def test_get_path_parents(self): for path, parents in [ ("", [""]), ("one", ["", "one"]), ("one/two", ["", "one", "one/two"]), ("one/two/", ["", "one", "one/two"]), ("one/two/three", ["", "one", "one/two", "one/two/three"]), ]: self.assertEqual(parents, PermissionsManager.get_path_parents(path))
def test_get_path_parents(self): for path, parents in [ ('', ['']), ('one', ['', 'one']), ('one/two', ['', 'one', 'one/two']), ('one/two/', ['', 'one', 'one/two']), ('one/two/three', ['', 'one', 'one/two', 'one/two/three']), ]: self.assertEqual(parents, PermissionsManager.get_path_parents(path))
class TestDirectoryPermissions(unittest.TestCase): permissions = { 'dir_1': set(['group_1']), 'dir_1/subdir_2': set(['group_2']), 'dir_2': set(['group_2']), 'shared': set(['group_1', 'group_2']), } users = { 'no_privs': ['no_priv_group'], 'min_privs': ['staff'], 'user_1': ['staff', 'group_1'], 'user_2': ['staff', 'group_2'], 'admin': ['staff', 'group_1', 'group_2'] } def authenticate(self, username, password): try: return self.users[username] except KeyError: return None def setUp(self): self.manager = PermissionsManager(self.permissions, required_group='staff', authenticate=self.authenticate) def test_get_path_parents(self): for path, parents in [ ('', ['']), ('one', ['', 'one']), ('one/two', ['', 'one', 'one/two']), ('one/two/', ['', 'one', 'one/two']), ('one/two/three', ['', 'one', 'one/two', 'one/two/three']), ]: self.assertEqual(parents, PermissionsManager.get_path_parents(path)) def test_unknown_user_returns_falsey(self): self.assertFalse(self.manager.get_user('unknown', 'nopass')) def test_user_to_string_contains_id(self): user = self.manager.get_user('min_privs', 'password') self.assertIn('min_privs', '%s' % user) def test_non_staff_user_rejected(self): self.assertFalse(self.manager.get_user('no_privs', 'password')) def test_staff_users_have_read_access_to_all(self): for username in self.users.keys(): if username == 'no_privs': continue user = self.manager.get_user(username, 'password') for path in self.permissions.keys(): self.assertTrue(user.has_read_access(path)) def test_correct_users_have_write_access(self): write_access = { 'dir_1': set(['user_1', 'admin']), 'dir_1/subdir_2': set(['user_1', 'user_2', 'admin']), 'dir_2': set(['user_2', 'admin']), 'shared': set(['user_1', 'user_2', 'admin']), } for path, users_with_write_access in write_access.items(): for username in self.users.keys(): user = self.manager.get_user(username, 'password') has_write = (user and user.has_write_access(path)) if username in users_with_write_access: self.assertTrue(has_write, msg='%s should have write access to %s' % (username, path)) else: self.assertFalse( has_write, msg='%s should not have write access to %s' % (username, path))
def setUp(self): self.manager = PermissionsManager(self.permissions, required_group='staff', authenticate=self.authenticate)
class TestDirectoryPermissions(unittest.TestCase): permissions = { "dir_1": set(["group_1"]), "dir_1/subdir_2": set(["group_2"]), "dir_2": set(["group_2"]), "shared": set(["group_1", "group_2"]), } users = { "no_privs": ["no_priv_group"], "min_privs": ["staff"], "user_1": ["staff", "group_1"], "user_2": ["staff", "group_2"], "admin": ["staff", "group_1", "group_2"], } def authenticate(self, username, password): try: return self.users[username] except KeyError: return None def setUp(self): self.manager = PermissionsManager(self.permissions, required_group="staff", authenticate=self.authenticate) def test_get_path_parents(self): for path, parents in [ ("", [""]), ("one", ["", "one"]), ("one/two", ["", "one", "one/two"]), ("one/two/", ["", "one", "one/two"]), ("one/two/three", ["", "one", "one/two", "one/two/three"]), ]: self.assertEqual(parents, PermissionsManager.get_path_parents(path)) def test_unknown_user_returns_falsey(self): self.assertFalse(self.manager.get_user("unknown", "nopass")) def test_user_to_string_contains_id(self): user = self.manager.get_user("min_privs", "password") self.assertIn("min_privs", "%s" % user) def test_non_staff_user_rejected(self): self.assertFalse(self.manager.get_user("no_privs", "password")) def test_staff_users_have_read_access_to_all(self): for username in self.users.keys(): if username == "no_privs": continue user = self.manager.get_user(username, "password") for path in self.permissions.keys(): self.assertTrue(user.has_read_access(path)) def test_correct_users_have_write_access(self): write_access = { "dir_1": set(["user_1", "admin"]), "dir_1/subdir_2": set(["user_1", "user_2", "admin"]), "dir_2": set(["user_2", "admin"]), "shared": set(["user_1", "user_2", "admin"]), } for path, users_with_write_access in write_access.items(): for username in self.users.keys(): user = self.manager.get_user(username, "password") has_write = user and user.has_write_access(path) if username in users_with_write_access: self.assertTrue(has_write, msg="%s should have write access to %s" % (username, path)) else: self.assertFalse(has_write, msg="%s should not have write access to %s" % (username, path))
def setUp(self): self.manager = PermissionsManager(self.permissions, required_group="staff", authenticate=self.authenticate)
development_root = os.path.join(os.path.dirname(__file__), 'tmp') FILE_ROOT = os.path.realpath( os.environ.get('FILESERVER_ROOT', development_root)) # Note, you can generate a new host key like this: # ssh-keygen -t rsa -N '' -f host_key HOST_KEY = os.path.join(os.path.dirname(__file__), 'config/host_key') PERMISSIONS_FILE = os.path.join(os.path.dirname(__file__), 'config/permissions.ini') AUTH_LDAP_SERVER_URI = "ldap://ldap-server.example.com" AUTH_LDAP_BIND_DN = "cn=Directory Manager" AUTH_LDAP_BIND_PASSWORD = "******" LDAP_ROOT_DN = 'dc=timetric,dc=com' LDAP_GROUP_ROOT_DN = 'ou=timetric,ou=groups,%s' % LDAP_ROOT_DN REQUIRED_GROUP = 'staff' if __name__ == '__main__': logging.basicConfig(level=logging.INFO) permissions = read_permissions_file(PERMISSIONS_FILE) ldap_auth = LDAPAuth(AUTH_LDAP_SERVER_URI, bind_dn=AUTH_LDAP_BIND_DN, bind_password=AUTH_LDAP_BIND_PASSWORD, base_dn=LDAP_ROOT_DN, group_dn=LDAP_GROUP_ROOT_DN) manager = PermissionsManager(permissions, required_group=REQUIRED_GROUP, authenticate=ldap_auth) server = SFTPServer(FILE_ROOT, HOST_KEY, get_user=manager.get_user) server.serve_forever('0.0.0.0', SSH_PORT)