summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/assignment.json12
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/perimeter.json12
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/rule.json24
-rw-r--r--keystone-moon/examples/moon/policies/policy_admin/scope.json12
-rw-r--r--keystone-moon/keystone/contrib/moon/algorithms.py9
-rw-r--r--keystone-moon/keystone/contrib/moon/backends/memory.py4
-rw-r--r--keystone-moon/keystone/contrib/moon/backends/sql.py44
-rw-r--r--keystone-moon/keystone/contrib/moon/core.py592
-rw-r--r--keystone-moon/keystone/contrib/moon/exception.py13
-rw-r--r--keystone-moon/keystone/tests/moon/backends/__init__.py1
-rw-r--r--keystone-moon/keystone/tests/moon/backends/test_sql_backend.py43
-rw-r--r--keystone-moon/keystone/tests/moon/unit/__init__.py81
-rw-r--r--keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py56
-rw-r--r--keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py3984
-rw-r--r--keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py2749
-rw-r--r--keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py11
-rw-r--r--keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py72
17 files changed, 4323 insertions, 3396 deletions
diff --git a/keystone-moon/examples/moon/policies/policy_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_admin/assignment.json
index b77bd810..2c339a39 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/assignment.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/assignment.json
@@ -18,9 +18,9 @@
"authz.subject_categories": ["authz.subject_categories"],
"authz.object_categories": ["authz.object_categories"],
"authz.action_categories": ["authz.action_categories"],
- "authz.subject_category_scopes": ["authz.subject_category_scopes"],
- "authz.object_category_scopes": ["authz.object_category_scopes"],
- "authz.action_category_scopes": ["authz.action_category_scopes"],
+ "authz.subject_scopes": ["authz.subject_scopes"],
+ "authz.object_scopes": ["authz.object_scopes"],
+ "authz.action_scopes": ["authz.action_scopes"],
"authz.subject_assignments": ["authz.subject_assignments"],
"authz.object_assignments": ["authz.object_assignments"],
"authz.action_assignments": ["authz.action_assignments"],
@@ -33,9 +33,9 @@
"admin.subject_categories": ["admin.subject_categories"],
"admin.object_categories": ["admin.object_categories"],
"admin.action_categories": ["admin.action_categories"],
- "admin.subject_category_scopes": ["admin.subject_category_scopes"],
- "admin.object_category_scopes": ["admin.object_category_scopes"],
- "admin.action_category_scopes": ["admin.action_category_scopes"],
+ "admin.subject_scopes": ["admin.subject_scopes"],
+ "admin.object_scopes": ["admin.object_scopes"],
+ "admin.action_scopes": ["admin.action_scopes"],
"admin.subject_assignments": ["admin.subject_assignments"],
"admin.object_assignments": ["admin.object_assignments"],
"admin.action_assignments": ["admin.action_assignments"],
diff --git a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
index a796dae9..3fe71bb5 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json
@@ -13,9 +13,9 @@
"authz.subject_categories",
"authz.object_categories",
"authz.action_categories",
- "authz.subject_category_scopes",
- "authz.object_category_scopes",
- "authz.action_category_scopes",
+ "authz.subject_scopes",
+ "authz.object_scopes",
+ "authz.action_scopes",
"authz.subject_assignments",
"authz.object_assignments",
"authz.action_assignments",
@@ -28,9 +28,9 @@
"admin.subject_categories",
"admin.object_categories",
"admin.action_categories",
- "admin.subject_category_scopes",
- "admin.object_category_scopes",
- "admin.action_category_scopes",
+ "admin.subject_scopes",
+ "admin.object_scopes",
+ "admin.action_scopes",
"admin.subject_assignments",
"admin.object_assignments",
"admin.action_assignments",
diff --git a/keystone-moon/examples/moon/policies/policy_admin/rule.json b/keystone-moon/examples/moon/policies/policy_admin/rule.json
index e80c61c1..020dac41 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/rule.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/rule.json
@@ -6,9 +6,9 @@
["root_role" , "read", "authz.subject_categories"],
["root_role" , "read", "authz.object_categories"],
["root_role" , "read", "authz.action_categories"],
- ["root_role" , "read", "authz.subject_category_scopes"],
- ["root_role" , "read", "authz.object_category_scopes"],
- ["root_role" , "read", "authz.action_category_scopes"],
+ ["root_role" , "read", "authz.subject_scopes"],
+ ["root_role" , "read", "authz.object_scopes"],
+ ["root_role" , "read", "authz.action_scopes"],
["root_role" , "read", "authz.subject_assignments"],
["root_role" , "read", "authz.object_assignments"],
["root_role" , "read", "authz.action_assignments"],
@@ -21,9 +21,9 @@
["root_role" , "write", "authz.subject_categories"],
["root_role" , "write", "authz.object_categories"],
["root_role" , "write", "authz.action_categories"],
- ["root_role" , "write", "authz.subject_category_scopes"],
- ["root_role" , "write", "authz.object_category_scopes"],
- ["root_role" , "write", "authz.action_category_scopes"],
+ ["root_role" , "write", "authz.subject_scopes"],
+ ["root_role" , "write", "authz.object_scopes"],
+ ["root_role" , "write", "authz.action_scopes"],
["root_role" , "write", "authz.subject_assignments"],
["root_role" , "write", "authz.object_assignments"],
["root_role" , "write", "authz.action_assignments"],
@@ -36,9 +36,9 @@
["root_role" , "read", "admin.subject_categories"],
["root_role" , "read", "admin.object_categories"],
["root_role" , "read", "admin.action_categories"],
- ["root_role" , "read", "admin.subject_category_scopes"],
- ["root_role" , "read", "admin.object_category_scopes"],
- ["root_role" , "read", "admin.action_category_scopes"],
+ ["root_role" , "read", "admin.subject_scopes"],
+ ["root_role" , "read", "admin.object_scopes"],
+ ["root_role" , "read", "admin.action_scopes"],
["root_role" , "read", "admin.subject_assignments"],
["root_role" , "read", "admin.object_assignments"],
["root_role" , "read", "admin.action_assignments"],
@@ -51,9 +51,9 @@
["root_role" , "write", "admin.subject_categories"],
["root_role" , "write", "admin.object_categories"],
["root_role" , "write", "admin.action_categories"],
- ["root_role" , "write", "admin.subject_category_scopes"],
- ["root_role" , "write", "admin.object_category_scopes"],
- ["root_role" , "write", "admin.action_category_scopes"],
+ ["root_role" , "write", "admin.subject_scopes"],
+ ["root_role" , "write", "admin.object_scopes"],
+ ["root_role" , "write", "admin.action_scopes"],
["root_role" , "write", "admin.subject_assignments"],
["root_role" , "write", "admin.object_assignments"],
["root_role" , "write", "admin.action_assignments"],
diff --git a/keystone-moon/examples/moon/policies/policy_admin/scope.json b/keystone-moon/examples/moon/policies/policy_admin/scope.json
index 9de90206..c8b4908a 100644
--- a/keystone-moon/examples/moon/policies/policy_admin/scope.json
+++ b/keystone-moon/examples/moon/policies/policy_admin/scope.json
@@ -18,9 +18,9 @@
"authz.subject_categories",
"authz.object_categories",
"authz.action_categories",
- "authz.subject_category_scopes",
- "authz.object_category_scopes",
- "authz.action_category_scopes",
+ "authz.subject_scopes",
+ "authz.object_scopes",
+ "authz.action_scopes",
"authz.subject_assignments",
"authz.object_assignments",
"authz.action_assignments",
@@ -33,9 +33,9 @@
"admin.subject_categories",
"admin.object_categories",
"admin.action_categories",
- "admin.subject_category_scopes",
- "admin.object_category_scopes",
- "admin.action_category_scopes",
+ "admin.subject_scopes",
+ "admin.object_scopes",
+ "admin.action_scopes",
"admin.subject_assignments",
"admin.object_assignments",
"admin.action_assignments",
diff --git a/keystone-moon/keystone/contrib/moon/algorithms.py b/keystone-moon/keystone/contrib/moon/algorithms.py
index fe35b7ee..8644e02d 100644
--- a/keystone-moon/keystone/contrib/moon/algorithms.py
+++ b/keystone-moon/keystone/contrib/moon/algorithms.py
@@ -46,8 +46,15 @@ def inclusion(authz_buffer, sub_meta_rule_dict, rule_list):
if object_cat in authz_buffer['object_assignments']:
_cat.append(authz_buffer['object_assignments'][object_cat])
+ print("authz_buffer", authz_buffer)
+ print("rule_list", rule_list)
+ print("_cat", _cat)
for _element in itertools.product(*_cat):
- if list(_element) in rule_list:
+ # Add the boolean at the end
+ _element = list(_element)
+ _element.append(True)
+ print("_element", _element)
+ if _element in rule_list:
return True
return False
diff --git a/keystone-moon/keystone/contrib/moon/backends/memory.py b/keystone-moon/keystone/contrib/moon/backends/memory.py
index b2efb723..f7fe5ef1 100644
--- a/keystone-moon/keystone/contrib/moon/backends/memory.py
+++ b/keystone-moon/keystone/contrib/moon/backends/memory.py
@@ -25,7 +25,7 @@ class ConfigurationConnector(ConfigurationDriver):
self.sub_meta_rule_algorithm_dict[uuid4().hex] = {'name': 'inclusion', 'description': 'inclusion'}
self.sub_meta_rule_algorithm_dict[uuid4().hex] = {'name': 'comparison', 'description': 'comparison'}
- def get_policy_template_dict(self):
+ def get_policy_templates_dict(self):
nodes = glob(os.path.join(CONF.moon.policy_directory, "*"))
return {
"authz_templates":
@@ -35,5 +35,5 @@ class ConfigurationConnector(ConfigurationDriver):
def get_aggregation_algorithm_dict(self):
return self.aggregation_algorithm_dict
- def get_sub_meta_rule_algorithm_dict(self):
+ def get_sub_meta_rule_algorithms_dict(self):
return self.sub_meta_rule_algorithm_dict \ No newline at end of file
diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py
index ceb057bd..ebc6a4d3 100644
--- a/keystone-moon/keystone/contrib/moon/backends/sql.py
+++ b/keystone-moon/keystone/contrib/moon/backends/sql.py
@@ -340,7 +340,7 @@ class TenantConnector(TenantDriver):
}
)
session.add(new_ref)
- return new_ref.to_dict()
+ return {new_ref.id: new_ref.tenant}
def del_tenant(self, tenant_id):
with sql.transaction() as session:
@@ -360,7 +360,7 @@ class TenantConnector(TenantDriver):
for attr in Tenant.attributes:
if attr != 'id':
setattr(ref, attr, getattr(new_tenant, attr))
- return Tenant.to_dict(ref)
+ return {ref.id: ref.tenant}
class IntraExtensionConnector(IntraExtensionDriver):
@@ -437,7 +437,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_subject_categories_dict(intra_extension_id)[subject_category_id]
+ return {subject_category_id: self.get_subject_categories_dict(intra_extension_id)[subject_category_id]}
def del_subject_category(self, intra_extension_id, subject_category_id):
with sql.transaction() as session:
@@ -474,7 +474,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_object_categories_dict(intra_extension_id)[object_category_id]
+ return {object_category_id: self.get_object_categories_dict(intra_extension_id)[object_category_id]}
def del_object_category(self, intra_extension_id, object_category_id):
with sql.transaction() as session:
@@ -511,7 +511,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_action_categories_dict(intra_extension_id)[action_category_id]
+ return {action_category_id: self.get_action_categories_dict(intra_extension_id)[action_category_id]}
def del_action_category(self, intra_extension_id, action_category_id):
with sql.transaction() as session:
@@ -534,6 +534,8 @@ class IntraExtensionConnector(IntraExtensionDriver):
query = session.query(Subject)
query = query.filter_by(intra_extension_id=intra_extension_id, id=subject_id)
ref = query.first()
+ # if 'id' in subject_dict:
+ # subject_dict['id'] = subject_id
new_ref = Subject.from_dict(
{
"id": subject_id,
@@ -548,7 +550,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_subjects_dict(intra_extension_id)[subject_id]
+ return {subject_id: self.get_subjects_dict(intra_extension_id)[subject_id]}
def del_subject(self, intra_extension_id, subject_id):
with sql.transaction() as session:
@@ -583,7 +585,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_objects_dict(intra_extension_id)[object_id]
+ return {object_id: self.get_objects_dict(intra_extension_id)[object_id]}
def del_object(self, intra_extension_id, object_id):
with sql.transaction() as session:
@@ -618,7 +620,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_actions_dict(intra_extension_id)[action_id]
+ return {action_id: self.get_actions_dict(intra_extension_id)[action_id]}
def del_action(self, intra_extension_id, action_id):
with sql.transaction() as session:
@@ -656,7 +658,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_subject_scopes_dict(intra_extension_id, subject_category_id)[subject_scope_id]
+ return {subject_scope_id: self.get_subject_scopes_dict(intra_extension_id, subject_category_id)[subject_scope_id]}
def del_subject_scope(self, intra_extension_id, subject_category_id, subject_scope_id):
with sql.transaction() as session:
@@ -694,7 +696,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_object_scopes_dict(intra_extension_id, object_category_id)[object_scope_id]
+ return {object_scope_id: self.get_object_scopes_dict(intra_extension_id, object_category_id)[object_scope_id]}
def del_object_scope(self, intra_extension_id, object_category_id, object_scope_id):
with sql.transaction() as session:
@@ -732,7 +734,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_action_scopes_dict(intra_extension_id, action_category_id)[action_scope_id]
+ return {action_scope_id: self.get_action_scopes_dict(intra_extension_id, action_category_id)[action_scope_id]}
def del_action_scope(self, intra_extension_id, action_category_id, action_scope_id):
with sql.transaction() as session:
@@ -748,7 +750,9 @@ class IntraExtensionConnector(IntraExtensionDriver):
query = session.query(SubjectAssignment)
query = query.filter_by(intra_extension_id=intra_extension_id, subject_id=subject_id, subject_category_id=subject_category_id)
ref = query.first()
- return ref.subject_assignment
+ if not ref:
+ return list()
+ return list(ref.subject_assignment)
def set_subject_assignment_list(self, intra_extension_id, subject_id, subject_category_id, subject_assignment_list=[]):
with sql.transaction() as session:
@@ -791,7 +795,9 @@ class IntraExtensionConnector(IntraExtensionDriver):
query = session.query(ObjectAssignment)
query = query.filter_by(intra_extension_id=intra_extension_id, object_id=object_id, object_category_id=object_category_id)
ref = query.first()
- return ref.object_assignment
+ if not ref:
+ return list()
+ return list(ref.object_assignment)
def set_object_assignment_list(self, intra_extension_id, object_id, object_category_id, object_assignment_list=[]):
with sql.transaction() as session:
@@ -834,7 +840,9 @@ class IntraExtensionConnector(IntraExtensionDriver):
query = session.query(ActionAssignment)
query = query.filter_by(intra_extension_id=intra_extension_id, action_id=action_id, action_category_id=action_category_id)
ref = query.first()
- return ref.action_assignment
+ if not ref:
+ return list()
+ return list(ref.action_assignment)
def set_action_assignment_list(self, intra_extension_id, action_id, action_category_id, action_assignment_list=[]):
with sql.transaction() as session:
@@ -872,7 +880,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
# Getter and Setter for sub_meta_rule
- def set_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict):
+ def set_aggregation_algorithm_dict(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict):
with sql.transaction() as session:
query = session.query(AggregationAlgorithm)
query = query.filter_by(intra_extension_id=intra_extension_id, id=aggregation_algorithm_id)
@@ -891,9 +899,9 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_aggregation_algorithm(intra_extension_id)
+ return self.get_aggregation_algorithm_dict(intra_extension_id)
- def get_aggregation_algorithm(self, intra_extension_id):
+ def get_aggregation_algorithm_dict(self, intra_extension_id):
with sql.transaction() as session:
query = session.query(AggregationAlgorithm)
query = query.filter_by(intra_extension_id=intra_extension_id)
@@ -973,7 +981,7 @@ class IntraExtensionConnector(IntraExtensionDriver):
if attr != 'id':
setattr(ref, attr, getattr(new_ref, attr))
session.flush()
- return self.get_rules_dict(intra_extension_id, sub_meta_rule_id)[rule_id]
+ return {rule_id: self.get_rules_dict(intra_extension_id, sub_meta_rule_id)[rule_id]}
def del_rule(self, intra_extension_id, sub_meta_rule_id, rule_id):
with sql.transaction() as session:
diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py
index d9a59ff3..455975a3 100644
--- a/keystone-moon/keystone/contrib/moon/core.py
+++ b/keystone-moon/keystone/contrib/moon/core.py
@@ -62,8 +62,9 @@ CONF.register_opts(_OPTS, group='moon')
def filter_input(func_or_str):
def __filter(string):
- if string:
- return "".join(re.findall("[\w\-+]*", string))
+ if string and type(string) in (str, unicode):
+ return "".join(re.findall("[\w\- +]*", string))
+ return string
def wrapped(*args, **kwargs):
_args = []
@@ -118,7 +119,6 @@ def enforce(action_names, object_name, **extra):
intra_extension_dict = kwargs['intra_extension_dict']
else:
intra_extension_dict = args[2]
- print(intra_extension_dict)
if isinstance(intra_extension_dict, dict) and \
"model" in intra_extension_dict and \
intra_extension_dict["model"] == "policy_root":
@@ -141,9 +141,13 @@ def enforce(action_names, object_name, **extra):
intra_admin_extension_id = None
try:
- intra_admin_extension_id = get_root_extension(self, args, kwargs)
+ intra_root_extension_id = get_root_extension(self, args, kwargs)
+ # FIXME (asteroide): intra_root_extension_id is not used at all...
except RootExtensionNotInitialized:
+ # Root extension is not initialized, the current requested function must be the creation
+ # of this root extension
returned_value_for_func = func(*args, **kwargs)
+ # after the creation, we must update ROOT_EXTENSION_ID and ADMIN_ID
intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict()
for ext in intra_extensions_dict:
if intra_extensions_dict[ext]["model"] == ROOT_EXTENSION_MODEL:
@@ -151,7 +155,6 @@ def enforce(action_names, object_name, **extra):
break
if not ROOT_EXTENSION_ID:
raise RootExtensionUnknown()
- print(returned_value_for_func)
subjects_dict = self.admin_api.driver.get_subjects_dict(returned_value_for_func['id'])
for subject_id in subjects_dict:
if subjects_dict[subject_id]["name"] == "admin":
@@ -159,66 +162,101 @@ def enforce(action_names, object_name, **extra):
break
if not ADMIN_ID:
raise RootExtensionUnknown()
+ # if all is OK, return values from func (creation of the root extension)
return returned_value_for_func
try:
intra_extension_id = args[2]
except IndexError:
+ print("IndexError", kwargs)
if 'intra_extension_id' in kwargs:
intra_extension_id = kwargs['intra_extension_id']
- # else:
- # intra_admin_extension_id = get_root_extension(self)
+ else:
+ print("in else", intra_root_extension_id)
+ intra_extension_id = intra_root_extension_id
if ADMIN_ID and user_id == ADMIN_ID:
# TODO: check if there is no security hole here
returned_value_for_func = func(*args, **kwargs)
else:
intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict()
+ print(intra_extension_id, intra_extensions_dict)
if intra_extension_id not in intra_extensions_dict:
raise IntraExtensionUnknown()
- tenants_dict = self.tenant_api.driver.get_tenants_dict(ADMIN_ID)
+ tenants_dict = self.tenant_api.driver.get_tenants_dict()
for _tenant_id in tenants_dict:
- if tenants_dict[_tenant_id]['intra_authz_extension_id'] is intra_extension_id or \
- tenants_dict[_tenant_id]['intra_admin_extension_id'] is intra_extension_id:
+ if tenants_dict[_tenant_id]['intra_authz_extension_id'] == intra_extension_id or \
+ tenants_dict[_tenant_id]['intra_admin_extension_id'] == intra_extension_id:
intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id']
+ break
if not intra_admin_extension_id:
self.moonlog_api.driver.warning("No Intra_Admin_Extension found, authorization granted by default.")
returned_value_for_func = func(*args, **kwargs)
else:
- objects_dict = self.admin_api.driver.get_objects_dict(ADMIN_ID, intra_admin_extension_id)
+ # subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id)
+ # keystone_user_id = subjects_dict[subject_id]["keystone_id"]
+ objects_dict = self.admin_api.driver.get_objects_dict(intra_admin_extension_id)
object_name = intra_extensions_dict[intra_extension_id]['genre'] + '.' + _object_name
object_id = None
for _object_id in objects_dict:
- if objects_dict[_object_id]['name'] is object_name:
+ if objects_dict[_object_id]['name'] == object_name:
object_id = _object_id
break
+ if not object_id:
+ objects_dict = self.admin_api.driver.get_objects_dict(intra_root_extension_id)
+ object_name = object_name.split(".")[-1]
+ for _object_id in objects_dict:
+ if objects_dict[_object_id]['name'] == object_name:
+ object_id = _object_id
+ break
+ if not object_id:
+ raise ObjectUnknown("Unknown object name: {}".format(object_name))
+ # if we found the object in intra_root_extension_id, so we change the intra_admin_extension_id
+ # into intra_root_extension_id and we modify the ID of the subject
+ subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id)
+ subject_name = subjects_dict[user_id]["name"]
+ intra_admin_extension_id = intra_root_extension_id
+ subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id)
+ user_id = None
+ for _subject_id in subjects_dict:
+ if subjects_dict[_subject_id]["name"] == subject_name:
+ user_id = _subject_id
+ if not user_id:
+ raise SubjectUnknown("Subject Unknown for Root intraExtension...")
if type(_action_name_list) in (str, unicode):
action_name_list = (_action_name_list, )
else:
action_name_list = _action_name_list
- actions_dict = self.admin_api.driver.get_actions_dict(ADMIN_ID, intra_admin_extension_id)
+ actions_dict = self.admin_api.driver.get_actions_dict(intra_admin_extension_id)
action_id_list = list()
for _action_name in action_name_list:
for _action_id in actions_dict:
- if actions_dict[_action_id]['name'] is _action_name:
+ if actions_dict[_action_id]['name'] == _action_name:
action_id_list.append(_action_id)
break
authz_result = False
for action_id in action_id_list:
- if self.driver.authz(intra_admin_extension_id, user_id, object_id, action_id):
+ if self.admin_api.authz(intra_admin_extension_id, user_id, object_id, action_id):
authz_result = True
else:
+ self.moonlog_api.authz("No authorization for ({} {}-{}-{})".format(
+ intra_admin_extension_id,
+ user_id,
+ object_name,
+ actions_dict[action_id]['name']))
authz_result = False
break
if authz_result:
returned_value_for_func = func(*args, **kwargs)
+ else:
+ raise AuthzException()
return returned_value_for_func
return wrapped
return wrap
@dependency.provider('configuration_api')
-@dependency.requires('moonlog_api', 'admin_api')
+@dependency.requires('moonlog_api', 'admin_api', 'tenant_api')
class ConfigurationManager(manager.Manager):
def __init__(self):
@@ -236,7 +274,7 @@ class ConfigurationManager(manager.Manager):
def get_policy_template_id_from_name(self, user_id, policy_template_name):
policy_template_dict = self.driver.get_policy_templates_dict()
for policy_template_id in policy_template_dict:
- if policy_template_dict[policy_template_id]['name'] is policy_template_name:
+ if policy_template_dict[policy_template_id]['name'] == policy_template_name:
return policy_template_id
return None
@@ -252,7 +290,7 @@ class ConfigurationManager(manager.Manager):
def get_aggregation_algorithm_id_from_name(self, user_id, aggregation_algorithm_name):
aggregation_algorithm_dict = self.driver.get_aggregation_algorithms_dict()
for aggregation_algorithm_id in aggregation_algorithm_dict:
- if aggregation_algorithm_dict[aggregation_algorithm_id]['name'] is aggregation_algorithm_name:
+ if aggregation_algorithm_dict[aggregation_algorithm_id]['name'] == aggregation_algorithm_name:
return aggregation_algorithm_id
return None
@@ -268,7 +306,7 @@ class ConfigurationManager(manager.Manager):
def get_sub_meta_rule_algorithm_id_from_name(self, sub_meta_rule_algorithm_name):
sub_meta_rule_algorithm_dict = self.driver.get_sub_meta_rule_algorithms_dict()
for sub_meta_rule_algorithm_id in sub_meta_rule_algorithm_dict:
- if sub_meta_rule_algorithm_dict[sub_meta_rule_algorithm_id]['name'] is sub_meta_rule_algorithm_name:
+ if sub_meta_rule_algorithm_dict[sub_meta_rule_algorithm_id]['name'] == sub_meta_rule_algorithm_name:
return sub_meta_rule_algorithm_id
return None
@@ -305,19 +343,20 @@ class TenantManager(manager.Manager):
if tenants_dict[tenant_id]['name'] == tenant_dict['name']:
raise TenantAddedNameExisting()
- # Sync users between intra_authz_extension and intra_admin_extension
- if tenant_dict['intra_admin_extension']:
- if not tenant_dict['intra_authz_extension']:
+ # Sync users between intra_authz_extension_id and intra_admin_extension_id
+ if tenant_dict['intra_admin_extension_id']:
+ if not tenant_dict['intra_authz_extension_id']:
raise TenantNoIntraAuthzExtension()
- else:
- authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension'])
- admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension'])
- for _subject_id in authz_subjects_dict:
- if _subject_id not in admin_subjects_dict:
- self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id])
- for _subject_id in admin_subjects_dict:
- if _subject_id not in authz_subjects_dict:
- self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id])
+ authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id'])
+ admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id'])
+ admin_subjects__name_list = [admin_subjects_dict[subject_id]["name"] for subject_id in admin_subjects_dict]
+ authz_subjects__name_list = [authz_subjects_dict[subject_id]["name"] for subject_id in authz_subjects_dict]
+ for _subject_id in authz_subjects_dict:
+ if authz_subjects_dict[_subject_id]["name"] not in authz_subjects__name_list:
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id])
+ for _subject_id in admin_subjects_dict:
+ if admin_subjects_dict[_subject_id]["name"] not in admin_subjects__name_list:
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id])
return self.driver.add_tenant_dict(tenant_dict['id'], tenant_dict)
@@ -325,6 +364,7 @@ class TenantManager(manager.Manager):
@enforce("read", "tenants")
def get_tenant_dict(self, user_id, tenant_id):
tenants_dict = self.driver.get_tenants_dict()
+ print("get_tenant_dict", tenant_id, tenants_dict)
if tenant_id not in tenants_dict:
raise TenantUnknown()
return tenants_dict[tenant_id]
@@ -343,22 +383,52 @@ class TenantManager(manager.Manager):
if tenant_id not in tenants_dict:
raise TenantUnknown()
- # Sync users between intra_authz_extension and intra_admin_extension
- if tenant_dict['intra_admin_extension']:
- if not tenant_dict['intra_authz_extension']:
+ # Sync users between intra_authz_extension_id and intra_admin_extension_id
+ if tenant_dict['intra_admin_extension_id']:
+ if not tenant_dict['intra_authz_extension_id']:
raise TenantNoIntraAuthzExtension
else:
- authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension'])
- admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension'])
+ authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id'])
+ admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id'])
for _subject_id in authz_subjects_dict:
if _subject_id not in admin_subjects_dict:
- self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id])
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id])
for _subject_id in admin_subjects_dict:
if _subject_id not in authz_subjects_dict:
- self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id])
+ self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id])
return self.driver.set_tenant_dict(tenant_id, tenant_dict)
+ @filter_input
+ def get_subject_from_keystone_id(self, tenant_id, intra_extension_id, keystone_id):
+ tenants_dict = self.driver.get_tenants_dict()
+ if tenant_id not in tenants_dict:
+ raise TenantUnknown()
+ if intra_extension_id not in (tenants_dict[tenant_id]['intra_authz_extension_id'],
+ tenants_dict[tenant_id]['intra_admin_extension_id'], ):
+ raise IntraExtensionUnknown()
+ # Note (asteroide): We used ADMIN_ID because the user requesting this information may only know his keystone_id
+ # and not the subject ID in the requested intra_extension.
+ subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, intra_extension_id)
+ for subject_id in subjects_dict:
+ if keystone_id == subjects_dict[subject_id]['keystone_id']:
+ return {subject_id: subjects_dict[subject_id]}
+
+ @filter_input
+ def get_subject_from_keystone_name(self, tenant_id, intra_extension_id, keystone_name):
+ tenants_dict = self.driver.get_tenants_dict()
+ if tenant_id not in tenants_dict:
+ raise TenantUnknown()
+ if intra_extension_id not in (tenants_dict[tenant_id]['intra_authz_extension_id'],
+ tenants_dict[tenant_id]['intra_admin_extension_id'], ):
+ raise IntraExtensionUnknown()
+ # Note (asteroide): We used ADMIN_ID because the user requesting this information may only know his
+ # keystone_name and not the subject ID in the requested intra_extension.
+ subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, intra_extension_id)
+ for subject_id in subjects_dict:
+ if keystone_name == subjects_dict[subject_id]['keystone_name']:
+ return {subject_id: subjects_dict[subject_id]}
+
@dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api', 'moonlog_api')
class IntraExtensionManager(manager.Manager):
@@ -398,24 +468,24 @@ class IntraExtensionManager(manager.Manager):
subject_assignment_dict = dict()
for category in meta_data_dict["subject_categories"]:
subject_assignment_dict[category] = self.driver.get_subject_assignment_list(
- intra_extension_id, subject_id)[category]
+ intra_extension_id, subject_id, category)
object_assignment_dict = dict()
for category in meta_data_dict["object_categories"]:
object_assignment_dict[category] = self.driver.get_object_assignment_list(
- intra_extension_id, object_id)[category]
+ intra_extension_id, object_id, category)
action_assignment_dict = dict()
for category in meta_data_dict["action_categories"]:
action_assignment_dict[category] = self.driver.get_action_assignment_list(
- intra_extension_id, action_id)[category]
+ intra_extension_id, action_id, category)
authz_buffer['subject_assignments'] = dict()
authz_buffer['object_assignments'] = dict()
authz_buffer['action_assignments'] = dict()
for _subject_category in meta_data_dict['subject_categories']:
- authz_buffer['subject_assignments'][_subject_category] = subject_assignment_dict[_subject_category]
+ authz_buffer['subject_assignments'][_subject_category] = list(subject_assignment_dict[_subject_category])
for _object_category in meta_data_dict['object_categories']:
- authz_buffer['object_assignments'][_object_category] = object_assignment_dict[_object_category]
+ authz_buffer['object_assignments'][_object_category] = list(object_assignment_dict[_object_category])
for _action_category in meta_data_dict['action_categories']:
- authz_buffer['action_assignments'][_action_category] = action_assignment_dict[_action_category]
+ authz_buffer['action_assignments'][_action_category] = list(action_assignment_dict[_action_category])
return authz_buffer
def authz(self, intra_extension_id, subject_id, object_id, action_id):
@@ -441,22 +511,26 @@ class IntraExtensionManager(manager.Manager):
meta_rule_dict = self.driver.get_sub_meta_rules_dict(intra_extension_id)
- for sub_meta_rule_id in meta_rule_dict['sub_meta_rules']:
- if meta_rule_dict['sub_meta_rules'][sub_meta_rule_id]['algorithm'] == 'inclusion':
+ for sub_meta_rule_id in meta_rule_dict:
+ if meta_rule_dict[sub_meta_rule_id]['algorithm'] == 'inclusion':
decision_buffer[sub_meta_rule_id] = inclusion(
authz_buffer,
- meta_rule_dict['sub_meta_rules'][sub_meta_rule_id],
+ meta_rule_dict[sub_meta_rule_id],
self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id).values())
- elif meta_rule_dict['sub_meta_rules'][sub_meta_rule_id]['algorithm'] == 'comparison':
+ elif meta_rule_dict[sub_meta_rule_id]['algorithm'] == 'comparison':
decision_buffer[sub_meta_rule_id] = comparison(
authz_buffer,
- meta_rule_dict['sub_meta_rules'][sub_meta_rule_id],
+ meta_rule_dict[sub_meta_rule_id],
self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id).values())
- if meta_rule_dict['aggregation'] == 'all_true':
+ aggregation = self.driver.get_aggregation_algorithm_dict(intra_extension_id)
+ # We suppose here that we have only one aggregation algorithm for one intra_extension
+ # TODO: need more work on this part of the model
+ aggregation_id = aggregation.keys()[0]
+ if aggregation[aggregation_id]['name'] == 'all_true':
decision = all_true(decision_buffer)
if not decision:
- raise AuthzException()
+ raise AuthzException("{} {}-{}-{}".format(intra_extension_id, subject_id, action_id, object_id))
return decision
@enforce("read", "intra_extensions")
@@ -539,7 +613,7 @@ class IntraExtensionManager(manager.Manager):
_id = uuid4().hex
action_dict[_id] = {"name": _action, "description": _action}
self.driver.set_action_dict(intra_extension_dict["id"], _id, action_dict[_id])
- intra_extension_dict["ations"] = action_dict
+ intra_extension_dict["actions"] = action_dict
def __load_scope_file(self, intra_extension_dict, policy_dir):
@@ -547,7 +621,7 @@ class IntraExtensionManager(manager.Manager):
f = open(metadata_path)
json_perimeter = json.load(f)
- intra_extension_dict['subject_category_scope'] = dict()
+ intra_extension_dict['subject_scopes'] = dict()
for category, scope in json_perimeter["subject_scopes"].iteritems():
category_id = self.driver.get_uuid_from_name(intra_extension_dict["id"], category, self.driver.SUBJECT_CATEGORY)
_scope_dict = dict()
@@ -555,9 +629,9 @@ class IntraExtensionManager(manager.Manager):
_id = uuid4().hex
_scope_dict[_id] = {"name": _scope, "description": _scope}
self.driver.set_subject_scope_dict(intra_extension_dict["id"], category_id, _id, _scope_dict[_id])
- intra_extension_dict['subject_category_scope'][category] = _scope_dict
+ intra_extension_dict['subject_scopes'][category] = _scope_dict
- intra_extension_dict['object_category_scope'] = dict()
+ intra_extension_dict['object_scopes'] = dict()
for category, scope in json_perimeter["object_scopes"].iteritems():
category_id = self.driver.get_uuid_from_name(intra_extension_dict["id"], category, self.driver.OBJECT_CATEGORY)
_scope_dict = dict()
@@ -565,9 +639,9 @@ class IntraExtensionManager(manager.Manager):
_id = uuid4().hex
_scope_dict[_id] = {"name": _scope, "description": _scope}
self.driver.set_object_scope_dict(intra_extension_dict["id"], category_id, _id, _scope_dict[_id])
- intra_extension_dict['object_category_scope'][category] = _scope_dict
+ intra_extension_dict['object_scopes'][category] = _scope_dict
- intra_extension_dict['action_category_scope'] = dict()
+ intra_extension_dict['action_scopes'] = dict()
for category, scope in json_perimeter["action_scopes"].iteritems():
category_id = self.driver.get_uuid_from_name(intra_extension_dict["id"], category, self.driver.ACTION_CATEGORY)
_scope_dict = dict()
@@ -575,7 +649,7 @@ class IntraExtensionManager(manager.Manager):
_id = uuid4().hex
_scope_dict[_id] = {"name": _scope, "description": _scope}
self.driver.set_action_scope_dict(intra_extension_dict["id"], category_id, _id, _scope_dict[_id])
- intra_extension_dict['action_category_scope'][category] = _scope_dict
+ intra_extension_dict['action_scopes'][category] = _scope_dict
def __load_assignment_file(self, intra_extension_dict, policy_dir):
@@ -666,7 +740,7 @@ class IntraExtensionManager(manager.Manager):
"aggregation": json_metarule["aggregation"],
"sub_meta_rules": metarule
}
- self.driver.set_aggregation_algorithm(intra_extension_dict["id"], uuid4().hex,
+ self.driver.set_aggregation_algorithm_dict(intra_extension_dict["id"], uuid4().hex,
{
"name": json_metarule["aggregation"],
"description": json_metarule["aggregation"],
@@ -716,7 +790,7 @@ class IntraExtensionManager(manager.Manager):
category_uuid=category_uuid)
subrule.append(scope_uuid)
# if a positive/negative value exists, all item of rule have not be consumed
- if len(rule) >= 1 and type(rule[0]) is bool:
+ if len(rule) >= 1 and isinstance(rule[0], bool):
subrule.append(rule[0])
else:
# if value doesn't exist add a default value
@@ -813,11 +887,11 @@ class IntraExtensionManager(manager.Manager):
@filter_input
@enforce(("read", "write"), "subject_categories")
def add_subject_category(self, user_id, intra_extension_id, subject_category_dict):
- subject_category_dict = self.driver.get_subject_categories_dict(intra_extension_id)
- for subject_category_id in subject_category_dict:
- if subject_category_dict[subject_category_id]['name'] is subject_category_dict['name']:
+ subject_categories_dict = self.driver.get_subject_categories_dict(intra_extension_id)
+ for subject_category_id in subject_categories_dict:
+ if subject_categories_dict[subject_category_id]['name'] == subject_category_dict['name']:
raise SubjectCategoryNameExisting()
- return self.driver.set_subject_category(intra_extension_id, uuid4().hex, subject_category_dict)
+ return self.driver.set_subject_category_dict(intra_extension_id, uuid4().hex, subject_category_dict)
@filter_input
@enforce("read", "subject_categories")
@@ -835,7 +909,7 @@ class IntraExtensionManager(manager.Manager):
if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id):
raise SubjectCategoryUnknown()
# Destroy scopes related to this category
- for scope in self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id):
+ for scope in self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id):
self.del_subject_scope(intra_extension_id, subject_category_id, scope)
# Destroy assignments related to this category
for subject_id in self.driver.get_subjects_dict(intra_extension_id):
@@ -848,7 +922,7 @@ class IntraExtensionManager(manager.Manager):
def set_subject_category(self, user_id, intra_extension_id, subject_category_id, subject_category_dict):
if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id):
raise SubjectCategoryUnknown()
- return self.driver.set_subject_category(intra_extension_id, subject_category_id, subject_category_dict)
+ return self.driver.set_subject_category_dict(intra_extension_id, subject_category_id, subject_category_dict)
@filter_input
@enforce("read", "object_categories")
@@ -863,12 +937,12 @@ class IntraExtensionManager(manager.Manager):
@filter_input
@enforce(("read", "write"), "object_categories")
@enforce(("read", "write"), "object_scopes")
- def add_object_category(self, user_id, intra_extension_id, object_category_name):
- object_category_dict = self.driver.get_object_categories_dict(intra_extension_id)
- for object_category_id in object_category_dict:
- if object_category_dict[object_category_id]["name"] is object_category_name:
+ def add_object_category(self, user_id, intra_extension_id, object_category_dict):
+ object_categories_dict = self.driver.get_object_categories_dict(intra_extension_id)
+ for object_category_id in object_categories_dict:
+ if object_categories_dict[object_category_id]["name"] == object_category_dict['name']:
raise ObjectCategoryNameExisting()
- return self.driver.add_object_category(intra_extension_id, uuid4().hex, object_category_name)
+ return self.driver.set_object_category_dict(intra_extension_id, uuid4().hex, object_category_dict)
@filter_input
@enforce("read", "object_categories")
@@ -907,12 +981,12 @@ class IntraExtensionManager(manager.Manager):
@filter_input
@enforce(("read", "write"), "action_categories")
@enforce(("read", "write"), "action_scopes")
- def add_action_category(self, user_id, intra_extension_id, action_category_name):
- action_category_dict = self.driver.get_action_categories_dict(intra_extension_id)
- for action_category_id in action_category_dict:
- if action_category_dict[action_category_id]['name'] is action_category_name:
+ def add_action_category(self, user_id, intra_extension_id, action_category_dict):
+ action_categories_dict = self.driver.get_action_categories_dict(intra_extension_id)
+ for action_category_id in action_categories_dict:
+ if action_categories_dict[action_category_id]['name'] == action_category_dict['name']:
raise ActionCategoryNameExisting()
- return self.driver.add_action_category(intra_extension_id, uuid4().hex, action_category_name)
+ return self.driver.set_action_category_dict(intra_extension_id, uuid4().hex, action_category_dict)
@filter_input
@enforce("read", "action_categories")
@@ -924,7 +998,7 @@ class IntraExtensionManager(manager.Manager):
@filter_input
@enforce(("read", "write"), "action_categories")
- @enforce(("read", "write"), "action_category_scopes")
+ @enforce(("read", "write"), "action_scopes")
def del_action_category(self, user_id, intra_extension_id, action_category_id):
if action_category_id not in self.driver.get_action_categories_dict(intra_extension_id):
raise ActionCategoryUnknown()
@@ -949,7 +1023,7 @@ class IntraExtensionManager(manager.Manager):
def add_subject_dict(self, user_id, intra_extension_id, subject_dict):
subjects_dict = self.driver.get_subjects_dict(intra_extension_id)
for subject_id in subjects_dict:
- if subjects_dict[subject_id]["name"] is subject_dict['name']:
+ if subjects_dict[subject_id]["name"] == subject_dict['name']:
raise SubjectNameExisting()
# Next line will raise an error if user is not present in Keystone database
subject_keystone_dict = self.identity_api.get_user_by_name(subject_dict['name'], "default")
@@ -968,7 +1042,7 @@ class IntraExtensionManager(manager.Manager):
@filter_input
@enforce(("read", "write"), "subjects")
def del_subject(self, user_id, intra_extension_id, subject_id):
- if subject_id in self.driver.get_subjects_dict(intra_extension_id):
+ if subject_id not in self.driver.get_subjects_dict(intra_extension_id):
raise SubjectUnknown()
# Destroy assignments related to this category
for subject_category_id in self.driver.get_subject_categories_dict(intra_extension_id):
@@ -982,7 +1056,7 @@ class IntraExtensionManager(manager.Manager):
def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict):
subjects_dict = self.driver.get_subjects_dict(intra_extension_id)
for subject_id in subjects_dict:
- if subjects_dict[subject_id]["name"] is subject_dict['name']:
+ if subjects_dict[subject_id]["name"] == subject_dict['name']:
raise SubjectNameExisting()
# Next line will raise an error if user is not present in Keystone database
subject_keystone_dict = self.identity_api.get_user_by_name(subject_dict['name'], "default")
@@ -1000,7 +1074,7 @@ class IntraExtensionManager(manager.Manager):
def add_object_dict(self, user_id, intra_extension_id, object_name):
object_dict = self.driver.get_objects_dict(intra_extension_id)
for object_id in object_dict:
- if object_dict[object_id]["name"] is object_name:
+ if object_dict[object_id]["name"] == object_name:
raise ObjectNameExisting()
return self.driver.set_object_dict(intra_extension_id, uuid4().hex, object_name)
@@ -1009,7 +1083,7 @@ class IntraExtensionManager(manager.Manager):
def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict):
objects_dict = self.driver.get_objects_dict(intra_extension_id)
for object_id in objects_dict:
- if objects_dict[object_id]["name"] is object_dict['name']:
+ if objects_dict[object_id]["name"] == object_dict['name']:
raise ObjectNameExisting()
return self.driver.set_object_dict(intra_extension_id, object_id, object_dict)
@@ -1043,16 +1117,16 @@ class IntraExtensionManager(manager.Manager):
def add_action_dict(self, user_id, intra_extension_id, action_name):
action_dict = self.driver.get_actions_dict(intra_extension_id)
for action_id in action_dict:
- if action_dict[action_id]["name"] is action_name:
+ if action_dict[action_id]["name"] == action_name:
raise ActionNameExisting()
- return self.driver.add_action_dict(intra_extension_id, uuid4().hex, action_name)
+ return self.driver.set_action_dict(intra_extension_id, uuid4().hex, action_name)
@filter_input
@enforce(("read", "write"), "actions")
def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict):
actions_dict = self.driver.get_actions_dict(intra_extension_id)
for action_id in actions_dict:
- if actions_dict[action_id]["name"] is action_dict['name']:
+ if actions_dict[action_id]["name"] == action_dict['name']:
raise ActionNameExisting()
return self.driver.set_action_dict(intra_extension_id, action_id, action_dict)
@@ -1107,10 +1181,10 @@ class IntraExtensionManager(manager.Manager):
raise SubjectCategoryUnknown()
subject_scopes_dict = self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id)
for _subject_scope_id in subject_scopes_dict:
- if subject_scope_dict['name'] is subject_scopes_dict[_subject_scope_id]['name']:
+ if subject_scope_dict['name'] == subject_scopes_dict[_subject_scope_id]['name']:
raise SubjectScopeNameExisting()
subject_scope_id = uuid4().hex
- return self.driver.add_subject_scope_dict(intra_extension_id, subject_category_id, subject_scope_id, subject_scope_dict)
+ return self.driver.set_subject_scope_dict(intra_extension_id, subject_category_id, subject_scope_id, subject_scope_dict)
@filter_input
@enforce("read", "subject_scopes")
@@ -1151,12 +1225,12 @@ class IntraExtensionManager(manager.Manager):
raise SubjectCategoryUnknown()
subject_scope_dict = self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id)
for _subject_scope_id in subject_scope_dict:
- if subject_scope_name is subject_scope_dict[_subject_scope_id]['name']:
+ if subject_scope_name == subject_scope_dict[_subject_scope_id]['name']:
raise SubjectScopeNameExisting()
- return self.driver.set_subject_scope_dict(intra_extension_id, subject_category_id, uuid4().hex, subject_scope_dict)
+ return self.driver.set_subject_scope_dict(intra_extension_id, subject_category_id, subject_scope_id, subject_scope_dict)
@filter_input
- @enforce("read", "object_category_scopes")
+ @enforce("read", "object_scopes")
@enforce("read", "object_categories")
def get_object_scopes_dict(self, user_id, intra_extension_id, object_category_id):
if object_category_id not in self.driver.get_object_categories_dict(intra_extension_id):
@@ -1171,10 +1245,10 @@ class IntraExtensionManager(manager.Manager):
raise ObjectCategoryUnknown()
object_scope_dict = self.driver.get_object_scopes_dict(intra_extension_id, object_category_id)
for _object_scope_id in object_scope_dict:
- if object_scope_name is object_scope_dict[_object_scope_id]['name']:
+ if object_scope_name == object_scope_dict[_object_scope_id]['name']:
raise ObjectScopeNameExisting()
object_scope_id = uuid4().hex
- return self.driver.add_subject_scope_dict(
+ return self.driver.set_object_scope_dict(
intra_extension_id,
object_category_id,
object_scope_id,
@@ -1219,15 +1293,15 @@ class IntraExtensionManager(manager.Manager):
raise ObjectCategoryUnknown()
object_scope_dict = self.driver.get_object_scopes_dict(intra_extension_id, object_category_id)
for _object_scope_id in object_scope_dict:
- if object_scope_name is object_scope_dict[_object_scope_id]['name']:
+ if object_scope_name == object_scope_dict[_object_scope_id]['name']:
raise ObjectScopeNameExisting()
- return self.driver.set_object_scope_dict(intra_extension_id, object_category_id, uuid4().hex, object_scope_dict)
+ return self.driver.set_object_scope_dict(intra_extension_id, object_category_id, object_scope_id, object_scope_dict)
@filter_input
- @enforce("read", "action_category_scopes")
+ @enforce("read", "action_scopes")
@enforce("read", "action_categories")
def get_action_scopes_dict(self, user_id, intra_extension_id, action_category_id):
- if action_category_id not in self.driver.get_object_categories_dict(intra_extension_id):
+ if action_category_id not in self.driver.get_action_categories_dict(intra_extension_id):
raise ActionCategoryUnknown()
return self.driver.get_action_scopes_dict(intra_extension_id, action_category_id)
@@ -1239,10 +1313,10 @@ class IntraExtensionManager(manager.Manager):
raise ActionCategoryUnknown()
action_scope_dict = self.driver.get_action_scopes_dict(intra_extension_id, action_category_id)
for _action_scope_id in action_scope_dict:
- if action_scope_name is action_scope_dict[_action_scope_id]['name']:
+ if action_scope_name == action_scope_dict[_action_scope_id]['name']:
raise ActionScopeNameExisting()
action_scope_id = uuid4().hex
- return self.driver.add_action_scope_dict(
+ return self.driver.set_action_scope_dict(
intra_extension_id,
action_category_id,
action_scope_id,
@@ -1279,6 +1353,22 @@ class IntraExtensionManager(manager.Manager):
self.driver.del_rule(intra_extension_id, sub_meta_rule_id, rule_id)
return self.driver.del_action_scope(intra_extension_id, action_category_id, action_scope_id)
+ @filter_input
+ @enforce(("read", "write"), "action_scopes")
+ @enforce("read", "action_categories")
+ def set_action_scope_dict(self, user_id, intra_extension_id, action_category_id, action_scope_id, action_scope_name):
+ if action_category_id not in self.driver.get_action_categories_dict(intra_extension_id):
+ raise ActionCategoryUnknown()
+ action_scope_dict = self.driver.get_action_scopes_dict(intra_extension_id, action_category_id)
+ for _action_scope_id in action_scope_dict:
+ if action_scope_name == action_scope_dict[_action_scope_id]['name']:
+ raise ActionScopeNameExisting()
+ return self.driver.set_action_scope_dict(
+ intra_extension_id,
+ action_category_id,
+ action_scope_id,
+ action_scope_name)
+
# Assignment functions
@filter_input
@@ -1286,7 +1376,7 @@ class IntraExtensionManager(manager.Manager):
@enforce("read", "subjects")
@enforce("read", "subject_categories")
def get_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id):
- if subject_id not in self.driver.get_subjects_dict(user_id, intra_extension_id):
+ if subject_id not in self.driver.get_subjects_dict(intra_extension_id):
raise SubjectUnknown()
elif subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id):
raise SubjectCategoryUnknown()
@@ -1298,6 +1388,7 @@ class IntraExtensionManager(manager.Manager):
@enforce("read", "subject_categories")
@enforce("read", "subject_scopes")
def add_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id):
+ print(subject_id, self.driver.get_subjects_dict(intra_extension_id))
if subject_id not in self.driver.get_subjects_dict(intra_extension_id):
raise SubjectUnknown()
if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id):
@@ -1320,16 +1411,16 @@ class IntraExtensionManager(manager.Manager):
raise SubjectCategoryUnknown()
elif subject_scope_id not in self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id):
raise SubjectScopeUnknown()
- elif subject_scope_id not in self.driver.get_subject_assignment_list(intra_extension_id, subject_id)[subject_category_id]:
+ elif subject_scope_id not in self.driver.get_subject_assignment_list(intra_extension_id, subject_id, subject_category_id):
raise SubjectAssignmentUnknown()
- self.driver.del_subject_category_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id)
+ self.driver.del_subject_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id)
@filter_input
@enforce("read", "object_assignments")
@enforce("read", "objects")
@enforce("read", "object_categories")
def get_object_assignment_list(self, user_id, intra_extension_id, object_id, object_category_id):
- if object_id not in self.driver.get_objects_dict(user_id, intra_extension_id):
+ if object_id not in self.driver.get_objects_dict(intra_extension_id):
raise ObjectUnknown()
elif object_category_id not in self.driver.get_object_categories_dict(intra_extension_id):
raise ObjectCategoryUnknown()
@@ -1346,7 +1437,7 @@ class IntraExtensionManager(manager.Manager):
raise ObjectCategoryUnknown()
elif object_scope_id not in self.driver.get_object_scopes_dict(intra_extension_id, object_category_id):
raise ObjectScopeUnknown()
- elif object_scope_id in self.driver.get_object_assignment_list(intra_extension_id, object_id)[object_category_id]:
+ elif object_scope_id in self.driver.get_object_assignment_list(intra_extension_id, object_id, object_category_id):
raise ObjectAssignmentExisting()
return self.driver.add_object_assignment_list(intra_extension_id, object_id, object_category_id, object_scope_id)
@@ -1362,16 +1453,16 @@ class IntraExtensionManager(manager.Manager):
raise ObjectCategoryUnknown()
elif object_scope_id not in self.driver.get_object_scopes_dict(intra_extension_id, object_category_id):
raise ObjectScopeUnknown()
- elif object_scope_id not in self.driver.get_subject_assignment_list(intra_extension_id, object_id)[object_category_id]:
+ elif object_scope_id not in self.driver.get_object_assignment_list(intra_extension_id, object_id, object_category_id):
raise ObjectAssignmentUnknown()
- return self.driver.del_object_assignment(intra_extension_id, object_id, object_category_id, object_scope_id)
+ self.driver.del_object_assignment(intra_extension_id, object_id, object_category_id, object_scope_id)
@filter_input
@enforce("read", "action_assignments")
@enforce("read", "actions")
@enforce("read", "action_categories")
def get_action_assignment_list(self, user_id, intra_extension_id, action_id, action_category_id):
- if action_id not in self.driver.get_actions_dict(user_id, intra_extension_id):
+ if action_id not in self.driver.get_actions_dict(intra_extension_id):
raise ActionUnknown()
elif action_category_id not in self.driver.get_action_categories_dict(intra_extension_id):
raise ActionCategoryUnknown()
@@ -1388,7 +1479,7 @@ class IntraExtensionManager(manager.Manager):
raise ActionCategoryUnknown()
elif action_scope_id not in self.driver.get_action_scopes_dict(intra_extension_id, action_category_id):
raise ActionScopeUnknown()
- elif action_scope_id in self.driver.get_action_assignment_list(intra_extension_id, action_id)[action_category_id]:
+ elif action_scope_id in self.driver.get_action_assignment_list(intra_extension_id, action_id, action_category_id):
raise ObjectAssignmentExisting()
return self.driver.add_action_assignment_list(intra_extension_id, action_id, action_category_id, action_scope_id)
@@ -1404,7 +1495,7 @@ class IntraExtensionManager(manager.Manager):
raise ActionCategoryUnknown()
elif action_scope_id not in self.driver.get_action_scopes_dict(intra_extension_id, action_category_id):
raise ActionScopeUnknown()
- elif action_scope_id not in self.driver.get_action_assignment_list(intra_extension_id, action_id)[action_category_id]:
+ elif action_scope_id not in self.driver.get_action_assignment_list(intra_extension_id, action_id, action_category_id):
raise ActionAssignmentUnknown()
return self.driver.del_action_assignment(intra_extension_id, action_id, action_category_id, action_scope_id)
@@ -1414,7 +1505,7 @@ class IntraExtensionManager(manager.Manager):
@enforce(("read", "write"), "aggregation_algorithm")
def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict):
if aggregation_algorithm_id:
- if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(ADMIN_ID):
+ if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms_dict(ADMIN_ID):
raise AggregationAlgorithmUnknown()
else:
aggregation_algorithm_id = uuid4().hex
@@ -1433,9 +1524,10 @@ class IntraExtensionManager(manager.Manager):
}
}
"""
- if not self.driver.get_aggregation_algorithms_dict(intra_extension_id):
+ aggregation_algorithm_dict = self.driver.get_aggregation_algorithm_dict(intra_extension_id)
+ if not aggregation_algorithm_dict:
raise AggregationAlgorithmNotExisting()
- return self.driver.get_aggregation_algorithms_dict(intra_extension_id)
+ return aggregation_algorithm_dict
@filter_input
@enforce("read", "sub_meta_rules")
@@ -1458,17 +1550,20 @@ class IntraExtensionManager(manager.Manager):
@filter_input
@enforce(("read", "write"), "sub_meta_rules")
- @enforce("write", "rule")
+ @enforce("write", "rules")
def add_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_dict):
sub_meta_rules_dict = self.driver.get_sub_meta_rules_dict(intra_extension_id)
for _sub_meta_rule_id in sub_meta_rules_dict:
- if sub_meta_rule_dict['name'] is sub_meta_rules_dict[_sub_meta_rule_id]["name"]:
+ if sub_meta_rule_dict['name'] == sub_meta_rules_dict[_sub_meta_rule_id]["name"]:
raise SubMetaRuleNameExisting()
- elif sub_meta_rule_dict['subject_categories'] is sub_meta_rules_dict[_sub_meta_rule_id]["subject_categories"] and \
- sub_meta_rule_dict['object_categories'] is sub_meta_rules_dict[_sub_meta_rule_id]["object_categories"] and \
- sub_meta_rule_dict['action_categories'] is sub_meta_rules_dict[_sub_meta_rule_id]["action_categories"] and \
- sub_meta_rule_dict['algorithm'] is sub_meta_rules_dict[_sub_meta_rule_id]["algorithm"]:
+ elif sub_meta_rule_dict['subject_categories'] == sub_meta_rules_dict[_sub_meta_rule_id]["subject_categories"] and \
+ sub_meta_rule_dict['object_categories'] == sub_meta_rules_dict[_sub_meta_rule_id]["object_categories"] and \
+ sub_meta_rule_dict['action_categories'] == sub_meta_rules_dict[_sub_meta_rule_id]["action_categories"] and \
+ sub_meta_rule_dict['algorithm'] == sub_meta_rules_dict[_sub_meta_rule_id]["algorithm"]:
raise SubMetaRuleExisting()
+ algorithms = self.configuration_api.get_sub_meta_rule_algorithms_dict(user_id)
+ if sub_meta_rule_dict['algorithm'] not in algorithms.keys():
+ raise SubMetaRuleAlgorithmNotExisting()
sub_meta_rule_id = uuid4().hex
# TODO (dthom): add new sub-meta-rule to rule
# self.driver.add_rule(intra_extension_id, sub_meta_rule_id, [])
@@ -1484,7 +1579,7 @@ class IntraExtensionManager(manager.Manager):
@filter_input
@enforce(("read", "write"), "sub_meta_rules")
- @enforce(("read", "write"), "rule")
+ @enforce(("read", "write"), "rules")
def del_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id):
if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id):
raise SubMetaRuleUnknown()
@@ -1494,7 +1589,7 @@ class IntraExtensionManager(manager.Manager):
@filter_input
@enforce(("read", "write"), "sub_meta_rules")
- @enforce("write", "rule")
+ @enforce("write", "rules")
def set_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, sub_meta_rule_dict):
if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id):
raise SubMetaRuleUnknown()
@@ -1572,10 +1667,15 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
"""Check authorization for a particular action.
:return: True or False or raise an exception
"""
+ print("AUTHZ", tenant_name, subject_name, object_name, action_name, genre)
+ if genre == "authz":
+ genre = "intra_authz_extension_id"
+ elif genre == "admin":
+ genre = "intra_admin_extension_id"
tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
tenant_id = None
for _tenant_id in tenants_dict:
- if tenants_dict[_tenant_id] is tenant_name:
+ if tenants_dict[_tenant_id]["name"] == tenant_name:
tenant_id = _tenant_id
break
@@ -1586,179 +1686,235 @@ class IntraExtensionAuthzManager(IntraExtensionManager):
subjects_dict = self.driver.get_subjects_dict(intra_extension_id)
subject_id = None
for _subject_id in subjects_dict:
- if subjects_dict[_subject_id]['keystone_name'] is subject_name:
- subject_id = _subject_id
+ if subjects_dict[_subject_id]['keystone_name'] == subject_name:
+ subject_id = subjects_dict[_subject_id]['keystone_id']
+ # subject_id = _subject_id
+ break
if not subject_id:
raise SubjectUnknown()
objects_dict = self.driver.get_objects_dict(intra_extension_id)
object_id = None
for _object_id in objects_dict:
- if objects_dict[_object_id]['name'] is object_name:
+ if objects_dict[_object_id]['name'] == object_name:
object_id = _object_id
+ break
if not object_id:
raise ObjectUnknown()
actions_dict = self.driver.get_actions_dict(intra_extension_id)
action_id = None
for _action_id in actions_dict:
- if actions_dict[_action_id] is action_name:
+ if actions_dict[_action_id]['name'] == action_name:
action_id = _action_id
+ break
if not action_id:
raise ActionUnknown()
return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id)
def add_subject_dict(self, user_id, intra_extension_id, subject_dict):
- subject = super(IntraExtensionAuthzManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict)
+ subject = super(IntraExtensionAuthzManager, self).add_subject_dict(user_id, intra_extension_id, subject_dict)
+ subject_id, subject_value = subject.iteritems().next()
tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
for tenant_id in tenants_dict:
if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id:
- self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], subject['id'], subject_dict)
+ _subjects = self.driver.get_subjects_dict(tenants_dict[tenant_id]["intra_admin_extension_id"])
+ if subject_value["name"] not in [_subjects[_id]["name"] for _id in _subjects]:
+ self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value)
break
if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id:
- self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], subject['id'], subject_dict)
+ _subjects = self.driver.get_subjects_dict(tenants_dict[tenant_id]["intra_authz_extension_id"])
+ if subject_value["name"] not in [_subjects[_id]["name"] for _id in _subjects]:
+ self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], uuid4().hex, subject_value)
break
return subject
def del_subject(self, user_id, intra_extension_id, subject_id):
+ subject_name = self.driver.get_subjects_dict(intra_extension_id)[subject_id]["name"]
super(IntraExtensionAuthzManager, self).del_subject(user_id, intra_extension_id, subject_id)
tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
for tenant_id in tenants_dict:
if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id:
+ subject_id = self.driver.get_uuid_from_name(tenants_dict[tenant_id]["intra_admin_extension_id"],
+ subject_name,
+ self.driver.SUBJECT)
self.driver.del_subject(tenants_dict[tenant_id]["intra_admin_extension_id"], subject_id)
break
if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id:
+ subject_id = self.driver.get_uuid_from_name(tenants_dict[tenant_id]["intra_authz_extension_id"],
+ subject_name,
+ self.driver.SUBJECT)
self.driver.del_subject(tenants_dict[tenant_id]["intra_authz_extension_id"], subject_id)
break
def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict):
subject = super(IntraExtensionAuthzManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict)
+ subject_id, subject_value = subject.iteritems().next()
tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
for tenant_id in tenants_dict:
if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id:
- self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], subject['id'], subject_dict)
+ self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value)
break
if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id:
- self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], subject['id'], subject_dict)
+ self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], uuid4().hex, subject_value)
break
return subject
- def get_subject_categories_dict(self, user_id, intra_extension_id):
- raise AuthzException()
-
- def get_subject_category(self, user_id, intra_extension_id, subject_category_id):
- raise AuthzException()
-
- def get_object_category_dict(self, user_id, intra_extension_id):
- raise AuthzException()
-
- def get_object_category(self, user_id, intra_extension_id, object_category_id):
- raise AuthzException()
-
- def get_action_category_dict(self, user_id, intra_extension_id):
- raise AuthzException()
-
- def get_action_category(self, user_id, intra_extension_id, action_category_id):
- raise AuthzException()
-
- def get_subjects_dict(self, user_id, intra_extension_id):
- raise AuthzException()
-
- def get_subject_dict(self, user_id, intra_extension_id, subject_id):
- raise AuthzException()
-
- def get_objects_dict(self, user_id, intra_extension_id):
- raise AuthzException()
-
- def get_object_dict(self, user_id, intra_extension_id, object_id):
- raise AuthzException()
-
- def get_actions_dict(self, user_id, intra_extension_id):
- raise AuthzException()
-
- def get_action_dict(self, user_id, intra_extension_id, action_id):
- raise AuthzException()
-
- def get_subject_scopes_dict(self, user_id, intra_extension_id, subject_category_id):
- raise AuthzException()
-
- def get_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_id):
- raise AuthzException()
-
- def get_object_scopes_dict(self, user_id, intra_extension_id, object_category_id):
- raise AuthzException()
-
- def get_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_id):
- raise AuthzException()
-
- def get_action_scopes_dict(self, user_id, intra_extension_id, action_category_id):
- raise AuthzException()
-
- def get_action_scope_dict(self, user_id, intra_extension_id, action_category_id, action_scope_id):
- raise AuthzException()
-
- def get_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id):
- raise AuthzException()
-
- def get_object_assignment_list(self, user_id, intra_extension_id, object_id, object_category_id):
- raise AuthzException()
-
- def get_action_assignment_list(self, user_id, intra_extension_id, action_id, action_category_id):
- raise AuthzException()
-
- def get_aggregation_algorithm_dict(self, user_id, intra_extension_id):
- raise AuthzException()
-
- def get_sub_meta_rules_dict(self, user_id, intra_extension_id):
- raise AuthzException()
-
- def get_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id):
- raise AuthzException()
-
- def get_rules_dict(self, user_id, intra_extension_id, sub_meta_rule_id):
- raise AuthzException()
-
- def get_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id):
- raise AuthzException()
+ # def add_subject_category(self, user_id, intra_extension_id, subject_category_dict):
+ # raise AuthzException()
+ #
+ # def del_subject_category(self, user_id, intra_extension_id, subject_category_id):
+ # raise AuthzException()
+ #
+ # def set_subject_category(self, user_id, intra_extension_id, subject_category_id, subject_category_dict):
+ # raise AuthzException()
+ #
+ # def add_object_category(self, user_id, intra_extension_id, object_category_dict):
+ # raise AuthzException()
+ #
+ # def del_object_category(self, user_id, intra_extension_id, object_category_id):
+ # raise AuthzException()
+ #
+ # def add_action_category(self, user_id, intra_extension_id, action_category_name):
+ # raise AuthzException()
+ #
+ # def del_action_category(self, user_id, intra_extension_id, action_category_id):
+ # raise AuthzException()
+ #
+ # def add_object_dict(self, user_id, intra_extension_id, object_name):
+ # raise AuthzException()
+ #
+ # def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict):
+ # raise AuthzException()
+ #
+ # def del_object(self, user_id, intra_extension_id, object_id):
+ # raise AuthzException()
+ #
+ # def add_action_dict(self, user_id, intra_extension_id, action_name):
+ # raise AuthzException()
+ #
+ # def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict):
+ # raise AuthzException()
+ #
+ # def del_action(self, user_id, intra_extension_id, action_id):
+ # raise AuthzException()
+ #
+ # def add_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_dict):
+ # raise AuthzException()
+ #
+ # def del_subject_scope(self, user_id, intra_extension_id, subject_category_id, subject_scope_id):
+ # raise AuthzException()
+ #
+ # def set_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_id, subject_scope_name):
+ # raise AuthzException()
+ #
+ # def add_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_name):
+ # raise AuthzException()
+ #
+ # def del_object_scope(self, user_id, intra_extension_id, object_category_id, object_scope_id):
+ # raise AuthzException()
+ #
+ # def set_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_id, object_scope_name):
+ # raise AuthzException()
+ #
+ # def add_action_scope_dict(self, user_id, intra_extension_id, action_category_id, action_scope_name):
+ # raise AuthzException()
+ #
+ # def del_action_scope(self, user_id, intra_extension_id, action_category_id, action_scope_id):
+ # raise AuthzException()
+ #
+ # def add_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id):
+ # raise AuthzException()
+ #
+ # def del_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id):
+ # raise AuthzException()
+ #
+ # def add_object_assignment_list(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id):
+ # raise AuthzException()
+ #
+ # def del_object_assignment(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id):
+ # raise AuthzException()
+ #
+ # def add_action_assignment_list(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id):
+ # raise AuthzException()
+ #
+ # def del_action_assignment(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id):
+ # raise AuthzException()
+ #
+ # def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict):
+ # raise AuthzException()
+ #
+ # def del_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id):
+ # raise AuthzException()
+ #
+ # def add_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_dict):
+ # raise AuthzException()
+ #
+ # def del_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id):
+ # raise AuthzException()
+ #
+ # def set_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, sub_meta_rule_dict):
+ # raise AuthzException()
+ #
+ # def add_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_list):
+ # raise AuthzException()
+ #
+ # def del_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id):
+ # raise AuthzException()
+ #
+ # def set_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id, rule_list):
+ # raise AuthzException()
@dependency.provider('admin_api')
-# @dependency.requires('configuration_api')
class IntraExtensionAdminManager(IntraExtensionManager):
def __init__(self):
super(IntraExtensionAdminManager, self).__init__()
def add_subject_dict(self, user_id, intra_extension_id, subject_dict):
- subject = super(IntraExtensionAdminManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict)
+ subject = super(IntraExtensionAdminManager, self).add_subject_dict(user_id, intra_extension_id, subject_dict)
+ subject_id, subject_value = subject.iteritems().next()
tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
for tenant_id in tenants_dict:
if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id:
- self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], subject['id'], subject_dict)
+ _subjects = self.driver.get_subjects_dict(tenants_dict[tenant_id]["intra_admin_extension_id"])
+ if subject_value["name"] not in [_subjects[_id]["name"] for _id in _subjects]:
+ self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value)
break
if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id:
- self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], subject['id'], subject_dict)
+ _subjects = self.driver.get_subjects_dict(tenants_dict[tenant_id]["intra_authz_extension_id"])
+ if subject_value["name"] not in [_subjects[_id]["name"] for _id in _subjects]:
+ self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], uuid4().hex, subject_value)
break
return subject
def del_subject(self, user_id, intra_extension_id, subject_id):
+ subject_name = self.driver.get_subjects_dict(intra_extension_id)[subject_id]["name"]
super(IntraExtensionAdminManager, self).del_subject(user_id, intra_extension_id, subject_id)
tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
for tenant_id in tenants_dict:
if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id:
+ subject_id = self.driver.get_uuid_from_name(tenants_dict[tenant_id]["intra_admin_extension_id"],
+ subject_name,
+ self.driver.SUBJECT)
self.driver.del_subject(tenants_dict[tenant_id]["intra_admin_extension_id"], subject_id)
break
if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id:
+ subject_id = self.driver.get_uuid_from_name(tenants_dict[tenant_id]["intra_authz_extension_id"],
+ subject_name,
+ self.driver.SUBJECT)
self.driver.del_subject(tenants_dict[tenant_id]["intra_authz_extension_id"], subject_id)
break
def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict):
subject = super(IntraExtensionAdminManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict)
+ subject_id, subject_value = subject.iteritems().next()
tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID)
for tenant_id in tenants_dict:
if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id:
- self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], subject['id'], subject_dict)
+ self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value)
break
if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id:
- self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], subject['id'], subject_dict)
+ self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], uuid4().hex, subject_value)
break
return subject
@@ -1783,7 +1939,7 @@ class IntraExtensionAdminManager(IntraExtensionManager):
@dependency.provider('moonlog_api')
