBundle) delete_policy(user_policy) sdk_client_fs.bundle_list()[-1].delete() is_denied(user_sdk, BR.UploadBundle)
def check_roles_are_allowed( self, cluster_object_map: Dict[ClusterObjectClassName, ClusterRelatedObject], business_roles: Iterable[BusinessRole], ): """Check that given roles are allowed to be launched""" for role in business_roles: adcm_object = self._get_object_from_map_by_role_name( role.role_name, cluster_object_map) is_allowed(adcm_object, role).wait()
def test_remove_bundle(user_policy, user_sdk: ADCMClient, sdk_client_fs): """Test that Remove bundle role is ok""" is_denied(user_sdk, BR.UploadBundle) BR.UploadBundle.value.method_call(sdk_client_fs) is_allowed(user_sdk.bundle_list()[-1], BR.RemoveBundle) delete_policy(user_policy) BR.UploadBundle.value.method_call(sdk_client_fs) is_denied(user_sdk.bundle_list()[-1], BR.RemoveBundle)
def test_create_cluster(user_policy, user_sdk: ADCMClient, prepare_objects, second_objects): """Test that Create cluster role is ok""" cluster, *_, provider, _ = as_user_objects(user_sdk, *prepare_objects) is_allowed(cluster.bundle(), BR.CreateCluster) is_denied(provider.bundle(), BR.CreateHostProvider) is_denied(cluster, BR.RemoveCluster) delete_policy(user_policy) is_denied(cluster.bundle(), BR.CreateCluster)
def test_view_adcm_settings(user_policy, user_sdk: ADCMClient, prepare_objects): """Test that View ADCM Settings role is ok""" (cluster, ) = as_user_objects(user_sdk, prepare_objects[0]) is_allowed(user_sdk.adcm(), BusinessRoles.ViewADCMSettings) is_denied(user_sdk.adcm(), BusinessRoles.EditADCMSettings) is_denied(cluster, BusinessRoles.ViewClusterConfigurations) delete_policy(user_policy) is_denied(user_sdk.adcm(), BusinessRoles.ViewADCMSettings)
def check_permissions( self, message: str, allowed: Iterable[Tuple[AnyADCMObject, BusinessRole]], denied: Iterable[Tuple[Cluster, BusinessRole]], ): """Check that permissions on actions works as expected""" with allure.step(message): for adcm_object, role in allowed: is_allowed(adcm_object, role).wait() for adcm_object, role in denied: is_denied(adcm_object, role)
def check_single_action_is_allowed_on_object( action_display_name: str, adcm_object: AnyADCMObject, user_sdk: ADCMClient, business_role: Optional[BusinessRole] = None, ): """Check that only one action is allowed on object and the access to others is denied""" (allowed_object,) = as_user_objects(user_sdk, adcm_object) business_role = business_role or action_business_role(allowed_object, action_display_name) is_allowed(allowed_object, business_role).wait() for action_name in (a.display_name for a in adcm_object.action_list() if a.display_name != action_display_name): is_denied(allowed_object, action_business_role(allowed_object, action_name))
def check_new_action_can_be_launched(self, clients, user, upgraded_cluster: Cluster): """Check that policy can be created to run new action from cluster bundle and action actually can be launched""" service = upgraded_cluster.service() component = service.component() for adcm_object in as_user_objects(clients.user, upgraded_cluster, service, component): business_role = action_business_role(adcm_object, NEW_ACTION) create_action_policy(clients.admin, adcm_object, business_role, user=user) is_allowed(adcm_object, business_role).wait()
def test_view_users(user_policy, user_sdk: ADCMClient, sdk_client_fs: ADCMClient): """Test that "View users" role is ok""" is_allowed(user_sdk, BusinessRoles.ViewUsers) is_denied(user_sdk, BusinessRoles.CreateUser) simple_user = user_sdk.user( id=sdk_client_fs.user_create(username="******", password="******").id) is_denied(simple_user, BusinessRoles.EditUser) is_denied(simple_user, BusinessRoles.RemoveUser) delete_policy(user_policy) is_denied(user_sdk, BusinessRoles.ViewUsers)
def test_remove_groups(user_policy, user_sdk: ADCMClient, sdk_client_fs: ADCMClient): """Test that "Remove groups" role is ok""" is_allowed(user_sdk, BusinessRoles.ViewGroups) is_denied(user_sdk, BusinessRoles.CreateGroup) simple_group = user_sdk.group(id=sdk_client_fs.group_create( name="test").id) is_denied(simple_group, BusinessRoles.EditGroup) is_allowed(simple_group, BusinessRoles.RemoveGroup) delete_policy(user_policy) is_denied(user_sdk, BusinessRoles.ViewGroups)
