def test_get_rules_for_user_9(self):
    """A normal user's image DELETE on another host resolves to ReadOnly only.

    The request is a destructive call (DELETE on /images/abc123) against
    host "other01". The lookup must return exactly one entry, 'ReadOnly',
    so no additional, more permissive rule is attached to it.
    """
    request = {
        "User": "******",
        "RequestMethod": "DELETE",
        "RequestUri": "/v1.32/images/abc123",
        "Host": "other01",
    }
    policy_config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
    matched = policy_config.get_rules(Payload(request))

    # NOTE(review): this only pins which rule is selected; that ReadOnly
    # actually rejects a DELETE is presumably covered by the rule's own
    # tests -- confirm.
    self.assertEqual(len(matched), 1)
    self.assertIn('ReadOnly', matched)
def test_get_rules_for_user_10(self):
    """A normal user's container create on srv33 resolves to ReadOnly only.

    The request is a write (POST /containers/create) against host "srv33".
    The lookup must return exactly one entry, 'ReadOnly'.
    """
    request = {
        "User": "******",
        "RequestMethod": "POST",
        "RequestUri": "/v1.32/containers/create",
        "Host": "srv33",
    }
    policy_config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
    matched = policy_config.get_rules(Payload(request))

    # Exactly one rule: a second entry would mean another policy also
    # matched this host/user pair.
    self.assertEqual(len(matched), 1)
    self.assertIn('ReadOnly', matched)
def test_get_rules_for_admin_4(self):
    """Host srv33 is handled like an "other" host: an admin gets Allow.

    Same request as the normal-user srv33 case (POST /containers/create),
    but for an admin account; the only rule returned must be 'Allow'.
    """
    request = {
        "User": "******",
        "RequestMethod": "POST",
        "RequestUri": "/v1.32/containers/create",
        "Host": "srv33",
    }
    policy_config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
    matched = policy_config.get_rules(Payload(request))

    self.assertEqual(len(matched), 1)
    self.assertIn('Allow', matched)
def test_get_rules_for_user_5(self):
    """A normal user listing images on a workstation gets ReadOnly only.

    GET /images/json against host "wks01" must resolve to a single
    'ReadOnly' entry.
    """
    request = {
        "User": "******",
        "RequestMethod": "GET",
        "RequestUri": "/v1.32/images/json",
        "Host": "wks01",
    }
    policy_config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
    matched = policy_config.get_rules(Payload(request))

    self.assertEqual(len(matched), 1)
    self.assertIn('ReadOnly', matched)
def test_get_rules_for_admin_3(self):
    """An admin creating a container on an "other" host gets Allow only.

    POST /containers/create against host "other01" must resolve to a
    single 'Allow' entry.
    """
    request = {
        "User": "******",
        "RequestMethod": "POST",
        "RequestUri": "/v1.32/containers/create",
        "Host": "other01",
    }
    policy_config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
    matched = policy_config.get_rules(Payload(request))

    self.assertEqual(len(matched), 1)
    self.assertIn('Allow', matched)
def test_get_rules_for_anonymous_2(self):
    """An unauthenticated container create on a workstation gets ReadOnly.

    The payload carries no user ("User" is None). A POST to
    /containers/create on "wks01" must resolve to a single 'ReadOnly'
    entry rather than any rule granted to named users.
    """
    request = {
        "User": None,
        "RequestMethod": "POST",
        "RequestUri": "/v1.32/containers/create",
        "Host": "wks01",
    }
    policy_config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
    matched = policy_config.get_rules(Payload(request))

    self.assertEqual(len(matched), 1)
    self.assertIn('ReadOnly', matched)
def test_get_rules_for_user_4(self):
    """A normal user's image create on a workstation is name-restricted.

    POST /images/create against "wks01" must resolve to exactly one rule:
    an ImagesName restriction carrying the two expected name patterns.
    """
    request = {
        "User": "******",
        "RequestMethod": "POST",
        "RequestUri": "/v1.32/images/create",
        "Host": "wks01",
    }
    # The "$USER" placeholder is expected back verbatim from get_rules;
    # presumably it is substituted later, when the rule is evaluated.
    expected = {"ImagesName": ["^foo-", "^$USER-"]}

    policy_config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
    matched = policy_config.get_rules(Payload(request))

    self.assertEqual(len(matched), 1)
    self.assertIn(expected, matched)
def test_get_rules_for_user_3(self):
    """A normal user may read logs only for name-matched containers.

    GET /containers/123/logs against "wks01" must resolve to exactly one
    rule: a ContainerName restriction carrying the three expected patterns.
    """
    request = {
        "User": "******",
        "RequestMethod": "GET",
        "RequestUri": "/v1.32/containers/123/logs",
        "Host": "wks01",
    }
    # The "$USER" placeholder is expected back verbatim from get_rules;
    # presumably it is substituted later, when the rule is evaluated.
    expected = {"ContainerName": ["^bar-", "^foo-", "^$USER-"]}

    policy_config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
    matched = policy_config.get_rules(Payload(request))

    self.assertEqual(len(matched), 1)
    self.assertIn(expected, matched)
def test_get_rules_for_user_2(self):
    """A normal user's container create on a workstation gets three checks.

    POST /containers/create against "wks01" must resolve to exactly three
    rules: ContainerName, ImagesName and BindVolumes.
    """
    request = {
        "User": "******",
        "RequestMethod": "POST",
        "RequestUri": "/v1.32/containers/create",
        "Host": "wks01",
    }
    policy_config = Config(policies=MOCKED_POLICIES, groups=MOCKED_GROUPS)
    matched = policy_config.get_rules(Payload(request))

    # The length check matters as much as the membership checks: it fails
    # if any of the three restrictions is dropped or an extra rule appears.
    self.assertEqual(len(matched), 3)
    self.assertIn('ContainerName', matched)
    self.assertIn('ImagesName', matched)
    self.assertIn('BindVolumes', matched)
def test_policyless_deny(self):
    """The simplest policy: a host entry with only a default of Deny.

    The policy entry lists no per-group policies and no groups are passed
    to Config, so the lookup for a container create on "srv33" must fall
    through to the default and return a single 'Deny' entry.
    """
    request = {
        "User": "******",
        "RequestMethod": "POST",
        "RequestUri": "/v1.32/containers/create",
        "Host": "srv33",
    }
    payload = Payload(request)

    # NOTE(review): the leading "+" presumably marks the host entry as a
    # regular expression, so this would match every host -- confirm
    # against the policy loader.
    deny_all = [{
        "description": "Deny everything.",
        "hosts": [r"+.*"],
        "default": "Deny",
    }]
    policy_config = Config(policies=deny_all)
    matched = policy_config.get_rules(payload)

    self.assertEqual(len(matched), 1)
    self.assertIn('Deny', matched)