# Next line is mandatory in order to force keystone to process dependencies.
-@dependency.requires('admin_api')
+@dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api')
class LogManager(manager.Manager):
def __init__(self):
@@ -1860,13 +2016,13 @@ class LogManager(manager.Manager):
class ConfigurationDriver(object):
- def get_policy_template_dict(self):
+ def get_policy_templates_dict(self):
raise exception.NotImplemented() # pragma: no cover
def get_aggregation_algorithm_dict(self):
raise exception.NotImplemented() # pragma: no cover
- def get_sub_meta_rule_algorithm_dict(self):
+ def get_sub_meta_rule_algorithms_dict(self):
raise exception.NotImplemented() # pragma: no cover
@@ -1984,8 +2140,6 @@ class IntraExtensionDriver(object):
return data_values
def get_uuid_from_name(self, intra_extension_uuid, name, data_name, category_name=None, category_uuid=None):
- # print("get_uuid_from_name name = {}".format(name))
- # print("get_uuid_from_name data_name = {}".format(data_name))
data_values = self.__get_data_from_type(
intra_extension_uuid=intra_extension_uuid,
name=name,
@@ -2149,10 +2303,10 @@ class IntraExtensionDriver(object):
# Meta_rule functions
- def set_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict):
+ def set_aggregation_algorithm_dict(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict):
raise exception.NotImplemented() # pragma: no cover
- def get_aggregation_algorithm(self, intra_extension_id):
+ def get_aggregation_algorithm_dict(self, intra_extension_id):
raise exception.NotImplemented() # pragma: no cover
def del_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id):
diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py
index 75ccd187..6242447f 100644
--- a/keystone-moon/keystone/contrib/moon/exception.py
+++ b/keystone-moon/keystone/contrib/moon/exception.py
@@ -354,6 +354,13 @@ class AggregationAlgorithmUnknown(AdminMetaRule):
logger = "ERROR"
+class SubMetaRuleAlgorithmNotExisting(AdminMetaRule):
+ message_format = _("The given sub_meta_rule algorithm is unknown.")
+ code = 400
+ title = 'Sub_meta_rule Algorithm Unknown'
+ logger = "ERROR"
+
+
class SubMetaRuleUnknown(AdminMetaRule):
message_format = _("The given sub meta rule is unknown.")
code = 400
@@ -362,21 +369,21 @@ class SubMetaRuleUnknown(AdminMetaRule):
class SubMetaRuleNameExisting(AdminMetaRule):
- message_format = _("The sub meta rule name is existing.")
+ message_format = _("The sub meta rule name already exists.")
code = 400
title = 'Sub Meta Rule Name Existing'
logger = "ERROR"
class SubMetaRuleExisting(AdminMetaRule):
- message_format = _("The sub meta rule is existing.")
+ message_format = _("The sub meta rule already exists.")
code = 400
title = 'Sub Meta Rule Existing'
logger = "ERROR"
class RuleExisting(AdminRule):
- message_format = _("The rule is existing.")
+ message_format = _("The rule already exists.")
code = 400
title = 'Rule Existing'
logger = "ERROR"
diff --git a/keystone-moon/keystone/tests/moon/backends/__init__.py b/keystone-moon/keystone/tests/moon/backends/__init__.py
new file mode 100644
index 00000000..5b02576c
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/backends/__init__.py
@@ -0,0 +1 @@
+__author__ = 'vdsq3226'
diff --git a/keystone-moon/keystone/tests/moon/backends/test_sql_backend.py b/keystone-moon/keystone/tests/moon/backends/test_sql_backend.py
new file mode 100644
index 00000000..27b8d3a0
--- /dev/null
+++ b/keystone-moon/keystone/tests/moon/backends/test_sql_backend.py
@@ -0,0 +1,43 @@
+# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors
+# This software is distributed under the terms and conditions of the 'Apache-2.0'
+# license which can be found in the file 'LICENSE' in this package distribution
+# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+
+"""Unit tests for core configuration."""
+
+import uuid
+from oslo_config import cfg
+from keystone.tests import unit as tests
+from keystone.contrib.moon.backends import sql
+from keystone.tests.unit.ksfixtures import database
+from keystone.contrib.moon.exception import *
+from keystone.tests.unit import default_fixtures
+from keystone.contrib.moon.core import LogManager
+
+CONF = cfg.CONF
+
+
+class TestSQL(tests.TestCase):
+
+ def setUp(self):
+ self.useFixture(database.Database())
+ super(TestSQL, self).setUp()
+ self.load_backends()
+ self.load_fixtures(default_fixtures)
+ self.driver = sql.IntraExtensionConnector()
+
+ def load_extra_backends(self):
+ return {
+ "moonlog_api": LogManager()
+ }
+
+ def config_overrides(self):
+ super(TestSQL, self).config_overrides()
+ self.config_fixture.config(
+ group='moon',
+ tenant_driver='keystone.contrib.moon.backends.sql.ConfigurationConnector')
+
+ def test_intra_extensions(self):
+ result = self.driver.get_intra_extensions_dict()
+ print(type(result))
+ self.assertIn("toto", result)
diff --git a/keystone-moon/keystone/tests/moon/unit/__init__.py b/keystone-moon/keystone/tests/moon/unit/__init__.py
index 1b678d53..0cd835ce 100644
--- a/keystone-moon/keystone/tests/moon/unit/__init__.py
+++ b/keystone-moon/keystone/tests/moon/unit/__init__.py
@@ -2,3 +2,84 @@
# This software is distributed under the terms and conditions of the 'Apache-2.0'
# license which can be found in the file 'LICENSE' in this package distribution
# or at 'http://www.apache.org/licenses/LICENSE-2.0'.
+import uuid
+from keystone.contrib.moon.core import ADMIN_ID
+
+USER = {
+ 'name': 'admin',
+ 'domain_id': "default",
+ 'password': 'admin'
+}
+IE = {
+ "name": "test IE",
+ "policymodel": "policy_authz",
+ "description": "a simple description."
+}
+
+
+def create_intra_extension(self, policy_model="policy_authz"):
+
+ IE["model"] = policy_model
+ IE["name"] = uuid.uuid4().hex
+ genre = "admin"
+ if "authz" in policy_model:
+ genre = "authz"
+ IE["genre"] = genre
+ # force re-initialization of the ADMIN_ID variable
+ from keystone.contrib.moon.core import ADMIN_ID
+ self.ADMIN_ID = ADMIN_ID
+ ref = self.admin_api.load_intra_extension_dict(self.ADMIN_ID, intra_extension_dict=IE)
+ self.assertIsInstance(ref, dict)
+ return ref
+
+
+# def create_tenant(self, authz_uuid):
+# tenant = {
+# "id": uuid.uuid4().hex,
+# "name": "TestAuthzIntraExtensionManager",
+# "enabled": True,
+# "description": "",
+# "domain_id": "default"
+# }
+# project = self.resource_api.create_project(tenant["id"], tenant)
+# mapping = self.tenant_api.set_tenant_dict(project["id"], project["name"], authz_uuid, None)
+# self.assertIsInstance(mapping, dict)
+# self.assertIn("authz", mapping)
+# self.assertEqual(mapping["authz"], authz_uuid)
+# return mapping
+
+
+def create_user(self, username="TestAdminIntraExtensionManagerUser"):
+ user = {
+ "id": uuid.uuid4().hex,
+ "name": username,
+ "enabled": True,
+ "description": "",
+ "domain_id": "default"
+ }
+ _user = self.identity_api.create_user(user)
+ return _user
+
+def create_mapping(self, tenant_name=None, authz_id=None, admin_id=None):
+
+ from keystone.contrib.moon.core import ADMIN_ID
+ if not tenant_name:
+ tenant_name = uuid.uuid4().hex
+
+ tenant = {
+ "id": uuid.uuid4().hex,
+ "name": tenant_name,
+ "description": uuid.uuid4().hex,
+ "intra_authz_extension_id": authz_id,
+ "intra_admin_extension_id": admin_id,
+ "enabled": True,
+ "domain_id": "default"
+ }
+ keystone_tenant = self.resource_api.create_project(tenant["id"], tenant)
+ mapping = self.tenant_api.add_tenant_dict(ADMIN_ID, tenant)
+ self.assertIsInstance(mapping, dict)
+ self.assertIn("intra_authz_extension_id", mapping[tenant["id"]])
+ self.assertIn("intra_admin_extension_id", mapping[tenant["id"]])
+ self.assertEqual(mapping[tenant["id"]]["intra_authz_extension_id"], authz_id)
+ self.assertEqual(mapping[tenant["id"]]["intra_admin_extension_id"], admin_id)
+ return tenant, mapping
diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py
index e6388559..1d612b7d 100644
--- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py
+++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py
@@ -12,11 +12,15 @@ from keystone.contrib.moon.core import ConfigurationManager
from keystone.tests.unit.ksfixtures import database
from keystone.contrib.moon.exception import *
from keystone.tests.unit import default_fixtures
+from keystone.contrib.moon.core import ADMIN_ID
from keystone.contrib.moon.core import LogManager
+from keystone.contrib.moon.core import IntraExtensionAdminManager
+from keystone.tests.moon.unit import *
CONF = cfg.CONF
+@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api')
class TestConfigurationManager(tests.TestCase):
def setUp(self):
@@ -24,34 +28,52 @@ class TestConfigurationManager(tests.TestCase):
super(TestConfigurationManager, self).setUp()
self.load_backends()
self.load_fixtures(default_fixtures)
- self.manager = ConfigurationManager()
+ self.admin = create_user(self, username="admin")
+ self.demo = create_user(self, username="demo")
+ self.root_intra_extension = create_intra_extension(self, policy_model="policy_root")
+ # force re-initialization of the ADMIN_ID variable
+ from keystone.contrib.moon.core import ADMIN_ID
+ self.ADMIN_ID = ADMIN_ID
+ self.manager = self.configuration_api
def load_extra_backends(self):
return {
- "moonlog_api": LogManager()
+ "moonlog_api": LogManager(),
+ "admin_api": IntraExtensionAdminManager()
}
def config_overrides(self):
super(TestConfigurationManager, self).config_overrides()
self.config_fixture.config(
group='moon',
- tenant_driver='keystone.contrib.moon.backends.sql.ConfigurationConnector')
+ configuration_driver='keystone.contrib.moon.backends.memory.ConfigurationConnector'
+ )
+ self.config_fixture.config(
+ group='moon',
+ tenant_driver='keystone.contrib.moon.backends.sql.TenantConnector')
+ self.policy_directory = 'examples/moon/policies'
+ self.config_fixture.config(
+ group='moon',
+ intraextension_driver='keystone.contrib.moon.backends.sql.IntraExtensionConnector')
+ self.config_fixture.config(
+ group='moon',
+ policy_directory=self.policy_directory)
def test_get_policy_template_dict(self):
- pass
-
- def test_get_policy_template_id_from_name(self):
- pass
-
- def test_get_aggregation_algorithm_dict(self):
- pass
-
- def test_get_aggregation_algorithm_id_from_name(self):
- pass
+ data = self.manager.get_policy_templates_dict(self.ADMIN_ID)
+ self.assertIsInstance(data, dict)
+ self.assertIn("authz_templates", data)
+ self.assertIn("policy_root", data["authz_templates"])
- def test_get_sub_meta_rule_algorithm_dict(self):
- pass
+ # def test_get_aggregation_algorithm_dict(self):
+ # admin_intra_extension = create_intra_extension(self, policy_model="policy_admin")
+ # print(admin_intra_extension)
+ # data = self.manager.get_aggregation_algorithm_dict(self.ADMIN_ID, admin_intra_extension['id'])
+ # print(data)
- def test_get_sub_meta_rule_algorithm_id_from_name(self):
- pass
+ # def test_get_sub_meta_rule_algorithm_dict(self):
+ # data = self.manager.get_sub_meta_rule_algorithm_dict(self.ADMIN_ID)
+ # print(data)
+ #
+ # self.assertEqual("", "ee")
diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py
index 97442228..68e4a79a 100644
--- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py
+++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py
@@ -16,7 +16,8 @@ from keystone import resource
from keystone.contrib.moon.exception import *
from keystone.tests.unit import default_fixtures
from keystone.contrib.moon.core import LogManager, TenantManager
-from keystone.contrib.moon.core import DEFAULT_USER_ID
+from keystone.contrib.moon.core import ADMIN_ID
+from keystone.tests.moon.unit import *
CONF = cfg.CONF
@@ -32,14 +33,23 @@ IE = {
"description": "a simple description."
}
+@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api')
class TestIntraExtensionAdminManagerOK(tests.TestCase):
+ # TODO: must be reviewed because some tests are on the authz interface
def setUp(self):
self.useFixture(database.Database())
super(TestIntraExtensionAdminManagerOK, self).setUp()
self.load_backends()
self.load_fixtures(default_fixtures)
- self.manager = IntraExtensionAdminManager()
+ self.admin = create_user(self, username="admin")
+ self.demo = create_user(self, username="demo")
+ self.root_intra_extension = create_intra_extension(self, policy_model="policy_root")
+ # force re-initialization of the ADMIN_ID variable
+ from keystone.contrib.moon.core import ADMIN_ID
+ self.ADMIN_ID = ADMIN_ID
+ self.manager = self.authz_api
+ self.admin_manager = self.admin_api
def __get_key_from_value(self, value, values_dict):
return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0]
@@ -48,6 +58,8 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase):
return {
"moonlog_api": LogManager(),
"tenant_api": TenantManager(),
+ "admin_api": IntraExtensionAdminManager(),
+ "authz_api": IntraExtensionAuthzManager(),
# "resource_api": resource.Manager(),
}
@@ -61,1207 +73,921 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase):
group='moon',
policy_directory=self.policy_directory)
- def create_intra_extension(self, policy_model="policy_admin"):
- # Create the admin user because IntraExtension needs it
- #self.admin = self.identity_api.create_user(USER)
- IE["policymodel"] = policy_model
- IE["name"] = uuid.uuid4().hex
- self.ref = self.manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE)
- self.assertIsInstance(self.ref, dict)
- self.create_tenant(self.ref["id"])
-
- def create_tenant(self, authz_uuid):
- tenant = {
- "id": uuid.uuid4().hex,
- "name": "TestAuthzIntraExtensionManager",
- "enabled": True,
- "description": "",
- "domain_id": "default"
- }
- project = self.resource_api.create_project(tenant["id"], tenant)
- mapping = self.tenant_api.set_tenant_dict(project["id"], project["name"], authz_uuid, None)
- self.assertIsInstance(mapping, dict)
- self.assertIn("authz", mapping)
- self.assertEqual(mapping["authz"], authz_uuid)
- return mapping
-
- def create_user(self, username="TestAdminIntraExtensionManagerUser"):
- user = {
- "id": uuid.uuid4().hex,
- "name": username,
- "enabled": True,
- "description": "",
- "domain_id": "default"
- }
- _user = self.identity_api.create_user(user)
- return _user
-
def delete_admin_intra_extension(self):
self.manager.del_intra_extension(self.ref["id"])
def test_subjects(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- subjects = self.manager.get_subjects_dict("admin", self.ref["id"])
- self.assertIsInstance(subjects, dict)
- self.assertIn("subjects", subjects)
- self.assertIn("id", subjects)
- self.assertIn("intra_extension_uuid", subjects)
- self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"])
- self.assertIsInstance(subjects["subjects"], dict)
-
- new_subject = self.create_user()
- new_subjects = dict()
- new_subjects[new_subject["id"]] = new_subject["name"]
- subjects = self.manager.set_subject_dict("admin", self.ref["id"], new_subjects)
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(subjects, dict)
- self.assertIn("subjects", subjects)
- self.assertIn("id", subjects)
- self.assertIn("intra_extension_uuid", subjects)
- self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"])
- self.assertEqual(subjects["subjects"], new_subjects)
- self.assertIn(new_subject["id"], subjects["subjects"])
-
+ for key, value in subjects.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+ self.assertIn("keystone_name", value)
+ self.assertIn("keystone_id", value)
+
+ create_user(self, "subject_test")
+ new_subject = {"name": "subject_test", "description": "subject_test"}
+
+ subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject)
+ _subjects = dict(subjects)
+ self.assertEqual(len(_subjects.keys()), 1)
+ new_subject["id"] = _subjects.keys()[0]
+ value = subjects[new_subject["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_subject["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_subject["description"])
+
# Delete the new subject
- self.manager.del_subject("admin", self.ref["id"], new_subject["id"])
- subjects = self.manager.get_subjects_dict("admin", self.ref["id"])
- self.assertIsInstance(subjects, dict)
- self.assertIn("subjects", subjects)
- self.assertIn("id", subjects)
- self.assertIn("intra_extension_uuid", subjects)
- self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"])
- self.assertNotIn(new_subject["id"], subjects["subjects"])
-
- # Add a particular subject
- subjects = self.manager.add_subject_dict("admin", self.ref["id"], new_subject["id"])
- self.assertIsInstance(subjects, dict)
- self.assertIn("subject", subjects)
- self.assertIn("uuid", subjects["subject"])
- self.assertEqual(new_subject["name"], subjects["subject"]["name"])
- subjects = self.manager.get_subjects_dict("admin", self.ref["id"])
- self.assertIsInstance(subjects, dict)
- self.assertIn("subjects", subjects)
- self.assertIn("id", subjects)
- self.assertIn("intra_extension_uuid", subjects)
- self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"])
- self.assertIn(new_subject["id"], subjects["subjects"])
+ self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"])
+ subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in subjects.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_subject["name"], value["name"])
+ self.assertIn("description", value)
def test_objects(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- objects = self.manager.get_objects_dict("admin", self.ref["id"])
- self.assertIsInstance(objects, dict)
- self.assertIn("objects", objects)
- self.assertIn("id", objects)
- self.assertIn("intra_extension_uuid", objects)
- self.assertEqual(self.ref["id"], objects["intra_extension_uuid"])
- self.assertIsInstance(objects["objects"], dict)
-
- new_object = {"id": uuid.uuid4().hex, "name": "my_object"}
- new_objects = dict()
- new_objects[new_object["id"]] = new_object["name"]
- objects = self.manager.set_object_dict("admin", self.ref["id"], new_objects)
- self.assertIsInstance(objects, dict)
- self.assertIn("objects", objects)
- self.assertIn("id", objects)
- self.assertIn("intra_extension_uuid", objects)
- self.assertEqual(self.ref["id"], objects["intra_extension_uuid"])
- self.assertEqual(objects["objects"], new_objects)
- self.assertIn(new_object["id"], objects["objects"])
-
- # Delete the new object
- self.manager.del_object("admin", self.ref["id"], new_object["id"])
- objects = self.manager.get_objects_dict("admin", self.ref["id"])
- self.assertIsInstance(objects, dict)
- self.assertIn("objects", objects)
- self.assertIn("id", objects)
- self.assertIn("intra_extension_uuid", objects)
- self.assertEqual(self.ref["id"], objects["intra_extension_uuid"])
- self.assertNotIn(new_object["id"], objects["objects"])
-
- # Add a particular object
- objects = self.manager.add_object_dict("admin", self.ref["id"], new_object["name"])
- self.assertIsInstance(objects, dict)
- self.assertIn("object", objects)
- self.assertIn("uuid", objects["object"])
- self.assertEqual(new_object["name"], objects["object"]["name"])
- new_object["id"] = objects["object"]["uuid"]
- objects = self.manager.get_objects_dict("admin", self.ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"])
+ objects_id_list = []
self.assertIsInstance(objects, dict)
- self.assertIn("objects", objects)
- self.assertIn("id", objects)
- self.assertIn("intra_extension_uuid", objects)
- self.assertEqual(self.ref["id"], objects["intra_extension_uuid"])
- self.assertIn(new_object["id"], objects["objects"])
+ for key, value in objects.iteritems():
+ objects_id_list.append(key)
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
def test_actions(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- actions = self.manager.get_actions_dict("admin", self.ref["id"])
- self.assertIsInstance(actions, dict)
- self.assertIn("actions", actions)
- self.assertIn("id", actions)
- self.assertIn("intra_extension_uuid", actions)
- self.assertEqual(self.ref["id"], actions["intra_extension_uuid"])
- self.assertIsInstance(actions["actions"], dict)
-
- new_action = {"id": uuid.uuid4().hex, "name": "my_action"}
- new_actions = dict()
- new_actions[new_action["id"]] = new_action["name"]
- actions = self.manager.set_action_dict("admin", self.ref["id"], new_actions)
- self.assertIsInstance(actions, dict)
- self.assertIn("actions", actions)
- self.assertIn("id", actions)
- self.assertIn("intra_extension_uuid", actions)
- self.assertEqual(self.ref["id"], actions["intra_extension_uuid"])
- self.assertEqual(actions["actions"], new_actions)
- self.assertIn(new_action["id"], actions["actions"])
-
- # Delete the new action
- self.manager.del_action("admin", self.ref["id"], new_action["id"])
- actions = self.manager.get_actions_dict("admin", self.ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"])
+ actions_id_list = []
self.assertIsInstance(actions, dict)
- self.assertIn("actions", actions)
- self.assertIn("id", actions)
- self.assertIn("intra_extension_uuid", actions)
- self.assertEqual(self.ref["id"], actions["intra_extension_uuid"])
- self.assertNotIn(new_action["id"], actions["actions"])
-
- # Add a particular action
- actions = self.manager.add_action_dict("admin", self.ref["id"], new_action["name"])
- self.assertIsInstance(actions, dict)
- self.assertIn("action", actions)
- self.assertIn("uuid", actions["action"])
- self.assertEqual(new_action["name"], actions["action"]["name"])
- new_action["id"] = actions["action"]["uuid"]
- actions = self.manager.get_actions_dict("admin", self.ref["id"])
- self.assertIsInstance(actions, dict)
- self.assertIn("actions", actions)
- self.assertIn("id", actions)
- self.assertIn("intra_extension_uuid", actions)
- self.assertEqual(self.ref["id"], actions["intra_extension_uuid"])
- self.assertIn(new_action["id"], actions["actions"])
+ for key, value in actions.iteritems():
+ actions_id_list.append(key)
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
def test_subject_categories(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- subject_categories = self.manager.get_subject_categories_dict("admin", self.ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"])
- self.assertIsInstance(subject_categories["subject_categories"], dict)
-
- new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"}
- new_subject_categories = dict()
- new_subject_categories[new_subject_category["id"]] = new_subject_category["name"]
- subject_categories = self.manager.set_subject_category_dict("admin", self.ref["id"], new_subject_categories)
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"])
- self.assertEqual(subject_categories["subject_categories"], new_subject_categories)
- self.assertIn(new_subject_category["id"], subject_categories["subject_categories"])
+ for key, value in subject_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"}
+
+ subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category)
+ _subject_categories = dict(subject_categories)
+ self.assertEqual(len(_subject_categories.keys()), 1)
+ new_subject_category["id"] = _subject_categories.keys()[0]
+ value = subject_categories[new_subject_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_subject_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_subject_category["description"])
# Delete the new subject_category
- self.manager.del_subject_category("admin", self.ref["id"], new_subject_category["id"])
- subject_categories = self.manager.get_subject_categories_dict("admin", self.ref["id"])
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"])
- self.assertNotIn(new_subject_category["id"], subject_categories["subject_categories"])
-
- # Add a particular subject_category
- subject_categories = self.manager.add_subject_category(
- "admin",
- self.ref["id"],
- new_subject_category["name"])
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_category", subject_categories)
- self.assertIn("uuid", subject_categories["subject_category"])
- self.assertEqual(new_subject_category["name"], subject_categories["subject_category"]["name"])
- new_subject_category["id"] = subject_categories["subject_category"]["uuid"]
- subject_categories = self.manager.get_subject_categories_dict(
- "admin",
- self.ref["id"])
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"])
- self.assertIn(new_subject_category["id"], subject_categories["subject_categories"])
+ self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"])
+ subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in subject_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_subject_category["name"], value["name"])
+ self.assertIn("description", value)
def test_object_categories(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- object_categories = self.manager.get_object_category_dict("admin", self.ref["id"])
- self.assertIsInstance(object_categories, dict)
- self.assertIn("object_categories", object_categories)
- self.assertIn("id", object_categories)
- self.assertIn("intra_extension_uuid", object_categories)
- self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"])
- self.assertIsInstance(object_categories["object_categories"], dict)
-
- new_object_category = {"id": uuid.uuid4().hex, "name": "object_category_test"}
- new_object_categories = dict()
- new_object_categories[new_object_category["id"]] = new_object_category["name"]
- object_categories = self.manager.set_object_category_dict("admin", self.ref["id"], new_object_categories)
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(object_categories, dict)
- self.assertIn("object_categories", object_categories)
- self.assertIn("id", object_categories)
- self.assertIn("intra_extension_uuid", object_categories)
- self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"])
- self.assertEqual(object_categories["object_categories"], new_object_categories)
- self.assertIn(new_object_category["id"], object_categories["object_categories"])
+ for key, value in object_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ new_object_category = {"name": "object_category_test", "description": "object_category_test"}
+
+ object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category)
+ _object_categories = dict(object_categories)
+ self.assertEqual(len(_object_categories.keys()), 1)
+ new_object_category["id"] = _object_categories.keys()[0]
+ value = object_categories[new_object_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_object_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_object_category["description"])
# Delete the new object_category
- self.manager.del_object_category("admin", self.ref["id"], new_object_category["id"])
- object_categories = self.manager.get_object_category_dict("admin", self.ref["id"])
- self.assertIsInstance(object_categories, dict)
- self.assertIn("object_categories", object_categories)
- self.assertIn("id", object_categories)
- self.assertIn("intra_extension_uuid", object_categories)
- self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"])
- self.assertNotIn(new_object_category["id"], object_categories["object_categories"])
-
- # Add a particular object_category
- object_categories = self.manager.add_object_category(
- "admin",
- self.ref["id"],
- new_object_category["name"])
- self.assertIsInstance(object_categories, dict)
- self.assertIn("object_category", object_categories)
- self.assertIn("uuid", object_categories["object_category"])
- self.assertEqual(new_object_category["name"], object_categories["object_category"]["name"])
- new_object_category["id"] = object_categories["object_category"]["uuid"]
- object_categories = self.manager.get_object_category_dict(
- "admin",
- self.ref["id"])
- self.assertIsInstance(object_categories, dict)
- self.assertIn("object_categories", object_categories)
- self.assertIn("id", object_categories)
- self.assertIn("intra_extension_uuid", object_categories)
- self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"])
- self.assertIn(new_object_category["id"], object_categories["object_categories"])
- def test_action_categories(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
+ self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"])
+ object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in object_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_object_category["name"], value["name"])
+ self.assertIn("description", value)
- action_categories = self.manager.get_action_category_dict("admin", self.ref["id"])
- self.assertIsInstance(action_categories, dict)
- self.assertIn("action_categories", action_categories)
- self.assertIn("id", action_categories)
- self.assertIn("intra_extension_uuid", action_categories)
- self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"])
- self.assertIsInstance(action_categories["action_categories"], dict)
-
- new_action_category = {"id": uuid.uuid4().hex, "name": "action_category_test"}
- new_action_categories = dict()
- new_action_categories[new_action_category["id"]] = new_action_category["name"]
- action_categories = self.manager.set_action_category_dict("admin", self.ref["id"], new_action_categories)
+ def test_action_categories(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(action_categories, dict)
- self.assertIn("action_categories", action_categories)
- self.assertIn("id", action_categories)
- self.assertIn("intra_extension_uuid", action_categories)
- self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"])
- self.assertEqual(action_categories["action_categories"], new_action_categories)
- self.assertIn(new_action_category["id"], action_categories["action_categories"])
+ for key, value in action_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ new_action_category = {"name": "action_category_test", "description": "action_category_test"}
+
+ action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category)
+ _action_categories = dict(action_categories)
+ self.assertEqual(len(_action_categories.keys()), 1)
+ new_action_category["id"] = _action_categories.keys()[0]
+ value = action_categories[new_action_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_action_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_action_category["description"])
# Delete the new action_category
- self.manager.del_action_category("admin", self.ref["id"], new_action_category["id"])
- action_categories = self.manager.get_action_category_dict("admin", self.ref["id"])
- self.assertIsInstance(action_categories, dict)
- self.assertIn("action_categories", action_categories)
- self.assertIn("id", action_categories)
- self.assertIn("intra_extension_uuid", action_categories)
- self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"])
- self.assertNotIn(new_action_category["id"], action_categories["action_categories"])
-
- # Add a particular action_category
- action_categories = self.manager.add_action_category(
- "admin",
- self.ref["id"],
- new_action_category["name"])
- self.assertIsInstance(action_categories, dict)
- self.assertIn("action_category", action_categories)
- self.assertIn("uuid", action_categories["action_category"])
- self.assertEqual(new_action_category["name"], action_categories["action_category"]["name"])
- new_action_category["id"] = action_categories["action_category"]["uuid"]
- action_categories = self.manager.get_action_category_dict(
- "admin",
- self.ref["id"])
- self.assertIsInstance(action_categories, dict)
- self.assertIn("action_categories", action_categories)
- self.assertIn("id", action_categories)
- self.assertIn("intra_extension_uuid", action_categories)
- self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"])
- self.assertIn(new_action_category["id"], action_categories["action_categories"])
- def test_subject_category_scope(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
+ self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"])
+ action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in action_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_action_category["name"], value["name"])
+ self.assertIn("description", value)
- subject_categories = self.manager.set_subject_category_dict(
- "admin",
- self.ref["id"],
+ def test_subject_category_scope(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ subject_categories = self.admin_manager.add_subject_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- uuid.uuid4().hex: "admin",
- uuid.uuid4().hex: "dev",
+ "name": "country",
+ "description": "country",
}
)
- for subject_category in subject_categories["subject_categories"]:
+ for subject_category_id in subject_categories:
+
subject_category_scope = self.manager.get_subject_scopes_dict(
- "admin",
- self.ref["id"],
- subject_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIsInstance(subject_category_scope["subject_category_scope"], dict)
-
- new_subject_category_scope = dict()
- new_subject_category_scope_uuid = uuid.uuid4().hex
- new_subject_category_scope[new_subject_category_scope_uuid] = "new_subject_category_scope"
- subject_category_scope = self.manager.set_subject_scope_dict(
- "admin",
- self.ref["id"],
- subject_category,
+ self.assertEqual({}, subject_category_scope)
+
+ new_subject_category_scope = {
+ "name": "france",
+ "description": "france",
+ }
+
+ subject_category_scope = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
new_subject_category_scope)
self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid],
- subject_category_scope["subject_category_scope"][subject_category].values())
+ self.assertEqual(len(subject_category_scope.keys()), 1)
+ subject_category_scope_id = subject_category_scope.keys()[0]
+ subject_category_scope_value = subject_category_scope[subject_category_scope_id]
+ self.assertIn("name", subject_category_scope_value)
+ self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"])
+ self.assertIn("description", subject_category_scope_value)
+ self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"])
# Delete the new subject_category_scope
- self.manager.del_subject_scope(
- "admin",
- self.ref["id"],
- subject_category,
- new_subject_category_scope_uuid)
- subject_category_scope = self.manager.get_subject_scopes_dict(
- "admin",
- self.ref["id"],
- subject_category)
- self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"])
-
- # Add a particular subject_category_scope
- subject_category_scope = self.manager.add_subject_scope_dict(
- "admin",
- self.ref["id"],
- subject_category,
- new_subject_category_scope[new_subject_category_scope_uuid])
- self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("uuid", subject_category_scope["subject_category_scope"])
- self.assertEqual(new_subject_category_scope[new_subject_category_scope_uuid],
- subject_category_scope["subject_category_scope"]["name"])
- subject_category_scope = self.manager.get_subject_scopes_dict(
- "admin",
- self.ref["id"],
- subject_category)
+
+ self.admin_manager.del_subject_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ subject_category_scope_id)
+ subject_category_scope = self.admin_manager.get_subject_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"])
+ self.assertNotIn(subject_category_scope_id, subject_category_scope.keys())
def test_object_category_scope(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- object_categories = self.manager.set_object_category_dict(
- "admin",
- self.ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ object_categories = self.admin_manager.add_object_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- uuid.uuid4().hex: "id",
- uuid.uuid4().hex: "domain",
+ "name": "country",
+ "description": "country",
}
)
- for object_category in object_categories["object_categories"]:
+ for object_category_id in object_categories:
+
object_category_scope = self.manager.get_object_scopes_dict(
- "admin",
- self.ref["id"],
- object_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIsInstance(object_category_scope["object_category_scope"], dict)
-
- new_object_category_scope = dict()
- new_object_category_scope_uuid = uuid.uuid4().hex
- new_object_category_scope[new_object_category_scope_uuid] = "new_object_category_scope"
- object_category_scope = self.manager.set_object_scope_dict(
- "admin",
- self.ref["id"],
- object_category,
+ self.assertEqual({}, object_category_scope)
+
+ new_object_category_scope = {
+ "name": "france",
+ "description": "france",
+ }
+
+ object_category_scope = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
new_object_category_scope)
self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIn(new_object_category_scope[new_object_category_scope_uuid],
- object_category_scope["object_category_scope"][object_category].values())
+ self.assertEqual(len(object_category_scope.keys()), 1)
+ object_category_scope_id = object_category_scope.keys()[0]
+ object_category_scope_value = object_category_scope[object_category_scope_id]
+ self.assertIn("name", object_category_scope_value)
+ self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"])
+ self.assertIn("description", object_category_scope_value)
+ self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"])
# Delete the new object_category_scope
- self.manager.del_object_scope(
- "admin",
- self.ref["id"],
- object_category,
- new_object_category_scope_uuid)
- object_category_scope = self.manager.get_object_scopes_dict(
- "admin",
- self.ref["id"],
- object_category)
- self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"])
-
- # Add a particular object_category_scope
- object_category_scope = self.manager.add_object_scope_dict(
- "admin",
- self.ref["id"],
- object_category,
- new_object_category_scope[new_object_category_scope_uuid])
- self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("uuid", object_category_scope["object_category_scope"])
- self.assertEqual(new_object_category_scope[new_object_category_scope_uuid],
- object_category_scope["object_category_scope"]["name"])
- object_category_scope = self.manager.get_object_scopes_dict(
- "admin",
- self.ref["id"],
- object_category)
+
+ self.admin_manager.del_object_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ object_category_scope_id)
+ object_category_scope = self.admin_manager.get_object_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"])
+ self.assertNotIn(object_category_scope_id, object_category_scope.keys())
def test_action_category_scope(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- action_categories = self.manager.set_action_category_dict(
- "admin",
- self.ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ action_categories = self.admin_manager.add_action_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- uuid.uuid4().hex: "compute",
