From 51f7872f4902093cb0f0d445737c5892dd784191 Mon Sep 17 00:00:00 2001 From: asteroide Date: Fri, 31 Jul 2015 16:49:31 +0200 Subject: Play unit tests and modify code accordingly. (some tests are still not OK). Change-Id: I021081710411be12ffbbb0a3c8192626dbf9f8ce --- .../moon/policies/policy_admin/assignment.json | 12 +- .../moon/policies/policy_admin/perimeter.json | 12 +- .../examples/moon/policies/policy_admin/rule.json | 24 +- .../examples/moon/policies/policy_admin/scope.json | 12 +- keystone-moon/keystone/contrib/moon/algorithms.py | 9 +- .../keystone/contrib/moon/backends/memory.py | 4 +- .../keystone/contrib/moon/backends/sql.py | 44 +- keystone-moon/keystone/contrib/moon/core.py | 592 +-- keystone-moon/keystone/contrib/moon/exception.py | 13 +- .../keystone/tests/moon/backends/__init__.py | 1 + .../tests/moon/backends/test_sql_backend.py | 43 + keystone-moon/keystone/tests/moon/unit/__init__.py | 81 + .../moon/unit/test_unit_core_configuration.py | 56 +- .../unit/test_unit_core_intra_extension_admin.py | 3984 ++++++++------------ .../unit/test_unit_core_intra_extension_authz.py | 2749 ++++++++++---- .../keystone/tests/moon/unit/test_unit_core_log.py | 11 +- .../tests/moon/unit/test_unit_core_tenant.py | 72 +- 17 files changed, 4323 insertions(+), 3396 deletions(-) create mode 100644 keystone-moon/keystone/tests/moon/backends/__init__.py create mode 100644 keystone-moon/keystone/tests/moon/backends/test_sql_backend.py (limited to 'keystone-moon') diff --git a/keystone-moon/examples/moon/policies/policy_admin/assignment.json b/keystone-moon/examples/moon/policies/policy_admin/assignment.json index b77bd810..2c339a39 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/assignment.json +++ b/keystone-moon/examples/moon/policies/policy_admin/assignment.json @@ -18,9 +18,9 @@ "authz.subject_categories": ["authz.subject_categories"], "authz.object_categories": ["authz.object_categories"], "authz.action_categories": ["authz.action_categories"], - "authz.subject_category_scopes": ["authz.subject_category_scopes"], - "authz.object_category_scopes": ["authz.object_category_scopes"], - "authz.action_category_scopes": ["authz.action_category_scopes"], + "authz.subject_scopes": ["authz.subject_scopes"], + "authz.object_scopes": ["authz.object_scopes"], + "authz.action_scopes": ["authz.action_scopes"], "authz.subject_assignments": ["authz.subject_assignments"], "authz.object_assignments": ["authz.object_assignments"], "authz.action_assignments": ["authz.action_assignments"], @@ -33,9 +33,9 @@ "admin.subject_categories": ["admin.subject_categories"], "admin.object_categories": ["admin.object_categories"], "admin.action_categories": ["admin.action_categories"], - "admin.subject_category_scopes": ["admin.subject_category_scopes"], - "admin.object_category_scopes": ["admin.object_category_scopes"], - "admin.action_category_scopes": ["admin.action_category_scopes"], + "admin.subject_scopes": ["admin.subject_scopes"], + "admin.object_scopes": ["admin.object_scopes"], + "admin.action_scopes": ["admin.action_scopes"], "admin.subject_assignments": ["admin.subject_assignments"], "admin.object_assignments": ["admin.object_assignments"], "admin.action_assignments": ["admin.action_assignments"], diff --git a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json index a796dae9..3fe71bb5 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/perimeter.json +++ b/keystone-moon/examples/moon/policies/policy_admin/perimeter.json @@ -13,9 +13,9 @@ "authz.subject_categories", "authz.object_categories", "authz.action_categories", - "authz.subject_category_scopes", - "authz.object_category_scopes", - "authz.action_category_scopes", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", "authz.subject_assignments", "authz.object_assignments", "authz.action_assignments", @@ -28,9 +28,9 @@ "admin.subject_categories", "admin.object_categories", "admin.action_categories", - "admin.subject_category_scopes", - "admin.object_category_scopes", - "admin.action_category_scopes", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", "admin.subject_assignments", "admin.object_assignments", "admin.action_assignments", diff --git a/keystone-moon/examples/moon/policies/policy_admin/rule.json b/keystone-moon/examples/moon/policies/policy_admin/rule.json index e80c61c1..020dac41 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/rule.json +++ b/keystone-moon/examples/moon/policies/policy_admin/rule.json @@ -6,9 +6,9 @@ ["root_role" , "read", "authz.subject_categories"], ["root_role" , "read", "authz.object_categories"], ["root_role" , "read", "authz.action_categories"], - ["root_role" , "read", "authz.subject_category_scopes"], - ["root_role" , "read", "authz.object_category_scopes"], - ["root_role" , "read", "authz.action_category_scopes"], + ["root_role" , "read", "authz.subject_scopes"], + ["root_role" , "read", "authz.object_scopes"], + ["root_role" , "read", "authz.action_scopes"], ["root_role" , "read", "authz.subject_assignments"], ["root_role" , "read", "authz.object_assignments"], ["root_role" , "read", "authz.action_assignments"], @@ -21,9 +21,9 @@ ["root_role" , "write", "authz.subject_categories"], ["root_role" , "write", "authz.object_categories"], ["root_role" , "write", "authz.action_categories"], - ["root_role" , "write", "authz.subject_category_scopes"], - ["root_role" , "write", "authz.object_category_scopes"], - ["root_role" , "write", "authz.action_category_scopes"], + ["root_role" , "write", "authz.subject_scopes"], + ["root_role" , "write", "authz.object_scopes"], + ["root_role" , "write", "authz.action_scopes"], ["root_role" , "write", "authz.subject_assignments"], ["root_role" , "write", "authz.object_assignments"], ["root_role" , "write", "authz.action_assignments"], @@ -36,9 +36,9 @@ ["root_role" , "read", "admin.subject_categories"], ["root_role" , "read", "admin.object_categories"], ["root_role" , "read", "admin.action_categories"], - ["root_role" , "read", "admin.subject_category_scopes"], - ["root_role" , "read", "admin.object_category_scopes"], - ["root_role" , "read", "admin.action_category_scopes"], + ["root_role" , "read", "admin.subject_scopes"], + ["root_role" , "read", "admin.object_scopes"], + ["root_role" , "read", "admin.action_scopes"], ["root_role" , "read", "admin.subject_assignments"], ["root_role" , "read", "admin.object_assignments"], ["root_role" , "read", "admin.action_assignments"], @@ -51,9 +51,9 @@ ["root_role" , "write", "admin.subject_categories"], ["root_role" , "write", "admin.object_categories"], ["root_role" , "write", "admin.action_categories"], - ["root_role" , "write", "admin.subject_category_scopes"], - ["root_role" , "write", "admin.object_category_scopes"], - ["root_role" , "write", "admin.action_category_scopes"], + ["root_role" , "write", "admin.subject_scopes"], + ["root_role" , "write", "admin.object_scopes"], + ["root_role" , "write", "admin.action_scopes"], ["root_role" , "write", "admin.subject_assignments"], ["root_role" , "write", "admin.object_assignments"], ["root_role" , "write", "admin.action_assignments"], diff --git a/keystone-moon/examples/moon/policies/policy_admin/scope.json b/keystone-moon/examples/moon/policies/policy_admin/scope.json index 9de90206..c8b4908a 100644 --- a/keystone-moon/examples/moon/policies/policy_admin/scope.json +++ b/keystone-moon/examples/moon/policies/policy_admin/scope.json @@ -18,9 +18,9 @@ "authz.subject_categories", "authz.object_categories", "authz.action_categories", - "authz.subject_category_scopes", - "authz.object_category_scopes", - "authz.action_category_scopes", + "authz.subject_scopes", + "authz.object_scopes", + "authz.action_scopes", "authz.subject_assignments", "authz.object_assignments", "authz.action_assignments", @@ -33,9 +33,9 @@ "admin.subject_categories", "admin.object_categories", "admin.action_categories", - "admin.subject_category_scopes", - "admin.object_category_scopes", - "admin.action_category_scopes", + "admin.subject_scopes", + "admin.object_scopes", + "admin.action_scopes", "admin.subject_assignments", "admin.object_assignments", "admin.action_assignments", diff --git a/keystone-moon/keystone/contrib/moon/algorithms.py b/keystone-moon/keystone/contrib/moon/algorithms.py index fe35b7ee..8644e02d 100644 --- a/keystone-moon/keystone/contrib/moon/algorithms.py +++ b/keystone-moon/keystone/contrib/moon/algorithms.py @@ -46,8 +46,15 @@ def inclusion(authz_buffer, sub_meta_rule_dict, rule_list): if object_cat in authz_buffer['object_assignments']: _cat.append(authz_buffer['object_assignments'][object_cat]) + print("authz_buffer", authz_buffer) + print("rule_list", rule_list) + print("_cat", _cat) for _element in itertools.product(*_cat): - if list(_element) in rule_list: + # Add the boolean at the end + _element = list(_element) + _element.append(True) + print("_element", _element) + if _element in rule_list: return True return False diff --git a/keystone-moon/keystone/contrib/moon/backends/memory.py b/keystone-moon/keystone/contrib/moon/backends/memory.py index b2efb723..f7fe5ef1 100644 --- a/keystone-moon/keystone/contrib/moon/backends/memory.py +++ b/keystone-moon/keystone/contrib/moon/backends/memory.py @@ -25,7 +25,7 @@ class ConfigurationConnector(ConfigurationDriver): self.sub_meta_rule_algorithm_dict[uuid4().hex] = {'name': 'inclusion', 'description': 'inclusion'} self.sub_meta_rule_algorithm_dict[uuid4().hex] = {'name': 'comparison', 'description': 'comparison'} - def get_policy_template_dict(self): + def get_policy_templates_dict(self): nodes = glob(os.path.join(CONF.moon.policy_directory, "*")) return { "authz_templates": @@ -35,5 +35,5 @@ class ConfigurationConnector(ConfigurationDriver): def get_aggregation_algorithm_dict(self): return self.aggregation_algorithm_dict - def get_sub_meta_rule_algorithm_dict(self): + def get_sub_meta_rule_algorithms_dict(self): return self.sub_meta_rule_algorithm_dict \ No newline at end of file diff --git a/keystone-moon/keystone/contrib/moon/backends/sql.py b/keystone-moon/keystone/contrib/moon/backends/sql.py index ceb057bd..ebc6a4d3 100644 --- a/keystone-moon/keystone/contrib/moon/backends/sql.py +++ b/keystone-moon/keystone/contrib/moon/backends/sql.py @@ -340,7 +340,7 @@ class TenantConnector(TenantDriver): } ) session.add(new_ref) - return new_ref.to_dict() + return {new_ref.id: new_ref.tenant} def del_tenant(self, tenant_id): with sql.transaction() as session: @@ -360,7 +360,7 @@ class TenantConnector(TenantDriver): for attr in Tenant.attributes: if attr != 'id': setattr(ref, attr, getattr(new_tenant, attr)) - return Tenant.to_dict(ref) + return {ref.id: ref.tenant} class IntraExtensionConnector(IntraExtensionDriver): @@ -437,7 +437,7 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_subject_categories_dict(intra_extension_id)[subject_category_id] + return {subject_category_id: self.get_subject_categories_dict(intra_extension_id)[subject_category_id]} def del_subject_category(self, intra_extension_id, subject_category_id): with sql.transaction() as session: @@ -474,7 +474,7 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_object_categories_dict(intra_extension_id)[object_category_id] + return {object_category_id: self.get_object_categories_dict(intra_extension_id)[object_category_id]} def del_object_category(self, intra_extension_id, object_category_id): with sql.transaction() as session: @@ -511,7 +511,7 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_action_categories_dict(intra_extension_id)[action_category_id] + return {action_category_id: self.get_action_categories_dict(intra_extension_id)[action_category_id]} def del_action_category(self, intra_extension_id, action_category_id): with sql.transaction() as session: @@ -534,6 +534,8 @@ class IntraExtensionConnector(IntraExtensionDriver): query = session.query(Subject) query = query.filter_by(intra_extension_id=intra_extension_id, id=subject_id) ref = query.first() + # if 'id' in subject_dict: + # subject_dict['id'] = subject_id new_ref = Subject.from_dict( { "id": subject_id, @@ -548,7 +550,7 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_subjects_dict(intra_extension_id)[subject_id] + return {subject_id: self.get_subjects_dict(intra_extension_id)[subject_id]} def del_subject(self, intra_extension_id, subject_id): with sql.transaction() as session: @@ -583,7 +585,7 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_objects_dict(intra_extension_id)[object_id] + return {object_id: self.get_objects_dict(intra_extension_id)[object_id]} def del_object(self, intra_extension_id, object_id): with sql.transaction() as session: @@ -618,7 +620,7 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_actions_dict(intra_extension_id)[action_id] + return {action_id: self.get_actions_dict(intra_extension_id)[action_id]} def del_action(self, intra_extension_id, action_id): with sql.transaction() as session: @@ -656,7 +658,7 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_subject_scopes_dict(intra_extension_id, subject_category_id)[subject_scope_id] + return {subject_scope_id: self.get_subject_scopes_dict(intra_extension_id, subject_category_id)[subject_scope_id]} def del_subject_scope(self, intra_extension_id, subject_category_id, subject_scope_id): with sql.transaction() as session: @@ -694,7 +696,7 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_object_scopes_dict(intra_extension_id, object_category_id)[object_scope_id] + return {object_scope_id: self.get_object_scopes_dict(intra_extension_id, object_category_id)[object_scope_id]} def del_object_scope(self, intra_extension_id, object_category_id, object_scope_id): with sql.transaction() as session: @@ -732,7 +734,7 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_action_scopes_dict(intra_extension_id, action_category_id)[action_scope_id] + return {action_scope_id: self.get_action_scopes_dict(intra_extension_id, action_category_id)[action_scope_id]} def del_action_scope(self, intra_extension_id, action_category_id, action_scope_id): with sql.transaction() as session: @@ -748,7 +750,9 @@ class IntraExtensionConnector(IntraExtensionDriver): query = session.query(SubjectAssignment) query = query.filter_by(intra_extension_id=intra_extension_id, subject_id=subject_id, subject_category_id=subject_category_id) ref = query.first() - return ref.subject_assignment + if not ref: + return list() + return list(ref.subject_assignment) def set_subject_assignment_list(self, intra_extension_id, subject_id, subject_category_id, subject_assignment_list=[]): with sql.transaction() as session: @@ -791,7 +795,9 @@ class IntraExtensionConnector(IntraExtensionDriver): query = session.query(ObjectAssignment) query = query.filter_by(intra_extension_id=intra_extension_id, object_id=object_id, object_category_id=object_category_id) ref = query.first() - return ref.object_assignment + if not ref: + return list() + return list(ref.object_assignment) def set_object_assignment_list(self, intra_extension_id, object_id, object_category_id, object_assignment_list=[]): with sql.transaction() as session: @@ -834,7 +840,9 @@ class IntraExtensionConnector(IntraExtensionDriver): query = session.query(ActionAssignment) query = query.filter_by(intra_extension_id=intra_extension_id, action_id=action_id, action_category_id=action_category_id) ref = query.first() - return ref.action_assignment + if not ref: + return list() + return list(ref.action_assignment) def set_action_assignment_list(self, intra_extension_id, action_id, action_category_id, action_assignment_list=[]): with sql.transaction() as session: @@ -872,7 +880,7 @@ class IntraExtensionConnector(IntraExtensionDriver): # Getter and Setter for sub_meta_rule - def set_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): + def set_aggregation_algorithm_dict(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): with sql.transaction() as session: query = session.query(AggregationAlgorithm) query = query.filter_by(intra_extension_id=intra_extension_id, id=aggregation_algorithm_id) @@ -891,9 +899,9 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_aggregation_algorithm(intra_extension_id) + return self.get_aggregation_algorithm_dict(intra_extension_id) - def get_aggregation_algorithm(self, intra_extension_id): + def get_aggregation_algorithm_dict(self, intra_extension_id): with sql.transaction() as session: query = session.query(AggregationAlgorithm) query = query.filter_by(intra_extension_id=intra_extension_id) @@ -973,7 +981,7 @@ class IntraExtensionConnector(IntraExtensionDriver): if attr != 'id': setattr(ref, attr, getattr(new_ref, attr)) session.flush() - return self.get_rules_dict(intra_extension_id, sub_meta_rule_id)[rule_id] + return {rule_id: self.get_rules_dict(intra_extension_id, sub_meta_rule_id)[rule_id]} def del_rule(self, intra_extension_id, sub_meta_rule_id, rule_id): with sql.transaction() as session: diff --git a/keystone-moon/keystone/contrib/moon/core.py b/keystone-moon/keystone/contrib/moon/core.py index d9a59ff3..455975a3 100644 --- a/keystone-moon/keystone/contrib/moon/core.py +++ b/keystone-moon/keystone/contrib/moon/core.py @@ -62,8 +62,9 @@ CONF.register_opts(_OPTS, group='moon') def filter_input(func_or_str): def __filter(string): - if string: - return "".join(re.findall("[\w\-+]*", string)) + if string and type(string) in (str, unicode): + return "".join(re.findall("[\w\- +]*", string)) + return string def wrapped(*args, **kwargs): _args = [] @@ -118,7 +119,6 @@ def enforce(action_names, object_name, **extra): intra_extension_dict = kwargs['intra_extension_dict'] else: intra_extension_dict = args[2] - print(intra_extension_dict) if isinstance(intra_extension_dict, dict) and \ "model" in intra_extension_dict and \ intra_extension_dict["model"] == "policy_root": @@ -141,9 +141,13 @@ def enforce(action_names, object_name, **extra): intra_admin_extension_id = None try: - intra_admin_extension_id = get_root_extension(self, args, kwargs) + intra_root_extension_id = get_root_extension(self, args, kwargs) + # FIXME (asteroide): intra_root_extension_id is not used at all... except RootExtensionNotInitialized: + # Root extension is not initialized, the current requested function must be the creation + # of this root extension returned_value_for_func = func(*args, **kwargs) + # after the creation, we must update ROOT_EXTENSION_ID and ADMIN_ID intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict() for ext in intra_extensions_dict: if intra_extensions_dict[ext]["model"] == ROOT_EXTENSION_MODEL: @@ -151,7 +155,6 @@ def enforce(action_names, object_name, **extra): break if not ROOT_EXTENSION_ID: raise RootExtensionUnknown() - print(returned_value_for_func) subjects_dict = self.admin_api.driver.get_subjects_dict(returned_value_for_func['id']) for subject_id in subjects_dict: if subjects_dict[subject_id]["name"] == "admin": @@ -159,66 +162,101 @@ def enforce(action_names, object_name, **extra): break if not ADMIN_ID: raise RootExtensionUnknown() + # if all is OK, return values from func (creation of the root extension) return returned_value_for_func try: intra_extension_id = args[2] except IndexError: + print("IndexError", kwargs) if 'intra_extension_id' in kwargs: intra_extension_id = kwargs['intra_extension_id'] - # else: - # intra_admin_extension_id = get_root_extension(self) + else: + print("in else", intra_root_extension_id) + intra_extension_id = intra_root_extension_id if ADMIN_ID and user_id == ADMIN_ID: # TODO: check if there is no security hole here returned_value_for_func = func(*args, **kwargs) else: intra_extensions_dict = self.admin_api.driver.get_intra_extensions_dict() + print(intra_extension_id, intra_extensions_dict) if intra_extension_id not in intra_extensions_dict: raise IntraExtensionUnknown() - tenants_dict = self.tenant_api.driver.get_tenants_dict(ADMIN_ID) + tenants_dict = self.tenant_api.driver.get_tenants_dict() for _tenant_id in tenants_dict: - if tenants_dict[_tenant_id]['intra_authz_extension_id'] is intra_extension_id or \ - tenants_dict[_tenant_id]['intra_admin_extension_id'] is intra_extension_id: + if tenants_dict[_tenant_id]['intra_authz_extension_id'] == intra_extension_id or \ + tenants_dict[_tenant_id]['intra_admin_extension_id'] == intra_extension_id: intra_admin_extension_id = tenants_dict[_tenant_id]['intra_admin_extension_id'] + break if not intra_admin_extension_id: self.moonlog_api.driver.warning("No Intra_Admin_Extension found, authorization granted by default.") returned_value_for_func = func(*args, **kwargs) else: - objects_dict = self.admin_api.driver.get_objects_dict(ADMIN_ID, intra_admin_extension_id) + # subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id) + # keystone_user_id = subjects_dict[subject_id]["keystone_id"] + objects_dict = self.admin_api.driver.get_objects_dict(intra_admin_extension_id) object_name = intra_extensions_dict[intra_extension_id]['genre'] + '.' + _object_name object_id = None for _object_id in objects_dict: - if objects_dict[_object_id]['name'] is object_name: + if objects_dict[_object_id]['name'] == object_name: object_id = _object_id break + if not object_id: + objects_dict = self.admin_api.driver.get_objects_dict(intra_root_extension_id) + object_name = object_name.split(".")[-1] + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] == object_name: + object_id = _object_id + break + if not object_id: + raise ObjectUnknown("Unknown object name: {}".format(object_name)) + # if we found the object in intra_root_extension_id, so we change the intra_admin_extension_id + # into intra_root_extension_id and we modify the ID of the subject + subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id) + subject_name = subjects_dict[user_id]["name"] + intra_admin_extension_id = intra_root_extension_id + subjects_dict = self.admin_api.driver.get_subjects_dict(intra_admin_extension_id) + user_id = None + for _subject_id in subjects_dict: + if subjects_dict[_subject_id]["name"] == subject_name: + user_id = _subject_id + if not user_id: + raise SubjectUnknown("Subject Unknown for Root intraExtension...") if type(_action_name_list) in (str, unicode): action_name_list = (_action_name_list, ) else: action_name_list = _action_name_list - actions_dict = self.admin_api.driver.get_actions_dict(ADMIN_ID, intra_admin_extension_id) + actions_dict = self.admin_api.driver.get_actions_dict(intra_admin_extension_id) action_id_list = list() for _action_name in action_name_list: for _action_id in actions_dict: - if actions_dict[_action_id]['name'] is _action_name: + if actions_dict[_action_id]['name'] == _action_name: action_id_list.append(_action_id) break authz_result = False for action_id in action_id_list: - if self.driver.authz(intra_admin_extension_id, user_id, object_id, action_id): + if self.admin_api.authz(intra_admin_extension_id, user_id, object_id, action_id): authz_result = True else: + self.moonlog_api.authz("No authorization for ({} {}-{}-{})".format( + intra_admin_extension_id, + user_id, + object_name, + actions_dict[action_id]['name'])) authz_result = False break if authz_result: returned_value_for_func = func(*args, **kwargs) + else: + raise AuthzException() return returned_value_for_func return wrapped return wrap @dependency.provider('configuration_api') -@dependency.requires('moonlog_api', 'admin_api') +@dependency.requires('moonlog_api', 'admin_api', 'tenant_api') class ConfigurationManager(manager.Manager): def __init__(self): @@ -236,7 +274,7 @@ class ConfigurationManager(manager.Manager): def get_policy_template_id_from_name(self, user_id, policy_template_name): policy_template_dict = self.driver.get_policy_templates_dict() for policy_template_id in policy_template_dict: - if policy_template_dict[policy_template_id]['name'] is policy_template_name: + if policy_template_dict[policy_template_id]['name'] == policy_template_name: return policy_template_id return None @@ -252,7 +290,7 @@ class ConfigurationManager(manager.Manager): def get_aggregation_algorithm_id_from_name(self, user_id, aggregation_algorithm_name): aggregation_algorithm_dict = self.driver.get_aggregation_algorithms_dict() for aggregation_algorithm_id in aggregation_algorithm_dict: - if aggregation_algorithm_dict[aggregation_algorithm_id]['name'] is aggregation_algorithm_name: + if aggregation_algorithm_dict[aggregation_algorithm_id]['name'] == aggregation_algorithm_name: return aggregation_algorithm_id return None @@ -268,7 +306,7 @@ class ConfigurationManager(manager.Manager): def get_sub_meta_rule_algorithm_id_from_name(self, sub_meta_rule_algorithm_name): sub_meta_rule_algorithm_dict = self.driver.get_sub_meta_rule_algorithms_dict() for sub_meta_rule_algorithm_id in sub_meta_rule_algorithm_dict: - if sub_meta_rule_algorithm_dict[sub_meta_rule_algorithm_id]['name'] is sub_meta_rule_algorithm_name: + if sub_meta_rule_algorithm_dict[sub_meta_rule_algorithm_id]['name'] == sub_meta_rule_algorithm_name: return sub_meta_rule_algorithm_id return None @@ -305,19 +343,20 @@ class TenantManager(manager.Manager): if tenants_dict[tenant_id]['name'] == tenant_dict['name']: raise TenantAddedNameExisting() - # Sync users between intra_authz_extension and intra_admin_extension - if tenant_dict['intra_admin_extension']: - if not tenant_dict['intra_authz_extension']: + # Sync users between intra_authz_extension_id and intra_admin_extension_id + if tenant_dict['intra_admin_extension_id']: + if not tenant_dict['intra_authz_extension_id']: raise TenantNoIntraAuthzExtension() - else: - authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension']) - admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension']) - for _subject_id in authz_subjects_dict: - if _subject_id not in admin_subjects_dict: - self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id]) - for _subject_id in admin_subjects_dict: - if _subject_id not in authz_subjects_dict: - self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id]) + authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id']) + admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id']) + admin_subjects__name_list = [admin_subjects_dict[subject_id]["name"] for subject_id in admin_subjects_dict] + authz_subjects__name_list = [authz_subjects_dict[subject_id]["name"] for subject_id in authz_subjects_dict] + for _subject_id in authz_subjects_dict: + if authz_subjects_dict[_subject_id]["name"] not in authz_subjects__name_list: + self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) + for _subject_id in admin_subjects_dict: + if admin_subjects_dict[_subject_id]["name"] not in admin_subjects__name_list: + self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) return self.driver.add_tenant_dict(tenant_dict['id'], tenant_dict) @@ -325,6 +364,7 @@ class TenantManager(manager.Manager): @enforce("read", "tenants") def get_tenant_dict(self, user_id, tenant_id): tenants_dict = self.driver.get_tenants_dict() + print("get_tenant_dict", tenant_id, tenants_dict) if tenant_id not in tenants_dict: raise TenantUnknown() return tenants_dict[tenant_id] @@ -343,22 +383,52 @@ class TenantManager(manager.Manager): if tenant_id not in tenants_dict: raise TenantUnknown() - # Sync users between intra_authz_extension and intra_admin_extension - if tenant_dict['intra_admin_extension']: - if not tenant_dict['intra_authz_extension']: + # Sync users between intra_authz_extension_id and intra_admin_extension_id + if tenant_dict['intra_admin_extension_id']: + if not tenant_dict['intra_authz_extension_id']: raise TenantNoIntraAuthzExtension else: - authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension']) - admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension']) + authz_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id']) + admin_subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id']) for _subject_id in authz_subjects_dict: if _subject_id not in admin_subjects_dict: - self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension'], authz_subjects_dict[_subject_id]) + self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_admin_extension_id'], authz_subjects_dict[_subject_id]) for _subject_id in admin_subjects_dict: if _subject_id not in authz_subjects_dict: - self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension'], admin_subjects_dict[_subject_id]) + self.admin_api.add_subject_dict(ADMIN_ID, tenant_dict['intra_authz_extension_id'], admin_subjects_dict[_subject_id]) return self.driver.set_tenant_dict(tenant_id, tenant_dict) + @filter_input + def get_subject_from_keystone_id(self, tenant_id, intra_extension_id, keystone_id): + tenants_dict = self.driver.get_tenants_dict() + if tenant_id not in tenants_dict: + raise TenantUnknown() + if intra_extension_id not in (tenants_dict[tenant_id]['intra_authz_extension_id'], + tenants_dict[tenant_id]['intra_admin_extension_id'], ): + raise IntraExtensionUnknown() + # Note (asteroide): We used ADMIN_ID because the user requesting this information may only know his keystone_id + # and not the subject ID in the requested intra_extension. + subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, intra_extension_id) + for subject_id in subjects_dict: + if keystone_id == subjects_dict[subject_id]['keystone_id']: + return {subject_id: subjects_dict[subject_id]} + + @filter_input + def get_subject_from_keystone_name(self, tenant_id, intra_extension_id, keystone_name): + tenants_dict = self.driver.get_tenants_dict() + if tenant_id not in tenants_dict: + raise TenantUnknown() + if intra_extension_id not in (tenants_dict[tenant_id]['intra_authz_extension_id'], + tenants_dict[tenant_id]['intra_admin_extension_id'], ): + raise IntraExtensionUnknown() + # Note (asteroide): We used ADMIN_ID because the user requesting this information may only know his + # keystone_name and not the subject ID in the requested intra_extension. + subjects_dict = self.admin_api.get_subjects_dict(ADMIN_ID, intra_extension_id) + for subject_id in subjects_dict: + if keystone_name == subjects_dict[subject_id]['keystone_name']: + return {subject_id: subjects_dict[subject_id]} + @dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api', 'moonlog_api') class IntraExtensionManager(manager.Manager): @@ -398,24 +468,24 @@ class IntraExtensionManager(manager.Manager): subject_assignment_dict = dict() for category in meta_data_dict["subject_categories"]: subject_assignment_dict[category] = self.driver.get_subject_assignment_list( - intra_extension_id, subject_id)[category] + intra_extension_id, subject_id, category) object_assignment_dict = dict() for category in meta_data_dict["object_categories"]: object_assignment_dict[category] = self.driver.get_object_assignment_list( - intra_extension_id, object_id)[category] + intra_extension_id, object_id, category) action_assignment_dict = dict() for category in meta_data_dict["action_categories"]: action_assignment_dict[category] = self.driver.get_action_assignment_list( - intra_extension_id, action_id)[category] + intra_extension_id, action_id, category) authz_buffer['subject_assignments'] = dict() authz_buffer['object_assignments'] = dict() authz_buffer['action_assignments'] = dict() for _subject_category in meta_data_dict['subject_categories']: - authz_buffer['subject_assignments'][_subject_category] = subject_assignment_dict[_subject_category] + authz_buffer['subject_assignments'][_subject_category] = list(subject_assignment_dict[_subject_category]) for _object_category in meta_data_dict['object_categories']: - authz_buffer['object_assignments'][_object_category] = object_assignment_dict[_object_category] + authz_buffer['object_assignments'][_object_category] = list(object_assignment_dict[_object_category]) for _action_category in meta_data_dict['action_categories']: - authz_buffer['action_assignments'][_action_category] = action_assignment_dict[_action_category] + authz_buffer['action_assignments'][_action_category] = list(action_assignment_dict[_action_category]) return authz_buffer def authz(self, intra_extension_id, subject_id, object_id, action_id): @@ -441,22 +511,26 @@ class IntraExtensionManager(manager.Manager): meta_rule_dict = self.driver.get_sub_meta_rules_dict(intra_extension_id) - for sub_meta_rule_id in meta_rule_dict['sub_meta_rules']: - if meta_rule_dict['sub_meta_rules'][sub_meta_rule_id]['algorithm'] == 'inclusion': + for sub_meta_rule_id in meta_rule_dict: + if meta_rule_dict[sub_meta_rule_id]['algorithm'] == 'inclusion': decision_buffer[sub_meta_rule_id] = inclusion( authz_buffer, - meta_rule_dict['sub_meta_rules'][sub_meta_rule_id], + meta_rule_dict[sub_meta_rule_id], self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id).values()) - elif meta_rule_dict['sub_meta_rules'][sub_meta_rule_id]['algorithm'] == 'comparison': + elif meta_rule_dict[sub_meta_rule_id]['algorithm'] == 'comparison': decision_buffer[sub_meta_rule_id] = comparison( authz_buffer, - meta_rule_dict['sub_meta_rules'][sub_meta_rule_id], + meta_rule_dict[sub_meta_rule_id], self.driver.get_rules_dict(intra_extension_id, sub_meta_rule_id).values()) - if