commit | author | age
|
a1a9fb
|
1 |
import unittest |
CM |
2 |
|
b60bdb
|
3 |
from pyramid.testing import cleanUp |
a1a9fb
|
4 |
|
0c29cf
|
5 |
|
a1a9fb
|
6 |
class TestACLAuthorizationPolicy(unittest.TestCase): |
CM |
7 |
def setUp(self): |
|
8 |
cleanUp() |
|
9 |
|
|
10 |
def tearDown(self): |
|
11 |
cleanUp() |
|
12 |
|
|
13 |
def _getTargetClass(self): |
b60bdb
|
14 |
from pyramid.authorization import ACLAuthorizationPolicy |
0c29cf
|
15 |
|
a1a9fb
|
16 |
return ACLAuthorizationPolicy |
CM |
17 |
|
|
18 |
def _makeOne(self): |
|
19 |
return self._getTargetClass()() |
|
20 |
|
|
21 |
def test_class_implements_IAuthorizationPolicy(self): |
|
22 |
from zope.interface.verify import verifyClass |
b60bdb
|
23 |
from pyramid.interfaces import IAuthorizationPolicy |
0c29cf
|
24 |
|
a1a9fb
|
25 |
verifyClass(IAuthorizationPolicy, self._getTargetClass()) |
CM |
26 |
|
|
27 |
def test_instance_implements_IAuthorizationPolicy(self): |
|
28 |
from zope.interface.verify import verifyObject |
b60bdb
|
29 |
from pyramid.interfaces import IAuthorizationPolicy |
0c29cf
|
30 |
|
a1a9fb
|
31 |
verifyObject(IAuthorizationPolicy, self._makeOne()) |
CM |
32 |
|
|
33 |
def test_permits_no_acl(self): |
|
34 |
context = DummyContext() |
|
35 |
policy = self._makeOne() |
|
36 |
self.assertEqual(policy.permits(context, [], 'view'), False) |
0c29cf
|
37 |
|
a1a9fb
|
38 |
def test_permits(self): |
b60bdb
|
39 |
from pyramid.security import Deny |
CM |
40 |
from pyramid.security import Allow |
|
41 |
from pyramid.security import Everyone |
|
42 |
from pyramid.security import Authenticated |
|
43 |
from pyramid.security import ALL_PERMISSIONS |
|
44 |
from pyramid.security import DENY_ALL |
0c29cf
|
45 |
|
a1a9fb
|
46 |
root = DummyContext() |
CM |
47 |
community = DummyContext(__name__='community', __parent__=root) |
|
48 |
blog = DummyContext(__name__='blog', __parent__=community) |
0c29cf
|
49 |
root.__acl__ = [(Allow, Authenticated, VIEW)] |
a1a9fb
|
50 |
community.__acl__ = [ |
CM |
51 |
(Allow, 'fred', ALL_PERMISSIONS), |
|
52 |
(Allow, 'wilma', VIEW), |
|
53 |
DENY_ALL, |
0c29cf
|
54 |
] |
a1a9fb
|
55 |
blog.__acl__ = [ |
CM |
56 |
(Allow, 'barney', MEMBER_PERMS), |
|
57 |
(Allow, 'wilma', VIEW), |
0c29cf
|
58 |
] |
a1a9fb
|
59 |
|
CM |
60 |
policy = self._makeOne() |
|
61 |
|
0c29cf
|
62 |
result = policy.permits( |
MM |
63 |
blog, [Everyone, Authenticated, 'wilma'], 'view' |
|
64 |
) |
a1a9fb
|
65 |
self.assertEqual(result, True) |
CM |
66 |
self.assertEqual(result.context, blog) |
|
67 |
self.assertEqual(result.ace, (Allow, 'wilma', VIEW)) |
e0162e
|
68 |
self.assertEqual(result.acl, blog.__acl__) |
a1a9fb
|
69 |
|
0c29cf
|
70 |
result = policy.permits( |
MM |
71 |
blog, [Everyone, Authenticated, 'wilma'], 'delete' |
|
72 |
) |
a1a9fb
|
73 |
self.assertEqual(result, False) |
CM |
74 |
self.assertEqual(result.context, community) |
|
75 |
self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS)) |
e0162e
|
76 |
self.assertEqual(result.acl, community.__acl__) |
a1a9fb
|
77 |
|
0c29cf