- uuid.uuid4().hex: "identity",
+ "name": "swift",
+ "description": "swift actions",
}
)
- for action_category in action_categories["action_categories"]:
+ for action_category_id in action_categories:
+
action_category_scope = self.manager.get_action_scopes_dict(
- "admin",
- self.ref["id"],
- action_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIsInstance(action_category_scope["action_category_scope"], dict)
-
- new_action_category_scope = dict()
- new_action_category_scope_uuid = uuid.uuid4().hex
- new_action_category_scope[new_action_category_scope_uuid] = "new_action_category_scope"
- action_category_scope = self.manager.set_action_scope_dict(
- "admin",
- self.ref["id"],
- action_category,
+ self.assertEqual({}, action_category_scope)
+
+ new_action_category_scope = {
+ "name": "get",
+ "description": "get swift files",
+ }
+
+ action_category_scope = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
new_action_category_scope)
self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIn(new_action_category_scope[new_action_category_scope_uuid],
- action_category_scope["action_category_scope"][action_category].values())
+ self.assertEqual(len(action_category_scope.keys()), 1)
+ action_category_scope_id = action_category_scope.keys()[0]
+ action_category_scope_value = action_category_scope[action_category_scope_id]
+ self.assertIn("name", action_category_scope_value)
+ self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"])
+ self.assertIn("description", action_category_scope_value)
+ self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"])
# Delete the new action_category_scope
- self.manager.del_action_scope(
- "admin",
- self.ref["id"],
- action_category,
- new_action_category_scope_uuid)
- action_category_scope = self.manager.get_action_scopes_dict(
- "admin",
- self.ref["id"],
- action_category)
- self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"])
-
- # Add a particular action_category_scope
- action_category_scope = self.manager.add_action_scope_dict(
- "admin",
- self.ref["id"],
- action_category,
- new_action_category_scope[new_action_category_scope_uuid])
- self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("uuid", action_category_scope["action_category_scope"])
- self.assertEqual(new_action_category_scope[new_action_category_scope_uuid],
- action_category_scope["action_category_scope"]["name"])
- action_category_scope = self.manager.get_action_scopes_dict(
- "admin",
- self.ref["id"],
- action_category)
+
+ self.admin_manager.del_action_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ action_category_scope_id)
+ action_category_scope = self.admin_manager.get_action_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"])
+ self.assertNotIn(action_category_scope_id, action_category_scope.keys())
def test_subject_category_assignment(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- new_subject = self.create_user()
- new_subjects = dict()
- new_subjects[new_subject["id"]] = new_subject["name"]
- subjects = self.manager.set_subject_dict("admin", self.ref["id"], new_subjects)
-
- new_subject_category_uuid = uuid.uuid4().hex
- new_subject_category_value = "role"
- subject_categories = self.manager.set_subject_category_dict(
- "admin",
- self.ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ admin_authz_subject_id, admin_authz_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ demo_authz_subject_id, demo_authz_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next()
+
+ subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
+
+ subject_categories = self.admin_manager.add_subject_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- new_subject_category_uuid: new_subject_category_value
+ "name": "country",
+ "description": "country",
}
)
- for subject_category in subject_categories["subject_categories"]:
+ for subject_category_id in subject_categories:
subject_category_scope = self.manager.get_subject_scopes_dict(
- "admin",
- self.ref["id"],
- subject_category)
- self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIsInstance(subject_category_scope["subject_category_scope"], dict)
-
- new_subject_category_scope = dict()
- new_subject_category_scope_uuid = uuid.uuid4().hex
- new_subject_category_scope[new_subject_category_scope_uuid] = "admin"
- subject_category_scope = self.manager.set_subject_scope_dict(
- "admin",
- self.ref["id"],
- subject_category,
- new_subject_category_scope)
- self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid],
- subject_category_scope["subject_category_scope"][subject_category].values())
-
- new_subject_category_scope2 = dict()
- new_subject_category_scope2_uuid = uuid.uuid4().hex
- new_subject_category_scope2[new_subject_category_scope2_uuid] = "dev"
- subject_category_scope = self.manager.set_subject_scope_dict(
- "admin",
- self.ref["id"],
- subject_category,
- new_subject_category_scope2)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIn(new_subject_category_scope2[new_subject_category_scope2_uuid],
- subject_category_scope["subject_category_scope"][subject_category].values())
-
- subject_category_assignments = self.manager.get_subject_assignment_dict(
- "admin",
- self.ref["id"],
- new_subject["id"]
+ self.assertEqual({}, subject_category_scope)
+
+ new_subject_category_scope_1 = {
+ "name": "france",
+ "description": "france",
+ }
+
+ subject_category_scope_1 = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ new_subject_category_scope_1)
+ subject_category_scope_1_id = subject_category_scope_1.keys()[0]
+
+ new_subject_category_scope_2 = {
+ "name": "china",
+ "description": "china",
+ }
+
+ subject_category_scope_2 = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ new_subject_category_scope_2)
+ subject_category_scope_2_id = subject_category_scope_2.keys()[0]
+
+ subject_category_assignments = self.manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id,
+ subject_category_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual({}, subject_category_assignments["subject_category_assignments"][new_subject["id"]])
-
- subject_category_assignments = self.manager.set_subject_assignment_dict(
- "admin",
- self.ref["id"],
- new_subject["id"],
- {
- new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid],
- }
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual([], subject_category_assignments)
+
+ subject_category_assignments = self.manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ demo_authz_subject_id,
+ subject_category_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]},
- subject_category_assignments["subject_category_assignments"][new_subject["id"]])
- subject_category_assignments = self.manager.get_subject_assignment_dict(
- "admin",
- self.ref["id"],
- new_subject["id"]
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual([], subject_category_assignments)
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_1_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]},
- subject_category_assignments["subject_category_assignments"][new_subject["id"]])
-
- self.manager.del_subject_assignment(
- "admin",
- self.ref["id"],
- new_subject["id"],
- new_subject_category_uuid,
- new_subject_category_scope_uuid
+ self.assertIsInstance(subject_category_assignments, list)
+
+ self.assertEqual(len(subject_category_assignments), 1)
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_2_id
)
- subject_category_assignments = self.manager.get_subject_assignment_dict(
- "admin",
- self.ref["id"],
- new_subject["id"]
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 2)
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ demo_authz_subject_id, subject_category_id, subject_category_scope_2_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_subject_category_uuid: [new_subject_category_scope2_uuid, ]},
- subject_category_assignments["subject_category_assignments"][new_subject["id"]])
-
- data = self.manager.add_subject_assignment_list(
- "admin",
- self.ref["id"],
- new_subject["id"],
- new_subject_category_uuid,
- new_subject_category_scope_uuid
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 1)
+
+ subject_category_assignments = self.admin_manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id
)
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 2)
- subject_category_assignments = self.manager.get_subject_assignment_dict(
- "admin",
- self.ref["id"],
- new_subject["id"]
+ self.admin_manager.del_subject_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
+ subject_category_assignments = self.admin_manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_subject_category_uuid: [new_subject_category_scope2_uuid, new_subject_category_scope_uuid]},
- subject_category_assignments["subject_category_assignments"][new_subject["id"]])
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 1)
def test_object_category_assignment(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- new_object = {"id": uuid.uuid4().hex, "name": "my_object"}
- new_objects = dict()
- new_objects[new_object["id"]] = new_object["name"]
- objects = self.manager.set_object_dict("admin", self.ref["id"], new_objects)
-
- new_object_category_uuid = uuid.uuid4().hex
- new_object_category_value = "role"
- object_categories = self.manager.set_object_category_dict(
- "admin",
- self.ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"])
+
+ object_vm1_id = None
+ object_vm2_id = None
+ for _object_id in objects_dict:
+ if objects_dict[_object_id]['name'] == 'vm1':
+ object_vm1_id = _object_id
+ if objects_dict[_object_id]['name'] == 'vm2':
+ object_vm2_id = _object_id
+ if not object_vm1_id or not object_vm2_id:
+ raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)")
+
+ object_categories = self.admin_manager.add_object_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- new_object_category_uuid: new_object_category_value
+ "name": "location",
+ "description": "location",
}
)
- for object_category in object_categories["object_categories"]:
+ for object_category_id in object_categories:
object_category_scope = self.manager.get_object_scopes_dict(
- "admin",
- self.ref["id"],
- object_category)
- self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIsInstance(object_category_scope["object_category_scope"], dict)
-
- new_object_category_scope = dict()
- new_object_category_scope_uuid = uuid.uuid4().hex
- new_object_category_scope[new_object_category_scope_uuid] = "admin"
- object_category_scope = self.manager.set_object_scope_dict(
- "admin",
- self.ref["id"],
- object_category,
- new_object_category_scope)
- self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIn(new_object_category_scope[new_object_category_scope_uuid],
- object_category_scope["object_category_scope"][object_category].values())
-
- new_object_category_scope2 = dict()
- new_object_category_scope2_uuid = uuid.uuid4().hex
- new_object_category_scope2[new_object_category_scope2_uuid] = "dev"
- object_category_scope = self.manager.set_object_scope_dict(
- "admin",
- self.ref["id"],
- object_category,
- new_object_category_scope2)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIn(new_object_category_scope2[new_object_category_scope2_uuid],
- object_category_scope["object_category_scope"][object_category].values())
+ self.assertEqual({}, object_category_scope)
+
+ new_object_category_scope_1 = {
+ "name": "france",
+ "description": "france",
+ }
+
+ object_category_scope_1 = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ new_object_category_scope_1)
+ object_category_scope_1_id = object_category_scope_1.keys()[0]
+
+ new_object_category_scope_2 = {
+ "name": "china",
+ "description": "china",
+ }
+
+ object_category_scope_2 = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ new_object_category_scope_2)
+ object_category_scope_2_id = object_category_scope_2.keys()[0]
object_category_assignments = self.manager.get_object_assignment_list(
- "admin",
- self.ref["id"],
- new_object["id"]
- )
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual({}, object_category_assignments["object_category_assignments"][new_object["id"]])
-
- object_category_assignments = self.manager.set_object_category_assignment_dict(
- "admin",
- self.ref["id"],
- new_object["id"],
- {
- new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid],
- }
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id,
+ object_category_id
)
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]},
- object_category_assignments["object_category_assignments"][new_object["id"]])
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual([], object_category_assignments)
+
object_category_assignments = self.manager.get_object_assignment_list(
- "admin",
- self.ref["id"],
- new_object["id"]
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm2_id,
+ object_category_id
)
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]},
- object_category_assignments["object_category_assignments"][new_object["id"]])
-
- self.manager.del_object_assignment(
- "admin",
- self.ref["id"],
- new_object["id"],
- new_object_category_uuid,
- new_object_category_scope_uuid
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual([], object_category_assignments)
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_1_id
)
- object_category_assignments = self.manager.get_object_assignment_list(
- "admin",
- self.ref["id"],
- new_object["id"]
+ self.assertIsInstance(object_category_assignments, list)
+
+ self.assertEqual(len(object_category_assignments), 1)
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_2_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 2)
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm2_id, object_category_id, object_category_scope_2_id
)
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_object_category_uuid: [new_object_category_scope2_uuid, ]},
- object_category_assignments["object_category_assignments"][new_object["id"]])
-
- self.manager.add_object_assignment_list(
- "admin",
- self.ref["id"],
- new_object["id"],
- new_object_category_uuid,
- new_object_category_scope_uuid
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 1)
+
+ object_category_assignments = self.admin_manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id
)
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 2)
- object_category_assignments = self.manager.get_object_assignment_list(
- "admin",
- self.ref["id"],
- new_object["id"]
+ self.admin_manager.del_object_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_2_id
)
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_object_category_uuid: [new_object_category_scope2_uuid, new_object_category_scope_uuid]},
- object_category_assignments["object_category_assignments"][new_object["id"]])
+ object_category_assignments = self.admin_manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 1)
def test_action_category_assignment(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- new_action = {"id": uuid.uuid4().hex, "name": "my_action"}
- new_actions = dict()
- new_actions[new_action["id"]] = new_action["name"]
- actions = self.manager.set_action_dict("admin", self.ref["id"], new_actions)
-
- new_action_category_uuid = uuid.uuid4().hex
- new_action_category_value = "role"
- action_categories = self.manager.set_action_category_dict(
- "admin",
- self.ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"])
+
+ action_upload_id = None
+ action_list_id = None
+ for _action_id in actions_dict:
+ if actions_dict[_action_id]['name'] == 'upload':
+ action_upload_id = _action_id
+ if actions_dict[_action_id]['name'] == 'list':
+ action_list_id = _action_id
+ if not action_upload_id or not action_list_id:
+ raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)")
+
+ action_categories = self.admin_manager.add_action_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- new_action_category_uuid: new_action_category_value
+ "name": "swift",
+ "description": "swift actions",
}
)
- for action_category in action_categories["action_categories"]:
+ for action_category_id in action_categories:
action_category_scope = self.manager.get_action_scopes_dict(
- "admin",
- self.ref["id"],
- action_category)
- self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIsInstance(action_category_scope["action_category_scope"], dict)
-
- new_action_category_scope = dict()
- new_action_category_scope_uuid = uuid.uuid4().hex
- new_action_category_scope[new_action_category_scope_uuid] = "admin"
- action_category_scope = self.manager.set_action_scope_dict(
- "admin",
- self.ref["id"],
- action_category,
- new_action_category_scope)
- self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIn(new_action_category_scope[new_action_category_scope_uuid],
- action_category_scope["action_category_scope"][action_category].values())
-
- new_action_category_scope2 = dict()
- new_action_category_scope2_uuid = uuid.uuid4().hex
- new_action_category_scope2[new_action_category_scope2_uuid] = "dev"
- action_category_scope = self.manager.set_action_scope_dict(
- "admin",
- self.ref["id"],
- action_category,
- new_action_category_scope2)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIn(new_action_category_scope2[new_action_category_scope2_uuid],
- action_category_scope["action_category_scope"][action_category].values())
+ self.assertEqual({}, action_category_scope)
+
+ new_action_category_scope_1 = {
+ "name": "swift_admin",
+ "description": "action require admin rights",
+ }
+
+ action_category_scope_1 = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ new_action_category_scope_1)
+ action_category_scope_1_id = action_category_scope_1.keys()[0]
+
+ new_action_category_scope_2 = {
+ "name": "swift_anonymous",
+ "description": "action require no right",
+ }
+
+ action_category_scope_2 = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ new_action_category_scope_2)
+ action_category_scope_2_id = action_category_scope_2.keys()[0]
action_category_assignments = self.manager.get_action_assignment_list(
- "admin",
- self.ref["id"],
- new_action["id"]
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id,
+ action_category_id
)
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual({}, action_category_assignments["action_category_assignments"][new_action["id"]])
-
- action_category_assignments = self.manager.set_action_assignment_dict(
- "admin",
- self.ref["id"],
- new_action["id"],
- {
- new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid],
- }
- )
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]},
- action_category_assignments["action_category_assignments"][new_action["id"]])
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual([], action_category_assignments)
+
action_category_assignments = self.manager.get_action_assignment_list(
- "admin",
- self.ref["id"],
- new_action["id"]
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_list_id,
+ action_category_id
)
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]},
- action_category_assignments["action_category_assignments"][new_action["id"]])
-
- self.manager.del_action_assignment(
- "admin",
- self.ref["id"],
- new_action["id"],
- new_action_category_uuid,
- new_action_category_scope_uuid
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual([], action_category_assignments)
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_1_id
)
- action_category_assignments = self.manager.get_action_assignment_list(
- "admin",
- self.ref["id"],
- new_action["id"]
+ self.assertIsInstance(action_category_assignments, list)
+
+ self.assertEqual(len(action_category_assignments), 1)
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_2_id
)
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_action_category_uuid: [new_action_category_scope2_uuid, ]},
- action_category_assignments["action_category_assignments"][new_action["id"]])
-
- self.manager.add_action_assignment_list(
- "admin",
- self.ref["id"],
- new_action["id"],
- new_action_category_uuid,
- new_action_category_scope_uuid
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 2)
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_list_id, action_category_id, action_category_scope_2_id
)
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 1)
- action_category_assignments = self.manager.get_action_assignment_list(
- "admin",
- self.ref["id"],
- new_action["id"]
+ action_category_assignments = self.admin_manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 2)
+
+ self.admin_manager.del_action_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_2_id
+ )
+ action_category_assignments = self.admin_manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id
)
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_action_category_uuid: [new_action_category_scope2_uuid, new_action_category_scope_uuid]},
- action_category_assignments["action_category_assignments"][new_action["id"]])
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 1)
def test_sub_meta_rules(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- aggregation_algorithms = self.manager.get_aggregation_algorithms("admin", self.ref["id"])
- self.assertIsInstance(aggregation_algorithms, dict)
- self.assertIsInstance(aggregation_algorithms["aggregation_algorithms"], list)
- self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"])
- self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"])
-
- aggregation_algorithm = self.manager.get_aggregation_algorithm_dict("admin", self.ref["id"])
- self.assertIsInstance(aggregation_algorithm, dict)
- self.assertIn("aggregation", aggregation_algorithm)
- self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"])
-
- _aggregation_algorithm = list(aggregation_algorithms["aggregation_algorithms"])
- _aggregation_algorithm.remove(aggregation_algorithm["aggregation"])
- aggregation_algorithm = self.manager.set_aggregation_algorithm_dict("admin", self.ref["id"], _aggregation_algorithm[0])
- self.assertIsInstance(aggregation_algorithm, dict)
- self.assertIn("aggregation", aggregation_algorithm)
- self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"])
-
- sub_meta_rules = self.manager.get_sub_meta_rules_dict("admin", self.ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in aggregation_algorithms.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ # TODO: need more tests on aggregation_algorithms (set and del)
+
+ sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(sub_meta_rules, dict)
- self.assertIn("sub_meta_rules", sub_meta_rules)
- sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, self.ref["model"], "metarule.json")))
- metarule = dict()
categories = {
- "subject_categories": self.manager.get_subject_categories_dict("admin", self.ref["id"]),
- "object_categories": self.manager.get_object_category_dict("admin", self.ref["id"]),
- "action_categories": self.manager.get_action_category_dict("admin", self.ref["id"])
+ "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]),
+ "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]),
+ "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
}
- for relation in sub_meta_rules_conf["sub_meta_rules"]:
- metarule[relation] = dict()
- for item in ("subject_categories", "object_categories", "action_categories"):
- metarule[relation][item] = list()
- for element in sub_meta_rules_conf["sub_meta_rules"][relation][item]:
- metarule[relation][item].append(self.__get_key_from_value(
- element,
- categories[item][item]
- ))
-
- for relation in sub_meta_rules["sub_meta_rules"]:
- self.assertIn(relation, metarule)
- for item in ("subject_categories", "object_categories", "action_categories"):
- self.assertEqual(
- sub_meta_rules["sub_meta_rules"][relation][item],
- metarule[relation][item]
- )
-
- new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"}
- # Add a particular subject_category
- data = self.manager.add_subject_category(
- "admin",
- self.ref["id"],
- new_subject_category["name"])
- new_subject_category["id"] = data["subject_category"]["uuid"]
- subject_categories = self.manager.get_subject_categories_dict(
- "admin",
- self.ref["id"])
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"])
- self.assertIn(new_subject_category["id"], subject_categories["subject_categories"])
- metarule[relation]["subject_categories"].append(new_subject_category["id"])
- _sub_meta_rules = self.manager.del_sub_meta_rule("admin", self.ref["id"], metarule)
- self.assertIn(relation, metarule)
- for item in ("subject_categories", "object_categories", "action_categories"):
- self.assertEqual(
- _sub_meta_rules["sub_meta_rules"][relation][item],
- metarule[relation][item]
- )
+ for key, value in sub_meta_rules.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("action_categories", value)
+ self.assertIn("object_categories", value)
+ self.assertIn("subject_categories", value)
+ self.assertIn("algorithm", value)
+ self.assertIn("name", value)
+ for action_category_id in value["action_categories"]:
+ self.assertIn(action_category_id, categories["action_categories"])
+ for object_category_id in value["object_categories"]:
+ self.assertIn(object_category_id, categories["object_categories"])
+ for subject_category_id in value["subject_categories"]:
+ self.assertIn(subject_category_id, categories["subject_categories"])
+ # TODO: need more tests (set and del)
def test_sub_rules(self):
- self.create_user("demo")
- self.create_user("admin")
- self.create_intra_extension()
-
- sub_meta_rules = self.manager.get_sub_meta_rules_dict("admin", self.ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(sub_meta_rules, dict)
- self.assertIn("sub_meta_rules", sub_meta_rules)
-
- sub_rules = self.manager.get_sub_rules("admin", self.ref["id"])
- self.assertIsInstance(sub_rules, dict)
- self.assertIn("rules", sub_rules)
- rules = dict()
- for relation in sub_rules["rules"]:
- self.assertIn(relation, self.manager.get_sub_meta_rule_relations("admin", self.ref["id"])["sub_meta_rule_relations"])
- rules[relation] = list()
- for rule in sub_rules["rules"][relation]:
+
+ for relation_id in sub_meta_rules:
+ rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id)
+ rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \
+ len(sub_meta_rules[relation_id]["object_categories"]) + \
+ len(sub_meta_rules[relation_id]["action_categories"]) + 1
+ for rule_id in rules:
+ self.assertEqual(rule_length, len(rules[rule_id]))
+ rule = list(rules[rule_id])
for cat, cat_func, func_name in (
- ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"),
- ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"),
- ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"),
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"),
):
- for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]:
+ for cat_value in sub_meta_rules[relation_id][cat]:
scope = cat_func(
- "admin",
- self.ref["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
cat_value
)
a_scope = rule.pop(0)
if type(a_scope) is not bool:
- self.assertIn(a_scope, scope[func_name][cat_value])
-
- # add a new subrule
-
- relation = sub_rules["rules"].keys()[0]
- sub_rule = []
- for cat, cat_func, func_name in (
- ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"),
- ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"),
- ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"),
- ):
- for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]:
- scope = cat_func(
- "admin",
- self.ref["id"],
- cat_value
- )
- sub_rule.append(scope[func_name][cat_value].keys()[0])
-
- sub_rule.append(True)
- sub_rules = self.manager.set_sub_rule("admin", self.ref["id"], relation, sub_rule)
- self.assertIsInstance(sub_rules, dict)
- self.assertIn("rules", sub_rules)
- rules = dict()
- self.assertIn(sub_rule, sub_rules["rules"][relation])
- for relation in sub_rules["rules"]:
- self.assertIn(relation, self.manager.get_sub_meta_rule_relations("admin", self.ref["id"])["sub_meta_rule_relations"])
- rules[relation] = list()
- for rule in sub_rules["rules"][relation]:
+ self.assertIn(a_scope, scope.keys())
+
+ # add a new subrule
+
+ sub_rule = []
+ for cat, cat_func, func_name in (
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"),
+ ):
+ for cat_value in sub_meta_rules[relation_id][cat]:
+ scope = cat_func(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ cat_value
+ )
+ sub_rule.append(scope.keys()[0])
+
+ sub_rule.append(False)
+
+ sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule)
+ self.assertIsInstance(sub_rules, dict)
+ self.assertIn(sub_rule, sub_rules.values())
+
+ for rule_id, rule_value in sub_rules.iteritems():
for cat, cat_func, func_name in (
- ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"),
- ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"),
- ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"),
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"),
):
- for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]:
+ for cat_value in sub_meta_rules[relation_id][cat]:
scope = cat_func(
- "admin",
- self.ref["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
cat_value
)
- a_scope = rule.pop(0)
- self.assertIn(a_scope, scope[func_name][cat_value])
+ a_scope = rule_value.pop(0)
+ self.assertIn(a_scope, scope.keys())
+
+ # TODO: add test for the delete function
+@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api')
class TestIntraExtensionAdminManagerKO(tests.TestCase):
+ # TODO: must be reviewed because some tests are on the authz interface
def setUp(self):
self.useFixture(database.Database())
super(TestIntraExtensionAdminManagerKO, self).setUp()
self.load_backends()
self.load_fixtures(default_fixtures)
- self.manager = IntraExtensionAuthzManager()
- self.admin_manager = IntraExtensionAdminManager()
+ self.admin = create_user(self, username="admin")
+ self.demo = create_user(self, username="demo")
+ self.root_intra_extension = create_intra_extension(self, policy_model="policy_root")
+ # force re-initialization of the ADMIN_ID variable
+ from keystone.contrib.moon.core import ADMIN_ID
+ self.ADMIN_ID = ADMIN_ID
+ self.manager = self.authz_api
+ self.admin_manager = self.admin_api
def __get_key_from_value(self, value, values_dict):
return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0]
@@ -1270,6 +996,8 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase):
return {
"moonlog_api": LogManager(),
"tenant_api": TenantManager(),
+ "admin_api": IntraExtensionAdminManager(),
+ "authz_api": IntraExtensionAuthzManager(),
# "resource_api": resource.Manager(),
}
@@ -1283,1519 +1011,1117 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase):
group='moon',
policy_directory=self.policy_directory)
- def create_tenant(self):
- tenant = {
- "id": uuid.uuid4().hex,
- "name": "TestIntraExtensionAuthzManager",
- "enabled": True,
- "description": "",
- "domain_id": "default"
- }
- return self.resource_api.create_project(tenant["id"], tenant)
-
- def create_mapping(self, tenant, authz_uuid=None, admin_uuid=None):
-
- mapping = self.tenant_api.set_tenant_dict(tenant["id"], tenant["name"], authz_uuid, admin_uuid)
- self.assertIsInstance(mapping, dict)
- self.assertIn("authz", mapping)
- self.assertEqual(mapping["authz"], authz_uuid)
- return mapping
-
- def create_user(self, username="admin"):
-
- _USER = dict(USER)
- _USER["name"] = username
- return self.identity_api.create_user(_USER)
-
- def create_intra_extension(self, policy_model="policy_authz"):
-
- IE["policymodel"] = policy_model
- IE["name"] = uuid.uuid4().hex
- ref = self.admin_manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE)
- self.assertIsInstance(ref, dict)
- return ref
-
def test_subjects(self):
- admin_user = self.create_user("admin")
- demo_user = self.create_user("demo")
- ref = self.create_intra_extension()
-
- self.assertRaises(
- AuthzException,
- self.manager.get_subjects_dict,
- demo_user["id"], ref["id"])
-
- subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(subjects, dict)
- self.assertIn("subjects", subjects)
- self.assertIn("id", subjects)
- self.assertIn("intra_extension_uuid", subjects)
- self.assertEqual(ref["id"], subjects["intra_extension_uuid"])
- self.assertIsInstance(subjects["subjects"], dict)
-
- new_subject = self.create_user("new_user")
- new_subjects = dict()
- new_subjects[new_subject["id"]] = new_subject["name"]
-
+ for key, value in subjects.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+ self.assertIn("keystone_name", value)
+ self.assertIn("keystone_id", value)
+
+ create_user(self, "subject_test")
+ new_subject = {"name": "subject_test", "description": "subject_test"}
self.assertRaises(
AuthzException,
- self.manager.set_subject_dict,
- demo_user["id"], ref["id"], new_subjects)
-
- subjects = self.manager.set_subject_dict(admin_user["id"], ref["id"], new_subjects)
- self.assertIsInstance(subjects, dict)
- self.assertIn("subjects", subjects)
- self.assertIn("id", subjects)
- self.assertIn("intra_extension_uuid", subjects)
- self.assertEqual(ref["id"], subjects["intra_extension_uuid"])
- self.assertEqual(subjects["subjects"], new_subjects)
- self.assertIn(new_subject["id"], subjects["subjects"])
+ self.manager.add_subject_dict,
+ demo_subject_id, admin_ie_dict["id"], new_subject)
+
+ subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject)
+ _subjects = dict(subjects)
+ self.assertEqual(len(_subjects.keys()), 1)
+ new_subject["id"] = _subjects.keys()[0]
+ value = subjects[new_subject["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_subject["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_subject["description"])
# Delete the new subject
self.assertRaises(
AuthzException,
- self.manager.del_subject_dict,
- demo_user["id"], ref["id"], new_subject["id"])
-
- self.manager.del_subject(admin_user["id"], ref["id"], new_subject["id"])
- subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(subjects, dict)
- self.assertIn("subjects", subjects)
- self.assertIn("id", subjects)
- self.assertIn("intra_extension_uuid", subjects)
- self.assertEqual(ref["id"], subjects["intra_extension_uuid"])
- self.assertNotIn(new_subject["id"], subjects["subjects"])
-
- # Add a particular subject
- self.assertRaises(
- AuthzException,
- self.manager.add_subject_dict,
- demo_user["id"], ref["id"], new_subject["id"])
+ self.manager.del_subject,
+ demo_subject_id, authz_ie_dict["id"], new_subject["id"])
- subjects = self.manager.add_subject_dict(admin_user["id"], ref["id"], new_subject["id"])
- self.assertIsInstance(subjects, dict)
- self.assertIn("subject", subjects)
- self.assertIn("uuid", subjects["subject"])
- self.assertEqual(new_subject["name"], subjects["subject"]["name"])
- subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(subjects, dict)
- self.assertIn("subjects", subjects)
- self.assertIn("id", subjects)
- self.assertIn("intra_extension_uuid", subjects)
- self.assertEqual(ref["id"], subjects["intra_extension_uuid"])
- self.assertIn(new_subject["id"], subjects["subjects"])
+ self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"])
+ subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in subjects.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_subject["name"], value["name"])
+ self.assertIn("description", value)
def test_objects(self):
- admin_user = self.create_user("admin")
- demo_user = self.create_user("demo")
- ref = self.create_intra_extension()
-
- self.assertRaises(
- AuthzException,
- self.manager.get_objects_dict,
- demo_user["id"], ref["id"])
-
- objects = self.manager.get_objects_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"])
+ objects_id_list = []
self.assertIsInstance(objects, dict)
- self.assertIn("objects", objects)
- self.assertIn("id", objects)
- self.assertIn("intra_extension_uuid", objects)
- self.assertEqual(ref["id"], objects["intra_extension_uuid"])
- self.assertIsInstance(objects["objects"], dict)
-
- new_object = {"id": uuid.uuid4().hex, "name": "my_object"}
- new_objects = dict()
- new_objects[new_object["id"]] = new_object["name"]
-
+ for key, value in objects.iteritems():
+ objects_id_list.append(key)
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ create_user(self, "subject_test")
+ new_object = {"name": "object_test", "description": "object_test"}
self.assertRaises(
AuthzException,
- self.manager.set_object_dict,
- demo_user["id"], ref["id"], new_objects)
-
- objects = self.manager.set_object_dict(admin_user["id"], ref["id"], new_objects)
- self.assertIsInstance(objects, dict)
- self.assertIn("objects", objects)
- self.assertIn("id", objects)
- self.assertIn("intra_extension_uuid", objects)
- self.assertEqual(ref["id"], objects["intra_extension_uuid"])
- self.assertEqual(objects["objects"], new_objects)
- self.assertIn(new_object["id"], objects["objects"])
+ self.manager.add_object_dict,
+ demo_subject_id, admin_ie_dict["id"], new_object)
- # Delete the new object
self.assertRaises(
- AuthzException,
- self.manager.del_object_dict,
- demo_user["id"], ref["id"], new_object["id"])
-
- self.manager.del_object(admin_user["id"], ref["id"], new_object["id"])
- objects = self.manager.get_objects_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(objects, dict)
- self.assertIn("objects", objects)
- self.assertIn("id", objects)
- self.assertIn("intra_extension_uuid", objects)
- self.assertEqual(ref["id"], objects["intra_extension_uuid"])
- self.assertNotIn(new_object["id"], objects["objects"])
+ ObjectsWriteNoAuthorized,
+ self.admin_manager.add_object_dict,
+ admin_subject_id, authz_ie_dict["id"], new_object
+ )
- # Add a particular object
- self.assertRaises(
- AuthzException,
- self.manager.add_object_dict,
- demo_user["id"], ref["id"], new_object["name"])
+ # Delete the new object
+ for key in objects_id_list:
+ self.assertRaises(
+ AuthzException,
+ self.manager.del_object,
+ demo_subject_id, authz_ie_dict["id"], key)
+ self.assertRaises(
+ AuthzException,
+ self.manager.del_object,
+ admin_subject_id, authz_ie_dict["id"], key)
- objects = self.manager.add_object_dict(admin_user["id"], ref["id"], new_object["name"])
- self.assertIsInstance(objects, dict)
- self.assertIn("object", objects)
- self.assertIn("uuid", objects["object"])
- self.assertEqual(new_object["name"], objects["object"]["name"])
- new_object["id"] = objects["object"]["uuid"]
- objects = self.manager.get_objects_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(objects, dict)
