示例#1
0
 def test_remove(self):
     principal = Principal("zebra", "zoo")
     yield self.db.add(principal)
     yield self.db.remove(principal)
     content, stat = yield self.client.get("/token-test")
     data = yaml.load(content)
     self.assertEqual(data, {"zebra": principal.get_token()})
示例#2
0
 def test_owner_ace(self):
     """If an owner is set, all nodes ACLs will have an owner ACE.
     """
     owner = Principal("john", "doe")
     self.policy.set_owner(owner)
     acl = yield self.policy("/random")
     self.assertIn(make_ace(owner.get_token(), all=True), acl)
示例#3
0
 def test_rule_match_suppress_open_access(self):
     """If a rule returns an acl, then no default access is given."""
     principal = Principal("foobar", "foobar")
     self.policy.add_rule(lambda policy, path: [
         make_ace(principal.get_token(), all=True)])
     acl = yield self.policy("/random")
     # Check for matched rule ACL
     self.assertIn(make_ace(principal.get_token(), all=True), acl)
     # Verify no default access
     self.assertNotIn(make_ace("auth", "world", all=True), acl)
示例#4
0
    def setUp(self):
        zookeeper.set_debug_level(0)
        self.client = yield self.get_zookeeper_client().connect()
        self.tokens = TokenDatabase(self.client)
        self.admin = Principal("admin", "admin")
        yield self.tokens.add(self.admin)
        self.policy = SecurityPolicy(self.client, self.tokens)
        attach_deferred = self.admin.attach(self.client)

        self.client.exists("/")
        yield attach_deferred
示例#5
0
 def test_rule_that_returns_deferred(self):
     """If a rule may do additional lookups, resulting in deferred values.
     """
     principal = Principal("foobar", "foobar")
     self.policy.add_rule(lambda policy, path: succeed(
         [make_ace(principal.get_token(), all=True)]))
     acl = yield self.policy("/random")
     # Check for matched rule ACL
     self.assertIn(make_ace(principal.get_token(), all=True), acl)
     # Verify no default access
     self.assertNotIn(make_ace("auth", "world", all=True), acl)
示例#6
0
 def test_rule_that_returns_deferred(self):
     """If a rule may do additional lookups, resulting in deferred values.
     """
     principal = Principal("foobar", "foobar")
     self.policy.add_rule(lambda policy, path: succeed([
         make_ace(principal.get_token(), all=True)]))
     acl = yield self.policy("/random")
     # Check for matched rule ACL
     self.assertIn(make_ace(principal.get_token(), all=True), acl)
     # Verify no default access
     self.assertNotIn(make_ace("auth", "world", all=True), acl)
示例#7
0
    def test_add_member(self):
        group = GroupPrincipal(self.client, "/group-a")
        yield group.create("group/a", "zebra")

        principal = Principal("aladdin", "genie")
        yield group.add_member(principal)
        acl, stat = yield self.client.get_acl("/group-a")
        self.assertEqual(
            acl[1:],
            [make_ace(principal.get_token(), read=True)])
        # Adding a member again is fine
        yield group.add_member(principal)
示例#8
0
    def setUp(self):
        zookeeper.set_debug_level(0)
        self.client = yield SecurityPolicyConnection(
            get_test_zookeeper_address()).connect()

        admin = Principal("admin", "admin")

        self.token_db = TokenDatabase(self.client)
        yield self.token_db.add(admin)
        self.policy = SecurityPolicy(self.client, self.token_db, owner=admin)
        attach_defer = admin.attach(self.client)
        # Trick to speed up the auth response processing (fixed in ZK trunk)
        self.client.exists("/")
        yield attach_defer
示例#9
0
    def test_acl_without_admin(self):
        """A client needs an attached principle with the admin perm to set acl.
        """
        client = yield self.get_zookeeper_client().connect()
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)
        attach_deferred = principal.attach(client)
        yield self.client.create(
            "/abc", acls=[make_ace(self.admin.get_token(), all=True)])
        yield attach_deferred

        acl = ACL(client, "/abc")
        yield self.assertFailure(acl.grant("zebra", all=True),
                                 zookeeper.NoAuthException)
示例#10
0
    def test_prohibit(self):
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)

        path = yield self.client.create("/abc", acls=[
            make_ace(self.admin.get_token(), all=True),
            make_ace(principal.get_token(), write=True)])

        acl = ACL(self.client, path)
        yield acl.prohibit("zebra")

        acl, stat = yield self.client.get_acl(path)
        self.assertEqual(
            acl, [make_ace(self.admin.get_token(), all=True)])
示例#11
0
    def setUp(self):
        zookeeper.set_debug_level(0)
        self.client = yield SecurityPolicyConnection(
            get_test_zookeeper_address()).connect()

