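--- a/[path not shown on page]
+++ b/[path not shown on page]
@@ -1,145 +1,235 @@
 #!/usr/bin/env python
 # Copyright 2016 The LUCI Authors. All rights reserved.
 # Use of this source code is governed under the Apache License, Version 2.0
 # that can be found in the LICENSE file.
 
 import logging
 import sys
 import unittest
 
 import test_env
 test_env.setup_test_env()
 
 # from components.auth import api
 from components import auth
 from components import auth_testing
 from components import utils
 from server import config
 from test_support import test_case
 
 from proto import config_pb2
 
-import acl
+from server import acl
+from server import task_request
 
 
 # Default names of authorization groups.
 ADMINS_GROUP = 'administrators'
 PRIVILEGED_USERS_GROUP = ADMINS_GROUP
 USERS_GROUP = ADMINS_GROUP
 BOT_BOOTSTRAP_GROUP = ADMINS_GROUP
 
 
 class AclTest(test_case.TestCase):
   def setUp(self):
     super(AclTest, self).setUp()
-
+    def settings():
+      return config_pb2.SettingsCfg(
+          auth=config_pb2.AuthSettings(
+              admins_group='admins',
+              bot_bootstrap_group='bot_bootstrap',
+              privileged_users_group='privileged_users',
+              users_group='users',
+              view_all_bots_group='view_all_bots',
+              view_all_tasks_group='view_all_tasks'))
+    self.mock(config, 'settings', settings)
     auth_testing.reset_local_state()
-    utils.clear_cache(config.settings)
+    self._task_owned = task_request.TaskRequest(
+        authenticated=auth.get_current_identity())
+    self._task_other = task_request.TaskRequest(
+        authenticated=auth.Identity(auth.IDENTITY_USER, 'larry@localhost'))
 
   @staticmethod
-  def add_to_group(group):
+  def _add_to_group(group):
     auth.bootstrap_group(group, [auth.get_current_identity()])
+    auth_testing.reset_local_state()
 
-  def add_to_admin(self):
+  def test_nobody(self):
+    self.mock(auth, 'get_current_identity', lambda: auth.IDENTITY_ANONYMOUS)
+    self.assertFalse(acl.is_ip_whitelisted_machine())
+    self.assertFalse(acl.can_access())
+    self.assertFalse(acl.can_view_config())
+    self.assertFalse(acl.can_edit_config())
+    self.assertFalse(acl.can_create_bot())
+    self.assertFalse(acl.can_edit_bot())
+    self.assertFalse(acl.can_delete_bot())
+    self.assertFalse(acl.can_view_bot())
+    self.assertFalse(acl.can_create_task())
+    self.assertFalse(acl.can_schedule_high_priority_tasks())
+    self.assertFalse(acl.can_edit_task(self._task_owned))
+    self.assertFalse(acl.can_edit_task(self._task_other))
+    self.assertFalse(acl.can_edit_all_tasks())
+    self.assertFalse(acl.can_view_task(self._task_owned))
+    self.assertFalse(acl.can_view_task(self._task_other))
+    self.assertFalse(acl.can_view_all_tasks())
+
+  def test_instance_admin(self):
     auth_testing.mock_is_admin(self, True)
+    self.assertFalse(acl.is_ip_whitelisted_machine())
+    self.assertTrue(acl.can_access())
+    self.assertTrue(acl.can_view_config())
+    self.assertTrue(acl.can_edit_config())
+    self.assertTrue(acl.can_create_bot())
+    self.assertTrue(acl.can_edit_bot())
+    self.assertTrue(acl.can_delete_bot())
+    self.assertTrue(acl.can_view_bot())
+    self.assertTrue(acl.can_create_task())
+    self.assertTrue(acl.can_schedule_high_priority_tasks())
+    self.assertTrue(acl.can_edit_task(self._task_owned))
+    self.assertTrue(acl.can_edit_task(self._task_other))
+    self.assertTrue(acl.can_edit_all_tasks())
+    self.assertTrue(acl.can_view_task(self._task_owned))
+    self.assertTrue(acl.can_view_task(self._task_other))
+    self.assertTrue(acl.can_view_all_tasks())
 
-  def mock_auth_config(self, **kwargs):
-    cfg = config_pb2.SettingsCfg(auth=config_pb2.AuthSettings(**kwargs))
-    self.mock(config, '_get_settings', lambda: ('test_rev', cfg))
+  def test_ip_whitelisted(self):
+    self.mock(auth, 'is_in_ip_whitelist', lambda _name, _ip, _warn: True)
+    self.assertTrue(acl.is_ip_whitelisted_machine())
+    self.assertTrue(acl.can_access())
+    self.assertFalse(acl.can_view_config())
+    self.assertFalse(acl.can_edit_config())
+    self.assertFalse(acl.can_create_bot())
+    self.assertTrue(acl.can_edit_bot())
+    self.assertTrue(acl.can_delete_bot())
+    self.assertTrue(acl.can_view_bot())
+    self.assertTrue(acl.can_create_task())
+    self.assertTrue(acl.can_schedule_high_priority_tasks())
+    self.assertTrue(acl.can_edit_task(self._task_owned))
+    self.assertTrue(acl.can_edit_task(self._task_other))
+    self.assertFalse(acl.can_edit_all_tasks())
+    self.assertTrue(acl.can_view_task(self._task_owned))
+    self.assertTrue(acl.can_view_task(self._task_other))
+    self.assertFalse(acl.can_view_all_tasks())
 
-  def test_is_admin_app_admin(self):
-    self.add_to_admin()
-    self.assertTrue(acl.is_admin())
-    self.assertEqual(acl.get_user_type(), 'admin')
+  def test_admins(self):
+    self._add_to_group('admins')
+    self.assertFalse(acl.is_ip_whitelisted_machine())
+    self.assertTrue(acl.can_access())
+    self.assertTrue(acl.can_view_config())
+    self.assertTrue(acl.can_edit_config())
+    self.assertTrue(acl.can_create_bot())
+    self.assertTrue(acl.can_edit_bot())
+    self.assertTrue(acl.can_delete_bot())
+    self.assertTrue(acl.can_view_bot())
+    self.assertTrue(acl.can_create_task())
+    self.assertTrue(acl.can_schedule_high_priority_tasks())
+    self.assertTrue(acl.can_edit_task(self._task_owned))
+    self.assertTrue(acl.can_edit_task(self._task_other))
+    self.assertTrue(acl.can_edit_all_tasks())
+    self.assertTrue(acl.can_view_task(self._task_owned))
+    self.assertTrue(acl.can_view_task(self._task_other))
+    self.assertTrue(acl.can_view_all_tasks())
 
-  def test_is_admin_not_app_admin(self):
-    self.assertFalse(acl.is_admin())
-    self.assertIsNone(acl.get_user_type())
+  def test_bot_bootstrap(self):
+    self._add_to_group('bot_bootstrap')
+    self.assertFalse(acl.is_ip_whitelisted_machine())
+    self.assertFalse(acl.can_access())
+    self.assertFalse(acl.can_view_config())
+    self.assertFalse(acl.can_edit_config())
+    self.assertTrue(acl.can_create_bot())
+    self.assertFalse(acl.can_edit_bot())
+    self.assertFalse(acl.can_delete_bot())
+    self.assertFalse(acl.can_view_bot())
+    self.assertFalse(acl.can_create_task())
+    self.assertFalse(acl.can_schedule_high_priority_tasks())
+    self.assertTrue(acl.can_edit_task(self._task_owned))
+    self.assertFalse(acl.can_edit_task(self._task_other))
+    self.assertFalse(acl.can_edit_all_tasks())
+    self.assertTrue(acl.can_view_task(self._task_owned))
+    self.assertFalse(acl.can_view_task(self._task_other))
+    self.assertFalse(acl.can_view_all_tasks())
 
-  def test_is_admin_default_group(self):
-    self.add_to_group(ADMINS_GROUP)
-    self.assertTrue(acl.is_admin())
-    self.assertEqual(acl.get_user_type(), 'admin')
+  def test_privileged_users(self):
+    self._add_to_group('privileged_users')
+    self.assertFalse(acl.is_ip_whitelisted_machine())
+    self.assertTrue(acl.can_access())
+    self.assertFalse(acl.can_view_config())
+    self.assertFalse(acl.can_edit_config())
+    self.assertFalse(acl.can_create_bot())
+    self.assertTrue(acl.can_edit_bot())
+    self.assertFalse(acl.can_delete_bot())
+    self.assertTrue(acl.can_view_bot())
+    self.assertTrue(acl.can_create_task())
+    self.assertTrue(acl.can_schedule_high_priority_tasks())
+    self.assertTrue(acl.can_edit_task(self._task_owned))
+    self.assertTrue(acl.can_edit_task(self._task_other))
+    self.assertFalse(acl.can_edit_all_tasks())
+    self.assertTrue(acl.can_view_task(self._task_owned))
+    self.assertTrue(acl.can_view_task(self._task_other))
+    self.assertTrue(acl.can_view_all_tasks())
 
-  def test_is_admin_custom_group(self):
-    self.mock_auth_config(admins_group='test_group')
-    self.add_to_group('test_group')
-    self.assertTrue(acl.is_admin())
-    self.assertEqual(acl.get_user_type(), 'admin')
+  def test_users(self):
+    self._add_to_group('users')
+    self.assertFalse(acl.is_ip_whitelisted_machine())
+    self.assertTrue(acl.can_access())
+    self.assertFalse(acl.can_view_config())
+    self.assertFalse(acl.can_edit_config())
+    self.assertFalse(acl.can_create_bot())
+    self.assertFalse(acl.can_edit_bot())
+    self.assertFalse(acl.can_delete_bot())
+    self.assertFalse(acl.can_view_bot())
+    self.assertTrue(acl.can_create_task())
+    self.assertFalse(acl.can_schedule_high_priority_tasks())
+    self.assertTrue(acl.can_edit_task(self._task_owned))
+    self.assertFalse(acl.can_edit_task(self._task_other))
+    self.assertFalse(acl.can_edit_all_tasks())
+    self.assertTrue(acl.can_view_task(self._task_owned))
+    self.assertFalse(acl.can_view_task(self._task_other))
+    self.assertFalse(acl.can_view_all_tasks())
 
-  def test_is_privileged_user_admin(self):
-    self.add_to_admin()
-    self.assertTrue(acl.is_privileged_user())
-    self.assertEqual(acl.get_user_type(), 'admin')
+  def test_view_all_bots(self):
+    self._add_to_group('view_all_bots')
+    self.assertFalse(acl.is_ip_whitelisted_machine())
+    self.assertTrue(acl.can_access())
+    self.assertFalse(acl.can_view_config())
+    self.assertFalse(acl.can_edit_config())
+    self.assertFalse(acl.can_create_bot())
+    self.assertFalse(acl.can_edit_bot())
+    self.assertFalse(acl.can_delete_bot())
+    self.assertTrue(acl.can_view_bot())
+    self.assertFalse(acl.can_create_task())
+    self.assertFalse(acl.can_schedule_high_priority_tasks())
+    self.assertTrue(acl.can_edit_task(self._task_owned))
+    self.assertFalse(acl.can_edit_task(self._task_other))
+    self.assertFalse(acl.can_edit_all_tasks())
+    self.assertTrue(acl.can_view_task(self._task_owned))
+    self.assertFalse(acl.can_view_task(self._task_other))
+    self.assertFalse(acl.can_view_all_tasks())
 
-  def test_is_privileged_user_default_group(self):
-    self.add_to_group(PRIVILEGED_USERS_GROUP)
-    self.assertTrue(acl.is_privileged_user())
-    self.assertEqual(acl.get_user_type(), 'admin')
-
-  def test_is_privileged_user_custom_group(self):
-    self.mock_auth_config(privileged_users_group='test_group')
-    self.add_to_group('test_group')
-    self.assertTrue(acl.is_privileged_user())
-    self.assertEqual(acl.get_user_type(), 'privileged user')
-
-  def test_is_privileged_user_wrong_group(self):
-    self.mock_auth_config(privileged_users_group='test_group')
-    self.add_to_group('wrong_test_group')
-    self.assertFalse(acl.is_privileged_user())
-    self.assertIsNone(acl.get_user_type())
-
-  def test_is_user_privileged(self):
-    self.mock_auth_config(privileged_users_group='test_group')
-    self.add_to_group('test_group')
-    self.assertTrue(acl.is_user())
-    self.assertEqual(acl.get_user_type(), 'privileged user')
-
-  def test_is_user_default_group(self):
-    self.add_to_group(USERS_GROUP)
-    self.assertTrue(acl.is_user())
-    self.assertEqual(acl.get_user_type(), 'admin')
-
-  def test_is_user_custom_group(self):
-    self.mock_auth_config(users_group='test_group')
-    self.add_to_group('test_group')
-    self.assertTrue(acl.is_user())
-    self.assertEqual(acl.get_user_type(), 'user')
-
-  def test_is_user_wrong_group(self):
-    self.mock_auth_config(users_group='test_group')
-    self.add_to_group('wrong_test_group')
-    self.assertFalse(acl.is_user())
-    self.assertIsNone(acl.get_user_type())
-
-  def test_is_bootstrapper_admin(self):
-    self.add_to_admin()
-    self.assertTrue(acl.is_bootstrapper())
-    self.assertEqual(acl.get_user_type(), 'admin')
-
-  def test_is_bootstrapper_default_group(self):
-    self.add_to_group(BOT_BOOTSTRAP_GROUP)
-    self.assertTrue(acl.is_bootstrapper())
-    self.assertEqual(acl.get_user_type(), 'admin')
-
-  def test_is_bootstrapper_custom_group(self):
-    self.mock_auth_config(bot_bootstrap_group='test_group')
-    self.add_to_group('test_group')
-    self.assertTrue(acl.is_bootstrapper())
-    self.assertIsNone(acl.get_user_type())
-
-  def test_is_bootstrapper_wrong_group(self):
-    self.mock_auth_config(privileged_users_group='test_wrong_group',
-                          bot_bootstrap_group='test_correct_group')
-    self.add_to_group('test_wrong_group')
-    self.assertFalse(acl.is_bootstrapper())
-    self.assertEqual(acl.get_user_type(), 'privileged user')
+  def test_view_all_tasks(self):
+    self._add_to_group('view_all_tasks')
+    self.assertFalse(acl.is_ip_whitelisted_machine())
+    self.assertTrue(acl.can_access())
+    self.assertFalse(acl.can_view_config())
+    self.assertFalse(acl.can_edit_config())
+    self.assertFalse(acl.can_create_bot())
+    self.assertFalse(acl.can_edit_bot())
+    self.assertFalse(acl.can_delete_bot())
+    self.assertFalse(acl.can_view_bot())
+    self.assertFalse(acl.can_create_task())
+    self.assertFalse(acl.can_schedule_high_priority_tasks())
+    self.assertTrue(acl.can_edit_task(self._task_owned))
+    self.assertFalse(acl.can_edit_task(self._task_other))
+    self.assertFalse(acl.can_edit_all_tasks())
+    self.assertTrue(acl.can_view_task(self._task_owned))
+    self.assertTrue(acl.can_view_task(self._task_other))
+    self.assertTrue(acl.can_view_all_tasks())
 
 
 if __name__ == '__main__':
   if '-v' in sys.argv:
     unittest.TestCase.maxDiff = None
   logging.basicConfig(
       level=logging.DEBUG if '-v' in sys.argv else logging.CRITICAL)
   unittest.main()
 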
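Review bot: The module constants `ADMINS_GROUP`, `PRIVILEGED_USERS_GROUP`, `USERS_GROUP` and `BOT_BOOTSTRAP_GROUP` and the `from components import utils` import survive the rewrite but are no longer referenced anywhere in the new file, and with the old `*_default_group` tests gone there is no longer a test of the fallback group names used when an auth setting is left empty. Either delete the dead constants and import, or keep one test whose `settings()` omits the group names and asserts that membership of the default group still (and only) grants the expected rights — that fallback path is the one a misconfigured deployment exercises, so it is worth pinning. Separately, `self._task_owned` captures `auth.get_current_identity()` inside setUp, before `test_nobody` re-mocks the identity to `IDENTITY_ANONYMOUS`, so whether that test's "owned" task is actually attributed to the anonymous caller depends on what the identity was at setUp time; if the owner comparison is meant to be exercised there, build the task after the mock, e.g. `self._task_owned = task_request.TaskRequest(authenticated=auth.get_current_identity())` inside the test.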