def test_edit_requires_admin(self): backend = MAASAuthorizationBackend() pool = factory.make_ResourcePool() user = factory.make_User() admin = factory.make_admin() self.assertFalse( backend.has_perm(user, ResourcePoolPermission.edit, pool)) self.assertTrue( backend.has_perm(admin, ResourcePoolPermission.edit, pool))
def test_view_always_viewable(self): backend = MAASAuthorizationBackend() pool = factory.make_ResourcePool() user = factory.make_User() admin = factory.make_admin() self.assertTrue( backend.has_perm(user, ResourcePoolPermission.view, pool)) self.assertTrue( backend.has_perm(admin, ResourcePoolPermission.view, pool))
def test_unowned_interface_requires_admin(self): backend = MAASAuthorizationBackend() interface = factory.make_Interface(INTERFACE_TYPE.UNKNOWN) admin = factory.make_admin() user = factory.make_User() for perm in [ NodePermission.view, NodePermission.edit, NodePermission.admin ]: self.assertTrue(backend.has_perm(admin, perm, interface)) self.assertFalse(backend.has_perm(user, perm, interface))
def test_create_requires_rbac_edit_all_resources(self): self.enable_rbac() backend = MAASAuthorizationBackend() pool = factory.make_ResourcePool() self.rbac_store.add_pool(pool) user1 = factory.make_User() self.rbac_store.allow(user1.username, pool, 'edit') user2 = factory.make_User() self.rbac_store.allow(user2.username, ALL_RESOURCES, 'edit') self.assertFalse(backend.has_perm(user1, ResourcePoolPermission.create)) self.assertTrue(backend.has_perm(user2, ResourcePoolPermission.create))
def test_view_rbac_viewable(self): self.enable_rbac() backend = MAASAuthorizationBackend() pool1 = factory.make_ResourcePool() pool2 = factory.make_ResourcePool() self.rbac_store.add_pool(pool1) self.rbac_store.add_pool(pool2) user = factory.make_User() self.rbac_store.allow(user.username, pool2, 'view') self.assertFalse( backend.has_perm(user, ResourcePoolPermission.view, pool1)) self.assertTrue( backend.has_perm(user, ResourcePoolPermission.view, pool2))
def test_owned_status(self): # A non-admin user can access nodes he owns. backend = MAASAuthorizationBackend() node = make_allocated_node() self.assertTrue( backend.has_perm( node.owner, NODE_PERMISSION.VIEW, node))
def test_admin_cannot_admin_locked_nodes(self): backend = MAASAuthorizationBackend() node = make_allocated_node() node.locked = True node.save() self.assertFalse( backend.has_perm(factory.make_admin(), NodePermission.admin, node))
def test_user_has_no_admin_permission_on_node(self): # NODE_PERMISSION.ADMIN permission on nodes is granted to super users # only. backend = MAASAuthorizationBackend() user = factory.make_user() self.assertFalse( backend.has_perm(user, NODE_PERMISSION.ADMIN, factory.make_node()))
def test_user_has_no_admin_permission_on_node(self): # NodePermission.admin permission on nodes is granted to super users # only. backend = MAASAuthorizationBackend() user = factory.make_User() self.assertFalse( backend.has_perm(user, NodePermission.admin, factory.make_Node()))
def test_user_can_view_FilesystemGroup_when_no_node_owner(self): backend = MAASAuthorizationBackend() user = factory.make_User() node = factory.make_Node() filesystem_group = factory.make_FilesystemGroup(node=node) self.assertTrue( backend.has_perm(user, NODE_PERMISSION.VIEW, filesystem_group))
def test_user_can_lock_locked_node(self): backend = MAASAuthorizationBackend() owner = factory.make_User() node = factory.make_Node(owner=owner, status=NODE_STATUS.DEPLOYED, locked=True) self.assertTrue(backend.has_perm(owner, NodePermission.lock, node))
