def test_service_in_cluster_hierarchy(user, prepare_objects, sdk_client_fs,
second_objects):
"""
Test that service related role can be parametrized by cluster
"""
cluster_via_admin, *_ = prepare_objects
cluster_via_admin.service_add(name="new_service")
service_role = {
"id":
sdk_client_fs.role(name=BusinessRoles.RemoveService.value.role_name).id
}
cluster_role = {
"id":
sdk_client_fs.role(name=BusinessRoles.AddService.value.role_name).id
}
common_role = sdk_client_fs.role_create("Common role",
display_name="Common role",
child=[service_role, cluster_role])
sdk_client_fs.policy_create(name="Common policy",
role=common_role,
objects=[cluster_via_admin],
user=[user],
group=[])
username, password = TEST_USER_CREDENTIALS
user_sdk = ADCMClient(url=sdk_client_fs.url,
user=username,
password=password)
cluster, service, *_ = as_user_objects(user_sdk, *prepare_objects)
second_cluster, *_ = as_user_objects(user_sdk, *second_objects)
for service in cluster.service_list():
is_allowed(cluster, BusinessRoles.RemoveService, service)
for service in second_cluster.service_list():
is_denied(second_cluster, BusinessRoles.RemoveService, service)
def test_view_adcm_settings(user_policy, user_sdk: ADCMClient,
prepare_objects):
"""Test that View ADCM Settings role is ok"""
(cluster, ) = as_user_objects(user_sdk, prepare_objects[0])
is_allowed(user_sdk.adcm(), BusinessRoles.ViewADCMSettings)
is_denied(user_sdk.adcm(), BusinessRoles.EditADCMSettings)
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
delete_policy(user_policy)
is_denied(user_sdk.adcm(), BusinessRoles.ViewADCMSettings)
def test_create_cluster(user_policy, user_sdk: ADCMClient, prepare_objects,
second_objects):
"""Test that Create cluster role is ok"""
cluster, *_, provider, _ = as_user_objects(user_sdk, *prepare_objects)
is_allowed(cluster.bundle(), BR.CreateCluster)
is_denied(provider.bundle(), BR.CreateHostProvider)
is_denied(cluster, BR.RemoveCluster)
delete_policy(user_policy)
is_denied(cluster.bundle(), BR.CreateCluster)
def test_edit_policy(user_policy, user_sdk: ADCMClient,
sdk_client_fs: ADCMClient):
"""Test that "Edit policy" role is ok"""
BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs)
custom_role = sdk_client_fs.role(name="Custom role")
user = sdk_client_fs.user(username="******")
is_allowed(user_sdk, BusinessRoles.ViewPolicies)
is_denied(user_sdk,
BusinessRoles.CreatePolicy,
role=custom_role,
user=[user])
custom_policy = user_sdk.policy(id=sdk_client_fs.policy_create(
name="Test policy", objects=[], role=custom_role, user=[user]).id)
is_allowed(custom_policy, BusinessRoles.EditPolicy)
is_denied(custom_policy, BusinessRoles.RemovePolicy)
delete_policy(user_policy)
is_denied(user_sdk, BusinessRoles.ViewPolicies)
is_denied(custom_policy, BusinessRoles.EditPolicy)
def test_create_custom_role(user_policy, user_sdk: ADCMClient,
sdk_client_fs: ADCMClient):
"""Test that "Create custom role" role is ok"""
is_allowed(user_sdk, BusinessRoles.ViewRoles)
is_allowed(user_sdk, BusinessRoles.CreateCustomRoles)
custom_role = user_sdk.role(name="Custom role")
is_denied(custom_role, BusinessRoles.EditRoles)
is_denied(custom_role, BusinessRoles.RemoveRoles)
delete_policy(user_policy)
sdk_client_fs.role(id=custom_role.id).delete()
is_denied(user_sdk, BusinessRoles.CreateCustomRoles)
def test_remove_users(user_policy, user_sdk: ADCMClient,
sdk_client_fs: ADCMClient):
"""Test that "Remove users" role is ok"""
is_allowed(user_sdk, BusinessRoles.ViewUsers)
is_denied(user_sdk, BusinessRoles.CreateUser)
simple_user = user_sdk.user(
id=sdk_client_fs.user_create(username="******", password="******").id)
is_denied(simple_user, BusinessRoles.EditUser)
is_allowed(simple_user, BusinessRoles.RemoveUser)
delete_policy(user_policy)
is_denied(user_sdk, BusinessRoles.ViewUsers)
def test_remove_service(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects):
"""Test that Remove service role is ok"""
cluster, service, *_ = as_user_objects(user_sdk, *prepare_objects)
cluster_via_admin, *_ = prepare_objects
second_cluster, second_service, *_ = as_user_objects(
user_sdk, *second_objects)
second_cluster_via_admin, *_ = second_objects
is_denied(cluster, BR.AddService)
is_allowed(cluster, BR.RemoveService, service)
is_denied(second_cluster, BR.RemoveService, second_service)
added_second_service = second_cluster_via_admin.service_add(
