示例#1
0
    def test_create_client_role_valid_role(self):
        client_def1 = 'def1'
        client_def2 = 'def2'

        role_id1, role_name1 = 1, 'name1'
        role_id2, role_name2 = 2, 'name2'
        role_id3, role_name3 = 3, 'name3'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, None)
        rbac.create_role(role_id3, role_name3, None)

        rbac.create_client_role(client_def1, role_id1)
        rbac.create_client_role(client_def1, role_id2)

        rbac.create_client_role(client_def2, role_id2)
        rbac.create_client_role(client_def2, role_id3)

        self.assertEquals(rbac.client_def_to_role_id[client_def1],
                          set([role_id1, role_id2]))
        self.assertEquals(rbac.client_def_to_role_id[client_def2],
                          set([role_id2, role_id3]))

        self.assertEquals(rbac.role_id_to_client_def[role_id1],
                          set([client_def1]))
        self.assertEquals(rbac.role_id_to_client_def[role_id2],
                          set([client_def1, client_def2]))
示例#2
0
    def test_delete_role_parent_hierarchy_delete_leaf(self):

        id1, parent_id1 = 1, 11
        id2, id3, id4 = 2, 3, 4

        name1, name2, name3, name4 = 'name1', 'name2', 'name3', 'name4'

        rbac = RBAC()
        rbac.create_role(id1, name1, parent_id1)
        rbac.create_role(id2, name2, id1)
        rbac.create_role(id3, name3, id1)
        rbac.create_role(id4, name4, id2)

        rbac.delete_role(id4, name4)

        self.assertIn(id1, rbac.role_id_to_name)
        self.assertIn(id2, rbac.role_id_to_name)
        self.assertIn(id3, rbac.role_id_to_name)
        self.assertNotIn(id4, rbac.role_id_to_name)

        self.assertIn(name1, rbac.role_name_to_id)
        self.assertIn(name2, rbac.role_name_to_id)
        self.assertIn(name3, rbac.role_name_to_id)
        self.assertNotIn(name4, rbac.role_name_to_id)

        self.assertIn(id1, rbac.registry._roles)
        self.assertIn(id2, rbac.registry._roles)
        self.assertIn(id3, rbac.registry._roles)
        self.assertNotIn(id4, rbac.registry._roles)
示例#3
0
    def test_edit_permission_does_not_exist(self):

        id, name = 1, 'name'

        rbac = RBAC()
        rbac.create_permission(id, name)
        self.assertRaises(ValueError, rbac.edit_permission, 1234, 'new_name')
示例#4
0
    def test_edit_permission_does_not_exist(self):

        id, name = 1, 'name'

        rbac = RBAC()
        rbac.create_permission(id, name)
        self.assertRaises(ValueError, rbac.edit_permission, 1234, 'new_name')
示例#5
0
    def test_create_resource(self):
        name1, name2 = 'name1', 'name2'

        rbac = RBAC()
        rbac.create_resource(name1)
        rbac.create_resource(name2)

        self.assertEquals(rbac.registry._resources[name1], set())
        self.assertEquals(rbac.registry._resources[name2], set())
示例#6
0
    def test_create_resource(self):
        name1, name2 = 'name1', 'name2'

        rbac = RBAC()
        rbac.create_resource(name1)
        rbac.create_resource(name2)

        self.assertEquals(rbac.registry._resources[name1], set())
        self.assertEquals(rbac.registry._resources[name2], set())
示例#7
0
    def test_delete_permission_no_client_permission(self):

        id, name = 1, 'name'

        rbac = RBAC()
        rbac.create_permission(id, name)
        rbac.delete_permission(id)

        self.assertTrue(id not in rbac.permissions)
示例#8
0
    def test_delete_resource_no_roles(self):
        name1, name2 = 'name1', 'name2'

        rbac = RBAC()
        rbac.create_resource(name1)
        rbac.create_resource(name2)
        rbac.delete_resource(name2)

        self.assertEquals(rbac.registry._resources[name1], set())
        self.assertNotIn(name2, rbac.registry._resources)
示例#9
0
    def test_create_client_role_valid_role(self):
        client_def1 = 'def1'
        client_def2 = 'def2'

