#!/usr/bin/env vpython
# Copyright 2016 The LUCI Authors. All rights reserved.
# Use of this source code is governed under the Apache License, Version 2.0
# that can be found in the LICENSE file.
import logging
import sys
import unittest
import test_env
# Runs before the components/server imports below; NOTE(review): presumably
# this is what makes those packages importable (sys.path setup) — confirm in
# test_env before reordering the imports.
test_env.setup_test_env()
# from components.auth import api
from components import auth
from components import auth_testing
from components import utils
from server import config
from test_support import test_case
from proto.config import config_pb2
from server import acl
from server import task_request
# Default names of authorization groups. In this file every group name is
# the same (the administrators group); nothing in the tests below reads these
# constants, they are kept for any caller that imports them.
ADMINS_GROUP = 'administrators'
PRIVILEGED_USERS_GROUP = USERS_GROUP = BOT_BOOTSTRAP_GROUP = ADMINS_GROUP
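class AclTest(test_case.TestCase):
  """Checks the full permission matrix exposed by the acl module.

  Each test puts the current identity into exactly one situation (anonymous,
  instance admin, IP-whitelisted machine, or member of a single group named in
  the mocked SettingsCfg) and then evaluates every acl predicate, so that an
  accidental privilege grant or revocation in acl shows up as a failure that
  names the predicate involved.
  """

  # Every acl predicate the tests cover, evaluated in this order. A test lists
  # the subset expected to return True; all the others must return False.
  _PREDICATES = (
      'is_ip_whitelisted_machine',
      'can_access',
      'can_view_config',
      'can_edit_config',
      'can_create_bot',
      'can_edit_bot',
      'can_delete_bot',
      'can_view_bot',
      'can_create_task',
      'can_schedule_high_priority_tasks',
      'can_edit_one_task',
      'can_edit_all_tasks',
      'can_view_all_tasks',
  )

  # What a full administrator (instance admin, or member of the configured
  # admins group) is expected to pass: everything except the IP whitelist
  # check, which depends on the caller's IP rather than on its identity.
  _ALL_BUT_IP_WHITELIST = _PREDICATES[1:]

  def setUp(self):
    super(AclTest, self).setUp()
    auth_testing.reset_local_state()
    auth_testing.mock_get_current_identity(self)

    def settings():
      # Group names that differ from the defaults, so the tests prove that acl
      # reads the names out of the settings rather than hard-coding them.
      return config_pb2.SettingsCfg(
          auth=config_pb2.AuthSettings(
              admins_group='admins',
              bot_bootstrap_group='bot_bootstrap',
              privileged_users_group='privileged_users',
              users_group='users',
              view_all_bots_group='view_all_bots',
              view_all_tasks_group='view_all_tasks'))

    self.mock(config, 'settings', settings)

  @staticmethod
  def _add_to_group(group):
    """Makes the current identity the sole member of `group`.

    Local auth state is reset afterwards so the new membership is not hidden
    by anything cached before the group existed.
    """
    auth.bootstrap_group(group, [auth.get_current_identity()])
    auth_testing.reset_local_state()

  def _assert_permissions(self, granted):
    """Asserts every acl predicate is True iff its name is in `granted`.

    Arguments:
      granted: iterable of predicate names expected to return True; any
          predicate in _PREDICATES not listed here must return False.

    Raises:
      AssertionError: if `granted` names a predicate that is not in
          _PREDICATES (a typo would otherwise silently turn into an
          expected False), or on the first predicate whose result disagrees
          with the expectation; the message names the predicate.
    """
    granted = frozenset(granted)
    unknown = granted - frozenset(self._PREDICATES)
    self.assertFalse(
        unknown, 'unknown acl predicate(s): %s' % sorted(unknown))
    for name in self._PREDICATES:
      actual = getattr(acl, name)()
      if name in granted:
        self.assertTrue(actual, '%s() should be True' % name)
      else:
        self.assertFalse(actual, '%s() should be False' % name)

  def test_nobody(self):
    auth_testing.mock_get_current_identity(self, auth.Anonymous)
    self._assert_permissions(())

  def test_instance_admin(self):
    auth_testing.mock_is_admin(self, True)
    self._assert_permissions(self._ALL_BUT_IP_WHITELIST)

  def test_ip_whitelisted(self):
    # Being on the IP whitelist is not an identity: it must not unlock any of
    # the user-level predicates.
    self.mock(auth, 'is_in_ip_whitelist', lambda _name, _ip, _warn: True)
    self._assert_permissions(('is_ip_whitelisted_machine',))

  def test_admins(self):
    self._add_to_group('admins')
    self._assert_permissions(self._ALL_BUT_IP_WHITELIST)

  def test_bot_bootstrap(self):
    self._add_to_group('bot_bootstrap')
    self._assert_permissions(('can_create_bot',))

  def test_privileged_users(self):
    self._add_to_group('privileged_users')
    self._assert_permissions((
        'can_access',
        'can_edit_bot',
        'can_view_bot',
        'can_create_task',
        'can_edit_one_task',
        'can_view_all_tasks',
    ))

  def test_users(self):
    self._add_to_group('users')
    self._assert_permissions(('can_access', 'can_create_task'))

  def test_view_all_bots(self):
    self._add_to_group('view_all_bots')
    self._assert_permissions(('can_access', 'can_view_bot'))

  def test_view_all_tasks(self):
    self._add_to_group('view_all_tasks')
    self._assert_permissions(('can_access', 'can_view_all_tasks'))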
if __name__ == '__main__':
  # `-v` on the command line turns on full assertion diffs and debug logging;
  # otherwise logging is silenced so test output stays readable.
  verbose = '-v' in sys.argv
  if verbose:
    unittest.TestCase.maxDiff = None
  logging.basicConfig(level=logging.DEBUG if verbose else logging.CRITICAL)
  unittest.main()