|
78 |
result = policy.permits( |
MM |
79 |
blog, [Everyone, Authenticated, 'fred'], 'view' |
|
80 |
) |
a1a9fb
|
81 |
self.assertEqual(result, True) |
CM |
82 |
self.assertEqual(result.context, community) |
|
83 |
self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS)) |
0c29cf
|
84 |
result = policy.permits( |
MM |
85 |
blog, [Everyone, Authenticated, 'fred'], 'doesntevenexistyet' |
|
86 |
) |
a1a9fb
|
87 |
self.assertEqual(result, True) |
CM |
88 |
self.assertEqual(result.context, community) |
|
89 |
self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS)) |
e0162e
|
90 |
self.assertEqual(result.acl, community.__acl__) |
a1a9fb
|
91 |
|
0c29cf
|
92 |
result = policy.permits( |
MM |
93 |
blog, [Everyone, Authenticated, 'barney'], 'view' |
|
94 |
) |
a1a9fb
|
95 |
self.assertEqual(result, True) |
CM |
96 |
self.assertEqual(result.context, blog) |
|
97 |
self.assertEqual(result.ace, (Allow, 'barney', MEMBER_PERMS)) |
0c29cf
|
98 |
result = policy.permits( |
MM |
99 |
blog, [Everyone, Authenticated, 'barney'], 'administer' |
|
100 |
) |
a1a9fb
|
101 |
self.assertEqual(result, False) |
CM |
102 |
self.assertEqual(result.context, community) |
|
103 |
self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS)) |
e0162e
|
104 |
self.assertEqual(result.acl, community.__acl__) |
0c29cf
|
105 |
|
MM |
106 |
result = policy.permits( |
|
107 |
root, [Everyone, Authenticated, 'someguy'], 'view' |
|
108 |
) |
a1a9fb
|
109 |
self.assertEqual(result, True) |
CM |
110 |
self.assertEqual(result.context, root) |
|
111 |
self.assertEqual(result.ace, (Allow, Authenticated, VIEW)) |
0c29cf
|
112 |
result = policy.permits( |
MM |
113 |
blog, [Everyone, Authenticated, 'someguy'], 'view' |
|
114 |
) |
a1a9fb
|
115 |
self.assertEqual(result, False) |
CM |
116 |
self.assertEqual(result.context, community) |
|
117 |
self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS)) |
e0162e
|
118 |
self.assertEqual(result.acl, community.__acl__) |
a1a9fb
|
119 |
|
CM |
120 |
result = policy.permits(root, [Everyone], 'view') |
|
121 |
self.assertEqual(result, False) |
|
122 |
self.assertEqual(result.context, root) |
e0162e
|
123 |
self.assertEqual(result.ace, '<default deny>') |
CM |
124 |
self.assertEqual(result.acl, root.__acl__) |
a1a9fb
|
125 |
|
CM |
126 |
context = DummyContext() |
|
127 |
result = policy.permits(context, [Everyone], 'view') |
|
128 |
self.assertEqual(result, False) |
e0162e
|
129 |
self.assertEqual(result.ace, '<default deny>') |
CM |
130 |
self.assertEqual( |
0c29cf
|
131 |
result.acl, '<No ACL found on any object in resource lineage>' |
MM |
132 |
) |
a1a9fb
|
133 |
|
52ca12
|
134 |
def test_permits_string_permissions_in_acl(self): |
CM |
135 |
from pyramid.security import Allow |
0c29cf
|
136 |
|
52ca12
|
137 |
root = DummyContext() |
0c29cf
|
138 |
root.__acl__ = [(Allow, 'wilma', 'view_stuff')] |
52ca12
|
139 |
|
CM |
140 |
policy = self._makeOne() |
|
141 |
|
|
142 |
result = policy.permits(root, ['wilma'], 'view') |
|
143 |
