示例#1
 def test_can_not_manage(self, cluster_permission_obj, project_id,
                         cluster_id):
     """Scenario: no cluster manage permission (and no project view permission).

     The anonymous role must be rejected with ``PermissionDeniedError``, and
     the ``apply_url`` carried by the error must equal the URL generated for
     cluster MANAGE, cluster VIEW and project VIEW.
     """
     denied_user = roles.ANONYMOUS_USER
     ctx = ClusterPermCtx(username=denied_user,
                          project_id=project_id,
                          cluster_id=cluster_id)

     # NOTE(review): manage_cluster is defined outside this snippet;
     # presumably it is guarded by the cluster permission check - confirm.
     with pytest.raises(PermissionDeniedError) as exc_info:
         manage_cluster(ctx)

     # Read the URL off the raised error before building the expectation.
     actual_url = exc_info.value.data['apply_url']

     # Both cluster-level requests hang off the owning project.
     expected_actions = [
         ActionResourcesRequest(
             ClusterAction.MANAGE,
             resource_type=ClusterPermission.resource_type,
             resources=[cluster_id],
             parent_chain=[IAMResource(ResourceType.Project, project_id)],
         ),
         ActionResourcesRequest(
             ClusterAction.VIEW,
             resource_type=ClusterPermission.resource_type,
             resources=[cluster_id],
             parent_chain=[IAMResource(ResourceType.Project, project_id)],
         ),
         ActionResourcesRequest(
             ProjectAction.VIEW,
             resource_type=ProjectPermission.resource_type,
             resources=[project_id],
         ),
     ]
     assert actual_url == generate_apply_url(denied_user, expected_actions)
示例#2
 def test_can_not_instantiate(self, templateset_permission_obj, project_id,
                              template_id):
     """Scenario: no templateset instantiate permission (and no project view).

     ``can_instantiate`` must raise ``PermissionDeniedError`` for the
     anonymous role, and the error's ``perms.apply_url`` must equal the URL
     generated for templateset INSTANTIATE, templateset VIEW and project VIEW.
     """
     denied_user = roles.ANONYMOUS_USER
     ctx = TemplatesetPermCtx(username=denied_user,
                              project_id=project_id,
                              template_id=template_id)

     with pytest.raises(PermissionDeniedError) as exc_info:
         templateset_permission_obj.can_instantiate(ctx)

     # Read the URL off the raised error before building the expectation.
     actual_url = exc_info.value.data['perms']['apply_url']

     # Templateset requests carry the project as their only ancestor.
     expected_actions = [
         ActionResourcesRequest(
             TemplatesetAction.INSTANTIATE,
             resource_type=ResourceType.Templateset,
             resources=[template_id],
             parent_chain=[IAMResource(ResourceType.Project, project_id)],
         ),
         ActionResourcesRequest(
             TemplatesetAction.VIEW,
             resource_type=ResourceType.Templateset,
             resources=[template_id],
             parent_chain=[IAMResource(ResourceType.Project, project_id)],
         ),
         ActionResourcesRequest(
             ProjectAction.VIEW,
             resource_type=ResourceType.Project,
             resources=[project_id],
         ),
     ]
     assert actual_url == generate_apply_url(denied_user, expected_actions)
示例#3
 def test_can_create_but_no_cluster(self, cluster_scoped_permission_obj,
                                    project_id, cluster_id):
     """Scenario: has cluster-scoped create permission (but no cluster permission).

     ``can_create`` must still raise ``PermissionDeniedError``, and the
     error's ``perms.apply_url`` must equal the URL generated for cluster
     VIEW and project VIEW only.
     """
     ctx = ClusterScopedPermCtx(
         username=roles.CLUSTER_SCOPED_NO_CLUSTER_USER,
         project_id=project_id,
         cluster_id=cluster_id,
     )

     with pytest.raises(PermissionDeniedError) as exc_info:
         cluster_scoped_permission_obj.can_create(ctx)

     # Read the URL off the raised error before building the expectation.
     actual_url = exc_info.value.data['perms']['apply_url']

     # The cluster-scoped CREATE action itself is absent from the expected
     # list; only the cluster/project view requests are asserted.
     expected_url = generate_apply_url(
         roles.CLUSTER_SCOPED_NO_CLUSTER_USER,
         [
             ActionResourcesRequest(
                 ClusterAction.VIEW,
                 resource_type=ResourceType.Cluster,
                 resources=[cluster_id],
                 parent_chain=[
                     IAMResource(ResourceType.Project, project_id),
                 ],
             ),
             ActionResourcesRequest(
                 ProjectAction.VIEW,
                 resource_type=ResourceType.Project,
                 resources=[project_id],
             ),
         ],
     )
     assert actual_url == expected_url
示例#4
 def test_can_manage_but_no_view(self, cluster_permission_obj, project_id,
                                 cluster_id):
     """Scenario: has cluster manage permission (but no cluster view permission).

