def test_batch_resource_multi_actions_allowed():
# any
data = [{
"condition": {
"field": "flow.id",
"value": [],
"op": "any"
},
"action": {
"id": "flow_edit"
}
}, {
"condition": {
"field": "flow.id",
"value": [],
"op": "any"
},
"action": {
"id": "flow_view"
}
}, {
"condition": None,
"action": {
"id": "flow_delete"
}
}]
with patch.object(IAM, "_do_policy_query_by_actions", return_value=data):
subject = Subject("user", "admin")
action1 = Action("flow_edit")
action2 = Action("flow_view")
action3 = Action("flow_delete")
resource1 = Resource("bk_sops", "flow", "1", {})
resource2 = Resource("bk_sops", "flow", "2", {})
resource3 = Resource("bk_sops", "flow", "3", {})
r = MultiActionRequest("bk_sops", subject, [action1, action2, action3],
[], None)
iam = new_mock_iam()
result = iam.batch_resource_multi_actions_allowed(
r, [[resource1], [resource2], [resource3]])
# {'1': {'flow_edit': True, 'flow_view': True, 'flow_delete': False},
# '2': {'flow_edit': True, 'flow_view': True, 'flow_delete': False},
# '3': {'flow_edit': True, 'flow_view': True, 'flow_delete': False}}
assert len(result) == 3
assert "1" in result
assert "2" in result
assert "3" in result
assert result["1"]["flow_edit"]
assert result["1"]["flow_view"]
assert not result["1"]["flow_delete"]
def test_batch_is_allowed():
# any
with patch.object(IAM, "_do_policy_query", return_value={"op": "any", "field": "", "value": ""}):
r = new_valid_request()
iam = new_mock_iam()
resource1 = Resource("test", "flow", "1", {})
resource2 = Resource("test", "flow", "2", {})
resources_list = [[resource1], [resource2]]
result = iam.batch_is_allowed(r, resources_list)
assert "1" in result and result["1"]
assert "2" in result and result["2"]
def test_multi_action_request():
s = Subject("user", "tom")
a = Action("edit")
actions = [a]
r = Resource("bk_paas", "app", "bk-test", {})
rs = [r]
# invalid
isubject = Subject(1, "tom")
iaction = Action(1)
iactions = [iaction]
iresource = Resource("", "app", "bk-test", {})
iresources = [iresource]
with pytest.raises(TypeError):
MultiActionRequest(1, s, actions, rs, None).validate()
with pytest.raises(TypeError):
MultiActionRequest("bk_paas", 1, actions, rs, None).validate()
with pytest.raises(TypeError):
MultiActionRequest("bk_paas", s, 1, rs, None).validate()
with pytest.raises(TypeError):
MultiActionRequest("bk_paas", s, actions, 1, None).validate()
with pytest.raises(TypeError):
MultiActionRequest("bk_paas", s, actions, rs, [1, 2]).validate()
with pytest.raises(ValueError):
MultiActionRequest("", s, actions, rs, None).validate()
with pytest.raises(ValueError):
MultiActionRequest("bk_paas", isubject, actions, rs, None).validate()
with pytest.raises(ValueError):
MultiActionRequest("bk_paas", s, iactions, rs, None).validate()
with pytest.raises(ValueError):
MultiActionRequest("bk_paas", s, actions, iresources, None).validate()
r = MultiActionRequest("bk_paas", s, actions, rs, None)
assert r.system == "bk_paas"
assert r.subject == s
assert r.actions == actions
assert r.resources == rs
assert r.environment is None
assert r.to_dict()["system"] == "bk_paas"
def test_iam_validate_resource_list_same_local_only():
iam = new_mock_iam()
resource1 = Resource("bk_sops", "flow", "1", {})
# invalid, with resources of other system
resource2 = Resource("bk_cmdb", "host", "1", {})
resources = [resource1, resource2]
resources_list = [resources]
with pytest.raises(AuthInvalidParam):
iam._validate_resources_list_same_local_only("bk_sops", resources_list)
# invalid, with different type resources
resource2 = Resource("bk_sops", "task", "2", {})