def test_user_cannot_view_when_no_owner_rbac(self): self.enable_rbac() user = factory.make_User() node = factory.make_Node() nic = factory.make_Interface(node=node) backend = MAASAuthorizationBackend() self.assertFalse(backend.has_perm(user, NodePermission.view, nic))
def test_user_can_view_FilesystemGroup_when_node_owner(self): backend = MAASAuthorizationBackend() user = factory.make_User() node = factory.make_Node(owner=user) filesystem_group = factory.make_FilesystemGroup(node=node) self.assertTrue( backend.has_perm(user, NodePermission.view, filesystem_group))
def test_user_cannot_edit_FilesystemGroup_when_not_node_owner(self): backend = MAASAuthorizationBackend() user = factory.make_User() node = factory.make_Node(owner=factory.make_User()) filesystem_group = factory.make_FilesystemGroup(node=node) self.assertFalse( backend.has_perm(user, NodePermission.edit, filesystem_group))
def test_admin_doesnt_have_admin_permission_with_rbac(self): self.enable_rbac() backend = MAASAuthorizationBackend() user = factory.make_admin() node = factory.make_Node() nic = factory.make_Interface(node=node) self.assertFalse(backend.has_perm(user, NodePermission.admin, nic))
def test_user_can_view_locked_node(self): backend = MAASAuthorizationBackend() owner = factory.make_User() node = factory.make_Node(owner=owner, status=NODE_STATUS.DEPLOYED, locked=True) self.assertTrue(backend.has_perm(owner, NODE_PERMISSION.VIEW, node))
def test_admin_doesnt_have_admin_permission_on_BlockDevice_with_rbac(self): self.enable_rbac() backend = MAASAuthorizationBackend() user = factory.make_admin() node = factory.make_Node() device = factory.make_BlockDevice(node=node) self.assertFalse(backend.has_perm(user, NodePermission.admin, device))
def test_user_cannot_lock_node_rbac_owner_other_user(self): self.enable_rbac() user = factory.make_User() node = factory.make_Node(owner=factory.make_User()) backend = MAASAuthorizationBackend() self.rbac_store.add_pool(node.pool) self.rbac_store.allow(user.username, node.pool, 'view') self.assertFalse(backend.has_perm(user, NodePermission.lock, node))
def test_user_cannot_edit_node_rbac_if_locked(self): self.enable_rbac() user = factory.make_User() node = factory.make_Node(locked=True) self.rbac_store.add_pool(node.pool) self.rbac_store.allow(user.username, node.pool, 'admin-machine') backend = MAASAuthorizationBackend() self.assertFalse(backend.has_perm(user, NodePermission.edit, node))
def test_user_can_edit_node_rbac_deploy_machines(self): self.enable_rbac() user = factory.make_User() node = factory.make_Node() self.rbac_store.add_pool(node.pool) self.rbac_store.allow(user.username, node.pool, 'deploy-machines') backend = MAASAuthorizationBackend() self.assertTrue(backend.has_perm(user, NodePermission.edit, node))
def test_user_can_view_unowned_node_rbac(self): self.enable_rbac() user = factory.make_User() node = factory.make_Node() self.rbac_store.add_pool(node.pool) self.rbac_store.allow(user.username, node.pool, 'view') backend = MAASAuthorizationBackend() self.assertTrue(backend.has_perm(user, NodePermission.view, node))
def test_user_has_no_admin_permission_on_node(self): # NODE_PERMISSION.ADMIN permission on nodes is granted to super users # only. backend = MAASAuthorizationBackend() user = factory.make_user() self.assertFalse( backend.has_perm( user, NODE_PERMISSION.ADMIN, factory.make_node()))
def test_user_has_admin_permission_on_node_with_rbac(self): self.enable_rbac() backend = MAASAuthorizationBackend() user = factory.make_User() node = factory.make_Node() self.rbac_store.add_pool(node.pool) self.rbac_store.allow(user.username, node.pool, 'admin-machines') self.assertTrue(backend.has_perm(user, NodePermission.admin, node))