name="new_service")
is_denied(cluster, BR.RemoveService, added_second_service)
delete_policy(user_policy)
added_service = cluster_via_admin.service_add(name="test_service")
is_denied(cluster, BR.RemoveService, added_service)
def test_remove_groups(user_policy, user_sdk: ADCMClient,
sdk_client_fs: ADCMClient):
"""Test that "Remove groups" role is ok"""
is_allowed(user_sdk, BusinessRoles.ViewGroups)
is_denied(user_sdk, BusinessRoles.CreateGroup)
simple_group = user_sdk.group(id=sdk_client_fs.group_create(
name="test").id)
is_denied(simple_group, BusinessRoles.EditGroup)
is_allowed(simple_group, BusinessRoles.RemoveGroup)
delete_policy(user_policy)
is_denied(user_sdk, BusinessRoles.ViewGroups)
def test_edit_hostcomponents(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects):
"""Test that Edit host-components role is ok"""
cluster, _, component, _, host = as_user_objects(user_sdk,
*prepare_objects)
cluster_via_admin, *_, host_via_admin = prepare_objects
second_cluster, _, second_component, _, second_host = as_user_objects(
user_sdk, *second_objects)
second_cluster_via_admin, *_, second_host_via_admin = second_objects
cluster_via_admin.host_add(host_via_admin)
second_cluster_via_admin.host_add(second_host_via_admin)
is_allowed(cluster, BR.ViewHostComponents)
is_allowed(cluster, BR.EditHostComponents, (host, component))
is_denied(second_cluster, BR.ViewHostComponents)
is_denied(second_cluster, BR.EditHostComponents,
(second_host, second_component))
delete_policy(user_policy)
is_denied(cluster, BR.ViewHostComponents)
is_denied(cluster, BR.EditHostComponents)
def test_view_imports(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects):
"""Test that View imports role is ok"""
cluster, service, *_ = as_user_objects(user_sdk, *prepare_objects)
second_cluster, second_service, *_ = as_user_objects(
user_sdk, *second_objects)
for base_object in [cluster, service]:
is_allowed(base_object, BR.ViewImports)
is_denied(base_object, BR.ManageImports, second_service)
for base_object in [second_cluster, second_service]:
is_denied(base_object, BR.ViewImports)
delete_policy(user_policy)
for base_object in [cluster, service]:
is_denied(base_object, BR.ViewImports)
def test_edit_roles(user_policy, user_sdk: ADCMClient,
sdk_client_fs: ADCMClient):
"""Test that "Edit role" role is ok"""
is_allowed(user_sdk, BusinessRoles.ViewRoles)
is_denied(user_sdk, BusinessRoles.CreateCustomRoles)
BusinessRoles.CreateCustomRoles.value.method_call(sdk_client_fs)
custom_role = user_sdk.role(name="Custom role")
is_allowed(custom_role, BusinessRoles.EditRoles)
is_denied(custom_role, BusinessRoles.RemoveRoles)
delete_policy(user_policy)
is_denied(custom_role, BusinessRoles.EditRoles)
def test_unmap_hosts(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects):
"""Test that Unmap hosts role is ok"""
cluster, *_, host = as_user_objects(user_sdk, *prepare_objects)
cluster_via_admin, *_, provider_via_admin, _ = prepare_objects
second_cluster, *_, second_host = as_user_objects(user_sdk,
*second_objects)
second_cluster_via_admin, *_ = second_objects
is_denied(cluster, BR.MapHosts, host)
is_denied(host, BR.RemoveHosts)
cluster_via_admin.host_add(host)
is_allowed(cluster, BR.UnmapHosts, host)
second_cluster_via_admin.host_add(second_host)
is_denied(second_cluster, BR.UnmapHosts, second_host)
delete_policy(user_policy)
new_host = provider_via_admin.host_create(fqdn="new_host")
cluster_via_admin.host_add(new_host)
is_denied(cluster, BR.UnmapHosts, new_host)
def test_host_actions(clients, actions_cluster, actions_cluster_bundle, actions_provider, user):
"""Test permissions on host actions"""
host_action_template = '{object_type} ready for host'
service_name, component_name = 'actions_service', 'single_component'
actions_service = actions_cluster.service(name=service_name)
single_component = actions_service.component(name=component_name)
second_cluster = actions_cluster_bundle.cluster_create(name='Test Second Cluster')
second_cluster.service_add(name=service_name)
with allure.step('Add hosts to clusters'):
first_host = actions_provider.host()
second_host = actions_provider.host_create(fqdn='test-new-host')
for cluster, host in ((actions_cluster, first_host), (second_cluster, second_host)):
cluster.host_add(host)
service = cluster.service(name=service_name)
component = service.component(name=component_name)
