0003-a2_rbac-move-tests-35391.patch
| src/authentic2/a2_rbac/tests.py | ||
|---|---|---|
| 1 |
# authentic2 - versatile identity manager |
|
| 2 |
# Copyright (C) 2010-2019 Entr'ouvert |
|
| 3 |
# |
|
| 4 |
# This program is free software: you can redistribute it and/or modify it |
|
| 5 |
# under the terms of the GNU Affero General Public License as published |
|
| 6 |
# by the Free Software Foundation, either version 3 of the License, or |
|
| 7 |
# (at your option) any later version. |
|
| 8 |
# |
|
| 9 |
# This program is distributed in the hope that it will be useful, |
|
| 10 |
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
|
| 11 |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
|
| 12 |
# GNU Affero General Public License for more details. |
|
| 13 |
# |
|
| 14 |
# You should have received a copy of the GNU Affero General Public License |
|
| 15 |
# along with this program. If not, see <http://www.gnu.org/licenses/>. |
|
| 16 | ||
| 17 |
from django.test import TestCase |
|
| 18 |
from django.contrib.contenttypes.models import ContentType |
|
| 19 |
from django.contrib.auth import get_user_model |
|
| 20 |
from django.core.exceptions import ValidationError |
|
| 21 | ||
| 22 |
from django_rbac.utils import get_permission_model, get_role_model |
|
| 23 | ||
| 24 |
Permission = get_permission_model() |
|
| 25 |
Role = get_role_model() |
|
| 26 |
User = get_user_model() |
|
| 27 | ||
| 28 | ||
| 29 |
class A2RBACTestCase(TestCase): |
|
| 30 |
def test_update_rbac(self): |
|
| 31 |
# 3 content types managers and 1 global manager |
|
| 32 |
self.assertEquals(Role.objects.count(), 4) |
|
| 33 |
# 3 content type global permissions, 1 role administration permissions (for the main manager |
|
| 34 |
# role which is self-administered) |
|
| 35 |
# and 1 user view permission (for the role administrator) |
|
| 36 |
# and 1 ou view permission (for the user and role administrators) |
|
| 37 |
self.assertEquals(Permission.objects.count(), 6) |
|
| 38 | ||
| 39 |
def test_delete_role(self): |
|
| 40 |
rcount = Role.objects.count() |
|
| 41 |
pcount = Permission.objects.count() |
|
| 42 |
new_role = Role.objects.create(name='Coucou') |
|
| 43 |
admin_role = new_role.get_admin_role() |
|
| 44 | ||
| 45 |
# There should two more roles, the role and its admin counterpart |
|
| 46 |
self.assertEquals(Role.objects.count(), rcount+2) |
|
| 47 | ||
| 48 |
# There should be two more permissions the admin permission on the role |
|
| 49 |
# and the admin permission on the admin role |
|
| 50 |
admin_perm = Permission.objects.by_target(new_role) \ |
|
| 51 |
.get(operation__slug='admin') |
|
| 52 |
admin_role = Role.objects.get( |
|
| 53 |
admin_scope_ct=ContentType.objects.get_for_model(admin_perm), |
|
| 54 |
admin_scope_id=admin_perm.pk) |
|
| 55 |
admin_admin_perm = Permission.objects.by_target(admin_role) \ |
|
| 56 |
.get(operation__slug='change') |
|
| 57 |
self.assertEquals(Permission.objects.count(), pcount+2) |
|
| 58 |
new_role.delete() |
|
| 59 |
with self.assertRaises(Permission.DoesNotExist): |