def test_owner_can_edit_device_interface(self): backend = MAASAuthorizationBackend() user = factory.make_User() parent = factory.make_Node() device = factory.make_Device(owner=user, parent=parent) interface = factory.make_Interface(INTERFACE_TYPE.PHYSICAL, node=device) self.assertTrue(backend.has_perm(user, NodePermission.edit, interface))
def test_user_has_no_admin_permission_on_BlockDevice(self): # NODE_PERMISSION.ADMIN permission on block devices is granted to super # user only. backend = MAASAuthorizationBackend() user = factory.make_User() self.assertFalse( backend.has_perm(user, NODE_PERMISSION.ADMIN, factory.make_BlockDevice()))
def test_admin_no_admin_permission_on_FilesystemGroup_with_rbac(self): self.enable_rbac() backend = MAASAuthorizationBackend() user = factory.make_admin() node = factory.make_Node() filesystem_group = factory.make_FilesystemGroup(node=node) self.assertFalse( backend.has_perm(user, NodePermission.admin, filesystem_group))
def test_user_has_no_admin_permission_on_FilesystemGroup(self): # NodePermission.admin permission on block devices is granted to super # user only. backend = MAASAuthorizationBackend() user = factory.make_User() self.assertFalse( backend.has_perm(user, NodePermission.admin, factory.make_FilesystemGroup()))
def test_user_cannot_view_FilesystemGroup_when_no_owner_rbac(self): self.enable_rbac() user = factory.make_User() node = factory.make_Node() filesystem_group = factory.make_FilesystemGroup(node=node) backend = MAASAuthorizationBackend() self.assertFalse( backend.has_perm(user, NodePermission.view, filesystem_group))
def test_user_can_edit_owned_rbac_with_admin(self): self.enable_rbac() user = factory.make_User() node = factory.make_Node(owner=factory.make_User()) nic = factory.make_Interface(node=node) self.rbac_store.add_pool(node.pool) self.rbac_store.allow(user.username, node.pool, 'admin-machines') backend = MAASAuthorizationBackend() self.assertTrue(backend.has_perm(user, NodePermission.edit, nic))
def test_owner_cannot_edit_rbac_vith_view(self): self.enable_rbac() user = factory.make_User() node = factory.make_Node(owner=user) nic = factory.make_Interface(node=node) self.rbac_store.add_pool(node.pool) self.rbac_store.allow(user.username, node.pool, 'view') backend = MAASAuthorizationBackend() self.assertFalse(backend.has_perm(user, NodePermission.edit, nic))
def test_user_can_lock_BlockDevice_node_rbac_owner_other_user(self): self.enable_rbac() user = factory.make_User() node = factory.make_Node(owner=factory.make_User()) device = factory.make_BlockDevice(node=node) backend = MAASAuthorizationBackend() self.rbac_store.add_pool(node.pool) self.rbac_store.allow(user.username, node.pool, 'admin-machines') self.assertTrue(backend.has_perm(user, NodePermission.lock, device))
def test_user_can_access_unowned_node(self): backend = MAASAuthorizationBackend() self.assertTrue(backend.has_perm( factory.make_user(), NODE_PERMISSION.VIEW, make_unallocated_node()))
def test_node_init_user_cannot_access(self): backend = MAASAuthorizationBackend() self.assertFalse(backend.has_perm( get_node_init_user(), NODE_PERMISSION.VIEW, make_unallocated_node()))
def test_user_cannot_edit_unowned_node(self): backend = MAASAuthorizationBackend() self.assertFalse(backend.has_perm( factory.make_user(), NODE_PERMISSION.EDIT, make_unallocated_node()))
def test_user_can_edit_his_own_nodes(self): backend = MAASAuthorizationBackend() user = factory.make_user() self.assertTrue(backend.has_perm( user, NODE_PERMISSION.EDIT, make_allocated_node(owner=user)))
def test_user_cannot_access_nodes_owned_by_others(self): backend = MAASAuthorizationBackend() self.assertFalse(backend.has_perm( factory.make_user(), NODE_PERMISSION.VIEW, make_allocated_node()))