     ``can_manage`` must raise ``PermissionDeniedError`` for this role, and
     the error's ``perms.apply_url`` must equal the URL generated for cluster
     VIEW and project VIEW.
     """
     partial_user = roles.CLUSTER_MANAGE_NOT_VIEW_USER
     ctx = ClusterPermCtx(username=partial_user,
                          project_id=project_id,
                          cluster_id=cluster_id)

     with pytest.raises(PermissionDeniedError) as exc_info:
         cluster_permission_obj.can_manage(ctx)

     # Read the URL off the raised error before building the expectation.
     actual_url = exc_info.value.data['perms']['apply_url']

     # MANAGE is not in the expected list; only the view requests are.
     expected_actions = [
         ActionResourcesRequest(
             ClusterAction.VIEW,
             resource_type=ResourceType.Cluster,
             resources=[cluster_id],
             parent_chain=[IAMResource(ResourceType.Project, project_id)],
         ),
         ActionResourcesRequest(
             ProjectAction.VIEW,
             resource_type=ResourceType.Project,
             resources=[project_id],
         ),
     ]
     assert actual_url == generate_apply_url(partial_user, expected_actions)
示例#5
 def test_can_not_view_but_project(self, cluster_permission_obj, project_id,
                                   cluster_id):
     """Scenario: no cluster view permission (but has project view permission).

     Delegates to ``self._test_can_not_view`` with the action list the
     denial is expected to report.
     """
     # NOTE(review): ProjectAction.VIEW is still expected although the
     # scenario says this role holds it - presumably the apply URL lists
     # every related action regardless of what is already granted; confirm.
     cluster_view = ActionResourcesRequest(
         ClusterAction.VIEW,
         resource_type=ResourceType.Cluster,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     self._test_can_not_view(
         roles.PROJECT_NO_CLUSTER_USER,
         cluster_permission_obj,
         project_id,
         cluster_id,
         expected_action_list=[cluster_view, project_view],
     )
示例#6
 def test_can_not_view(self, cluster_permission_obj, project_id,
                       cluster_id):
     """Scenario: no cluster view permission (and no project view permission).

     Delegates to ``self._test_can_not_view`` for the anonymous role with
     the action list the denial is expected to report.
     """
     # Resource types are read from the permission objects themselves
     # rather than from ResourceType constants.
     cluster_view = ActionResourcesRequest(
         ClusterAction.VIEW,
         resource_type=cluster_permission_obj.resource_type,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ProjectPermission.resource_type,
         resources=[project_id],
     )
     self._test_can_not_view(
         roles.ANONYMOUS_USER,
         cluster_permission_obj,
         project_id,
         cluster_id,
         expected_action_list=[cluster_view, project_view],
     )
示例#7
 def get_parent_chain(self) -> List[IAMResource]:
     """Return the ancestor resources of this context: project, then cluster."""
     project_node = IAMResource(ResourceType.Project, self.project_id)
     cluster_node = IAMResource(ResourceType.Cluster, self.cluster_id)
     return [project_node, cluster_node]
示例#8
 def get_parent_chain(self,
                      perm_ctx: TemplatesetPermCtx) -> List[IAMResource]:
     """Return the ancestor resources for ``perm_ctx``: the project only."""
     project_node = IAMResource(ResourceType.Project, perm_ctx.project_id)
     return [project_node]
示例#9
    def test_can_not_instantiate_in_ns(
        self,
        templateset_permission_obj,
        namespace_scoped_permission_obj,
        project_id,
        template_id,
        cluster_id,
        namespace,
    ):
        """Scenario: has templateset instantiate permission (but none to instantiate into the namespace).

        ``can_instantiate_in_ns`` must raise ``PermissionDeniedError``, and
        the error's ``perms.apply_url`` must equal the URL generated for the
        namespace-scoped CREATE/VIEW/UPDATE/DELETE actions, namespace VIEW,
        cluster VIEW and project VIEW.
        """
        templateset_user = roles.PROJECT_TEMPLATESET_USER
        ctx = TemplatesetPermCtx(username=templateset_user,
                                 project_id=project_id,
                                 template_id=template_id)

        with pytest.raises(PermissionDeniedError) as exc_info:
            templateset_permission_obj.can_instantiate_in_ns(
                ctx, cluster_id, namespace)

        iam_ns_id = calc_iam_ns_id(cluster_id, namespace)
        actual_url = exc_info.value.data['perms']['apply_url']

        # The five namespace-level requests differ only in their action;
        # each gets its own resources list and project -> cluster chain.
        namespace_level_actions = (
            NamespaceScopedAction.CREATE,
            NamespaceScopedAction.VIEW,
            NamespaceScopedAction.UPDATE,
            NamespaceScopedAction.DELETE,
            NamespaceAction.VIEW,
        )
        expected_actions = [
            ActionResourcesRequest(
                action,
                ResourceType.Namespace,
                resources=[iam_ns_id],
                parent_chain=[
                    IAMResource(ResourceType.Project, project_id),
                    IAMResource(ResourceType.Cluster, cluster_id),
                ],
            )
            for action in namespace_level_actions
        ]
        # Ancestor permissions follow: cluster view, then project view.
        expected_actions.append(
            ActionResourcesRequest(
                ClusterAction.VIEW,
                ResourceType.Cluster,
                resources=[cluster_id],
                parent_chain=[IAMResource(ResourceType.Project, project_id)],
            ))
        expected_actions.append(
            ActionResourcesRequest(ProjectAction.VIEW,
                                   ResourceType.Project,
                                   resources=[project_id]))

        assert actual_url == generate_apply_url(templateset_user,
                                                expected_actions)
示例#10
 def get_parent_chain(self, perm_ctx: NamespacePermCtx) -> List[IAMResource]:
     """Return the ancestor resources for ``perm_ctx``: project, then cluster."""
     project_node = IAMResource(ResourceType.Project, perm_ctx.project_id)
     cluster_node = IAMResource(ResourceType.Cluster, perm_ctx.cluster_id)
     return [project_node, cluster_node]