|
| 60 |
Permission.objects.get(pk=admin_perm.pk) |
|
| 61 |
with self.assertRaises(Role.DoesNotExist): |
|
| 62 |
Role.objects.get(pk=admin_role.pk) |
|
| 63 |
with self.assertRaises(Permission.DoesNotExist): |
|
| 64 |
Permission.objects.get(pk=admin_admin_perm.pk) |
|
| 65 |
self.assertEquals(Role.objects.count(), rcount) |
|
| 66 |
self.assertEquals(Permission.objects.count(), pcount) |
|
| 67 | ||
| 68 |
def test_access_control(self): |
|
| 69 |
role_ct = ContentType.objects.get_for_model(Role) |
|
| 70 |
role_admin_role = Role.objects.get_admin_role( |
|
| 71 |
role_ct, 'admin %s' % role_ct, 'admin-role') |
|
| 72 |
user1 = User.objects.create(username='john.doe') |
|
| 73 |
self.assertTrue(not user1.has_perm('a2_rbac.change_role'))
|
|
| 74 |
self.assertTrue(not user1.has_perm('a2_rbac.view_role'))
|
|
| 75 |
self.assertTrue(not user1.has_perm('a2_rbac.delete_role'))
|
|
| 76 |
self.assertTrue(not user1.has_perm('a2_rbac.add_role'))
|
|
| 77 |
role_admin_role.members.add(user1) |
|
| 78 |
del user1._rbac_perms_cache |
|
| 79 |
self.assertTrue(user1.has_perm('a2_rbac.change_role'))
|
|
| 80 |
self.assertTrue(user1.has_perm('a2_rbac.view_role'))
|
|
| 81 |
self.assertTrue(user1.has_perm('a2_rbac.delete_role'))
|
|
| 82 |
self.assertTrue(user1.has_perm('a2_rbac.add_role'))
|
|
| 83 | ||
| 84 |
def test_admin_roles_startswith_a2(self): |
|
| 85 |
coin = Role.objects.create(name='Coin', slug='coin') |
|
| 86 |
coin.get_admin_role() |
|
| 87 |
for role in Role.objects.filter(admin_scope_ct__isnull=False): |
|
| 88 |
self.assertTrue(role.slug.startswith('_a2'), u'role %s slug must '
|
|
| 89 |
'start with _a2: %s' % (role.name, role.slug)) |
|
| 90 | ||
| 91 |
def test_admin_roles_update_slug(self): |
|
| 92 |
user = User.objects.create(username='john.doe') |
|
| 93 |
name1 = 'Can manage john.doe' |
|
| 94 |
slug1 = 'can-manage-john-doe' |
|
| 95 |
admin_role1 = Role.objects.get_admin_role(user, name1, slug1) |
|
| 96 |
self.assertEqual(admin_role1.name, name1) |
|
| 97 |
self.assertEqual(admin_role1.slug, slug1) |
|
| 98 |
name2 = 'Should manage john.doe' |
|
| 99 |
slug2 = 'should-manage-john-doe' |
|
| 100 |
admin_role2 = Role.objects.get_admin_role(user, name2, slug2, update_slug=True) |
|
| 101 |
self.assertEqual(admin_role2.name, name1) |
|
| 102 |
self.assertEqual(admin_role2.slug, slug2) |
|
| 103 |
admin_role3 = Role.objects.get_admin_role(user, name2, slug2, update_name=True) |
|
| 104 |
self.assertEqual(admin_role3.name, name2) |
|
| 105 |
self.assertEqual(admin_role3.slug, slug2) |
|
| 106 | ||
| 107 |
def test_role_clean(self): |
|
| 108 |
coin = Role(name=u'Coin') |
|
| 109 |
coin.clean() |
|
| 110 |
coin.save() |
|
| 111 |
self.assertEqual(coin.slug, 'coin') |
|
| 112 |
with self.assertRaises(ValidationError): |
|
| 113 |
Role(name='Coin2', slug='coin').clean() |
|
| 114 |
with self.assertRaises(ValidationError): |
|
| 115 |
Role(name='Coin', slug='coin2').clean() |
|
| 116 |
with self.assertRaises(ValidationError): |
|
| 117 |
Role(name='Coin', slug='_coin').clean() |
|