        role_id1, role_name1 = 1, 'name1'
        role_id2, role_name2 = 2, 'name2'
        role_id3, role_name3 = 3, 'name3'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, None)
        rbac.create_role(role_id3, role_name3, None)

        rbac.create_client_role(client_def1, role_id1)
        rbac.create_client_role(client_def1, role_id2)

        rbac.create_client_role(client_def2, role_id2)
        rbac.create_client_role(client_def2, role_id3)

        self.assertEquals(rbac.client_def_to_role_id[client_def1], set([role_id1, role_id2]))
        self.assertEquals(rbac.client_def_to_role_id[client_def2], set([role_id2, role_id3]))

        self.assertEquals(rbac.role_id_to_client_def[role_id1], set([client_def1]))
        self.assertEquals(rbac.role_id_to_client_def[role_id2], set([client_def1, client_def2]))
示例#10
0
    def test_delete_role_parent_hierarchy_delete_leaf(self):

        id1, parent_id1 = 1, 11
        id2, id3, id4 = 2, 3, 4

        name1, name2, name3, name4 = 'name1', 'name2', 'name3', 'name4'

        rbac = RBAC()
        rbac.create_role(id1, name1, parent_id1)
        rbac.create_role(id2, name2, id1)
        rbac.create_role(id3, name3, id1)
        rbac.create_role(id4, name4, id2)

        rbac.delete_role(id4, name4)

        self.assertIn(id1, rbac.role_id_to_name)
        self.assertIn(id2, rbac.role_id_to_name)
        self.assertIn(id3, rbac.role_id_to_name)
        self.assertNotIn(id4, rbac.role_id_to_name)

        self.assertIn(name1, rbac.role_name_to_id)
        self.assertIn(name2, rbac.role_name_to_id)
        self.assertIn(name3, rbac.role_name_to_id)
        self.assertNotIn(name4, rbac.role_name_to_id)

        self.assertIn(id1, rbac.registry._roles)
        self.assertIn(id2, rbac.registry._roles)
        self.assertIn(id3, rbac.registry._roles)
        self.assertNotIn(id4, rbac.registry._roles)
示例#11
0
    def test_create_role_parent_not_given(self):

        id, name = rand_int(), rand_string()

        rbac = RBAC()
        rbac.create_role(id, name, None)

        self.assertEqual(rbac.role_id_to_name[id], name)
        self.assertEqual(rbac.role_name_to_id[name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set())
示例#12
0
    def test_create_role_parent_not_given(self):

        id, name = rand_int(), rand_string()

        rbac = RBAC()
        rbac.create_role(id, name, None)

        self.assertEqual(rbac.role_id_to_name[id], name)
        self.assertEqual(rbac.role_name_to_id[name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set())
示例#13
0
    def test_create_permission(self):

        id1, name1 = 1, 'name1'
        id2, name2 = 2, 'name2'

        rbac = RBAC()
        rbac.create_permission(id1, name1)
        rbac.create_permission(id2, name2)

        self.assertEquals(rbac.permissions[id1], name1)
        self.assertEquals(rbac.permissions[id2], name2)
示例#14
0
    def test_create_permission(self):

        id1, name1 = 1, 'name1'
        id2, name2 = 2, 'name2'

        rbac = RBAC()
        rbac.create_permission(id1, name1)
        rbac.create_permission(id2, name2)

        self.assertEquals(rbac.permissions[id1], name1)
        self.assertEquals(rbac.permissions[id2], name2)
示例#15
0
    def test_create_role_parent_different_than_id(self):

        id, parent_id = 1, 11
        name = rand_string()

        rbac = RBAC()
        rbac.create_role(id, name, parent_id)

        self.assertEqual(rbac.role_id_to_name[id], name)
        self.assertEqual(rbac.role_name_to_id[name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set([parent_id]))
示例#16
0
    def test_create_role_parent_different_than_id(self):

        id, parent_id = 1, 11
        name = rand_string()

        rbac = RBAC()
        rbac.create_role(id, name, parent_id)

        self.assertEqual(rbac.role_id_to_name[id], name)
        self.assertEqual(rbac.role_name_to_id[name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set([parent_id]))
示例#17
0
    def test_edit_role_change_name_only(self):

        id, parent_id = rand_int(count=2)
        old_name, new_name = rand_string(2)

