示例#1
 def test_can_not_manage(self, cluster_permission_obj, project_id,
                         cluster_id):
     """Scenario: no cluster manage permission (and no project view permission).

     manage_cluster must raise PermissionDeniedError for the anonymous user,
     and the apply URL carried by the error must request cluster manage,
     cluster view and project view.
     """
     username = roles.ANONYMOUS_USER
     ctx = ClusterPermCtx(
         username=username,
         project_id=project_id,
         cluster_id=cluster_id,
     )
     with pytest.raises(PermissionDeniedError) as denied:
         manage_cluster(ctx)

     def cluster_request(action):
         # Each request gets its own resources/parent_chain objects.
         return ActionResourcesRequest(
             action,
             resource_type=ClusterPermission.resource_type,
             resources=[cluster_id],
             parent_chain=[IAMResource(ResourceType.Project, project_id)],
         )

     actual_url = denied.value.data['apply_url']
     expected_actions = [
         cluster_request(ClusterAction.MANAGE),
         cluster_request(ClusterAction.VIEW),
         ActionResourcesRequest(
             ProjectAction.VIEW,
             resource_type=ProjectPermission.resource_type,
             resources=[project_id],
         ),
     ]
     assert actual_url == generate_apply_url(username, expected_actions)
示例#2
 def test_can_view_but_no_project(self, cluster_permission_obj, project_id,
                                  cluster_id):
     """Scenario: the user has cluster view permission.

     NOTE(review): going by the role name, this user presumably has no
     project permission; the test pins that can_view still succeeds for
     them. Confirm that this is the intended policy.
     """
     ctx = ClusterPermCtx(
         username=roles.CLUSTER_NO_PROJECT_USER,
         project_id=project_id,
         cluster_id=cluster_id,
     )
     allowed = cluster_permission_obj.can_view(ctx)
     assert allowed
示例#3
 def test_can_manage_but_no_view(self, cluster_permission_obj, project_id,
                                 cluster_id):
     """Scenario: has cluster manage permission but no cluster view permission.

     can_manage must raise PermissionDeniedError, and the apply URL stored
     under ``data['perms']`` must request cluster view and project view.
     """
     username = roles.CLUSTER_MANAGE_NOT_VIEW_USER
     ctx = ClusterPermCtx(
         username=username,
         project_id=project_id,
         cluster_id=cluster_id,
     )
     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_manage(ctx)

     actual_url = denied.value.data['perms']['apply_url']
     cluster_view = ActionResourcesRequest(
         ClusterAction.VIEW,
         resource_type=ResourceType.Cluster,
         resources=[cluster_id],
         parent_chain=[IAMResource(ResourceType.Project, project_id)],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     assert actual_url == generate_apply_url(
         username, [cluster_view, project_view])
示例#4
def check_cluster_perm(user,
                       project_id,
                       cluster_id,
                       raise_exception=True,
                       request=None):
    """Run the cluster view permission check for *user*.

    Builds a ClusterPermCtx from ``user.username``, *project_id* and
    *cluster_id* and passes it to ``ClusterPermission().can_view``. The
    result of that call is discarded, so this function returns ``None``.

    NOTE(review): ``raise_exception`` and ``request`` are accepted but never
    used. A caller that passes ``raise_exception=False`` and inspects the
    return value will not get a boolean; a denial can only surface through
    whatever ``can_view`` raises. Confirm against the callers.
    """
    view_ctx = ClusterPermCtx(
        username=user.username,
        project_id=project_id,
        cluster_id=cluster_id,
    )
    checker = ClusterPermission()
    checker.can_view(view_ctx)
示例#5
 def _test_can_not_view(self, username, cluster_permission_obj, project_id,
                        cluster_id, expected_action_list):
     """Assert that can_view is denied for *username*.