- self.assertIn("objects", objects)
- self.assertIn("id", objects)
- self.assertIn("intra_extension_uuid", objects)
- self.assertEqual(ref["id"], objects["intra_extension_uuid"])
- self.assertIn(new_object["id"], objects["objects"])
+ for key in objects_id_list:
+ self.assertRaises(
+ ObjectsWriteNoAuthorized,
+ self.admin_manager.del_object,
+ demo_subject_id, authz_ie_dict["id"], key)
+ self.assertRaises(
+ ObjectsWriteNoAuthorized,
+ self.admin_manager.del_object,
+ admin_subject_id, authz_ie_dict["id"], key)
def test_actions(self):
- admin_user = self.create_user("admin")
- demo_user = self.create_user("demo")
- ref = self.create_intra_extension()
-
- self.assertRaises(
- AuthzException,
- self.manager.get_actions_dict,
- demo_user["id"], ref["id"])
-
- actions = self.manager.get_actions_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"])
+ actions_id_list = []
self.assertIsInstance(actions, dict)
- self.assertIn("actions", actions)
- self.assertIn("id", actions)
- self.assertIn("intra_extension_uuid", actions)
- self.assertEqual(ref["id"], actions["intra_extension_uuid"])
- self.assertIsInstance(actions["actions"], dict)
-
- new_action = {"id": uuid.uuid4().hex, "name": "my_action"}
- new_actions = dict()
- new_actions[new_action["id"]] = new_action["name"]
-
+ for key, value in actions.iteritems():
+ actions_id_list.append(key)
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ create_user(self, "subject_test")
+ new_action = {"name": "action_test", "description": "action_test"}
self.assertRaises(
AuthzException,
- self.manager.set_action_dict,
- demo_user["id"], ref["id"], new_actions)
+ self.manager.add_action_dict,
+ demo_subject_id, admin_ie_dict["id"], new_action)
- actions = self.manager.set_action_dict(admin_user["id"], ref["id"], new_actions)
- self.assertIsInstance(actions, dict)
- self.assertIn("actions", actions)
- self.assertIn("id", actions)
- self.assertIn("intra_extension_uuid", actions)
- self.assertEqual(ref["id"], actions["intra_extension_uuid"])
- self.assertEqual(actions["actions"], new_actions)
- self.assertIn(new_action["id"], actions["actions"])
-
- # Delete the new action
self.assertRaises(
- AuthzException,
- self.manager.del_action_dict,
- demo_user["id"], ref["id"], new_action["id"])
-
- self.manager.del_action(admin_user["id"], ref["id"], new_action["id"])
- actions = self.manager.get_actions_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(actions, dict)
- self.assertIn("actions", actions)
- self.assertIn("id", actions)
- self.assertIn("intra_extension_uuid", actions)
- self.assertEqual(ref["id"], actions["intra_extension_uuid"])
- self.assertNotIn(new_action["id"], actions["actions"])
+ ActionsWriteNoAuthorized,
+ self.admin_manager.add_action_dict,
+ admin_subject_id, authz_ie_dict["id"], new_action
+ )
- # Add a particular action
- self.assertRaises(
- AuthzException,
- self.manager.add_action_dict,
- demo_user["id"], ref["id"], new_action["name"])
+ # Delete all actions
+ for key in actions_id_list:
+ self.assertRaises(
+ AuthzException,
+ self.manager.del_action,
+ demo_subject_id, authz_ie_dict["id"], key)
+ self.assertRaises(
+ AuthzException,
+ self.manager.del_action,
+ admin_subject_id, authz_ie_dict["id"], key)
- actions = self.manager.add_action_dict(admin_user["id"], ref["id"], new_action["name"])
- self.assertIsInstance(actions, dict)
- self.assertIn("action", actions)
- self.assertIn("uuid", actions["action"])
- self.assertEqual(new_action["name"], actions["action"]["name"])
- new_action["id"] = actions["action"]["uuid"]
- actions = self.manager.get_actions_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(actions, dict)
- self.assertIn("actions", actions)
- self.assertIn("id", actions)
- self.assertIn("intra_extension_uuid", actions)
- self.assertEqual(ref["id"], actions["intra_extension_uuid"])
- self.assertIn(new_action["id"], actions["actions"])
+ for key in actions_id_list:
+ self.assertRaises(
+ ActionsWriteNoAuthorized,
+ self.admin_manager.del_action,
+ demo_subject_id, authz_ie_dict["id"], key)
+ self.assertRaises(
+ ActionsWriteNoAuthorized,
+ self.admin_manager.del_action,
+ admin_subject_id, authz_ie_dict["id"], key)
def test_subject_categories(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user("admin")
- ref = self.create_intra_extension()
-
- self.assertRaises(
- AuthzException,
- self.manager.get_subject_categories_dict,
- demo_user["id"], ref["id"])
-
- subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"])
- self.assertIsInstance(subject_categories["subject_categories"], dict)
-
- new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"}
- new_subject_categories = dict()
- new_subject_categories[new_subject_category["id"]] = new_subject_category["name"]
+ for key, value in subject_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+ new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"}
self.assertRaises(
AuthzException,
- self.manager.set_subject_category_dict,
- demo_user["id"], ref["id"], new_subject_categories)
-
- subject_categories = self.manager.set_subject_category_dict(admin_user["id"], ref["id"], new_subject_categories)
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"])
- self.assertEqual(subject_categories["subject_categories"], new_subject_categories)
- self.assertIn(new_subject_category["id"], subject_categories["subject_categories"])
+ self.manager.add_subject_category,
+ demo_subject_id, admin_ie_dict["id"], new_subject_category)
+
+ subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category)
+ _subject_categories = dict(subject_categories)
+ self.assertEqual(len(_subject_categories.keys()), 1)
+ new_subject_category["id"] = _subject_categories.keys()[0]
+ value = subject_categories[new_subject_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_subject_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_subject_category["description"])
# Delete the new subject_category
self.assertRaises(
AuthzException,
- self.manager.del_subject_category_dict,
- demo_user["id"], ref["id"], new_subject_category["id"])
-
- self.manager.del_subject_category(admin_user["id"], ref["id"], new_subject_category["id"])
- subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"])
- self.assertNotIn(new_subject_category["id"], subject_categories["subject_categories"])
+ self.manager.del_subject_category,
+ demo_subject_id, authz_ie_dict["id"], new_subject_category["id"])
- # Add a particular subject_category
- self.assertRaises(
- AuthzException,
- self.manager.add_subject_category,
- demo_user["id"], ref["id"], new_subject_category["name"])
-
- subject_categories = self.manager.add_subject_category(
- admin_user["id"],
- ref["id"],
- new_subject_category["name"])
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_category", subject_categories)
- self.assertIn("uuid", subject_categories["subject_category"])
- self.assertEqual(new_subject_category["name"], subject_categories["subject_category"]["name"])
- new_subject_category["id"] = subject_categories["subject_category"]["uuid"]
- subject_categories = self.manager.get_subject_categories_dict(
- admin_user["id"],
- ref["id"])
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"])
- self.assertIn(new_subject_category["id"], subject_categories["subject_categories"])
+ self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"])
+ subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in subject_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_subject_category["name"], value["name"])
+ self.assertIn("description", value)
def test_object_categories(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user("admin")
- ref = self.create_intra_extension()
-
- self.assertRaises(
- AuthzException,
- self.manager.get_object_category_dict,
- demo_user["id"], ref["id"])
-
- object_categories = self.manager.get_object_category_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(object_categories, dict)
- self.assertIn("object_categories", object_categories)
- self.assertIn("id", object_categories)
- self.assertIn("intra_extension_uuid", object_categories)
- self.assertEqual(ref["id"], object_categories["intra_extension_uuid"])
- self.assertIsInstance(object_categories["object_categories"], dict)
-
- new_object_category = {"id": uuid.uuid4().hex, "name": "object_category_test"}
- new_object_categories = dict()
- new_object_categories[new_object_category["id"]] = new_object_category["name"]
+ for key, value in object_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+ new_object_category = {"name": "object_category_test", "description": "object_category_test"}
self.assertRaises(
AuthzException,
- self.manager.set_object_category_dict,
- demo_user["id"], ref["id"], new_object_categories)
-
- object_categories = self.manager.set_object_category_dict(admin_user["id"], ref["id"], new_object_categories)
- self.assertIsInstance(object_categories, dict)
- self.assertIn("object_categories", object_categories)
- self.assertIn("id", object_categories)
- self.assertIn("intra_extension_uuid", object_categories)
- self.assertEqual(ref["id"], object_categories["intra_extension_uuid"])
- self.assertEqual(object_categories["object_categories"], new_object_categories)
- self.assertIn(new_object_category["id"], object_categories["object_categories"])
+ self.manager.add_object_category,
+ demo_subject_id, admin_ie_dict["id"], new_object_category)
+
+ object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category)
+ _object_categories = dict(object_categories)
+ self.assertEqual(len(_object_categories.keys()), 1)
+ new_object_category["id"] = _object_categories.keys()[0]
+ value = object_categories[new_object_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_object_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_object_category["description"])
# Delete the new object_category
self.assertRaises(
AuthzException,
self.manager.del_object_category,
- demo_user["id"], ref["id"], new_object_category["id"])
-
- self.manager.del_object_category(admin_user["id"], ref["id"], new_object_category["id"])
- object_categories = self.manager.get_object_category_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(object_categories, dict)
- self.assertIn("object_categories", object_categories)
- self.assertIn("id", object_categories)
- self.assertIn("intra_extension_uuid", object_categories)
- self.assertEqual(ref["id"], object_categories["intra_extension_uuid"])
- self.assertNotIn(new_object_category["id"], object_categories["object_categories"])
+ demo_subject_id, authz_ie_dict["id"], new_object_category["id"])
- # Add a particular object_category
- self.assertRaises(
- AuthzException,
- self.manager.add_object_category,
- demo_user["id"], ref["id"], new_object_category["name"])
-
- object_categories = self.manager.add_object_category(
- admin_user["id"],
- ref["id"],
- new_object_category["name"])
- self.assertIsInstance(object_categories, dict)
- self.assertIn("object_category", object_categories)
- self.assertIn("uuid", object_categories["object_category"])
- self.assertEqual(new_object_category["name"], object_categories["object_category"]["name"])
- new_object_category["id"] = object_categories["object_category"]["uuid"]
- object_categories = self.manager.get_object_category_dict(
- admin_user["id"],
- ref["id"])
- self.assertIsInstance(object_categories, dict)
- self.assertIn("object_categories", object_categories)
- self.assertIn("id", object_categories)
- self.assertIn("intra_extension_uuid", object_categories)
- self.assertEqual(ref["id"], object_categories["intra_extension_uuid"])
- self.assertIn(new_object_category["id"], object_categories["object_categories"])
+ self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"])
+ object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in object_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_object_category["name"], value["name"])
+ self.assertIn("description", value)
def test_action_categories(self):
- admin_user = self.create_user()
- demo_user = self.create_user("demo")
- tenant = self.create_tenant()
- ie_authz = self.create_intra_extension("policy_authz")
- ie_admin = self.create_intra_extension("policy_admin")
- mapping = self.create_mapping(tenant, ie_authz["id"], ie_admin["id"])
- ref = ie_authz
- # admin_user = self.create_user("admin")
- # ref = self.create_intra_extension()
-
- self.assertRaises(
- AuthzException,
- self.manager.get_action_category_dict,
- demo_user["id"], ref["id"])
-
- action_categories = self.manager.get_action_category_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(action_categories, dict)
- self.assertIn("action_categories", action_categories)
- self.assertIn("id", action_categories)
- self.assertIn("intra_extension_uuid", action_categories)
- self.assertEqual(ref["id"], action_categories["intra_extension_uuid"])
- self.assertIsInstance(action_categories["action_categories"], dict)
-
- new_action_category = {"id": uuid.uuid4().hex, "name": "action_category_test"}
- new_action_categories = dict()
- new_action_categories[new_action_category["id"]] = new_action_category["name"]
- self.assertRaises(
- AuthzException,
- self.manager.set_action_category_dict,
- demo_user["id"], ref["id"], new_action_categories)
+ for key, value in action_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
- action_categories = self.manager.set_action_category_dict(admin_user["id"], ref["id"], new_action_categories)
- self.assertIsInstance(action_categories, dict)
- self.assertIn("action_categories", action_categories)
- self.assertIn("id", action_categories)
- self.assertIn("intra_extension_uuid", action_categories)
- self.assertEqual(ref["id"], action_categories["intra_extension_uuid"])
- self.assertEqual(action_categories["action_categories"], new_action_categories)
- self.assertIn(new_action_category["id"], action_categories["action_categories"])
-
- # Delete the new action_category
+ new_action_category = {"name": "action_category_test", "description": "action_category_test"}
self.assertRaises(
AuthzException,
- self.manager.del_action_category_dict,
- demo_user["id"], ref["id"], new_action_category["id"])
-
- self.manager.del_action_category(admin_user["id"], ref["id"], new_action_category["id"])
- action_categories = self.manager.get_action_category_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(action_categories, dict)
- self.assertIn("action_categories", action_categories)
- self.assertIn("id", action_categories)
- self.assertIn("intra_extension_uuid", action_categories)
- self.assertEqual(ref["id"], action_categories["intra_extension_uuid"])
- self.assertNotIn(new_action_category["id"], action_categories["action_categories"])
+ self.manager.add_action_category,
+ demo_subject_id, admin_ie_dict["id"], new_action_category)
+
+ action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category)
+ _action_categories = dict(action_categories)
+ self.assertEqual(len(_action_categories.keys()), 1)
+ new_action_category["id"] = _action_categories.keys()[0]
+ value = action_categories[new_action_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_action_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_action_category["description"])
- # Add a particular action_category
+ # Delete the new action_category
self.assertRaises(
AuthzException,
- self.manager.add_action_category,
- demo_user["id"], ref["id"], new_action_category["name"])
+ self.manager.del_action_category,
+ demo_subject_id, authz_ie_dict["id"], new_action_category["id"])
- action_categories = self.manager.add_action_category(
- admin_user["id"],
- ref["id"],
- new_action_category["name"])
- self.assertIsInstance(action_categories, dict)
- self.assertIn("action_category", action_categories)
- self.assertIn("uuid", action_categories["action_category"])
- self.assertEqual(new_action_category["name"], action_categories["action_category"]["name"])
- new_action_category["id"] = action_categories["action_category"]["uuid"]
- action_categories = self.manager.get_action_category_dict(
- admin_user["id"],
- ref["id"])
- self.assertIsInstance(action_categories, dict)
- self.assertIn("action_categories", action_categories)
- self.assertIn("id", action_categories)
- self.assertIn("intra_extension_uuid", action_categories)
- self.assertEqual(ref["id"], action_categories["intra_extension_uuid"])
- self.assertIn(new_action_category["id"], action_categories["action_categories"])
+ self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"])
+ action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in action_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_action_category["name"], value["name"])
+ self.assertIn("description", value)
def test_subject_category_scope(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user("admin")
- ref = self.create_intra_extension()
-
- subject_categories = self.manager.set_subject_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ subject_categories = self.admin_manager.add_subject_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- uuid.uuid4().hex: admin_user["id"],
- uuid.uuid4().hex: "dev",
+ "name": "country",
+ "description": "country",
}
)
- for subject_category in subject_categories["subject_categories"]:
- self.assertRaises(
- AuthzException,
- self.manager.get_subject_scopes_dict,
- demo_user["id"], ref["id"], subject_category)
+ for subject_category_id in subject_categories:
subject_category_scope = self.manager.get_subject_scopes_dict(
- admin_user["id"],
- ref["id"],
- subject_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIsInstance(subject_category_scope["subject_category_scope"], dict)
+ self.assertEqual({}, subject_category_scope)
- new_subject_category_scope = dict()
- new_subject_category_scope_uuid = uuid.uuid4().hex
- new_subject_category_scope[new_subject_category_scope_uuid] = "new_subject_category_scope"
+ new_subject_category_scope = {
+ "name": "france",
+ "description": "france",
+ }
self.assertRaises(
AuthzException,
- self.manager.set_subject_scope_dict,
- demo_user["id"], ref["id"], subject_category, new_subject_category_scope)
+ self.admin_manager.add_subject_scope_dict,
+ demo_subject_id, authz_ie_dict["id"], subject_category_id, new_subject_category_scope)
- subject_category_scope = self.manager.set_subject_scope_dict(
- admin_user["id"],
- ref["id"],
- subject_category,
+ subject_category_scope = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
new_subject_category_scope)
self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid],
- subject_category_scope["subject_category_scope"][subject_category].values())
+ self.assertEqual(len(subject_category_scope.keys()), 1)
+ subject_category_scope_id = subject_category_scope.keys()[0]
+ subject_category_scope_value = subject_category_scope[subject_category_scope_id]
+ self.assertIn("name", subject_category_scope_value)
+ self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"])
+ self.assertIn("description", subject_category_scope_value)
+ self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"])
# Delete the new subject_category_scope
self.assertRaises(
AuthzException,
- self.manager.del_subject_category_scope_dict,
- demo_user["id"], ref["id"], subject_category, new_subject_category_scope_uuid)
-
- self.manager.del_subject_scope(
- admin_user["id"],
- ref["id"],
- subject_category,
- new_subject_category_scope_uuid)
- subject_category_scope = self.manager.get_subject_scopes_dict(
- admin_user["id"],
- ref["id"],
- subject_category)
+ self.admin_manager.del_subject_scope,
+ demo_subject_id, authz_ie_dict["id"], subject_category_id, subject_category_scope_id)
+
+ self.admin_manager.del_subject_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ subject_category_scope_id)
+ subject_category_scope = self.admin_manager.get_subject_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"])
-
- # Add a particular subject_category_scope
- self.assertRaises(
- AuthzException,
- self.manager.add_subject_scope_dict,
- demo_user["id"], ref["id"], subject_category,
- new_subject_category_scope[new_subject_category_scope_uuid])
-
- subject_category_scope = self.manager.add_subject_scope_dict(
- admin_user["id"],
- ref["id"],
- subject_category,
- new_subject_category_scope[new_subject_category_scope_uuid])
- self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("uuid", subject_category_scope["subject_category_scope"])
- self.assertEqual(new_subject_category_scope[new_subject_category_scope_uuid],
- subject_category_scope["subject_category_scope"]["name"])
- subject_category_scope = self.manager.get_subject_scopes_dict(
- admin_user["id"],
- ref["id"],
- subject_category)
- self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"])
+ self.assertNotIn(subject_category_scope_id, subject_category_scope.keys())
def test_object_category_scope(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user("admin")
- ref = self.create_intra_extension()
-
- object_categories = self.manager.set_object_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ object_categories = self.admin_manager.add_object_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- uuid.uuid4().hex: "id",
- uuid.uuid4().hex: "domain",
+ "name": "country",
+ "description": "country",
}
)
- for object_category in object_categories["object_categories"]:
- self.assertRaises(
- AuthzException,
- self.manager.get_object_scopes_dict,
- demo_user["id"], ref["id"], object_category)
+ for object_category_id in object_categories:
object_category_scope = self.manager.get_object_scopes_dict(
- admin_user["id"],
- ref["id"],
- object_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIsInstance(object_category_scope["object_category_scope"], dict)
+ self.assertEqual({}, object_category_scope)
- new_object_category_scope = dict()
- new_object_category_scope_uuid = uuid.uuid4().hex
- new_object_category_scope[new_object_category_scope_uuid] = "new_object_category_scope"
+ new_object_category_scope = {
+ "name": "france",
+ "description": "france",
+ }
self.assertRaises(
AuthzException,
- self.manager.set_object_scope_dict,
- demo_user["id"], ref["id"], object_category, new_object_category_scope)
+ self.admin_manager.add_object_scope_dict,
+ demo_subject_id, authz_ie_dict["id"], object_category_id, new_object_category_scope)
- object_category_scope = self.manager.set_object_scope_dict(
- admin_user["id"],
- ref["id"],
- object_category,
+ object_category_scope = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
new_object_category_scope)
self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIn(new_object_category_scope[new_object_category_scope_uuid],
- object_category_scope["object_category_scope"][object_category].values())
+ self.assertEqual(len(object_category_scope.keys()), 1)
+ object_category_scope_id = object_category_scope.keys()[0]
+ object_category_scope_value = object_category_scope[object_category_scope_id]
+ self.assertIn("name", object_category_scope_value)
+ self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"])
+ self.assertIn("description", object_category_scope_value)
+ self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"])
# Delete the new object_category_scope
self.assertRaises(
AuthzException,
- self.manager.del_object_category_scope_dict,
- demo_user["id"], ref["id"], object_category, new_object_category_scope)
-
- self.manager.del_object_scope(
- admin_user["id"],
- ref["id"],
- object_category,
- new_object_category_scope_uuid)
- object_category_scope = self.manager.get_object_scopes_dict(
- admin_user["id"],
- ref["id"],
- object_category)
- self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"])
-
- # Add a particular object_category_scope
- self.assertRaises(
- AuthzException,
- self.manager.add_object_scope_dict,
- demo_user["id"], ref["id"], object_category,
- new_object_category_scope[new_object_category_scope_uuid]
- )
-
- object_category_scope = self.manager.add_object_scope_dict(
- admin_user["id"],
- ref["id"],
- object_category,
- new_object_category_scope[new_object_category_scope_uuid])
- self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("uuid", object_category_scope["object_category_scope"])
- self.assertEqual(new_object_category_scope[new_object_category_scope_uuid],
- object_category_scope["object_category_scope"]["name"])
- object_category_scope = self.manager.get_object_scopes_dict(
- admin_user["id"],
- ref["id"],
- object_category)
+ self.admin_manager.del_object_scope,
+ demo_subject_id, authz_ie_dict["id"], object_category_id, object_category_scope_id)
+
+ self.admin_manager.del_object_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ object_category_scope_id)
+ object_category_scope = self.admin_manager.get_object_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"])
+ self.assertNotIn(object_category_scope_id, object_category_scope.keys())
def test_action_category_scope(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user("admin")
- ref = self.create_intra_extension()
-
- action_categories = self.manager.set_action_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ action_categories = self.admin_manager.add_action_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- uuid.uuid4().hex: "compute",
- uuid.uuid4().hex: "identity",
+ "name": "swift",
+ "description": "swift actions",
}
)
- for action_category in action_categories["action_categories"]:
- self.assertRaises(
- AuthzException,
- self.manager.get_object_scopes_dict,
- demo_user["id"], ref["id"], action_category)
+ for action_category_id in action_categories:
action_category_scope = self.manager.get_action_scopes_dict(
- admin_user["id"],
- ref["id"],
- action_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIsInstance(action_category_scope["action_category_scope"], dict)
+ self.assertEqual({}, action_category_scope)
- new_action_category_scope = dict()
- new_action_category_scope_uuid = uuid.uuid4().hex
- new_action_category_scope[new_action_category_scope_uuid] = "new_action_category_scope"
+ new_action_category_scope = {
+ "name": "get",
+ "description": "get swift files",
+ }
self.assertRaises(
AuthzException,
- self.manager.set_action_scope_dict,
- demo_user["id"], ref["id"], action_category, new_action_category_scope)
+ self.admin_manager.add_action_scope_dict,
+ demo_subject_id, authz_ie_dict["id"], action_category_id, new_action_category_scope)
- action_category_scope = self.manager.set_action_scope_dict(
- admin_user["id"],
- ref["id"],
- action_category,
+ action_category_scope = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
new_action_category_scope)
self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIn(new_action_category_scope[new_action_category_scope_uuid],
- action_category_scope["action_category_scope"][action_category].values())
+ self.assertEqual(len(action_category_scope.keys()), 1)
+ action_category_scope_id = action_category_scope.keys()[0]
+ action_category_scope_value = action_category_scope[action_category_scope_id]
+ self.assertIn("name", action_category_scope_value)
+ self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"])
+ self.assertIn("description", action_category_scope_value)
+ self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"])
# Delete the new action_category_scope
self.assertRaises(
AuthzException,
- self.manager.del_action_category_scope_dict,
- demo_user["id"], ref["id"], action_category,
- new_action_category_scope_uuid
- )
-
- self.manager.del_action_scope(
- admin_user["id"],
- ref["id"],
- action_category,
- new_action_category_scope_uuid)
- action_category_scope = self.manager.get_action_scopes_dict(
- admin_user["id"],
- ref["id"],
- action_category)
- self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"])
-
- # Add a particular action_category_scope
- self.assertRaises(
- AuthzException,
- self.manager.add_action_scope_dict,
- demo_user["id"], ref["id"], action_category,
- new_action_category_scope[new_action_category_scope_uuid]
- )
-
- action_category_scope = self.manager.add_action_scope_dict(
- admin_user["id"],
- ref["id"],
- action_category,
- new_action_category_scope[new_action_category_scope_uuid])
- self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("uuid", action_category_scope["action_category_scope"])
- self.assertEqual(new_action_category_scope[new_action_category_scope_uuid],
- action_category_scope["action_category_scope"]["name"])
- action_category_scope = self.manager.get_action_scopes_dict(
- admin_user["id"],
- ref["id"],
- action_category)
+ self.admin_manager.del_action_scope,
+ demo_subject_id, authz_ie_dict["id"], action_category_id, action_category_scope_id)
+
+ self.admin_manager.del_action_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ action_category_scope_id)
+ action_category_scope = self.admin_manager.get_action_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"])
+ self.assertNotIn(action_category_scope_id, action_category_scope.keys())
def test_subject_category_assignment(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user("admin")
- ref = self.create_intra_extension()
-
- new_subject = self.create_user()
- new_subjects = dict()
- new_subjects[new_subject["id"]] = new_subject["name"]
- subjects = self.manager.set_subject_dict(admin_user["id"], ref["id"], new_subjects)
-
- new_subject_category_uuid = uuid.uuid4().hex
- new_subject_category_value = "role"
- subject_categories = self.manager.set_subject_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ admin_authz_subject_id, admin_authz_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ demo_authz_subject_id, demo_authz_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next()
+
+ subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
+
+ subject_categories = self.admin_manager.add_subject_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- new_subject_category_uuid: new_subject_category_value
+ "name": "country",
+ "description": "country",
}
)
- for subject_category in subject_categories["subject_categories"]:
+ for subject_category_id in subject_categories:
subject_category_scope = self.manager.get_subject_scopes_dict(
- admin_user["id"],
- ref["id"],
- subject_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIsInstance(subject_category_scope["subject_category_scope"], dict)
-
- new_subject_category_scope = dict()
- new_subject_category_scope_uuid = uuid.uuid4().hex
- new_subject_category_scope[new_subject_category_scope_uuid] = admin_user["id"]
- subject_category_scope = self.manager.set_subject_scope_dict(
- admin_user["id"],
- ref["id"],
- subject_category,
- new_subject_category_scope)
- self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid],
- subject_category_scope["subject_category_scope"][subject_category].values())
-
- new_subject_category_scope2 = dict()
- new_subject_category_scope2_uuid = uuid.uuid4().hex
- new_subject_category_scope2[new_subject_category_scope2_uuid] = "dev"
- subject_category_scope = self.manager.set_subject_scope_dict(
- admin_user["id"],
- ref["id"],
- subject_category,
- new_subject_category_scope2)
- self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIn(new_subject_category_scope2[new_subject_category_scope2_uuid],
- subject_category_scope["subject_category_scope"][subject_category].values())
+ self.assertEqual({}, subject_category_scope)
- self.assertRaises(
- AuthzException,
- self.manager.get_subject_assignment_dict,
- demo_user["id"], ref["id"], new_subject["id"])
+ new_subject_category_scope_1 = {
+ "name": "france",
+ "description": "france",
+ }
- subject_category_assignments = self.manager.get_subject_assignment_dict(
- admin_user["id"],
- ref["id"],
- new_subject["id"]
+ subject_category_scope_1 = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ new_subject_category_scope_1)
+ subject_category_scope_1_id = subject_category_scope_1.keys()[0]
+
+ new_subject_category_scope_2 = {
+ "name": "china",
+ "description": "china",
+ }
+
+ subject_category_scope_2 = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ new_subject_category_scope_2)
+ subject_category_scope_2_id = subject_category_scope_2.keys()[0]
+
+ subject_category_assignments = self.manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id,
+ subject_category_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual({}, subject_category_assignments["subject_category_assignments"][new_subject["id"]])
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual([], subject_category_assignments)
+
+ subject_category_assignments = self.manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ demo_authz_subject_id,
+ subject_category_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual([], subject_category_assignments)
self.assertRaises(
AuthzException,
- self.manager.set_subject_assignment_dict,
- demo_user["id"], ref["id"], new_subject["id"],
- {
- new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid],
- }
+ self.manager.add_subject_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_1_id
)
- subject_category_assignments = self.manager.set_subject_assignment_dict(
- admin_user["id"],
- ref["id"],
- new_subject["id"],
- {
- new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid],
- }
+ self.assertRaises(
+ AuthzException,
+ self.manager.add_subject_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ demo_authz_subject_id, subject_category_id, subject_category_scope_2_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]},
- subject_category_assignments["subject_category_assignments"][new_subject["id"]])
- subject_category_assignments = self.manager.get_subject_assignment_dict(
- admin_user["id"],
- ref["id"],
- new_subject["id"]
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_1_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]},
- subject_category_assignments["subject_category_assignments"][new_subject["id"]])
+ self.assertIsInstance(subject_category_assignments, list)
- self.assertRaises(
- AuthzException,
- self.manager.del_subject_category_assignment_dict,
- demo_user["id"], ref["id"], new_subject["id"],
- new_subject_category_uuid,
- new_subject_category_scope_uuid
+ self.assertEqual(len(subject_category_assignments), 1)
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_2_id
)
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 2)
- self.manager.del_subject_assignment(
- admin_user["id"],
- ref["id"],
- new_subject["id"],
- new_subject_category_uuid,
- new_subject_category_scope_uuid
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ demo_authz_subject_id, subject_category_id, subject_category_scope_2_id
)
- subject_category_assignments = self.manager.get_subject_assignment_dict(
- admin_user["id"],
- ref["id"],
- new_subject["id"]
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 1)
+
+ subject_category_assignments = self.admin_manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_subject_category_uuid: [new_subject_category_scope2_uuid, ]},
- subject_category_assignments["subject_category_assignments"][new_subject["id"]])
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 2)
self.assertRaises(
AuthzException,
- self.manager.add_subject_assignment_list,
- demo_user["id"], ref["id"], new_subject["id"],
- new_subject_category_uuid,
- new_subject_category_scope_uuid
+ self.admin_manager.del_subject_assignment,
+ demo_subject_id, authz_ie_dict["id"],
+ demo_authz_subject_id, subject_category_id, subject_category_scope_2_id
)
- data = self.manager.add_subject_assignment_list(
- admin_user["id"],
- ref["id"],
- new_subject["id"],
- new_subject_category_uuid,
- new_subject_category_scope_uuid
+ self.admin_manager.del_subject_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
+ subject_category_assignments = self.admin_manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id
)
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 1)
- subject_category_assignments = self.manager.get_subject_assignment_dict(
- admin_user["id"],
- ref["id"],
- new_subject["id"]
+ self.assertRaises(
+ SubjectAssignmentUnknown,
+ self.admin_manager.del_subject_assignment,
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_2_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_subject_category_uuid: [new_subject_category_scope2_uuid, new_subject_category_scope_uuid]},
- subject_category_assignments["subject_category_assignments"][new_subject["id"]])
def test_object_category_assignment(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user("admin")
- ref = self.create_intra_extension()
-
- new_object = {"id": uuid.uuid4().hex, "name": "my_object"}
- new_objects = dict()
- new_objects[new_object["id"]] = new_object["name"]
- objects = self.manager.set_object_dict(admin_user["id"], ref["id"], new_objects)
-
- new_object_category_uuid = uuid.uuid4().hex
- new_object_category_value = "role"
- object_categories = self.manager.set_object_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"])
+
+ object_vm1_id = None
+ object_vm2_id = None
+ for _object_id in objects_dict:
+ if objects_dict[_object_id]['name'] == 'vm1':
+ object_vm1_id = _object_id
+ if objects_dict[_object_id]['name'] == 'vm2':
+ object_vm2_id = _object_id
+ if not object_vm1_id or not object_vm2_id:
+ raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)")
+
+ object_categories = self.admin_manager.add_object_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- new_object_category_uuid: new_object_category_value
+ "name": "location",
+ "description": "location",
}
)
- for object_category in object_categories["object_categories"]:
+ for object_category_id in object_categories:
object_category_scope = self.manager.get_object_scopes_dict(
- admin_user["id"],
- ref["id"],
- object_category)
- self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIsInstance(object_category_scope["object_category_scope"], dict)
-
- new_object_category_scope = dict()
- new_object_category_scope_uuid = uuid.uuid4().hex
- new_object_category_scope[new_object_category_scope_uuid] = admin_user["id"]
- object_category_scope = self.manager.set_object_scope_dict(
- admin_user["id"],
- ref["id"],
- object_category,
- new_object_category_scope)
- self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIn(new_object_category_scope[new_object_category_scope_uuid],
- object_category_scope["object_category_scope"][object_category].values())
