def test_has_role(self):
acl.PackageACL(
key=acl.package_acl_key('a', 'OWNER'),
users=[auth.Identity.from_bytes('user:[email protected]')]).put()
acl.PackageACL(
key=acl.package_acl_key('a/b/c', 'OWNER'),
groups=['mid-group']).put()
acl.PackageACL(
key=acl.package_acl_key('a/b/c/d/e', 'OWNER'),
groups=['leaf-group']).put()
# Verify get_package_acls works.
self.assertEqual(
[('a', 'OWNER'), ('a/b/c', 'OWNER'), ('a/b/c/d/e', 'OWNER')],
[
(e.package_path, e.role)
for e in acl.get_package_acls('a/b/c/d/e/f', 'OWNER')
])
# Mock groups.
def mocked_is_group_member(group, ident):
if group == 'mid-group' and ident.name == '*****@*****.**':
return True
if group == 'leaf-group' and ident.name == '*****@*****.**':
return True
return False
self.mock(acl.auth, 'is_group_member', mocked_is_group_member)
# Verify has_role works.
check = lambda p, i: acl.has_role(p, 'OWNER', auth.Identity.from_bytes(i))
self.assertTrue(check('a', 'user:[email protected]'))
self.assertFalse(check('b', 'user:[email protected]'))
self.assertTrue(check('a/b/c/d/e/f', 'user:[email protected]'))
self.assertFalse(check('a', 'user:[email protected]'))
self.assertTrue(check('a/b/c/d/e/f', 'user:[email protected]'))
self.assertFalse(check('a/b/c/d', 'user:[email protected]'))
self.assertTrue(check('a/b/c/d/e/f', 'user:[email protected]'))
def test_has_role(self):
acl.PackageACL(
key=acl.package_acl_key('a', 'OWNER'),
users=[auth.Identity.from_bytes('user:[email protected]')
]).put()
acl.PackageACL(key=acl.package_acl_key('a/b/c', 'OWNER'),
groups=['mid-group']).put()
acl.PackageACL(key=acl.package_acl_key('a/b/c/d/e', 'OWNER'),
groups=['leaf-group']).put()
# Verify get_package_acls works.
self.assertEqual(
[('a', 'OWNER'), ('a/b/c', 'OWNER'), ('a/b/c/d/e', 'OWNER')],
[(e.package_path, e.role)
for e in acl.get_package_acls('a/b/c/d/e/f', 'OWNER')])
# Mock groups.
def mocked_is_group_member(group, ident):
if group == 'mid-group' and ident.name == '*****@*****.**':
return True
if group == 'leaf-group' and ident.name == '*****@*****.**':
return True
return False
self.mock(acl.auth, 'is_group_member', mocked_is_group_member)
# Verify has_role works.
check = lambda p, i: acl.has_role(p, 'OWNER',
auth.Identity.from_bytes(i))
self.assertTrue(check('a', 'user:[email protected]'))
self.assertFalse(check('b', 'user:[email protected]'))
self.assertTrue(check('a/b/c/d/e/f', 'user:[email protected]'))
self.assertFalse(check('a', 'user:[email protected]'))
self.assertTrue(check('a/b/c/d/e/f', 'user:[email protected]'))
self.assertFalse(check('a/b/c/d', 'user:[email protected]'))
self.assertTrue(check('a/b/c/d/e/f', 'user:[email protected]'))
def test_package_acl_key(self):
self.assertEqual(
ndb.Key('PackageACLRoot', 'acls', 'PackageACL', 'OWNER:a/b/c'),
acl.package_acl_key('a/b/c', 'OWNER'))
def test_modify_roles(self):
ident_a = auth.Identity.from_bytes('user:[email protected]')
ident_b = auth.Identity.from_bytes('user:[email protected]')
# Modify a bunch of packages. Include some redundant and self-canceling
# changes to test all code paths.
acl.modify_roles(changes=[
acl.RoleChange(package_path='a',
revoke=False,
role='OWNER',
user=ident_a,
group=None),
acl.RoleChange(package_path='a',
revoke=False,
role='OWNER',
user=ident_a,
group=None),
acl.RoleChange(package_path='a',
revoke=False,
role='OWNER',
user=ident_b,
group=None),
acl.RoleChange(package_path='a/b',
revoke=False,
role='OWNER',
user=None,
group='some-group'),
acl.RoleChange(package_path='a/b',
revoke=False,
role='OWNER',
user=None,
group='some-group'),
acl.RoleChange(package_path='a/b/c',
revoke=False,
role='OWNER',
user=ident_a,
group=None),
acl.RoleChange(package_path='a/b/c',
revoke=True,
role='OWNER',
user=ident_a,
group=None),
],
caller=ident_a,
now=datetime.datetime(2014, 1, 1))