     The call must raise PermissionDeniedError, and the error's
     ``data['apply_url']`` must equal the apply URL generated for
     *username* and *expected_action_list*.
     """
     ctx = ClusterPermCtx(
         username=username,
         project_id=project_id,
         cluster_id=cluster_id,
     )
     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_view(ctx)

     actual_url = denied.value.data['apply_url']
     expected_url = generate_apply_url(username, expected_action_list)
     assert actual_url == expected_url
示例#6
 def list(self, request, project_id, cluster_id):
     """Return the cluster's master nodes after a cluster view permission check."""
     # Cluster view permission is required.
     # TODO: switch to the new permission check once Permission Center V3 is supported
     # NOTE(review): the return value of can_view is discarded, so this is
     # only an effective gate if can_view raises on denial — confirm.
     view_ctx = ClusterPermCtx(
         username=request.user.username,
         project_id=project_id,
         cluster_id=cluster_id,
     )
     ClusterPermission().can_view(view_ctx)
     # Fetch the master details.
     # NOTE(review): the check above uses the project_id/cluster_id arguments,
     # while the query uses request.ctx_cluster and request.project —
     # presumably both come from the same URL parameters; verify that they
     # cannot refer to different clusters.
     master_client = node.BcsClusterMaster(
         ctx_cluster=request.ctx_cluster,
         biz_id=request.project.cc_app_id,
     )
     return Response(master_client.list_masters())
示例#7
 def test_can_manage_but_no_project(self, cluster_permission_obj,
                                    project_id, cluster_id):
     """Scenario: has cluster manage permission but no project permission.

     can_manage must raise PermissionDeniedError, and the apply URL stored
     under ``data['perms']`` must request project view only.
     """
     username = roles.CLUSTER_NO_PROJECT_USER
     ctx = ClusterPermCtx(
         username=username,
         project_id=project_id,
         cluster_id=cluster_id,
     )
     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_manage(ctx)

     actual_url = denied.value.data['perms']['apply_url']
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     assert actual_url == generate_apply_url(username, [project_view])
示例#8
 def test_can_not_create(self, cluster_permission_obj, project_id,
                         cluster_id):
     """Scenario: no cluster create permission (and no project view permission).

     The context carries no cluster_id. can_create must raise
     PermissionDeniedError, and the apply URL stored under ``data['perms']``
     must request cluster create (on the project resource) and project view.
     """
     ctx = ClusterPermCtx(
         username=roles.ANONYMOUS_USER,
         project_id=project_id,
     )
     with pytest.raises(PermissionDeniedError) as denied:
         cluster_permission_obj.can_create(ctx)

     actual_url = denied.value.data['perms']['apply_url']
     cluster_create = ActionResourcesRequest(
         ClusterAction.CREATE,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     project_view = ActionResourcesRequest(
         ProjectAction.VIEW,
         resource_type=ResourceType.Project,
         resources=[project_id],
     )
     assert actual_url == generate_apply_url(
         roles.ANONYMOUS_USER, [cluster_create, project_view])
示例#9
 def test_can_view(self, cluster_permission_obj, project_id, cluster_id):
     """Scenario: has cluster view permission (and project view permission)."""
     ctx = ClusterPermCtx(
         username=roles.ADMIN_USER,
         project_id=project_id,
         cluster_id=cluster_id,
     )
     allowed = cluster_permission_obj.can_view(ctx)
     assert allowed
示例#10
 def test_can_manage(self, cluster_permission_obj, project_id, cluster_id):
     """Scenario: has cluster manage permission (and project view permission).

     There is no explicit assertion: the test passes when manage_cluster
     completes without raising.
     """
     admin_ctx = ClusterPermCtx(
         username=roles.ADMIN_USER,
         project_id=project_id,
         cluster_id=cluster_id,
     )
     manage_cluster(admin_ctx)
示例#11
 def can_view_cluster(self, request, project_id, cluster_id):
     """Run the cluster view permission check for the requesting user.

     NOTE(review): the result of can_view is discarded and nothing is
     returned, so a denial can only surface as an exception raised by
     can_view — confirm callers do not test this method's return value.
     """
     view_ctx = ClusterPermCtx(
         username=request.user.username,
         project_id=project_id,
         cluster_id=cluster_id,
     )
     checker = ClusterPermission()
     checker.can_view(view_ctx)
示例#12
 def detail(self, request, project_id, cluster_id, name):
     """Node detail."""
     # Cluster view permission is required.
     # NOTE(review): the return value of can_view is discarded, so this is
     # only an effective gate if can_view raises on denial — confirm.
     view_ctx = ClusterPermCtx(
         username=request.user.username,
         project_id=project_id,
         cluster_id=cluster_id,
     )
     ClusterPermission().can_view(view_ctx)
     # NOTE(review): the check uses the cluster_id argument while the query
     # uses request.ctx_cluster — presumably the same cluster; verify.
     querier = node.NodeDetailQuerier(name, request.ctx_cluster)
     return Response(querier.detail())