meta_rule_dict['aggregation'] == 'all_true': + aggregation = self.driver.get_aggregation_algorithm_dict(intra_extension_id) + # We suppose here that we have only one aggregation algorithm for one intra_extension + # TODO: need more work on this part of the model + aggregation_id = aggregation.keys()[0] + if aggregation[aggregation_id]['name'] == 'all_true': decision = all_true(decision_buffer) if not decision: - raise AuthzException() + raise AuthzException("{} {}-{}-{}".format(intra_extension_id, subject_id, action_id, object_id)) return decision @enforce("read", "intra_extensions") @@ -539,7 +613,7 @@ class IntraExtensionManager(manager.Manager): _id = uuid4().hex action_dict[_id] = {"name": _action, "description": _action} self.driver.set_action_dict(intra_extension_dict["id"], _id, action_dict[_id]) - intra_extension_dict["ations"] = action_dict + intra_extension_dict["actions"] = action_dict def __load_scope_file(self, intra_extension_dict, policy_dir): @@ -547,7 +621,7 @@ class IntraExtensionManager(manager.Manager): f = open(metadata_path) json_perimeter = json.load(f) - intra_extension_dict['subject_category_scope'] = dict() + intra_extension_dict['subject_scopes'] = dict() for category, scope in json_perimeter["subject_scopes"].iteritems(): category_id = self.driver.get_uuid_from_name(intra_extension_dict["id"], category, self.driver.SUBJECT_CATEGORY) _scope_dict = dict() @@ -555,9 +629,9 @@ class IntraExtensionManager(manager.Manager): _id = uuid4().hex _scope_dict[_id] = {"name": _scope, "description": _scope} self.driver.set_subject_scope_dict(intra_extension_dict["id"], category_id, _id, _scope_dict[_id]) - intra_extension_dict['subject_category_scope'][category] = _scope_dict + intra_extension_dict['subject_scopes'][category] = _scope_dict - intra_extension_dict['object_category_scope'] = dict() + intra_extension_dict['object_scopes'] = dict() for category, scope in json_perimeter["object_scopes"].iteritems(): category_id = self.driver.get_uuid_from_name(intra_extension_dict["id"], category, self.driver.OBJECT_CATEGORY) _scope_dict = dict() @@ -565,9 +639,9 @@ class IntraExtensionManager(manager.Manager): _id = uuid4().hex _scope_dict[_id] = {"name": _scope, "description": _scope} self.driver.set_object_scope_dict(intra_extension_dict["id"], category_id, _id, _scope_dict[_id]) - intra_extension_dict['object_category_scope'][category] = _scope_dict + intra_extension_dict['object_scopes'][category] = _scope_dict - intra_extension_dict['action_category_scope'] = dict() + intra_extension_dict['action_scopes'] = dict() for category, scope in json_perimeter["action_scopes"].iteritems(): category_id = self.driver.get_uuid_from_name(intra_extension_dict["id"], category, self.driver.ACTION_CATEGORY) _scope_dict = dict() @@ -575,7 +649,7 @@ class IntraExtensionManager(manager.Manager): _id = uuid4().hex _scope_dict[_id] = {"name": _scope, "description": _scope} self.driver.set_action_scope_dict(intra_extension_dict["id"], category_id, _id, _scope_dict[_id]) - intra_extension_dict['action_category_scope'][category] = _scope_dict + intra_extension_dict['action_scopes'][category] = _scope_dict def __load_assignment_file(self, intra_extension_dict, policy_dir): @@ -666,7 +740,7 @@ class IntraExtensionManager(manager.Manager): "aggregation": json_metarule["aggregation"], "sub_meta_rules": metarule } - self.driver.set_aggregation_algorithm(intra_extension_dict["id"], uuid4().hex, + self.driver.set_aggregation_algorithm_dict(intra_extension_dict["id"], uuid4().hex, { "name": json_metarule["aggregation"], "description": json_metarule["aggregation"], @@ -716,7 +790,7 @@ class IntraExtensionManager(manager.Manager): category_uuid=category_uuid) subrule.append(scope_uuid) # if a positive/negative value exists, all item of rule have not be consumed - if len(rule) >= 1 and type(rule[0]) is bool: + if len(rule) >= 1 and isinstance(rule[0], bool): subrule.append(rule[0]) else: # if value doesn't exist add a default value @@ -813,11 +887,11 @@ class IntraExtensionManager(manager.Manager): @filter_input @enforce(("read", "write"), "subject_categories") def add_subject_category(self, user_id, intra_extension_id, subject_category_dict): - subject_category_dict = self.driver.get_subject_categories_dict(intra_extension_id) - for subject_category_id in subject_category_dict: - if subject_category_dict[subject_category_id]['name'] is subject_category_dict['name']: + subject_categories_dict = self.driver.get_subject_categories_dict(intra_extension_id) + for subject_category_id in subject_categories_dict: + if subject_categories_dict[subject_category_id]['name'] == subject_category_dict['name']: raise SubjectCategoryNameExisting() - return self.driver.set_subject_category(intra_extension_id, uuid4().hex, subject_category_dict) + return self.driver.set_subject_category_dict(intra_extension_id, uuid4().hex, subject_category_dict) @filter_input @enforce("read", "subject_categories") @@ -835,7 +909,7 @@ class IntraExtensionManager(manager.Manager): if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() # Destroy scopes related to this category - for scope in self.driver.get_subject_scope_dict(intra_extension_id, subject_category_id): + for scope in self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id): self.del_subject_scope(intra_extension_id, subject_category_id, scope) # Destroy assignments related to this category for subject_id in self.driver.get_subjects_dict(intra_extension_id): @@ -848,7 +922,7 @@ class IntraExtensionManager(manager.Manager): def set_subject_category(self, user_id, intra_extension_id, subject_category_id, subject_category_dict): if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() - return self.driver.set_subject_category(intra_extension_id, subject_category_id, subject_category_dict) + return self.driver.set_subject_category_dict(intra_extension_id, subject_category_id, subject_category_dict) @filter_input @enforce("read", "object_categories") @@ -863,12 +937,12 @@ class IntraExtensionManager(manager.Manager): @filter_input @enforce(("read", "write"), "object_categories") @enforce(("read", "write"), "object_scopes") - def add_object_category(self, user_id, intra_extension_id, object_category_name): - object_category_dict = self.driver.get_object_categories_dict(intra_extension_id) - for object_category_id in object_category_dict: - if object_category_dict[object_category_id]["name"] is object_category_name: + def add_object_category(self, user_id, intra_extension_id, object_category_dict): + object_categories_dict = self.driver.get_object_categories_dict(intra_extension_id) + for object_category_id in object_categories_dict: + if object_categories_dict[object_category_id]["name"] == object_category_dict['name']: raise ObjectCategoryNameExisting() - return self.driver.add_object_category(intra_extension_id, uuid4().hex, object_category_name) + return self.driver.set_object_category_dict(intra_extension_id, uuid4().hex, object_category_dict) @filter_input @enforce("read", "object_categories") @@ -907,12 +981,12 @@ class IntraExtensionManager(manager.Manager): @filter_input @enforce(("read", "write"), "action_categories") @enforce(("read", "write"), "action_scopes") - def add_action_category(self, user_id, intra_extension_id, action_category_name): - action_category_dict = self.driver.get_action_categories_dict(intra_extension_id) - for action_category_id in action_category_dict: - if action_category_dict[action_category_id]['name'] is action_category_name: + def add_action_category(self, user_id, intra_extension_id, action_category_dict): + action_categories_dict = self.driver.get_action_categories_dict(intra_extension_id) + for action_category_id in action_categories_dict: + if action_categories_dict[action_category_id]['name'] == action_category_dict['name']: raise ActionCategoryNameExisting() - return self.driver.add_action_category(intra_extension_id, uuid4().hex, action_category_name) + return self.driver.set_action_category_dict(intra_extension_id, uuid4().hex, action_category_dict) @filter_input @enforce("read", "action_categories") @@ -924,7 +998,7 @@ class IntraExtensionManager(manager.Manager): @filter_input @enforce(("read", "write"), "action_categories") - @enforce(("read", "write"), "action_category_scopes") + @enforce(("read", "write"), "action_scopes") def del_action_category(self, user_id, intra_extension_id, action_category_id): if action_category_id not in self.driver.get_action_categories_dict(intra_extension_id): raise ActionCategoryUnknown() @@ -949,7 +1023,7 @@ class IntraExtensionManager(manager.Manager): def add_subject_dict(self, user_id, intra_extension_id, subject_dict): subjects_dict = self.driver.get_subjects_dict(intra_extension_id) for subject_id in subjects_dict: - if subjects_dict[subject_id]["name"] is subject_dict['name']: + if subjects_dict[subject_id]["name"] == subject_dict['name']: raise SubjectNameExisting() # Next line will raise an error if user is not present in Keystone database subject_keystone_dict = self.identity_api.get_user_by_name(subject_dict['name'], "default") @@ -968,7 +1042,7 @@ class IntraExtensionManager(manager.Manager): @filter_input @enforce(("read", "write"), "subjects") def del_subject(self, user_id, intra_extension_id, subject_id): - if subject_id in self.driver.get_subjects_dict(intra_extension_id): + if subject_id not in self.driver.get_subjects_dict(intra_extension_id): raise SubjectUnknown() # Destroy assignments related to this category for subject_category_id in self.driver.get_subject_categories_dict(intra_extension_id): @@ -982,7 +1056,7 @@ class IntraExtensionManager(manager.Manager): def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict): subjects_dict = self.driver.get_subjects_dict(intra_extension_id) for subject_id in subjects_dict: - if subjects_dict[subject_id]["name"] is subject_dict['name']: + if subjects_dict[subject_id]["name"] == subject_dict['name']: raise SubjectNameExisting() # Next line will raise an error if user is not present in Keystone database subject_keystone_dict = self.identity_api.get_user_by_name(subject_dict['name'], "default") @@ -1000,7 +1074,7 @@ class IntraExtensionManager(manager.Manager): def add_object_dict(self, user_id, intra_extension_id, object_name): object_dict = self.driver.get_objects_dict(intra_extension_id) for object_id in object_dict: - if object_dict[object_id]["name"] is object_name: + if object_dict[object_id]["name"] == object_name: raise ObjectNameExisting() return self.driver.set_object_dict(intra_extension_id, uuid4().hex, object_name) @@ -1009,7 +1083,7 @@ class IntraExtensionManager(manager.Manager): def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict): objects_dict = self.driver.get_objects_dict(intra_extension_id) for object_id in objects_dict: - if objects_dict[object_id]["name"] is object_dict['name']: + if objects_dict[object_id]["name"] == object_dict['name']: raise ObjectNameExisting() return self.driver.set_object_dict(intra_extension_id, object_id, object_dict) @@ -1043,16 +1117,16 @@ class IntraExtensionManager(manager.Manager): def add_action_dict(self, user_id, intra_extension_id, action_name): action_dict = self.driver.get_actions_dict(intra_extension_id) for action_id in action_dict: - if action_dict[action_id]["name"] is action_name: + if action_dict[action_id]["name"] == action_name: raise ActionNameExisting() - return self.driver.add_action_dict(intra_extension_id, uuid4().hex, action_name) + return self.driver.set_action_dict(intra_extension_id, uuid4().hex, action_name) @filter_input @enforce(("read", "write"), "actions") def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict): actions_dict = self.driver.get_actions_dict(intra_extension_id) for action_id in actions_dict: - if actions_dict[action_id]["name"] is action_dict['name']: + if actions_dict[action_id]["name"] == action_dict['name']: raise ActionNameExisting() return self.driver.set_action_dict(intra_extension_id, action_id, action_dict) @@ -1107,10 +1181,10 @@ class IntraExtensionManager(manager.Manager): raise SubjectCategoryUnknown() subject_scopes_dict = self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id) for _subject_scope_id in subject_scopes_dict: - if subject_scope_dict['name'] is subject_scopes_dict[_subject_scope_id]['name']: + if subject_scope_dict['name'] == subject_scopes_dict[_subject_scope_id]['name']: raise SubjectScopeNameExisting() subject_scope_id = uuid4().hex - return self.driver.add_subject_scope_dict(intra_extension_id, subject_category_id, subject_scope_id, subject_scope_dict) + return self.driver.set_subject_scope_dict(intra_extension_id, subject_category_id, subject_scope_id, subject_scope_dict) @filter_input @enforce("read", "subject_scopes") @@ -1151,12 +1225,12 @@ class IntraExtensionManager(manager.Manager): raise SubjectCategoryUnknown() subject_scope_dict = self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id) for _subject_scope_id in subject_scope_dict: - if subject_scope_name is subject_scope_dict[_subject_scope_id]['name']: + if subject_scope_name == subject_scope_dict[_subject_scope_id]['name']: raise SubjectScopeNameExisting() - return self.driver.set_subject_scope_dict(intra_extension_id, subject_category_id, uuid4().hex, subject_scope_dict) + return self.driver.set_subject_scope_dict(intra_extension_id, subject_category_id, subject_scope_id, subject_scope_dict) @filter_input - @enforce("read", "object_category_scopes") + @enforce("read", "object_scopes") @enforce("read", "object_categories") def get_object_scopes_dict(self, user_id, intra_extension_id, object_category_id): if object_category_id not in self.driver.get_object_categories_dict(intra_extension_id): @@ -1171,10 +1245,10 @@ class IntraExtensionManager(manager.Manager): raise ObjectCategoryUnknown() object_scope_dict = self.driver.get_object_scopes_dict(intra_extension_id, object_category_id) for _object_scope_id in object_scope_dict: - if object_scope_name is object_scope_dict[_object_scope_id]['name']: + if object_scope_name == object_scope_dict[_object_scope_id]['name']: raise ObjectScopeNameExisting() object_scope_id = uuid4().hex - return self.driver.add_subject_scope_dict( + return self.driver.set_object_scope_dict( intra_extension_id, object_category_id, object_scope_id, @@ -1219,15 +1293,15 @@ class IntraExtensionManager(manager.Manager): raise ObjectCategoryUnknown() object_scope_dict = self.driver.get_object_scopes_dict(intra_extension_id, object_category_id) for _object_scope_id in object_scope_dict: - if object_scope_name is object_scope_dict[_object_scope_id]['name']: + if object_scope_name == object_scope_dict[_object_scope_id]['name']: raise ObjectScopeNameExisting() - return self.driver.set_object_scope_dict(intra_extension_id, object_category_id, uuid4().hex, object_scope_dict) + return self.driver.set_object_scope_dict(intra_extension_id, object_category_id, object_scope_id, object_scope_dict) @filter_input - @enforce("read", "action_category_scopes") + @enforce("read", "action_scopes") @enforce("read", "action_categories") def get_action_scopes_dict(self, user_id, intra_extension_id, action_category_id): - if action_category_id not in self.driver.get_object_categories_dict(intra_extension_id): + if action_category_id not in self.driver.get_action_categories_dict(intra_extension_id): raise ActionCategoryUnknown() return self.driver.get_action_scopes_dict(intra_extension_id, action_category_id) @@ -1239,10 +1313,10 @@ class IntraExtensionManager(manager.Manager): raise ActionCategoryUnknown() action_scope_dict = self.driver.get_action_scopes_dict(intra_extension_id, action_category_id) for _action_scope_id in action_scope_dict: - if action_scope_name is action_scope_dict[_action_scope_id]['name']: + if action_scope_name == action_scope_dict[_action_scope_id]['name']: raise ActionScopeNameExisting() action_scope_id = uuid4().hex - return self.driver.add_action_scope_dict( + return self.driver.set_action_scope_dict( intra_extension_id, action_category_id, action_scope_id, @@ -1279,6 +1353,22 @@ class IntraExtensionManager(manager.Manager): self.driver.del_rule(intra_extension_id, sub_meta_rule_id, rule_id) return self.driver.del_action_scope(intra_extension_id, action_category_id, action_scope_id) + @filter_input + @enforce(("read", "write"), "action_scopes") + @enforce("read", "action_categories") + def set_action_scope_dict(self, user_id, intra_extension_id, action_category_id, action_scope_id, action_scope_name): + if action_category_id not in self.driver.get_action_categories_dict(intra_extension_id): + raise ActionCategoryUnknown() + action_scope_dict = self.driver.get_action_scopes_dict(intra_extension_id, action_category_id) + for _action_scope_id in action_scope_dict: + if action_scope_name == action_scope_dict[_action_scope_id]['name']: + raise ActionScopeNameExisting() + return self.driver.set_action_scope_dict( + intra_extension_id, + action_category_id, + action_scope_id, + action_scope_name) + # Assignment functions @filter_input @@ -1286,7 +1376,7 @@ class IntraExtensionManager(manager.Manager): @enforce("read", "subjects") @enforce("read", "subject_categories") def get_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id): - if subject_id not in self.driver.get_subjects_dict(user_id, intra_extension_id): + if subject_id not in self.driver.get_subjects_dict(intra_extension_id): raise SubjectUnknown() elif subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): raise SubjectCategoryUnknown() @@ -1298,6 +1388,7 @@ class IntraExtensionManager(manager.Manager): @enforce("read", "subject_categories") @enforce("read", "subject_scopes") def add_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): + print(subject_id, self.driver.get_subjects_dict(intra_extension_id)) if subject_id not in self.driver.get_subjects_dict(intra_extension_id): raise SubjectUnknown() if subject_category_id not in self.driver.get_subject_categories_dict(intra_extension_id): @@ -1320,16 +1411,16 @@ class IntraExtensionManager(manager.Manager): raise SubjectCategoryUnknown() elif subject_scope_id not in self.driver.get_subject_scopes_dict(intra_extension_id, subject_category_id): raise SubjectScopeUnknown() - elif subject_scope_id not in self.driver.get_subject_assignment_list(intra_extension_id, subject_id)[subject_category_id]: + elif subject_scope_id not in self.driver.get_subject_assignment_list(intra_extension_id, subject_id, subject_category_id): raise SubjectAssignmentUnknown() - self.driver.del_subject_category_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id) + self.driver.del_subject_assignment(intra_extension_id, subject_id, subject_category_id, subject_scope_id) @filter_input @enforce("read", "object_assignments") @enforce("read", "objects") @enforce("read", "object_categories") def get_object_assignment_list(self, user_id, intra_extension_id, object_id, object_category_id): - if object_id not in self.driver.get_objects_dict(user_id, intra_extension_id): + if object_id not in self.driver.get_objects_dict(intra_extension_id): raise ObjectUnknown() elif object_category_id not in self.driver.get_object_categories_dict(intra_extension_id): raise ObjectCategoryUnknown() @@ -1346,7 +1437,7 @@ class IntraExtensionManager(manager.Manager): raise ObjectCategoryUnknown() elif object_scope_id not in self.driver.get_object_scopes_dict(intra_extension_id, object_category_id): raise ObjectScopeUnknown() - elif object_scope_id in self.driver.get_object_assignment_list(intra_extension_id, object_id)[object_category_id]: + elif object_scope_id in self.driver.get_object_assignment_list(intra_extension_id, object_id, object_category_id): raise ObjectAssignmentExisting() return self.driver.add_object_assignment_list(intra_extension_id, object_id, object_category_id, object_scope_id) @@ -1362,16 +1453,16 @@ class IntraExtensionManager(manager.Manager): raise ObjectCategoryUnknown() elif object_scope_id not in self.driver.get_object_scopes_dict(intra_extension_id, object_category_id): raise ObjectScopeUnknown() - elif object_scope_id not in self.driver.get_subject_assignment_list(intra_extension_id, object_id)[object_category_id]: + elif object_scope_id not in self.driver.get_object_assignment_list(intra_extension_id, object_id, object_category_id): raise ObjectAssignmentUnknown() - return self.driver.del_object_assignment(intra_extension_id, object_id, object_category_id, object_scope_id) + self.driver.del_object_assignment(intra_extension_id, object_id, object_category_id, object_scope_id) @filter_input @enforce("read", "action_assignments") @enforce("read", "actions") @enforce("read", "action_categories") def get_action_assignment_list(self, user_id, intra_extension_id, action_id, action_category_id): - if action_id not in self.driver.get_actions_dict(user_id, intra_extension_id): + if action_id not in self.driver.get_actions_dict(intra_extension_id): raise ActionUnknown() elif action_category_id not in self.driver.get_action_categories_dict(intra_extension_id): raise ActionCategoryUnknown() @@ -1388,7 +1479,7 @@ class IntraExtensionManager(manager.Manager): raise ActionCategoryUnknown() elif action_scope_id not in self.driver.get_action_scopes_dict(intra_extension_id, action_category_id): raise ActionScopeUnknown() - elif action_scope_id in self.driver.get_action_assignment_list(intra_extension_id, action_id)[action_category_id]: + elif action_scope_id in self.driver.get_action_assignment_list(intra_extension_id, action_id, action_category_id): raise ObjectAssignmentExisting() return self.driver.add_action_assignment_list(intra_extension_id, action_id, action_category_id, action_scope_id) @@ -1404,7 +1495,7 @@ class IntraExtensionManager(manager.Manager): raise ActionCategoryUnknown() elif action_scope_id not in self.driver.get_action_scopes_dict(intra_extension_id, action_category_id): raise ActionScopeUnknown() - elif action_scope_id not in self.driver.get_action_assignment_list(intra_extension_id, action_id)[action_category_id]: + elif action_scope_id not in self.driver.get_action_assignment_list(intra_extension_id, action_id, action_category_id): raise ActionAssignmentUnknown() return self.driver.del_action_assignment(intra_extension_id, action_id, action_category_id, action_scope_id) @@ -1414,7 +1505,7 @@ class IntraExtensionManager(manager.Manager): @enforce(("read", "write"), "aggregation_algorithm") def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): if aggregation_algorithm_id: - if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms(ADMIN_ID): + if aggregation_algorithm_id not in self.configuration_api.get_aggregation_algorithms_dict(ADMIN_ID): raise AggregationAlgorithmUnknown() else: aggregation_algorithm_id = uuid4().hex @@ -1433,9 +1524,10 @@ class IntraExtensionManager(manager.Manager): } } """ - if not self.driver.get_aggregation_algorithms_dict(intra_extension_id): + aggregation_algorithm_dict = self.driver.get_aggregation_algorithm_dict(intra_extension_id) + if not aggregation_algorithm_dict: raise AggregationAlgorithmNotExisting() - return self.driver.get_aggregation_algorithms_dict(intra_extension_id) + return aggregation_algorithm_dict @filter_input @enforce("read", "sub_meta_rules") @@ -1458,17 +1550,20 @@ class IntraExtensionManager(manager.Manager): @filter_input @enforce(("read", "write"), "sub_meta_rules") - @enforce("write", "rule") + @enforce("write", "rules") def add_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_dict): sub_meta_rules_dict = self.driver.get_sub_meta_rules_dict(intra_extension_id) for _sub_meta_rule_id in sub_meta_rules_dict: - if sub_meta_rule_dict['name'] is sub_meta_rules_dict[_sub_meta_rule_id]["name"]: + if sub_meta_rule_dict['name'] == sub_meta_rules_dict[_sub_meta_rule_id]["name"]: raise SubMetaRuleNameExisting() - elif sub_meta_rule_dict['subject_categories'] is sub_meta_rules_dict[_sub_meta_rule_id]["subject_categories"] and \ - sub_meta_rule_dict['object_categories'] is sub_meta_rules_dict[_sub_meta_rule_id]["object_categories"] and \ - sub_meta_rule_dict['action_categories'] is sub_meta_rules_dict[_sub_meta_rule_id]["action_categories"] and \ - sub_meta_rule_dict['algorithm'] is sub_meta_rules_dict[_sub_meta_rule_id]["algorithm"]: + elif sub_meta_rule_dict['subject_categories'] == sub_meta_rules_dict[_sub_meta_rule_id]["subject_categories"] and \ + sub_meta_rule_dict['object_categories'] == sub_meta_rules_dict[_sub_meta_rule_id]["object_categories"] and \ + sub_meta_rule_dict['action_categories'] == sub_meta_rules_dict[_sub_meta_rule_id]["action_categories"] and \ + sub_meta_rule_dict['algorithm'] == sub_meta_rules_dict[_sub_meta_rule_id]["algorithm"]: raise SubMetaRuleExisting() + algorithms = self.configuration_api.get_sub_meta_rule_algorithms_dict(user_id) + if sub_meta_rule_dict['algorithm'] not in algorithms.keys(): + raise SubMetaRuleAlgorithmNotExisting() sub_meta_rule_id = uuid4().hex # TODO (dthom): add new sub-meta-rule to rule # self.driver.add_rule(intra_extension_id, sub_meta_rule_id, []) @@ -1484,7 +1579,7 @@ class IntraExtensionManager(manager.Manager): @filter_input @enforce(("read", "write"), "sub_meta_rules") - @enforce(("read", "write"), "rule") + @enforce(("read", "write"), "rules") def del_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id): if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id): raise SubMetaRuleUnknown() @@ -1494,7 +1589,7 @@ class IntraExtensionManager(manager.Manager): @filter_input @enforce(("read", "write"), "sub_meta_rules") - @enforce("write", "rule") + @enforce("write", "rules") def set_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, sub_meta_rule_dict): if sub_meta_rule_id not in self.driver.get_sub_meta_rules_dict(intra_extension_id): raise SubMetaRuleUnknown() @@ -1572,10 +1667,15 @@ class IntraExtensionAuthzManager(IntraExtensionManager): """Check authorization for a particular action. :return: True or False or raise an exception """ + print("AUTHZ", tenant_name, subject_name, object_name, action_name, genre) + if genre == "authz": + genre = "intra_authz_extension_id" + elif genre == "admin": + genre = "intra_admin_extension_id" tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) tenant_id = None for _tenant_id in tenants_dict: - if tenants_dict[_tenant_id] is tenant_name: + if tenants_dict[_tenant_id]["name"] == tenant_name: tenant_id = _tenant_id break @@ -1586,179 +1686,235 @@ class IntraExtensionAuthzManager(IntraExtensionManager): subjects_dict = self.driver.get_subjects_dict(intra_extension_id) subject_id = None for _subject_id in subjects_dict: - if subjects_dict[_subject_id]['keystone_name'] is subject_name: - subject_id = _subject_id + if subjects_dict[_subject_id]['keystone_name'] == subject_name: + subject_id = subjects_dict[_subject_id]['keystone_id'] + # subject_id = _subject_id + break if not subject_id: raise SubjectUnknown() objects_dict = self.driver.get_objects_dict(intra_extension_id) object_id = None for _object_id in objects_dict: - if objects_dict[_object_id]['name'] is object_name: + if objects_dict[_object_id]['name'] == object_name: object_id = _object_id + break if not object_id: raise ObjectUnknown() actions_dict = self.driver.get_actions_dict(intra_extension_id) action_id = None for _action_id in actions_dict: - if actions_dict[_action_id] is action_name: + if actions_dict[_action_id]['name'] == action_name: action_id = _action_id + break if not action_id: raise ActionUnknown() return super(IntraExtensionAuthzManager, self).authz(intra_extension_id, subject_id, object_id, action_id) def add_subject_dict(self, user_id, intra_extension_id, subject_dict): - subject = super(IntraExtensionAuthzManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict) + subject = super(IntraExtensionAuthzManager, self).add_subject_dict(user_id, intra_extension_id, subject_dict) + subject_id, subject_value = subject.iteritems().next() tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: - self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], subject['id'], subject_dict) + _subjects = self.driver.get_subjects_dict(tenants_dict[tenant_id]["intra_admin_extension_id"]) + if subject_value["name"] not in [_subjects[_id]["name"] for _id in _subjects]: + self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value) break if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id: - self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], subject['id'], subject_dict) + _subjects = self.driver.get_subjects_dict(tenants_dict[tenant_id]["intra_authz_extension_id"]) + if subject_value["name"] not in [_subjects[_id]["name"] for _id in _subjects]: + self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], uuid4().hex, subject_value) break return subject def del_subject(self, user_id, intra_extension_id, subject_id): + subject_name = self.driver.get_subjects_dict(intra_extension_id)[subject_id]["name"] super(IntraExtensionAuthzManager, self).del_subject(user_id, intra_extension_id, subject_id) tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: + subject_id = self.driver.get_uuid_from_name(tenants_dict[tenant_id]["intra_admin_extension_id"], + subject_name, + self.driver.SUBJECT) self.driver.del_subject(tenants_dict[tenant_id]["intra_admin_extension_id"], subject_id) break if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id: + subject_id = self.driver.get_uuid_from_name(tenants_dict[tenant_id]["intra_authz_extension_id"], + subject_name, + self.driver.SUBJECT) self.driver.del_subject(tenants_dict[tenant_id]["intra_authz_extension_id"], subject_id) break def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict): subject = super(IntraExtensionAuthzManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict) + subject_id, subject_value = subject.iteritems().next() tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: - self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], subject['id'], subject_dict) + self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value) break if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id: - self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], subject['id'], subject_dict) + self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], uuid4().hex, subject_value) break return subject - def get_subject_categories_dict(self, user_id, intra_extension_id): - raise AuthzException() - - def get_subject_category(self, user_id, intra_extension_id, subject_category_id): - raise AuthzException() - - def get_object_category_dict(self, user_id, intra_extension_id): - raise AuthzException() - - def get_object_category(self, user_id, intra_extension_id, object_category_id): - raise AuthzException() - - def get_action_category_dict(self, user_id, intra_extension_id): - raise AuthzException() - - def get_action_category(self, user_id, intra_extension_id, action_category_id): - raise AuthzException() - - def get_subjects_dict(self, user_id, intra_extension_id): - raise AuthzException() - - def get_subject_dict(self, user_id, intra_extension_id, subject_id): - raise AuthzException() - - def get_objects_dict(self, user_id, intra_extension_id): - raise AuthzException() - - def get_object_dict(self, user_id, intra_extension_id, object_id): - raise AuthzException() - - def get_actions_dict(self, user_id, intra_extension_id): - raise AuthzException() - - def get_action_dict(self, user_id, intra_extension_id, action_id): - raise AuthzException() - - def get_subject_scopes_dict(self, user_id, intra_extension_id, subject_category_id): - raise AuthzException() - - def get_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_id): - raise AuthzException() - - def get_object_scopes_dict(self, user_id, intra_extension_id, object_category_id): - raise AuthzException() - - def get_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_id): - raise AuthzException() - - def get_action_scopes_dict(self, user_id, intra_extension_id, action_category_id): - raise AuthzException() - - def get_action_scope_dict(self, user_id, intra_extension_id, action_category_id, action_scope_id): - raise AuthzException() - - def get_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id): - raise AuthzException() - - def get_object_assignment_list(self, user_id, intra_extension_id, object_id, object_category_id): - raise AuthzException() - - def get_action_assignment_list(self, user_id, intra_extension_id, action_id, action_category_id): - raise AuthzException() - - def get_aggregation_algorithm_dict(self, user_id, intra_extension_id): - raise AuthzException() - - def get_sub_meta_rules_dict(self, user_id, intra_extension_id): - raise AuthzException() - - def get_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id): - raise AuthzException() - - def get_rules_dict(self, user_id, intra_extension_id, sub_meta_rule_id): - raise AuthzException() - - def get_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id): - raise AuthzException() + # def add_subject_category(self, user_id, intra_extension_id, subject_category_dict): + # raise AuthzException() + # + # def del_subject_category(self, user_id, intra_extension_id, subject_category_id): + # raise AuthzException() + # + # def set_subject_category(self, user_id, intra_extension_id, subject_category_id, subject_category_dict): + # raise AuthzException() + # + # def add_object_category(self, user_id, intra_extension_id, object_category_dict): + # raise AuthzException() + # + # def del_object_category(self, user_id, intra_extension_id, object_category_id): + # raise AuthzException() + # + # def add_action_category(self, user_id, intra_extension_id, action_category_name): + # raise AuthzException() + # + # def del_action_category(self, user_id, intra_extension_id, action_category_id): + # raise AuthzException() + # + # def add_object_dict(self, user_id, intra_extension_id, object_name): + # raise AuthzException() + # + # def set_object_dict(self, user_id, intra_extension_id, object_id, object_dict): + # raise AuthzException() + # + # def del_object(self, user_id, intra_extension_id, object_id): + # raise AuthzException() + # + # def add_action_dict(self, user_id, intra_extension_id, action_name): + # raise AuthzException() + # + # def set_action_dict(self, user_id, intra_extension_id, action_id, action_dict): + # raise AuthzException() + # + # def del_action(self, user_id, intra_extension_id, action_id): + # raise AuthzException() + # + # def add_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_dict): + # raise AuthzException() + # + # def del_subject_scope(self, user_id, intra_extension_id, subject_category_id, subject_scope_id): + # raise AuthzException() + # + # def set_subject_scope_dict(self, user_id, intra_extension_id, subject_category_id, subject_scope_id, subject_scope_name): + # raise AuthzException() + # + # def add_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_name): + # raise AuthzException() + # + # def del_object_scope(self, user_id, intra_extension_id, object_category_id, object_scope_id): + # raise AuthzException() + # + # def set_object_scope_dict(self, user_id, intra_extension_id, object_category_id, object_scope_id, object_scope_name): + # raise AuthzException() + # + # def add_action_scope_dict(self, user_id, intra_extension_id, action_category_id, action_scope_name): + # raise AuthzException() + # + # def del_action_scope(self, user_id, intra_extension_id, action_category_id, action_scope_id): + # raise AuthzException() + # + # def add_subject_assignment_list(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): + # raise AuthzException() + # + # def del_subject_assignment(self, user_id, intra_extension_id, subject_id, subject_category_id, subject_scope_id): + # raise AuthzException() + # + # def add_object_assignment_list(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id): + # raise AuthzException() + # + # def del_object_assignment(self, user_id, intra_extension_id, object_id, object_category_id, object_scope_id): + # raise AuthzException() + # + # def add_action_assignment_list(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id): + # raise AuthzException() + # + # def del_action_assignment(self, user_id, intra_extension_id, action_id, action_category_id, action_scope_id): + # raise AuthzException() + # + # def set_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): + # raise AuthzException() + # + # def del_aggregation_algorithm_dict(self, user_id, intra_extension_id, aggregation_algorithm_id): + # raise AuthzException() + # + # def add_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_dict): + # raise AuthzException() + # + # def del_sub_meta_rule(self, user_id, intra_extension_id, sub_meta_rule_id): + # raise AuthzException() + # + # def set_sub_meta_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, sub_meta_rule_dict): + # raise AuthzException() + # + # def add_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_list): + # raise AuthzException() + # + # def del_rule(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id): + # raise AuthzException() + # + # def set_rule_dict(self, user_id, intra_extension_id, sub_meta_rule_id, rule_id, rule_list): + # raise AuthzException() @dependency.provider('admin_api') -# @dependency.requires('configuration_api') class IntraExtensionAdminManager(IntraExtensionManager): def __init__(self): super(IntraExtensionAdminManager, self).