def test_custom_role_check():
rest_api = Role('rest_api')
rest_api.lockdown(Bicycle) \
.writeable_by((Bicycle.group == ContextParam('group')) &
(ContextParam('custom_role') == 'admin'))
with test_database(test_db, [Group, Bicycle]):
g = Group.create(name='test')
b = Bicycle.create(group=g)
lockdown_context.role = rest_api
try:
b.serial = '1'
assert False, 'should have failed'
except LockdownException:
pass
lockdown_context.group = g.id
try:
b.serial = '1'
assert False, 'should have failed'
except LockdownException:
pass
lockdown_context.custom_role = 'user'
try:
b.serial = '1'
assert False, 'should have failed'
except LockdownException:
pass
lockdown_context.custom_role = 'admin'
b.serial = '1'
def test_lockdown_user():
lockdown_context.role = None
lockdown_context.user = None
lockdown_context.group = None
rest_api = Role('rest_api')
rest_api.lockdown(Bicycle) \
.field_writeable_by(Bicycle.owner, Bicycle.owner == ContextParam('user'))
with test_database(test_db, [User, Group, Bicycle]):
u = User.create(username='******')
u2 = User.create(username='******')
g = Group.create(name='test')
b = Bicycle.create(owner=u, group=g)
lockdown_context.role = rest_api
assert b.is_field_writeable(Bicycle.owner) is False
lockdown_context.user = 10
assert b.is_field_writeable(Bicycle.owner) is False
try:
b.owner = u2
assert False, 'should have thrown'
except:
pass
lockdown_context.user = u.id
assert b.is_field_writeable(Bicycle.owner) is True
def test_combined_roles():
server_api = Role('server_api')
server_api.lockdown(Bicycle) \
.writeable_by((Bicycle.group == ContextParam('group')) &
(ContextParam('custom_role') == 'admin'))
rest_api = server_api.extend('rest_api')
rest_api.lockdown(BaseModel)\
.field_writeable_by(BaseModel.created, NO_ONE)\
.field_writeable_by(BaseModel.modified, NO_ONE)
with test_database(test_db, [Group, Bicycle]):
g1 = Group.create(name='test1')
g2 = Group.create(name='test2')
b = Bicycle.create(group=g1)
lockdown_context.role = rest_api
lockdown_context.group = g1.id
lockdown_context.custom_role = 'admin'
b.serial = '1'
# make sure the group rule was inherited from server_api
lockdown_context.group = g2.id
try:
b.serial = '1'
assert False, 'should have failed'
except:
pass
# set group to the correct group, but shouldn't be able to set created
# since this is still the rest_api role
lockdown_context.group = g1.id
try:
b.created = datetime.utcnow()
assert False, 'should have failed'
except:
pass
# server_api can set created
lockdown_context.role = server_api
b.created = datetime.utcnow()
def test_insert():
lockdown_context.role = None
lockdown_context.user = None
lockdown_context.group = None
rest_api = Role('rest_api')
rest_api.lockdown(BigWheel) \
.writeable_by(BigWheel.owner == ContextParam('user'))\
.validate(BigWheel.owner, BigWheel.owner == ContextParam('user')) \
.field_writeable_by(BigWheel.serial, BigWheel.owner == ContextParam('user'))
with test_database(test_db, [User, Group, BigWheel]):
u1 = User.create(username='******')
u2 = User.create(username='******')
g = Group.create(name='test')
# set the role/user before inserting
lockdown_context.role = rest_api
lockdown_context.user = u1.id
try:
bwheel = BigWheel()
bwheel.owner = u2
bwheel.group = g
bwheel.serial = '1'
assert False, 'should have failed'
except LockdownException:
pass
# insert should work fine since object validates
bwheel = BigWheel()
bwheel.owner = u1
bwheel.group = g
bwheel.serial = '1'
bwheel.save()
b = BigWheel.get()
assert b.modified is not None
assert b.created is not None
assert b.serial == '1'
assert b.owner == u1
assert b.group == g
def test_is_readable_writable_field():
lockdown_context.role = None
lockdown_context.user = None
lockdown_context.group = None
rest_api = Role('rest_api')
rest_api.lockdown(BaseModel)\
.field_writeable_by(BaseModel.created, NO_ONE)\
.field_writeable_by(BaseModel.modified, NO_ONE)
rest_api.lockdown(Bicycle) \
.field_readable_by(Bicycle.serial, Bicycle.group == ContextParam('group')) \
.field_writeable_by(Bicycle.serial, Bicycle.owner == ContextParam('user'))
with test_database(test_db, [User, Group, Bicycle]):
u = User.create(username='******')
g = Group.create(name='test')
b = Bicycle.create(owner=u, group=g)
lockdown_context.role = rest_api
assert b.is_field_readable(Bicycle.serial) is False
assert b.is_field_writeable(Bicycle.serial) is False
assert b.is_field_writeable(Bicycle.modified) is False
assert b.is_field_writeable(Bicycle.created) is False