        rbac = RBAC()
        rbac.create_role(id, old_name, parent_id)
        rbac.edit_role(id, old_name, new_name, parent_id)

        self.assertEqual(rbac.role_id_to_name[id], new_name)
        self.assertEqual(rbac.role_name_to_id[new_name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set([parent_id]))
示例#18
0
    def test_edit_role_change_parent_id_only(self):

        id = rand_int()
        old_parent_id, new_parent_id = uuid4().int, uuid4().int # Using uuid4 to make sure they really are unique
        old_name = new_name = rand_string()

        rbac = RBAC()
        rbac.create_role(id, old_name, old_parent_id)
        rbac.edit_role(id, old_name, new_name, new_parent_id)

        self.assertEqual(rbac.role_id_to_name[id], new_name)
        self.assertEqual(rbac.role_name_to_id[new_name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set([new_parent_id]))
示例#19
0
    def test_edit_permission_exists(self):

        id1, name1 = 1, 'name1'
        id2, name2 = 2, 'name2'

        new_name1 = 'new_name1'

        rbac = RBAC()
        rbac.create_permission(id1, name1)
        rbac.create_permission(id2, name2)
        rbac.edit_permission(id1, new_name1)

        self.assertEquals(rbac.permissions[id1], new_name1)
        self.assertEquals(rbac.permissions[id2], name2)
示例#20
0
    def test_create_client_role_invalid_role(self):
        client_def = rand_string()
        role_id = rand_int()

        rbac = RBAC()
        self.assertRaises(ValueError, rbac.create_client_role, client_def,
                          role_id)
示例#21
0
    def test_create_role_parent_hierarchy(self):

        id1, parent_id1 = 1, 11
        id2, id3, id4 = 2, 3, 4

        name1, name2, name3, name4 = 'name1', 'name2', 'name3', 'name4'

        rbac = RBAC()
        rbac.create_role(id1, name1, parent_id1)
        rbac.create_role(id2, name2, id1)
        rbac.create_role(id3, name3, id1)
        rbac.create_role(id4, name4, id2)

        self.assertEqual(rbac.role_id_to_name[id1], name1)
        self.assertEqual(rbac.role_id_to_name[id2], name2)
        self.assertEqual(rbac.role_id_to_name[id3], name3)
        self.assertEqual(rbac.role_id_to_name[id4], name4)

        self.assertIn(id1, rbac.registry._roles)
        self.assertIn(id2, rbac.registry._roles)
        self.assertIn(id3, rbac.registry._roles)
        self.assertIn(id4, rbac.registry._roles)

        self.assertEquals(rbac.registry._roles[id1], set([parent_id1]))
        self.assertEquals(rbac.registry._roles[id2], set([id1]))
        self.assertEquals(rbac.registry._roles[id3], set([id1]))
        self.assertEquals(rbac.registry._roles[id4], set([id2]))

        self.assertEquals(sorted(get_family(rbac.registry._roles, id1)), [None, id1, parent_id1])
        self.assertEquals(sorted(get_family(rbac.registry._roles, id2)), [None, id1, id2, parent_id1])
        self.assertEquals(sorted(get_family(rbac.registry._roles, id3)), [None, id1, id3, parent_id1])
        self.assertEquals(sorted(get_family(rbac.registry._roles, id4)), [None, id1, id2, id4, parent_id1])
示例#22
0
    def test_delete_role_parent_not_given(self):

        id, name = rand_int(), rand_string()

        rbac = RBAC()

        # Create and confirm it was added
        rbac.create_role(id, name, None)

        self.assertEqual(rbac.role_id_to_name[id], name)
        self.assertEqual(rbac.role_name_to_id[name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set())

