def test02_user_roles(self):
"""
Test the user_roles & is_user_in_role method
"""
print_ln('test user_roles')
try:
usr = User(uid="py-user*")
uList = review.find_users(usr)
for idx, entity in enumerate(uList):
if idx % 10 == 0:
sys.stdout.write('')
sys.stdout.flush()
entity.password = '******'
session = access.create_session(entity, False)
if session is None:
self.fail('test_user_roles failed ' + entity.uid)
if session.user.roles is not None and len(
session.user.roles) > 0:
roles = access.session_roles(session)
for role in roles:
result = access.is_user_in_role(session, role.name)
if not result:
self.fail('test_user_roles failed uid=' +
entity.uid + ', role=' + role)
print()
except Exception as e:
self.fail('test_user_roles exception=' + e)
def test04_session_permissions(self):
"""
Test the session_perms & check_access method
"""
print_ln('test session_perms')
try:
usr = User(uid="py-user*")
uList = review.find_users(usr)
for idx, entity in enumerate(uList):
if idx % 10 == 0:
sys.stdout.write('')
sys.stdout.flush()
entity.password = '******'
session = access.create_session(entity, False)
if session is None:
self.fail('test_session_permissions failed ' + entity.uid)
if session.user.roles is not None and len(
session.user.roles) > 0:
perms = access.session_perms(session)
for idx2, perm in enumerate(perms):
if idx2 % 10 == 0:
sys.stdout.write('`')
sys.stdout.flush()
result = access.check_access(session, perm)
if not result:
self.fail('test_session_permissions failed uid=' +
entity.uid + ', perm obj name=' +
perm.obj_name + ', op name=' +
perm.op_name + ', obj id=' + perm.obj_id)
print()
except Exception as e:
self.fail('test_session_permissions exception=' + e.msg)
def test26_create_session(self):
"""
Called when beginning an RBAC session. Requires uid and password if trusted is False, in which case it will authenticate in addition to activating roles into session.
Throws exception if user is not found, or if authentication fails.
"""
print_test_name()
try:
session = access.create_session(User(uid='foo1', password='******'), False)
if not session:
print_test_msg('fail')
self.fail()
else:
print_test_msg('sucess')
pass
except RbacError as e:
print_exception(e)
self.fail()
def test28_session_perms(self):
"""
Return all permission authorized for user per their set of activated roles in the session. Note this means that set could be a subset of assigned permissions, if any assigned roles are not activated.
"""
print_test_name()
try:
session = access.create_session(User(uid='foo1', password='******'), False)
perms = access.session_perms(session)
if not perms:
print_test_msg('failed')
self.fail()
for perm in perms:
print_perm(perm)
pass
except RbacError as e:
print_exception(e)
self.fail()
def test27_check_access(self):
"""
Called to perform an RBAC permmission check. Requires a valid session (returned from create_session) and a permission with required attrs obj_name, op_name, and optional obj_id.
Returns true if user is allowed to perform the specified operation on object.
