
Side by Side Diff: appengine/config_service/acl_test.py

Issue 1224913002: luci-config: fine-grained acls (Closed) Base URL: git@github.com:luci/luci-py.git@master
Patch Set: identities in configs Created 5 years, 5 months ago
OLDNEW
1 #!/usr/bin/env python 1 #!/usr/bin/env python
2 # Copyright 2015 The Swarming Authors. All rights reserved. 2 # Copyright 2015 The Swarming Authors. All rights reserved.
3 # Use of this source code is governed by the Apache v2.0 license that can be 3 # Use of this source code is governed by the Apache v2.0 license that can be
4 # found in the LICENSE file. 4 # found in the LICENSE file.
5 5
6 import wsgiref.headers
7
8 from test_env import future 6 from test_env import future
9 import test_env 7 import test_env
10 test_env.setup_test_env() 8 test_env.setup_test_env()
11 9
12 from test_support import test_case 10 from test_support import test_case
13 import mock 11 import mock
14 12
15 from components import auth 13 from components import auth
16 14
15 from proto import project_config_pb2
17 from proto import service_config_pb2 16 from proto import service_config_pb2
18 import acl 17 import acl
18 import projects
19 import services
19 import storage 20 import storage
20 21
21 22
22 class AclTestCase(test_case.TestCase): 23 class AclTestCase(test_case.TestCase):
23 def setUp(self): 24 def setUp(self):
24 super(AclTestCase, self).setUp() 25 super(AclTestCase, self).setUp()
26 self.mock(auth, 'get_current_identity', mock.Mock())
27 auth.get_current_identity.return_value = auth.Anonymous
25 self.mock(auth, 'is_admin', lambda *_: False) 28 self.mock(auth, 'is_admin', lambda *_: False)
26 self.mock(auth, 'is_group_member', mock.Mock(return_value=False)) 29 self.mock(auth, 'is_group_member', mock.Mock(return_value=False))
30 self.mock(services, 'get_service_async', mock.Mock())
31 services.get_service_async.side_effect = lambda sid: future(None)
27 32
28 acl_cfg = service_config_pb2.AclCfg( 33 acl_cfg = service_config_pb2.AclCfg(
29 service_access_group='service-admins',
30 project_access_group='project-admins', 34 project_access_group='project-admins',
31 ) 35 )
32 self.mock(storage, 'get_self_config_async', lambda *_: future(acl_cfg)) 36 self.mock(storage, 'get_self_config_async', lambda *_: future(acl_cfg))
33 37
34 def test_admin_can_read_all(self): 38 def test_admin_can_read_all(self):
35 self.mock(auth, 'is_admin', mock.Mock(return_value=True)) 39 self.mock(auth, 'is_admin', mock.Mock(return_value=True))
36 self.assertTrue(acl.can_read_config_set('services/swarming')) 40 self.assertTrue(acl.can_read_config_set('services/swarming'))
37 self.assertTrue(acl.can_read_config_set('projects/chromium')) 41 self.assertTrue(acl.can_read_config_set('projects/chromium'))
38 self.assertTrue(acl.can_read_project_list()) 42 self.assertTrue(acl.has_project_access('chromium'))
39 43
40 def test_can_read_service_config(self): 44 def test_has_service_access(self):
41 auth.is_group_member.return_value = True
42 self.assertTrue(acl.can_read_config_set('services/swarming'))
43 auth.is_group_member.access_called_once_with('service-admins')
44
45 def test_can_read_service_config_header(self):
46 headers = wsgiref.headers.Headers([
47 ('X-Appengine-Inbound-Appid', 'swarming'),
48 ])
49 self.assertTrue(
50 acl.can_read_config_set('services/swarming', headers=headers))
51
52 def test_can_read_service_config_no_access(self):
53 self.assertFalse(acl.can_read_config_set('services/swarming')) 45 self.assertFalse(acl.can_read_config_set('services/swarming'))
54 46
55 def test_can_read_project_config(self): 47 service_cfg = service_config_pb2.Service(
56 auth.is_group_member.return_value = True 48 id='swarming', access=['group:swarming-app'])
57 self.assertTrue(acl.can_read_config_set('projects/swarming')) 49 services.get_service_async.side_effect = lambda sid: future(service_cfg)
58 auth.is_group_member.access_called_once_with('project-admins') 50 auth.is_group_member.side_effect = lambda g: g == 'swarming-app'
51
52 self.assertTrue(acl.can_read_config_set('services/swarming'))
53
54 def test_has_service_access_no_access(self):
55 self.assertFalse(acl.can_read_config_set('services/swarming'))
56
57 def test_has_project_access_group(self):
58 self.mock(projects, 'get_metadata', mock.Mock())
59 projects.get_metadata.return_value = project_config_pb2.ProjectCfg(
60 access=['group:googlers', 'a@a.com']
61 )
62
63 self.assertFalse(acl.can_read_config_set('projects/secret'))
64
65 auth.is_group_member.side_effect = lambda name: name == 'googlers'
66 self.assertTrue(acl.can_read_config_set('projects/secret'))
67
68 auth.is_group_member.side_effect = lambda name: name == 'project-admins'
69 self.assertTrue(acl.can_read_config_set('projects/secret'))
70
71 def test_has_project_access_identity(self):
72 self.mock(projects, 'get_metadata', mock.Mock())
73 projects.get_metadata.return_value = project_config_pb2.ProjectCfg(
74 access=['group:googlers', 'a@a.com']
75 )
76
77 self.assertFalse(acl.can_read_config_set('projects/secret'))
78
79 auth.get_current_identity.return_value = auth.Identity('user', 'a@a.com')
80 self.assertTrue(acl.can_read_config_set('projects/secret'))
59 81
60 def test_can_read_project_config_no_access(self): 82 def test_can_read_project_config_no_access(self):
61 self.assertFalse(acl.can_read_config_set('projects/swarming')) 83 self.assertFalse(acl.has_project_access('projects/swarming'))
62 self.assertFalse(acl.can_read_config_set('projects/swarming/refs/heads/x')) 84 self.assertFalse(acl.can_read_config_set('projects/swarming/refs/heads/x'))
63 85
64 def test_malformed_config_set(self): 86 def test_malformed_config_set(self):
65 with self.assertRaises(ValueError): 87 with self.assertRaises(ValueError):
66 acl.can_read_config_set('invalid config set') 88 acl.can_read_config_set('invalid config set')
67 89
68 90
69 if __name__ == '__main__': 91 if __name__ == '__main__':
70 test_env.main() 92 test_env.main()
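Review bot: In test_can_read_project_config_no_access (new line 83) `acl.has_project_access` is given the config set name `'projects/swarming'`, while test_admin_can_read_all (new line 42) calls it with the bare project id `'chromium'`. If the function takes a project id, as that call suggests (acl.py is not shown here), the denial is asserted for a project name that cannot exist, so it would still pass if access to `swarming` were wrongly granted; `self.assertFalse(acl.has_project_access('swarming'))` would test the intended case. This test also does not mock `projects.get_metadata` the way the two tests above it do, so its result may depend on what the unmocked lookup returns. test_has_project_access_identity would be stronger with a negative case for a non-matching identity, for example `auth.get_current_identity.return_value = auth.Identity('user', 'b@b.com')` followed by an `assertFalse` on the same config set.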