        # Delete and confirm the action
        rbac.delete_role(id, name)

        self.assertNotIn(id, rbac.role_id_to_name)
        self.assertNotIn(name, rbac.role_name_to_id)
        self.assertNotIn(id, rbac.registry._roles)
示例#23
0
    def test_delete_permission_no_client_permission(self):

        id, name = 1, 'name'

        rbac = RBAC()
        rbac.create_permission(id, name)
        rbac.delete_permission(id)

        self.assertTrue(id not in rbac.permissions)
示例#24
0
    def test_delete_resource_no_roles(self):
        name1, name2 = 'name1', 'name2'

        rbac = RBAC()
        rbac.create_resource(name1)
        rbac.create_resource(name2)
        rbac.delete_resource(name2)

        self.assertEquals(rbac.registry._resources[name1], set())
        self.assertNotIn(name2, rbac.registry._resources)
示例#25
0
    def test_edit_role_change_name_only(self):

        id, parent_id = rand_int(count=2)
        old_name, new_name = rand_string(2)

        rbac = RBAC()
        rbac.create_role(id, old_name, parent_id)
        rbac.edit_role(id, old_name, new_name, parent_id)

        self.assertEqual(rbac.role_id_to_name[id], new_name)
        self.assertEqual(rbac.role_name_to_id[new_name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set([parent_id]))
示例#26
0
    def test_edit_permission_exists(self):

        id1, name1 = 1, 'name1'
        id2, name2 = 2, 'name2'

        new_name1 = 'new_name1'

        rbac = RBAC()
        rbac.create_permission(id1, name1)
        rbac.create_permission(id2, name2)
        rbac.edit_permission(id1, new_name1)

        self.assertEquals(rbac.permissions[id1], new_name1)
        self.assertEquals(rbac.permissions[id2], name2)
示例#27
0
    def test_edit_role_change_parent_id_only(self):

        id = rand_int()
        old_parent_id, new_parent_id = uuid4().int, uuid4(
        ).int  # Using uuid4 to make sure they really are unique
        old_name = new_name = rand_string()

        rbac = RBAC()
        rbac.create_role(id, old_name, old_parent_id)
        rbac.edit_role(id, old_name, new_name, new_parent_id)

        self.assertEqual(rbac.role_id_to_name[id], new_name)
        self.assertEqual(rbac.role_name_to_id[new_name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set([new_parent_id]))
示例#28
0
    def test_create_role_parent_hierarchy(self):

        id1, parent_id1 = 1, 11
        id2, id3, id4 = 2, 3, 4

        name1, name2, name3, name4 = 'name1', 'name2', 'name3', 'name4'

        rbac = RBAC()
        rbac.create_role(id1, name1, parent_id1)
        rbac.create_role(id2, name2, id1)
        rbac.create_role(id3, name3, id1)
        rbac.create_role(id4, name4, id2)

        self.assertEqual(rbac.role_id_to_name[id1], name1)
        self.assertEqual(rbac.role_id_to_name[id2], name2)
        self.assertEqual(rbac.role_id_to_name[id3], name3)
        self.assertEqual(rbac.role_id_to_name[id4], name4)

        self.assertIn(id1, rbac.registry._roles)
        self.assertIn(id2, rbac.registry._roles)
        self.assertIn(id3, rbac.registry._roles)
        self.assertIn(id4, rbac.registry._roles)

        self.assertEquals(rbac.registry._roles[id1], set([parent_id1]))
        self.assertEquals(rbac.registry._roles[id2], set([id1]))
        self.assertEquals(rbac.registry._roles[id3], set([id1]))
        self.assertEquals(rbac.registry._roles[id4], set([id2]))

        self.assertEquals(sorted(get_family(rbac.registry._roles, id1)),
                          [None, id1, parent_id1])
        self.assertEquals(sorted(get_family(rbac.registry._roles, id2)),
                          [None, id1, id2, parent_id1])
        self.assertEquals(sorted(get_family(rbac.registry._roles, id3)),
                          [None, id1, id3, parent_id1])
        self.assertEquals(sorted(get_family(rbac.registry._roles, id4)),
                          [None, id1, id2, id4, parent_id1])
示例#29
0
    def test_delete_role_parent_not_given(self):

        id, name = rand_int(), rand_string()

        rbac = RBAC()

        # Create and confirm it was added
        rbac.create_role(id, name, None)

        self.assertEqual(rbac.role_id_to_name[id], name)
        self.assertEqual(rbac.role_name_to_id[name], id)
        self.assertIn(id, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id], set())