def test_create_custom_role(user_policy, user_sdk: ADCMClient, sdk_client_fs: ADCMClient): """Test that "Create custom role" role is ok""" is_allowed(user_sdk, BusinessRoles.ViewRoles) is_allowed(user_sdk, BusinessRoles.CreateCustomRoles) custom_role = user_sdk.role(name="Custom role") is_denied(custom_role, BusinessRoles.EditRoles) is_denied(custom_role, BusinessRoles.RemoveRoles) delete_policy(user_policy) sdk_client_fs.role(id=custom_role.id).delete() is_denied(user_sdk, BusinessRoles.CreateCustomRoles)
def test_edit_roles(user_policy, user_sdk: ADCMClient, sdk_client_fs: ADCMClient): """Test that "Edit role" role is ok""" is_allowed(user_sdk, BusinessRoles.ViewRoles) is_denied(user_sdk, BusinessRoles.CreateCustomRoles) BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs) custom_role = user_sdk.role(name="Custom role") is_allowed(custom_role, BusinessRoles.EditRoles) is_denied(custom_role, BusinessRoles.RemoveRoles) delete_policy(user_policy) is_denied(custom_role, BusinessRoles.EditRoles)
def test_add_service(user_policy: Policy, user_sdk: ADCMClient, prepare_objects, second_objects): """Test that Add service role is ok""" cluster, *_ = as_user_objects(user_sdk, *prepare_objects) cluster_via_admin, *_ = prepare_objects second_cluster, *_ = as_user_objects(user_sdk, *second_objects) is_allowed(cluster, BR.AddService) added_service = cluster.service(name="new_service") is_denied(cluster, BR.RemoveService, added_service) is_denied(second_cluster, BR.AddService) cluster_via_admin.service(name="new_service").delete() delete_policy(user_policy) is_denied(cluster, BR.AddService)
def test_view_hostcomponents(user_policy: Policy, user_sdk: ADCMClient, prepare_objects, second_objects): """Test that View host-components role is ok""" cluster, _, component, _, host = as_user_objects(user_sdk, *prepare_objects) cluster_via_admin, *_, host_via_admin = prepare_objects second_cluster, *_ = as_user_objects(user_sdk, *second_objects) cluster_via_admin.host_add(host_via_admin) is_allowed(cluster, BR.ViewHostComponents) is_denied(second_cluster, BR.ViewHostComponents) is_denied(cluster, BR.EditHostComponents, (host, component)) delete_policy(user_policy) is_denied(cluster, BR.ViewHostComponents)
def test_view_imports(user_policy: Policy, user_sdk: ADCMClient, prepare_objects, second_objects): """Test that View imports role is ok""" cluster, service, *_ = as_user_objects(user_sdk, *prepare_objects) second_cluster, second_service, *_ = as_user_objects( user_sdk, *second_objects) for base_object in [cluster, service]: is_allowed(base_object, BR.ViewImports) is_denied(base_object, BR.ManageImports, second_service) for base_object in [second_cluster, second_service]: is_denied(base_object, BR.ViewImports) delete_policy(user_policy) for base_object in [cluster, service]: is_denied(base_object, BR.ViewImports)
def test_create_host(user_policy, user_sdk: ADCMClient, prepare_objects, second_objects): """Test that Create host role is ok""" cluster, *_, provider, host = as_user_objects(user_sdk, *prepare_objects) *_, second_provider, second_host = as_user_objects(user_sdk, *second_objects) is_allowed(provider, BR.CreateHost) is_denied(host, BR.RemoveHosts) is_denied(cluster, BR.MapHosts, host) is_denied(second_provider, BR.CreateHost) is_denied(second_host, BR.RemoveHosts) delete_policy(user_policy) is_denied(provider, BR.CreateHost)
def test_action_on_host_available_with_cluster_parametrization(clients, actions_cluster, actions_provider, user): """Test that host owned action is still available""" admin_host = actions_provider.host() actions_cluster.host_add(admin_host) user_cluster, user_host = as_user_objects(clients.user, actions_cluster, admin_host) cluster_business_role, host_business_role = action_business_role( user_cluster, DO_NOTHING_ACTION ), action_business_role(user_host, DO_NOTHING_ACTION) policy = create_action_policy(clients.admin, user_cluster, cluster_business_role, host_business_role, user=user) is_allowed(user_cluster, cluster_business_role).wait() is_allowed(user_host, host_business_role).wait() delete_policy(policy) is_denied(user_cluster, cluster_business_role) is_denied(user_host, host_business_role)
