0003-a2_rbac-move-tests-35391.patch
src/authentic2/a2_rbac/tests.py | ||
---|---|---|
1 |
# authentic2 - versatile identity manager |
|
2 |
# Copyright (C) 2010-2019 Entr'ouvert |
|
3 |
# |
|
4 |
# This program is free software: you can redistribute it and/or modify it |
|
5 |
# under the terms of the GNU Affero General Public License as published |
|
6 |
# by the Free Software Foundation, either version 3 of the License, or |
|
7 |
# (at your option) any later version. |
|
8 |
# |
|
9 |
# This program is distributed in the hope that it will be useful, |
|
10 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
11 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
12 |
# GNU Affero General Public License for more details. |
|
13 |
# |
|
14 |
# You should have received a copy of the GNU Affero General Public License |
|
15 |
# along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
16 | ||
17 |
from django.test import TestCase |
|
18 |
from django.contrib.contenttypes.models import ContentType |
|
19 |
from django.contrib.auth import get_user_model |
|
20 |
from django.core.exceptions import ValidationError |
|
21 | ||
22 |
from django_rbac.utils import get_permission_model, get_role_model |
|
23 | ||
24 |
Permission = get_permission_model() |
|
25 |
Role = get_role_model() |
|
26 |
User = get_user_model() |
|
27 | ||
28 | ||
29 |
class A2RBACTestCase(TestCase): |
|
30 |
def test_update_rbac(self): |
|
31 |
# 3 content types managers and 1 global manager |
|
32 |
self.assertEquals(Role.objects.count(), 4) |
|
33 |
# 3 content type global permissions, 1 role administration permissions (for the main manager |
|
34 |
# role which is self-administered) |
|
35 |
# and 1 user view permission (for the role administrator) |
|
36 |
# and 1 ou view permission (for the user and role administrators) |
|
37 |
self.assertEquals(Permission.objects.count(), 6) |
|
38 | ||
39 |
def test_delete_role(self): |
|
40 |
rcount = Role.objects.count() |
|
41 |
pcount = Permission.objects.count() |
|
42 |
new_role = Role.objects.create(name='Coucou') |
|
43 |
admin_role = new_role.get_admin_role() |
|
44 | ||
45 |
# There should two more roles, the role and its admin counterpart |
|
46 |
self.assertEquals(Role.objects.count(), rcount+2) |
|
47 | ||
48 |
# There should be two more permissions the admin permission on the role |
|
49 |
# and the admin permission on the admin role |
|
50 |
admin_perm = Permission.objects.by_target(new_role) \ |
|
51 |
.get(operation__slug='admin') |
|
52 |
admin_role = Role.objects.get( |
|
53 |
admin_scope_ct=ContentType.objects.get_for_model(admin_perm), |
|
54 |
admin_scope_id=admin_perm.pk) |
|
55 |
admin_admin_perm = Permission.objects.by_target(admin_role) \ |
|
56 |
.get(operation__slug='change') |
|
57 |
self.assertEquals(Permission.objects.count(), pcount+2) |
|
58 |
new_role.delete() |
|
59 |
with self.assertRaises(Permission.DoesNotExist): |
|
60 |
Permission.objects.get(pk=admin_perm.pk) |
|
61 |
with self.assertRaises(Role.DoesNotExist): |
|
62 |
Role.objects.get(pk=admin_role.pk) |
|
63 |
with self.assertRaises(Permission.DoesNotExist): |
|
64 |
Permission.objects.get(pk=admin_admin_perm.pk) |
|
65 |
self.assertEquals(Role.objects.count(), rcount) |
|
66 |
self.assertEquals(Permission.objects.count(), pcount) |
|
67 | ||
68 |
def test_access_control(self): |
|
69 |
role_ct = ContentType.objects.get_for_model(Role) |
|
70 |
role_admin_role = Role.objects.get_admin_role( |
|
71 |
role_ct, 'admin %s' % role_ct, 'admin-role') |
|
72 |
user1 = User.objects.create(username='john.doe') |
|
73 |
self.assertTrue(not user1.has_perm('a2_rbac.change_role')) |
|
74 |
self.assertTrue(not user1.has_perm('a2_rbac.view_role')) |
|
75 |
self.assertTrue(not user1.has_perm('a2_rbac.delete_role')) |
|
76 |
self.assertTrue(not user1.has_perm('a2_rbac.add_role')) |
|
77 |
role_admin_role.members.add(user1) |
|
78 |