        # Delete and confirm the action
        rbac.delete_role(id, name)

        self.assertNotIn(id, rbac.role_id_to_name)
        self.assertNotIn(name, rbac.role_name_to_id)
        self.assertNotIn(id, rbac.registry._roles)
示例#30
0
    def test_delete_role_permission_deny(self):

        role_id1, role_id2 = 1, 2
        role_name1, role_name2 = 'role_name1', 'role_name2'

        res_name1, res_name2 = 'res_name1', 'res_name2'

        perm_id1, perm_id2 = 11, 22
        perm_name1, perm_name2 = 'perm_name1', 'perm_name2'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, None)

        rbac.create_resource(res_name1)
        rbac.create_resource(res_name2)

        rbac.create_permission(perm_id1, perm_name1)
        rbac.create_permission(perm_id2, perm_name2)

        rbac.create_role_permission_deny(role_id1, perm_id1, res_name1)
        rbac.create_role_permission_deny(role_id1, perm_id2, res_name1)

        rbac.create_role_permission_deny(role_id2, perm_id1, res_name2)
        rbac.create_role_permission_deny(role_id2, perm_id2, res_name2)

        self.assertIn((role_id1, perm_id1, res_name1), rbac.registry._denied)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._denied)

        self.assertIn((role_id2, perm_id1, res_name2), rbac.registry._denied)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._denied)

        rbac.delete_role_permission_deny(role_id1, perm_id1, res_name1)
        rbac.delete_role_permission_deny(role_id2, perm_id1, res_name2)

        self.assertNotIn((role_id1, perm_id1, res_name1), rbac.registry._denied)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._denied)

        self.assertNotIn((role_id2, perm_id1, res_name2), rbac.registry._denied)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._denied)
示例#31
0
    def test_edit_role_parent_hierarchy(self):

        id1, parent_id1 = 1, 11
        id2, id3, id4 = 2, 3, 4

        parent_id1_new, parent_id2_new, parent_id3_new = 111, 222, 333

        name1, name2, name3, name4 = 'name1', 'name2', 'name3', 'name4'
        name1_new, name3_new, name4_new = 'name1_new', 'name3_new', 'name4_new'

        rbac = RBAC()
        rbac.create_role(id1, name1, parent_id1)
        rbac.create_role(id2, name2, id1)
        rbac.create_role(id3, name3, id1)
        rbac.create_role(id4, name4, id2)

        # Changing only the name here
        rbac.edit_role(id1, name1, name1_new, parent_id1)
        self.assertEqual(rbac.role_id_to_name[id1], name1_new)
        self.assertIn(id1, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id1], set([parent_id1]))
        self.assertEquals(sorted(get_family(rbac.registry._roles, id1)),
                          [None, id1, parent_id1])

        # Changing the id1's parent ID here
        rbac.edit_role(id1, name1_new, name1_new, parent_id1_new)
        self.assertEqual(rbac.role_id_to_name[id1], name1_new)
        self.assertIn(id1, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id1], set([parent_id1_new]))
        self.assertEquals(sorted(get_family(rbac.registry._roles, id1)),
                          [None, id1, parent_id1_new])

        # Changing both name and parent ID of id3
        rbac.edit_role(id3, name3, name3_new, parent_id3_new)
        self.assertEqual(rbac.role_id_to_name[id3], name3_new)
        self.assertIn(id3, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id3], set([parent_id3_new]))
        self.assertEquals(sorted(get_family(rbac.registry._roles, id3)),
                          [None, id3, parent_id3_new])

        # id4 should have parent_id2_new as one of its predecessors as a result of the first edit
        # whereas the second one should update id4's name.
        rbac.edit_role(id2, name2, name2, parent_id2_new)
        rbac.edit_role(id4, name4, name4_new, id2)

        self.assertEquals(sorted(get_family(rbac.registry._roles, id4)),
                          [None, id2, id4, parent_id2_new])
        self.assertEqual(rbac.role_id_to_name[id4], name4_new)
示例#32
0
    def test_delete_permission_has_role_permission(self):

        role_id1, role_name1 = 1, 'role_name1'
        role_id2, role_name2 = 2, 'role_name2'

        perm_id1, perm_name1 = 11, 'perm_name1'
        perm_id2, perm_name2 = 22, 'perm_name2'

        res_name1, res_name2 = 'res_name1', 'res_name2'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, None)