# would be True if matching against 'view_stuff' instead of against |
|
144 |
# ['view_stuff'] |
0c29cf
|
145 |
self.assertEqual(result, False) |
52ca12
|
146 |
|
a1a9fb
|
147 |
def test_principals_allowed_by_permission_direct(self): |
b60bdb
|
148 |
from pyramid.security import Allow |
CM |
149 |
from pyramid.security import DENY_ALL |
0c29cf
|
150 |
|
a1a9fb
|
151 |
context = DummyContext() |
0c29cf
|
152 |
acl = [ |
MM |
153 |
(Allow, 'chrism', ('read', 'write')), |
|
154 |
DENY_ALL, |
|
155 |
(Allow, 'other', 'read'), |
|
156 |
] |
a1a9fb
|
157 |
context.__acl__ = acl |
CM |
158 |
policy = self._makeOne() |
|
159 |
result = sorted( |
0c29cf
|
160 |
policy.principals_allowed_by_permission(context, 'read') |
MM |
161 |
) |
a1a9fb
|
162 |
self.assertEqual(result, ['chrism']) |
CM |
163 |
|
678f49
|
164 |
def test_principals_allowed_by_permission_callable_acl(self): |
CM |
165 |
from pyramid.security import Allow |
|
166 |
from pyramid.security import DENY_ALL |
0c29cf
|
167 |
|
678f49
|
168 |
context = DummyContext() |
0c29cf
|
169 |
acl = lambda: [ |
MM |
170 |
(Allow, 'chrism', ('read', 'write')), |
|
171 |
DENY_ALL, |
|
172 |
(Allow, 'other', 'read'), |
|
173 |
] |
678f49
|
174 |
context.__acl__ = acl |
CM |
175 |
policy = self._makeOne() |
|
176 |
result = sorted( |
0c29cf
|
177 |
policy.principals_allowed_by_permission(context, 'read') |
MM |
178 |
) |
678f49
|
179 |
self.assertEqual(result, ['chrism']) |
0c29cf
|
180 |
|
52ca12
|
181 |
def test_principals_allowed_by_permission_string_permission(self): |
CM |
182 |
from pyramid.security import Allow |
0c29cf
|
183 |
|
52ca12
|
184 |
context = DummyContext() |
0c29cf
|
185 |
acl = [(Allow, 'chrism', 'read_it')] |
52ca12
|
186 |
context.__acl__ = acl |
CM |
187 |
policy = self._makeOne() |
|
188 |
result = policy.principals_allowed_by_permission(context, 'read') |
|
189 |
# would be ['chrism'] if 'read' were compared against 'read_it' instead |
|
190 |
# of against ['read_it'] |
|
191 |
self.assertEqual(list(result), []) |
0c29cf
|
192 |
|
a1a9fb
|
193 |
def test_principals_allowed_by_permission(self): |
b60bdb
|
194 |
from pyramid.security import Allow |
CM |
195 |
from pyramid.security import Deny |
|
196 |
from pyramid.security import DENY_ALL |
|
197 |
from pyramid.security import ALL_PERMISSIONS |
0c29cf
|
198 |
|
a1a9fb
|
199 |
root = DummyContext(__name__='', __parent__=None) |
CM |
200 |
community = DummyContext(__name__='community', __parent__=root) |
|
201 |
blog = DummyContext(__name__='blog', __parent__=community) |
0c29cf
|
202 |
root.__acl__ = [ |
MM |
203 |
(Allow, 'chrism', ('read', 'write')), |
|
204 |
(Allow, 'other', ('read',)), |
|
205 |
(Allow, 'jim', ALL_PERMISSIONS), |
|
206 |
] |
|
207 |
community.__acl__ = [ |
|
208 |
(Deny, 'flooz', 'read'), |
|
209 |
(Allow, 'flooz', 'read'), |
|
210 |
(Allow, 'mork', 'read'), |
|
211 |
(Deny, 'jim', 'read'), |
|
212 |
(Allow, 'someguy', 'manage'), |
|
213 |
] |
|
214 |
blog.__acl__ = [(Allow, 'fred', 'read'), DENY_ALL] |
a1a9fb
|
215 |
|
CM |
216 |
policy = self._makeOne() |
0c29cf