cluster.hostcomponent_set((host, component))
host, second_host = as_user_objects(clients.user, first_host, second_host)
cluster, _, _ = user_cluster_objects = as_user_objects(
clients.user, actions_cluster, actions_service, single_component
)
with allure.step('Grant permission to run host actions on cluster, service and component'):
business_roles = [
action_business_role(obj, host_action_template.format(object_type=obj.__class__.__name__))
for obj in user_cluster_objects
]
policy = create_action_policy(
clients.admin,
cluster,
*business_roles,
user=user,
)
with allure.step('Run host actions from cluster, service and component on host in and out of cluster'):
for role in business_roles:
is_allowed(host, role).wait()
is_denied(second_host, role)
with allure.step('Check policy deletion leads to denial of host action execution'):
delete_policy(policy)
for role in business_roles:
is_denied(host, role)
is_denied(second_host, role)
def test_remove_cluster(user_policy, user_sdk: ADCMClient, prepare_objects,
second_objects, sdk_client_fs, user):
"""Test that Remove cluster role is ok"""
cluster, *_ = as_user_objects(user_sdk, *prepare_objects)
second_cluster, *_ = as_user_objects(user_sdk, *second_objects)
is_denied(cluster.bundle(), BR.CreateCluster)
is_allowed(cluster, BR.RemoveCluster)
is_denied(second_cluster, BR.RemoveCluster)
new_policy = create_policy(sdk_client_fs,
BR.RemoveCluster,
objects=[second_cluster],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_cluster, BR.RemoveCluster)
def test_upgrade_application_bundle(user_policy, user_sdk: ADCMClient,
prepare_objects, sdk_client_fs, user):
"""Test that Upgrade application bundle role is ok"""
cluster, *_, provider, _ = as_user_objects(user_sdk, *prepare_objects)
cluster_via_admin, *_ = prepare_objects
second_cluster = user_sdk.cluster(
id=cluster_via_admin.bundle().cluster_create(name="Second cluster").id)
is_allowed(cluster, BR.UpgradeClusterBundle)
is_denied(provider, BR.UpgradeClusterBundle)
is_denied(second_cluster, BR.UpgradeClusterBundle)
new_policy = create_policy(sdk_client_fs,
BR.UpgradeClusterBundle,
objects=[second_cluster],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_cluster, BR.UpgradeClusterBundle)
def test_manage_imports(user_policy: Policy, user_sdk: ADCMClient,
prepare_objects, second_objects):
"""Test that Manage imports role is ok"""
cluster, service, *_ = as_user_objects(user_sdk, *prepare_objects)
cluster_via_admin, service_via_admin, *_ = prepare_objects
second_cluster, second_service, *_ = as_user_objects(
user_sdk, *second_objects)
for base_object in [cluster, service]:
is_allowed(base_object, BR.ViewImports)
is_allowed(base_object, BR.ManageImports, second_service)
for base_object in [second_cluster, second_service]:
is_denied(base_object, BR.ViewImports)
delete_policy(user_policy)
_ = (bind.delete() for bind in cluster_via_admin.bind_list())
_ = (bind.delete() for bind in service_via_admin.bind_list())
for base_object in [cluster, service]:
is_denied(base_object, BR.ViewImports)
is_denied(base_object, BR.ManageImports, second_service)
def test_remove_provider(user_policy, user_sdk: ADCMClient, prepare_objects,
second_objects, sdk_client_fs, user):
"""Test that Remove provider role is ok"""
*_, provider, host = as_user_objects(user_sdk, *prepare_objects)
*_, host_via_admin = prepare_objects
*_, second_provider, _ = as_user_objects(user_sdk, *second_objects)
*_, second_host_via_admin = second_objects
is_denied(host, BR.RemoveHosts)
host_via_admin.delete()
second_host_via_admin.delete()
is_allowed(provider, BR.RemoveHostProvider)
is_denied(second_provider, BR.RemoveHostProvider)
new_policy = create_policy(sdk_client_fs,
BR.RemoveHostProvider,
objects=[second_provider],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_provider, BR.RemoveHostProvider)
def _check_host_configs(allowed_on: Collection[Host] = (), denied_on: Collection[Host] = ()):
with new_client_instance(*TEST_USER_CREDENTIALS, clients.user.url) as user_client:
for obj in as_user_objects(user_client, *allowed_on):
is_allowed(obj, BusinessRoles.ViewHostConfigurations)
for obj in as_user_objects(user_client, *denied_on):
is_denied(obj, BusinessRoles.ViewHostConfigurations)
def test_add_remove_host_from_cluster(self, clients, prepare_objects, user):