        rbac.create_permission(perm_id1, perm_name1)
        rbac.create_permission(perm_id2, perm_name2)

        rbac.create_resource(res_name1)
        rbac.create_resource(res_name2)

        rbac.create_role_permission_allow(role_id1, perm_id1, res_name1)
        rbac.create_role_permission_allow(role_id1, perm_id2, res_name1)

        rbac.create_role_permission_allow(role_id2, perm_id1, res_name2)
        rbac.create_role_permission_allow(role_id2, perm_id2, res_name2)

        self.assertIn((role_id1, perm_id1, res_name1), rbac.registry._allowed)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._allowed)

        self.assertIn((role_id2, perm_id1, res_name2), rbac.registry._allowed)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._allowed)

        rbac.delete_permission(perm_id1)

        self.assertNotIn((role_id1, perm_id1, res_name1),
                         rbac.registry._allowed)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._allowed)

        self.assertNotIn((role_id2, perm_id1, res_name2),
                         rbac.registry._allowed)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._allowed)
示例#33
0
    def test_delete_role_permission_deny(self):

        role_id1, role_id2 = 1, 2
        role_name1, role_name2 = 'role_name1', 'role_name2'

        res_name1, res_name2 = 'res_name1', 'res_name2'

        perm_id1, perm_id2 = 11, 22
        perm_name1, perm_name2 = 'perm_name1', 'perm_name2'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, None)

        rbac.create_resource(res_name1)
        rbac.create_resource(res_name2)

        rbac.create_permission(perm_id1, perm_name1)
        rbac.create_permission(perm_id2, perm_name2)

        rbac.create_role_permission_deny(role_id1, perm_id1, res_name1)
        rbac.create_role_permission_deny(role_id1, perm_id2, res_name1)

        rbac.create_role_permission_deny(role_id2, perm_id1, res_name2)
        rbac.create_role_permission_deny(role_id2, perm_id2, res_name2)

        self.assertIn((role_id1, perm_id1, res_name1), rbac.registry._denied)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._denied)

        self.assertIn((role_id2, perm_id1, res_name2), rbac.registry._denied)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._denied)

        rbac.delete_role_permission_deny(role_id1, perm_id1, res_name1)
        rbac.delete_role_permission_deny(role_id2, perm_id1, res_name2)

        self.assertNotIn((role_id1, perm_id1, res_name1),
                         rbac.registry._denied)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._denied)

        self.assertNotIn((role_id2, perm_id1, res_name2),
                         rbac.registry._denied)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._denied)
示例#34
0
    def test_delete_permission_has_role_permission(self):

        role_id1, role_name1 = 1, 'role_name1'
        role_id2, role_name2 = 2, 'role_name2'

        perm_id1, perm_name1 = 11, 'perm_name1'
        perm_id2, perm_name2 = 22, 'perm_name2'

        res_name1, res_name2 = 'res_name1', 'res_name2'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, None)

        rbac.create_permission(perm_id1, perm_name1)
        rbac.create_permission(perm_id2, perm_name2)

        rbac.create_resource(res_name1)
        rbac.create_resource(res_name2)

        rbac.create_role_permission_allow(role_id1, perm_id1, res_name1)
        rbac.create_role_permission_allow(role_id1, perm_id2, res_name1)

        rbac.create_role_permission_allow(role_id2, perm_id1, res_name2)
        rbac.create_role_permission_allow(role_id2, perm_id2, res_name2)

        self.assertIn((role_id1, perm_id1, res_name1), rbac.registry._allowed)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._allowed)

        self.assertIn((role_id2, perm_id1, res_name2), rbac.registry._allowed)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._allowed)

        rbac.delete_permission(perm_id1)

        self.assertNotIn((role_id1, perm_id1, res_name1), rbac.registry._allowed)
        self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._allowed)

        self.assertNotIn((role_id2, perm_id1, res_name2), rbac.registry._allowed)
        self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._allowed)
示例#35
0
    def test_edit_role_parent_hierarchy(self):

        id1, parent_id1 = 1, 11
        id2, id3, id4 = 2, 3, 4

        parent_id1_new, parent_id2_new, parent_id3_new = 111, 222, 333

        name1, name2, name3, name4 = 'name1', 'name2', 'name3', 'name4'
        name1_new, name3_new, name4_new = 'name1_new', 'name3_new', 'name4_new'

        rbac = RBAC()
        rbac.create_role(id1, name1, parent_id1)
        rbac.create_role(id2, name2, id1)
        rbac.create_role(id3, name3, id1)
        rbac.create_role(id4, name4, id2)