        admin = Principal("admin", "admin")

        self.token_db = TokenDatabase(self.client)
        yield self.token_db.add(admin)
        self.policy = SecurityPolicy(self.client, self.token_db, owner=admin)
        attach_defer = admin.attach(self.client)
        # Trick to speed up the auth response processing (fixed in ZK trunk)
        self.client.exists("/")
        yield attach_defer
示例#12
0
    def test_create_with_policy(self):
        """If a policy is set ACL are determined by the policy."""
        def rule(policy, path):
            return [make_ace(Principal("magic", "not").get_token(), all=True)]

        self.policy.add_rule(rule)
        self.client.set_security_policy(self.policy)

        yield self.client.create("/xyz")
        acl, stat = yield self.client.get_acl("/xyz")

        self.assertEqual(acl, [
            make_ace(Principal("magic", "not").get_token(), all=True),
            make_ace(Principal("admin", "admin").get_token(), all=True)
        ])
示例#13
0
    def test_acl_without_admin(self):
        """A client needs an attached principle with the admin perm to set acl.
        """
        client = yield self.get_zookeeper_client().connect()
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)
        attach_deferred = principal.attach(client)
        yield self.client.create(
            "/abc",
            acls=[make_ace(self.admin.get_token(), all=True)])
        yield attach_deferred

        acl = ACL(client, "/abc")
        yield self.assertFailure(
            acl.grant("zebra", all=True),
            zookeeper.NoAuthException)
示例#14
0
    def test_prohibit(self):
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)

        path = yield self.client.create("/abc",
                                        acls=[
                                            make_ace(self.admin.get_token(),
                                                     all=True),
                                            make_ace(principal.get_token(),
                                                     write=True)
                                        ])

        acl = ACL(self.client, path)
        yield acl.prohibit("zebra")

        acl, stat = yield self.client.get_acl(path)
        self.assertEqual(acl, [make_ace(self.admin.get_token(), all=True)])
示例#15
0
    def setUp(self):
        zookeeper.set_debug_level(0)
        self.client = yield self.get_zookeeper_client().connect()
        self.tokens = TokenDatabase(self.client)
        self.admin = Principal("admin", "admin")
        yield self.tokens.add(self.admin)
        self.policy = SecurityPolicy(self.client, self.tokens)
        attach_deferred = self.admin.attach(self.client)

        self.client.exists("/")
        yield attach_deferred
示例#16
0
    def test_remove_member(self):
        group = GroupPrincipal(self.client, "/group-a")
        yield group.create("group/a", "zebra")

        principal = Principal("aladdin", "genie")
        # Removing a member that doesn't exist is a no-op
        yield group.remove_member(principal)
        yield group.add_member(principal)
        yield group.remove_member(principal.name)

        acl, stat = yield self.client.get_acl("/group-a")
        self.assertEqual(acl[1:], [])
示例#17
0
    def test_prohibit_not_in_acl(self):
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)

        path = yield self.client.create(
            "/abc", acls=[make_ace(self.admin.get_token(), all=True)])

        acl = ACL(self.client, path)
        # We get to the same end state so its fine.
        yield acl.prohibit("zebra")

        acl, stat = yield self.client.get_acl(path)
        self.assertEqual(acl, [make_ace(self.admin.get_token(), all=True)])
示例#18
0
    def test_activate(self):
        """A principal can be used with a client connection."""
        client = yield self.get_zookeeper_client().connect()
        self.addCleanup(lambda: client.close())
        admin_credentials = "admin:admin"
        test_credentials = "test:test"
        yield self.client.add_auth("digest", admin_credentials)

        acl = [make_ace(make_identity(admin_credentials), all=True),
               make_ace(make_identity(
                   test_credentials), read=True, create=True)]

        yield client.create("/acl-test", "content", acls=acl)

        # Verify the acl is active
        yield self.assertFailure(
            client.get("/acl-test"), zookeeper.NoAuthException)

        # Attach the principal to the connection
        principal = Principal("test", "test")
        yield principal.attach(client)
        content, stat = yield client.get("/acl-test")
        self.assertEqual(content, "content")
示例#19
0
    def test_activate(self):
        """A principal can be used with a client connection."""
        client = yield self.get_zookeeper_client().connect()
        self.addCleanup(lambda: client.close())
        admin_credentials = "admin:admin"
        test_credentials = "test:test"
        yield self.client.add_auth("digest", admin_credentials)

        acl = [
            make_ace(make_identity(admin_credentials), all=True),
            make_ace(make_identity(test_credentials), read=True, create=True)
        ]

        yield client.create("/acl-test", "content", acls=acl)

        # Verify the acl is active
        yield self.assertFailure(client.get("/acl-test"),
                                 zookeeper.NoAuthException)