del user1._rbac_perms_cache |
|
79 |
self.assertTrue(user1.has_perm('a2_rbac.change_role')) |
|
80 |
self.assertTrue(user1.has_perm('a2_rbac.view_role')) |
|
81 |
self.assertTrue(user1.has_perm('a2_rbac.delete_role')) |
|
82 |
self.assertTrue(user1.has_perm('a2_rbac.add_role')) |
|
83 | ||
84 |
def test_admin_roles_startswith_a2(self): |
|
85 |
coin = Role.objects.create(name='Coin', slug='coin') |
|
86 |
coin.get_admin_role() |
|
87 |
for role in Role.objects.filter(admin_scope_ct__isnull=False): |
|
88 |
self.assertTrue(role.slug.startswith('_a2'), u'role %s slug must ' |
|
89 |
'start with _a2: %s' % (role.name, role.slug)) |
|
90 | ||
91 |
def test_admin_roles_update_slug(self): |
|
92 |
user = User.objects.create(username='john.doe') |
|
93 |
name1 = 'Can manage john.doe' |
|
94 |
slug1 = 'can-manage-john-doe' |
|
95 |
admin_role1 = Role.objects.get_admin_role(user, name1, slug1) |
|
96 |
self.assertEqual(admin_role1.name, name1) |
|
97 |
self.assertEqual(admin_role1.slug, slug1) |
|
98 |
name2 = 'Should manage john.doe' |
|
99 |
slug2 = 'should-manage-john-doe' |
|
100 |
admin_role2 = Role.objects.get_admin_role(user, name2, slug2, update_slug=True) |
|
101 |
self.assertEqual(admin_role2.name, name1) |
|
102 |
self.assertEqual(admin_role2.slug, slug2) |
|
103 |
admin_role3 = Role.objects.get_admin_role(user, name2, slug2, update_name=True) |
|
104 |
self.assertEqual(admin_role3.name, name2) |
|
105 |
self.assertEqual(admin_role3.slug, slug2) |
|
106 | ||
107 |
def test_role_clean(self): |
|
108 |
coin = Role(name=u'Coin') |
|
109 |
coin.clean() |
|
110 |
coin.save() |
|
111 |
self.assertEqual(coin.slug, 'coin') |
|
112 |
with self.assertRaises(ValidationError): |
|
113 |
Role(name='Coin2', slug='coin').clean() |
|
114 |
with self.assertRaises(ValidationError): |
|
115 |
Role(name='Coin', slug='coin2').clean() |
|
116 |
with self.assertRaises(ValidationError): |
|
117 |
Role(name='Coin', slug='_coin').clean() |
|
118 |
Role(name='Coin', slug='_coin').clean() |
tests/test_a2_rbac.py | ||
---|---|---|
16 | 16 | |
17 | 17 |
import pytest |
18 | 18 | |
19 |
from django.contrib.contenttypes.models import ContentType
|
|
19 |
from django.core.exceptions import ValidationError
|
|
20 | 20 |
from django.core.management import call_command |
21 | 21 | |
22 |
from django.contrib.contenttypes.models import ContentType |
|
23 | ||
22 | 24 |
from django_rbac.utils import get_permission_model |
23 | 25 |
from django_rbac.models import Operation |
26 |
from authentic2.custom_user.models import User |
|
27 |
from authentic2.models import Service |
|
24 | 28 |
from authentic2.a2_rbac.models import ( |
25 | 29 |
Role, |
26 | 30 |
Permission, |
27 | 31 |
OrganizationalUnit as OU, |
28 | 32 |
RoleAttribute) |
29 |
from authentic2.models import Service |
|
30 | 33 |
from authentic2.utils import get_hex_uuid |
31 | 34 | |
32 | 35 | |
36 |
def test_update_rbac(db): |
|
37 |
# 3 content types managers and 1 global manager |
|
38 |
assert Role.objects.count() == 4 |
|
39 |
# 3 content type global permissions, 1 role administration permissions (for the main manager |
|
40 |
# role which is self-administered) |
|
41 |
# and 1 user view permission (for the role administrator) |
|
42 |
# and 1 ou view permission (for the user and role administrators) |
|
43 |
assert Permission.objects.count() == 6 |
|
44 | ||
45 | ||
46 |
def test_delete_role(db): |
|
47 |
rcount = Role.objects.count() |
|
48 |
pcount = Permission.objects.count() |
|
49 |
new_role = Role.objects.create(name='Coucou') |
|
50 |
admin_role = new_role.get_admin_role() |
|
51 | ||
52 |
# There should two more roles, the role and its admin counterpart |
|
53 |
assert Role.objects.count() == rcount + 2 |
|
54 | ||
55 |
# There should be two more permissions the admin permission on the role |
|
56 |
# and the admin permission on the admin role |
|
57 |
admin_perm = Permission.objects.by_target(new_role) \ |