-
- new_object_category_scope2 = dict()
- new_object_category_scope2_uuid = uuid.uuid4().hex
- new_object_category_scope2[new_object_category_scope2_uuid] = "dev"
- object_category_scope = self.manager.set_object_scope_dict(
- admin_user["id"],
- ref["id"],
- object_category,
- new_object_category_scope2)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIn(new_object_category_scope2[new_object_category_scope2_uuid],
- object_category_scope["object_category_scope"][object_category].values())
+ self.assertEqual({}, object_category_scope)
- self.assertRaises(
- AuthzException,
- self.manager.get_object_assignment_list,
- demo_user["id"], ref["id"], new_object["id"]
+ new_object_category_scope_1 = {
+ "name": "france",
+ "description": "france",
+ }
+
+ object_category_scope_1 = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ new_object_category_scope_1)
+ object_category_scope_1_id = object_category_scope_1.keys()[0]
+
+ new_object_category_scope_2 = {
+ "name": "china",
+ "description": "china",
+ }
+
+ object_category_scope_2 = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ new_object_category_scope_2)
+ object_category_scope_2_id = object_category_scope_2.keys()[0]
+
+ object_category_assignments = self.manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id,
+ object_category_id
)
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual([], object_category_assignments)
object_category_assignments = self.manager.get_object_assignment_list(
- admin_user["id"],
- ref["id"],
- new_object["id"]
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm2_id,
+ object_category_id
)
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual({}, object_category_assignments["object_category_assignments"][new_object["id"]])
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual([], object_category_assignments)
self.assertRaises(
AuthzException,
- self.manager.set_object_category_assignment_dict,
- demo_user["id"], ref["id"], new_object["id"],
- {
- new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid],
- }
+ self.manager.add_object_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_1_id
)
- object_category_assignments = self.manager.set_object_category_assignment_dict(
- admin_user["id"],
- ref["id"],
- new_object["id"],
- {
- new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid],
- }
+ self.assertRaises(
+ AuthzException,
+ self.manager.add_object_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ object_vm2_id, object_category_id, object_category_scope_2_id
)
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]},
- object_category_assignments["object_category_assignments"][new_object["id"]])
- object_category_assignments = self.manager.get_object_assignment_list(
- admin_user["id"],
- ref["id"],
- new_object["id"]
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_1_id
)
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]},
- object_category_assignments["object_category_assignments"][new_object["id"]])
+ self.assertIsInstance(object_category_assignments, list)
- self.assertRaises(
- AuthzException,
- self.manager.del_object_category_assignment_dict,
- demo_user["id"], ref["id"], new_object["id"],
- new_object_category_uuid,
- new_object_category_scope_uuid
+ self.assertEqual(len(object_category_assignments), 1)
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_2_id
)
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 2)
- self.manager.del_object_assignment(
- admin_user["id"],
- ref["id"],
- new_object["id"],
- new_object_category_uuid,
- new_object_category_scope_uuid
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm2_id, object_category_id, object_category_scope_2_id
)
- object_category_assignments = self.manager.get_object_assignment_list(
- admin_user["id"],
- ref["id"],
- new_object["id"]
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 1)
+
+ object_category_assignments = self.admin_manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id
)
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_object_category_uuid: [new_object_category_scope2_uuid, ]},
- object_category_assignments["object_category_assignments"][new_object["id"]])
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 2)
self.assertRaises(
AuthzException,
- self.manager.add_object_assignment_list,
- demo_user["id"], ref["id"], new_object["id"],
- new_object_category_uuid,
- new_object_category_scope_uuid
+ self.admin_manager.del_object_assignment,
+ demo_subject_id, authz_ie_dict["id"],
+ object_vm2_id, object_category_id, object_category_scope_2_id
)
- self.manager.add_object_assignment_list(
- admin_user["id"],
- ref["id"],
- new_object["id"],
- new_object_category_uuid,
- new_object_category_scope_uuid
+ self.admin_manager.del_object_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_2_id
+ )
+ object_category_assignments = self.admin_manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id
)
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 1)
- object_category_assignments = self.manager.get_object_assignment_list(
- admin_user["id"],
- ref["id"],
- new_object["id"]
+ self.assertRaises(
+ ObjectAssignmentUnknown,
+ self.admin_manager.del_object_assignment,
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_2_id
)
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_object_category_uuid: [new_object_category_scope2_uuid, new_object_category_scope_uuid]},
- object_category_assignments["object_category_assignments"][new_object["id"]])
def test_action_category_assignment(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user("admin")
- ref = self.create_intra_extension()
-
- new_action = {"id": uuid.uuid4().hex, "name": "my_action"}
- new_actions = dict()
- new_actions[new_action["id"]] = new_action["name"]
- actions = self.manager.set_action_dict(admin_user["id"], ref["id"], new_actions)
-
- new_action_category_uuid = uuid.uuid4().hex
- new_action_category_value = "role"
- action_categories = self.manager.set_action_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"])
+
+ action_upload_id = None
+ action_list_id = None
+ for _action_id in actions_dict:
+ if actions_dict[_action_id]['name'] == 'upload':
+ action_upload_id = _action_id
+ if actions_dict[_action_id]['name'] == 'list':
+ action_list_id = _action_id
+ if not action_upload_id or not action_list_id:
+ raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)")
+
+ action_categories = self.admin_manager.add_action_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- new_action_category_uuid: new_action_category_value
+ "name": "swift",
+ "description": "swift actions",
}
)
- for action_category in action_categories["action_categories"]:
+ for action_category_id in action_categories:
action_category_scope = self.manager.get_action_scopes_dict(
- admin_user["id"],
- ref["id"],
- action_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIsInstance(action_category_scope["action_category_scope"], dict)
-
- new_action_category_scope = dict()
- new_action_category_scope_uuid = uuid.uuid4().hex
- new_action_category_scope[new_action_category_scope_uuid] = admin_user["id"]
- action_category_scope = self.manager.set_action_scope_dict(
- admin_user["id"],
- ref["id"],
- action_category,
- new_action_category_scope)
- self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIn(new_action_category_scope[new_action_category_scope_uuid],
- action_category_scope["action_category_scope"][action_category].values())
-
- new_action_category_scope2 = dict()
- new_action_category_scope2_uuid = uuid.uuid4().hex
- new_action_category_scope2[new_action_category_scope2_uuid] = "dev"
- action_category_scope = self.manager.set_action_scope_dict(
- admin_user["id"],
- ref["id"],
- action_category,
- new_action_category_scope2)
- self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIn(new_action_category_scope2[new_action_category_scope2_uuid],
- action_category_scope["action_category_scope"][action_category].values())
+ self.assertEqual({}, action_category_scope)
- self.assertRaises(
- AuthzException,
- self.manager.get_action_assignment_list,
- demo_user["id"], ref["id"], new_action["id"]
+ new_action_category_scope_1 = {
+ "name": "swift_admin",
+ "description": "action require admin rights",
+ }
+
+ action_category_scope_1 = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ new_action_category_scope_1)
+ action_category_scope_1_id = action_category_scope_1.keys()[0]
+
+ new_action_category_scope_2 = {
+ "name": "swift_anonymous",
+ "description": "action require no right",
+ }
+
+ action_category_scope_2 = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ new_action_category_scope_2)
+ action_category_scope_2_id = action_category_scope_2.keys()[0]
+
+ action_category_assignments = self.manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id,
+ action_category_id
)
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual([], action_category_assignments)
action_category_assignments = self.manager.get_action_assignment_list(
- admin_user["id"],
- ref["id"],
- new_action["id"]
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_list_id,
+ action_category_id
)
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual({}, action_category_assignments["action_category_assignments"][new_action["id"]])
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual([], action_category_assignments)
self.assertRaises(
AuthzException,
- self.manager.set_action_assignment_dict,
- demo_user["id"], ref["id"], new_action["id"],
- {
- new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid],
- }
+ self.manager.add_action_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_1_id
)
- action_category_assignments = self.manager.set_action_assignment_dict(
- admin_user["id"],
- ref["id"],
- new_action["id"],
- {
- new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid],
- }
+ self.assertRaises(
+ AuthzException,
+ self.manager.add_action_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ action_list_id, action_category_id, action_category_scope_2_id
)
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]},
- action_category_assignments["action_category_assignments"][new_action["id"]])
- action_category_assignments = self.manager.get_action_assignment_list(
- admin_user["id"],
- ref["id"],
- new_action["id"]
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_1_id
)
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]},
- action_category_assignments["action_category_assignments"][new_action["id"]])
+ self.assertIsInstance(action_category_assignments, list)
- self.assertRaises(
- AuthzException,
- self.manager.del_action_category_assignment_dict,
- demo_user["id"], ref["id"], new_action["id"],
- new_action_category_uuid,
- new_action_category_scope_uuid
+ self.assertEqual(len(action_category_assignments), 1)
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_2_id
)
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 2)
- self.manager.del_action_assignment(
- admin_user["id"],
- ref["id"],
- new_action["id"],
- new_action_category_uuid,
- new_action_category_scope_uuid
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_list_id, action_category_id, action_category_scope_2_id
)
- action_category_assignments = self.manager.get_action_assignment_list(
- admin_user["id"],
- ref["id"],
- new_action["id"]
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 1)
+
+ action_category_assignments = self.admin_manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id
)
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_action_category_uuid: [new_action_category_scope2_uuid, ]},
- action_category_assignments["action_category_assignments"][new_action["id"]])
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 2)
self.assertRaises(
AuthzException,
- self.manager.add_action_assignment_list,
- demo_user["id"], ref["id"], new_action["id"],
- new_action_category_uuid,
- new_action_category_scope_uuid
+ self.admin_manager.del_action_assignment,
+ demo_subject_id, authz_ie_dict["id"],
+ action_list_id, action_category_id, action_category_scope_2_id
)
- self.manager.add_action_assignment_list(
- admin_user["id"],
- ref["id"],
- new_action["id"],
- new_action_category_uuid,
- new_action_category_scope_uuid
+ self.admin_manager.del_action_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_2_id
+ )
+ action_category_assignments = self.admin_manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id
)
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 1)
- action_category_assignments = self.manager.get_action_assignment_list(
- admin_user["id"],
- ref["id"],
- new_action["id"]
+ self.assertRaises(
+ ActionAssignmentUnknown,
+ self.admin_manager.del_action_assignment,
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_2_id
)
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual(
- {new_action_category_uuid: [new_action_category_scope2_uuid, new_action_category_scope_uuid]},
- action_category_assignments["action_category_assignments"][new_action["id"]])
def test_sub_meta_rules(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user("admin")
- ref = self.create_intra_extension()
-
- aggregation_algorithms = self.manager.get_aggregation_algorithms(admin_user["id"], ref["id"])
- self.assertIsInstance(aggregation_algorithms, dict)
- self.assertIsInstance(aggregation_algorithms["aggregation_algorithms"], list)
- self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"])
- self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"])
-
- self.assertRaises(
- AuthzException,
- self.manager.get_aggregation_algorithm_dict,
- demo_user["id"], ref["id"]
- )
-
- aggregation_algorithm = self.manager.get_aggregation_algorithm_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(aggregation_algorithm, dict)
- self.assertIn("aggregation", aggregation_algorithm)
- self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"])
-
- _aggregation_algorithm = list(aggregation_algorithms["aggregation_algorithms"])
- _aggregation_algorithm.remove(aggregation_algorithm["aggregation"])
-
- self.assertRaises(
- AuthzException,
- self.manager.set_aggregation_algorithms,
- demo_user["id"], ref["id"], _aggregation_algorithm[0]
- )
-
- aggregation_algorithm = self.manager.set_aggregation_algorithm_dict(admin_user["id"], ref["id"], _aggregation_algorithm[0])
- self.assertIsInstance(aggregation_algorithm, dict)
- self.assertIn("aggregation", aggregation_algorithm)
- self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"])
-
- self.assertRaises(
- AuthzException,
- self.manager.get_sub_meta_rules_dict,
- demo_user["id"], ref["id"]
- )
-
- sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in aggregation_algorithms.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ # TODO: need more tests on aggregation_algorithms (set and del)
+
+ sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(sub_meta_rules, dict)
- self.assertIn("sub_meta_rules", sub_meta_rules)
- sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, ref["model"], "metarule.json")))
- metarule = dict()
categories = {
- "subject_categories": self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]),
- "object_categories": self.manager.get_object_category_dict(admin_user["id"], ref["id"]),
- "action_categories": self.manager.get_action_category_dict(admin_user["id"], ref["id"])
+ "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]),
+ "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]),
+ "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
}
- for relation in sub_meta_rules_conf["sub_meta_rules"]:
- metarule[relation] = dict()
- for item in ("subject_categories", "object_categories", "action_categories"):
- metarule[relation][item] = list()
- for element in sub_meta_rules_conf["sub_meta_rules"][relation][item]:
- metarule[relation][item].append(self.__get_key_from_value(
- element,
- categories[item][item]
- ))
-
- for relation in sub_meta_rules["sub_meta_rules"]:
- self.assertIn(relation, metarule)
- for item in ("subject_categories", "object_categories", "action_categories"):
- self.assertEqual(
- sub_meta_rules["sub_meta_rules"][relation][item],
- metarule[relation][item]
- )
-
- new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"}
- # Add a particular subject_category
- data = self.manager.add_subject_category(
- admin_user["id"],
- ref["id"],
- new_subject_category["name"])
- new_subject_category["id"] = data["subject_category"]["uuid"]
- subject_categories = self.manager.get_subject_categories_dict(
- admin_user["id"],
- ref["id"])
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"])
- self.assertIn(new_subject_category["id"], subject_categories["subject_categories"])
- metarule[relation]["subject_categories"].append(new_subject_category["id"])
-
- self.assertRaises(
- AuthzException,
- self.manager.get_sub_meta_rule_dict,
- demo_user["id"], ref["id"], metarule
- )
-
- _sub_meta_rules = self.manager.get_sub_meta_rule_dict(admin_user["id"], ref["id"], metarule)
- self.assertIn(relation, metarule)
- for item in ("subject_categories", "object_categories", "action_categories"):
- self.assertEqual(
- _sub_meta_rules["sub_meta_rules"][relation][item],
- metarule[relation][item]
- )
+ for key, value in sub_meta_rules.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("action_categories", value)
+ self.assertIn("object_categories", value)
+ self.assertIn("subject_categories", value)
+ self.assertIn("algorithm", value)
+ self.assertIn("name", value)
+ for action_category_id in value["action_categories"]:
+ self.assertIn(action_category_id, categories["action_categories"])
+ for object_category_id in value["object_categories"]:
+ self.assertIn(object_category_id, categories["object_categories"])
+ for subject_category_id in value["subject_categories"]:
+ self.assertIn(subject_category_id, categories["subject_categories"])
+ # TODO: need more tests (set and del)
def test_sub_rules(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user("admin")
- ref = self.create_intra_extension()
-
- sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(sub_meta_rules, dict)
- self.assertIn("sub_meta_rules", sub_meta_rules)
- self.assertRaises(
- AuthzException,
- self.manager.get_sub_rules,
- demo_user["id"], ref["id"]
- )
-
- sub_rules = self.manager.get_sub_rules(admin_user["id"], ref["id"])
- self.assertIsInstance(sub_rules, dict)
- self.assertIn("rules", sub_rules)
- rules = dict()
- for relation in sub_rules["rules"]:
- self.assertIn(relation, self.manager.get_sub_meta_rule_relations(admin_user["id"], ref["id"])["sub_meta_rule_relations"])
- rules[relation] = list()
- for rule in sub_rules["rules"][relation]:
+ for relation_id in sub_meta_rules:
+ rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id)
+ rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \
+ len(sub_meta_rules[relation_id]["object_categories"]) + \
+ len(sub_meta_rules[relation_id]["action_categories"]) + 1
+ for rule_id in rules:
+ self.assertEqual(rule_length, len(rules[rule_id]))
+ rule = list(rules[rule_id])
for cat, cat_func, func_name in (
- ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"),
- ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"),
- ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"),
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"),
):
- for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]:
+ for cat_value in sub_meta_rules[relation_id][cat]:
scope = cat_func(
- admin_user["id"],
- ref["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
cat_value
)
a_scope = rule.pop(0)
if type(a_scope) is not bool:
- self.assertIn(a_scope, scope[func_name][cat_value])
-
- # add a new subrule
-
- relation = sub_rules["rules"].keys()[0]
- sub_rule = []
- for cat, cat_func, func_name in (
- ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"),
- ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"),
- ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"),
- ):
- for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]:
- scope = cat_func(
- admin_user["id"],
- ref["id"],
- cat_value
- )
- sub_rule.append(scope[func_name][cat_value].keys()[0])
-
- sub_rule.append(True)
- self.assertRaises(
- AuthzException,
- self.manager.set_sub_rules,
- demo_user["id"], ref["id"], relation, sub_rule
- )
+ self.assertIn(a_scope, scope.keys())
+
+ # add a new subrule
+
+ sub_rule = []
+ for cat, cat_func, func_name in (
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"),
+ ):
+ for cat_value in sub_meta_rules[relation_id][cat]:
+ scope = cat_func(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ cat_value
+ )
+ sub_rule.append(scope.keys()[0])
+
+ sub_rule.append(False)
+ self.assertRaises(
+ AuthzException,
+ self.admin_manager.add_rule_dict,
+ demo_subject_id, authz_ie_dict["id"], relation_id, sub_rule
+ )
+
+ sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule)
+ self.assertIsInstance(sub_rules, dict)
+ self.assertIn(sub_rule, sub_rules.values())
- sub_rules = self.manager.set_sub_rule(admin_user["id"], ref["id"], relation, sub_rule)
- self.assertIsInstance(sub_rules, dict)
- self.assertIn("rules", sub_rules)
- rules = dict()
- self.assertIn(sub_rule, sub_rules["rules"][relation])
- for relation in sub_rules["rules"]:
- self.assertIn(relation, self.manager.get_sub_meta_rule_relations(admin_user["id"], ref["id"])["sub_meta_rule_relations"])
- rules[relation] = list()
- for rule in sub_rules["rules"][relation]:
+ for rule_id, rule_value in sub_rules.iteritems():
for cat, cat_func, func_name in (
- ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"),
- ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"),
- ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"),
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"),
):
- for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]:
+ for cat_value in sub_meta_rules[relation_id][cat]:
scope = cat_func(
- admin_user["id"],
- ref["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
cat_value
)
- a_scope = rule.pop(0)
- self.assertIn(a_scope, scope[func_name][cat_value])
+ a_scope = rule_value.pop(0)
+ self.assertIn(a_scope, scope.keys())
+ # TODO: add test for the delete function
diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py
index 0e22a1b4..705aea8a 100644
--- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py
+++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py
@@ -16,6 +16,7 @@ from keystone import resource
from keystone.contrib.moon.exception import *
from keystone.tests.unit import default_fixtures
from keystone.contrib.moon.core import LogManager, TenantManager, ADMIN_ID
+from keystone.tests.moon.unit import *
CONF = cfg.CONF
@@ -31,15 +32,22 @@ IE = {
"description": "a simple description."
}
-class TestIntraExtensionAuthzManagerAuthz(tests.TestCase):
+@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api')
+class TestIntraExtensionAuthzManagerAuthzOK(tests.TestCase):
def setUp(self):
self.useFixture(database.Database())
- super(TestIntraExtensionAuthzManagerAuthz, self).setUp()
+ super(TestIntraExtensionAuthzManagerAuthzOK, self).setUp()
self.load_backends()
self.load_fixtures(default_fixtures)
- self.manager = IntraExtensionAuthzManager()
- self.admin_manager = IntraExtensionAdminManager()
+ self.admin = create_user(self, username="admin")
+ self.demo = create_user(self, username="demo")
+ self.root_intra_extension = create_intra_extension(self, policy_model="policy_root")
+ # force re-initialization of the ADMIN_ID variable
+ from keystone.contrib.moon.core import ADMIN_ID
+ self.ADMIN_ID = ADMIN_ID
+ self.manager = self.authz_api
+ self.admin_manager = self.admin_api
def __get_key_from_value(self, value, values_dict):
return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0]
@@ -48,11 +56,13 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase):
return {
"moonlog_api": LogManager(),
"tenant_api": TenantManager(),
+ "admin_api": IntraExtensionAdminManager(),
+ "authz_api": IntraExtensionAuthzManager(),
# "resource_api": resource.Manager(),
}
def config_overrides(self):
- super(TestIntraExtensionAuthzManagerAuthz, self).config_overrides()
+ super(TestIntraExtensionAuthzManagerAuthzOK, self).config_overrides()
self.policy_directory = 'examples/moon/policies'
self.config_fixture.config(
group='moon',
@@ -61,37 +71,942 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase):
group='moon',
policy_directory=self.policy_directory)
- def create_tenant(self):
- tenant = {
- "id": uuid.uuid4().hex,
- "name": "TestIntraExtensionAuthzManager",
- "enabled": True,
- "description": "",
- "domain_id": "default"
+ def delete_admin_intra_extension(self):
+ self.manager.del_intra_extension(self.ref["id"])
+
+ def test_subjects(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
+ self.assertIsInstance(subjects, dict)
+ for key, value in subjects.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+ self.assertIn("keystone_name", value)
+ self.assertIn("keystone_id", value)
+
+ create_user(self, "subject_test")
+ new_subject = {"name": "subject_test", "description": "subject_test"}
+
+ subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject)
+ _subjects = dict(subjects)
+ self.assertEqual(len(_subjects.keys()), 1)
+ new_subject["id"] = _subjects.keys()[0]
+ value = subjects[new_subject["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_subject["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_subject["description"])
+
+ # Delete the new subject
+ self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"])
+ subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in subjects.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_subject["name"], value["name"])
+ self.assertIn("description", value)
+
+ def test_objects(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"])
+ objects_id_list = []
+ self.assertIsInstance(objects, dict)
+ for key, value in objects.iteritems():
+ objects_id_list.append(key)
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ def test_actions(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"])
+ actions_id_list = []
+ self.assertIsInstance(actions, dict)
+ for key, value in actions.iteritems():
+ actions_id_list.append(key)
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ def test_subject_categories(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"])
+ self.assertIsInstance(subject_categories, dict)
+ for key, value in subject_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"}
+
+ subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category)
+ _subject_categories = dict(subject_categories)
+ self.assertEqual(len(_subject_categories.keys()), 1)
+ new_subject_category["id"] = _subject_categories.keys()[0]
+ value = subject_categories[new_subject_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_subject_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_subject_category["description"])
+
+ # Delete the new subject_category
+ self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"])
+ subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in subject_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_subject_category["name"], value["name"])
+ self.assertIn("description", value)
+
+ def test_object_categories(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"])
+ self.assertIsInstance(object_categories, dict)
+ for key, value in object_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ new_object_category = {"name": "object_category_test", "description": "object_category_test"}
+
+ object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category)
+ _object_categories = dict(object_categories)
+ self.assertEqual(len(_object_categories.keys()), 1)
+ new_object_category["id"] = _object_categories.keys()[0]
+ value = object_categories[new_object_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_object_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_object_category["description"])
+
+ # Delete the new object_category
+
+ self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"])
+ object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in object_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_object_category["name"], value["name"])
+ self.assertIn("description", value)
+
+ def test_action_categories(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
+ self.assertIsInstance(action_categories, dict)
+ for key, value in action_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ new_action_category = {"name": "action_category_test", "description": "action_category_test"}
+
+ action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category)
+ _action_categories = dict(action_categories)
+ self.assertEqual(len(_action_categories.keys()), 1)
+ new_action_category["id"] = _action_categories.keys()[0]
+ value = action_categories[new_action_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_action_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_action_category["description"])
+
+ # Delete the new action_category
+
+ self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"])
+ action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in action_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_action_category["name"], value["name"])
+ self.assertIn("description", value)
+
+ def test_subject_category_scope(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ subject_categories = self.admin_manager.add_subject_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ {
+ "name": "country",
+ "description": "country",
+ }
+ )
+
+ for subject_category_id in subject_categories:
+
+ subject_category_scope = self.manager.get_subject_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
+ self.assertIsInstance(subject_category_scope, dict)
+ self.assertEqual({}, subject_category_scope)
+
+ new_subject_category_scope = {
+ "name": "france",
+ "description": "france",
+ }
+
+ subject_category_scope = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ new_subject_category_scope)
+ self.assertIsInstance(subject_category_scope, dict)
+ self.assertEqual(len(subject_category_scope.keys()), 1)
+ subject_category_scope_id = subject_category_scope.keys()[0]
+ subject_category_scope_value = subject_category_scope[subject_category_scope_id]
+ self.assertIn("name", subject_category_scope_value)
+ self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"])
+ self.assertIn("description", subject_category_scope_value)
+ self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"])
+
+ # Delete the new subject_category_scope
+
+ self.admin_manager.del_subject_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ subject_category_scope_id)
+ subject_category_scope = self.admin_manager.get_subject_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
+ self.assertIsInstance(subject_category_scope, dict)
+ self.assertNotIn(subject_category_scope_id, subject_category_scope.keys())
+
+ def test_object_category_scope(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ object_categories = self.admin_manager.add_object_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ {
+ "name": "country",
+ "description": "country",
+ }
+ )
+
+ for object_category_id in object_categories:
+
+ object_category_scope = self.manager.get_object_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
+ self.assertIsInstance(object_category_scope, dict)
+ self.assertEqual({}, object_category_scope)
+
+ new_object_category_scope = {
+ "name": "france",
+ "description": "france",
+ }
+
+ object_category_scope = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ new_object_category_scope)
+ self.assertIsInstance(object_category_scope, dict)
+ self.assertEqual(len(object_category_scope.keys()), 1)
+ object_category_scope_id = object_category_scope.keys()[0]
+ object_category_scope_value = object_category_scope[object_category_scope_id]
+ self.assertIn("name", object_category_scope_value)
+ self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"])
+ self.assertIn("description", object_category_scope_value)
+ self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"])
+
+ # Delete the new object_category_scope
+
+ self.admin_manager.del_object_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ object_category_scope_id)
+ object_category_scope = self.admin_manager.get_object_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
+ self.assertIsInstance(object_category_scope, dict)
+ self.assertNotIn(object_category_scope_id, object_category_scope.keys())
+
+ def test_action_category_scope(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ action_categories = self.admin_manager.add_action_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ {
+ "name": "swift",
+ "description": "swift actions",
+ }
+ )
+
+ for action_category_id in action_categories:
+
+ action_category_scope = self.manager.get_action_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
+ self.assertIsInstance(action_category_scope, dict)
+ self.assertEqual({}, action_category_scope)
+
+ new_action_category_scope = {
+ "name": "get",
+ "description": "get swift files",
+ }
+
+ action_category_scope = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ new_action_category_scope)
+ self.assertIsInstance(action_category_scope, dict)
+ self.assertEqual(len(action_category_scope.keys()), 1)
+ action_category_scope_id = action_category_scope.keys()[0]
+ action_category_scope_value = action_category_scope[action_category_scope_id]
+ self.assertIn("name", action_category_scope_value)
+ self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"])
+ self.assertIn("description", action_category_scope_value)
+ self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"])
+
+ # Delete the new action_category_scope
+
+ self.admin_manager.del_action_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ action_category_scope_id)
+ action_category_scope = self.admin_manager.get_action_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
+ self.assertIsInstance(action_category_scope, dict)
+ self.assertNotIn(action_category_scope_id, action_category_scope.keys())
+
+ def test_subject_category_assignment(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ admin_authz_subject_id, admin_authz_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ demo_authz_subject_id, demo_authz_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next()
+
+ subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
+
+ subject_categories = self.admin_manager.add_subject_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ {
+ "name": "country",
+ "description": "country",
+ }
+ )
+
+ for subject_category_id in subject_categories:
+ subject_category_scope = self.manager.get_subject_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
+ self.assertIsInstance(subject_category_scope, dict)
+ self.assertEqual({}, subject_category_scope)
+
+ new_subject_category_scope_1 = {
+ "name": "france",
+ "description": "france",
+ }
+
+ subject_category_scope_1 = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ new_subject_category_scope_1)
+ subject_category_scope_1_id = subject_category_scope_1.keys()[0]
+
+ new_subject_category_scope_2 = {
+ "name": "china",
+ "description": "china",
+ }
+
+ subject_category_scope_2 = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ new_subject_category_scope_2)
+ subject_category_scope_2_id = subject_category_scope_2.keys()[0]
+
+ subject_category_assignments = self.manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id,
+ subject_category_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual([], subject_category_assignments)
+
+ subject_category_assignments = self.manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ demo_authz_subject_id,
+ subject_category_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual([], subject_category_assignments)
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_1_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+
+ self.assertEqual(len(subject_category_assignments), 1)
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 2)
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ demo_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 1)
+
+ subject_category_assignments = self.admin_manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 2)
+
+ self.admin_manager.del_subject_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
+ subject_category_assignments = self.admin_manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 1)
+
+ def test_object_category_assignment(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"])
+
+ object_vm1_id = None
+ object_vm2_id = None
+ for _object_id in objects_dict:
+ if objects_dict[_object_id]['name'] == 'vm1':
+ object_vm1_id = _object_id
+ if objects_dict[_object_id]['name'] == 'vm2':
+ object_vm2_id = _object_id
+ if not object_vm1_id or not object_vm2_id:
+ raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)")
+
+ object_categories = self.admin_manager.add_object_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ {
+ "name": "location",
+ "description": "location",
+ }
+ )
+
+ for object_category_id in object_categories:
+ object_category_scope = self.manager.get_object_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
+ self.assertIsInstance(object_category_scope, dict)
+ self.assertEqual({}, object_category_scope)
+
+ new_object_category_scope_1 = {
+ "name": "france",
+ "description": "france",
+ }
+
+ object_category_scope_1 = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ new_object_category_scope_1)
+ object_category_scope_1_id = object_category_scope_1.keys()[0]
+
+ new_object_category_scope_2 = {
+ "name": "china",
+ "description": "china",
+ }
+
+ object_category_scope_2 = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ new_object_category_scope_2)
+ object_category_scope_2_id = object_category_scope_2.keys()[0]
+
+ object_category_assignments = self.manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id,
+ object_category_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual([], object_category_assignments)
+
+ object_category_assignments = self.manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm2_id,
+ object_category_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual([], object_category_assignments)