# Ensure modification have been applied correctly.
self.assertEqual(
{
'groups': [],
'modified_by': ident_a,
'modified_ts': datetime.datetime(2014, 1, 1, 0, 0),
'rev': 1,
'users': [ident_a, ident_b],
},
acl.package_acl_key('a', 'OWNER').get().to_dict())
self.assertEqual(
{
'groups': ['some-group'],
'modified_by': ident_a,
'modified_ts': datetime.datetime(2014, 1, 1, 0, 0),
'rev': 1,
'users': [],
},
acl.package_acl_key('a/b', 'OWNER').get().to_dict())
self.assertEqual(None, acl.package_acl_key('a/b/c', 'OWNER').get())
# Modify same ACLs again.
acl.modify_roles(changes=[
acl.RoleChange(package_path='a',
revoke=True,
role='OWNER',
user=ident_a,
group=None),
acl.RoleChange(package_path='a',
revoke=False,
role='OWNER',
user=None,
group='some-group'),
acl.RoleChange(package_path='a/b',
revoke=True,
role='OWNER',
user=None,
group='some-group'),
],
caller=ident_b,
now=datetime.datetime(2015, 1, 1))
# Ensure modification have been applied correctly.
self.assertEqual(
{
'groups': ['some-group'],
'modified_by': ident_b,
'modified_ts': datetime.datetime(2015, 1, 1, 0, 0),
'rev': 2,
'users': [ident_b],
},
acl.package_acl_key('a', 'OWNER').get().to_dict())
# Ensure previous version has been saved in the revision log.
rev_key = ndb.Key(acl.PackageACLRevision,
1,
parent=acl.package_acl_key('a', 'OWNER'))
self.assertEqual(
{
'groups': [],
'modified_by': ident_a,
'modified_ts': datetime.datetime(2014, 1, 1, 0, 0),
'users': [ident_a, ident_b],
},
rev_key.get().to_dict())
def test_package_acl_key(self):
self.assertEqual(
ndb.Key('PackageACLRoot', 'acls', 'PackageACL', 'OWNER:a/b/c'),
acl.package_acl_key('a/b/c', 'OWNER'))
def test_modify_roles(self):
ident_a = auth.Identity.from_bytes('user:[email protected]')
ident_b = auth.Identity.from_bytes('user:[email protected]')
# Modify a bunch of packages. Include some redundant and self-canceling
# changes to test all code paths.
acl.modify_roles(
changes=[
acl.RoleChange(
package_path='a',
revoke=False,
role='OWNER',
user=ident_a,
group=None),
acl.RoleChange(
package_path='a',
revoke=False,
role='OWNER',
user=ident_a,
group=None),
acl.RoleChange(
package_path='a',
revoke=False,
role='OWNER',
user=ident_b,
group=None),
acl.RoleChange(
package_path='a/b',
revoke=False,
role='OWNER',
user=None,
group='some-group'),
acl.RoleChange(
package_path='a/b',
revoke=False,
role='OWNER',
user=None,
group='some-group'),
acl.RoleChange(
package_path='a/b/c',
revoke=False,
role='OWNER',
user=ident_a,
group=None),
acl.RoleChange(
package_path='a/b/c',
revoke=True,
role='OWNER',
user=ident_a,
group=None),
],
caller=ident_a,
now=datetime.datetime(2014, 1, 1))
# Ensure modification have been applied correctly.
self.assertEqual({
'groups': [],
'modified_by': ident_a,
'modified_ts': datetime.datetime(2014, 1, 1, 0, 0),
'rev': 1,
'users': [ident_a, ident_b],
}, acl.package_acl_key('a', 'OWNER').get().to_dict())
self.assertEqual({
'groups': ['some-group'],
'modified_by': ident_a,
'modified_ts': datetime.datetime(2014, 1, 1, 0, 0),
'rev': 1,
'users': [],
}, acl.package_acl_key('a/b', 'OWNER').get().to_dict())
self.assertEqual(None, acl.package_acl_key('a/b/c', 'OWNER').get())
# Modify same ACLs again.
acl.modify_roles(
changes=[
acl.RoleChange(
package_path='a',
revoke=True,
role='OWNER',
user=ident_a,
group=None),
acl.RoleChange(
package_path='a',
revoke=False,
role='OWNER',
user=None,
group='some-group'),
acl.RoleChange(
package_path='a/b',
revoke=True,
role='OWNER',
user=None,
group='some-group'),
],
caller=ident_b,
now=datetime.datetime(2015, 1, 1))
# Ensure modification have been applied correctly.
self.assertEqual({
'groups': ['some-group'],
'modified_by': ident_b,
'modified_ts': datetime.datetime(2015, 1, 1, 0, 0),
'rev': 2,
'users': [ident_b],
}, acl.package_acl_key('a', 'OWNER').get().to_dict())
# Ensure previous version has been saved in the revision log.
rev_key = ndb.Key(
acl.PackageACLRevision, 1, parent=acl.package_acl_key('a', 'OWNER'))
self.assertEqual({
'groups': [],
'modified_by': ident_a,
'modified_ts': datetime.datetime(2014, 1, 1, 0, 0),
'users': [ident_a, ident_b],
}, rev_key.get().to_dict())