|
58 |
.get(operation__slug='admin') |
|
59 |
admin_role = Role.objects.get( |
|
60 |
admin_scope_ct=ContentType.objects.get_for_model(admin_perm), |
|
61 |
admin_scope_id=admin_perm.pk) |
|
62 |
admin_admin_perm = Permission.objects.by_target(admin_role) \ |
|
63 |
.get(operation__slug='change') |
|
64 |
assert Permission.objects.count() == pcount + 2 |
|
65 |
new_role.delete() |
|
66 |
with pytest.raises(Permission.DoesNotExist): |
|
67 |
Permission.objects.get(pk=admin_perm.pk) |
|
68 |
with pytest.raises(Role.DoesNotExist): |
|
69 |
Role.objects.get(pk=admin_role.pk) |
|
70 |
with pytest.raises(Permission.DoesNotExist): |
|
71 |
Permission.objects.get(pk=admin_admin_perm.pk) |
|
72 |
assert Role.objects.count() == rcount |
|
73 |
assert Permission.objects.count() == pcount |
|
74 | ||
75 | ||
76 |
def test_access_control(db): |
|
77 |
role_ct = ContentType.objects.get_for_model(Role) |
|
78 |
role_admin_role = Role.objects.get_admin_role( |
|
79 |
role_ct, 'admin %s' % role_ct, 'admin-role') |
|
80 |
user1 = User.objects.create(username='john.doe') |
|
81 |
assert not user1.has_perm('a2_rbac.change_role') |
|
82 |
assert not user1.has_perm('a2_rbac.view_role') |
|
83 |
assert not user1.has_perm('a2_rbac.delete_role') |
|
84 |
assert not user1.has_perm('a2_rbac.add_role') |
|
85 |
role_admin_role.members.add(user1) |
|
86 |
del user1._rbac_perms_cache |
|
87 |
assert user1.has_perm('a2_rbac.change_role') |
|
88 |
assert user1.has_perm('a2_rbac.view_role') |
|
89 |
assert user1.has_perm('a2_rbac.delete_role') |
|
90 |
assert user1.has_perm('a2_rbac.add_role') |
|
91 | ||
92 | ||
93 |
def test_admin_roles_startswith_a2(db): |
|
94 |
coin = Role.objects.create(name='Coin', slug='coin') |
|
95 |
coin.get_admin_role() |
|
96 |
for role in Role.objects.filter(admin_scope_ct__isnull=False): |
|
97 |
assert role.slug.startswith('_a2'), u'role %s slug must start with _a2: %s' % (role.name, role.slug) |
|
98 | ||
99 | ||
100 |
def test_admin_roles_update_slug(db): |
|
101 |
user = User.objects.create(username='john.doe') |
|
102 |
name1 = 'Can manage john.doe' |
|
103 |
slug1 = 'can-manage-john-doe' |
|
104 |
admin_role1 = Role.objects.get_admin_role(user, name1, slug1) |
|
105 |
assert admin_role1.name == name1 |
|
106 |
assert admin_role1.slug == slug1 |
|
107 |
name2 = 'Should manage john.doe' |
|
108 |
slug2 = 'should-manage-john-doe' |
|
109 |
admin_role2 = Role.objects.get_admin_role(user, name2, slug2, update_slug=True) |
|
110 |
assert admin_role2.name == name1 |
|
111 |
assert admin_role2.slug == slug2 |
|
112 |
admin_role3 = Role.objects.get_admin_role(user, name2, slug2, update_name=True) |
|
113 |
assert admin_role3.name == name2 |
|
114 |
assert admin_role3.slug == slug2 |
|
115 | ||
116 | ||
117 |
def test_role_clean(db): |
|
118 |
coin = Role(name=u'Coin') |
|
119 |
coin.clean() |
|
120 |
coin.save() |
|
121 |
assert coin.slug == 'coin' |
|
122 |
with pytest.raises(ValidationError) as exc_info: |
|
123 |
Role(name='Coin2', slug='coin').full_clean() |
|
124 |
assert 'slug' in exc_info.value.error_dict |
|
125 |
with pytest.raises(ValidationError) as exc_info: |
|
126 |
Role(name='Coin', slug='coin2').full_clean() |
|
127 |
assert 'name' in exc_info.value.error_dict |
|
128 | ||
129 | ||
33 | 130 |
def test_role_natural_key(db): |
34 | 131 |
ou = OU.objects.create(name='ou1', slug='ou1') |
35 | 132 |
s1 = Service.objects.create(name='s1', slug='s1') |
... | ... | |
85 | 182 |
role = Role.objects.create(name='some role', service=service) |
86 | 183 |
role_dict = role.export_json() |
87 | 184 |
assert role_dict['service'] == { |
88 |
'slug': service.slug, 'ou': {'uuid': ou.uuid, 'slug': 'ou', 'name': 'ou'}} |
|
185 |
'slug': service.slug, |
|
186 |
'ou': {'uuid': ou.uuid, 'slug': 'ou', 'name': 'ou'}} |
|
89 | 187 | |
90 | 188 | |
91 | 189 |
def test_role_with_attributes_export_json(db): |
92 |
- |