__init__() def add_subject_dict(self, user_id, intra_extension_id, subject_dict): - subject = super(IntraExtensionAdminManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict) + subject = super(IntraExtensionAdminManager, self).add_subject_dict(user_id, intra_extension_id, subject_dict) + subject_id, subject_value = subject.iteritems().next() tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: - self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], subject['id'], subject_dict) + _subjects = self.driver.get_subjects_dict(tenants_dict[tenant_id]["intra_admin_extension_id"]) + if subject_value["name"] not in [_subjects[_id]["name"] for _id in _subjects]: + self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value) break if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id: - self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], subject['id'], subject_dict) + _subjects = self.driver.get_subjects_dict(tenants_dict[tenant_id]["intra_authz_extension_id"]) + if subject_value["name"] not in [_subjects[_id]["name"] for _id in _subjects]: + self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], uuid4().hex, subject_value) break return subject def del_subject(self, user_id, intra_extension_id, subject_id): + subject_name = self.driver.get_subjects_dict(intra_extension_id)[subject_id]["name"] super(IntraExtensionAdminManager, self).del_subject(user_id, intra_extension_id, subject_id) tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: + subject_id = self.driver.get_uuid_from_name(tenants_dict[tenant_id]["intra_admin_extension_id"], + subject_name, + self.driver.SUBJECT) self.driver.del_subject(tenants_dict[tenant_id]["intra_admin_extension_id"], subject_id) break if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id: + subject_id = self.driver.get_uuid_from_name(tenants_dict[tenant_id]["intra_authz_extension_id"], + subject_name, + self.driver.SUBJECT) self.driver.del_subject(tenants_dict[tenant_id]["intra_authz_extension_id"], subject_id) break def set_subject_dict(self, user_id, intra_extension_id, subject_id, subject_dict): subject = super(IntraExtensionAdminManager, self).set_subject_dict(user_id, intra_extension_id, subject_dict) + subject_id, subject_value = subject.iteritems().next() tenants_dict = self.tenant_api.get_tenants_dict(ADMIN_ID) for tenant_id in tenants_dict: if tenants_dict[tenant_id]["intra_authz_extension_id"] == intra_extension_id: - self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], subject['id'], subject_dict) + self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_admin_extension_id"], uuid4().hex, subject_value) break if tenants_dict[tenant_id]["intra_admin_extension_id"] == intra_extension_id: - self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], subject['id'], subject_dict) + self.driver.set_subject_dict(tenants_dict[tenant_id]["intra_authz_extension_id"], uuid4().hex, subject_value) break return subject @@ -1783,7 +1939,7 @@ class IntraExtensionAdminManager(IntraExtensionManager): @dependency.provider('moonlog_api') # Next line is mandatory in order to force keystone to process dependencies. -@dependency.requires('admin_api') +@dependency.requires('identity_api', 'tenant_api', 'configuration_api', 'authz_api', 'admin_api') class LogManager(manager.Manager): def __init__(self): @@ -1860,13 +2016,13 @@ class LogManager(manager.Manager): class ConfigurationDriver(object): - def get_policy_template_dict(self): + def get_policy_templates_dict(self): raise exception.NotImplemented() # pragma: no cover def get_aggregation_algorithm_dict(self): raise exception.NotImplemented() # pragma: no cover - def get_sub_meta_rule_algorithm_dict(self): + def get_sub_meta_rule_algorithms_dict(self): raise exception.NotImplemented() # pragma: no cover @@ -1984,8 +2140,6 @@ class IntraExtensionDriver(object): return data_values def get_uuid_from_name(self, intra_extension_uuid, name, data_name, category_name=None, category_uuid=None): - # print("get_uuid_from_name name = {}".format(name)) - # print("get_uuid_from_name data_name = {}".format(data_name)) data_values = self.__get_data_from_type( intra_extension_uuid=intra_extension_uuid, name=name, @@ -2149,10 +2303,10 @@ class IntraExtensionDriver(object): # Meta_rule functions - def set_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): + def set_aggregation_algorithm_dict(self, intra_extension_id, aggregation_algorithm_id, aggregation_algorithm_dict): raise exception.NotImplemented() # pragma: no cover - def get_aggregation_algorithm(self, intra_extension_id): + def get_aggregation_algorithm_dict(self, intra_extension_id): raise exception.NotImplemented() # pragma: no cover def del_aggregation_algorithm(self, intra_extension_id, aggregation_algorithm_id): diff --git a/keystone-moon/keystone/contrib/moon/exception.py b/keystone-moon/keystone/contrib/moon/exception.py index 75ccd187..6242447f 100644 --- a/keystone-moon/keystone/contrib/moon/exception.py +++ b/keystone-moon/keystone/contrib/moon/exception.py @@ -354,6 +354,13 @@ class AggregationAlgorithmUnknown(AdminMetaRule): logger = "ERROR" +class SubMetaRuleAlgorithmNotExisting(AdminMetaRule): + message_format = _("The given sub_meta_rule algorithm is unknown.") + code = 400 + title = 'Sub_meta_rule Algorithm Unknown' + logger = "ERROR" + + class SubMetaRuleUnknown(AdminMetaRule): message_format = _("The given sub meta rule is unknown.") code = 400 @@ -362,21 +369,21 @@ class SubMetaRuleUnknown(AdminMetaRule): class SubMetaRuleNameExisting(AdminMetaRule): - message_format = _("The sub meta rule name is existing.") + message_format = _("The sub meta rule name already exists.") code = 400 title = 'Sub Meta Rule Name Existing' logger = "ERROR" class SubMetaRuleExisting(AdminMetaRule): - message_format = _("The sub meta rule is existing.") + message_format = _("The sub meta rule already exists.") code = 400 title = 'Sub Meta Rule Existing' logger = "ERROR" class RuleExisting(AdminRule): - message_format = _("The rule is existing.") + message_format = _("The rule already exists.") code = 400 title = 'Rule Existing' logger = "ERROR" diff --git a/keystone-moon/keystone/tests/moon/backends/__init__.py b/keystone-moon/keystone/tests/moon/backends/__init__.py new file mode 100644 index 00000000..5b02576c --- /dev/null +++ b/keystone-moon/keystone/tests/moon/backends/__init__.py @@ -0,0 +1 @@ +__author__ = 'vdsq3226' diff --git a/keystone-moon/keystone/tests/moon/backends/test_sql_backend.py b/keystone-moon/keystone/tests/moon/backends/test_sql_backend.py new file mode 100644 index 00000000..27b8d3a0 --- /dev/null +++ b/keystone-moon/keystone/tests/moon/backends/test_sql_backend.py @@ -0,0 +1,43 @@ +# Copyright 2015 Open Platform for NFV Project, Inc. and its contributors +# This software is distributed under the terms and conditions of the 'Apache-2.0' +# license which can be found in the file 'LICENSE' in this package distribution +# or at 'http://www.apache.org/licenses/LICENSE-2.0'. + +"""Unit tests for core configuration.""" + +import uuid +from oslo_config import cfg +from keystone.tests import unit as tests +from keystone.contrib.moon.backends import sql +from keystone.tests.unit.ksfixtures import database +from keystone.contrib.moon.exception import * +from keystone.tests.unit import default_fixtures +from keystone.contrib.moon.core import LogManager + +CONF = cfg.CONF + + +class TestSQL(tests.TestCase): + + def setUp(self): + self.useFixture(database.Database()) + super(TestSQL, self).setUp() + self.load_backends() + self.load_fixtures(default_fixtures) + self.driver = sql.IntraExtensionConnector() + + def load_extra_backends(self): + return { + "moonlog_api": LogManager() + } + + def config_overrides(self): + super(TestSQL, self).config_overrides() + self.config_fixture.config( + group='moon', + tenant_driver='keystone.contrib.moon.backends.sql.ConfigurationConnector') + + def test_intra_extensions(self): + result = self.driver.get_intra_extensions_dict() + print(type(result)) + self.assertIn("toto", result) diff --git a/keystone-moon/keystone/tests/moon/unit/__init__.py b/keystone-moon/keystone/tests/moon/unit/__init__.py index 1b678d53..0cd835ce 100644 --- a/keystone-moon/keystone/tests/moon/unit/__init__.py +++ b/keystone-moon/keystone/tests/moon/unit/__init__.py @@ -2,3 +2,84 @@ # This software is distributed under the terms and conditions of the 'Apache-2.0' # license which can be found in the file 'LICENSE' in this package distribution # or at 'http://www.apache.org/licenses/LICENSE-2.0'. +import uuid +from keystone.contrib.moon.core import ADMIN_ID + +USER = { + 'name': 'admin', + 'domain_id': "default", + 'password': 'admin' +} +IE = { + "name": "test IE", + "policymodel": "policy_authz", + "description": "a simple description." +} + + +def create_intra_extension(self, policy_model="policy_authz"): + + IE["model"] = policy_model + IE["name"] = uuid.uuid4().hex + genre = "admin" + if "authz" in policy_model: + genre = "authz" + IE["genre"] = genre + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + ref = self.admin_api.load_intra_extension_dict(self.ADMIN_ID, intra_extension_dict=IE) + self.assertIsInstance(ref, dict) + return ref + + +# def create_tenant(self, authz_uuid): +# tenant = { +# "id": uuid.uuid4().hex, +# "name": "TestAuthzIntraExtensionManager", +# "enabled": True, +# "description": "", +# "domain_id": "default" +# } +# project = self.resource_api.create_project(tenant["id"], tenant) +# mapping = self.tenant_api.set_tenant_dict(project["id"], project["name"], authz_uuid, None) +# self.assertIsInstance(mapping, dict) +# self.assertIn("authz", mapping) +# self.assertEqual(mapping["authz"], authz_uuid) +# return mapping + + +def create_user(self, username="TestAdminIntraExtensionManagerUser"): + user = { + "id": uuid.uuid4().hex, + "name": username, + "enabled": True, + "description": "", + "domain_id": "default" + } + _user = self.identity_api.create_user(user) + return _user + +def create_mapping(self, tenant_name=None, authz_id=None, admin_id=None): + + from keystone.contrib.moon.core import ADMIN_ID + if not tenant_name: + tenant_name = uuid.uuid4().hex + + tenant = { + "id": uuid.uuid4().hex, + "name": tenant_name, + "description": uuid.uuid4().hex, + "intra_authz_extension_id": authz_id, + "intra_admin_extension_id": admin_id, + "enabled": True, + "domain_id": "default" + } + keystone_tenant = self.resource_api.create_project(tenant["id"], tenant) + mapping = self.tenant_api.add_tenant_dict(ADMIN_ID, tenant) + self.assertIsInstance(mapping, dict) + self.assertIn("intra_authz_extension_id", mapping[tenant["id"]]) + self.assertIn("intra_admin_extension_id", mapping[tenant["id"]]) + self.assertEqual(mapping[tenant["id"]]["intra_authz_extension_id"], authz_id) + self.assertEqual(mapping[tenant["id"]]["intra_admin_extension_id"], admin_id) + return tenant, mapping diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py index e6388559..1d612b7d 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_configuration.py @@ -12,11 +12,15 @@ from keystone.contrib.moon.core import ConfigurationManager from keystone.tests.unit.ksfixtures import database from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures +from keystone.contrib.moon.core import ADMIN_ID from keystone.contrib.moon.core import LogManager +from keystone.contrib.moon.core import IntraExtensionAdminManager +from keystone.tests.moon.unit import * CONF = cfg.CONF +@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') class TestConfigurationManager(tests.TestCase): def setUp(self): @@ -24,34 +28,52 @@ class TestConfigurationManager(tests.TestCase): super(TestConfigurationManager, self).setUp() self.load_backends() self.load_fixtures(default_fixtures) - self.manager = ConfigurationManager() + self.admin = create_user(self, username="admin") + self.demo = create_user(self, username="demo") + self.root_intra_extension = create_intra_extension(self, policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + self.manager = self.configuration_api def load_extra_backends(self): return { - "moonlog_api": LogManager() + "moonlog_api": LogManager(), + "admin_api": IntraExtensionAdminManager() } def config_overrides(self): super(TestConfigurationManager, self).config_overrides() self.config_fixture.config( group='moon', - tenant_driver='keystone.contrib.moon.backends.sql.ConfigurationConnector') + configuration_driver='keystone.contrib.moon.backends.memory.ConfigurationConnector' + ) + self.config_fixture.config( + group='moon', + tenant_driver='keystone.contrib.moon.backends.sql.TenantConnector') + self.policy_directory = 'examples/moon/policies' + self.config_fixture.config( + group='moon', + intraextension_driver='keystone.contrib.moon.backends.sql.IntraExtensionConnector') + self.config_fixture.config( + group='moon', + policy_directory=self.policy_directory) def test_get_policy_template_dict(self): - pass - - def test_get_policy_template_id_from_name(self): - pass - - def test_get_aggregation_algorithm_dict(self): - pass - - def test_get_aggregation_algorithm_id_from_name(self): - pass + data = self.manager.get_policy_templates_dict(self.ADMIN_ID) + self.assertIsInstance(data, dict) + self.assertIn("authz_templates", data) + self.assertIn("policy_root", data["authz_templates"]) - def test_get_sub_meta_rule_algorithm_dict(self): - pass + # def test_get_aggregation_algorithm_dict(self): + # admin_intra_extension = create_intra_extension(self, policy_model="policy_admin") + # print(admin_intra_extension) + # data = self.manager.get_aggregation_algorithm_dict(self.ADMIN_ID, admin_intra_extension['id']) + # print(data) - def test_get_sub_meta_rule_algorithm_id_from_name(self): - pass + # def test_get_sub_meta_rule_algorithm_dict(self): + # data = self.manager.get_sub_meta_rule_algorithm_dict(self.ADMIN_ID) + # print(data) + # + # self.assertEqual("", "ee") diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py index 97442228..68e4a79a 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_admin.py @@ -16,7 +16,8 @@ from keystone import resource from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager, TenantManager -from keystone.contrib.moon.core import DEFAULT_USER_ID +from keystone.contrib.moon.core import ADMIN_ID +from keystone.tests.moon.unit import * CONF = cfg.CONF @@ -32,14 +33,23 @@ IE = { "description": "a simple description." } +@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') class TestIntraExtensionAdminManagerOK(tests.TestCase): + # TODO: must be reviewed because some tests are on the authz interface def setUp(self): self.useFixture(database.Database()) super(TestIntraExtensionAdminManagerOK, self).setUp() self.load_backends() self.load_fixtures(default_fixtures) - self.manager = IntraExtensionAdminManager() + self.admin = create_user(self, username="admin") + self.demo = create_user(self, username="demo") + self.root_intra_extension = create_intra_extension(self, policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + self.manager = self.authz_api + self.admin_manager = self.admin_api def __get_key_from_value(self, value, values_dict): return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0] @@ -48,6 +58,8 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): return { "moonlog_api": LogManager(), "tenant_api": TenantManager(), + "admin_api": IntraExtensionAdminManager(), + "authz_api": IntraExtensionAuthzManager(), # "resource_api": resource.Manager(), } @@ -61,1207 +73,921 @@ class TestIntraExtensionAdminManagerOK(tests.TestCase): group='moon', policy_directory=self.policy_directory) - def create_intra_extension(self, policy_model="policy_admin"): - # Create the admin user because IntraExtension needs it - #self.admin = self.identity_api.create_user(USER) - IE["policymodel"] = policy_model - IE["name"] = uuid.uuid4().hex - self.ref = self.manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE) - self.assertIsInstance(self.ref, dict) - self.create_tenant(self.ref["id"]) - - def create_tenant(self, authz_uuid): - tenant = { - "id": uuid.uuid4().hex, - "name": "TestAuthzIntraExtensionManager", - "enabled": True, - "description": "", - "domain_id": "default" - } - project = self.resource_api.create_project(tenant["id"], tenant) - mapping = self.tenant_api.set_tenant_dict(project["id"], project["name"], authz_uuid, None) - self.assertIsInstance(mapping, dict) - self.assertIn("authz", mapping) - self.assertEqual(mapping["authz"], authz_uuid) - return mapping - - def create_user(self, username="TestAdminIntraExtensionManagerUser"): - user = { - "id": uuid.uuid4().hex, - "name": username, - "enabled": True, - "description": "", - "domain_id": "default" - } - _user = self.identity_api.create_user(user) - return _user - def delete_admin_intra_extension(self): self.manager.del_intra_extension(self.ref["id"]) def test_subjects(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - subjects = self.manager.get_subjects_dict("admin", self.ref["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"]) - self.assertIsInstance(subjects["subjects"], dict) - - new_subject = self.create_user() - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] - subjects = self.manager.set_subject_dict("admin", self.ref["id"], new_subjects) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"]) - self.assertEqual(subjects["subjects"], new_subjects) - self.assertIn(new_subject["id"], subjects["subjects"]) - + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + self.assertIn("keystone_name", value) + self.assertIn("keystone_id", value) + + create_user(self, "subject_test") + new_subject = {"name": "subject_test", "description": "subject_test"} + + subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject) + _subjects = dict(subjects) + self.assertEqual(len(_subjects.keys()), 1) + new_subject["id"] = _subjects.keys()[0] + value = subjects[new_subject["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject["description"]) + # Delete the new subject - self.manager.del_subject("admin", self.ref["id"], new_subject["id"]) - subjects = self.manager.get_subjects_dict("admin", self.ref["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"]) - self.assertNotIn(new_subject["id"], subjects["subjects"]) - - # Add a particular subject - subjects = self.manager.add_subject_dict("admin", self.ref["id"], new_subject["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subject", subjects) - self.assertIn("uuid", subjects["subject"]) - self.assertEqual(new_subject["name"], subjects["subject"]["name"]) - subjects = self.manager.get_subjects_dict("admin", self.ref["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(self.ref["id"], subjects["intra_extension_uuid"]) - self.assertIn(new_subject["id"], subjects["subjects"]) + self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"]) + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject["name"], value["name"]) + self.assertIn("description", value) def test_objects(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - objects = self.manager.get_objects_dict("admin", self.ref["id"]) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(self.ref["id"], objects["intra_extension_uuid"]) - self.assertIsInstance(objects["objects"], dict) - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] - objects = self.manager.set_object_dict("admin", self.ref["id"], new_objects) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(self.ref["id"], objects["intra_extension_uuid"]) - self.assertEqual(objects["objects"], new_objects) - self.assertIn(new_object["id"], objects["objects"]) - - # Delete the new object - self.manager.del_object("admin", self.ref["id"], new_object["id"]) - objects = self.manager.get_objects_dict("admin", self.ref["id"]) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(self.ref["id"], objects["intra_extension_uuid"]) - self.assertNotIn(new_object["id"], objects["objects"]) - - # Add a particular object - objects = self.manager.add_object_dict("admin", self.ref["id"], new_object["name"]) - self.assertIsInstance(objects, dict) - self.assertIn("object", objects) - self.assertIn("uuid", objects["object"]) - self.assertEqual(new_object["name"], objects["object"]["name"]) - new_object["id"] = objects["object"]["uuid"] - objects = self.manager.get_objects_dict("admin", self.ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + objects_id_list = [] self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(self.ref["id"], objects["intra_extension_uuid"]) - self.assertIn(new_object["id"], objects["objects"]) + for key, value in objects.iteritems(): + objects_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) def test_actions(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - actions = self.manager.get_actions_dict("admin", self.ref["id"]) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(self.ref["id"], actions["intra_extension_uuid"]) - self.assertIsInstance(actions["actions"], dict) - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] - actions = self.manager.set_action_dict("admin", self.ref["id"], new_actions) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(self.ref["id"], actions["intra_extension_uuid"]) - self.assertEqual(actions["actions"], new_actions) - self.assertIn(new_action["id"], actions["actions"]) - - # Delete the new action - self.manager.del_action("admin", self.ref["id"], new_action["id"]) - actions = self.manager.get_actions_dict("admin", self.ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + actions_id_list = [] self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(self.ref["id"], actions["intra_extension_uuid"]) - self.assertNotIn(new_action["id"], actions["actions"]) - - # Add a particular action - actions = self.manager.add_action_dict("admin", self.ref["id"], new_action["name"]) - self.assertIsInstance(actions, dict) - self.assertIn("action", actions) - self.assertIn("uuid", actions["action"]) - self.assertEqual(new_action["name"], actions["action"]["name"]) - new_action["id"] = actions["action"]["uuid"] - actions = self.manager.get_actions_dict("admin", self.ref["id"]) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(self.ref["id"], actions["intra_extension_uuid"]) - self.assertIn(new_action["id"], actions["actions"]) + for key, value in actions.iteritems(): + actions_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) def test_subject_categories(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - subject_categories = self.manager.get_subject_categories_dict("admin", self.ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIsInstance(subject_categories["subject_categories"], dict) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - new_subject_categories = dict() - new_subject_categories[new_subject_category["id"]] = new_subject_category["name"] - subject_categories = self.manager.set_subject_category_dict("admin", self.ref["id"], new_subject_categories) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) - self.assertEqual(subject_categories["subject_categories"], new_subject_categories) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"} + + subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category) + _subject_categories = dict(subject_categories) + self.assertEqual(len(_subject_categories.keys()), 1) + new_subject_category["id"] = _subject_categories.keys()[0] + value = subject_categories[new_subject_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject_category["description"]) # Delete the new subject_category - self.manager.del_subject_category("admin", self.ref["id"], new_subject_category["id"]) - subject_categories = self.manager.get_subject_categories_dict("admin", self.ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) - self.assertNotIn(new_subject_category["id"], subject_categories["subject_categories"]) - - # Add a particular subject_category - subject_categories = self.manager.add_subject_category( - "admin", - self.ref["id"], - new_subject_category["name"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_category", subject_categories) - self.assertIn("uuid", subject_categories["subject_category"]) - self.assertEqual(new_subject_category["name"], subject_categories["subject_category"]["name"]) - new_subject_category["id"] = subject_categories["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_categories_dict( - "admin", - self.ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) + self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject_category["name"], value["name"]) + self.assertIn("description", value) def test_object_categories(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - object_categories = self.manager.get_object_category_dict("admin", self.ref["id"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"]) - self.assertIsInstance(object_categories["object_categories"], dict) - - new_object_category = {"id": uuid.uuid4().hex, "name": "object_category_test"} - new_object_categories = dict() - new_object_categories[new_object_category["id"]] = new_object_category["name"] - object_categories = self.manager.set_object_category_dict("admin", self.ref["id"], new_object_categories) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"]) - self.assertEqual(object_categories["object_categories"], new_object_categories) - self.assertIn(new_object_category["id"], object_categories["object_categories"]) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_object_category = {"name": "object_category_test", "description": "object_category_test"} + + object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category) + _object_categories = dict(object_categories) + self.assertEqual(len(_object_categories.keys()), 1) + new_object_category["id"] = _object_categories.keys()[0] + value = object_categories[new_object_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_object_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_object_category["description"]) # Delete the new object_category - self.manager.del_object_category("admin", self.ref["id"], new_object_category["id"]) - object_categories = self.manager.get_object_category_dict("admin", self.ref["id"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"]) - self.assertNotIn(new_object_category["id"], object_categories["object_categories"]) - - # Add a particular object_category - object_categories = self.manager.add_object_category( - "admin", - self.ref["id"], - new_object_category["name"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_category", object_categories) - self.assertIn("uuid", object_categories["object_category"]) - self.assertEqual(new_object_category["name"], object_categories["object_category"]["name"]) - new_object_category["id"] = object_categories["object_category"]["uuid"] - object_categories = self.manager.get_object_category_dict( - "admin", - self.ref["id"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(self.ref["id"], object_categories["intra_extension_uuid"]) - self.assertIn(new_object_category["id"], object_categories["object_categories"]) - def test_action_categories(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() + self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"]) + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_object_category["name"], value["name"]) + self.assertIn("description", value) - action_categories = self.manager.get_action_category_dict("admin", self.ref["id"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"]) - self.assertIsInstance(action_categories["action_categories"], dict) - - new_action_category = {"id": uuid.uuid4().hex, "name": "action_category_test"} - new_action_categories = dict() - new_action_categories[new_action_category["id"]] = new_action_category["name"] - action_categories = self.manager.set_action_category_dict("admin", self.ref["id"], new_action_categories) + def test_action_categories(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"]) - self.assertEqual(action_categories["action_categories"], new_action_categories) - self.assertIn(new_action_category["id"], action_categories["action_categories"]) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_action_category = {"name": "action_category_test", "description": "action_category_test"} + + action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category) + _action_categories = dict(action_categories) + self.assertEqual(len(_action_categories.keys()), 1) + new_action_category["id"] = _action_categories.keys()[0] + value = action_categories[new_action_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_action_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_action_category["description"]) # Delete the new action_category - self.manager.del_action_category("admin", self.ref["id"], new_action_category["id"]) - action_categories = self.manager.get_action_category_dict("admin", self.ref["id"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"]) - self.assertNotIn(new_action_category["id"], action_categories["action_categories"]) - - # Add a particular action_category - action_categories = self.manager.add_action_category( - "admin", - self.ref["id"], - new_action_category["name"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_category", action_categories) - self.assertIn("uuid", action_categories["action_category"]) - self.assertEqual(new_action_category["name"], action_categories["action_category"]["name"]) - new_action_category["id"] = action_categories["action_category"]["uuid"] - action_categories = self.manager.get_action_category_dict( - "admin", - self.ref["id"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(self.ref["id"], action_categories["intra_extension_uuid"]) - self.assertIn(new_action_category["id"], action_categories["action_categories"]) - def test_subject_category_scope(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() + self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"]) + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_action_category["name"], value["name"]) + self.assertIn("description", value) - subject_categories = self.manager.set_subject_category_dict( - "admin", - self.ref["id"], + def test_subject_category_scope(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "admin", - uuid.uuid4().hex: "dev", + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: + for subject_category_id in subject_categories: + subject_category_scope = self.manager.get_subject_scopes_dict( - "admin", - self.ref["id"], - subject_category) + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) - - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = "new_subject_category_scope" - subject_category_scope = self.manager.set_subject_scope_dict( - "admin", - self.ref["id"], - subject_category, + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope = { + "name": "france", + "description": "france", + } + + subject_category_scope = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, new_subject_category_scope) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) + self.assertEqual(len(subject_category_scope.keys()), 1) + subject_category_scope_id = subject_category_scope.keys()[0] + subject_category_scope_value = subject_category_scope[subject_category_scope_id] + self.assertIn("name", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"]) + self.assertIn("description", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"]) # Delete the new subject_category_scope - self.manager.del_subject_scope( - "admin", - self.ref["id"], - subject_category, - new_subject_category_scope_uuid) - subject_category_scope = self.manager.get_subject_scopes_dict( - "admin", - self.ref["id"], - subject_category) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"]) - - # Add a particular subject_category_scope - subject_category_scope = self.manager.add_subject_scope_dict( - "admin", - self.ref["id"], - subject_category, - new_subject_category_scope[new_subject_category_scope_uuid]) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("uuid", subject_category_scope["subject_category_scope"]) - self.assertEqual(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"]["name"]) - subject_category_scope = self.manager.get_subject_scopes_dict( - "admin", - self.ref["id"], - subject_category) + + self.admin_manager.del_subject_scope( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + subject_category_scope_id) + subject_category_scope = self.admin_manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"]) + self.assertNotIn(subject_category_scope_id, subject_category_scope.keys()) def test_object_category_scope(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - object_categories = self.manager.set_object_category_dict( - "admin", - self.ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "id", - uuid.uuid4().hex: "domain", + "name": "country", + "description": "country", } ) - for object_category in object_categories["object_categories"]: + for object_category_id in object_categories: + object_category_scope = self.manager.get_object_scopes_dict( - "admin", - self.ref["id"], - object_category) + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) - - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = "new_object_category_scope" - object_category_scope = self.manager.set_object_scope_dict( - "admin", - self.ref["id"], - object_category, + self.assertEqual({}, object_category_scope) + + new_object_category_scope = { + "name": "france", + "description": "france", + } + + object_category_scope = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, new_object_category_scope) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"][object_category].values()) + self.assertEqual(len(object_category_scope.keys()), 1) + object_category_scope_id = object_category_scope.keys()[0] + object_category_scope_value = object_category_scope[object_category_scope_id] + self.assertIn("name", object_category_scope_value) + self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"]) + self.assertIn("description", object_category_scope_value) + self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"]) # Delete the new object_category_scope - self.manager.del_object_scope( - "admin", - self.ref["id"], - object_category, - new_object_category_scope_uuid) - object_category_scope = self.manager.get_object_scopes_dict( - "admin", - self.ref["id"], - object_category) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"]) - - # Add a particular object_category_scope - object_category_scope = self.manager.add_object_scope_dict( - "admin", - self.ref["id"], - object_category, - new_object_category_scope[new_object_category_scope_uuid]) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("uuid", object_category_scope["object_category_scope"]) - self.assertEqual(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"]["name"]) - object_category_scope = self.manager.get_object_scopes_dict( - "admin", - self.ref["id"], - object_category) + + self.admin_manager.del_object_scope( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + object_category_scope_id) + object_category_scope = self.admin_manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"]) + self.assertNotIn(object_category_scope_id, object_category_scope.keys()) def test_action_category_scope(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - action_categories = self.manager.set_action_category_dict( - "admin", - self.ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "compute", - uuid.uuid4().hex: "identity", + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: + for action_category_id in action_categories: + action_category_scope = self.manager.get_action_scopes_dict( - "admin", - self.ref["id"], - action_category) + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) - - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = "new_action_category_scope" - action_category_scope = self.manager.set_action_scope_dict( - "admin", - self.ref["id"], - action_category, + self.assertEqual({}, action_category_scope) + + new_action_category_scope = { + "name": "get", + "description": "get swift files", + } + + action_category_scope = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, new_action_category_scope) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"][action_category].values()) + self.assertEqual(len(action_category_scope.keys()), 1) + action_category_scope_id = action_category_scope.keys()[0] + action_category_scope_value = action_category_scope[action_category_scope_id] + self.assertIn("name", action_category_scope_value) + self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"]) + self.assertIn("description", action_category_scope_value) + self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"]) # Delete the new action_category_scope - self.manager.del_action_scope( - "admin", - self.ref["id"], - action_category, - new_action_category_scope_uuid) - action_category_scope = self.manager.get_action_scopes_dict( - "admin", - self.ref["id"], - action_category) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"]) - - # Add a particular action_category_scope - action_category_scope = self.manager.add_action_scope_dict( - "admin", - self.ref["id"], - action_category, - new_action_category_scope[new_action_category_scope_uuid]) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("uuid", action_category_scope["action_category_scope"]) - self.assertEqual(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"]["name"]) - action_category_scope = self.manager.get_action_scopes_dict( - "admin", - self.ref["id"], - action_category) + + self.admin_manager.del_action_scope( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + action_category_scope_id) + action_category_scope = self.admin_manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"]) + self.assertNotIn(action_category_scope_id, action_category_scope.keys()) def test_subject_category_assignment(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - new_subject = self.create_user() - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] - subjects = self.manager.set_subject_dict("admin", self.ref["id"], new_subjects) - - new_subject_category_uuid = uuid.uuid4().hex - new_subject_category_value = "role" - subject_categories = self.manager.set_subject_category_dict( - "admin", - self.ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + admin_authz_subject_id, admin_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + demo_authz_subject_id, demo_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next() + + subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - new_subject_category_uuid: new_subject_category_value + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: + for subject_category_id in subject_categories: subject_category_scope = self.manager.get_subject_scopes_dict( - "admin", - self.ref["id"], - subject_category) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) - - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = "admin" - subject_category_scope = self.manager.set_subject_scope_dict( - "admin", - self.ref["id"], - subject_category, - new_subject_category_scope) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) - - new_subject_category_scope2 = dict() - new_subject_category_scope2_uuid = uuid.uuid4().hex - new_subject_category_scope2[new_subject_category_scope2_uuid] = "dev" - subject_category_scope = self.manager.set_subject_scope_dict( - "admin", - self.ref["id"], - subject_category, - new_subject_category_scope2) + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(self.ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope2[new_subject_category_scope2_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) - - subject_category_assignments = self.manager.get_subject_assignment_dict( - "admin", - self.ref["id"], - new_subject["id"] + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope_1 = { + "name": "france", + "description": "france", + } + + subject_category_scope_1 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_1) + subject_category_scope_1_id = subject_category_scope_1.keys()[0] + + new_subject_category_scope_2 = { + "name": "china", + "description": "china", + } + + subject_category_scope_2 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_2) + subject_category_scope_2_id = subject_category_scope_2.keys()[0] + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, + subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, subject_category_assignments["subject_category_assignments"][new_subject["id"]]) - - subject_category_assignments = self.manager.set_subject_assignment_dict( - "admin", - self.ref["id"], - new_subject["id"], - { - new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid], - } + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, + subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) - subject_category_assignments = self.manager.get_subject_assignment_dict( - "admin", - self.ref["id"], - new_subject["id"] + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) - - self.manager.del_subject_assignment( - "admin", - self.ref["id"], - new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + self.assertIsInstance(subject_category_assignments, list) + + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - subject_category_assignments = self.manager.get_subject_assignment_dict( - "admin", - self.ref["id"], - new_subject["id"] + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope2_uuid, ]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) - - data = self.manager.add_subject_assignment_list( - "admin", - self.ref["id"], - new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) - subject_category_assignments = self.manager.get_subject_assignment_dict( - "admin", - self.ref["id"], - new_subject["id"] + self.admin_manager.del_subject_assignment( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(self.ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope2_uuid, new_subject_category_scope_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) def test_object_category_assignment(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] - objects = self.manager.set_object_dict("admin", self.ref["id"], new_objects) - - new_object_category_uuid = uuid.uuid4().hex - new_object_category_value = "role" - object_categories = self.manager.set_object_category_dict( - "admin", - self.ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + + object_vm1_id = None + object_vm2_id = None + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] == 'vm1': + object_vm1_id = _object_id + if objects_dict[_object_id]['name'] == 'vm2': + object_vm2_id = _object_id + if not object_vm1_id or not object_vm2_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)") + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - new_object_category_uuid: new_object_category_value + "name": "location", + "description": "location", } ) - for object_category in object_categories["object_categories"]: + for object_category_id in object_categories: object_category_scope = self.manager.get_object_scopes_dict( - "admin", - self.ref["id"], - object_category) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) - - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = "admin" - object_category_scope = self.manager.set_object_scope_dict( - "admin", - self.ref["id"], - object_category, - new_object_category_scope) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"][object_category].values()) - - new_object_category_scope2 = dict() - new_object_category_scope2_uuid = uuid.uuid4().hex - new_object_category_scope2[new_object_category_scope2_uuid] = "dev" - object_category_scope = self.manager.set_object_scope_dict( - "admin", - self.ref["id"], - object_category, - new_object_category_scope2) + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(self.ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope2[new_object_category_scope2_uuid], - object_category_scope["object_category_scope"][object_category].values()) + self.assertEqual({}, object_category_scope) + + new_object_category_scope_1 = { + "name": "france", + "description": "france", + } + + object_category_scope_1 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_1) + object_category_scope_1_id = object_category_scope_1.keys()[0] + + new_object_category_scope_2 = { + "name": "china", + "description": "china", + } + + object_category_scope_2 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_2) + object_category_scope_2_id = object_category_scope_2.keys()[0] object_category_assignments = self.manager.get_object_assignment_list( - "admin", - self.ref["id"], - new_object["id"] - ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, object_category_assignments["object_category_assignments"][new_object["id"]]) - - object_category_assignments = self.manager.set_object_category_assignment_dict( - "admin", - self.ref["id"], - new_object["id"], - { - new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid], - } + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, + object_category_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) + object_category_assignments = self.manager.get_object_assignment_list( - "admin", - self.ref["id"], - new_object["id"] + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, + object_category_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) - - self.manager.del_object_assignment( - "admin", - self.ref["id"], - new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id ) - object_category_assignments = self.manager.get_object_assignment_list( - "admin", - self.ref["id"], - new_object["id"] + self.assertIsInstance(object_category_assignments, list) + + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope2_uuid, ]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) - - self.manager.add_object_assignment_list( - "admin", - self.ref["id"], - new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) - object_category_assignments = self.manager.get_object_assignment_list( - "admin", - self.ref["id"], - new_object["id"] + self.admin_manager.del_object_assignment( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(self.ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope2_uuid, new_object_category_scope_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) def test_action_category_assignment(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] - actions = self.manager.set_action_dict("admin", self.ref["id"], new_actions) - - new_action_category_uuid = uuid.uuid4().hex - new_action_category_value = "role" - action_categories = self.manager.set_action_category_dict( - "admin", - self.ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + + action_upload_id = None + action_list_id = None + for _action_id in actions_dict: + if actions_dict[_action_id]['name'] == 'upload': + action_upload_id = _action_id + if actions_dict[_action_id]['name'] == 'list': + action_list_id = _action_id + if not action_upload_id or not action_list_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)") + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - new_action_category_uuid: new_action_category_value + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: + for action_category_id in action_categories: action_category_scope = self.manager.get_action_scopes_dict( - "admin", - self.ref["id"], - action_category) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) - - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = "admin" - action_category_scope = self.manager.set_action_scope_dict( - "admin", - self.ref["id"], - action_category, - new_action_category_scope) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"][action_category].values()) - - new_action_category_scope2 = dict() - new_action_category_scope2_uuid = uuid.uuid4().hex - new_action_category_scope2[new_action_category_scope2_uuid] = "dev" - action_category_scope = self.manager.set_action_scope_dict( - "admin", - self.ref["id"], - action_category, - new_action_category_scope2) + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(self.ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope2[new_action_category_scope2_uuid], - action_category_scope["action_category_scope"][action_category].values()) + self.assertEqual({}, action_category_scope) + + new_action_category_scope_1 = { + "name": "swift_admin", + "description": "action require admin rights", + } + + action_category_scope_1 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_1) + action_category_scope_1_id = action_category_scope_1.keys()[0] + + new_action_category_scope_2 = { + "name": "swift_anonymous", + "description": "action require no right", + } + + action_category_scope_2 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_2) + action_category_scope_2_id = action_category_scope_2.keys()[0] action_category_assignments = self.manager.get_action_assignment_list( - "admin", - self.ref["id"], - new_action["id"] + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, + action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, action_category_assignments["action_category_assignments"][new_action["id"]]) - - action_category_assignments = self.manager.set_action_assignment_dict( - "admin", - self.ref["id"], - new_action["id"], - { - new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid], - } - ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) + action_category_assignments = self.manager.get_action_assignment_list( - "admin", - self.ref["id"], - new_action["id"] + admin_subject_id, + authz_ie_dict["id"], + action_list_id, + action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) - - self.manager.del_action_assignment( - "admin", - self.ref["id"], - new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id ) - action_category_assignments = self.manager.get_action_assignment_list( - "admin", - self.ref["id"], - new_action["id"] + self.assertIsInstance(action_category_assignments, list) + + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope2_uuid, ]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) - - self.manager.add_action_assignment_list( - "admin", - self.ref["id"], - new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) - action_category_assignments = self.manager.get_action_assignment_list( - "admin", - self.ref["id"], - new_action["id"] + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) + + self.admin_manager.del_action_assignment( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(self.ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope2_uuid, new_action_category_scope_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) def test_sub_meta_rules(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - aggregation_algorithms = self.manager.get_aggregation_algorithms("admin", self.ref["id"]) - self.assertIsInstance(aggregation_algorithms, dict) - self.assertIsInstance(aggregation_algorithms["aggregation_algorithms"], list) - self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"]) - self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"]) - - aggregation_algorithm = self.manager.get_aggregation_algorithm_dict("admin", self.ref["id"]) - self.assertIsInstance(aggregation_algorithm, dict) - self.assertIn("aggregation", aggregation_algorithm) - self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - - _aggregation_algorithm = list(aggregation_algorithms["aggregation_algorithms"]) - _aggregation_algorithm.remove(aggregation_algorithm["aggregation"]) - aggregation_algorithm = self.manager.set_aggregation_algorithm_dict("admin", self.ref["id"], _aggregation_algorithm[0]) - self.assertIsInstance(aggregation_algorithm, dict) - self.assertIn("aggregation", aggregation_algorithm) - self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - - sub_meta_rules = self.manager.get_sub_meta_rules_dict("admin", self.ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in aggregation_algorithms.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + # TODO: need more tests on aggregation_algorithms (set and del) + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, self.ref["model"], "metarule.json"))) - metarule = dict() categories = { - "subject_categories": self.manager.get_subject_categories_dict("admin", self.ref["id"]), - "object_categories": self.manager.get_object_category_dict("admin", self.ref["id"]), - "action_categories": self.manager.get_action_category_dict("admin", self.ref["id"]) + "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]), + "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]), + "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) } - for relation in sub_meta_rules_conf["sub_meta_rules"]: - metarule[relation] = dict() - for item in ("subject_categories", "object_categories", "action_categories"): - metarule[relation][item] = list() - for element in sub_meta_rules_conf["sub_meta_rules"][relation][item]: - metarule[relation][item].append(self.__get_key_from_value( - element, - categories[item][item] - )) - - for relation in sub_meta_rules["sub_meta_rules"]: - self.assertIn(relation, metarule) - for item in ("subject_categories", "object_categories", "action_categories"): - self.assertEqual( - sub_meta_rules["sub_meta_rules"][relation][item], - metarule[relation][item] - ) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - # Add a particular subject_category - data = self.manager.add_subject_category( - "admin", - self.ref["id"], - new_subject_category["name"]) - new_subject_category["id"] = data["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_categories_dict( - "admin", - self.ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(self.ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) - metarule[relation]["subject_categories"].append(new_subject_category["id"]) - _sub_meta_rules = self.manager.del_sub_meta_rule("admin", self.ref["id"], metarule) - self.assertIn(relation, metarule) - for item in ("subject_categories", "object_categories", "action_categories"): - self.assertEqual( - _sub_meta_rules["sub_meta_rules"][relation][item], - metarule[relation][item] - ) + for key, value in sub_meta_rules.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("action_categories", value) + self.assertIn("object_categories", value) + self.assertIn("subject_categories", value) + self.assertIn("algorithm", value) + self.assertIn("name", value) + for action_category_id in value["action_categories"]: + self.assertIn(action_category_id, categories["action_categories"]) + for object_category_id in value["object_categories"]: + self.assertIn(object_category_id, categories["object_categories"]) + for subject_category_id in value["subject_categories"]: + self.assertIn(subject_category_id, categories["subject_categories"]) + # TODO: need more tests (set and del) def test_sub_rules(self): - self.create_user("demo") - self.create_user("admin") - self.create_intra_extension() - - sub_meta_rules = self.manager.get_sub_meta_rules_dict("admin", self.ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - - sub_rules = self.manager.get_sub_rules("admin", self.ref["id"]) - self.assertIsInstance(sub_rules, dict) - self.assertIn("rules", sub_rules) - rules = dict() - for relation in sub_rules["rules"]: - self.assertIn(relation, self.manager.get_sub_meta_rule_relations("admin", self.ref["id"])["sub_meta_rule_relations"]) - rules[relation] = list() - for rule in sub_rules["rules"][relation]: + + for relation_id in sub_meta_rules: + rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id) + rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \ + len(sub_meta_rules[relation_id]["object_categories"]) + \ + len(sub_meta_rules[relation_id]["action_categories"]) + 1 + for rule_id in rules: + self.assertEqual(rule_length, len(rules[rule_id])) + rule = list(rules[rule_id]) for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: + for cat_value in sub_meta_rules[relation_id][cat]: scope = cat_func( - "admin", - self.ref["id"], + admin_subject_id, + authz_ie_dict["id"], cat_value ) a_scope = rule.pop(0) if type(a_scope) is not bool: - self.assertIn(a_scope, scope[func_name][cat_value]) - - # add a new subrule - - relation = sub_rules["rules"].keys()[0] - sub_rule = [] - for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), - ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: - scope = cat_func( - "admin", - self.ref["id"], - cat_value - ) - sub_rule.append(scope[func_name][cat_value].keys()[0]) - - sub_rule.append(True) - sub_rules = self.manager.set_sub_rule("admin", self.ref["id"], relation, sub_rule) - self.assertIsInstance(sub_rules, dict) - self.assertIn("rules", sub_rules) - rules = dict() - self.assertIn(sub_rule, sub_rules["rules"][relation]) - for relation in sub_rules["rules"]: - self.assertIn(relation, self.manager.get_sub_meta_rule_relations("admin", self.ref["id"])["sub_meta_rule_relations"]) - rules[relation] = list() - for rule in sub_rules["rules"][relation]: + self.assertIn(a_scope, scope.keys()) + + # add a new subrule + + sub_rule = [] + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + sub_rule.append(scope.keys()[0]) + + sub_rule.append(False) + + sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule) + self.assertIsInstance(sub_rules, dict) + self.assertIn(sub_rule, sub_rules.values()) + + for rule_id, rule_value in sub_rules.iteritems(): for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"), ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: + for cat_value in sub_meta_rules[relation_id][cat]: scope = cat_func( - "admin", - self.ref["id"], + admin_subject_id, + authz_ie_dict["id"], cat_value ) - a_scope = rule.pop(0) - self.assertIn(a_scope, scope[func_name][cat_value]) + a_scope = rule_value.pop(0) + self.assertIn(a_scope, scope.keys()) + + # TODO: add test for the delete function +@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') class TestIntraExtensionAdminManagerKO(tests.TestCase): + # TODO: must be reviewed because some tests are on the authz interface def setUp(self): self.useFixture(database.Database()) super(TestIntraExtensionAdminManagerKO, self).setUp() self.load_backends() self.load_fixtures(default_fixtures) - self.manager = IntraExtensionAuthzManager() - self.admin_manager = IntraExtensionAdminManager() + self.admin = create_user(self, username="admin") + self.demo = create_user(self, username="demo") + self.root_intra_extension = create_intra_extension(self, policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + self.manager = self.authz_api + self.admin_manager = self.admin_api def __get_key_from_value(self, value, values_dict): return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0] @@ -1270,6 +996,8 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): return { "moonlog_api": LogManager(), "tenant_api": TenantManager(), + "admin_api": IntraExtensionAdminManager(), + "authz_api": IntraExtensionAuthzManager(), # "resource_api": resource.Manager(), } @@ -1283,1519 +1011,1117 @@ class TestIntraExtensionAdminManagerKO(tests.TestCase): group='moon', policy_directory=self.policy_directory) - def create_tenant(self): - tenant = { - "id": uuid.uuid4().hex, - "name": "TestIntraExtensionAuthzManager", - "enabled": True, - "description": "", - "domain_id": "default" - } - return self.resource_api.create_project(tenant["id"], tenant) - - def create_mapping(self, tenant, authz_uuid=None, admin_uuid=None): - - mapping = self.tenant_api.set_tenant_dict(tenant["id"], tenant["name"], authz_uuid, admin_uuid) - self.assertIsInstance(mapping, dict) - self.assertIn("authz", mapping) - self.assertEqual(mapping["authz"], authz_uuid) - return mapping - - def create_user(self, username="admin"): - - _USER = dict(USER) - _USER["name"] = username - return self.identity_api.create_user(_USER) - - def create_intra_extension(self, policy_model="policy_authz"): - - IE["policymodel"] = policy_model - IE["name"] = uuid.uuid4().hex - ref = self.admin_manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE) - self.assertIsInstance(ref, dict) - return ref - def test_subjects(self): - admin_user = self.create_user("admin") - demo_user = self.create_user("demo") - ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_subjects_dict, - demo_user["id"], ref["id"]) - - subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(ref["id"], subjects["intra_extension_uuid"]) - self.assertIsInstance(subjects["subjects"], dict) - - new_subject = self.create_user("new_user") - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] - + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + self.assertIn("keystone_name", value) + self.assertIn("keystone_id", value) + + create_user(self, "subject_test") + new_subject = {"name": "subject_test", "description": "subject_test"} self.assertRaises( AuthzException, - self.manager.set_subject_dict, - demo_user["id"], ref["id"], new_subjects) - - subjects = self.manager.set_subject_dict(admin_user["id"], ref["id"], new_subjects) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(ref["id"], subjects["intra_extension_uuid"]) - self.assertEqual(subjects["subjects"], new_subjects) - self.assertIn(new_subject["id"], subjects["subjects"]) + self.manager.add_subject_dict, + demo_subject_id, admin_ie_dict["id"], new_subject) + + subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject) + _subjects = dict(subjects) + self.assertEqual(len(_subjects.keys()), 