resources = [resource1, resource2]
resources_list = [resources]
with pytest.raises(AuthInvalidParam):
iam._validate_resources_list_same_local_only("bk_sops", resources_list)
# valid
resource2 = Resource("bk_sops", "flow", "2", {})
resources = [resource1, resource2]
resources_list = [resources]
assert iam._validate_resources_list_same_local_only("bk_sops", resources_list) is None
def test_iam_validate_resource_list():
iam = new_mock_iam()
# invalid
with pytest.raises(AuthInvalidParam):
iam._validate_resources_list(None)
with pytest.raises(AuthInvalidParam):
iam._validate_resources_list({})
# empty
assert iam._validate_resources_list([]) is None
# not empty
# wrong list
with pytest.raises(AuthInvalidParam):
iam._validate_resources_list([1, 2, 3]) is None
with pytest.raises(AuthInvalidParam):
iam._validate_resources_list([[1], [2], [3]]) is None
# right list
resource1 = Resource("bk_sops", "flow", "1", {})
resources = [resource1]
resources_list = [resources]
assert iam._validate_resources_list(resources_list) is None
def test_resource():
with pytest.raises(TypeError):
Resource(1, "type", "id", {}).validate()
with pytest.raises(TypeError):
Resource("system", 1, "id", {}).validate()
with pytest.raises(TypeError):
Resource("system", "type", 1, {}).validate()
with pytest.raises(TypeError):
Resource("system", "type", "id", [1, 2]).validate()
with pytest.raises(ValueError):
Resource("", "type", "id", {}).validate()
with pytest.raises(ValueError):
Resource("system", "", "id", {}).validate()
with pytest.raises(ValueError):
Resource("system", "type", "", {}).validate()
r = Resource("system", "type", "id", {})
assert r.system == "system"
assert r.type == "type"
assert r.id == "id"
assert r.attribute == {}
assert r.to_dict()["system"] == "system"
with pytest.raises(AttributeError):
r.invalidattr = "aaa"
def test_request():
s = Subject("user", "tom")
a = Action("edit")
r = Resource("bk_paas", "app", "bk-test", {})
rs = [r]
# invalid
isubject = Subject(1, "tom")
iaction = Action(1)
iresource = Resource("", "app", "bk-test", {})
iresources = [iresource]
with pytest.raises(TypeError):
Request(1, s, a, rs, None).validate()
with pytest.raises(TypeError):
Request("bk_paas", 1, a, rs, None).validate()
with pytest.raises(TypeError):
Request("bk_paas", s, 1, rs, None).validate()
with pytest.raises(TypeError):
Request("bk_paas", s, a, 1, None).validate()
with pytest.raises(TypeError):
Request("bk_paas", s, a, rs, [1, 2]).validate()
with pytest.raises(ValueError):
Request("", s, a, rs, None).validate()
# with pytest.raises(ValueError):
# Request("bk_paas", s, a, [], None).validate()
with pytest.raises(ValueError):
Request("bk_paas", isubject, a, rs, None).validate()
with pytest.raises(ValueError):
Request("bk_paas", s, iaction, rs, None).validate()
# with pytest.raises(ValueError):
# Request("bk_paas", s, a, [], None).validate()
with pytest.raises(ValueError):
Request("bk_paas", s, a, iresources, None).validate()
r = Request("bk_paas", s, a, rs, None)
assert r.system == "bk_paas"
assert r.subject == s
assert r.action == a
assert r.resources == rs
assert r.environment is None
assert r.to_dict()["system"] == "bk_paas"
# hash
r1 = Request(
"demo",
Subject("user", "tom"),
Action("access_developer_center"),
rs,
None,
)
r2 = Request(
"demo",
Subject("user", "tom"),
Action("access_developer_center"),
rs,
None,
)
r3 = Request(
"demo",
Subject("user", "tom1"),
Action("access_developer_center"),
rs,
None,
)
assert hash(r1) == hash(r1)
assert hash(r1) == hash(r2)
assert hash(r1) != hash(r3)
assert hash(r2) != hash(r3)