        # Attach the principal to the connection
        principal = Principal("test", "test")
        yield principal.attach(client)
        content, stat = yield client.get("/acl-test")
        self.assertEqual(content, "content")
示例#20
0
 def test_get(self):
     principal = Principal("zebra", "zoo")
     yield self.db.add(principal)
     token = yield self.db.get(principal.name)
     self.assertEqual(token, principal.get_token())
示例#21
0
class ACLTest(TestCase):
    @inlineCallbacks
    def setUp(self):
        zookeeper.set_debug_level(0)
        self.client = yield self.get_zookeeper_client().connect()
        self.tokens = TokenDatabase(self.client)
        self.admin = Principal("admin", "admin")
        yield self.tokens.add(self.admin)
        self.policy = SecurityPolicy(self.client, self.tokens)
        attach_deferred = self.admin.attach(self.client)

        self.client.exists("/")
        yield attach_deferred

    def tearDown(self):
        deleteTree(handle=self.client.handle)
        self.client.close()

    @inlineCallbacks
    def test_acl_on_non_existant_node(self):
        acl = ACL(self.client, "abc")
        yield self.assertFailure(acl.grant("admin", all=True), StateNotFound)

    @inlineCallbacks
    def test_acl_without_admin(self):
        """A client needs an attached principle with the admin perm to set acl.
        """
        client = yield self.get_zookeeper_client().connect()
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)
        attach_deferred = principal.attach(client)
        yield self.client.create(
            "/abc", acls=[make_ace(self.admin.get_token(), all=True)])
        yield attach_deferred

        acl = ACL(client, "/abc")
        yield self.assertFailure(acl.grant("zebra", all=True),
                                 zookeeper.NoAuthException)

    @inlineCallbacks
    def test_grant(self):
        path = yield self.client.create("/abc")
        acl = ACL(self.client, path)
        yield acl.grant("admin", all=True)
        node_acl, stat = yield self.client.get_acl(path)
        self.assertEqual(
            node_acl,
            [ZOO_OPEN_ACL_UNSAFE,
             make_ace(self.admin.get_token(), all=True)])

    @inlineCallbacks
    def test_grant_additive(self):
        path = yield self.client.create("/abc")
        acl = ACL(self.client, "/abc")
        yield acl.grant("admin", read=True)
        yield acl.grant("admin", write=True)
        test_ace = make_ace(":", read=True, write=True)
        node_acl, stat = yield self.client.get_acl(path)
        self.assertEqual(node_acl[-1]["perms"], test_ace["perms"])

    @inlineCallbacks
    def test_grant_not_in_token_database(self):
        path = yield self.client.create("/abc")
        acl = ACL(self.client, path)
        yield self.assertFailure(acl.grant("zebra"), PrincipalNotFound)

    @inlineCallbacks
    def test_prohibit(self):
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)

        path = yield self.client.create("/abc",
                                        acls=[
                                            make_ace(self.admin.get_token(),
                                                     all=True),
                                            make_ace(principal.get_token(),
                                                     write=True)
                                        ])

        acl = ACL(self.client, path)
        yield acl.prohibit("zebra")

        acl, stat = yield self.client.get_acl(path)
        self.assertEqual(acl, [make_ace(self.admin.get_token(), all=True)])

    @inlineCallbacks
    def test_prohibit_non_existant_node(self):
        acl = ACL(self.client, "/abc")
        yield self.assertFailure(acl.prohibit("zebra"), StateNotFound)

    @inlineCallbacks
    def test_prohibit_not_in_acl(self):
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)

        path = yield self.client.create(
            "/abc", acls=[make_ace(self.admin.get_token(), all=True)])

        acl = ACL(self.client, path)
        # We get to the same end state so its fine.
        yield acl.prohibit("zebra")

        acl, stat = yield self.client.get_acl(path)
        self.assertEqual(acl, [make_ace(self.admin.get_token(), all=True)])
示例#22
0
class ACLTest(TestCase):

    @inlineCallbacks
    def setUp(self):
        zookeeper.set_debug_level(0)
        self.client = yield self.get_zookeeper_client().connect()
        self.tokens = TokenDatabase(self.client)
        self.admin = Principal("admin", "admin")
        yield self.tokens.add(self.admin)
        self.policy = SecurityPolicy(self.client, self.tokens)
        attach_deferred = self.admin.attach(self.client)

        self.client.exists("/")
        yield attach_deferred

    def tearDown(self):
        deleteTree(handle=self.client.handle)
        self.client.close()

    @inlineCallbacks
    def test_acl_on_non_existant_node(self):
        acl = ACL(self.client, "abc")
        yield self.assertFailure(acl.grant("admin", all=True), StateNotFound)

