def test_is_role_allowed_parent_hierarchy(self): role_id1, role_id2 = 1, 2 role_name1, role_name2 = 'role_name1', 'role_name2' res_name1, res_name2 = 'res_name1', 'res_name2' perm_id1 = 11 perm_name1 = 'perm_name1' rbac = RBAC() rbac.create_role(role_id1, role_name1, None) rbac.create_role(role_id2, role_name2, role_id1) rbac.create_resource(res_name1) rbac.create_resource(res_name2) rbac.create_permission(perm_id1, perm_name1) rbac.create_role_permission_allow(role_id2, perm_id1, res_name1) rbac.create_role_permission_deny(role_id2, perm_id1, res_name2) self.assertTrue(rbac.is_role_allowed(role_id2, perm_id1, res_name1)) self.assertFalse(rbac.is_role_allowed(role_id2, perm_id1, res_name2)) # Denied implicitly because there is no explicit 'allow' self.assertFalse(rbac.is_role_allowed(role_id1, perm_id1, res_name1)) self.assertFalse(rbac.is_role_allowed(role_id1, perm_id1, res_name2))
def test_edit_permission_does_not_exist(self): id, name = 1, 'name' rbac = RBAC() rbac.create_permission(id, name) self.assertRaises(ValueError, rbac.edit_permission, 1234, 'new_name')
def test_create_role_permission_deny(self): role_id1, role_id2 = 1, 2 role_name1, role_name2 = 'role_name1', 'role_name2' res_name1, res_name2 = 'res_name1', 'res_name2' perm_id1, perm_id2 = 11, 22 perm_name1, perm_name2 = 'perm_name1', 'perm_name2' rbac = RBAC() rbac.create_role(role_id1, role_name1, None) rbac.create_role(role_id2, role_name2, None) rbac.create_resource(res_name1) rbac.create_resource(res_name2) rbac.create_permission(perm_id1, perm_name1) rbac.create_permission(perm_id2, perm_name2) rbac.create_role_permission_deny(role_id1, perm_id1, res_name1) rbac.create_role_permission_deny(role_id1, perm_id2, res_name1) rbac.create_role_permission_deny(role_id2, perm_id1, res_name2) rbac.create_role_permission_deny(role_id2, perm_id2, res_name2) self.assertIn((role_id1, perm_id1, res_name1), rbac.registry._denied) self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._denied) self.assertIn((role_id2, perm_id1, res_name2), rbac.registry._denied) self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._denied)
def test_delete_permission_no_client_permission(self): id, name = 1, 'name' rbac = RBAC() rbac.create_permission(id, name) rbac.delete_permission(id) self.assertTrue(id not in rbac.permissions)
def test_create_permission(self): id1, name1 = 1, 'name1' id2, name2 = 2, 'name2' rbac = RBAC() rbac.create_permission(id1, name1) rbac.create_permission(id2, name2) self.assertEquals(rbac.permissions[id1], name1) self.assertEquals(rbac.permissions[id2], name2)
def test_edit_permission_exists(self): id1, name1 = 1, 'name1' id2, name2 = 2, 'name2' new_name1 = 'new_name1' rbac = RBAC() rbac.create_permission(id1, name1) rbac.create_permission(id2, name2) rbac.edit_permission(id1, new_name1) self.assertEquals(rbac.permissions[id1], new_name1) self.assertEquals(rbac.permissions[id2], name2)
def test_delete_permission_has_role_permission(self): role_id1, role_name1 = 1, 'role_name1' role_id2, role_name2 = 2, 'role_name2' perm_id1, perm_name1 = 11, 'perm_name1' perm_id2, perm_name2 = 22, 'perm_name2' res_name1, res_name2 = 'res_name1', 'res_name2' rbac = RBAC() rbac.create_role(role_id1, role_name1, None) rbac.create_role(role_id2, role_name2, None) rbac.create_permission(perm_id1, perm_name1) rbac.create_permission(perm_id2, perm_name2) rbac.create_resource(res_name1) rbac.create_resource(res_name2) rbac.create_role_permission_allow(role_id1, perm_id1, res_name1) rbac.create_role_permission_allow(role_id1, perm_id2, res_name1) rbac.create_role_permission_allow(role_id2, perm_id1, res_name2) rbac.create_role_permission_allow(role_id2, perm_id2, res_name2) self.assertIn((role_id1, perm_id1, res_name1), rbac.registry._allowed) self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._allowed) self.assertIn((role_id2, perm_id1, res_name2), rbac.registry._allowed) self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._allowed) rbac.delete_permission(perm_id1) self.assertNotIn((role_id1, perm_id1, res_name1), rbac.registry._allowed) self.assertIn((role_id1, perm_id2, res_name1), rbac.registry._allowed) self.assertNotIn((role_id2, perm_id1, res_name2), rbac.registry._allowed) self.assertIn((role_id2, perm_id2, res_name2), rbac.registry._allowed)