| 118 |
Role(name='Coin', slug='_coin').clean() |
|
| tests/test_a2_rbac.py | ||
|---|---|---|
| 16 | 16 | |
| 17 | 17 |
import pytest |
| 18 | 18 | |
| 19 |
from django.contrib.contenttypes.models import ContentType
|
|
| 19 |
from django.core.exceptions import ValidationError
|
|
| 20 | 20 |
from django.core.management import call_command |
| 21 | 21 | |
| 22 |
from django.contrib.contenttypes.models import ContentType |
|
| 23 | ||
| 22 | 24 |
from django_rbac.utils import get_permission_model |
| 23 | 25 |
from django_rbac.models import Operation |
| 26 |
from authentic2.custom_user.models import User |
|
| 27 |
from authentic2.models import Service |
|
| 24 | 28 |
from authentic2.a2_rbac.models import ( |
| 25 | 29 |
Role, |
| 26 | 30 |
Permission, |
| 27 | 31 |
OrganizationalUnit as OU, |
| 28 | 32 |
RoleAttribute) |
| 29 |
from authentic2.models import Service |
|
| 30 | 33 |
from authentic2.utils import get_hex_uuid |
| 31 | 34 | |
| 32 | 35 | |
| 36 |
def test_update_rbac(db): |
|
| 37 |
# 3 content types managers and 1 global manager |
|
| 38 |
assert Role.objects.count() == 4 |
|
| 39 |
# 3 content type global permissions, 1 role administration permissions (for the main manager |
|
| 40 |
# role which is self-administered) |
|
| 41 |
# and 1 user view permission (for the role administrator) |
|
| 42 |
# and 1 ou view permission (for the user and role administrators) |
|
| 43 |
assert Permission.objects.count() == 6 |
|
| 44 | ||
| 45 | ||
| 46 |
def test_delete_role(db): |
|
| 47 |
rcount = Role.objects.count() |
|
| 48 |
pcount = Permission.objects.count() |
|
| 49 |
new_role = Role.objects.create(name='Coucou') |
|
| 50 |
admin_role = new_role.get_admin_role() |
|
| 51 | ||
| 52 |
# There should two more roles, the role and its admin counterpart |
|
| 53 |
assert Role.objects.count() == rcount + 2 |
|
| 54 | ||
| 55 |
# There should be two more permissions the admin permission on the role |
|
| 56 |
# and the admin permission on the admin role |
|
| 57 |
admin_perm = Permission.objects.by_target(new_role) \ |
|
| 58 |
.get(operation__slug='admin') |
|
| 59 |
admin_role = Role.objects.get( |
|
| 60 |
admin_scope_ct=ContentType.objects.get_for_model(admin_perm), |
|
| 61 |
admin_scope_id=admin_perm.pk) |
|
| 62 |
admin_admin_perm = Permission.objects.by_target(admin_role) \ |
|
| 63 |
.get(operation__slug='change') |
|
| 64 |
assert Permission.objects.count() == pcount + 2 |
|
| 65 |
new_role.delete() |
|
| 66 |
with pytest.raises(Permission.DoesNotExist): |
|
| 67 |
Permission.objects.get(pk=admin_perm.pk) |
|
| 68 |
with pytest.raises(Role.DoesNotExist): |
|
| 69 |
Role.objects.get(pk=admin_role.pk) |
|
| 70 |
with pytest.raises(Permission.DoesNotExist): |
|
| 71 |
Permission.objects.get(pk=admin_admin_perm.pk) |
|
| 72 |
assert Role.objects.count() == rcount |
|
| 73 |
assert Permission.objects.count() == pcount |
|
| 74 | ||
| 75 | ||
| 76 |
def test_access_control(db): |
|
| 77 |
role_ct = ContentType.objects.get_for_model(Role) |
|
| 78 |
role_admin_role = Role.objects.get_admin_role( |
