view | history | commit | commitdiff
Michael Merickel
2018-10-18 f28dbb0ba8d276fad10a3cd25e4d60b298702d83
commit | author | age
a1a9fb 1 import unittest
CM 2
b60bdb 3 from pyramid.testing import cleanUp
a1a9fb 4
0c29cf 5
a1a9fb 6 class TestACLAuthorizationPolicy(unittest.TestCase):
CM 7     def setUp(self):
8         cleanUp()
9
10     def tearDown(self):
11         cleanUp()
12
13     def _getTargetClass(self):
b60bdb 14         from pyramid.authorization import ACLAuthorizationPolicy
0c29cf 15
a1a9fb 16         return ACLAuthorizationPolicy
CM 17
18     def _makeOne(self):
19         return self._getTargetClass()()
20
21     def test_class_implements_IAuthorizationPolicy(self):
22         from zope.interface.verify import verifyClass
b60bdb 23         from pyramid.interfaces import IAuthorizationPolicy
0c29cf 24
a1a9fb 25         verifyClass(IAuthorizationPolicy, self._getTargetClass())
CM 26
27     def test_instance_implements_IAuthorizationPolicy(self):
28         from zope.interface.verify import verifyObject
b60bdb 29         from pyramid.interfaces import IAuthorizationPolicy
0c29cf 30
a1a9fb 31         verifyObject(IAuthorizationPolicy, self._makeOne())
CM 32
33     def test_permits_no_acl(self):
34         context = DummyContext()
35         policy = self._makeOne()
36         self.assertEqual(policy.permits(context, [], 'view'), False)
0c29cf 37
a1a9fb 38     def test_permits(self):
b60bdb 39         from pyramid.security import Deny
CM 40         from pyramid.security import Allow
41         from pyramid.security import Everyone
42         from pyramid.security import Authenticated
43         from pyramid.security import ALL_PERMISSIONS
44         from pyramid.security import DENY_ALL
0c29cf 45
a1a9fb 46         root = DummyContext()
CM 47         community = DummyContext(__name__='community', __parent__=root)
48         blog = DummyContext(__name__='blog', __parent__=community)
0c29cf 49         root.__acl__ = [(Allow, Authenticated, VIEW)]
a1a9fb 50         community.__acl__ = [
CM 51             (Allow, 'fred', ALL_PERMISSIONS),
52             (Allow, 'wilma', VIEW),
53             DENY_ALL,
0c29cf 54         ]
a1a9fb 55         blog.__acl__ = [
CM 56             (Allow, 'barney', MEMBER_PERMS),
57             (Allow, 'wilma', VIEW),
0c29cf 58         ]
a1a9fb 59
CM 60         policy = self._makeOne()
61
0c29cf 62         result = policy.permits(
MM 63             blog, [Everyone, Authenticated, 'wilma'], 'view'
64         )
a1a9fb 65         self.assertEqual(result, True)
CM 66         self.assertEqual(result.context, blog)
67         self.assertEqual(result.ace, (Allow, 'wilma', VIEW))
e0162e 68         self.assertEqual(result.acl, blog.__acl__)
a1a9fb 69
0c29cf 70         result = policy.permits(
MM 71             blog, [Everyone, Authenticated, 'wilma'], 'delete'
72         )
a1a9fb 73         self.assertEqual(result, False)
CM 74         self.assertEqual(result.context, community)
75         self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
e0162e 76         self.assertEqual(result.acl, community.__acl__)
a1a9fb 77
0c29cf 78         result = policy.permits(
MM 79             blog, [Everyone, Authenticated, 'fred'], 'view'
80         )
a1a9fb 81         self.assertEqual(result, True)
CM 82         self.assertEqual(result.context, community)
83         self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS))
0c29cf 84         result = policy.permits(
MM 85             blog, [Everyone, Authenticated, 'fred'], 'doesntevenexistyet'
86         )
a1a9fb 87         self.assertEqual(result, True)
CM 88         self.assertEqual(result.context, community)
89         self.assertEqual(result.ace, (Allow, 'fred', ALL_PERMISSIONS))
e0162e 90         self.assertEqual(result.acl, community.__acl__)
a1a9fb 91
0c29cf 92         result = policy.permits(
MM 93             blog, [Everyone, Authenticated, 'barney'], 'view'
94         )
a1a9fb 95         self.assertEqual(result, True)
CM 96         self.assertEqual(result.context, blog)
97         self.assertEqual(result.ace, (Allow, 'barney', MEMBER_PERMS))