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_1_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+
+ self.assertEqual(len(object_category_assignments), 1)
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_2_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 2)
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm2_id, object_category_id, object_category_scope_2_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 1)
+
+ object_category_assignments = self.admin_manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 2)
+
+ self.admin_manager.del_object_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_2_id
+ )
+ object_category_assignments = self.admin_manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 1)
+
+ def test_action_category_assignment(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"])
+
+ action_upload_id = None
+ action_list_id = None
+ for _action_id in actions_dict:
+ if actions_dict[_action_id]['name'] == 'upload':
+ action_upload_id = _action_id
+ if actions_dict[_action_id]['name'] == 'list':
+ action_list_id = _action_id
+ if not action_upload_id or not action_list_id:
+ raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)")
+
+ action_categories = self.admin_manager.add_action_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ {
+ "name": "swift",
+ "description": "swift actions",
+ }
+ )
+
+ for action_category_id in action_categories:
+ action_category_scope = self.manager.get_action_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
+ self.assertIsInstance(action_category_scope, dict)
+ self.assertEqual({}, action_category_scope)
+
+ new_action_category_scope_1 = {
+ "name": "swift_admin",
+ "description": "action require admin rights",
+ }
+
+ action_category_scope_1 = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ new_action_category_scope_1)
+ action_category_scope_1_id = action_category_scope_1.keys()[0]
+
+ new_action_category_scope_2 = {
+ "name": "swift_anonymous",
+ "description": "action require no right",
+ }
+
+ action_category_scope_2 = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ new_action_category_scope_2)
+ action_category_scope_2_id = action_category_scope_2.keys()[0]
+
+ action_category_assignments = self.manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id,
+ action_category_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual([], action_category_assignments)
+
+ action_category_assignments = self.manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_list_id,
+ action_category_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual([], action_category_assignments)
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_1_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+
+ self.assertEqual(len(action_category_assignments), 1)
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_2_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 2)
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_list_id, action_category_id, action_category_scope_2_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 1)
+
+ action_category_assignments = self.admin_manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 2)
+
+ self.admin_manager.del_action_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_2_id
+ )
+ action_category_assignments = self.admin_manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 1)
+
+ def test_sub_meta_rules(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in aggregation_algorithms.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ # TODO: need more tests on aggregation_algorithms (set and del)
+
+ sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"])
+ self.assertIsInstance(sub_meta_rules, dict)
+ categories = {
+ "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]),
+ "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]),
+ "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
}
- return self.resource_api.create_project(tenant["id"], tenant)
+ for key, value in sub_meta_rules.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("action_categories", value)
+ self.assertIn("object_categories", value)
+ self.assertIn("subject_categories", value)
+ self.assertIn("algorithm", value)
+ self.assertIn("name", value)
+ for action_category_id in value["action_categories"]:
+ self.assertIn(action_category_id, categories["action_categories"])
+ for object_category_id in value["object_categories"]:
+ self.assertIn(object_category_id, categories["object_categories"])
+ for subject_category_id in value["subject_categories"]:
+ self.assertIn(subject_category_id, categories["subject_categories"])
+ # TODO: need more tests (set and del)
- def create_mapping(self, tenant, authz_uuid=None, admin_uuid=None):
+ def test_sub_rules(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"])
+ self.assertIsInstance(sub_meta_rules, dict)
+
+ for relation_id in sub_meta_rules:
+ rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id)
+ rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \
+ len(sub_meta_rules[relation_id]["object_categories"]) + \
+ len(sub_meta_rules[relation_id]["action_categories"]) + 1
+ for rule_id in rules:
+ self.assertEqual(rule_length, len(rules[rule_id]))
+ rule = list(rules[rule_id])
+ for cat, cat_func, func_name in (
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"),
+ ):
+ for cat_value in sub_meta_rules[relation_id][cat]:
+ scope = cat_func(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ cat_value
+ )
+ a_scope = rule.pop(0)
+ if type(a_scope) is not bool:
+ self.assertIn(a_scope, scope.keys())
+
+ # add a new subrule
+
+ sub_rule = []
+ for cat, cat_func, func_name in (
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"),
+ ):
+ for cat_value in sub_meta_rules[relation_id][cat]:
+ scope = cat_func(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ cat_value
+ )
+ sub_rule.append(scope.keys()[0])
+
+ sub_rule.append(False)
+
+ sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule)
+ self.assertIsInstance(sub_rules, dict)
+ self.assertIn(sub_rule, sub_rules.values())
+
+ for rule_id, rule_value in sub_rules.iteritems():
+ for cat, cat_func, func_name in (
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"),
+ ):
+ for cat_value in sub_meta_rules[relation_id][cat]:
+ scope = cat_func(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ cat_value
+ )
+ a_scope = rule_value.pop(0)
+ self.assertIn(a_scope, scope.keys())
+
+ # TODO: add test for the delete function
- mapping = self.tenant_api.set_tenant_dict(tenant["id"], tenant["name"], authz_uuid, admin_uuid)
- self.assertIsInstance(mapping, dict)
- self.assertIn("authz", mapping)
- self.assertEqual(mapping["authz"], authz_uuid)
- return mapping
- def create_user(self, username="admin"):
+@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api')
+class TestIntraExtensionAuthzManagerAuthzKO(tests.TestCase):
+
+ def setUp(self):
+ self.useFixture(database.Database())
+ super(TestIntraExtensionAuthzManagerAuthzKO, self).setUp()
+ self.load_backends()
+ self.load_fixtures(default_fixtures)
+ self.admin = create_user(self, username="admin")
+ self.demo = create_user(self, username="demo")
+ self.root_intra_extension = create_intra_extension(self, policy_model="policy_root")
+ # force re-initialization of the ADMIN_ID variable
+ from keystone.contrib.moon.core import ADMIN_ID
+ self.ADMIN_ID = ADMIN_ID
+ self.manager = self.authz_api
+ self.admin_manager = self.admin_api
- _USER = dict(USER)
- _USER["name"] = username
- return self.identity_api.create_user(_USER)
+ def __get_key_from_value(self, value, values_dict):
+ return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0]
- def create_intra_extension(self, policy_model="policy_authz"):
+ def load_extra_backends(self):
+ return {
+ "moonlog_api": LogManager(),
+ "tenant_api": TenantManager(),
+ "admin_api": IntraExtensionAdminManager(),
+ "authz_api": IntraExtensionAuthzManager(),
+ # "resource_api": resource.Manager(),
+ }
- IE["model"] = policy_model
- IE["name"] = uuid.uuid4().hex
- ref = self.admin_manager.load_intra_extension_dict(ADMIN_ID, intra_extension_dict=IE)
- self.assertIsInstance(ref, dict)
- return ref
+ def config_overrides(self):
+ super(TestIntraExtensionAuthzManagerAuthzKO, self).config_overrides()
+ self.policy_directory = 'examples/moon/policies'
+ self.config_fixture.config(
+ group='moon',
+ intraextension_driver='keystone.contrib.moon.backends.sql.IntraExtensionConnector')
+ self.config_fixture.config(
+ group='moon',
+ policy_directory=self.policy_directory)
def test_tenant_exceptions(self):
self.assertRaises(
@@ -142,137 +1057,149 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase):
def test_authz_exceptions(self):
self.assertRaises(
- IntraExtensionUnknown,
+ TenantUnknown,
self.manager.authz,
uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex
)
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ie_authz = self.create_intra_extension("policy_authz")
- ie_admin = self.create_intra_extension("policy_admin")
- mapping = self.create_mapping(tenant, ie_authz["id"], ie_admin["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
# Test when subject is unknown
self.assertRaises(
- AuthzException,
+ SubjectUnknown,
self.manager.authz,
- ie_authz["id"], uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex
+ tenant["name"], uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex
)
# Test when subject is known but not the object
- demo_user = self.create_user("demo")
- self.manager.add_subject_dict(
- admin_user['id'],
- self.ref["id"],
- demo_user["id"]
- )
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next()
+
+ # self.manager.add_subject_dict(
+ # admin_subject_id,
+ # ie_authz["id"],
+ # demo_user["id"]
+ # )
self.assertRaises(
- AuthzException,
+ ObjectUnknown,
self.manager.authz,
- ie_authz["id"], demo_user["id"], uuid.uuid4().hex, uuid.uuid4().hex
+ tenant["name"], demo_subject_dict["name"], uuid.uuid4().hex, uuid.uuid4().hex
)
# Test when subject and object are known but not the action
+ my_object = {"name": "my_object", "description": "my_object description"}
_tmp = self.manager.add_object_dict(
- admin_user['id'],
- self.ref["id"],
- "my_object"
- ).items()[0]
- my_object = {"id": _tmp[0], "name": _tmp[1]}
+ admin_subject_id,
+ authz_ie_dict["id"],
+ my_object
+ )
+ my_object["id"] = _tmp.keys()[0]
self.assertRaises(
- AuthzException,
+ ActionUnknown,
self.manager.authz,
- ie_authz["id"], demo_user["id"], my_object["id"], uuid.uuid4().hex
+ tenant["name"], demo_subject_dict["name"], my_object["name"], uuid.uuid4().hex
)
# Test when subject and object and action are known
+ my_action = {"name": "my_action", "description": "my_action description"}
_tmp = self.manager.add_action_dict(
- admin_user['id'],
- self.ref["id"],
- "my_action"
- ).items()[0]
- my_action = {"id": _tmp[0], "name": _tmp[1]}
+ admin_subject_id,
+ authz_ie_dict["id"],
+ my_action
+ )
+ my_action["id"] = _tmp.keys()[0]
self.assertRaises(
AuthzException,
self.manager.authz,
- ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"]
+ tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"]
)
# Add a subject scope and test ObjectCategoryAssignmentOutOfScope
+ my_subject_category = {"name": "my_subject_category", "description": "my_subject_category description"}
_tmp = self.manager.add_subject_category(
- admin_user['id'],
- self.ref["id"],
- "my_subject_category"
+ admin_subject_id,
+ authz_ie_dict["id"],
+ my_subject_category
)
- my_subject_category = {"id": _tmp[0], "name": _tmp[1]}
+ my_subject_category["id"] = _tmp.keys()[0]
+ my_subject_scope = {"name": "my_subject_scope", "description": "my_subject_scope description"}
_tmp = self.manager.add_subject_scope_dict(
- admin_user['id'],
- self.ref["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
my_subject_category["id"],
- "my_subject_scope",
+ my_subject_scope
)
- my_subject_scope = {"id": _tmp[0], "name": _tmp[1]}
+ my_subject_scope["id"] = _tmp.keys()[0]
self.assertRaises(
AuthzException,
self.manager.authz,
- ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"]
+ tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"]
)
# Add an object scope and test ActionCategoryAssignmentOutOfScope
+ my_object_category = {"name": "my_object_category", "description": "my_object_category description"}
_tmp = self.manager.add_object_category(
- admin_user['id'],
- self.ref["id"],
- "my_object_category"
+ admin_subject_id,
+ authz_ie_dict["id"],
+ my_object_category
)
- my_object_category = {"id": _tmp[0], "name": _tmp[1]}
+ my_object_category["id"] = _tmp.keys()[0]
+ my_object_scope = {"name": "my_object_scope", "description": "my_object_scope description"}
_tmp = self.manager.add_object_scope_dict(
- admin_user['id'],
- self.ref["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
my_object_category["id"],
- "my_object_scope",
+ my_object_scope
)
- my_object_scope = {"id": _tmp[0], "name": _tmp[1]}
+ my_object_scope["id"] = _tmp.keys()[0]
self.assertRaises(
AuthzException,
self.manager.authz,
- ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"]
+ tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"]
)
# Add an action scope and test SubjectCategoryAssignmentUnknown
+ my_action_category = {"name": "my_action_category", "description": "my_action_category description"}
_tmp = self.manager.add_action_category(
- admin_user['id'],
- self.ref["id"],
- "my_action_category"
+ admin_subject_id,
+ authz_ie_dict["id"],
+ my_action_category
)
- my_action_category = {"id": _tmp[0], "name": _tmp[1]}
+ my_action_category["id"] = _tmp.keys()[0]
+ my_action_scope = {"name": "my_action_scope", "description": "my_action_scope description"}
_tmp = self.manager.add_action_scope_dict(
- admin_user['id'],
- self.ref["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
my_action_category["id"],
- "my_action_scope",
+ my_action_scope
)
- my_action_scope = {"id": _tmp[0], "name": _tmp[1]}
+ my_action_scope["id"] = _tmp.keys()[0]
self.assertRaises(
AuthzException,
self.manager.authz,
- ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"]
+ tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"]
)
# Add a subject assignment and test ObjectCategoryAssignmentUnknown
self.manager.add_subject_assignment_list(
- admin_user['id'],
- self.ref["id"],
- demo_user["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
+ demo_subject_id,
my_subject_category["id"],
my_subject_scope["id"]
)
@@ -280,14 +1207,14 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase):
self.assertRaises(
AuthzException,
self.manager.authz,
- ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"]
+ tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"]
)
# Add an object assignment and test ActionCategoryAssignmentUnknown
self.manager.add_object_assignment_list(
- admin_user['id'],
- self.ref["id"],
- demo_user["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
+ my_object["id"],
my_object_category["id"],
my_object_scope["id"]
)
@@ -295,14 +1222,14 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase):
self.assertRaises(
AuthzException,
self.manager.authz,
- ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"]
+ tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"]
)
# Add an action assignment and test RuleUnknown
self.manager.add_action_assignment_list(
- admin_user['id'],
- self.ref["id"],
- demo_user["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
+ my_action["id"],
my_action_category["id"],
my_action_scope["id"]
)
@@ -310,828 +1237,1172 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase):
self.assertRaises(
AuthzException,
self.manager.authz,
- ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"]
+ tenant["name"], admin_subject_dict["name"], my_object["name"], my_action["name"]
)
# Add the correct rule and test that no exception is raised
my_meta_rule = {
- "relation_super": {
- "subject_categories": [my_subject_category["id"], ],
- "action_categories": [my_object_category["id"], ],
- "object_categories": [my_action_category["id"], ],
- "relation": "relation_super"
- }
+ "name": "my_meta_rule",
+ "algorithm": "test",
+ "subject_categories": [my_subject_category["id"], ],
+ "action_categories": [my_action_category["id"], ],
+ "object_categories": [my_object_category["id"], ]
}
- self.manager.get_sub_meta_rule_dict(
- admin_user['id'],
- self.ref["id"],
+ print("my_meta_rule", my_meta_rule)
+ sub_meta_rules_dict = self.manager.get_sub_meta_rules_dict(
+ admin_subject_id,
+ authz_ie_dict["id"]
+ )
+
+ self.assertRaises(
+ SubMetaRuleAlgorithmNotExisting,
+ self.manager.add_sub_meta_rule_dict,
+ admin_subject_id,
+ authz_ie_dict["id"],
my_meta_rule
)
- self.manager.set_sub_rule(
- admin_user['id'],
- self.ref["id"],
- "relation_super",
- [my_subject_scope, my_object_scope, my_action_scope]
+
+ # TODO: the next request should be called with demo_subject_id
+ # but the demo user has no right in the root intra_extension
+ algorithms = self.configuration_api.get_sub_meta_rule_algorithms_dict(admin_subject_id)
+ for algorithm_id in algorithms:
+ if algorithms[algorithm_id]["name"] == "inclusion":
+ my_meta_rule["algorithm"] = algorithm_id
+
+ sub_meta_rule = self.manager.add_sub_meta_rule_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ my_meta_rule
)
+ sub_meta_rule_id, sub_meta_rule_dict = sub_meta_rule.iteritems().next()
- result = self.manager.authz(ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"])
+ rule = self.manager.add_rule_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ sub_meta_rule_id,
+ [my_subject_scope["id"], my_action_scope["id"], my_object_scope["id"], True]
+ )
+
+ self.assertRaises(
+ AuthzException,
+ self.manager.authz,
+ tenant["name"], admin_subject_dict["name"], my_object["name"], my_action["name"]
+ )
+
+ result = self.manager.authz(tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"])
self.assertEqual(True, result)
def test_subjects(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- subjects = self.manager.get_subjects_dict(admin_user["id"], tenant["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(subjects, dict)
- self.assertIn("subjects", subjects)
- self.assertIn("id", subjects)
- self.assertIn("intra_extension_uuid", subjects)
- self.assertEqual(ref["id"], subjects["intra_extension_uuid"])
- self.assertIsInstance(subjects["subjects"], dict)
-
- new_subject = self.create_user("my_user")
- new_subjects = dict()
- new_subjects[new_subject["id"]] = new_subject["name"]
+ for key, value in subjects.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+ self.assertIn("keystone_name", value)
+ self.assertIn("keystone_id", value)
+
+ create_user(self, "subject_test")
+ new_subject = {"name": "subject_test", "description": "subject_test"}
self.assertRaises(
AuthzException,
- self.manager.set_subject_dict,
- admin_user["id"], ref["id"], new_subjects)
+ self.manager.add_subject_dict,
+ demo_subject_id, admin_ie_dict["id"], new_subject)
+
+ subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject)
+ _subjects = dict(subjects)
+ self.assertEqual(len(_subjects.keys()), 1)
+ new_subject["id"] = _subjects.keys()[0]
+ value = subjects[new_subject["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_subject["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_subject["description"])
# Delete the new subject
self.assertRaises(
AuthzException,
self.manager.del_subject,
- admin_user["id"], ref["id"], new_subject["id"])
+ demo_subject_id, authz_ie_dict["id"], new_subject["id"])
- # Add a particular subject
- self.assertRaises(
- AuthzException,
- self.manager.add_subject_dict,
- admin_user["id"], ref["id"], new_subject["id"])
+ self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"])
+ subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in subjects.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_subject["name"], value["name"])
+ self.assertIn("description", value)
def test_objects(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- objects = self.manager.get_objects_dict(admin_user["id"], tenant["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"])
+ objects_id_list = []
self.assertIsInstance(objects, dict)
- self.assertIn("objects", objects)
- self.assertIn("id", objects)
- self.assertIn("intra_extension_uuid", objects)
- self.assertEqual(ref["id"], objects["intra_extension_uuid"])
- self.assertIsInstance(objects["objects"], dict)
-
- new_object = {"id": uuid.uuid4().hex, "name": "my_object"}
- new_objects = dict()
- new_objects[new_object["id"]] = new_object["name"]
+ for key, value in objects.iteritems():
+ objects_id_list.append(key)
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ create_user(self, "subject_test")
+ new_object = {"name": "object_test", "description": "object_test"}
self.assertRaises(
AuthzException,
- self.manager.set_object_dict,
- admin_user["id"], ref["id"], new_object["id"])
+ self.manager.add_object_dict,
+ demo_subject_id, admin_ie_dict["id"], new_object)
- # Delete the new object
self.assertRaises(
- AuthzException,
- self.manager.del_object,
- admin_user["id"], ref["id"], new_object["id"])
+ ObjectsWriteNoAuthorized,
+ self.admin_manager.add_object_dict,
+ admin_subject_id, authz_ie_dict["id"], new_object
+ )
- # Add a particular object
- self.assertRaises(
- AuthzException,
- self.manager.add_object_dict,
- admin_user["id"], ref["id"], new_object["name"])
+ # Delete the new object
+ for key in objects_id_list:
+ self.assertRaises(
+ AuthzException,
+ self.manager.del_object,
+ demo_subject_id, authz_ie_dict["id"], key)
+ self.assertRaises(
+ AuthzException,
+ self.manager.del_object,
+ admin_subject_id, authz_ie_dict["id"], key)
- def test_actions(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
+ for key in objects_id_list:
+ self.assertRaises(
+ ObjectsWriteNoAuthorized,
+ self.admin_manager.del_object,
+ demo_subject_id, authz_ie_dict["id"], key)
+ self.assertRaises(
+ ObjectsWriteNoAuthorized,
+ self.admin_manager.del_object,
+ admin_subject_id, authz_ie_dict["id"], key)
- actions = self.manager.get_actions_dict(admin_user["id"], tenant["id"])
+ def test_actions(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"])
+ actions_id_list = []
self.assertIsInstance(actions, dict)
- self.assertIn("actions", actions)
- self.assertIn("id", actions)
- self.assertIn("intra_extension_uuid", actions)
- self.assertEqual(ref["id"], actions["intra_extension_uuid"])
- self.assertIsInstance(actions["actions"], dict)
-
- new_action = {"id": uuid.uuid4().hex, "name": "my_action"}
- new_actions = dict()
- new_actions[new_action["id"]] = new_action["name"]
+ for key, value in actions.iteritems():
+ actions_id_list.append(key)
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ create_user(self, "subject_test")
+ new_action = {"name": "action_test", "description": "action_test"}
self.assertRaises(
AuthzException,
- self.manager.set_action_dict,
- admin_user["id"], ref["id"], new_actions)
+ self.manager.add_action_dict,
+ demo_subject_id, admin_ie_dict["id"], new_action)
- # Delete the new action
self.assertRaises(
- AuthzException,
- self.manager.del_action,
- admin_user["id"], ref["id"], new_action["id"])
+ ActionsWriteNoAuthorized,
+ self.admin_manager.add_action_dict,
+ admin_subject_id, authz_ie_dict["id"], new_action
+ )
- # Add a particular action
- self.assertRaises(
- AuthzException,
- self.manager.add_action_dict,
- admin_user["id"], ref["id"], new_action["id"])
+ # Delete all actions
+ for key in actions_id_list:
+ self.assertRaises(
+ AuthzException,
+ self.manager.del_action,
+ demo_subject_id, authz_ie_dict["id"], key)
+ self.assertRaises(
+ AuthzException,
+ self.manager.del_action,
+ admin_subject_id, authz_ie_dict["id"], key)
- def test_subject_categories(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
+ for key in actions_id_list:
+ self.assertRaises(
+ ActionsWriteNoAuthorized,
+ self.admin_manager.del_action,
+ demo_subject_id, authz_ie_dict["id"], key)
+ self.assertRaises(
+ ActionsWriteNoAuthorized,
+ self.admin_manager.del_action,
+ admin_subject_id, authz_ie_dict["id"], key)
- subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"])
+ def test_subject_categories(self):
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"])
- self.assertIsInstance(subject_categories["subject_categories"], dict)
-
- new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"}
- new_subject_categories = dict()
- new_subject_categories[new_subject_category["id"]] = new_subject_category["name"]
+ for key, value in subject_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"}
self.assertRaises(
AuthzException,
- self.manager.set_subject_category_dict,
- admin_user["id"], ref["id"], new_subject_categories)
+ self.manager.add_subject_category,
+ demo_subject_id, admin_ie_dict["id"], new_subject_category)
+
+ subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category)
+ _subject_categories = dict(subject_categories)
+ self.assertEqual(len(_subject_categories.keys()), 1)
+ new_subject_category["id"] = _subject_categories.keys()[0]
+ value = subject_categories[new_subject_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_subject_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_subject_category["description"])
# Delete the new subject_category
self.assertRaises(
AuthzException,
self.manager.del_subject_category,
- admin_user["id"], ref["id"], new_subject_category["id"])
+ demo_subject_id, authz_ie_dict["id"], new_subject_category["id"])
- # Add a particular subject_category
- self.assertRaises(
- AuthzException,
- self.manager.add_subject_category,
- admin_user["id"], ref["id"], new_subject_category["name"])
+ self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"])
+ subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in subject_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_subject_category["name"], value["name"])
+ self.assertIn("description", value)
def test_object_categories(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- object_categories = self.manager.get_object_category_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(object_categories, dict)
- self.assertIn("object_categories", object_categories)
- self.assertIn("id", object_categories)
- self.assertIn("intra_extension_uuid", object_categories)
- self.assertEqual(ref["id"], object_categories["intra_extension_uuid"])
- self.assertIsInstance(object_categories["object_categories"], dict)
-
- new_object_category = {"id": uuid.uuid4().hex, "name": "object_category_test"}
- new_object_categories = dict()
- new_object_categories[new_object_category["id"]] = new_object_category["name"]
+ for key, value in object_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ new_object_category = {"name": "object_category_test", "description": "object_category_test"}
self.assertRaises(
AuthzException,
- self.manager.set_object_category_dict,
- admin_user["id"], ref["id"], new_object_categories)
+ self.manager.add_object_category,
+ demo_subject_id, admin_ie_dict["id"], new_object_category)
+
+ object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category)
+ _object_categories = dict(object_categories)
+ self.assertEqual(len(_object_categories.keys()), 1)
+ new_object_category["id"] = _object_categories.keys()[0]
+ value = object_categories[new_object_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_object_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_object_category["description"])
# Delete the new object_category
self.assertRaises(
AuthzException,
self.manager.del_object_category,
- admin_user["id"], ref["id"], new_object_category["id"])
+ demo_subject_id, authz_ie_dict["id"], new_object_category["id"])
- # Add a particular object_category
- self.assertRaises(
- AuthzException,
- self.manager.add_object_category,
- admin_user["id"], ref["id"], new_object_category["name"])
+ self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"])
+ object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in object_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_object_category["name"], value["name"])
+ self.assertIn("description", value)
def test_action_categories(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- action_categories = self.manager.get_action_category_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(action_categories, dict)
- self.assertIn("action_categories", action_categories)
- self.assertIn("id", action_categories)
- self.assertIn("intra_extension_uuid", action_categories)
- self.assertEqual(ref["id"], action_categories["intra_extension_uuid"])
- self.assertIsInstance(action_categories["action_categories"], dict)
-
- new_action_category = {"id": uuid.uuid4().hex, "name": "action_category_test"}
- new_action_categories = dict()
- new_action_categories[new_action_category["id"]] = new_action_category["name"]
+ for key, value in action_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ new_action_category = {"name": "action_category_test", "description": "action_category_test"}
self.assertRaises(
AuthzException,
- self.manager.set_action_category_dict,
- admin_user["id"], ref["id"], new_action_categories)
+ self.manager.add_action_category,
+ demo_subject_id, admin_ie_dict["id"], new_action_category)
+
+ action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category)
+ _action_categories = dict(action_categories)
+ self.assertEqual(len(_action_categories.keys()), 1)
+ new_action_category["id"] = _action_categories.keys()[0]
+ value = action_categories[new_action_category["id"]]
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertEqual(value["name"], new_action_category["name"])
+ self.assertIn("description", value)
+ self.assertEqual(value["description"], new_action_category["description"])
# Delete the new action_category
self.assertRaises(
AuthzException,
self.manager.del_action_category,
- admin_user["id"], ref["id"], new_action_category["id"])
+ demo_subject_id, authz_ie_dict["id"], new_action_category["id"])
- # Add a particular action_category
- self.assertRaises(
- AuthzException,
- self.manager.add_action_category,
- admin_user["id"], ref["id"], new_action_category["name"])
+ self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"])
+ action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in action_categories.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIsNot(new_action_category["name"], value["name"])
+ self.assertIn("description", value)
def test_subject_category_scope(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- subject_categories = self.admin_manager.set_subject_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ subject_categories = self.admin_manager.add_subject_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- uuid.uuid4().hex: admin_user["id"],
- uuid.uuid4().hex: "dev",
+ "name": "country",
+ "description": "country",
}
)
- for subject_category in subject_categories["subject_categories"]:
+ for subject_category_id in subject_categories:
+
subject_category_scope = self.manager.get_subject_scopes_dict(
- admin_user["id"],
- ref["id"],
- subject_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIsInstance(subject_category_scope["subject_category_scope"], dict)
-
- new_subject_category_scope = dict()
- new_subject_category_scope_uuid = uuid.uuid4().hex
- new_subject_category_scope[new_subject_category_scope_uuid] = "new_subject_category_scope"
- self.assertRaises(
- AuthzException,
- self.manager.set_subject_scope_dict,
- admin_user["id"], ref["id"], subject_category, new_subject_category_scope)
+ self.assertEqual({}, subject_category_scope)
+
+ new_subject_category_scope = {
+ "name": "france",
+ "description": "france",
+ }
- # Delete the new subject_category_scope
self.assertRaises(
AuthzException,
- self.manager.del_subject_scope,
- admin_user["id"], ref["id"], subject_category, new_subject_category_scope_uuid)
+ self.admin_manager.add_subject_scope_dict,
+ demo_subject_id, authz_ie_dict["id"], subject_category_id, new_subject_category_scope)
- # Add a particular subject_category_scope
+ subject_category_scope = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ new_subject_category_scope)
+ self.assertIsInstance(subject_category_scope, dict)
+ self.assertEqual(len(subject_category_scope.keys()), 1)
+ subject_category_scope_id = subject_category_scope.keys()[0]
+ subject_category_scope_value = subject_category_scope[subject_category_scope_id]
+ self.assertIn("name", subject_category_scope_value)
+ self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"])
+ self.assertIn("description", subject_category_scope_value)
+ self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"])
+
+ # Delete the new subject_category_scope
self.assertRaises(
AuthzException,
- self.manager.add_subject_scope_dict,
- admin_user["id"], ref["id"], subject_category, new_subject_category_scope[new_subject_category_scope_uuid])
+ self.admin_manager.del_subject_scope,
+ demo_subject_id, authz_ie_dict["id"], subject_category_id, subject_category_scope_id)
+
+ self.admin_manager.del_subject_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ subject_category_scope_id)
+ subject_category_scope = self.admin_manager.get_subject_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
+ self.assertIsInstance(subject_category_scope, dict)
+ self.assertNotIn(subject_category_scope_id, subject_category_scope.keys())
def test_object_category_scope(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- object_categories = self.admin_manager.set_object_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ object_categories = self.admin_manager.add_object_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- uuid.uuid4().hex: "id",
- uuid.uuid4().hex: "domain",
+ "name": "country",
+ "description": "country",
}
)
- for object_category in object_categories["object_categories"]:
+ for object_category_id in object_categories:
+
object_category_scope = self.manager.get_object_scopes_dict(
- admin_user["id"],
- ref["id"],
- object_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIsInstance(object_category_scope["object_category_scope"], dict)
-
- new_object_category_scope = dict()
- new_object_category_scope_uuid = uuid.uuid4().hex
- new_object_category_scope[new_object_category_scope_uuid] = "new_object_category_scope"
- self.assertRaises(
- AuthzException,
- self.manager.set_object_scope_dict,
- admin_user["id"], ref["id"], object_category, new_object_category_scope)
+ self.assertEqual({}, object_category_scope)
+
+ new_object_category_scope = {
+ "name": "france",
+ "description": "france",
+ }
- # Delete the new object_category_scope
self.assertRaises(
AuthzException,
- self.manager.del_object_scope,
- admin_user["id"], ref["id"], object_category, new_object_category_scope_uuid)
+ self.admin_manager.add_object_scope_dict,
+ demo_subject_id, authz_ie_dict["id"], object_category_id, new_object_category_scope)
+
+ object_category_scope = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ new_object_category_scope)
+ self.assertIsInstance(object_category_scope, dict)
+ self.assertEqual(len(object_category_scope.keys()), 1)
+ object_category_scope_id = object_category_scope.keys()[0]
+ object_category_scope_value = object_category_scope[object_category_scope_id]
+ self.assertIn("name", object_category_scope_value)
+ self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"])
+ self.assertIn("description", object_category_scope_value)
+ self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"])
- # Add a particular object_category_scope
+ # Delete the new object_category_scope
self.assertRaises(
AuthzException,
- self.manager.add_object_scope_dict,
- admin_user["id"], ref["id"], object_category, new_object_category_scope[new_object_category_scope_uuid])
+ self.admin_manager.del_object_scope,
+ demo_subject_id, authz_ie_dict["id"], object_category_id, object_category_scope_id)
+
+ self.admin_manager.del_object_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ object_category_scope_id)
+ object_category_scope = self.admin_manager.get_object_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
+ self.assertIsInstance(object_category_scope, dict)
+ self.assertNotIn(object_category_scope_id, object_category_scope.keys())
def test_action_category_scope(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- action_categories = self.admin_manager.set_action_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ action_categories = self.admin_manager.add_action_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- uuid.uuid4().hex: "compute",
- uuid.uuid4().hex: "identity",
+ "name": "swift",
+ "description": "swift actions",
}
)
- for action_category in action_categories["action_categories"]:
+ for action_category_id in action_categories:
+
action_category_scope = self.manager.get_action_scopes_dict(
- admin_user["id"],
- ref["id"],
- action_category)
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIsInstance(action_category_scope["action_category_scope"], dict)
-
- new_action_category_scope = dict()
- new_action_category_scope_uuid = uuid.uuid4().hex
- new_action_category_scope[new_action_category_scope_uuid] = "new_action_category_scope"
- self.assertRaises(
- AuthzException,
- self.manager.set_action_scope_dict,
- admin_user["id"], ref["id"], action_category, new_action_category_scope)
+ self.assertEqual({}, action_category_scope)
+
+ new_action_category_scope = {
+ "name": "get",
+ "description": "get swift files",
+ }
- # Delete the new action_category_scope
self.assertRaises(
AuthzException,
- self.manager.del_action_scope,
- admin_user["id"], ref["id"], action_category, new_action_category_scope_uuid)
+ self.admin_manager.add_action_scope_dict,
+ demo_subject_id, authz_ie_dict["id"], action_category_id, new_action_category_scope)
- # Add a particular action_category_scope
+ action_category_scope = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ new_action_category_scope)
+ self.assertIsInstance(action_category_scope, dict)
+ self.assertEqual(len(action_category_scope.keys()), 1)
+ action_category_scope_id = action_category_scope.keys()[0]
+ action_category_scope_value = action_category_scope[action_category_scope_id]
+ self.assertIn("name", action_category_scope_value)
+ self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"])
