18 |
18 |
from django.contrib.contenttypes.models import ContentType
|
19 |
19 |
from django.core.exceptions import ValidationError
|
20 |
20 |
from django.core.management import call_command
|
|
21 |
from django.db import connection
|
|
22 |
from django.test.utils import CaptureQueriesContext
|
21 |
23 |
|
22 |
24 |
from authentic2.a2_rbac.models import Operation
|
23 |
25 |
from authentic2.a2_rbac.models import OrganizationalUnit as OU
|
... | ... | |
26 |
28 |
from authentic2.custom_user.models import User
|
27 |
29 |
from authentic2.models import Service
|
28 |
30 |
from authentic2.utils.misc import get_hex_uuid
|
|
31 |
from django_rbac import backends
|
29 |
32 |
|
30 |
33 |
from .utils import login, request_select2
|
31 |
34 |
|
... | ... | |
518 |
521 |
update_user_permissions()
|
519 |
522 |
assert simple_user.has_perm('custom_user.manage_authorizations_user')
|
520 |
523 |
assert [x for x in simple_user.get_all_permissions() if x == 'custom_user.manage_authorizations_user']
|
|
524 |
|
|
525 |
|
|
526 |
def test_rbac_backend_with_a2_operation_model(db):
|
|
527 |
ou1 = OU.objects.create(name='ou1', slug='ou1')
|
|
528 |
ou2 = OU.objects.create(name='ou2', slug='ou2')
|
|
529 |
user1 = User.objects.create(username='john.doe')
|
|
530 |
ct_ct = ContentType.objects.get_for_model(ContentType)
|
|
531 |
role_ct = ContentType.objects.get_for_model(Role)
|
|
532 |
change_op = Operation.objects.get(slug='change')
|
|
533 |
view_op = Operation.objects.get(slug='view')
|
|
534 |
delete_op = Operation.objects.get(slug='delete')
|
|
535 |
add_op = Operation.objects.get(slug='add')
|
|
536 |
admin_op = Operation.objects.get(slug='admin')
|
|
537 |
perm1 = Permission.objects.create(operation=change_op, target_ct=ct_ct, target_id=role_ct.pk)
|
|
538 |
perm2 = Permission.objects.create(operation=view_op, target_ct=ct_ct, target_id=role_ct.pk)
|
|
539 |
role1 = Role.objects.create(name='role1')
|
|
540 |
role2 = Role.objects.create(name='role2', ou=ou1)
|
|
541 |
role1.permissions.add(perm1)
|
|
542 |
role2.permissions.add(perm2)
|
|
543 |
role1.add_child(role2)
|
|
544 |
role2.members.add(user1)
|
|
545 |
perm3 = Permission.objects.create(operation=delete_op, target_ct=role_ct, target_id=role1.pk)
|
|
546 |
perm4 = Permission.objects.create(operation=add_op, ou=ou1, target_ct=ct_ct, target_id=role_ct.pk)
|
|
547 |
role1.permissions.add(perm3)
|
|
548 |
role1.permissions.add(perm4)
|
|
549 |
|
|
550 |
rbac_backend = backends.DjangoRBACBackend()
|
|
551 |
ctx = CaptureQueriesContext(connection)
|
|
552 |
with ctx:
|
|
553 |
assert rbac_backend.get_all_permissions(user1) == {
|
|
554 |
'a2_rbac.change_role',
|
|
555 |
'a2_rbac.search_role',
|
|
556 |
'a2_rbac.view_role',
|
|
557 |
'a2_rbac.manage_members_role',
|
|
558 |
}
|
|
559 |
assert rbac_backend.get_all_permissions(user1, obj=role1) == {
|
|
560 |
'a2_rbac.delete_role',
|
|
561 |
'a2_rbac.change_role',
|
|
562 |
'a2_rbac.search_role',
|
|
563 |
'a2_rbac.view_role',
|
|
564 |
'a2_rbac.manage_members_role',
|
|
565 |
}
|
|
566 |
assert rbac_backend.get_all_permissions(user1, obj=role2) == {
|
|
567 |
'a2_rbac.change_role',
|
|
568 |
'a2_rbac.view_role',
|
|
569 |
'a2_rbac.search_role',
|
|
570 |
'a2_rbac.add_role',
|
|
571 |
'a2_rbac.manage_members_role',
|
|
572 |
}
|
|
573 |
assert not rbac_backend.has_perm(user1, 'a2_rbac.delete_role', obj=role2)
|
|
574 |
assert rbac_backend.has_perm(user1, 'a2_rbac.delete_role', obj=role1)
|
|
575 |
assert rbac_backend.has_perms(
|
|
576 |
user1, ['a2_rbac.delete_role', 'a2_rbac.change_role', 'a2_rbac.view_role'], obj=role1
|
|
577 |
)
|
|
578 |
assert rbac_backend.has_module_perms(user1, 'a2_rbac')
|
|
579 |
assert not rbac_backend.has_module_perms(user1, 'contenttypes')
|
|
580 |
assert len(ctx.captured_queries) == 1
|
|
581 |
|
|
582 |
# Test admin op as a generalization of other ops
|
|
583 |
user2 = User.objects.create(username='donald.knuth')
|
|
584 |
role3 = Role.objects.create(name='role3')
|
|
585 |
role3.members.add(user2)
|
|
586 |
|
|
587 |
# four objects returned by filter? xxx unicity issues
|
|
588 |
perms5 = Permission.objects.filter(operation=admin_op, target_ct=ct_ct, target_id=role_ct.pk)
|
|
589 |
# iteration needed here?? xxx
|
|
590 |
for perm in perms5:
|
|
591 |
role3.permissions.add(perm)
|
|
592 |
assert rbac_backend.get_all_permissions(user2) == {
|
|
593 |
'a2_rbac.add_role',
|
|
594 |
'a2_rbac.change_role',
|
|
595 |
'a2_rbac.search_role',
|
|
596 |
'a2_rbac.admin_role',
|
|
597 |
'a2_rbac.view_role',
|
|
598 |
'a2_rbac.delete_role',
|
|
599 |
'a2_rbac.manage_members_role',
|
|
600 |
'a2_rbac.reset_password_role',
|
|
601 |
'a2_rbac.manage_authorizations_role',
|
|
602 |
'a2_rbac.activate_role',
|
|
603 |
'a2_rbac.change_password_role',
|
|
604 |
'a2_rbac.change_email_role',
|
|
605 |
}
|
|
606 |
|
|
607 |
# test ous_with_perm
|
|
608 |
assert set(rbac_backend.ous_with_perm(user1, 'a2_rbac.add_role')) == {ou1}
|
|
609 |
assert set(rbac_backend.ous_with_perm(user1, 'a2_rbac.view_role')) == {ou1, ou2, get_default_ou()}
|
|
610 |
assert set(rbac_backend.ous_with_perm(user1, 'a2_rbac.delete_role')) == set()
|
521 |
|
-
|
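Review bot: The `xxx` comments at new lines 587 and 589 leave an integrity question unanswered in committed test code: `Permission.objects.filter(operation=admin_op, target_ct=ct_ct, target_id=role_ct.pk)` apparently returns several rows for one (operation, target), and the loop at 590–591 attaches all of them to role3, so an OU-scoped variant (the model has an `ou` field, as perm4 at line 546 shows) would be granted silently and the expected set at 592–605 would pass either way. Either pin the duplication so it fails loudly, or fetch the one global permission explicitly — `perm5 = Permission.objects.get(operation=admin_op, ou=None, target_ct=ct_ct, target_id=role_ct.pk)` then `role3.permissions.add(perm5)` — so that a `MultipleObjectsReturned` surfaces the unicity problem instead of the loop masking it (this assumes `ou` is nullable, which perm1's creation without it suggests). If several rows per (operation, target) are the intended state after the migration, replace the `xxx` notes with a comment saying so and why. The expected set for the `admin` operation also contains user-centric operations (`reset_password_role`, `change_email_role`, `activate_role`, …) on a Role target; if `admin` is meant to expand only to operations that apply to the target model, this assertion codifies an over-broad grant and deserves a comment one way or the other. `test_rbac_backend_with_a2_operation_model` lies entirely within this hunk.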