0c29cf 98         result = policy.permits(
MM 99             blog, [Everyone, Authenticated, 'barney'], 'administer'
100         )
a1a9fb 101         self.assertEqual(result, False)
CM 102         self.assertEqual(result.context, community)
103         self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
e0162e 104         self.assertEqual(result.acl, community.__acl__)
0c29cf 105
MM 106         result = policy.permits(
107             root, [Everyone, Authenticated, 'someguy'], 'view'
108         )
a1a9fb 109         self.assertEqual(result, True)
CM 110         self.assertEqual(result.context, root)
111         self.assertEqual(result.ace, (Allow, Authenticated, VIEW))
0c29cf 112         result = policy.permits(
MM 113             blog, [Everyone, Authenticated, 'someguy'], 'view'
114         )
a1a9fb 115         self.assertEqual(result, False)
CM 116         self.assertEqual(result.context, community)
117         self.assertEqual(result.ace, (Deny, Everyone, ALL_PERMISSIONS))
e0162e 118         self.assertEqual(result.acl, community.__acl__)
a1a9fb 119
CM 120         result = policy.permits(root, [Everyone], 'view')
121         self.assertEqual(result, False)
122         self.assertEqual(result.context, root)
e0162e 123         self.assertEqual(result.ace, '<default deny>')
CM 124         self.assertEqual(result.acl, root.__acl__)
a1a9fb 125
CM 126         context = DummyContext()
127         result = policy.permits(context, [Everyone], 'view')
128         self.assertEqual(result, False)
e0162e 129         self.assertEqual(result.ace, '<default deny>')
CM 130         self.assertEqual(
0c29cf 131             result.acl, '<No ACL found on any object in resource lineage>'
MM 132         )
a1a9fb 133
52ca12 134     def test_permits_string_permissions_in_acl(self):
CM 135         from pyramid.security import Allow
0c29cf 136
52ca12 137         root = DummyContext()
0c29cf 138         root.__acl__ = [(Allow, 'wilma', 'view_stuff')]
52ca12 139
CM 140         policy = self._makeOne()
141
142         result = policy.permits(root, ['wilma'], 'view')
143         # would be True if matching against 'view_stuff' instead of against
144         # ['view_stuff']
0c29cf 145         self.assertEqual(result, False)
52ca12 146
a1a9fb 147     def test_principals_allowed_by_permission_direct(self):
b60bdb 148         from pyramid.security import Allow
CM 149         from pyramid.security import DENY_ALL
0c29cf 150
a1a9fb 151         context = DummyContext()
0c29cf 152         acl = [
MM 153             (Allow, 'chrism', ('read', 'write')),
154             DENY_ALL,
155             (Allow, 'other', 'read'),
156         ]
a1a9fb 157         context.__acl__ = acl
CM 158         policy = self._makeOne()
159         result = sorted(
0c29cf 160             policy.principals_allowed_by_permission(context, 'read')
MM 161         )
a1a9fb 162         self.assertEqual(result, ['chrism'])
CM 163
678f49 164     def test_principals_allowed_by_permission_callable_acl(self):
CM 165         from pyramid.security import Allow
166         from pyramid.security import DENY_ALL
0c29cf 167
678f49 168         context = DummyContext()
0c29cf 169         acl = lambda: [
MM 170             (Allow, 'chrism', ('read', 'write')),
171             DENY_ALL,
172             (Allow, 'other', 'read'),
173         ]
678f49 174         context.__acl__ = acl
CM 175         policy = self._makeOne()
176         result = sorted(
0c29cf 177             policy.principals_allowed_by_permission(context, 'read')
MM 178         )
678f49 179         self.assertEqual(result, ['chrism'])
0c29cf 180
52ca12 181     def test_principals_allowed_by_permission_string_permission(self):
CM 182         from pyramid.security import Allow
0c29cf 183
52ca12 184         context = DummyContext()
0c29cf 185         acl = [(Allow, 'chrism', 'read_it')]
52ca12 186         context.__acl__ = acl
CM 187         policy = self._makeOne()
188         result = policy.principals_allowed_by_permission(context, 'read')
189         # would be ['chrism'] if 'read' were compared against 'read_it' instead
190         # of against ['read_it']