"""Test that policies are applied after host add/remove after the policy was assigned at first"""
*_, admin_provider, _ = prepare_objects
another_host = admin_provider.host_create(fqdn='another-host')
cluster, *_, host, another_host = as_user_objects(clients.user, *prepare_objects, another_host)
is_denied(host, BusinessRoles.EditHostConfigurations)
is_denied(another_host, BusinessRoles.EditHostConfigurations)
is_denied(cluster, BusinessRoles.MapHosts, host)
self.grant_role(clients.admin, user, RbacRoles.ClusterAdministrator, cluster)
is_denied(host, BusinessRoles.EditHostConfigurations)
is_allowed(cluster, BusinessRoles.MapHosts, host)
is_allowed(host, BusinessRoles.EditHostConfigurations)
is_denied(another_host, BusinessRoles.EditHostConfigurations)
is_allowed(cluster, BusinessRoles.MapHosts, another_host)
is_allowed(another_host, BusinessRoles.EditHostConfigurations)
is_allowed(cluster, BusinessRoles.UnmapHosts, host)
is_denied(host, BusinessRoles.EditHostConfigurations)
is_allowed(another_host, BusinessRoles.EditHostConfigurations)
def check_action_is_not_allowed_on_objects(action_display_name: str, objects_to_deny: Dict[Type, Dict[int, object]]):
"""Check that provided action (by display name) is not allowed to run on any of provided objects"""
for object_map in objects_to_deny.values():
for adcm_object in object_map.values():
is_denied(adcm_object, action_business_role(adcm_object, action_display_name))
def test_lower_cluster_hierarchy(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Test that cluster role can be applied to lower cluster objects - services and components
"""
cluster, service, component, provider, host = as_user_objects(
user_sdk, *prepare_objects)
policy = create_policy(sdk_client_fs,
CLUSTER_VIEW_CONFIG_ROLES,
objects=[cluster],
users=[user],
groups=[])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
is_allowed(service, BusinessRoles.ViewServiceConfigurations)
is_allowed(component, BusinessRoles.ViewComponentConfigurations)
is_denied(provider, BusinessRoles.ViewProviderConfigurations)
is_denied(host, BusinessRoles.ViewHostConfigurations)
delete_policy(policy)
policy = create_policy(sdk_client_fs,
CLUSTER_VIEW_CONFIG_ROLES,
objects=[service],
users=[user],
groups=[])
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_allowed(service, BusinessRoles.ViewServiceConfigurations)
is_allowed(component, BusinessRoles.ViewComponentConfigurations)
is_denied(provider, BusinessRoles.ViewProviderConfigurations)
is_denied(host, BusinessRoles.ViewHostConfigurations)
delete_policy(policy)
create_policy(sdk_client_fs,
CLUSTER_VIEW_CONFIG_ROLES,
objects=[component],
users=[user],
groups=[])
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_denied(service, BusinessRoles.ViewServiceConfigurations)
is_allowed(component, BusinessRoles.ViewComponentConfigurations)
is_denied(provider, BusinessRoles.ViewProviderConfigurations)
is_denied(host, BusinessRoles.ViewHostConfigurations)
def test_provider_hierarchy(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Parametrize role with provider related objects
"""
cluster, service, component, provider, host = as_user_objects(
user_sdk, *prepare_objects)
policy = create_policy(sdk_client_fs,
PROVIDER_VIEW_CONFIG_ROLES,
objects=[provider],
users=[user],
groups=[])
is_allowed(provider, BusinessRoles.ViewProviderConfigurations)
is_allowed(host, BusinessRoles.ViewHostConfigurations)
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_denied(service, BusinessRoles.ViewServiceConfigurations)
is_denied(component, BusinessRoles.ViewComponentConfigurations)
delete_policy(policy)
create_policy(sdk_client_fs,
PROVIDER_VIEW_CONFIG_ROLES,
objects=[host],
users=[user],
groups=[])
is_denied(provider, BusinessRoles.ViewProviderConfigurations)
is_allowed(host, BusinessRoles.ViewHostConfigurations)
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_denied(service, BusinessRoles.ViewServiceConfigurations)
is_denied(component, BusinessRoles.ViewComponentConfigurations)
def check_has_no_rights():
is_denied(cluster, BR.ViewAnyObjectImport)
is_denied(cluster, BR.ViewAnyObjectHostComponents)
is_denied_to_view(*user_objects)
is_denied_to_edit(*user_objects)
def check_edit_is_denied(self, user_client, *objects):
"""Check edit is denied"""
for obj in as_user_objects(user_client, *objects):
is_denied(obj, BusinessRoles.edit_config_of(obj))