|
217 |
|
a1a9fb
|
218 |
result = sorted(policy.principals_allowed_by_permission(blog, 'read')) |
CM |
219 |
self.assertEqual(result, ['fred']) |
0c29cf
|
220 |
result = sorted( |
MM |
221 |
policy.principals_allowed_by_permission(community, 'read') |
|
222 |
) |
a1a9fb
|
223 |
self.assertEqual(result, ['chrism', 'mork', 'other']) |
0c29cf
|
224 |
result = sorted( |
MM |
225 |
policy.principals_allowed_by_permission(community, 'read') |
|
226 |
) |
a1a9fb
|
227 |
result = sorted(policy.principals_allowed_by_permission(root, 'read')) |
CM |
228 |
self.assertEqual(result, ['chrism', 'jim', 'other']) |
|
229 |
|
|
230 |
def test_principals_allowed_by_permission_no_acls(self): |
|
231 |
context = DummyContext() |
|
232 |
policy = self._makeOne() |
0c29cf
|
233 |
result = sorted( |
MM |
234 |
policy.principals_allowed_by_permission(context, 'read') |
|
235 |
) |
a1a9fb
|
236 |
self.assertEqual(result, []) |
CM |
237 |
|
729c91
|
238 |
def test_principals_allowed_by_permission_deny_not_permission_in_acl(self): |
CM |
239 |
from pyramid.security import Deny |
|
240 |
from pyramid.security import Everyone |
0c29cf
|
241 |
|
729c91
|
242 |
context = DummyContext() |
0c29cf
|
243 |
acl = [(Deny, Everyone, 'write')] |
729c91
|
244 |
context.__acl__ = acl |
CM |
245 |
policy = self._makeOne() |
|
246 |
result = sorted( |
0c29cf
|
247 |
policy.principals_allowed_by_permission(context, 'read') |
MM |
248 |
) |
729c91
|
249 |
self.assertEqual(result, []) |
CM |
250 |
|
|
251 |
def test_principals_allowed_by_permission_deny_permission_in_acl(self): |
|
252 |
from pyramid.security import Deny |
|
253 |
from pyramid.security import Everyone |
0c29cf
|
254 |
|
729c91
|
255 |
context = DummyContext() |
0c29cf
|
256 |
acl = [(Deny, Everyone, 'read')] |
729c91
|
257 |
context.__acl__ = acl |
CM |
258 |
policy = self._makeOne() |
|
259 |
result = sorted( |
0c29cf
|
260 |
policy.principals_allowed_by_permission(context, 'read') |
MM |
261 |
) |
729c91
|
262 |
self.assertEqual(result, []) |
038dcb
|
263 |
|
MM |
264 |
def test_callable_acl(self): |
|
265 |
from pyramid.security import Allow |
0c29cf
|
266 |
|
038dcb
|
267 |
context = DummyContext() |
MM |
268 |
fn = lambda self: [(Allow, 'bob', 'read')] |
|
269 |
context.__acl__ = fn.__get__(context, context.__class__) |
|
270 |
policy = self._makeOne() |
|
271 |
result = policy.permits(context, ['bob'], 'read') |
|
272 |
self.assertTrue(result) |
0c29cf
|
273 |
|
729c91
|
274 |
|
a1a9fb
|
275 |
class DummyContext: |
CM |
276 |
def __init__(self, *arg, **kw): |
|
277 |
self.__dict__.update(kw) |
|
278 |
|
|
279 |
|
|
280 |
VIEW = 'view' |
|
281 |
EDIT = 'edit' |
|
282 |
CREATE = 'create' |
|
283 |
DELETE = 'delete' |
|
284 |
MODERATE = 'moderate' |
|
285 |
ADMINISTER = 'administer' |
|
286 |
COMMENT = 'comment' |
|
287 |
|
|
288 |
GUEST_PERMS = (VIEW, COMMENT) |
|
289 |
MEMBER_PERMS = GUEST_PERMS + (EDIT, CREATE, DELETE) |
|
290 |
MODERATOR_PERMS = MEMBER_PERMS + (MODERATE,) |
|
291 |
ADMINISTRATOR_PERMS = MODERATOR_PERMS + (ADMINISTER,) |