+ self.assertIn("description", action_category_scope_value)
+ self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"])
+
+ # Delete the new action_category_scope
self.assertRaises(
AuthzException,
- self.manager.add_action_scope_dict,
- admin_user["id"], ref["id"], action_category, new_action_category_scope[new_action_category_scope_uuid])
+ self.admin_manager.del_action_scope,
+ demo_subject_id, authz_ie_dict["id"], action_category_id, action_category_scope_id)
+
+ self.admin_manager.del_action_scope(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ action_category_scope_id)
+ action_category_scope = self.admin_manager.get_action_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
+ self.assertIsInstance(action_category_scope, dict)
+ self.assertNotIn(action_category_scope_id, action_category_scope.keys())
def test_subject_category_assignment(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- new_subject = self.create_user()
- new_subjects = dict()
- new_subjects[new_subject["id"]] = new_subject["name"]
- subjects = self.admin_manager.set_subject_dict(admin_user["id"], ref["id"], new_subjects)
-
- new_subject_category_uuid = uuid.uuid4().hex
- new_subject_category_value = "role"
- subject_categories = self.admin_manager.set_subject_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ admin_authz_subject_id, admin_authz_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+ demo_authz_subject_id, demo_authz_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next()
+
+ subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"])
+
+ subject_categories = self.admin_manager.add_subject_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- new_subject_category_uuid: new_subject_category_value
+ "name": "country",
+ "description": "country",
}
)
- for subject_category in subject_categories["subject_categories"]:
- subject_category_scope = self.admin_manager.get_subject_scopes_dict(
- admin_user["id"],
- ref["id"],
- subject_category)
- self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIsInstance(subject_category_scope["subject_category_scope"], dict)
-
- new_subject_category_scope = dict()
- new_subject_category_scope_uuid = uuid.uuid4().hex
- new_subject_category_scope[new_subject_category_scope_uuid] = admin_user["id"]
- subject_category_scope = self.admin_manager.set_subject_scope_dict(
- admin_user["id"],
- ref["id"],
- subject_category,
- new_subject_category_scope)
- self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid],
- subject_category_scope["subject_category_scope"][subject_category].values())
-
- new_subject_category_scope2 = dict()
- new_subject_category_scope2_uuid = uuid.uuid4().hex
- new_subject_category_scope2[new_subject_category_scope2_uuid] = "dev"
- subject_category_scope = self.admin_manager.set_subject_scope_dict(
- admin_user["id"],
- ref["id"],
- subject_category,
- new_subject_category_scope2)
+ for subject_category_id in subject_categories:
+ subject_category_scope = self.manager.get_subject_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id)
self.assertIsInstance(subject_category_scope, dict)
- self.assertIn("subject_category_scope", subject_category_scope)
- self.assertIn("id", subject_category_scope)
- self.assertIn("intra_extension_uuid", subject_category_scope)
- self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"])
- self.assertIn(new_subject_category_scope2[new_subject_category_scope2_uuid],
- subject_category_scope["subject_category_scope"][subject_category].values())
-
- subject_category_assignments = self.manager.get_subject_assignment_dict(
- admin_user["id"],
- ref["id"],
- new_subject["id"]
+ self.assertEqual({}, subject_category_scope)
+
+ new_subject_category_scope_1 = {
+ "name": "france",
+ "description": "france",
+ }
+
+ subject_category_scope_1 = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ new_subject_category_scope_1)
+ subject_category_scope_1_id = subject_category_scope_1.keys()[0]
+
+ new_subject_category_scope_2 = {
+ "name": "china",
+ "description": "china",
+ }
+
+ subject_category_scope_2 = self.admin_manager.add_subject_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ subject_category_id,
+ new_subject_category_scope_2)
+ subject_category_scope_2_id = subject_category_scope_2.keys()[0]
+
+ subject_category_assignments = self.manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id,
+ subject_category_id
)
- self.assertIsInstance(subject_category_assignments, dict)
- self.assertIn("subject_category_assignments", subject_category_assignments)
- self.assertIn("id", subject_category_assignments)
- self.assertIn("intra_extension_uuid", subject_category_assignments)
- self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"])
- self.assertEqual({}, subject_category_assignments["subject_category_assignments"][new_subject["id"]])
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual([], subject_category_assignments)
+
+ subject_category_assignments = self.manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ demo_authz_subject_id,
+ subject_category_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual([], subject_category_assignments)
self.assertRaises(
AuthzException,
- self.manager.set_subject_assignment_dict,
- admin_user["id"], ref["id"], new_subject["id"],
- {
- new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid],
- })
+ self.manager.add_subject_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_1_id
+ )
self.assertRaises(
AuthzException,
- self.manager.del_subject_assignment,
- admin_user["id"], ref["id"], new_subject["id"],
- new_subject_category_uuid,
- new_subject_category_scope_uuid)
+ self.manager.add_subject_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ demo_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_1_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+
+ self.assertEqual(len(subject_category_assignments), 1)
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 2)
+
+ subject_category_assignments = self.admin_manager.add_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ demo_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 1)
+
+ subject_category_assignments = self.admin_manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 2)
self.assertRaises(
AuthzException,
- self.manager.add_subject_assignment_list,
- admin_user["id"], ref["id"], new_subject["id"],
- new_subject_category_uuid,
- new_subject_category_scope_uuid)
+ self.admin_manager.del_subject_assignment,
+ demo_subject_id, authz_ie_dict["id"],
+ demo_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
+
+ self.admin_manager.del_subject_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
+ subject_category_assignments = self.admin_manager.get_subject_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id
+ )
+ self.assertIsInstance(subject_category_assignments, list)
+ self.assertEqual(len(subject_category_assignments), 1)
+
+ self.assertRaises(
+ SubjectAssignmentUnknown,
+ self.admin_manager.del_subject_assignment,
+ admin_subject_id,
+ authz_ie_dict["id"],
+ admin_authz_subject_id, subject_category_id, subject_category_scope_2_id
+ )
def test_object_category_assignment(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- new_object = {"id": uuid.uuid4().hex, "name": "my_object"}
- new_objects = dict()
- new_objects[new_object["id"]] = new_object["name"]
- objects = self.admin_manager.set_object_dict(admin_user["id"], ref["id"], new_objects)
-
- new_object_category_uuid = uuid.uuid4().hex
- new_object_category_value = "role"
- object_categories = self.admin_manager.set_object_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"])
+
+ object_vm1_id = None
+ object_vm2_id = None
+ for _object_id in objects_dict:
+ if objects_dict[_object_id]['name'] == 'vm1':
+ object_vm1_id = _object_id
+ if objects_dict[_object_id]['name'] == 'vm2':
+ object_vm2_id = _object_id
+ if not object_vm1_id or not object_vm2_id:
+ raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)")
+
+ object_categories = self.admin_manager.add_object_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- new_object_category_uuid: new_object_category_value
+ "name": "location",
+ "description": "location",
}
)
- for object_category in object_categories["object_categories"]:
- object_category_scope = self.admin_manager.get_object_scopes_dict(
- admin_user["id"],
- ref["id"],
- object_category)
- self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIsInstance(object_category_scope["object_category_scope"], dict)
-
- new_object_category_scope = dict()
- new_object_category_scope_uuid = uuid.uuid4().hex
- new_object_category_scope[new_object_category_scope_uuid] = admin_user["id"]
- object_category_scope = self.admin_manager.set_object_scope_dict(
- admin_user["id"],
- ref["id"],
- object_category,
- new_object_category_scope)
- self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIn(new_object_category_scope[new_object_category_scope_uuid],
- object_category_scope["object_category_scope"][object_category].values())
-
- new_object_category_scope2 = dict()
- new_object_category_scope2_uuid = uuid.uuid4().hex
- new_object_category_scope2[new_object_category_scope2_uuid] = "dev"
- object_category_scope = self.admin_manager.set_object_scope_dict(
- admin_user["id"],
- ref["id"],
- object_category,
- new_object_category_scope2)
+ for object_category_id in object_categories:
+ object_category_scope = self.manager.get_object_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id)
self.assertIsInstance(object_category_scope, dict)
- self.assertIn("object_category_scope", object_category_scope)
- self.assertIn("id", object_category_scope)
- self.assertIn("intra_extension_uuid", object_category_scope)
- self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"])
- self.assertIn(new_object_category_scope2[new_object_category_scope2_uuid],
- object_category_scope["object_category_scope"][object_category].values())
+ self.assertEqual({}, object_category_scope)
+
+ new_object_category_scope_1 = {
+ "name": "france",
+ "description": "france",
+ }
+
+ object_category_scope_1 = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ new_object_category_scope_1)
+ object_category_scope_1_id = object_category_scope_1.keys()[0]
+
+ new_object_category_scope_2 = {
+ "name": "china",
+ "description": "china",
+ }
+
+ object_category_scope_2 = self.admin_manager.add_object_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_category_id,
+ new_object_category_scope_2)
+ object_category_scope_2_id = object_category_scope_2.keys()[0]
object_category_assignments = self.manager.get_object_assignment_list(
- admin_user["id"],
- ref["id"],
- new_object["id"]
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id,
+ object_category_id
)
- self.assertIsInstance(object_category_assignments, dict)
- self.assertIn("object_category_assignments", object_category_assignments)
- self.assertIn("id", object_category_assignments)
- self.assertIn("intra_extension_uuid", object_category_assignments)
- self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"])
- self.assertEqual({}, object_category_assignments["object_category_assignments"][new_object["id"]])
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual([], object_category_assignments)
+
+ object_category_assignments = self.manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm2_id,
+ object_category_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual([], object_category_assignments)
self.assertRaises(
AuthzException,
- self.manager.set_object_category_assignment_dict,
- admin_user["id"], ref["id"], new_object["id"],
- {
- new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid],
- })
+ self.manager.add_object_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_1_id
+ )
self.assertRaises(
AuthzException,
- self.manager.del_object_assignment,
- admin_user["id"], ref["id"], new_object["id"],
- new_object_category_uuid,
- new_object_category_scope_uuid)
+ self.manager.add_object_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ object_vm2_id, object_category_id, object_category_scope_2_id
+ )
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_1_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+
+ self.assertEqual(len(object_category_assignments), 1)
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_2_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 2)
+
+ object_category_assignments = self.admin_manager.add_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm2_id, object_category_id, object_category_scope_2_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 1)
+
+ object_category_assignments = self.admin_manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 2)
self.assertRaises(
AuthzException,
- self.manager.add_object_assignment_list,
- admin_user["id"], ref["id"], new_object["id"],
- new_object_category_uuid,
- new_object_category_scope_uuid)
+ self.admin_manager.del_object_assignment,
+ demo_subject_id, authz_ie_dict["id"],
+ object_vm2_id, object_category_id, object_category_scope_2_id
+ )
+
+ self.admin_manager.del_object_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_2_id
+ )
+ object_category_assignments = self.admin_manager.get_object_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id
+ )
+ self.assertIsInstance(object_category_assignments, list)
+ self.assertEqual(len(object_category_assignments), 1)
+
+ self.assertRaises(
+ ObjectAssignmentUnknown,
+ self.admin_manager.del_object_assignment,
+ admin_subject_id,
+ authz_ie_dict["id"],
+ object_vm1_id, object_category_id, object_category_scope_2_id
+ )
def test_action_category_assignment(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- new_action = {"id": uuid.uuid4().hex, "name": "my_action"}
- new_actions = dict()
- new_actions[new_action["id"]] = new_action["name"]
- actions = self.admin_manager.set_action_dict(admin_user["id"], ref["id"], new_actions)
-
- new_action_category_uuid = uuid.uuid4().hex
- new_action_category_value = "role"
- action_categories = self.admin_manager.set_action_category_dict(
- admin_user["id"],
- ref["id"],
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"])
+
+ action_upload_id = None
+ action_list_id = None
+ for _action_id in actions_dict:
+ if actions_dict[_action_id]['name'] == 'upload':
+ action_upload_id = _action_id
+ if actions_dict[_action_id]['name'] == 'list':
+ action_list_id = _action_id
+ if not action_upload_id or not action_list_id:
+ raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)")
+
+ action_categories = self.admin_manager.add_action_category(
+ admin_subject_id,
+ authz_ie_dict["id"],
{
- new_action_category_uuid: new_action_category_value
+ "name": "swift",
+ "description": "swift actions",
}
)
- for action_category in action_categories["action_categories"]:
- action_category_scope = self.admin_manager.get_action_scopes_dict(
- admin_user["id"],
- ref["id"],
- action_category)
- self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIsInstance(action_category_scope["action_category_scope"], dict)
-
- new_action_category_scope = dict()
- new_action_category_scope_uuid = uuid.uuid4().hex
- new_action_category_scope[new_action_category_scope_uuid] = admin_user["id"]
- action_category_scope = self.admin_manager.set_action_scope_dict(
- admin_user["id"],
- ref["id"],
- action_category,
- new_action_category_scope)
- self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIn(new_action_category_scope[new_action_category_scope_uuid],
- action_category_scope["action_category_scope"][action_category].values())
-
- new_action_category_scope2 = dict()
- new_action_category_scope2_uuid = uuid.uuid4().hex
- new_action_category_scope2[new_action_category_scope2_uuid] = "dev"
- action_category_scope = self.admin_manager.set_action_scope_dict(
- admin_user["id"],
- ref["id"],
- action_category,
- new_action_category_scope2)
+ for action_category_id in action_categories:
+ action_category_scope = self.manager.get_action_scopes_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id)
self.assertIsInstance(action_category_scope, dict)
- self.assertIn("action_category_scope", action_category_scope)
- self.assertIn("id", action_category_scope)
- self.assertIn("intra_extension_uuid", action_category_scope)
- self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"])
- self.assertIn(new_action_category_scope2[new_action_category_scope2_uuid],
- action_category_scope["action_category_scope"][action_category].values())
+ self.assertEqual({}, action_category_scope)
+
+ new_action_category_scope_1 = {
+ "name": "swift_admin",
+ "description": "action require admin rights",
+ }
+
+ action_category_scope_1 = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ new_action_category_scope_1)
+ action_category_scope_1_id = action_category_scope_1.keys()[0]
+
+ new_action_category_scope_2 = {
+ "name": "swift_anonymous",
+ "description": "action require no right",
+ }
+
+ action_category_scope_2 = self.admin_manager.add_action_scope_dict(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_category_id,
+ new_action_category_scope_2)
+ action_category_scope_2_id = action_category_scope_2.keys()[0]
action_category_assignments = self.manager.get_action_assignment_list(
- admin_user["id"],
- ref["id"],
- new_action["id"]
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id,
+ action_category_id
)
- self.assertIsInstance(action_category_assignments, dict)
- self.assertIn("action_category_assignments", action_category_assignments)
- self.assertIn("id", action_category_assignments)
- self.assertIn("intra_extension_uuid", action_category_assignments)
- self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"])
- self.assertEqual({}, action_category_assignments["action_category_assignments"][new_action["id"]])
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual([], action_category_assignments)
+
+ action_category_assignments = self.manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_list_id,
+ action_category_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual([], action_category_assignments)
self.assertRaises(
AuthzException,
- self.manager.set_action_assignment_dict,
- admin_user["id"], ref["id"], new_action["id"],
- {
- new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid],
- })
+ self.manager.add_action_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_1_id
+ )
+
+ self.assertRaises(
+ AuthzException,
+ self.manager.add_action_assignment_list,
+ demo_subject_id, authz_ie_dict["id"],
+ action_list_id, action_category_id, action_category_scope_2_id
+ )
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_1_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+
+ self.assertEqual(len(action_category_assignments), 1)
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_2_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 2)
+
+ action_category_assignments = self.admin_manager.add_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_list_id, action_category_id, action_category_scope_2_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 1)
+
+ action_category_assignments = self.admin_manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 2)
self.assertRaises(
AuthzException,
- self.manager.del_action_assignment,
- admin_user["id"], ref["id"], new_action["id"],
- new_action_category_uuid,
- new_action_category_scope_uuid)
+ self.admin_manager.del_action_assignment,
+ demo_subject_id, authz_ie_dict["id"],
+ action_list_id, action_category_id, action_category_scope_2_id
+ )
+
+ self.admin_manager.del_action_assignment(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_2_id
+ )
+ action_category_assignments = self.admin_manager.get_action_assignment_list(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id
+ )
+ self.assertIsInstance(action_category_assignments, list)
+ self.assertEqual(len(action_category_assignments), 1)
self.assertRaises(
- ActionCategoryAssignmentAddNotAuthorized,
- self.manager.add_action_assignment_list,
- admin_user["id"], ref["id"], new_action["id"],
- new_action_category_uuid,
- new_action_category_scope_uuid)
+ ActionAssignmentUnknown,
+ self.admin_manager.del_action_assignment,
+ admin_subject_id,
+ authz_ie_dict["id"],
+ action_upload_id, action_category_id, action_category_scope_2_id
+ )
def test_sub_meta_rules(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- aggregation_algorithms = self.manager.get_aggregation_algorithms(admin_user["id"], ref["id"])
- self.assertIsInstance(aggregation_algorithms, dict)
- self.assertIsInstance(aggregation_algorithms["aggregation_algorithms"], list)
- self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"])
- self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"])
-
- aggregation_algorithm = self.manager.get_aggregation_algorithm_dict(admin_user["id"], ref["id"])
- self.assertIsInstance(aggregation_algorithm, dict)
- self.assertIn("aggregation", aggregation_algorithm)
- self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"])
-
- _aggregation_algorithm = list(aggregation_algorithms["aggregation_algorithms"])
- _aggregation_algorithm.remove(aggregation_algorithm["aggregation"])
- self.assertRaises(
- AuthzException,
- self.manager.set_aggregation_algorithm_dict,
- admin_user["id"], ref["id"], _aggregation_algorithm[0])
-
- sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"])
+ for key, value in aggregation_algorithms.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("name", value)
+ self.assertIn("description", value)
+
+ # TODO: need more tests on aggregation_algorithms (set and del)
+
+ sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(sub_meta_rules, dict)
- self.assertIn("sub_meta_rules", sub_meta_rules)
- sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, ref["model"], "metarule.json")))
- metarule = dict()
categories = {
- "subject_categories": self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]),
- "object_categories": self.manager.get_object_category_dict(admin_user["id"], ref["id"]),
- "action_categories": self.manager.get_action_category_dict(admin_user["id"], ref["id"])
+ "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]),
+ "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]),
+ "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"])
}
- for relation in sub_meta_rules_conf["sub_meta_rules"]:
- metarule[relation] = dict()
- for item in ("subject_categories", "object_categories", "action_categories"):
- metarule[relation][item] = list()
- for element in sub_meta_rules_conf["sub_meta_rules"][relation][item]:
- metarule[relation][item].append(self.__get_key_from_value(
- element,
- categories[item][item]
- ))
-
- for relation in sub_meta_rules["sub_meta_rules"]:
- self.assertIn(relation, metarule)
- for item in ("subject_categories", "object_categories", "action_categories"):
- self.assertEqual(
- sub_meta_rules["sub_meta_rules"][relation][item],
- metarule[relation][item]
- )
-
- new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"}
- # Add a particular subject_category
- data = self.admin_manager.add_subject_category(
- admin_user["id"],
- ref["id"],
- new_subject_category["name"])
- new_subject_category["id"] = data["subject_category"]["uuid"]
- subject_categories = self.manager.get_subject_categories_dict(
- admin_user["id"],
- ref["id"])
- self.assertIsInstance(subject_categories, dict)
- self.assertIn("subject_categories", subject_categories)
- self.assertIn("id", subject_categories)
- self.assertIn("intra_extension_uuid", subject_categories)
- self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"])
- self.assertIn(new_subject_category["id"], subject_categories["subject_categories"])
- metarule[relation]["subject_categories"].append(new_subject_category["id"])
- self.assertRaises(
- AuthzException,
- self.manager.get_sub_meta_rule_dict,
- admin_user["id"], ref["id"], metarule)
+ for key, value in sub_meta_rules.iteritems():
+ self.assertIsInstance(value, dict)
+ self.assertIn("action_categories", value)
+ self.assertIn("object_categories", value)
+ self.assertIn("subject_categories", value)
+ self.assertIn("algorithm", value)
+ self.assertIn("name", value)
+ for action_category_id in value["action_categories"]:
+ self.assertIn(action_category_id, categories["action_categories"])
+ for object_category_id in value["object_categories"]:
+ self.assertIn(object_category_id, categories["object_categories"])
+ for subject_category_id in value["subject_categories"]:
+ self.assertIn(subject_category_id, categories["subject_categories"])
+ # TODO: need more tests (set and del)
def test_sub_rules(self):
- demo_user = self.create_user("demo")
- admin_user = self.create_user()
- tenant = self.create_tenant()
- ref = self.create_intra_extension("policy_authz")
- ref_admin = self.create_intra_extension("policy_admin")
- self.create_mapping(tenant, ref["id"], ref_admin["id"])
-
- sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"])
+ authz_ie_dict = create_intra_extension(self, "policy_authz")
+ admin_ie_dict = create_intra_extension(self, "policy_admin")
+ tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id'])
+
+ admin_subject_id, admin_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next()
+ demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"],
+ {"name": "demo", "description": "demo"})
+ demo_subject_id, demo_subject_dict = \
+ self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next()
+
+ sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"])
self.assertIsInstance(sub_meta_rules, dict)
- self.assertIn("sub_meta_rules", sub_meta_rules)
-
- sub_rules = self.manager.get_sub_rules(admin_user["id"], ref["id"])
- self.assertIsInstance(sub_rules, dict)
- self.assertIn("rules", sub_rules)
- rules = dict()
- for relation in sub_rules["rules"]:
- self.assertIn(relation, self.manager.get_sub_meta_rule_relations(admin_user["id"], ref["id"])["sub_meta_rule_relations"])
- rules[relation] = list()
- for rule in sub_rules["rules"][relation]:
+
+ for relation_id in sub_meta_rules:
+ rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id)
+ rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \
+ len(sub_meta_rules[relation_id]["object_categories"]) + \
+ len(sub_meta_rules[relation_id]["action_categories"]) + 1
+ for rule_id in rules:
+ self.assertEqual(rule_length, len(rules[rule_id]))
+ rule = list(rules[rule_id])
for cat, cat_func, func_name in (
- ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"),
- ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"),
- ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"),
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"),
):
- for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]:
+ for cat_value in sub_meta_rules[relation_id][cat]:
scope = cat_func(
- admin_user["id"],
- ref["id"],
+ admin_subject_id,
+ authz_ie_dict["id"],
cat_value
)
a_scope = rule.pop(0)
- self.assertIn(a_scope, scope[func_name][cat_value])
-
- # add a new subrule
-
- relation = sub_rules["rules"].keys()[0]
- sub_rule = []
- for cat, cat_func, func_name in (
- ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"),
- ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"),
- ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"),
- ):
- for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]:
- scope = cat_func(
- admin_user["id"],
- ref["id"],
- cat_value
- )
- sub_rule.append(scope[func_name][cat_value].keys()[0])
+ if type(a_scope) is not bool:
+ self.assertIn(a_scope, scope.keys())
+
+ # add a new subrule
+
+ sub_rule = []
+ for cat, cat_func, func_name in (
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"),
+ ):
+ for cat_value in sub_meta_rules[relation_id][cat]:
+ scope = cat_func(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ cat_value
+ )
+ sub_rule.append(scope.keys()[0])
+
+ sub_rule.append(False)
+ self.assertRaises(
+ AuthzException,
+ self.admin_manager.add_rule_dict,
+ demo_subject_id, authz_ie_dict["id"], relation_id, sub_rule
+ )
- self.assertRaises(
- AuthzException,
- self.manager.set_sub_rule,
- admin_user["id"], ref["id"], relation, sub_rule)
+ sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule)
+ self.assertIsInstance(sub_rules, dict)
+ self.assertIn(sub_rule, sub_rules.values())
+
+ for rule_id, rule_value in sub_rules.iteritems():
+ for cat, cat_func, func_name in (
+ ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"),
+ ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"),
+ ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"),
+ ):
+ for cat_value in sub_meta_rules[relation_id][cat]:
+ scope = cat_func(
+ admin_subject_id,
+ authz_ie_dict["id"],
+ cat_value
+ )
+ a_scope = rule_value.pop(0)
+ self.assertIn(a_scope, scope.keys())
+ # TODO: add test for the delete function
diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py
index aa584a65..17e70018 100644
--- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py
+++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py
@@ -17,7 +17,7 @@ from keystone import resource
from keystone.contrib.moon.exception import *
from keystone.tests.unit import default_fixtures
from keystone.contrib.moon.core import LogManager, TenantManager
-from keystone.contrib.moon.core import DEFAULT_USER_ID
+from keystone.contrib.moon.core import ADMIN_ID
CONF = cfg.CONF
@@ -35,6 +35,7 @@ IE = {
TIME_FORMAT = '%Y-%m-%d-%H:%M:%S'
+@dependency.requires('admin_api', 'tenant_api', 'configuration_api')
class TestIntraExtensionAdminManager(tests.TestCase):
def setUp(self):
@@ -42,6 +43,12 @@ class TestIntraExtensionAdminManager(tests.TestCase):
super(TestIntraExtensionAdminManager, self).setUp()
self.load_backends()
self.load_fixtures(default_fixtures)
+ self.admin = self.create_user(username="admin")
+ self.demo = self.create_user(username="demo")
+ self.root_intra_extension = self.create_intra_extension(policy_model="policy_root")
+ # force re-initialization of the ADMIN_ID variable
+ from keystone.contrib.moon.core import ADMIN_ID
+ self.ADMIN_ID = ADMIN_ID
self.manager = IntraExtensionAdminManager()
def __get_key_from_value(self, value, values_dict):
@@ -68,7 +75,7 @@ class TestIntraExtensionAdminManager(tests.TestCase):
# Create the admin user because IntraExtension needs it
self.admin = self.identity_api.create_user(USER_ADMIN)
IE["policymodel"] = policy_model
- self.ref = self.manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE)
+ self.ref = self.manager.load_intra_extension_dict(ADMIN_ID, intra_extension_dict=IE)
self.assertIsInstance(self.ref, dict)
self.create_tenant(self.ref["id"])
diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py
index 6d656488..995b6a54 100644
--- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py
+++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py
@@ -30,7 +30,7 @@ IE = {
"description": "a simple description."
}
-@dependency.requires('admin_api')
+@dependency.requires('admin_api', 'tenant_api', 'configuration_api')
class TestTenantManager(tests.TestCase):
ADMIN_ID = None
@@ -45,8 +45,8 @@ class TestTenantManager(tests.TestCase):
# force re-initialization of the ADMIN_ID variable
from keystone.contrib.moon.core import ADMIN_ID
self.ADMIN_ID = ADMIN_ID
- self.manager = TenantManager()
- self.configuration_api = ConfigurationManager()
+ self.manager = self.tenant_api
+ # self.configuration_api = self.configuration_api
# self.configuration_api.init_default_variables()
def load_extra_backends(self):
@@ -95,20 +95,20 @@ class TestTenantManager(tests.TestCase):
"id": uuid.uuid4().hex,
"name": "demo",
"description": uuid.uuid4().hex,
- "intra_authz_extension": authz_intra_extension['id'],
- "intra_admin_extension": admin_intra_extension['id'],
+ "intra_authz_extension_id": authz_intra_extension['id'],
+ "intra_admin_extension_id": admin_intra_extension['id'],
}
data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant)
self.assertEquals(new_tenant["id"], data["id"])
self.assertEquals(new_tenant["name"], data['tenant']["name"])
- self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"])
- self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"])
+ self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"])
data = self.manager.get_tenants_dict(self.ADMIN_ID)
self.assertNotEqual(data, {})
- data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_authz_extension"])
- self.assertEquals(new_tenant["intra_authz_extension"], data["id"])
- data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_admin_extension"])
- self.assertEquals(new_tenant["intra_admin_extension"], data["id"])
+ data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_authz_extension_id"])
+ self.assertEquals(new_tenant["intra_authz_extension_id"], data["id"])
+ data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_admin_extension_id"])
+ self.assertEquals(new_tenant["intra_admin_extension_id"], data["id"])
def test_del_tenant(self):
authz_intra_extension = self.create_intra_extension(policy_model="policy_authz")
@@ -117,14 +117,14 @@ class TestTenantManager(tests.TestCase):
"id": uuid.uuid4().hex,
"name": "demo",
"description": uuid.uuid4().hex,
- "intra_authz_extension": authz_intra_extension['id'],
- "intra_admin_extension": admin_intra_extension['id'],
+ "intra_authz_extension_id": authz_intra_extension['id'],
+ "intra_admin_extension_id": admin_intra_extension['id'],
}
data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant)
self.assertEquals(new_tenant["id"], data["id"])
self.assertEquals(new_tenant["name"], data['tenant']["name"])
- self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"])
- self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"])
+ self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"])
data = self.manager.get_tenants_dict(self.ADMIN_ID)
self.assertNotEqual(data, {})
self.manager.del_tenant(self.ADMIN_ID, new_tenant["id"])
@@ -138,14 +138,14 @@ class TestTenantManager(tests.TestCase):
"id": uuid.uuid4().hex,
"name": "demo",
"description": uuid.uuid4().hex,
- "intra_authz_extension": authz_intra_extension['id'],
- "intra_admin_extension": admin_intra_extension['id'],
+ "intra_authz_extension_id": authz_intra_extension['id'],
+ "intra_admin_extension_id": admin_intra_extension['id'],
}
data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant)
self.assertEquals(new_tenant["id"], data["id"])
self.assertEquals(new_tenant["name"], data['tenant']["name"])
- self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"])
- self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"])
+ self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"])
data = self.manager.get_tenants_dict(self.ADMIN_ID)
self.assertNotEqual(data, {})
@@ -153,8 +153,8 @@ class TestTenantManager(tests.TestCase):
data = self.manager.set_tenant_dict(user_id=self.ADMIN_ID, tenant_id=new_tenant["id"], tenant_dict=new_tenant)
self.assertEquals(new_tenant["id"], data["id"])
self.assertEquals(new_tenant["name"], data['tenant']["name"])
- self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"])
- self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"])
+ self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"])
def test_exception_tenant_unknown(self):
self.assertRaises(TenantUnknown, self.manager.get_tenant_dict, self.ADMIN_ID, uuid.uuid4().hex)
@@ -167,14 +167,14 @@ class TestTenantManager(tests.TestCase):
"id": uuid.uuid4().hex,
"name": "demo",
"description": uuid.uuid4().hex,
- "intra_authz_extension": authz_intra_extension['id'],
- "intra_admin_extension": admin_intra_extension['id'],
+ "intra_authz_extension_id": authz_intra_extension['id'],
+ "intra_admin_extension_id": admin_intra_extension['id'],
}
data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant)
self.assertEquals(new_tenant["id"], data["id"])
self.assertEquals(new_tenant["name"], data['tenant']["name"])
- self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"])
- self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"])
+ self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"])
data = self.manager.get_tenants_dict(self.ADMIN_ID)
self.assertNotEqual(data, {})
@@ -187,14 +187,14 @@ class TestTenantManager(tests.TestCase):
"id": uuid.uuid4().hex,
"name": "demo",
"description": uuid.uuid4().hex,
- "intra_authz_extension": authz_intra_extension['id'],
- "intra_admin_extension": admin_intra_extension['id'],
+ "intra_authz_extension_id": authz_intra_extension['id'],
+ "intra_admin_extension_id": admin_intra_extension['id'],
}
data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant)
self.assertEquals(new_tenant["id"], data["id"])
self.assertEquals(new_tenant["name"], data['tenant']["name"])
- self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"])
- self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"])
+ self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"])
data = self.manager.get_tenants_dict(self.ADMIN_ID)
self.assertNotEqual(data, {})
@@ -207,20 +207,20 @@ class TestTenantManager(tests.TestCase):
"id": uuid.uuid4().hex,
"name": "demo",
"description": uuid.uuid4().hex,
- "intra_authz_extension": authz_intra_extension['id'],
- "intra_admin_extension": admin_intra_extension['id'],
+ "intra_authz_extension_id": authz_intra_extension['id'],
+ "intra_admin_extension_id": admin_intra_extension['id'],
}
- new_tenant['intra_authz_extension'] = None
+ new_tenant['intra_authz_extension_id'] = None
self.assertRaises(TenantNoIntraAuthzExtension, self.manager.add_tenant_dict, self.ADMIN_ID, new_tenant)
- new_tenant['intra_authz_extension'] = authz_intra_extension['id']
+ new_tenant['intra_authz_extension_id'] = authz_intra_extension['id']
data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant)
self.assertEquals(new_tenant["id"], data["id"])
self.assertEquals(new_tenant["name"], data['tenant']["name"])
- self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"])
- self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"])
+ self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"])
+ self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"])
data = self.manager.get_tenants_dict(self.ADMIN_ID)
self.assertNotEqual(data, {})
- new_tenant['intra_authz_extension'] = None
+ new_tenant['intra_authz_extension_id'] = None
new_tenant['name'] = "demo2"
self.assertRaises(TenantNoIntraAuthzExtension, self.manager.set_tenant_dict, self.ADMIN_ID, new_tenant["id"], new_tenant)