        # Changing only the name here
        rbac.edit_role(id1, name1, name1_new, parent_id1)
        self.assertEqual(rbac.role_id_to_name[id1], name1_new)
        self.assertIn(id1, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id1], set([parent_id1]))
        self.assertEquals(sorted(get_family(rbac.registry._roles, id1)), [None, id1, parent_id1])

        # Changing the id1's parent ID here
        rbac.edit_role(id1, name1_new, name1_new, parent_id1_new)
        self.assertEqual(rbac.role_id_to_name[id1], name1_new)
        self.assertIn(id1, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id1], set([parent_id1_new]))
        self.assertEquals(sorted(get_family(rbac.registry._roles, id1)), [None, id1, parent_id1_new])

        # Changing both name and parent ID of id3
        rbac.edit_role(id3, name3, name3_new, parent_id3_new)
        self.assertEqual(rbac.role_id_to_name[id3], name3_new)
        self.assertIn(id3, rbac.registry._roles)
        self.assertEquals(rbac.registry._roles[id3], set([parent_id3_new]))
        self.assertEquals(sorted(get_family(rbac.registry._roles, id3)), [None, id3, parent_id3_new])

        # id4 should have parent_id2_new as one of its predecessors as a result of the first edit
        # whereas the second one should update id4's name.
        rbac.edit_role(id2, name2, name2, parent_id2_new)
        rbac.edit_role(id4, name4, name4_new, id2)

        self.assertEquals(sorted(get_family(rbac.registry._roles, id4)), [None, id2, id4, parent_id2_new])
        self.assertEqual(rbac.role_id_to_name[id4], name4_new)
示例#36
0
    def test_is_role_allowed_parent_hierarchy(self):

        role_id1, role_id2 = 1, 2
        role_name1, role_name2 = 'role_name1', 'role_name2'

        res_name1, res_name2 = 'res_name1', 'res_name2'

        perm_id1 = 11
        perm_name1 = 'perm_name1'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, role_id1)

        rbac.create_resource(res_name1)
        rbac.create_resource(res_name2)

        rbac.create_permission(perm_id1, perm_name1)

        rbac.create_role_permission_allow(role_id2, perm_id1, res_name1)
        rbac.create_role_permission_deny(role_id2, perm_id1, res_name2)

        self.assertTrue(rbac.is_role_allowed(role_id2, perm_id1, res_name1))
        self.assertFalse(rbac.is_role_allowed(role_id2, perm_id1, res_name2))

        # Denied implicitly because there is no explicit 'allow'
        self.assertFalse(rbac.is_role_allowed(role_id1, perm_id1, res_name1))
        self.assertFalse(rbac.is_role_allowed(role_id1, perm_id1, res_name2))
示例#37
0
    def test_is_role_allowed_parent_hierarchy(self):

        role_id1, role_id2 = 1, 2
        role_name1, role_name2 = 'role_name1', 'role_name2'

        res_name1, res_name2 = 'res_name1', 'res_name2'

        perm_id1 = 11
        perm_name1 = 'perm_name1'

        rbac = RBAC()

        rbac.create_role(role_id1, role_name1, None)
        rbac.create_role(role_id2, role_name2, role_id1)

        rbac.create_resource(res_name1)
        rbac.create_resource(res_name2)

        rbac.create_permission(perm_id1, perm_name1)

        rbac.create_role_permission_allow(role_id2, perm_id1, res_name1)
        rbac.create_role_permission_deny(role_id2, perm_id1, res_name2)

        self.assertTrue(rbac.is_role_allowed(role_id2, perm_id1, res_name1))
        self.assertFalse(rbac.is_role_allowed(role_id2, perm_id1, res_name2))

        # Denied implicitly because there is no explicit 'allow'
        self.assertFalse(rbac.is_role_allowed(role_id1, perm_id1, res_name1))
        self.assertFalse(rbac.is_role_allowed(role_id1, perm_id1, res_name2))