191         self.assertEqual(list(result), [])
0c29cf 192
a1a9fb 193     def test_principals_allowed_by_permission(self):
b60bdb 194         from pyramid.security import Allow
CM 195         from pyramid.security import Deny
196         from pyramid.security import DENY_ALL
197         from pyramid.security import ALL_PERMISSIONS
0c29cf 198
a1a9fb 199         root = DummyContext(__name__='', __parent__=None)
CM 200         community = DummyContext(__name__='community', __parent__=root)
201         blog = DummyContext(__name__='blog', __parent__=community)
0c29cf 202         root.__acl__ = [
MM 203             (Allow, 'chrism', ('read', 'write')),
204             (Allow, 'other', ('read',)),
205             (Allow, 'jim', ALL_PERMISSIONS),
206         ]
207         community.__acl__ = [
208             (Deny, 'flooz', 'read'),
209             (Allow, 'flooz', 'read'),
210             (Allow, 'mork', 'read'),
211             (Deny, 'jim', 'read'),
212             (Allow, 'someguy', 'manage'),
213         ]
214         blog.__acl__ = [(Allow, 'fred', 'read'), DENY_ALL]
a1a9fb 215
CM 216         policy = self._makeOne()
0c29cf 217
a1a9fb 218         result = sorted(policy.principals_allowed_by_permission(blog, 'read'))
CM 219         self.assertEqual(result, ['fred'])
0c29cf 220         result = sorted(
MM 221             policy.principals_allowed_by_permission(community, 'read')
222         )
a1a9fb 223         self.assertEqual(result, ['chrism', 'mork', 'other'])
0c29cf 224         result = sorted(
MM 225             policy.principals_allowed_by_permission(community, 'read')
226         )
a1a9fb 227         result = sorted(policy.principals_allowed_by_permission(root, 'read'))
CM 228         self.assertEqual(result, ['chrism', 'jim', 'other'])
229
230     def test_principals_allowed_by_permission_no_acls(self):
231         context = DummyContext()
232         policy = self._makeOne()
0c29cf 233         result = sorted(
MM 234             policy.principals_allowed_by_permission(context, 'read')
235         )
a1a9fb 236         self.assertEqual(result, [])
CM 237
729c91 238     def test_principals_allowed_by_permission_deny_not_permission_in_acl(self):
CM 239         from pyramid.security import Deny
240         from pyramid.security import Everyone
0c29cf 241
729c91 242         context = DummyContext()
0c29cf 243         acl = [(Deny, Everyone, 'write')]
729c91 244         context.__acl__ = acl
CM 245         policy = self._makeOne()
246         result = sorted(
0c29cf 247             policy.principals_allowed_by_permission(context, 'read')
MM 248         )
729c91 249         self.assertEqual(result, [])
CM 250
251     def test_principals_allowed_by_permission_deny_permission_in_acl(self):
252         from pyramid.security import Deny
253         from pyramid.security import Everyone
0c29cf 254
729c91 255         context = DummyContext()
0c29cf 256         acl = [(Deny, Everyone, 'read')]
729c91 257         context.__acl__ = acl
CM 258         policy = self._makeOne()
259         result = sorted(
0c29cf 260             policy.principals_allowed_by_permission(context, 'read')
MM 261         )
729c91 262         self.assertEqual(result, [])
038dcb 263
MM 264     def test_callable_acl(self):
265         from pyramid.security import Allow
0c29cf 266
038dcb 267         context = DummyContext()
MM 268         fn = lambda self: [(Allow, 'bob', 'read')]
269         context.__acl__ = fn.__get__(context, context.__class__)
270         policy = self._makeOne()
271         result = policy.permits(context, ['bob'], 'read')
272         self.assertTrue(result)
0c29cf 273
729c91 274
a1a9fb 275 class DummyContext:
CM 276     def __init__(self, *arg, **kw):
277         self.__dict__.update(kw)
278
279
280 VIEW = 'view'
281 EDIT = 'edit'
282 CREATE = 'create'
283 DELETE = 'delete'
284 MODERATE = 'moderate'
285 ADMINISTER = 'administer'
286 COMMENT = 'comment'
287
288 GUEST_PERMS = (VIEW, COMMENT)
289 MEMBER_PERMS = GUEST_PERMS + (EDIT, CREATE, DELETE)
290 MODERATOR_PERMS = MEMBER_PERMS + (MODERATE,)
291 ADMINISTRATOR_PERMS = MODERATOR_PERMS + (ADMINISTER,)