1) + new_subject["id"] = _subjects.keys()[0] + value = subjects[new_subject["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject["description"]) # Delete the new subject self.assertRaises( AuthzException, - self.manager.del_subject_dict, - demo_user["id"], ref["id"], new_subject["id"]) - - self.manager.del_subject(admin_user["id"], ref["id"], new_subject["id"]) - subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(ref["id"], subjects["intra_extension_uuid"]) - self.assertNotIn(new_subject["id"], subjects["subjects"]) - - # Add a particular subject - self.assertRaises( - AuthzException, - self.manager.add_subject_dict, - demo_user["id"], ref["id"], new_subject["id"]) + self.manager.del_subject, + demo_subject_id, authz_ie_dict["id"], new_subject["id"]) - subjects = self.manager.add_subject_dict(admin_user["id"], ref["id"], new_subject["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subject", subjects) - self.assertIn("uuid", subjects["subject"]) - self.assertEqual(new_subject["name"], subjects["subject"]["name"]) - subjects = self.manager.get_subjects_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(ref["id"], subjects["intra_extension_uuid"]) - self.assertIn(new_subject["id"], subjects["subjects"]) + self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"]) + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject["name"], value["name"]) + self.assertIn("description", value) def test_objects(self): - admin_user = self.create_user("admin") - demo_user = self.create_user("demo") - ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_objects_dict, - demo_user["id"], ref["id"]) - - objects = self.manager.get_objects_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + objects_id_list = [] self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(ref["id"], objects["intra_extension_uuid"]) - self.assertIsInstance(objects["objects"], dict) - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] - + for key, value in objects.iteritems(): + objects_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + create_user(self, "subject_test") + new_object = {"name": "object_test", "description": "object_test"} self.assertRaises( AuthzException, - self.manager.set_object_dict, - demo_user["id"], ref["id"], new_objects) - - objects = self.manager.set_object_dict(admin_user["id"], ref["id"], new_objects) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(ref["id"], objects["intra_extension_uuid"]) - self.assertEqual(objects["objects"], new_objects) - self.assertIn(new_object["id"], objects["objects"]) + self.manager.add_object_dict, + demo_subject_id, admin_ie_dict["id"], new_object) - # Delete the new object self.assertRaises( - AuthzException, - self.manager.del_object_dict, - demo_user["id"], ref["id"], new_object["id"]) - - self.manager.del_object(admin_user["id"], ref["id"], new_object["id"]) - objects = self.manager.get_objects_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(ref["id"], objects["intra_extension_uuid"]) - self.assertNotIn(new_object["id"], objects["objects"]) + ObjectsWriteNoAuthorized, + self.admin_manager.add_object_dict, + admin_subject_id, authz_ie_dict["id"], new_object + ) - # Add a particular object - self.assertRaises( - AuthzException, - self.manager.add_object_dict, - demo_user["id"], ref["id"], new_object["name"]) + # Delete the new object + for key in objects_id_list: + self.assertRaises( + AuthzException, + self.manager.del_object, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + AuthzException, + self.manager.del_object, + admin_subject_id, authz_ie_dict["id"], key) - objects = self.manager.add_object_dict(admin_user["id"], ref["id"], new_object["name"]) - self.assertIsInstance(objects, dict) - self.assertIn("object", objects) - self.assertIn("uuid", objects["object"]) - self.assertEqual(new_object["name"], objects["object"]["name"]) - new_object["id"] = objects["object"]["uuid"] - objects = self.manager.get_objects_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(ref["id"], objects["intra_extension_uuid"]) - self.assertIn(new_object["id"], objects["objects"]) + for key in objects_id_list: + self.assertRaises( + ObjectsWriteNoAuthorized, + self.admin_manager.del_object, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + ObjectsWriteNoAuthorized, + self.admin_manager.del_object, + admin_subject_id, authz_ie_dict["id"], key) def test_actions(self): - admin_user = self.create_user("admin") - demo_user = self.create_user("demo") - ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_actions_dict, - demo_user["id"], ref["id"]) - - actions = self.manager.get_actions_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + actions_id_list = [] self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(ref["id"], actions["intra_extension_uuid"]) - self.assertIsInstance(actions["actions"], dict) - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] - + for key, value in actions.iteritems(): + actions_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + create_user(self, "subject_test") + new_action = {"name": "action_test", "description": "action_test"} self.assertRaises( AuthzException, - self.manager.set_action_dict, - demo_user["id"], ref["id"], new_actions) + self.manager.add_action_dict, + demo_subject_id, admin_ie_dict["id"], new_action) - actions = self.manager.set_action_dict(admin_user["id"], ref["id"], new_actions) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(ref["id"], actions["intra_extension_uuid"]) - self.assertEqual(actions["actions"], new_actions) - self.assertIn(new_action["id"], actions["actions"]) - - # Delete the new action self.assertRaises( - AuthzException, - self.manager.del_action_dict, - demo_user["id"], ref["id"], new_action["id"]) - - self.manager.del_action(admin_user["id"], ref["id"], new_action["id"]) - actions = self.manager.get_actions_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(ref["id"], actions["intra_extension_uuid"]) - self.assertNotIn(new_action["id"], actions["actions"]) + ActionsWriteNoAuthorized, + self.admin_manager.add_action_dict, + admin_subject_id, authz_ie_dict["id"], new_action + ) - # Add a particular action - self.assertRaises( - AuthzException, - self.manager.add_action_dict, - demo_user["id"], ref["id"], new_action["name"]) + # Delete all actions + for key in actions_id_list: + self.assertRaises( + AuthzException, + self.manager.del_action, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + AuthzException, + self.manager.del_action, + admin_subject_id, authz_ie_dict["id"], key) - actions = self.manager.add_action_dict(admin_user["id"], ref["id"], new_action["name"]) - self.assertIsInstance(actions, dict) - self.assertIn("action", actions) - self.assertIn("uuid", actions["action"]) - self.assertEqual(new_action["name"], actions["action"]["name"]) - new_action["id"] = actions["action"]["uuid"] - actions = self.manager.get_actions_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(ref["id"], actions["intra_extension_uuid"]) - self.assertIn(new_action["id"], actions["actions"]) + for key in actions_id_list: + self.assertRaises( + ActionsWriteNoAuthorized, + self.admin_manager.del_action, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + ActionsWriteNoAuthorized, + self.admin_manager.del_action, + admin_subject_id, authz_ie_dict["id"], key) def test_subject_categories(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_subject_categories_dict, - demo_user["id"], ref["id"]) - - subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIsInstance(subject_categories["subject_categories"], dict) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - new_subject_categories = dict() - new_subject_categories[new_subject_category["id"]] = new_subject_category["name"] + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"} self.assertRaises( AuthzException, - self.manager.set_subject_category_dict, - demo_user["id"], ref["id"], new_subject_categories) - - subject_categories = self.manager.set_subject_category_dict(admin_user["id"], ref["id"], new_subject_categories) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertEqual(subject_categories["subject_categories"], new_subject_categories) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) + self.manager.add_subject_category, + demo_subject_id, admin_ie_dict["id"], new_subject_category) + + subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category) + _subject_categories = dict(subject_categories) + self.assertEqual(len(_subject_categories.keys()), 1) + new_subject_category["id"] = _subject_categories.keys()[0] + value = subject_categories[new_subject_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject_category["description"]) # Delete the new subject_category self.assertRaises( AuthzException, - self.manager.del_subject_category_dict, - demo_user["id"], ref["id"], new_subject_category["id"]) - - self.manager.del_subject_category(admin_user["id"], ref["id"], new_subject_category["id"]) - subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertNotIn(new_subject_category["id"], subject_categories["subject_categories"]) + self.manager.del_subject_category, + demo_subject_id, authz_ie_dict["id"], new_subject_category["id"]) - # Add a particular subject_category - self.assertRaises( - AuthzException, - self.manager.add_subject_category, - demo_user["id"], ref["id"], new_subject_category["name"]) - - subject_categories = self.manager.add_subject_category( - admin_user["id"], - ref["id"], - new_subject_category["name"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_category", subject_categories) - self.assertIn("uuid", subject_categories["subject_category"]) - self.assertEqual(new_subject_category["name"], subject_categories["subject_category"]["name"]) - new_subject_category["id"] = subject_categories["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_categories_dict( - admin_user["id"], - ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) + self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject_category["name"], value["name"]) + self.assertIn("description", value) def test_object_categories(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_object_category_dict, - demo_user["id"], ref["id"]) - - object_categories = self.manager.get_object_category_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(ref["id"], object_categories["intra_extension_uuid"]) - self.assertIsInstance(object_categories["object_categories"], dict) - - new_object_category = {"id": uuid.uuid4().hex, "name": "object_category_test"} - new_object_categories = dict() - new_object_categories[new_object_category["id"]] = new_object_category["name"] + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + new_object_category = {"name": "object_category_test", "description": "object_category_test"} self.assertRaises( AuthzException, - self.manager.set_object_category_dict, - demo_user["id"], ref["id"], new_object_categories) - - object_categories = self.manager.set_object_category_dict(admin_user["id"], ref["id"], new_object_categories) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(ref["id"], object_categories["intra_extension_uuid"]) - self.assertEqual(object_categories["object_categories"], new_object_categories) - self.assertIn(new_object_category["id"], object_categories["object_categories"]) + self.manager.add_object_category, + demo_subject_id, admin_ie_dict["id"], new_object_category) + + object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category) + _object_categories = dict(object_categories) + self.assertEqual(len(_object_categories.keys()), 1) + new_object_category["id"] = _object_categories.keys()[0] + value = object_categories[new_object_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_object_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_object_category["description"]) # Delete the new object_category self.assertRaises( AuthzException, self.manager.del_object_category, - demo_user["id"], ref["id"], new_object_category["id"]) - - self.manager.del_object_category(admin_user["id"], ref["id"], new_object_category["id"]) - object_categories = self.manager.get_object_category_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(ref["id"], object_categories["intra_extension_uuid"]) - self.assertNotIn(new_object_category["id"], object_categories["object_categories"]) + demo_subject_id, authz_ie_dict["id"], new_object_category["id"]) - # Add a particular object_category - self.assertRaises( - AuthzException, - self.manager.add_object_category, - demo_user["id"], ref["id"], new_object_category["name"]) - - object_categories = self.manager.add_object_category( - admin_user["id"], - ref["id"], - new_object_category["name"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_category", object_categories) - self.assertIn("uuid", object_categories["object_category"]) - self.assertEqual(new_object_category["name"], object_categories["object_category"]["name"]) - new_object_category["id"] = object_categories["object_category"]["uuid"] - object_categories = self.manager.get_object_category_dict( - admin_user["id"], - ref["id"]) - self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(ref["id"], object_categories["intra_extension_uuid"]) - self.assertIn(new_object_category["id"], object_categories["object_categories"]) + self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"]) + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_object_category["name"], value["name"]) + self.assertIn("description", value) def test_action_categories(self): - admin_user = self.create_user() - demo_user = self.create_user("demo") - tenant = self.create_tenant() - ie_authz = self.create_intra_extension("policy_authz") - ie_admin = self.create_intra_extension("policy_admin") - mapping = self.create_mapping(tenant, ie_authz["id"], ie_admin["id"]) - ref = ie_authz - # admin_user = self.create_user("admin") - # ref = self.create_intra_extension() - - self.assertRaises( - AuthzException, - self.manager.get_action_category_dict, - demo_user["id"], ref["id"]) - - action_categories = self.manager.get_action_category_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(ref["id"], action_categories["intra_extension_uuid"]) - self.assertIsInstance(action_categories["action_categories"], dict) - - new_action_category = {"id": uuid.uuid4().hex, "name": "action_category_test"} - new_action_categories = dict() - new_action_categories[new_action_category["id"]] = new_action_category["name"] - self.assertRaises( - AuthzException, - self.manager.set_action_category_dict, - demo_user["id"], ref["id"], new_action_categories) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) - action_categories = self.manager.set_action_category_dict(admin_user["id"], ref["id"], new_action_categories) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(ref["id"], action_categories["intra_extension_uuid"]) - self.assertEqual(action_categories["action_categories"], new_action_categories) - self.assertIn(new_action_category["id"], action_categories["action_categories"]) - - # Delete the new action_category + new_action_category = {"name": "action_category_test", "description": "action_category_test"} self.assertRaises( AuthzException, - self.manager.del_action_category_dict, - demo_user["id"], ref["id"], new_action_category["id"]) - - self.manager.del_action_category(admin_user["id"], ref["id"], new_action_category["id"]) - action_categories = self.manager.get_action_category_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(ref["id"], action_categories["intra_extension_uuid"]) - self.assertNotIn(new_action_category["id"], action_categories["action_categories"]) + self.manager.add_action_category, + demo_subject_id, admin_ie_dict["id"], new_action_category) + + action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category) + _action_categories = dict(action_categories) + self.assertEqual(len(_action_categories.keys()), 1) + new_action_category["id"] = _action_categories.keys()[0] + value = action_categories[new_action_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_action_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_action_category["description"]) - # Add a particular action_category + # Delete the new action_category self.assertRaises( AuthzException, - self.manager.add_action_category, - demo_user["id"], ref["id"], new_action_category["name"]) + self.manager.del_action_category, + demo_subject_id, authz_ie_dict["id"], new_action_category["id"]) - action_categories = self.manager.add_action_category( - admin_user["id"], - ref["id"], - new_action_category["name"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_category", action_categories) - self.assertIn("uuid", action_categories["action_category"]) - self.assertEqual(new_action_category["name"], action_categories["action_category"]["name"]) - new_action_category["id"] = action_categories["action_category"]["uuid"] - action_categories = self.manager.get_action_category_dict( - admin_user["id"], - ref["id"]) - self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(ref["id"], action_categories["intra_extension_uuid"]) - self.assertIn(new_action_category["id"], action_categories["action_categories"]) + self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"]) + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_action_category["name"], value["name"]) + self.assertIn("description", value) def test_subject_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - subject_categories = self.manager.set_subject_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: admin_user["id"], - uuid.uuid4().hex: "dev", + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: - self.assertRaises( - AuthzException, - self.manager.get_subject_scopes_dict, - demo_user["id"], ref["id"], subject_category) + for subject_category_id in subject_categories: subject_category_scope = self.manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) + self.assertEqual({}, subject_category_scope) - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = "new_subject_category_scope" + new_subject_category_scope = { + "name": "france", + "description": "france", + } self.assertRaises( AuthzException, - self.manager.set_subject_scope_dict, - demo_user["id"], ref["id"], subject_category, new_subject_category_scope) + self.admin_manager.add_subject_scope_dict, + demo_subject_id, authz_ie_dict["id"], subject_category_id, new_subject_category_scope) - subject_category_scope = self.manager.set_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, + subject_category_scope = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, new_subject_category_scope) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) + self.assertEqual(len(subject_category_scope.keys()), 1) + subject_category_scope_id = subject_category_scope.keys()[0] + subject_category_scope_value = subject_category_scope[subject_category_scope_id] + self.assertIn("name", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"]) + self.assertIn("description", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"]) # Delete the new subject_category_scope self.assertRaises( AuthzException, - self.manager.del_subject_category_scope_dict, - demo_user["id"], ref["id"], subject_category, new_subject_category_scope_uuid) - - self.manager.del_subject_scope( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope_uuid) - subject_category_scope = self.manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) + self.admin_manager.del_subject_scope, + demo_subject_id, authz_ie_dict["id"], subject_category_id, subject_category_scope_id) + + self.admin_manager.del_subject_scope( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + subject_category_scope_id) + subject_category_scope = self.admin_manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"]) - - # Add a particular subject_category_scope - self.assertRaises( - AuthzException, - self.manager.add_subject_scope_dict, - demo_user["id"], ref["id"], subject_category, - new_subject_category_scope[new_subject_category_scope_uuid]) - - subject_category_scope = self.manager.add_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope[new_subject_category_scope_uuid]) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("uuid", subject_category_scope["subject_category_scope"]) - self.assertEqual(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"]["name"]) - subject_category_scope = self.manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_subject_category_scope_uuid, subject_category_scope["subject_category_scope"]) + self.assertNotIn(subject_category_scope_id, subject_category_scope.keys()) def test_object_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - object_categories = self.manager.set_object_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "id", - uuid.uuid4().hex: "domain", + "name": "country", + "description": "country", } ) - for object_category in object_categories["object_categories"]: - self.assertRaises( - AuthzException, - self.manager.get_object_scopes_dict, - demo_user["id"], ref["id"], object_category) + for object_category_id in object_categories: object_category_scope = self.manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) + self.assertEqual({}, object_category_scope) - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = "new_object_category_scope" + new_object_category_scope = { + "name": "france", + "description": "france", + } self.assertRaises( AuthzException, - self.manager.set_object_scope_dict, - demo_user["id"], ref["id"], object_category, new_object_category_scope) + self.admin_manager.add_object_scope_dict, + demo_subject_id, authz_ie_dict["id"], object_category_id, new_object_category_scope) - object_category_scope = self.manager.set_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, + object_category_scope = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, new_object_category_scope) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"][object_category].values()) + self.assertEqual(len(object_category_scope.keys()), 1) + object_category_scope_id = object_category_scope.keys()[0] + object_category_scope_value = object_category_scope[object_category_scope_id] + self.assertIn("name", object_category_scope_value) + self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"]) + self.assertIn("description", object_category_scope_value) + self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"]) # Delete the new object_category_scope self.assertRaises( AuthzException, - self.manager.del_object_category_scope_dict, - demo_user["id"], ref["id"], object_category, new_object_category_scope) - - self.manager.del_object_scope( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope_uuid) - object_category_scope = self.manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"]) - - # Add a particular object_category_scope - self.assertRaises( - AuthzException, - self.manager.add_object_scope_dict, - demo_user["id"], ref["id"], object_category, - new_object_category_scope[new_object_category_scope_uuid] - ) - - object_category_scope = self.manager.add_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope[new_object_category_scope_uuid]) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("uuid", object_category_scope["object_category_scope"]) - self.assertEqual(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"]["name"]) - object_category_scope = self.manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) + self.admin_manager.del_object_scope, + demo_subject_id, authz_ie_dict["id"], object_category_id, object_category_scope_id) + + self.admin_manager.del_object_scope( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + object_category_scope_id) + object_category_scope = self.admin_manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_object_category_scope_uuid, object_category_scope["object_category_scope"]) + self.assertNotIn(object_category_scope_id, object_category_scope.keys()) def test_action_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - action_categories = self.manager.set_action_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "compute", - uuid.uuid4().hex: "identity", + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: - self.assertRaises( - AuthzException, - self.manager.get_object_scopes_dict, - demo_user["id"], ref["id"], action_category) + for action_category_id in action_categories: action_category_scope = self.manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) + self.assertEqual({}, action_category_scope) - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = "new_action_category_scope" + new_action_category_scope = { + "name": "get", + "description": "get swift files", + } self.assertRaises( AuthzException, - self.manager.set_action_scope_dict, - demo_user["id"], ref["id"], action_category, new_action_category_scope) + self.admin_manager.add_action_scope_dict, + demo_subject_id, authz_ie_dict["id"], action_category_id, new_action_category_scope) - action_category_scope = self.manager.set_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, + action_category_scope = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, new_action_category_scope) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"][action_category].values()) + self.assertEqual(len(action_category_scope.keys()), 1) + action_category_scope_id = action_category_scope.keys()[0] + action_category_scope_value = action_category_scope[action_category_scope_id] + self.assertIn("name", action_category_scope_value) + self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"]) + self.assertIn("description", action_category_scope_value) + self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"]) # Delete the new action_category_scope self.assertRaises( AuthzException, - self.manager.del_action_category_scope_dict, - demo_user["id"], ref["id"], action_category, - new_action_category_scope_uuid - ) - - self.manager.del_action_scope( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope_uuid) - action_category_scope = self.manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"]) - - # Add a particular action_category_scope - self.assertRaises( - AuthzException, - self.manager.add_action_scope_dict, - demo_user["id"], ref["id"], action_category, - new_action_category_scope[new_action_category_scope_uuid] - ) - - action_category_scope = self.manager.add_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope[new_action_category_scope_uuid]) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("uuid", action_category_scope["action_category_scope"]) - self.assertEqual(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"]["name"]) - action_category_scope = self.manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) + self.admin_manager.del_action_scope, + demo_subject_id, authz_ie_dict["id"], action_category_id, action_category_scope_id) + + self.admin_manager.del_action_scope( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + action_category_scope_id) + action_category_scope = self.admin_manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertNotIn(new_action_category_scope_uuid, action_category_scope["action_category_scope"]) + self.assertNotIn(action_category_scope_id, action_category_scope.keys()) def test_subject_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - new_subject = self.create_user() - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] - subjects = self.manager.set_subject_dict(admin_user["id"], ref["id"], new_subjects) - - new_subject_category_uuid = uuid.uuid4().hex - new_subject_category_value = "role" - subject_categories = self.manager.set_subject_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + admin_authz_subject_id, admin_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + demo_authz_subject_id, demo_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next() + + subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - new_subject_category_uuid: new_subject_category_value + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: + for subject_category_id in subject_categories: subject_category_scope = self.manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) - - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = admin_user["id"] - subject_category_scope = self.manager.set_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) - - new_subject_category_scope2 = dict() - new_subject_category_scope2_uuid = uuid.uuid4().hex - new_subject_category_scope2[new_subject_category_scope2_uuid] = "dev" - subject_category_scope = self.manager.set_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope2) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope2[new_subject_category_scope2_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) + self.assertEqual({}, subject_category_scope) - self.assertRaises( - AuthzException, - self.manager.get_subject_assignment_dict, - demo_user["id"], ref["id"], new_subject["id"]) + new_subject_category_scope_1 = { + "name": "france", + "description": "france", + } - subject_category_assignments = self.manager.get_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"] + subject_category_scope_1 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_1) + subject_category_scope_1_id = subject_category_scope_1.keys()[0] + + new_subject_category_scope_2 = { + "name": "china", + "description": "china", + } + + subject_category_scope_2 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_2) + subject_category_scope_2_id = subject_category_scope_2.keys()[0] + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, + subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, subject_category_assignments["subject_category_assignments"][new_subject["id"]]) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, + subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) self.assertRaises( AuthzException, - self.manager.set_subject_assignment_dict, - demo_user["id"], ref["id"], new_subject["id"], - { - new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid], - } + self.manager.add_subject_assignment_list, + demo_subject_id, authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id ) - subject_category_assignments = self.manager.set_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"], - { - new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid], - } + self.assertRaises( + AuthzException, + self.manager.add_subject_assignment_list, + demo_subject_id, authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) - subject_category_assignments = self.manager.get_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"] + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) + self.assertIsInstance(subject_category_assignments, list) - self.assertRaises( - AuthzException, - self.manager.del_subject_category_assignment_dict, - demo_user["id"], ref["id"], new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) - self.manager.del_subject_assignment( - admin_user["id"], - ref["id"], - new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - subject_category_assignments = self.manager.get_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"] + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope2_uuid, ]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.add_subject_assignment_list, - demo_user["id"], ref["id"], new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + self.admin_manager.del_subject_assignment, + demo_subject_id, authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - data = self.manager.add_subject_assignment_list( - admin_user["id"], - ref["id"], - new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid + self.admin_manager.del_subject_assignment( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) - subject_category_assignments = self.manager.get_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"] + self.assertRaises( + SubjectAssignmentUnknown, + self.admin_manager.del_subject_assignment, + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_subject_category_uuid: [new_subject_category_scope2_uuid, new_subject_category_scope_uuid]}, - subject_category_assignments["subject_category_assignments"][new_subject["id"]]) def test_object_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] - objects = self.manager.set_object_dict(admin_user["id"], ref["id"], new_objects) - - new_object_category_uuid = uuid.uuid4().hex - new_object_category_value = "role" - object_categories = self.manager.set_object_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + + object_vm1_id = None + object_vm2_id = None + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] == 'vm1': + object_vm1_id = _object_id + if objects_dict[_object_id]['name'] == 'vm2': + object_vm2_id = _object_id + if not object_vm1_id or not object_vm2_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)") + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - new_object_category_uuid: new_object_category_value + "name": "location", + "description": "location", } ) - for object_category in object_categories["object_categories"]: + for object_category_id in object_categories: object_category_scope = self.manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) - - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = admin_user["id"] - object_category_scope = self.manager.set_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"][object_category].values()) - - new_object_category_scope2 = dict() - new_object_category_scope2_uuid = uuid.uuid4().hex - new_object_category_scope2[new_object_category_scope2_uuid] = "dev" - object_category_scope = self.manager.set_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope2) + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope2[new_object_category_scope2_uuid], - object_category_scope["object_category_scope"][object_category].values()) + self.assertEqual({}, object_category_scope) - self.assertRaises( - AuthzException, - self.manager.get_object_assignment_list, - demo_user["id"], ref["id"], new_object["id"] + new_object_category_scope_1 = { + "name": "france", + "description": "france", + } + + object_category_scope_1 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_1) + object_category_scope_1_id = object_category_scope_1.keys()[0] + + new_object_category_scope_2 = { + "name": "china", + "description": "china", + } + + object_category_scope_2 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_2) + object_category_scope_2_id = object_category_scope_2.keys()[0] + + object_category_assignments = self.manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, + object_category_id ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) object_category_assignments = self.manager.get_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"] + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, + object_category_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, object_category_assignments["object_category_assignments"][new_object["id"]]) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) self.assertRaises( AuthzException, - self.manager.set_object_category_assignment_dict, - demo_user["id"], ref["id"], new_object["id"], - { - new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid], - } + self.manager.add_object_assignment_list, + demo_subject_id, authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id ) - object_category_assignments = self.manager.set_object_category_assignment_dict( - admin_user["id"], - ref["id"], - new_object["id"], - { - new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid], - } + self.assertRaises( + AuthzException, + self.manager.add_object_assignment_list, + demo_subject_id, authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) - object_category_assignments = self.manager.get_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"] + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) + self.assertIsInstance(object_category_assignments, list) - self.assertRaises( - AuthzException, - self.manager.del_object_category_assignment_dict, - demo_user["id"], ref["id"], new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) - self.manager.del_object_assignment( - admin_user["id"], - ref["id"], - new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id ) - object_category_assignments = self.manager.get_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"] + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope2_uuid, ]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.add_object_assignment_list, - demo_user["id"], ref["id"], new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + self.admin_manager.del_object_assignment, + demo_subject_id, authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id ) - self.manager.add_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid + self.admin_manager.del_object_assignment( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) - object_category_assignments = self.manager.get_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"] + self.assertRaises( + ObjectAssignmentUnknown, + self.admin_manager.del_object_assignment, + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_object_category_uuid: [new_object_category_scope2_uuid, new_object_category_scope_uuid]}, - object_category_assignments["object_category_assignments"][new_object["id"]]) def test_action_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] - actions = self.manager.set_action_dict(admin_user["id"], ref["id"], new_actions) - - new_action_category_uuid = uuid.uuid4().hex - new_action_category_value = "role" - action_categories = self.manager.set_action_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + + action_upload_id = None + action_list_id = None + for _action_id in actions_dict: + if actions_dict[_action_id]['name'] == 'upload': + action_upload_id = _action_id + if actions_dict[_action_id]['name'] == 'list': + action_list_id = _action_id + if not action_upload_id or not action_list_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)") + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - new_action_category_uuid: new_action_category_value + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: + for action_category_id in action_categories: action_category_scope = self.manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) - - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = admin_user["id"] - action_category_scope = self.manager.set_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"][action_category].values()) - - new_action_category_scope2 = dict() - new_action_category_scope2_uuid = uuid.uuid4().hex - new_action_category_scope2[new_action_category_scope2_uuid] = "dev" - action_category_scope = self.manager.set_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope2) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope2[new_action_category_scope2_uuid], - action_category_scope["action_category_scope"][action_category].values()) + self.assertEqual({}, action_category_scope) - self.assertRaises( - AuthzException, - self.manager.get_action_assignment_list, - demo_user["id"], ref["id"], new_action["id"] + new_action_category_scope_1 = { + "name": "swift_admin", + "description": "action require admin rights", + } + + action_category_scope_1 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_1) + action_category_scope_1_id = action_category_scope_1.keys()[0] + + new_action_category_scope_2 = { + "name": "swift_anonymous", + "description": "action require no right", + } + + action_category_scope_2 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_2) + action_category_scope_2_id = action_category_scope_2.keys()[0] + + action_category_assignments = self.manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, + action_category_id ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) action_category_assignments = self.manager.get_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"] + admin_subject_id, + authz_ie_dict["id"], + action_list_id, + action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) self.assertRaises( AuthzException, - self.manager.set_action_assignment_dict, - demo_user["id"], ref["id"], new_action["id"], - { - new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid], - } + self.manager.add_action_assignment_list, + demo_subject_id, authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id ) - action_category_assignments = self.manager.set_action_assignment_dict( - admin_user["id"], - ref["id"], - new_action["id"], - { - new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid], - } + self.assertRaises( + AuthzException, + self.manager.add_action_assignment_list, + demo_subject_id, authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) - action_category_assignments = self.manager.get_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"] + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) - self.assertRaises( - AuthzException, - self.manager.del_action_category_assignment_dict, - demo_user["id"], ref["id"], new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) - self.manager.del_action_assignment( - admin_user["id"], - ref["id"], - new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id ) - action_category_assignments = self.manager.get_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"] + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope2_uuid, ]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.add_action_assignment_list, - demo_user["id"], ref["id"], new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + self.admin_manager.del_action_assignment, + demo_subject_id, authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id ) - self.manager.add_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid + self.admin_manager.del_action_assignment( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) - action_category_assignments = self.manager.get_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"] + self.assertRaises( + ActionAssignmentUnknown, + self.admin_manager.del_action_assignment, + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual( - {new_action_category_uuid: [new_action_category_scope2_uuid, new_action_category_scope_uuid]}, - action_category_assignments["action_category_assignments"][new_action["id"]]) def test_sub_meta_rules(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - aggregation_algorithms = self.manager.get_aggregation_algorithms(admin_user["id"], ref["id"]) - self.assertIsInstance(aggregation_algorithms, dict) - self.assertIsInstance(aggregation_algorithms["aggregation_algorithms"], list) - self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"]) - self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"]) - - self.assertRaises( - AuthzException, - self.manager.get_aggregation_algorithm_dict, - demo_user["id"], ref["id"] - ) - - aggregation_algorithm = self.manager.get_aggregation_algorithm_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(aggregation_algorithm, dict) - self.assertIn("aggregation", aggregation_algorithm) - self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - - _aggregation_algorithm = list(aggregation_algorithms["aggregation_algorithms"]) - _aggregation_algorithm.remove(aggregation_algorithm["aggregation"]) - - self.assertRaises( - AuthzException, - self.manager.set_aggregation_algorithms, - demo_user["id"], ref["id"], _aggregation_algorithm[0] - ) - - aggregation_algorithm = self.manager.set_aggregation_algorithm_dict(admin_user["id"], ref["id"], _aggregation_algorithm[0]) - self.assertIsInstance(aggregation_algorithm, dict) - self.assertIn("aggregation", aggregation_algorithm) - self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - - self.assertRaises( - AuthzException, - self.manager.get_sub_meta_rules_dict, - demo_user["id"], ref["id"] - ) - - sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in aggregation_algorithms.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + # TODO: need more tests on aggregation_algorithms (set and del) + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, ref["model"], "metarule.json"))) - metarule = dict() categories = { - "subject_categories": self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]), - "object_categories": self.manager.get_object_category_dict(admin_user["id"], ref["id"]), - "action_categories": self.manager.get_action_category_dict(admin_user["id"], ref["id"]) + "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]), + "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]), + "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) } - for relation in sub_meta_rules_conf["sub_meta_rules"]: - metarule[relation] = dict() - for item in ("subject_categories", "object_categories", "action_categories"): - metarule[relation][item] = list() - for element in sub_meta_rules_conf["sub_meta_rules"][relation][item]: - metarule[relation][item].append(self.__get_key_from_value( - element, - categories[item][item] - )) - - for relation in sub_meta_rules["sub_meta_rules"]: - self.assertIn(relation, metarule) - for item in ("subject_categories", "object_categories", "action_categories"): - self.assertEqual( - sub_meta_rules["sub_meta_rules"][relation][item], - metarule[relation][item] - ) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - # Add a particular subject_category - data = self.manager.add_subject_category( - admin_user["id"], - ref["id"], - new_subject_category["name"]) - new_subject_category["id"] = data["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_categories_dict( - admin_user["id"], - ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) - metarule[relation]["subject_categories"].append(new_subject_category["id"]) - - self.assertRaises( - AuthzException, - self.manager.get_sub_meta_rule_dict, - demo_user["id"], ref["id"], metarule - ) - - _sub_meta_rules = self.manager.get_sub_meta_rule_dict(admin_user["id"], ref["id"], metarule) - self.assertIn(relation, metarule) - for item in ("subject_categories", "object_categories", "action_categories"): - self.assertEqual( - _sub_meta_rules["sub_meta_rules"][relation][item], - metarule[relation][item] - ) + for key, value in sub_meta_rules.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("action_categories", value) + self.assertIn("object_categories", value) + self.assertIn("subject_categories", value) + self.assertIn("algorithm", value) + self.assertIn("name", value) + for action_category_id in value["action_categories"]: + self.assertIn(action_category_id, categories["action_categories"]) + for object_category_id in value["object_categories"]: + self.assertIn(object_category_id, categories["object_categories"]) + for subject_category_id in value["subject_categories"]: + self.assertIn(subject_category_id, categories["subject_categories"]) + # TODO: need more tests (set and del) def test_sub_rules(self): - demo_user = self.create_user("demo") - admin_user = self.create_user("admin") - ref = self.create_intra_extension() - - sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - self.assertRaises( - AuthzException, - self.manager.get_sub_rules, - demo_user["id"], ref["id"] - ) - - sub_rules = self.manager.get_sub_rules(admin_user["id"], ref["id"]) - self.assertIsInstance(sub_rules, dict) - self.assertIn("rules", sub_rules) - rules = dict() - for relation in sub_rules["rules"]: - self.assertIn(relation, self.manager.get_sub_meta_rule_relations(admin_user["id"], ref["id"])["sub_meta_rule_relations"]) - rules[relation] = list() - for rule in sub_rules["rules"][relation]: + for relation_id in sub_meta_rules: + rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id) + rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \ + len(sub_meta_rules[relation_id]["object_categories"]) + \ + len(sub_meta_rules[relation_id]["action_categories"]) + 1 + for rule_id in rules: + self.assertEqual(rule_length, len(rules[rule_id])) + rule = list(rules[rule_id]) for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: + for cat_value in sub_meta_rules[relation_id][cat]: scope = cat_func( - admin_user["id"], - ref["id"], + admin_subject_id, + authz_ie_dict["id"], cat_value ) a_scope = rule.pop(0) if type(a_scope) is not bool: - self.assertIn(a_scope, scope[func_name][cat_value]) - - # add a new subrule - - relation = sub_rules["rules"].keys()[0] - sub_rule = [] - for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), - ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: - scope = cat_func( - admin_user["id"], - ref["id"], - cat_value - ) - sub_rule.append(scope[func_name][cat_value].keys()[0]) - - sub_rule.append(True) - self.assertRaises( - AuthzException, - self.manager.set_sub_rules, - demo_user["id"], ref["id"], relation, sub_rule - ) + self.assertIn(a_scope, scope.keys()) + + # add a new subrule + + sub_rule = [] + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + sub_rule.append(scope.keys()[0]) + + sub_rule.append(False) + self.assertRaises( + AuthzException, + self.admin_manager.add_rule_dict, + demo_subject_id, authz_ie_dict["id"], relation_id, sub_rule + ) + + sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule) + self.assertIsInstance(sub_rules, dict) + self.assertIn(sub_rule, sub_rules.values()) - sub_rules = self.manager.set_sub_rule(admin_user["id"], ref["id"], relation, sub_rule) - self.assertIsInstance(sub_rules, dict) - self.assertIn("rules", sub_rules) - rules = dict() - self.assertIn(sub_rule, sub_rules["rules"][relation]) - for relation in sub_rules["rules"]: - self.assertIn(relation, self.manager.get_sub_meta_rule_relations(admin_user["id"], ref["id"])["sub_meta_rule_relations"]) - rules[relation] = list() - for rule in sub_rules["rules"][relation]: + for rule_id, rule_value in sub_rules.iteritems(): for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"), ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: + for cat_value in sub_meta_rules[relation_id][cat]: scope = cat_func( - admin_user["id"], - ref["id"], + admin_subject_id, + authz_ie_dict["id"], cat_value ) - a_scope = rule.pop(0) - self.assertIn(a_scope, scope[func_name][cat_value]) + a_scope = rule_value.pop(0) + self.assertIn(a_scope, scope.keys()) + # TODO: add test for the delete function diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py index 0e22a1b4..705aea8a 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_intra_extension_authz.py @@ -16,6 +16,7 @@ from keystone import resource from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager, TenantManager, ADMIN_ID +from keystone.tests.moon.unit import * CONF = cfg.CONF @@ -31,15 +32,22 @@ IE = { "description": "a simple description." } -class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): +@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') +class TestIntraExtensionAuthzManagerAuthzOK(tests.TestCase): def setUp(self): self.useFixture(database.Database()) - super(TestIntraExtensionAuthzManagerAuthz, self).setUp() + super(TestIntraExtensionAuthzManagerAuthzOK, self).setUp() self.load_backends() self.load_fixtures(default_fixtures) - self.manager = IntraExtensionAuthzManager() - self.admin_manager = IntraExtensionAdminManager() + self.admin = create_user(self, username="admin") + self.demo = create_user(self, username="demo") + self.root_intra_extension = create_intra_extension(self, policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + self.manager = self.authz_api + self.admin_manager = self.admin_api def __get_key_from_value(self, value, values_dict): return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0] @@ -48,11 +56,13 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): return { "moonlog_api": LogManager(), "tenant_api": TenantManager(), + "admin_api": IntraExtensionAdminManager(), + "authz_api": IntraExtensionAuthzManager(), # "resource_api": resource.Manager(), } def config_overrides(self): - super(TestIntraExtensionAuthzManagerAuthz, self).config_overrides() + super(TestIntraExtensionAuthzManagerAuthzOK, self).config_overrides() self.policy_directory = 'examples/moon/policies' self.config_fixture.config( group='moon', @@ -61,37 +71,942 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): group='moon', policy_directory=self.policy_directory) - def create_tenant(self): - tenant = { - "id": uuid.uuid4().hex, - "name": "TestIntraExtensionAuthzManager", - "enabled": True, - "description": "", - "domain_id": "default" + def delete_admin_intra_extension(self): + self.manager.del_intra_extension(self.ref["id"]) + + def test_subjects(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(subjects, dict) + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + self.assertIn("keystone_name", value) + self.assertIn("keystone_id", value) + + create_user(self, "subject_test") + new_subject = {"name": "subject_test", "description": "subject_test"} + + subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject) + _subjects = dict(subjects) + self.assertEqual(len(_subjects.keys()), 1) + new_subject["id"] = _subjects.keys()[0] + value = subjects[new_subject["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject["description"]) + + # Delete the new subject + self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"]) + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject["name"], value["name"]) + self.assertIn("description", value) + + def test_objects(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + objects_id_list = [] + self.assertIsInstance(objects, dict) + for key, value in objects.iteritems(): + objects_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + def test_actions(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + actions_id_list = [] + self.assertIsInstance(actions, dict) + for key, value in actions.iteritems(): + actions_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + def test_subject_categories(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(subject_categories, dict) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"} + + subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category) + _subject_categories = dict(subject_categories) + self.assertEqual(len(_subject_categories.keys()), 1) + new_subject_category["id"] = _subject_categories.keys()[0] + value = subject_categories[new_subject_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject_category["description"]) + + # Delete the new subject_category + self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject_category["name"], value["name"]) + self.assertIn("description", value) + + def test_object_categories(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(object_categories, dict) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_object_category = {"name": "object_category_test", "description": "object_category_test"} + + object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category) + _object_categories = dict(object_categories) + self.assertEqual(len(_object_categories.keys()), 1) + new_object_category["id"] = _object_categories.keys()[0] + value = object_categories[new_object_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_object_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_object_category["description"]) + + # Delete the new object_category + + self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"]) + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_object_category["name"], value["name"]) + self.assertIn("description", value) + + def test_action_categories(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(action_categories, dict) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_action_category = {"name": "action_category_test", "description": "action_category_test"} + + action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category) + _action_categories = dict(action_categories) + self.assertEqual(len(_action_categories.keys()), 1) + new_action_category["id"] = _action_categories.keys()[0] + value = action_categories[new_action_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_action_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_action_category["description"]) + + # Delete the new action_category + + self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"]) + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_action_category["name"], value["name"]) + self.assertIn("description", value) + + def test_subject_category_scope(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "country", + "description": "country", + } + ) + + for subject_category_id in subject_categories: + + subject_category_scope = self.manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) + self.assertIsInstance(subject_category_scope, dict) + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope = { + "name": "france", + "description": "france", + } + + subject_category_scope = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope) + self.assertIsInstance(subject_category_scope, dict) + self.assertEqual(len(subject_category_scope.keys()), 1) + subject_category_scope_id = subject_category_scope.keys()[0] + subject_category_scope_value = subject_category_scope[subject_category_scope_id] + self.assertIn("name", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"]) + self.assertIn("description", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"]) + + # Delete the new subject_category_scope + + self.admin_manager.del_subject_scope( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + subject_category_scope_id) + subject_category_scope = self.admin_manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) + self.assertIsInstance(subject_category_scope, dict) + self.assertNotIn(subject_category_scope_id, subject_category_scope.keys()) + + def test_object_category_scope(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "country", + "description": "country", + } + ) + + for object_category_id in object_categories: + + object_category_scope = self.manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) + self.assertIsInstance(object_category_scope, dict) + self.assertEqual({}, object_category_scope) + + new_object_category_scope = { + "name": "france", + "description": "france", + } + + object_category_scope = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope) + self.assertIsInstance(object_category_scope, dict) + self.assertEqual(len(object_category_scope.keys()), 1) + object_category_scope_id = object_category_scope.keys()[0] + object_category_scope_value = object_category_scope[object_category_scope_id] + self.assertIn("name", object_category_scope_value) + self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"]) + self.assertIn("description", object_category_scope_value) + self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"]) + + # Delete the new object_category_scope + + self.admin_manager.del_object_scope( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + object_category_scope_id) + object_category_scope = self.admin_manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) + self.assertIsInstance(object_category_scope, dict) + self.assertNotIn(object_category_scope_id, object_category_scope.keys()) + + def test_action_category_scope(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "swift", + "description": "swift actions", + } + ) + + for action_category_id in action_categories: + + action_category_scope = self.manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) + self.assertIsInstance(action_category_scope, dict) + self.assertEqual({}, action_category_scope) + + new_action_category_scope = { + "name": "get", + "description": "get swift files", + } + + action_category_scope = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope) + self.assertIsInstance(action_category_scope, dict) + self.assertEqual(len(action_category_scope.keys()), 1) + action_category_scope_id = action_category_scope.keys()[0] + action_category_scope_value = action_category_scope[action_category_scope_id] + self.assertIn("name", action_category_scope_value) + self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"]) + self.assertIn("description", action_category_scope_value) + self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"]) + + # Delete the new action_category_scope + + self.admin_manager.del_action_scope( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + action_category_scope_id) + action_category_scope = self.admin_manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) + self.assertIsInstance(action_category_scope, dict) + self.assertNotIn(action_category_scope_id, action_category_scope.keys()) + + def test_subject_category_assignment(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + admin_authz_subject_id, admin_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + demo_authz_subject_id, demo_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next() + + subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "country", + "description": "country", + } + ) + + for subject_category_id in subject_categories: + subject_category_scope = self.manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) + self.assertIsInstance(subject_category_scope, dict) + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope_1 = { + "name": "france", + "description": "france", + } + + subject_category_scope_1 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_1) + subject_category_scope_1_id = subject_category_scope_1.keys()[0] + + new_subject_category_scope_2 = { + "name": "china", + "description": "china", + } + + subject_category_scope_2 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_2) + subject_category_scope_2_id = subject_category_scope_2.keys()[0] + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, + subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, + subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id + ) + self.assertIsInstance(subject_category_assignments, list) + + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) + + self.admin_manager.del_subject_assignment( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + def test_object_category_assignment(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + + object_vm1_id = None + object_vm2_id = None + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] == 'vm1': + object_vm1_id = _object_id + if objects_dict[_object_id]['name'] == 'vm2': + object_vm2_id = _object_id + if not object_vm1_id or not object_vm2_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)") + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "location", + "description": "location", + } + ) + + for object_category_id in object_categories: + object_category_scope = self.manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) + self.assertIsInstance(object_category_scope, dict) + self.assertEqual({}, object_category_scope) + + new_object_category_scope_1 = { + "name": "france", + "description": "france", + } + + object_category_scope_1 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_1) + object_category_scope_1_id = object_category_scope_1.keys()[0] + + new_object_category_scope_2 = { + "name": "china", + "description": "china", + } + + object_category_scope_2 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_2) + object_category_scope_2_id = object_category_scope_2.keys()[0] + + object_category_assignments = self.manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, + object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) + + object_category_assignments = self.manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, + object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id + ) + self.assertIsInstance(object_category_assignments, list) + + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) + + self.admin_manager.del_object_assignment( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + def test_action_category_assignment(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + + action_upload_id = None + action_list_id = None + for _action_id in actions_dict: + if actions_dict[_action_id]['name'] == 'upload': + action_upload_id = _action_id + if actions_dict[_action_id]['name'] == 'list': + action_list_id = _action_id + if not action_upload_id or not action_list_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)") + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], + { + "name": "swift", + "description": "swift actions", + } + ) + + for action_category_id in action_categories: + action_category_scope = self.manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) + self.assertIsInstance(action_category_scope, dict) + self.assertEqual({}, action_category_scope) + + new_action_category_scope_1 = { + "name": "swift_admin", + "description": "action require admin rights", + } + + action_category_scope_1 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_1) + action_category_scope_1_id = action_category_scope_1.keys()[0] + + new_action_category_scope_2 = { + "name": "swift_anonymous", + "description": "action require no right", + } + + action_category_scope_2 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_2) + action_category_scope_2_id = action_category_scope_2.keys()[0] + + action_category_assignments = self.manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, + action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) + + action_category_assignments = self.manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, + action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id + ) + self.assertIsInstance(action_category_assignments, list) + + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) + + self.admin_manager.del_action_assignment( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) + + def test_sub_meta_rules(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in aggregation_algorithms.