# vim: tabstop=4 shiftwidth=4 softtabstop=4
# Copyright 2010 United States Government as represented by the
# Administrator of the National Aeronautics and Space Administration.
# Licensed under the Apache License, Version 2.0 (the "License"); you may
# not use this file except in compliance with the License. You may obtain
# a copy of the License at
# http://www.apache.org/licenses/LICENSE-2.0
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
from nova.api import ec2
from nova.auth import manager
from nova import context
from nova import flags
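class FakeControllerClass(object):
    """Stand-in controller attached to every fake EC2 request in this file.

    AccessTestCase registers its role map under the key
    'FakeControllerClass', so presumably the Authorizer looks roles up by the
    controller's class name -- confirm against nova.api.ec2.

    NOTE(review): the class body is not shown in this listing; this docstring
    is the only body so that the definition parses.
    """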
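class FakeApiRequest(object):
    """Minimal stand-in for the request object stored under 'ec2.request'.

    It carries a controller instance and the action name under test.
    """

    def __init__(self, action):
        """Attach a fake controller and remember the requested action."""
        self.controller = FakeControllerClass()
        # NOTE(review): reconstructed -- the listing drops one statement here
        # (original line 37).  Storing the action is inferred from the
        # constructor signature; confirm against the upstream file.
        self.action = action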
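class AccessTestCase(test.TestCase):
    """Exercise role-based authorization in the ``ec2.Authorizer`` middleware.

    Each test sends a fake EC2 request for one action through the middleware
    and checks the HTTP status: 200 when the caller's roles satisfy the
    action's entry in ``action_roles``, 401 when they do not.

    NOTE(review): this class was reassembled from a listing that dropped
    indentation and several source lines.  Statements marked "reconstructed"
    below are inferred from the surrounding code and should be confirmed
    against the upstream file.

    NOTE(review): coverage gaps visible in this listing -- '_allow_sysadmin'
    is registered in ``action_roles`` but no test exercises it, and no test
    sends an action that is absent from the map, so the middleware's
    behaviour for unmapped actions (ideally default-deny) is not pinned.
    """

    def _env_for(self, ctxt, action):
        """Return a WSGI environ holding the context and a fake request."""
        # reconstructed: the dict creation and the return are missing from
        # the listing; response_status() passes the result to webob.
        env = {}
        env['nova.context'] = ctxt
        env['ec2.request'] = FakeApiRequest(action)
        return env

    # reconstructed: the `def setUp` line is missing from the listing.
    def setUp(self):
        """Create the users, roles, project and middleware under test.

        Resulting fixture (global role / per-project role):

        * testadmin -- cloudadmin / not a project member
        * testpmsys -- sysadmin   / project member, no per-project role
        * testnet   -- netadmin   / netadmin
        * testsys   -- sysadmin   / sysadmin
        """
        super(AccessTestCase, self).setUp()
        um = manager.AuthManager()
        self.testadmin = um.create_user('testadmin')
        self.testpmsys = um.create_user('testpmsys')
        self.testnet = um.create_user('testnet')
        self.testsys = um.create_user('testsys')
        # Global (cross-project) roles.
        um.add_role('testadmin', 'cloudadmin')
        um.add_role('testpmsys', 'sysadmin')
        um.add_role('testnet', 'netadmin')
        um.add_role('testsys', 'sysadmin')
        # NOTE(review): the two arguments between the project name and the
        # member list (original lines 63-64) are missing from the listing.
        # 'testpmsys' as manager is inferred from test_allow_project_manager;
        # the description string is a placeholder -- confirm both.
        self.project = um.create_project('testproj',
                                         'testpmsys',
                                         'a test project',
                                         ['testpmsys', 'testnet', 'testsys'])
        # Per-project roles.  testpmsys deliberately gets none, which is why
        # test_allow_sys_and_net expects it to be denied despite its global
        # sysadmin role.
        self.project.add_role(self.testnet, 'netadmin')
        self.project.add_role(self.testsys, 'sysadmin')
        #user is set in each test

        def noopWSGIApp(environ, start_response):
            """Downstream app: answers 200 to whatever the Authorizer admits."""
            start_response('200 OK', [])
            # reconstructed: the return line is missing from the listing; a
            # WSGI app has to return an iterable body.
            return ['']

        self.mw = ec2.Authorizer(noopWSGIApp)
        # Replace the real role map with one keyed by the fake controller so
        # every policy shape (everyone / nobody / one role / several roles)
        # has an action to probe.
        self.mw.action_roles = {'FakeControllerClass': {
                '_allow_all': ['all'],
                # reconstructed: original line 77 is missing from the
                # listing; test_allow_none needs an entry that no role can
                # satisfy -- confirm the exact value.
                '_allow_none': [],
                '_allow_project_manager': ['projectmanager'],
                '_allow_sys_and_net': ['sysadmin', 'netadmin'],
                '_allow_sysadmin': ['sysadmin']}}

    # reconstructed: the `def tearDown` line is missing from the listing.
    def tearDown(self):
        """Delete the project and users created in setUp.

        NOTE(review): if setUp raises part-way, unittest-style runners skip
        tearDown, so already-created users would stay in the auth backend;
        registering these deletions with addCleanup() as each object is
        created would avoid leaking privileged test accounts -- assuming
        test.TestCase follows unittest semantics, confirm.
        """
        um = manager.AuthManager()
        # Delete the test project
        um.delete_project('testproj')
        # Delete the test user
        um.delete_user('testadmin')
        um.delete_user('testpmsys')
        um.delete_user('testnet')
        um.delete_user('testsys')
        super(AccessTestCase, self).tearDown()

    def response_status(self, user, methodName):
        """Send *methodName* through the middleware as *user*.

        Returns the integer HTTP status of the middleware's response.
        """
        roles = manager.AuthManager().get_active_roles(user, self.project)
        # reconstructed: the second positional argument and the trailing
        # `roles=roles` (original lines 96 and 98) are missing from the
        # listing; `roles` is computed above and otherwise unused -- confirm.
        ctxt = context.RequestContext(user.id,
                                      self.project.id,
                                      is_admin=user.is_admin(),
                                      roles=roles)
        environ = self._env_for(ctxt, methodName)
        req = webob.Request.blank('/', environ)
        resp = req.get_response(self.mw)
        return resp.status_int

    def shouldAllow(self, user, methodName):
        """Assert that the request reaches the downstream app (200)."""
        self.assertEqual(200, self.response_status(user, methodName))

    def shouldDeny(self, user, methodName):
        """Assert that the middleware rejects the request with 401.

        The callers here are known users lacking a role, so 401 is the
        status pinned for an authorization failure; keep this in step with
        what ec2.Authorizer actually returns.
        """
        self.assertEqual(401, self.response_status(user, methodName))

    def test_allow_all(self):
        """An action open to 'all' admits every test user."""
        users = [self.testadmin, self.testpmsys, self.testnet, self.testsys]
        # reconstructed: the loop header is missing from the listing.
        for user in users:
            self.shouldAllow(user, '_allow_all')

    def test_allow_none(self):
        """An action with no admitting role is reachable only by the admin."""
        # The admin is expected to pass even though no role is listed for
        # this action.
        self.shouldAllow(self.testadmin, '_allow_none')
        users = [self.testpmsys, self.testnet, self.testsys]
        # reconstructed: the loop header is missing from the listing.
        for user in users:
            self.shouldDeny(user, '_allow_none')

    def test_allow_project_manager(self):
        """Only the admin and the project manager hold 'projectmanager'."""
        for user in [self.testadmin, self.testpmsys]:
            self.shouldAllow(user, '_allow_project_manager')
        for user in [self.testnet, self.testsys]:
            self.shouldDeny(user, '_allow_project_manager')

    def test_allow_sys_and_net(self):
        """Either of two roles admits, but only when held on the project."""
        for user in [self.testadmin, self.testnet, self.testsys]:
            self.shouldAllow(user, '_allow_sys_and_net')
        # denied because it doesn't have the per project sysadmin
        for user in [self.testpmsys]:
            self.shouldDeny(user, '_allow_sys_and_net')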