"""
print_test_name()
try:
session = access.create_session(User(uid='foo1', password='******'), False)
result = access.check_access(session, Perm(obj_name='ShoppingCart', op_name='add'))
if not result:
print_test_msg('fail')
self.fail()
else:
print_test_msg('success')
pass
except RbacError as e:
print_exception(e)
self.fail()
def test01_create_sessions(self):
"""
Test the create_session method
"""
print_ln('test create sessions')
try:
usr = User(uid="py-user*")
uList = review.find_users(usr)
loop_cnt = len(uList)
for idx, entity in enumerate(uList):
if idx % 10 == 0:
sys.stdout.write('')
sys.stdout.flush()
entity.password = '******'
try:
session = access.create_session(entity, False)
if session is None:
self.fail('test create sessions failed ' + entity.uid)
except InvalidCredentials as e:
print_ln(e.msg)
print()
except Exception as e:
self.fail('user create_session exception=' + e.msg)
def test03_active_roles(self):
"""
Test the add_active_role & drop_active_role methods
"""
print_ln('test active_roles')
try:
usr = User(uid="py-user*")
uList = review.find_users(usr)
for idx, entity in enumerate(uList):
if idx % 10 == 0:
sys.stdout.write('')
sys.stdout.flush()
entity.password = '******'
session = access.create_session(entity, False)
if session is None:
self.fail('test_active_roles failed ' + entity.uid)
if session.user.roles is not None and len(
session.user.roles) > 0:
roles = access.session_roles(session)
active_roles = list(roles)
# now deactivate all of the roles:
for idx2, role in enumerate(active_roles):
if idx2 % 10 == 0:
sys.stdout.write('`')
sys.stdout.flush()
result = access.is_user_in_role(session, role.name)
if not result:
self.fail('test_active_roles failed uid=' +
entity.uid + ', role=' + role)
access.drop_active_role(session, role.name)
result = access.is_user_in_role(session, role.name)
if result:
self.fail(
'test_active_roles negative failed uid=' +
entity.uid + ', role=' + role)
if session.user.roles is None or len(
session.user.roles) > 0:
self.fail(
'test_active_roles did not inactivate all roles in session for uid='
+ entity.uid)
# now activate all of the roles once again:
for idx2, role in enumerate(active_roles):
if idx2 % 10 == 0:
sys.stdout.write('`')
sys.stdout.flush()
result = access.is_user_in_role(session, role.name)
if result:
self.fail(
'test_active_roles failed inactive negative check uid='
+ entity.uid + ', role=' + role)
access.add_active_role(session, role.name)
result = access.is_user_in_role(session, role.name)
if not result:
self.fail(
'test_active_roles failed inactive positive check uid='
+ entity.uid + ', role=' + role)
if session.user.roles is None or len(
session.user.roles) != len(active_roles):
self.fail(
'test_active_roles did not activate all roles in session for uid='
+ entity.uid)
print()
except Exception as e:
self.fail('test_active_roles exception=' + e.msg)
def process(args):
sess = None
result = False
user = load_entity(User(), args)
perm = load_entity(Perm(), args)
print(args.operation)
try:
if args.operation == AUTH:
sess = access.create_session(user, False)
result = True
elif args.operation == CHCK:
sess = un_pickle()
result = access.check_access(sess, perm)
elif args.operation == ROLES:
sess = un_pickle()
roles = access.session_roles(sess)
for idx, role in enumerate(roles):
print_entity(role, role.name + ':' + str(idx))
result = True
elif args.operation == PERMS:
sess = un_pickle()
perms = access.session_perms(sess)
for idx, perm in enumerate(perms):
print_entity(
perm, perm.obj_name + '.' + perm.op_name + ':' + str(idx))
result = True
elif args.operation == SHOW:
sess = un_pickle()
print_entity(sess, 'session')
print_user(sess.user, 'user')
result = True
elif args.operation == ADD:
sess = un_pickle()
if not args.role:
print("error --role required for this op")
return False
print('role=' + args.role)
access.add_active_role(sess, args.role)
result = True
elif args.operation == DROP:
sess = un_pickle()
if not args.role:
print("error --role required for this op")
return False
print('role=' + args.role)
access.drop_active_role(sess, args.role)
result = True
else:
print('process failed, invalid operation=' + args.operation)
if result:
print('success')
else:
print('failed')
pickle_it(sess)
except RbacError as e:
if e.id == global_ids.ACTV_FAILED_DAY:
print('failed day of week, id=' + str(e.id) + ', msg=' + e.msg)
elif e.id == global_ids.ACTV_FAILED_DATE:
print('failed for date, id=' + str(e.id) + ', msg=' + e.msg)
elif e.id == global_ids.ACTV_FAILED_TIME:
print('failed for time of day, id=' + str(e.id) + ', msg=' + e.msg)
elif e.id == global_ids.ACTV_FAILED_TIMEOUT:
print('failed inactivity timeout, id=' + str(e.id) + ', msg=' +
e.msg)
elif e.id == global_ids.ACTV_FAILED_LOCK:
print('failed locked date')
else:
print('RbacError id=' + str(e.id) + ', ' + e.msg)