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + # TODO: need more tests on aggregation_algorithms (set and del) + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(sub_meta_rules, dict) + categories = { + "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]), + "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]), + "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) } - return self.resource_api.create_project(tenant["id"], tenant) + for key, value in sub_meta_rules.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("action_categories", value) + self.assertIn("object_categories", value) + self.assertIn("subject_categories", value) + self.assertIn("algorithm", value) + self.assertIn("name", value) + for action_category_id in value["action_categories"]: + self.assertIn(action_category_id, categories["action_categories"]) + for object_category_id in value["object_categories"]: + self.assertIn(object_category_id, categories["object_categories"]) + for subject_category_id in value["subject_categories"]: + self.assertIn(subject_category_id, categories["subject_categories"]) + # TODO: need more tests (set and del) - def create_mapping(self, tenant, authz_uuid=None, admin_uuid=None): + def test_sub_rules(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) + self.assertIsInstance(sub_meta_rules, dict) + + for relation_id in sub_meta_rules: + rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id) + rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \ + len(sub_meta_rules[relation_id]["object_categories"]) + \ + len(sub_meta_rules[relation_id]["action_categories"]) + 1 + for rule_id in rules: + self.assertEqual(rule_length, len(rules[rule_id])) + rule = list(rules[rule_id]) + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + a_scope = rule.pop(0) + if type(a_scope) is not bool: + self.assertIn(a_scope, scope.keys()) + + # add a new subrule + + sub_rule = [] + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + sub_rule.append(scope.keys()[0]) + + sub_rule.append(False) + + sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule) + self.assertIsInstance(sub_rules, dict) + self.assertIn(sub_rule, sub_rules.values()) + + for rule_id, rule_value in sub_rules.iteritems(): + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + a_scope = rule_value.pop(0) + self.assertIn(a_scope, scope.keys()) + + # TODO: add test for the delete function - mapping = self.tenant_api.set_tenant_dict(tenant["id"], tenant["name"], authz_uuid, admin_uuid) - self.assertIsInstance(mapping, dict) - self.assertIn("authz", mapping) - self.assertEqual(mapping["authz"], authz_uuid) - return mapping - def create_user(self, username="admin"): +@dependency.requires('admin_api', 'authz_api', 'tenant_api', 'configuration_api', 'moonlog_api') +class TestIntraExtensionAuthzManagerAuthzKO(tests.TestCase): + + def setUp(self): + self.useFixture(database.Database()) + super(TestIntraExtensionAuthzManagerAuthzKO, self).setUp() + self.load_backends() + self.load_fixtures(default_fixtures) + self.admin = create_user(self, username="admin") + self.demo = create_user(self, username="demo") + self.root_intra_extension = create_intra_extension(self, policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID + self.manager = self.authz_api + self.admin_manager = self.admin_api - _USER = dict(USER) - _USER["name"] = username - return self.identity_api.create_user(_USER) + def __get_key_from_value(self, value, values_dict): + return filter(lambda v: v[1] == value, values_dict.iteritems())[0][0] - def create_intra_extension(self, policy_model="policy_authz"): + def load_extra_backends(self): + return { + "moonlog_api": LogManager(), + "tenant_api": TenantManager(), + "admin_api": IntraExtensionAdminManager(), + "authz_api": IntraExtensionAuthzManager(), + # "resource_api": resource.Manager(), + } - IE["model"] = policy_model - IE["name"] = uuid.uuid4().hex - ref = self.admin_manager.load_intra_extension_dict(ADMIN_ID, intra_extension_dict=IE) - self.assertIsInstance(ref, dict) - return ref + def config_overrides(self): + super(TestIntraExtensionAuthzManagerAuthzKO, self).config_overrides() + self.policy_directory = 'examples/moon/policies' + self.config_fixture.config( + group='moon', + intraextension_driver='keystone.contrib.moon.backends.sql.IntraExtensionConnector') + self.config_fixture.config( + group='moon', + policy_directory=self.policy_directory) def test_tenant_exceptions(self): self.assertRaises( @@ -142,137 +1057,149 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): def test_authz_exceptions(self): self.assertRaises( - IntraExtensionUnknown, + TenantUnknown, self.manager.authz, uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex ) - admin_user = self.create_user() - tenant = self.create_tenant() - ie_authz = self.create_intra_extension("policy_authz") - ie_admin = self.create_intra_extension("policy_admin") - mapping = self.create_mapping(tenant, ie_authz["id"], ie_admin["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() # Test when subject is unknown self.assertRaises( - AuthzException, + SubjectUnknown, self.manager.authz, - ie_authz["id"], uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex + tenant["name"], uuid.uuid4().hex, uuid.uuid4().hex, uuid.uuid4().hex ) # Test when subject is known but not the object - demo_user = self.create_user("demo") - self.manager.add_subject_dict( - admin_user['id'], - self.ref["id"], - demo_user["id"] - ) + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next() + + # self.manager.add_subject_dict( + # admin_subject_id, + # ie_authz["id"], + # demo_user["id"] + # ) self.assertRaises( - AuthzException, + ObjectUnknown, self.manager.authz, - ie_authz["id"], demo_user["id"], uuid.uuid4().hex, uuid.uuid4().hex + tenant["name"], demo_subject_dict["name"], uuid.uuid4().hex, uuid.uuid4().hex ) # Test when subject and object are known but not the action + my_object = {"name": "my_object", "description": "my_object description"} _tmp = self.manager.add_object_dict( - admin_user['id'], - self.ref["id"], - "my_object" - ).items()[0] - my_object = {"id": _tmp[0], "name": _tmp[1]} + admin_subject_id, + authz_ie_dict["id"], + my_object + ) + my_object["id"] = _tmp.keys()[0] self.assertRaises( - AuthzException, + ActionUnknown, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], uuid.uuid4().hex + tenant["name"], demo_subject_dict["name"], my_object["name"], uuid.uuid4().hex ) # Test when subject and object and action are known + my_action = {"name": "my_action", "description": "my_action description"} _tmp = self.manager.add_action_dict( - admin_user['id'], - self.ref["id"], - "my_action" - ).items()[0] - my_action = {"id": _tmp[0], "name": _tmp[1]} + admin_subject_id, + authz_ie_dict["id"], + my_action + ) + my_action["id"] = _tmp.keys()[0] self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add a subject scope and test ObjectCategoryAssignmentOutOfScope + my_subject_category = {"name": "my_subject_category", "description": "my_subject_category description"} _tmp = self.manager.add_subject_category( - admin_user['id'], - self.ref["id"], - "my_subject_category" + admin_subject_id, + authz_ie_dict["id"], + my_subject_category ) - my_subject_category = {"id": _tmp[0], "name": _tmp[1]} + my_subject_category["id"] = _tmp.keys()[0] + my_subject_scope = {"name": "my_subject_scope", "description": "my_subject_scope description"} _tmp = self.manager.add_subject_scope_dict( - admin_user['id'], - self.ref["id"], + admin_subject_id, + authz_ie_dict["id"], my_subject_category["id"], - "my_subject_scope", + my_subject_scope ) - my_subject_scope = {"id": _tmp[0], "name": _tmp[1]} + my_subject_scope["id"] = _tmp.keys()[0] self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add an object scope and test ActionCategoryAssignmentOutOfScope + my_object_category = {"name": "my_object_category", "description": "my_object_category description"} _tmp = self.manager.add_object_category( - admin_user['id'], - self.ref["id"], - "my_object_category" + admin_subject_id, + authz_ie_dict["id"], + my_object_category ) - my_object_category = {"id": _tmp[0], "name": _tmp[1]} + my_object_category["id"] = _tmp.keys()[0] + my_object_scope = {"name": "my_object_scope", "description": "my_object_scope description"} _tmp = self.manager.add_object_scope_dict( - admin_user['id'], - self.ref["id"], + admin_subject_id, + authz_ie_dict["id"], my_object_category["id"], - "my_object_scope", + my_object_scope ) - my_object_scope = {"id": _tmp[0], "name": _tmp[1]} + my_object_scope["id"] = _tmp.keys()[0] self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add an action scope and test SubjectCategoryAssignmentUnknown + my_action_category = {"name": "my_action_category", "description": "my_action_category description"} _tmp = self.manager.add_action_category( - admin_user['id'], - self.ref["id"], - "my_action_category" + admin_subject_id, + authz_ie_dict["id"], + my_action_category ) - my_action_category = {"id": _tmp[0], "name": _tmp[1]} + my_action_category["id"] = _tmp.keys()[0] + my_action_scope = {"name": "my_action_scope", "description": "my_action_scope description"} _tmp = self.manager.add_action_scope_dict( - admin_user['id'], - self.ref["id"], + admin_subject_id, + authz_ie_dict["id"], my_action_category["id"], - "my_action_scope", + my_action_scope ) - my_action_scope = {"id": _tmp[0], "name": _tmp[1]} + my_action_scope["id"] = _tmp.keys()[0] self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add a subject assignment and test ObjectCategoryAssignmentUnknown self.manager.add_subject_assignment_list( - admin_user['id'], - self.ref["id"], - demo_user["id"], + admin_subject_id, + authz_ie_dict["id"], + demo_subject_id, my_subject_category["id"], my_subject_scope["id"] ) @@ -280,14 +1207,14 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add an object assignment and test ActionCategoryAssignmentUnknown self.manager.add_object_assignment_list( - admin_user['id'], - self.ref["id"], - demo_user["id"], + admin_subject_id, + authz_ie_dict["id"], + my_object["id"], my_object_category["id"], my_object_scope["id"] ) @@ -295,14 +1222,14 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"] ) # Add an action assignment and test RuleUnknown self.manager.add_action_assignment_list( - admin_user['id'], - self.ref["id"], - demo_user["id"], + admin_subject_id, + authz_ie_dict["id"], + my_action["id"], my_action_category["id"], my_action_scope["id"] ) @@ -310,828 +1237,1172 @@ class TestIntraExtensionAuthzManagerAuthz(tests.TestCase): self.assertRaises( AuthzException, self.manager.authz, - ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"] + tenant["name"], admin_subject_dict["name"], my_object["name"], my_action["name"] ) # Add the correct rule and test that no exception is raised my_meta_rule = { - "relation_super": { - "subject_categories": [my_subject_category["id"], ], - "action_categories": [my_object_category["id"], ], - "object_categories": [my_action_category["id"], ], - "relation": "relation_super" - } + "name": "my_meta_rule", + "algorithm": "test", + "subject_categories": [my_subject_category["id"], ], + "action_categories": [my_action_category["id"], ], + "object_categories": [my_object_category["id"], ] } - self.manager.get_sub_meta_rule_dict( - admin_user['id'], - self.ref["id"], + print("my_meta_rule", my_meta_rule) + sub_meta_rules_dict = self.manager.get_sub_meta_rules_dict( + admin_subject_id, + authz_ie_dict["id"] + ) + + self.assertRaises( + SubMetaRuleAlgorithmNotExisting, + self.manager.add_sub_meta_rule_dict, + admin_subject_id, + authz_ie_dict["id"], my_meta_rule ) - self.manager.set_sub_rule( - admin_user['id'], - self.ref["id"], - "relation_super", - [my_subject_scope, my_object_scope, my_action_scope] + + # TODO: the next request should be called with demo_subject_id + # but the demo user has no right in the root intra_extension + algorithms = self.configuration_api.get_sub_meta_rule_algorithms_dict(admin_subject_id) + for algorithm_id in algorithms: + if algorithms[algorithm_id]["name"] == "inclusion": + my_meta_rule["algorithm"] = algorithm_id + + sub_meta_rule = self.manager.add_sub_meta_rule_dict( + admin_subject_id, + authz_ie_dict["id"], + my_meta_rule ) + sub_meta_rule_id, sub_meta_rule_dict = sub_meta_rule.iteritems().next() - result = self.manager.authz(ie_authz["id"], demo_user["id"], my_object["id"], my_action["id"]) + rule = self.manager.add_rule_dict( + admin_subject_id, + authz_ie_dict["id"], + sub_meta_rule_id, + [my_subject_scope["id"], my_action_scope["id"], my_object_scope["id"], True] + ) + + self.assertRaises( + AuthzException, + self.manager.authz, + tenant["name"], admin_subject_dict["name"], my_object["name"], my_action["name"] + ) + + result = self.manager.authz(tenant["name"], demo_subject_dict["name"], my_object["name"], my_action["name"]) self.assertEqual(True, result) def test_subjects(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - subjects = self.manager.get_subjects_dict(admin_user["id"], tenant["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subjects, dict) - self.assertIn("subjects", subjects) - self.assertIn("id", subjects) - self.assertIn("intra_extension_uuid", subjects) - self.assertEqual(ref["id"], subjects["intra_extension_uuid"]) - self.assertIsInstance(subjects["subjects"], dict) - - new_subject = self.create_user("my_user") - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + self.assertIn("keystone_name", value) + self.assertIn("keystone_id", value) + + create_user(self, "subject_test") + new_subject = {"name": "subject_test", "description": "subject_test"} self.assertRaises( AuthzException, - self.manager.set_subject_dict, - admin_user["id"], ref["id"], new_subjects) + self.manager.add_subject_dict, + demo_subject_id, admin_ie_dict["id"], new_subject) + + subjects = self.admin_manager.add_subject_dict(admin_subject_id, authz_ie_dict["id"], new_subject) + _subjects = dict(subjects) + self.assertEqual(len(_subjects.keys()), 1) + new_subject["id"] = _subjects.keys()[0] + value = subjects[new_subject["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject["description"]) # Delete the new subject self.assertRaises( AuthzException, self.manager.del_subject, - admin_user["id"], ref["id"], new_subject["id"]) + demo_subject_id, authz_ie_dict["id"], new_subject["id"]) - # Add a particular subject - self.assertRaises( - AuthzException, - self.manager.add_subject_dict, - admin_user["id"], ref["id"], new_subject["id"]) + self.admin_manager.del_subject(admin_subject_id, authz_ie_dict["id"], new_subject["id"]) + subjects = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subjects.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject["name"], value["name"]) + self.assertIn("description", value) def test_objects(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - objects = self.manager.get_objects_dict(admin_user["id"], tenant["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + objects = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + objects_id_list = [] self.assertIsInstance(objects, dict) - self.assertIn("objects", objects) - self.assertIn("id", objects) - self.assertIn("intra_extension_uuid", objects) - self.assertEqual(ref["id"], objects["intra_extension_uuid"]) - self.assertIsInstance(objects["objects"], dict) - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] + for key, value in objects.iteritems(): + objects_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + create_user(self, "subject_test") + new_object = {"name": "object_test", "description": "object_test"} self.assertRaises( AuthzException, - self.manager.set_object_dict, - admin_user["id"], ref["id"], new_object["id"]) + self.manager.add_object_dict, + demo_subject_id, admin_ie_dict["id"], new_object) - # Delete the new object self.assertRaises( - AuthzException, - self.manager.del_object, - admin_user["id"], ref["id"], new_object["id"]) + ObjectsWriteNoAuthorized, + self.admin_manager.add_object_dict, + admin_subject_id, authz_ie_dict["id"], new_object + ) - # Add a particular object - self.assertRaises( - AuthzException, - self.manager.add_object_dict, - admin_user["id"], ref["id"], new_object["name"]) + # Delete the new object + for key in objects_id_list: + self.assertRaises( + AuthzException, + self.manager.del_object, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + AuthzException, + self.manager.del_object, + admin_subject_id, authz_ie_dict["id"], key) - def test_actions(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) + for key in objects_id_list: + self.assertRaises( + ObjectsWriteNoAuthorized, + self.admin_manager.del_object, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + ObjectsWriteNoAuthorized, + self.admin_manager.del_object, + admin_subject_id, authz_ie_dict["id"], key) - actions = self.manager.get_actions_dict(admin_user["id"], tenant["id"]) + def test_actions(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + actions = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + actions_id_list = [] self.assertIsInstance(actions, dict) - self.assertIn("actions", actions) - self.assertIn("id", actions) - self.assertIn("intra_extension_uuid", actions) - self.assertEqual(ref["id"], actions["intra_extension_uuid"]) - self.assertIsInstance(actions["actions"], dict) - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] + for key, value in actions.iteritems(): + actions_id_list.append(key) + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + create_user(self, "subject_test") + new_action = {"name": "action_test", "description": "action_test"} self.assertRaises( AuthzException, - self.manager.set_action_dict, - admin_user["id"], ref["id"], new_actions) + self.manager.add_action_dict, + demo_subject_id, admin_ie_dict["id"], new_action) - # Delete the new action self.assertRaises( - AuthzException, - self.manager.del_action, - admin_user["id"], ref["id"], new_action["id"]) + ActionsWriteNoAuthorized, + self.admin_manager.add_action_dict, + admin_subject_id, authz_ie_dict["id"], new_action + ) - # Add a particular action - self.assertRaises( - AuthzException, - self.manager.add_action_dict, - admin_user["id"], ref["id"], new_action["id"]) + # Delete all actions + for key in actions_id_list: + self.assertRaises( + AuthzException, + self.manager.del_action, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + AuthzException, + self.manager.del_action, + admin_subject_id, authz_ie_dict["id"], key) - def test_subject_categories(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) + for key in actions_id_list: + self.assertRaises( + ActionsWriteNoAuthorized, + self.admin_manager.del_action, + demo_subject_id, authz_ie_dict["id"], key) + self.assertRaises( + ActionsWriteNoAuthorized, + self.admin_manager.del_action, + admin_subject_id, authz_ie_dict["id"], key) - subject_categories = self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]) + def test_subject_categories(self): + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIsInstance(subject_categories["subject_categories"], dict) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - new_subject_categories = dict() - new_subject_categories[new_subject_category["id"]] = new_subject_category["name"] + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_subject_category = {"name": "subject_category_test", "description": "subject_category_test"} self.assertRaises( AuthzException, - self.manager.set_subject_category_dict, - admin_user["id"], ref["id"], new_subject_categories) + self.manager.add_subject_category, + demo_subject_id, admin_ie_dict["id"], new_subject_category) + + subject_categories = self.admin_manager.add_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category) + _subject_categories = dict(subject_categories) + self.assertEqual(len(_subject_categories.keys()), 1) + new_subject_category["id"] = _subject_categories.keys()[0] + value = subject_categories[new_subject_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_subject_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_subject_category["description"]) # Delete the new subject_category self.assertRaises( AuthzException, self.manager.del_subject_category, - admin_user["id"], ref["id"], new_subject_category["id"]) + demo_subject_id, authz_ie_dict["id"], new_subject_category["id"]) - # Add a particular subject_category - self.assertRaises( - AuthzException, - self.manager.add_subject_category, - admin_user["id"], ref["id"], new_subject_category["name"]) + self.admin_manager.del_subject_category(admin_subject_id, authz_ie_dict["id"], new_subject_category["id"]) + subject_categories = self.manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in subject_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_subject_category["name"], value["name"]) + self.assertIn("description", value) def test_object_categories(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - object_categories = self.manager.get_object_category_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(object_categories, dict) - self.assertIn("object_categories", object_categories) - self.assertIn("id", object_categories) - self.assertIn("intra_extension_uuid", object_categories) - self.assertEqual(ref["id"], object_categories["intra_extension_uuid"]) - self.assertIsInstance(object_categories["object_categories"], dict) - - new_object_category = {"id": uuid.uuid4().hex, "name": "object_category_test"} - new_object_categories = dict() - new_object_categories[new_object_category["id"]] = new_object_category["name"] + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_object_category = {"name": "object_category_test", "description": "object_category_test"} self.assertRaises( AuthzException, - self.manager.set_object_category_dict, - admin_user["id"], ref["id"], new_object_categories) + self.manager.add_object_category, + demo_subject_id, admin_ie_dict["id"], new_object_category) + + object_categories = self.admin_manager.add_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category) + _object_categories = dict(object_categories) + self.assertEqual(len(_object_categories.keys()), 1) + new_object_category["id"] = _object_categories.keys()[0] + value = object_categories[new_object_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_object_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_object_category["description"]) # Delete the new object_category self.assertRaises( AuthzException, self.manager.del_object_category, - admin_user["id"], ref["id"], new_object_category["id"]) + demo_subject_id, authz_ie_dict["id"], new_object_category["id"]) - # Add a particular object_category - self.assertRaises( - AuthzException, - self.manager.add_object_category, - admin_user["id"], ref["id"], new_object_category["name"]) + self.admin_manager.del_object_category(admin_subject_id, authz_ie_dict["id"], new_object_category["id"]) + object_categories = self.manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in object_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_object_category["name"], value["name"]) + self.assertIn("description", value) def test_action_categories(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - action_categories = self.manager.get_action_category_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(action_categories, dict) - self.assertIn("action_categories", action_categories) - self.assertIn("id", action_categories) - self.assertIn("intra_extension_uuid", action_categories) - self.assertEqual(ref["id"], action_categories["intra_extension_uuid"]) - self.assertIsInstance(action_categories["action_categories"], dict) - - new_action_category = {"id": uuid.uuid4().hex, "name": "action_category_test"} - new_action_categories = dict() - new_action_categories[new_action_category["id"]] = new_action_category["name"] + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + new_action_category = {"name": "action_category_test", "description": "action_category_test"} self.assertRaises( AuthzException, - self.manager.set_action_category_dict, - admin_user["id"], ref["id"], new_action_categories) + self.manager.add_action_category, + demo_subject_id, admin_ie_dict["id"], new_action_category) + + action_categories = self.admin_manager.add_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category) + _action_categories = dict(action_categories) + self.assertEqual(len(_action_categories.keys()), 1) + new_action_category["id"] = _action_categories.keys()[0] + value = action_categories[new_action_category["id"]] + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertEqual(value["name"], new_action_category["name"]) + self.assertIn("description", value) + self.assertEqual(value["description"], new_action_category["description"]) # Delete the new action_category self.assertRaises( AuthzException, self.manager.del_action_category, - admin_user["id"], ref["id"], new_action_category["id"]) + demo_subject_id, authz_ie_dict["id"], new_action_category["id"]) - # Add a particular action_category - self.assertRaises( - AuthzException, - self.manager.add_action_category, - admin_user["id"], ref["id"], new_action_category["name"]) + self.admin_manager.del_action_category(admin_subject_id, authz_ie_dict["id"], new_action_category["id"]) + action_categories = self.manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in action_categories.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIsNot(new_action_category["name"], value["name"]) + self.assertIn("description", value) def test_subject_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - subject_categories = self.admin_manager.set_subject_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: admin_user["id"], - uuid.uuid4().hex: "dev", + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: + for subject_category_id in subject_categories: + subject_category_scope = self.manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) - - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = "new_subject_category_scope" - self.assertRaises( - AuthzException, - self.manager.set_subject_scope_dict, - admin_user["id"], ref["id"], subject_category, new_subject_category_scope) + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope = { + "name": "france", + "description": "france", + } - # Delete the new subject_category_scope self.assertRaises( AuthzException, - self.manager.del_subject_scope, - admin_user["id"], ref["id"], subject_category, new_subject_category_scope_uuid) + self.admin_manager.add_subject_scope_dict, + demo_subject_id, authz_ie_dict["id"], subject_category_id, new_subject_category_scope) - # Add a particular subject_category_scope + subject_category_scope = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope) + self.assertIsInstance(subject_category_scope, dict) + self.assertEqual(len(subject_category_scope.keys()), 1) + subject_category_scope_id = subject_category_scope.keys()[0] + subject_category_scope_value = subject_category_scope[subject_category_scope_id] + self.assertIn("name", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["name"], subject_category_scope_value["name"]) + self.assertIn("description", subject_category_scope_value) + self.assertEqual(new_subject_category_scope["description"], subject_category_scope_value["description"]) + + # Delete the new subject_category_scope self.assertRaises( AuthzException, - self.manager.add_subject_scope_dict, - admin_user["id"], ref["id"], subject_category, new_subject_category_scope[new_subject_category_scope_uuid]) + self.admin_manager.del_subject_scope, + demo_subject_id, authz_ie_dict["id"], subject_category_id, subject_category_scope_id) + + self.admin_manager.del_subject_scope( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + subject_category_scope_id) + subject_category_scope = self.admin_manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) + self.assertIsInstance(subject_category_scope, dict) + self.assertNotIn(subject_category_scope_id, subject_category_scope.keys()) def test_object_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - object_categories = self.admin_manager.set_object_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "id", - uuid.uuid4().hex: "domain", + "name": "country", + "description": "country", } ) - for object_category in object_categories["object_categories"]: + for object_category_id in object_categories: + object_category_scope = self.manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) - - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = "new_object_category_scope" - self.assertRaises( - AuthzException, - self.manager.set_object_scope_dict, - admin_user["id"], ref["id"], object_category, new_object_category_scope) + self.assertEqual({}, object_category_scope) + + new_object_category_scope = { + "name": "france", + "description": "france", + } - # Delete the new object_category_scope self.assertRaises( AuthzException, - self.manager.del_object_scope, - admin_user["id"], ref["id"], object_category, new_object_category_scope_uuid) + self.admin_manager.add_object_scope_dict, + demo_subject_id, authz_ie_dict["id"], object_category_id, new_object_category_scope) + + object_category_scope = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope) + self.assertIsInstance(object_category_scope, dict) + self.assertEqual(len(object_category_scope.keys()), 1) + object_category_scope_id = object_category_scope.keys()[0] + object_category_scope_value = object_category_scope[object_category_scope_id] + self.assertIn("name", object_category_scope_value) + self.assertEqual(new_object_category_scope["name"], object_category_scope_value["name"]) + self.assertIn("description", object_category_scope_value) + self.assertEqual(new_object_category_scope["description"], object_category_scope_value["description"]) - # Add a particular object_category_scope + # Delete the new object_category_scope self.assertRaises( AuthzException, - self.manager.add_object_scope_dict, - admin_user["id"], ref["id"], object_category, new_object_category_scope[new_object_category_scope_uuid]) + self.admin_manager.del_object_scope, + demo_subject_id, authz_ie_dict["id"], object_category_id, object_category_scope_id) + + self.admin_manager.del_object_scope( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + object_category_scope_id) + object_category_scope = self.admin_manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) + self.assertIsInstance(object_category_scope, dict) + self.assertNotIn(object_category_scope_id, object_category_scope.keys()) def test_action_category_scope(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - action_categories = self.admin_manager.set_action_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - uuid.uuid4().hex: "compute", - uuid.uuid4().hex: "identity", + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: + for action_category_id in action_categories: + action_category_scope = self.manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) - - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = "new_action_category_scope" - self.assertRaises( - AuthzException, - self.manager.set_action_scope_dict, - admin_user["id"], ref["id"], action_category, new_action_category_scope) + self.assertEqual({}, action_category_scope) + + new_action_category_scope = { + "name": "get", + "description": "get swift files", + } - # Delete the new action_category_scope self.assertRaises( AuthzException, - self.manager.del_action_scope, - admin_user["id"], ref["id"], action_category, new_action_category_scope_uuid) + self.admin_manager.add_action_scope_dict, + demo_subject_id, authz_ie_dict["id"], action_category_id, new_action_category_scope) - # Add a particular action_category_scope + action_category_scope = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope) + self.assertIsInstance(action_category_scope, dict) + self.assertEqual(len(action_category_scope.keys()), 1) + action_category_scope_id = action_category_scope.keys()[0] + action_category_scope_value = action_category_scope[action_category_scope_id] + self.assertIn("name", action_category_scope_value) + self.assertEqual(new_action_category_scope["name"], action_category_scope_value["name"]) + self.assertIn("description", action_category_scope_value) + self.assertEqual(new_action_category_scope["description"], action_category_scope_value["description"]) + + # Delete the new action_category_scope self.assertRaises( AuthzException, - self.manager.add_action_scope_dict, - admin_user["id"], ref["id"], action_category, new_action_category_scope[new_action_category_scope_uuid]) + self.admin_manager.del_action_scope, + demo_subject_id, authz_ie_dict["id"], action_category_id, action_category_scope_id) + + self.admin_manager.del_action_scope( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + action_category_scope_id) + action_category_scope = self.admin_manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) + self.assertIsInstance(action_category_scope, dict) + self.assertNotIn(action_category_scope_id, action_category_scope.keys()) def