def test_create_custom_role(user_policy, user_sdk: ADCMClient,
sdk_client_fs: ADCMClient):
"""Test that "Create custom role" role is ok"""
is_allowed(user_sdk, BusinessRoles.ViewRoles)
is_allowed(user_sdk, BusinessRoles.CreateCustomRoles)
custom_role = user_sdk.role(name="Custom role")
is_denied(custom_role, BusinessRoles.EditRoles)
is_denied(custom_role, BusinessRoles.RemoveRoles)
delete_policy(user_policy)
sdk_client_fs.role(id=custom_role.id).delete()
is_denied(user_sdk, BusinessRoles.CreateCustomRoles)
def create_action_policy(
client: ADCMClient,
adcm_object: Union[AnyADCMObject, List[AnyADCMObject]],
*business_roles: BusinessRole,
user=None,
group=None,
) -> Policy:
"""Create policy based on business roles"""
if not (user or group):
raise ValueError(
"Either user or group should be provided to create policy")
user = user or []
group = group or []
child_roles = [{
'id': client.role(name=role.role_name).id
} for role in business_roles]
role_name = f"Test Action Role {random_string(6)}"
action_parent_role = client.role_create(name=role_name,
display_name=role_name,
child=child_roles)
return client.policy_create(
name=f"Test Action Policy {role_name[-6:]}",
role=action_parent_role,
objects=adcm_object
if isinstance(adcm_object, list) else [adcm_object],
user=user if isinstance(user, list) else [user],
group=group if isinstance(group, list) else [group],
)
def check_roles_are_not_added_to_rbac_roles(client: ADCMClient,
rbac_roles: Iterable[RbacRoles],
children_roles_ids: Set[int]):
"""Check that all given RBAC default roles doesn't have all given roles as its children"""
for rbac_role in rbac_roles:
with allure.step(
f"Check roles weren't added to role '{rbac_role.value}'"):
role: Role = client.role(name=rbac_role.value)
does_not_intersect(
set(r.id for r in role.child_list()),
children_roles_ids,
'One or more roles was found (by id) in the child list',
)
def check_roles_are_added_to_rbac_roles(client: ADCMClient,
rbac_roles: Iterable[RbacRoles],
children_roles_ids: Set[int]):
"""Check that all given RBAC default roles have all given roles as its children"""
for rbac_role in rbac_roles:
with allure.step(
f'Check roles were added to role "{rbac_role.value}"'):
role: Role = client.role(name=rbac_role.value)
is_superset_of(
set(r.id for r in role.child_list()),
children_roles_ids,
'One or more roles not found (by id) in the child list',
)
def test_edit_roles(user_policy, user_sdk: ADCMClient,
sdk_client_fs: ADCMClient):
"""Test that "Edit role" role is ok"""
is_allowed(user_sdk, BusinessRoles.ViewRoles)
is_denied(user_sdk, BusinessRoles.CreateCustomRoles)
BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs)
custom_role = user_sdk.role(name="Custom role")
is_allowed(custom_role, BusinessRoles.EditRoles)
is_denied(custom_role, BusinessRoles.RemoveRoles)
delete_policy(user_policy)
is_denied(custom_role, BusinessRoles.EditRoles)
def check_business_roles_children(
client: ADCMClient, prototype: Prototype, actions: List[dict],
actions_role_names: List[str]
) -> Tuple[Set[RoleShortInfo], Set[RoleShortInfo]]:
"""
Checks that "action" business roles have all newly created roles as its children.
:returns: hidden and business roles as ShortRoleInfo set
"""
hidden_roles = set()
business_roles = set()
for action_display_name, hidden_role_name in zip(
key_values_from('display_name', actions), actions_role_names):
business_role_name = f'{prototype.type.capitalize()} Action: {action_display_name}'
with allure.step(
f'Check role "{hidden_role_name}" is a child of "{business_role_name}"'
):
with catch_failed(
ObjectNotFound,
f'There should be a hidden role with name "{hidden_role_name}"'
):
hidden_role = client.role(name=hidden_role_name,
type=RoleType.HIDDEN.value)
with catch_failed(
ObjectNotFound,
f'There should be a business role with name "{business_role_name}"'
):
business_role = client.role(name=business_role_name,
type=RoleType.BUSINESS.value)
is_in_collection(
hidden_role.id,
(child.id for child in business_role.child_list()),
f"Role wasn't found in children of '{hidden_role.name}'",
)
hidden_roles.add(extract_role_short_info(hidden_role))
business_roles.add(extract_role_short_info(business_role))
return hidden_roles, business_roles
def test_view_policies(user_policy, user_sdk: ADCMClient,
sdk_client_fs: ADCMClient):
"""Test that "View policies" role is ok"""
BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs)
custom_role = sdk_client_fs.role(name="Custom role")
user = sdk_client_fs.user(username="******")
is_allowed(user_sdk, BusinessRoles.ViewPolicies)
is_denied(user_sdk,
BusinessRoles.CreatePolicy,
role=custom_role,
user=[user])
delete_policy(user_policy)
is_denied(user_sdk, BusinessRoles.ViewPolicies)
def test_edit_policy(user_policy, user_sdk: ADCMClient,
sdk_client_fs: ADCMClient):
"""Test that "Edit policy" role is ok"""
BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs)
custom_role = sdk_client_fs.role(name="Custom role")
user = sdk_client_fs.user(username="******")
is_allowed(user_sdk, BusinessRoles.ViewPolicies)
is_denied(user_sdk,
BusinessRoles.CreatePolicy,
role=custom_role,
user=[user])
custom_policy = user_sdk.policy(id=sdk_client_fs.policy_create(
name="Test policy", objects=[], role=custom_role, user=[user]).id)
is_allowed(custom_policy, BusinessRoles.EditPolicy)
is_denied(custom_policy, BusinessRoles.RemovePolicy)
delete_policy(user_policy)
is_denied(user_sdk, BusinessRoles.ViewPolicies)
is_denied(custom_policy, BusinessRoles.EditPolicy)
def _form_children(admin_client: ADCMClient, *business_roles: BusinessRoles) -> List[Dict[str, int]]:
"""Create list of children for role based on business roles"""
return [{"id": admin_client.role(name=role.value.role_name).id} for role in business_roles]
def grant_role(self, client: ADCMClient, user: User, role: RbacRoles, *objects: AnyADCMObject) -> Policy:
"""Grant RBAC default role to a user"""
with allure.step(f'Grant role "{role.value}" to user {user.username}'):
return client.policy_create(
name=f'{user.username} is {role.value}', role=client.role(name=role.value), objects=objects, user=[user]
)