def test_view_policies(user_policy, user_sdk: ADCMClient, sdk_client_fs: ADCMClient): """Test that "View policies" role is ok""" BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs) custom_role = sdk_client_fs.role(name="Custom role") user = sdk_client_fs.user(username="******") is_allowed(user_sdk, BusinessRoles.ViewPolicies) is_denied(user_sdk, BusinessRoles.CreatePolicy, role=custom_role, user=[user]) delete_policy(user_policy) is_denied(user_sdk, BusinessRoles.ViewPolicies)
def test_map_hosts(user_policy: Policy, user_sdk: ADCMClient, prepare_objects, second_objects): """Test that Map hosts role is ok""" cluster, *_, host = as_user_objects(user_sdk, *prepare_objects) *_, provider_via_admin, _ = prepare_objects second_cluster, *_, second_host = as_user_objects(user_sdk, *second_objects) new_host = provider_via_admin.host_create(fqdn="new_host") is_allowed(cluster, BR.MapHosts, host) is_denied(cluster, BR.UnmapHosts, host) is_denied(second_cluster, BR.MapHosts, second_host) delete_policy(user_policy) is_denied(cluster, BR.MapHosts, new_host)
def test_remove_user_from_policy(user_sdk: ADCMClient, user, prepare_objects, sdk_client_fs): """ Test that user loses access if user removed from policy user list """ cluster_via_admin, *_ = prepare_objects cluster = user_sdk.cluster(id=cluster_via_admin.id) policy = create_policy(sdk_client_fs, BusinessRoles.ViewClusterConfigurations, objects=[cluster], users=[user], groups=[]) is_allowed(cluster, BusinessRoles.ViewComponentConfigurations) with allure.step("Remove user from policy"): policy.update(user=[{"id": sdk_client_fs.user(username="******").id}]) is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
def test_host_actions(clients, actions_cluster, actions_cluster_bundle, actions_provider, user): """Test permissions on host actions""" host_action_template = '{object_type} ready for host' service_name, component_name = 'actions_service', 'single_component' actions_service = actions_cluster.service(name=service_name) single_component = actions_service.component(name=component_name) second_cluster = actions_cluster_bundle.cluster_create(name='Test Second Cluster') second_cluster.service_add(name=service_name) with allure.step('Add hosts to clusters'): first_host = actions_provider.host() second_host = actions_provider.host_create(fqdn='test-new-host') for cluster, host in ((actions_cluster, first_host), (second_cluster, second_host)): cluster.host_add(host) service = cluster.service(name=service_name) component = service.component(name=component_name) cluster.hostcomponent_set((host, component)) host, second_host = as_user_objects(clients.user, first_host, second_host) cluster, _, _ = user_cluster_objects = as_user_objects( clients.user, actions_cluster, actions_service, single_component ) with allure.step('Grant permission to run host actions on cluster, service and component'): business_roles = [ action_business_role(obj, host_action_template.format(object_type=obj.__class__.__name__)) for obj in user_cluster_objects ] policy = create_action_policy( clients.admin, cluster, *business_roles, user=user, ) with allure.step('Run host actions from cluster, service and component on host in and out of cluster'): for role in business_roles: is_allowed(host, role).wait() is_denied(second_host, role) with allure.step('Check policy deletion leads to denial of host action execution'): delete_policy(policy) for role in business_roles: is_denied(host, role) is_denied(second_host, role)
def test_remove_cluster(user_policy, user_sdk: ADCMClient, prepare_objects, second_objects, sdk_client_fs, user): """Test that Remove cluster role is ok""" cluster, *_ = as_user_objects(user_sdk, *prepare_objects) second_cluster, *_ = as_user_objects(user_sdk, *second_objects) is_denied(cluster.bundle(), BR.CreateCluster) is_allowed(cluster, BR.RemoveCluster) is_denied(second_cluster, BR.RemoveCluster) new_policy = create_policy(sdk_client_fs, BR.RemoveCluster, objects=[second_cluster], users=[user], groups=[]) delete_policy(new_policy) is_denied(second_cluster, BR.RemoveCluster)