|
| 79 |
role_ct, 'admin %s' % role_ct, 'admin-role') |
|
| 80 |
user1 = User.objects.create(username='john.doe') |
|
| 81 |
assert not user1.has_perm('a2_rbac.change_role')
|
|
| 82 |
assert not user1.has_perm('a2_rbac.view_role')
|
|
| 83 |
assert not user1.has_perm('a2_rbac.delete_role')
|
|
| 84 |
assert not user1.has_perm('a2_rbac.add_role')
|
|
| 85 |
role_admin_role.members.add(user1) |
|
| 86 |
del user1._rbac_perms_cache |
|
| 87 |
assert user1.has_perm('a2_rbac.change_role')
|
|
| 88 |
assert user1.has_perm('a2_rbac.view_role')
|
|
| 89 |
assert user1.has_perm('a2_rbac.delete_role')
|
|
| 90 |
assert user1.has_perm('a2_rbac.add_role')
|
|
| 91 | ||
| 92 | ||
| 93 |
def test_admin_roles_startswith_a2(db): |
|
| 94 |
coin = Role.objects.create(name='Coin', slug='coin') |
|
| 95 |
coin.get_admin_role() |
|
| 96 |
for role in Role.objects.filter(admin_scope_ct__isnull=False): |
|
| 97 |
assert role.slug.startswith('_a2'), u'role %s slug must start with _a2: %s' % (role.name, role.slug)
|
|
| 98 | ||
| 99 | ||
| 100 |
def test_admin_roles_update_slug(db): |
|
| 101 |
user = User.objects.create(username='john.doe') |
|
| 102 |
name1 = 'Can manage john.doe' |
|
| 103 |
slug1 = 'can-manage-john-doe' |
|
| 104 |
admin_role1 = Role.objects.get_admin_role(user, name1, slug1) |
|
| 105 |
assert admin_role1.name == name1 |
|
| 106 |
assert admin_role1.slug == slug1 |
|
| 107 |
name2 = 'Should manage john.doe' |
|
| 108 |
slug2 = 'should-manage-john-doe' |
|
| 109 |
admin_role2 = Role.objects.get_admin_role(user, name2, slug2, update_slug=True) |
|
| 110 |
assert admin_role2.name == name1 |
|
| 111 |
assert admin_role2.slug == slug2 |
|
| 112 |
admin_role3 = Role.objects.get_admin_role(user, name2, slug2, update_name=True) |
|
| 113 |
assert admin_role3.name == name2 |
|
| 114 |
assert admin_role3.slug == slug2 |
|
| 115 | ||
| 116 | ||
| 117 |
def test_role_clean(db): |
|
| 118 |
coin = Role(name=u'Coin') |
|
| 119 |
coin.clean() |
|
| 120 |
coin.save() |
|
| 121 |
assert coin.slug == 'coin' |
|
| 122 |
with pytest.raises(ValidationError) as exc_info: |
|
| 123 |
Role(name='Coin2', slug='coin').full_clean() |
|
| 124 |
assert 'slug' in exc_info.value.error_dict |
|
| 125 |
with pytest.raises(ValidationError) as exc_info: |
|
| 126 |
Role(name='Coin', slug='coin2').full_clean() |
|
| 127 |
assert 'name' in exc_info.value.error_dict |
|
| 128 | ||
| 129 | ||
| 33 | 130 |
def test_role_natural_key(db): |
| 34 | 131 |
ou = OU.objects.create(name='ou1', slug='ou1') |
| 35 | 132 |
s1 = Service.objects.create(name='s1', slug='s1') |
| ... | ... | |
| 85 | 182 |
role = Role.objects.create(name='some role', service=service) |
| 86 | 183 |
role_dict = role.export_json() |
| 87 | 184 |
assert role_dict['service'] == {
|
| 88 |
'slug': service.slug, 'ou': {'uuid': ou.uuid, 'slug': 'ou', 'name': 'ou'}}
|
|
| 185 |
'slug': service.slug, |
|
| 186 |
'ou': {'uuid': ou.uuid, 'slug': 'ou', 'name': 'ou'}}
|
|
| 89 | 187 | |
| 90 | 188 | |
| 91 | 189 |
def test_role_with_attributes_export_json(db): |
| 92 |
- |
|