    @inlineCallbacks
    def test_acl_without_admin(self):
        """A client needs an attached principle with the admin perm to set acl.
        """
        client = yield self.get_zookeeper_client().connect()
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)
        attach_deferred = principal.attach(client)
        yield self.client.create(
            "/abc",
            acls=[make_ace(self.admin.get_token(), all=True)])
        yield attach_deferred

        acl = ACL(client, "/abc")
        yield self.assertFailure(
            acl.grant("zebra", all=True),
            zookeeper.NoAuthException)

    @inlineCallbacks
    def test_grant(self):
        path = yield self.client.create("/abc")
        acl = ACL(self.client, path)
        yield acl.grant("admin", all=True)
        node_acl, stat = yield self.client.get_acl(path)
        self.assertEqual(
            node_acl,
            [ZOO_OPEN_ACL_UNSAFE,
             make_ace(self.admin.get_token(), all=True)])

    @inlineCallbacks
    def test_grant_additive(self):
        path = yield self.client.create("/abc")
        acl = ACL(self.client, "/abc")
        yield acl.grant("admin", read=True)
        yield acl.grant("admin", write=True)
        test_ace = make_ace(":", read=True, write=True)
        node_acl, stat = yield self.client.get_acl(path)
        self.assertEqual(node_acl[-1]["perms"], test_ace["perms"])

    @inlineCallbacks
    def test_grant_not_in_token_database(self):
        path = yield self.client.create("/abc")
        acl = ACL(self.client, path)
        yield self.assertFailure(acl.grant("zebra"), PrincipalNotFound)

    @inlineCallbacks
    def test_prohibit(self):
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)

        path = yield self.client.create("/abc", acls=[
            make_ace(self.admin.get_token(), all=True),
            make_ace(principal.get_token(), write=True)])

        acl = ACL(self.client, path)
        yield acl.prohibit("zebra")

        acl, stat = yield self.client.get_acl(path)
        self.assertEqual(
            acl, [make_ace(self.admin.get_token(), all=True)])

    @inlineCallbacks
    def test_prohibit_non_existant_node(self):
        acl = ACL(self.client, "/abc")
        yield self.assertFailure(
            acl.prohibit("zebra"), StateNotFound)

    @inlineCallbacks
    def test_prohibit_not_in_acl(self):
        principal = Principal("zebra", "stripes")
        yield self.tokens.add(principal)

        path = yield self.client.create("/abc", acls=[
            make_ace(self.admin.get_token(), all=True)])

        acl = ACL(self.client, path)
        # We get to the same end state so its fine.
        yield acl.prohibit("zebra")

        acl, stat = yield self.client.get_acl(path)
        self.assertEqual(
            acl, [make_ace(self.admin.get_token(), all=True)])
示例#23
0
 def test_get_token(self):
     """An identity token can be gotten from a Principal."""
     principal = Principal("foobar", "secret")
     self.assertEqual(principal.get_token(), make_identity("foobar:secret"))
示例#24
0
 def test_get(self):
     principal = Principal("zebra", "zoo")
     yield self.db.add(principal)
     token = yield self.db.get(principal.name)
     self.assertEqual(token, principal.get_token())
示例#25
0
 def test_get_token(self):
     """An identity token can be gotten from a Principal."""
     principal = Principal("foobar", "secret")
     self.assertEqual(principal.get_token(),
                      make_identity("foobar:secret"))
示例#26
0
 def test_get_nonexistant(self):
     principal = Principal("zebra", "zoo")
     error = yield self.assertFailure(self.db.get(principal.name),
                                      PrincipalNotFound)
     self.assertEquals(str(error), "Principal 'zebra' not found")
示例#27
0
 def test_name(self):
     """Principals have names."""
     principal = Principal("foobar", "secret")
     self.assertEqual(principal.name, "foobar")
示例#28
0
 def rule(policy, path):
     return [make_ace(Principal("magic", "not").get_token(), all=True)]
示例#29
0
 def setUp(self):
     zookeeper.set_debug_level(0)
     self.client = yield self.get_zookeeper_client().connect()
     self.tokens = TokenDatabase(self.client)
     yield self.tokens.add(Principal("admin", "admin"))
     self.policy = SecurityPolicy(self.client, self.tokens)
示例#30
0
 def test_default_no_owner_no_rules_gives_admin_access(self):
     """By default the policy setups a global access for the cli admins.
     """
     acl = yield self.policy("/random")
     self.assertIn(
         make_ace(Principal("admin", "admin").get_token(), all=True), acl)
示例#31
0
 def test_add(self):
     principal = Principal("zebra", "zoo")
     yield self.db.add(principal)
     content, stat = yield self.client.get("/token-test")
     data = yaml.load(content)
     self.assertEqual(data, {"zebra": principal.get_token()})