def test_remove_user_from_group(user_sdk: ADCMClient, user, prepare_objects, sdk_client_fs): """ Test that user loses access if user removed from group with policy """ cluster_via_admin, *_ = prepare_objects cluster = user_sdk.cluster(id=cluster_via_admin.id) group = sdk_client_fs.group_create("test_group", user=[{"id": user.id}]) create_policy(sdk_client_fs, BusinessRoles.ViewClusterConfigurations, objects=[cluster], users=[], groups=[group]) is_allowed(cluster, BusinessRoles.ViewClusterConfigurations) with allure.step("Remove user from group"): group.update(user=[]) is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
def check_role_wo_parametrization(clients, user, cluster_bundle, provider_bundle): """Check that update of role without parametrization leads to correct permissions update""" role_name = "Role without parametrization" role = clients.admin.role_create( name=role_name, display_name=role_name, child=_form_children(clients.admin, BusinessRoles.CreateCluster) ) policy = clients.admin.policy_create(name="User policy", role=role, user=[user]) with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client: cluster_bundle, provider_bundle = as_user_objects(user_client, cluster_bundle, provider_bundle) is_allowed(cluster_bundle, BusinessRoles.CreateCluster) is_denied(provider_bundle, BusinessRoles.CreateHostProvider) role.update(child=_form_children(clients.admin, BusinessRoles.CreateHostProvider)) with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client: cluster_bundle, provider_bundle = as_user_objects(user_client, cluster_bundle, provider_bundle) is_denied(cluster_bundle, BusinessRoles.CreateCluster) is_allowed(provider_bundle, BusinessRoles.CreateHostProvider) policy.delete() role.delete()
def test_remove_hosts(user_policy: Policy, user_sdk: ADCMClient, prepare_objects, second_objects, sdk_client_fs, user): """Test that Remove hosts role is ok""" *_, host = as_user_objects(user_sdk, *prepare_objects) *_, second_host = as_user_objects(user_sdk, *second_objects) is_allowed(host, BR.RemoveHosts) is_denied(second_host, BR.RemoveHosts) with allure.step("Assert that policy is valid after object removing"): user_policy.reread() new_policy = create_policy(sdk_client_fs, BR.RemoveHosts, objects=[second_host], users=[user], groups=[]) delete_policy(new_policy) is_denied(second_host, BR.RemoveHosts)
def test_remove_user_from_policy_but_still_in_group(user_sdk: ADCMClient, user, prepare_objects, sdk_client_fs): """ Test that user is still have access if user removed from policy but is in group """ cluster_via_admin, *_ = prepare_objects cluster = user_sdk.cluster(id=cluster_via_admin.id) group = sdk_client_fs.group_create("test_group", user=[{"id": user.id}]) policy = create_policy(sdk_client_fs, BusinessRoles.ViewClusterConfigurations, objects=[cluster], users=[user], groups=[group]) is_allowed(cluster, BusinessRoles.ViewClusterConfigurations) with allure.step("Remove user from policy"): policy.update(user=[{"id": sdk_client_fs.user(username="******").id}]) is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
def test_upgrade_application_bundle(user_policy, user_sdk: ADCMClient, prepare_objects, sdk_client_fs, user): """Test that Upgrade application bundle role is ok""" cluster, *_, provider, _ = as_user_objects(user_sdk, *prepare_objects) cluster_via_admin, *_ = prepare_objects second_cluster = user_sdk.cluster( id=cluster_via_admin.bundle().cluster_create(name="Second cluster").id) is_allowed(cluster, BR.UpgradeClusterBundle) is_denied(provider, BR.UpgradeClusterBundle) is_denied(second_cluster, BR.UpgradeClusterBundle) new_policy = create_policy(sdk_client_fs, BR.UpgradeClusterBundle, objects=[second_cluster], users=[user], groups=[]) delete_policy(new_policy) is_denied(second_cluster, BR.UpgradeClusterBundle)