test_subject_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - new_subject = self.create_user() - new_subjects = dict() - new_subjects[new_subject["id"]] = new_subject["name"] - subjects = self.admin_manager.set_subject_dict(admin_user["id"], ref["id"], new_subjects) - - new_subject_category_uuid = uuid.uuid4().hex - new_subject_category_value = "role" - subject_categories = self.admin_manager.set_subject_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + admin_authz_subject_id, admin_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + demo_authz_subject_id, demo_authz_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], authz_ie_dict['id'], 'demo').iteritems().next() + + subjects_dict = self.manager.get_subjects_dict(admin_subject_id, authz_ie_dict["id"]) + + subject_categories = self.admin_manager.add_subject_category( + admin_subject_id, + authz_ie_dict["id"], { - new_subject_category_uuid: new_subject_category_value + "name": "country", + "description": "country", } ) - for subject_category in subject_categories["subject_categories"]: - subject_category_scope = self.admin_manager.get_subject_scopes_dict( - admin_user["id"], - ref["id"], - subject_category) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIsInstance(subject_category_scope["subject_category_scope"], dict) - - new_subject_category_scope = dict() - new_subject_category_scope_uuid = uuid.uuid4().hex - new_subject_category_scope[new_subject_category_scope_uuid] = admin_user["id"] - subject_category_scope = self.admin_manager.set_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope) - self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope[new_subject_category_scope_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) - - new_subject_category_scope2 = dict() - new_subject_category_scope2_uuid = uuid.uuid4().hex - new_subject_category_scope2[new_subject_category_scope2_uuid] = "dev" - subject_category_scope = self.admin_manager.set_subject_scope_dict( - admin_user["id"], - ref["id"], - subject_category, - new_subject_category_scope2) + for subject_category_id in subject_categories: + subject_category_scope = self.manager.get_subject_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id) self.assertIsInstance(subject_category_scope, dict) - self.assertIn("subject_category_scope", subject_category_scope) - self.assertIn("id", subject_category_scope) - self.assertIn("intra_extension_uuid", subject_category_scope) - self.assertEqual(ref["id"], subject_category_scope["intra_extension_uuid"]) - self.assertIn(new_subject_category_scope2[new_subject_category_scope2_uuid], - subject_category_scope["subject_category_scope"][subject_category].values()) - - subject_category_assignments = self.manager.get_subject_assignment_dict( - admin_user["id"], - ref["id"], - new_subject["id"] + self.assertEqual({}, subject_category_scope) + + new_subject_category_scope_1 = { + "name": "france", + "description": "france", + } + + subject_category_scope_1 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_1) + subject_category_scope_1_id = subject_category_scope_1.keys()[0] + + new_subject_category_scope_2 = { + "name": "china", + "description": "china", + } + + subject_category_scope_2 = self.admin_manager.add_subject_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + subject_category_id, + new_subject_category_scope_2) + subject_category_scope_2_id = subject_category_scope_2.keys()[0] + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, + subject_category_id ) - self.assertIsInstance(subject_category_assignments, dict) - self.assertIn("subject_category_assignments", subject_category_assignments) - self.assertIn("id", subject_category_assignments) - self.assertIn("intra_extension_uuid", subject_category_assignments) - self.assertEqual(ref["id"], subject_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, subject_category_assignments["subject_category_assignments"][new_subject["id"]]) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) + + subject_category_assignments = self.manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, + subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual([], subject_category_assignments) self.assertRaises( AuthzException, - self.manager.set_subject_assignment_dict, - admin_user["id"], ref["id"], new_subject["id"], - { - new_subject_category_uuid: [new_subject_category_scope_uuid, new_subject_category_scope2_uuid], - }) + self.manager.add_subject_assignment_list, + demo_subject_id, authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id + ) self.assertRaises( AuthzException, - self.manager.del_subject_assignment, - admin_user["id"], ref["id"], new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid) + self.manager.add_subject_assignment_list, + demo_subject_id, authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_1_id + ) + self.assertIsInstance(subject_category_assignments, list) + + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) + + subject_category_assignments = self.admin_manager.add_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.add_subject_assignment_list, - admin_user["id"], ref["id"], new_subject["id"], - new_subject_category_uuid, - new_subject_category_scope_uuid) + self.admin_manager.del_subject_assignment, + demo_subject_id, authz_ie_dict["id"], + demo_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + + self.admin_manager.del_subject_assignment( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) + subject_category_assignments = self.admin_manager.get_subject_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id + ) + self.assertIsInstance(subject_category_assignments, list) + self.assertEqual(len(subject_category_assignments), 1) + + self.assertRaises( + SubjectAssignmentUnknown, + self.admin_manager.del_subject_assignment, + admin_subject_id, + authz_ie_dict["id"], + admin_authz_subject_id, subject_category_id, subject_category_scope_2_id + ) def test_object_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - new_object = {"id": uuid.uuid4().hex, "name": "my_object"} - new_objects = dict() - new_objects[new_object["id"]] = new_object["name"] - objects = self.admin_manager.set_object_dict(admin_user["id"], ref["id"], new_objects) - - new_object_category_uuid = uuid.uuid4().hex - new_object_category_value = "role" - object_categories = self.admin_manager.set_object_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + objects_dict = self.manager.get_objects_dict(admin_subject_id, authz_ie_dict["id"]) + + object_vm1_id = None + object_vm2_id = None + for _object_id in objects_dict: + if objects_dict[_object_id]['name'] == 'vm1': + object_vm1_id = _object_id + if objects_dict[_object_id]['name'] == 'vm2': + object_vm2_id = _object_id + if not object_vm1_id or not object_vm2_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in objects)") + + object_categories = self.admin_manager.add_object_category( + admin_subject_id, + authz_ie_dict["id"], { - new_object_category_uuid: new_object_category_value + "name": "location", + "description": "location", } ) - for object_category in object_categories["object_categories"]: - object_category_scope = self.admin_manager.get_object_scopes_dict( - admin_user["id"], - ref["id"], - object_category) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIsInstance(object_category_scope["object_category_scope"], dict) - - new_object_category_scope = dict() - new_object_category_scope_uuid = uuid.uuid4().hex - new_object_category_scope[new_object_category_scope_uuid] = admin_user["id"] - object_category_scope = self.admin_manager.set_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope) - self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope[new_object_category_scope_uuid], - object_category_scope["object_category_scope"][object_category].values()) - - new_object_category_scope2 = dict() - new_object_category_scope2_uuid = uuid.uuid4().hex - new_object_category_scope2[new_object_category_scope2_uuid] = "dev" - object_category_scope = self.admin_manager.set_object_scope_dict( - admin_user["id"], - ref["id"], - object_category, - new_object_category_scope2) + for object_category_id in object_categories: + object_category_scope = self.manager.get_object_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id) self.assertIsInstance(object_category_scope, dict) - self.assertIn("object_category_scope", object_category_scope) - self.assertIn("id", object_category_scope) - self.assertIn("intra_extension_uuid", object_category_scope) - self.assertEqual(ref["id"], object_category_scope["intra_extension_uuid"]) - self.assertIn(new_object_category_scope2[new_object_category_scope2_uuid], - object_category_scope["object_category_scope"][object_category].values()) + self.assertEqual({}, object_category_scope) + + new_object_category_scope_1 = { + "name": "france", + "description": "france", + } + + object_category_scope_1 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_1) + object_category_scope_1_id = object_category_scope_1.keys()[0] + + new_object_category_scope_2 = { + "name": "china", + "description": "china", + } + + object_category_scope_2 = self.admin_manager.add_object_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + object_category_id, + new_object_category_scope_2) + object_category_scope_2_id = object_category_scope_2.keys()[0] object_category_assignments = self.manager.get_object_assignment_list( - admin_user["id"], - ref["id"], - new_object["id"] + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, + object_category_id ) - self.assertIsInstance(object_category_assignments, dict) - self.assertIn("object_category_assignments", object_category_assignments) - self.assertIn("id", object_category_assignments) - self.assertIn("intra_extension_uuid", object_category_assignments) - self.assertEqual(ref["id"], object_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, object_category_assignments["object_category_assignments"][new_object["id"]]) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) + + object_category_assignments = self.manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, + object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual([], object_category_assignments) self.assertRaises( AuthzException, - self.manager.set_object_category_assignment_dict, - admin_user["id"], ref["id"], new_object["id"], - { - new_object_category_uuid: [new_object_category_scope_uuid, new_object_category_scope2_uuid], - }) + self.manager.add_object_assignment_list, + demo_subject_id, authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id + ) self.assertRaises( AuthzException, - self.manager.del_object_assignment, - admin_user["id"], ref["id"], new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid) + self.manager.add_object_assignment_list, + demo_subject_id, authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id + ) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_1_id + ) + self.assertIsInstance(object_category_assignments, list) + + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) + + object_category_assignments = self.admin_manager.add_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.add_object_assignment_list, - admin_user["id"], ref["id"], new_object["id"], - new_object_category_uuid, - new_object_category_scope_uuid) + self.admin_manager.del_object_assignment, + demo_subject_id, authz_ie_dict["id"], + object_vm2_id, object_category_id, object_category_scope_2_id + ) + + self.admin_manager.del_object_assignment( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) + object_category_assignments = self.admin_manager.get_object_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id + ) + self.assertIsInstance(object_category_assignments, list) + self.assertEqual(len(object_category_assignments), 1) + + self.assertRaises( + ObjectAssignmentUnknown, + self.admin_manager.del_object_assignment, + admin_subject_id, + authz_ie_dict["id"], + object_vm1_id, object_category_id, object_category_scope_2_id + ) def test_action_category_assignment(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - new_action = {"id": uuid.uuid4().hex, "name": "my_action"} - new_actions = dict() - new_actions[new_action["id"]] = new_action["name"] - actions = self.admin_manager.set_action_dict(admin_user["id"], ref["id"], new_actions) - - new_action_category_uuid = uuid.uuid4().hex - new_action_category_value = "role" - action_categories = self.admin_manager.set_action_category_dict( - admin_user["id"], - ref["id"], + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + actions_dict = self.manager.get_actions_dict(admin_subject_id, authz_ie_dict["id"]) + + action_upload_id = None + action_list_id = None + for _action_id in actions_dict: + if actions_dict[_action_id]['name'] == 'upload': + action_upload_id = _action_id + if actions_dict[_action_id]['name'] == 'list': + action_list_id = _action_id + if not action_upload_id or not action_list_id: + raise Exception("Cannot run tests, database is corrupted ? (need upload and list in actions)") + + action_categories = self.admin_manager.add_action_category( + admin_subject_id, + authz_ie_dict["id"], { - new_action_category_uuid: new_action_category_value + "name": "swift", + "description": "swift actions", } ) - for action_category in action_categories["action_categories"]: - action_category_scope = self.admin_manager.get_action_scopes_dict( - admin_user["id"], - ref["id"], - action_category) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIsInstance(action_category_scope["action_category_scope"], dict) - - new_action_category_scope = dict() - new_action_category_scope_uuid = uuid.uuid4().hex - new_action_category_scope[new_action_category_scope_uuid] = admin_user["id"] - action_category_scope = self.admin_manager.set_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope) - self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope[new_action_category_scope_uuid], - action_category_scope["action_category_scope"][action_category].values()) - - new_action_category_scope2 = dict() - new_action_category_scope2_uuid = uuid.uuid4().hex - new_action_category_scope2[new_action_category_scope2_uuid] = "dev" - action_category_scope = self.admin_manager.set_action_scope_dict( - admin_user["id"], - ref["id"], - action_category, - new_action_category_scope2) + for action_category_id in action_categories: + action_category_scope = self.manager.get_action_scopes_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id) self.assertIsInstance(action_category_scope, dict) - self.assertIn("action_category_scope", action_category_scope) - self.assertIn("id", action_category_scope) - self.assertIn("intra_extension_uuid", action_category_scope) - self.assertEqual(ref["id"], action_category_scope["intra_extension_uuid"]) - self.assertIn(new_action_category_scope2[new_action_category_scope2_uuid], - action_category_scope["action_category_scope"][action_category].values()) + self.assertEqual({}, action_category_scope) + + new_action_category_scope_1 = { + "name": "swift_admin", + "description": "action require admin rights", + } + + action_category_scope_1 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_1) + action_category_scope_1_id = action_category_scope_1.keys()[0] + + new_action_category_scope_2 = { + "name": "swift_anonymous", + "description": "action require no right", + } + + action_category_scope_2 = self.admin_manager.add_action_scope_dict( + admin_subject_id, + authz_ie_dict["id"], + action_category_id, + new_action_category_scope_2) + action_category_scope_2_id = action_category_scope_2.keys()[0] action_category_assignments = self.manager.get_action_assignment_list( - admin_user["id"], - ref["id"], - new_action["id"] + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, + action_category_id ) - self.assertIsInstance(action_category_assignments, dict) - self.assertIn("action_category_assignments", action_category_assignments) - self.assertIn("id", action_category_assignments) - self.assertIn("intra_extension_uuid", action_category_assignments) - self.assertEqual(ref["id"], action_category_assignments["intra_extension_uuid"]) - self.assertEqual({}, action_category_assignments["action_category_assignments"][new_action["id"]]) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) + + action_category_assignments = self.manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, + action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual([], action_category_assignments) self.assertRaises( AuthzException, - self.manager.set_action_assignment_dict, - admin_user["id"], ref["id"], new_action["id"], - { - new_action_category_uuid: [new_action_category_scope_uuid, new_action_category_scope2_uuid], - }) + self.manager.add_action_assignment_list, + demo_subject_id, authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id + ) + + self.assertRaises( + AuthzException, + self.manager.add_action_assignment_list, + demo_subject_id, authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id + ) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_1_id + ) + self.assertIsInstance(action_category_assignments, list) + + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) + + action_category_assignments = self.admin_manager.add_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) + + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 2) self.assertRaises( AuthzException, - self.manager.del_action_assignment, - admin_user["id"], ref["id"], new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid) + self.admin_manager.del_action_assignment, + demo_subject_id, authz_ie_dict["id"], + action_list_id, action_category_id, action_category_scope_2_id + ) + + self.admin_manager.del_action_assignment( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) + action_category_assignments = self.admin_manager.get_action_assignment_list( + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id + ) + self.assertIsInstance(action_category_assignments, list) + self.assertEqual(len(action_category_assignments), 1) self.assertRaises( - ActionCategoryAssignmentAddNotAuthorized, - self.manager.add_action_assignment_list, - admin_user["id"], ref["id"], new_action["id"], - new_action_category_uuid, - new_action_category_scope_uuid) + ActionAssignmentUnknown, + self.admin_manager.del_action_assignment, + admin_subject_id, + authz_ie_dict["id"], + action_upload_id, action_category_id, action_category_scope_2_id + ) def test_sub_meta_rules(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - aggregation_algorithms = self.manager.get_aggregation_algorithms(admin_user["id"], ref["id"]) - self.assertIsInstance(aggregation_algorithms, dict) - self.assertIsInstance(aggregation_algorithms["aggregation_algorithms"], list) - self.assertIn("and_true_aggregation", aggregation_algorithms["aggregation_algorithms"]) - self.assertIn("test_aggregation", aggregation_algorithms["aggregation_algorithms"]) - - aggregation_algorithm = self.manager.get_aggregation_algorithm_dict(admin_user["id"], ref["id"]) - self.assertIsInstance(aggregation_algorithm, dict) - self.assertIn("aggregation", aggregation_algorithm) - self.assertIn(aggregation_algorithm["aggregation"], aggregation_algorithms["aggregation_algorithms"]) - - _aggregation_algorithm = list(aggregation_algorithms["aggregation_algorithms"]) - _aggregation_algorithm.remove(aggregation_algorithm["aggregation"]) - self.assertRaises( - AuthzException, - self.manager.set_aggregation_algorithm_dict, - admin_user["id"], ref["id"], _aggregation_algorithm[0]) - - sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + aggregation_algorithms = self.admin_manager.get_aggregation_algorithm_dict(admin_subject_id, authz_ie_dict["id"]) + for key, value in aggregation_algorithms.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("name", value) + self.assertIn("description", value) + + # TODO: need more tests on aggregation_algorithms (set and del) + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - sub_meta_rules_conf = json.load(open(os.path.join(self.policy_directory, ref["model"], "metarule.json"))) - metarule = dict() categories = { - "subject_categories": self.manager.get_subject_categories_dict(admin_user["id"], ref["id"]), - "object_categories": self.manager.get_object_category_dict(admin_user["id"], ref["id"]), - "action_categories": self.manager.get_action_category_dict(admin_user["id"], ref["id"]) + "subject_categories": self.admin_manager.get_subject_categories_dict(admin_subject_id, authz_ie_dict["id"]), + "object_categories": self.admin_manager.get_object_category_dict(admin_subject_id, authz_ie_dict["id"]), + "action_categories": self.admin_manager.get_action_category_dict(admin_subject_id, authz_ie_dict["id"]) } - for relation in sub_meta_rules_conf["sub_meta_rules"]: - metarule[relation] = dict() - for item in ("subject_categories", "object_categories", "action_categories"): - metarule[relation][item] = list() - for element in sub_meta_rules_conf["sub_meta_rules"][relation][item]: - metarule[relation][item].append(self.__get_key_from_value( - element, - categories[item][item] - )) - - for relation in sub_meta_rules["sub_meta_rules"]: - self.assertIn(relation, metarule) - for item in ("subject_categories", "object_categories", "action_categories"): - self.assertEqual( - sub_meta_rules["sub_meta_rules"][relation][item], - metarule[relation][item] - ) - - new_subject_category = {"id": uuid.uuid4().hex, "name": "subject_category_test"} - # Add a particular subject_category - data = self.admin_manager.add_subject_category( - admin_user["id"], - ref["id"], - new_subject_category["name"]) - new_subject_category["id"] = data["subject_category"]["uuid"] - subject_categories = self.manager.get_subject_categories_dict( - admin_user["id"], - ref["id"]) - self.assertIsInstance(subject_categories, dict) - self.assertIn("subject_categories", subject_categories) - self.assertIn("id", subject_categories) - self.assertIn("intra_extension_uuid", subject_categories) - self.assertEqual(ref["id"], subject_categories["intra_extension_uuid"]) - self.assertIn(new_subject_category["id"], subject_categories["subject_categories"]) - metarule[relation]["subject_categories"].append(new_subject_category["id"]) - self.assertRaises( - AuthzException, - self.manager.get_sub_meta_rule_dict, - admin_user["id"], ref["id"], metarule) + for key, value in sub_meta_rules.iteritems(): + self.assertIsInstance(value, dict) + self.assertIn("action_categories", value) + self.assertIn("object_categories", value) + self.assertIn("subject_categories", value) + self.assertIn("algorithm", value) + self.assertIn("name", value) + for action_category_id in value["action_categories"]: + self.assertIn(action_category_id, categories["action_categories"]) + for object_category_id in value["object_categories"]: + self.assertIn(object_category_id, categories["object_categories"]) + for subject_category_id in value["subject_categories"]: + self.assertIn(subject_category_id, categories["subject_categories"]) + # TODO: need more tests (set and del) def test_sub_rules(self): - demo_user = self.create_user("demo") - admin_user = self.create_user() - tenant = self.create_tenant() - ref = self.create_intra_extension("policy_authz") - ref_admin = self.create_intra_extension("policy_admin") - self.create_mapping(tenant, ref["id"], ref_admin["id"]) - - sub_meta_rules = self.manager.get_sub_meta_rules_dict(admin_user["id"], ref["id"]) + authz_ie_dict = create_intra_extension(self, "policy_authz") + admin_ie_dict = create_intra_extension(self, "policy_admin") + tenant, mapping = create_mapping(self, "demo", authz_ie_dict['id'], admin_ie_dict['id']) + + admin_subject_id, admin_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'admin').iteritems().next() + demo_subject_dict = self.admin_manager.add_subject_dict(admin_subject_id, admin_ie_dict["id"], + {"name": "demo", "description": "demo"}) + demo_subject_id, demo_subject_dict = \ + self.tenant_api.get_subject_from_keystone_name(tenant['id'], admin_ie_dict['id'], 'demo').iteritems().next() + + sub_meta_rules = self.admin_manager.get_sub_meta_rules_dict(admin_subject_id, authz_ie_dict["id"]) self.assertIsInstance(sub_meta_rules, dict) - self.assertIn("sub_meta_rules", sub_meta_rules) - - sub_rules = self.manager.get_sub_rules(admin_user["id"], ref["id"]) - self.assertIsInstance(sub_rules, dict) - self.assertIn("rules", sub_rules) - rules = dict() - for relation in sub_rules["rules"]: - self.assertIn(relation, self.manager.get_sub_meta_rule_relations(admin_user["id"], ref["id"])["sub_meta_rule_relations"]) - rules[relation] = list() - for rule in sub_rules["rules"][relation]: + + for relation_id in sub_meta_rules: + rules = self.admin_manager.get_rules_dict(admin_subject_id, authz_ie_dict["id"], relation_id) + rule_length = len(sub_meta_rules[relation_id]["subject_categories"]) + \ + len(sub_meta_rules[relation_id]["object_categories"]) + \ + len(sub_meta_rules[relation_id]["action_categories"]) + 1 + for rule_id in rules: + self.assertEqual(rule_length, len(rules[rule_id])) + rule = list(rules[rule_id]) for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: + for cat_value in sub_meta_rules[relation_id][cat]: scope = cat_func( - admin_user["id"], - ref["id"], + admin_subject_id, + authz_ie_dict["id"], cat_value ) a_scope = rule.pop(0) - self.assertIn(a_scope, scope[func_name][cat_value]) - - # add a new subrule - - relation = sub_rules["rules"].keys()[0] - sub_rule = [] - for cat, cat_func, func_name in ( - ("subject_categories", self.manager.get_subject_scopes_dict, "subject_category_scope"), - ("action_categories", self.manager.get_action_scopes_dict, "action_category_scope"), - ("object_categories", self.manager.get_object_scopes_dict, "object_category_scope"), - ): - for cat_value in sub_meta_rules["sub_meta_rules"][relation][cat]: - scope = cat_func( - admin_user["id"], - ref["id"], - cat_value - ) - sub_rule.append(scope[func_name][cat_value].keys()[0]) + if type(a_scope) is not bool: + self.assertIn(a_scope, scope.keys()) + + # add a new subrule + + sub_rule = [] + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + sub_rule.append(scope.keys()[0]) + + sub_rule.append(False) + self.assertRaises( + AuthzException, + self.admin_manager.add_rule_dict, + demo_subject_id, authz_ie_dict["id"], relation_id, sub_rule + ) - self.assertRaises( - AuthzException, - self.manager.set_sub_rule, - admin_user["id"], ref["id"], relation, sub_rule) + sub_rules = self.admin_manager.add_rule_dict(admin_subject_id, authz_ie_dict["id"], relation_id, sub_rule) + self.assertIsInstance(sub_rules, dict) + self.assertIn(sub_rule, sub_rules.values()) + + for rule_id, rule_value in sub_rules.iteritems(): + for cat, cat_func, func_name in ( + ("subject_categories", self.admin_manager.get_subject_scopes_dict, "subject_category_scope"), + ("action_categories", self.admin_manager.get_action_scopes_dict, "action_category_scope"), + ("object_categories", self.admin_manager.get_object_scopes_dict, "object_category_scope"), + ): + for cat_value in sub_meta_rules[relation_id][cat]: + scope = cat_func( + admin_subject_id, + authz_ie_dict["id"], + cat_value + ) + a_scope = rule_value.pop(0) + self.assertIn(a_scope, scope.keys()) + # TODO: add test for the delete function diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py index aa584a65..17e70018 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_log.py @@ -17,7 +17,7 @@ from keystone import resource from keystone.contrib.moon.exception import * from keystone.tests.unit import default_fixtures from keystone.contrib.moon.core import LogManager, TenantManager -from keystone.contrib.moon.core import DEFAULT_USER_ID +from keystone.contrib.moon.core import ADMIN_ID CONF = cfg.CONF @@ -35,6 +35,7 @@ IE = { TIME_FORMAT = '%Y-%m-%d-%H:%M:%S' +@dependency.requires('admin_api', 'tenant_api', 'configuration_api') class TestIntraExtensionAdminManager(tests.TestCase): def setUp(self): @@ -42,6 +43,12 @@ class TestIntraExtensionAdminManager(tests.TestCase): super(TestIntraExtensionAdminManager, self).setUp() self.load_backends() self.load_fixtures(default_fixtures) + self.admin = self.create_user(username="admin") + self.demo = self.create_user(username="demo") + self.root_intra_extension = self.create_intra_extension(policy_model="policy_root") + # force re-initialization of the ADMIN_ID variable + from keystone.contrib.moon.core import ADMIN_ID + self.ADMIN_ID = ADMIN_ID self.manager = IntraExtensionAdminManager() def __get_key_from_value(self, value, values_dict): @@ -68,7 +75,7 @@ class TestIntraExtensionAdminManager(tests.TestCase): # Create the admin user because IntraExtension needs it self.admin = self.identity_api.create_user(USER_ADMIN) IE["policymodel"] = policy_model - self.ref = self.manager.load_intra_extension_dict(DEFAULT_USER_ID, intra_extension_dict=IE) + self.ref = self.manager.load_intra_extension_dict(ADMIN_ID, intra_extension_dict=IE) self.assertIsInstance(self.ref, dict) self.create_tenant(self.ref["id"]) diff --git a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py index 6d656488..995b6a54 100644 --- a/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py +++ b/keystone-moon/keystone/tests/moon/unit/test_unit_core_tenant.py @@ -30,7 +30,7 @@ IE = { "description": "a simple description." } -@dependency.requires('admin_api') +@dependency.requires('admin_api', 'tenant_api', 'configuration_api') class TestTenantManager(tests.TestCase): ADMIN_ID = None @@ -45,8 +45,8 @@ class TestTenantManager(tests.TestCase): # force re-initialization of the ADMIN_ID variable from keystone.contrib.moon.core import ADMIN_ID self.ADMIN_ID = ADMIN_ID - self.manager = TenantManager() - self.configuration_api = ConfigurationManager() + self.manager = self.tenant_api + # self.configuration_api = self.configuration_api # self.configuration_api.init_default_variables() def load_extra_backends(self): @@ -95,20 +95,20 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) - data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_authz_extension"], data["id"]) - data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_admin_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data["id"]) + data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data["id"]) + data = self.admin_api.get_intra_extension_dict(self.ADMIN_ID, new_tenant["intra_admin_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data["id"]) def test_del_tenant(self): authz_intra_extension = self.create_intra_extension(policy_model="policy_authz") @@ -117,14 +117,14 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) self.manager.del_tenant(self.ADMIN_ID, new_tenant["id"]) @@ -138,14 +138,14 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) @@ -153,8 +153,8 @@ class TestTenantManager(tests.TestCase): data = self.manager.set_tenant_dict(user_id=self.ADMIN_ID, tenant_id=new_tenant["id"], tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) def test_exception_tenant_unknown(self): self.assertRaises(TenantUnknown, self.manager.get_tenant_dict, self.ADMIN_ID, uuid.uuid4().hex) @@ -167,14 +167,14 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) @@ -187,14 +187,14 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) @@ -207,20 +207,20 @@ class TestTenantManager(tests.TestCase): "id": uuid.uuid4().hex, "name": "demo", "description": uuid.uuid4().hex, - "intra_authz_extension": authz_intra_extension['id'], - "intra_admin_extension": admin_intra_extension['id'], + "intra_authz_extension_id": authz_intra_extension['id'], + "intra_admin_extension_id": admin_intra_extension['id'], } - new_tenant['intra_authz_extension'] = None + new_tenant['intra_authz_extension_id'] = None self.assertRaises(TenantNoIntraAuthzExtension, self.manager.add_tenant_dict, self.ADMIN_ID, new_tenant) - new_tenant['intra_authz_extension'] = authz_intra_extension['id'] + new_tenant['intra_authz_extension_id'] = authz_intra_extension['id'] data = self.manager.add_tenant_dict(user_id=self.ADMIN_ID, tenant_dict=new_tenant) self.assertEquals(new_tenant["id"], data["id"]) self.assertEquals(new_tenant["name"], data['tenant']["name"]) - self.assertEquals(new_tenant["intra_authz_extension"], data['tenant']["intra_authz_extension"]) - self.assertEquals(new_tenant["intra_admin_extension"], data['tenant']["intra_admin_extension"]) + self.assertEquals(new_tenant["intra_authz_extension_id"], data['tenant']["intra_authz_extension_id"]) + self.assertEquals(new_tenant["intra_admin_extension_id"], data['tenant']["intra_admin_extension_id"]) data = self.manager.get_tenants_dict(self.ADMIN_ID) self.assertNotEqual(data, {}) - new_tenant['intra_authz_extension'] = None + new_tenant['intra_authz_extension_id'] = None new_tenant['name'] = "demo2" self.assertRaises(TenantNoIntraAuthzExtension, self.manager.set_tenant_dict, self.ADMIN_ID, new_tenant["id"], new_tenant) -- cgit 1.2.3-korg