lockdown_context.group = 10
lockdown_context.user = 10
assert b.is_field_readable(Bicycle.serial) is False
assert b.is_field_writeable(Bicycle.serial) is False
lockdown_context.group = g.id
assert b.is_field_readable(Bicycle.serial) is True
assert b.is_field_writeable(Bicycle.serial) is False
lockdown_context.user = u.id
assert b.is_field_readable(Bicycle.serial) is True
assert b.is_field_writeable(Bicycle.serial) is True
def test_readable_writable():
lockdown_context.role = None
lockdown_context.user = None
lockdown_context.group = None
rest_api = Role('rest_api')
ldown = rest_api.lockdown(Bicycle) \
.readable_by(Bicycle.group == ContextParam('group')) \
.writeable_by(Bicycle.owner == ContextParam('user'))
with test_database(test_db, [User, Group, Bicycle]):
u = User.create(username='******')
g = Group.create(name='test')
b = Bicycle.create(owner=u, group=g)
assert b.is_readable() is True
assert b.is_writable() is True
lockdown_context.role = rest_api
assert b.is_readable() is False
assert b.is_writable() is False
lockdown_context.group = 10
lockdown_context.user = 10
assert b.is_readable() is False
assert b.is_writable() is False
lockdown_context.group = g.id
assert b.is_readable() is True
assert b.is_writable() is False
lockdown_context.user = u.id
assert b.is_readable() is True
assert b.is_writable() is True
def test_save():
lockdown_context.role = None
lockdown_context.user = None
lockdown_context.group = None
rest_api = Role('rest_api')
rest_api.lockdown(Bicycle) \
.field_readable_by(Bicycle.serial, Bicycle.group == ContextParam('group')) \
.field_writeable_by(Bicycle.serial, Bicycle.owner == ContextParam('user'))
with test_database(test_db, [User, Group, Bicycle]):
u = User.create(username='******')
g = Group.create(name='test')
b = Bicycle.create(owner=u, group=g, serial='1')
lockdown_context.role = rest_api
try:
b.serial = '10'
assert False, 'should have thrown'
except:
pass
assert b.serial == '1'
b = Bicycle.get()
assert b.serial is None, 'cant read this field, no group'
lockdown_context.group = g.id
b = Bicycle.get()
assert b.serial == '1', 'now this field can be read, should be 1 still'
lockdown_context.user = u.id
b.serial = '10'
b.save()
b = Bicycle.get()
assert b.serial == '10'
def test_no_one():
lockdown_context.role = None
lockdown_context.user = None
lockdown_context.group = None
rest_api = Role('rest_api')
rest_api.lockdown(Bicycle).readable_by(NO_ONE).writeable_by(NO_ONE)
with test_database(test_db, [User, Group, Bicycle]):
u = User.create(username='******')
g = Group.create(name='test')
b = Bicycle.create(owner=u, group=g)
lockdown_context.role = rest_api
assert b.is_readable() is False
assert b.is_writable() is False
lockdown_context.group = g.id
lockdown_context.user = u.id
assert b.is_readable() is False
assert b.is_writable() is False
param(
[{
"user": "******"
}, {
"user": Group
}],
{"user": Group},
id="merge_into_missing_node",
),
param(
[{
"admin": {
"name": "joe",
"age": 42
}
}, Group(admin=None)],
{"admin": None},
id="merge_none_into_existing_node",
),
param(
[{
"user": User()
}, {
"user": {
"foo": "bar"
}
}],
raises(ConfigKeyError),
id="merge_unknown_key_into_structured_node",
),
# DictConfig with element_type of Structured Config
}],
),
# ListConfig
(
lambda value, is_optional, key=None: ListConfig(
is_optional=is_optional, content=value, key=key),
[[], [1, 2, 3]],
),
# dataclass
(
lambda value, is_optional, key=None: DictConfig(ref_type=Group,
is_optional=
is_optional,
content=value,
key=key),
[Group, Group()],
),
],
ids=(
"BooleanNode",
"BytesNode",
"FloatNode",
"IntegerNode",
"StringNode",
"EnumNode",
"DictConfig",
"ListConfig",
"dataclass",
),
)
class TestNodeTypesMatrix:
),
pytest.param(
[{"user": User}, {"user": Group}],
pytest.raises(ValidationError),
id="merge_group_onto_user_error",
),
pytest.param(
[Plugin, ConcretePlugin], ConcretePlugin, id="merge_subclass_on_superclass"
),
pytest.param(
[{"user": "******"}, {"user": Group}],
{"user": Group},
id="merge_into_missing_node",
),
pytest.param(
[{"admin": {"name": "joe", "age": 42}}, Group(admin=None)],
{"admin": None},
id="merge_none_into_existing_node",
),
pytest.param(
[{"user": User()}, {"user": {"foo": "bar"}}],
pytest.raises(ConfigKeyError),
id="merge_unknown_key_into_structured_node",
),
# DictConfig with element_type of Structured Config
pytest.param(
(
DictConfig({}, element_type=User),
{"user007": {"age": 99}},
),
{"user007": {"name": "???", "age": 99}},