[Zope-CVS] CVS: Products/VerboseSecurity/tests - testPermissionRolePatch.py:1.1 testVerboseSecurityPolicy.py:1.1
Shane Hathaway
shane@cvs.zope.org
Thu, 22 Aug 2002 12:50:05 -0400
Update of /cvs-repository/Products/VerboseSecurity/tests
In directory cvs.zope.org:/tmp/cvs-serv10018/tests
Added Files:
testPermissionRolePatch.py testVerboseSecurityPolicy.py
Log Message:
Added unit tests and fixed corresponding failures
=== Added File Products/VerboseSecurity/tests/testPermissionRolePatch.py ===
##############################################################################
#
# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution.
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
# FOR A PARTICULAR PURPOSE
#
##############################################################################
"""Tests of PermissionRolePatch
"""
# The $Id$ and $Revision$ strings are RCS keywords that CVS expands; leave the
# literal text alone.
__rcs_id__='$Id: testPermissionRolePatch.py,v 1.1 2002/08/22 16:50:05 shane Exp $'
# [11:-2] cuts off the leading '$Revision: ' and the trailing ' $'.
__version__='$Revision: 1.1 $'[11:-2]
import os, sys, unittest
from AccessControl.PermissionRole import PermissionRole
from Acquisition import Implicit, Explicit, aq_base
import Products.VerboseSecurity.PermissionRolePatch
# Permission names under test.  The fixture classes in this file declare
# roles for them through class attributes named _View_Permission,
# _Edit_Things__Permission and _Delete_Permission; the space and the '!' of
# 'Edit Things!' both show up as underscores in the attribute name.
ViewPermission = "View"
EditThingsPermission = "Edit Things!"
DeletePermission = "Delete"
class AppRoot(Explicit):
    # Outermost object of every acquisition chain built by the tests.
    # Kept docstring-free on purpose: comments only, so __doc__ is unchanged.
    # None here: testAppDefaults expects ('Anonymous',) for View at the root.
    _View_Permission = None
    # testRestrictive expects objects that set nothing for this permission
    # to end up with exactly these roles.
    _Edit_Things__Permission = ('Manager', 'Owner')
    # No default for delete permission.
    # (testAppDefaults expects ('Manager',) for Delete in that case.)
class ImplicitContainer(Implicit):
    # Middle link of the chain AppRoot -> container -> object, built on
    # Acquisition.Implicit.  Declares no permission attributes of its own.
    pass
class ExplicitContainer(Explicit):
    # Same role as ImplicitContainer but built on Acquisition.Explicit;
    # selected when a test is run with explicit=1.
    pass
class RestrictiveObject(Implicit):
    # Both settings are tuples.  testRestrictive expects exactly these roles
    # back, with nothing merged in from AppRoot.
    _View_Permission = ('Manager',)
    _Delete_Permission = () # Nobody
class PermissiveObject(Explicit):
    # A list, not a tuple: testPermissive expects AppRoot's
    # ('Manager', 'Owner') to be added to 'Anonymous' for this permission.
    _Edit_Things__Permission = ['Anonymous']
class ZClassMethodish(Implicit):
    # Think of this as a method that should only be visible to users
    # who have the edit permission.
    # A string value names another permission attribute.
    # testPermissionMapping expects View to come out as AppRoot's
    # 'Edit Things!' roles, ('Manager', 'Owner').
    _View_Permission = '_Edit_Things__Permission'
    # Empty strings: testPermissionMapping expects () for both permissions.
    _Edit_Things__Permission = ''
    _Delete_Permission = ''
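def assertPRoles(ob, permission, expect):
    """
    Asserts that in the context of ob, the given permission maps to
    the given roles.

    ob is the object whose context is checked, permission is a permission
    name such as 'View', and expect is a sequence of role names or None.
    None and ('Anonymous',) are treated as equivalent whenever either side
    is None.  Order and duplicates in the role sequences are ignored.

    Raises AssertionError when the computed roles differ from expect, or
    when the two lookup paths used below disagree with each other.
    """
    pr = PermissionRole(permission)
    # Compute the roles twice: through pr as created, and through its
    # aq_base.  The two answers have to match.
    roles = pr.__of__(ob)
    roles2 = aq_base(pr).__of__(ob)
    if roles != roles2:
        # A None on one side only is a disagreement in itself.  Testing for
        # it first keeps tuple(None) from raising TypeError ahead of the
        # AssertionError this check is meant to produce.
        if roles is None or roles2 is None or tuple(roles) != tuple(roles2):
            raise AssertionError(
                'Different methods of checking roles computed unequal results')
    same = 0
    if roles and pr._p in roles:
        # The result can contain pr._p itself (presumably the permission's
        # attribute name -- confirm in PermissionRole); drop it so only
        # role names are compared.
        roles = list(roles)
        roles.remove(pr._p)
    if roles is None or expect is None:
        if (roles is None or tuple(roles) == ('Anonymous',)) and (
            expect is None or tuple(expect) == ('Anonymous',)):
            same = 1
    else:
        # Compare as sets, using dict keys.
        got = {}
        for r in roles:
            got[r] = 1
        expected = {}
        for r in expect:
            expected[r] = 1
        if got == expected:  # Dict compare does the Right Thing.
            same = 1
    if not same:
        # Raised explicitly rather than with an assert statement, so the
        # check still runs under python -O.
        raise AssertionError('Expected roles: %s, got: %s' % (
            repr(expect), repr(roles)))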
class PermissionRoleTests (unittest.TestCase):
    # Each case builds a small acquisition chain (AppRoot -> container ->
    # object) and checks, permission by permission, which roles are computed
    # for the innermost object.
    #
    # Products.VerboseSecurity.PermissionRolePatch is imported at module level
    # and never referenced by name, so these cases run against whatever that
    # import leaves in place -- presumably the patched PermissionRole.

    def testRestrictive(self, explicit=0):
        # explicit picks the container flavour; testExplicit passes 1.
        root = AppRoot()
        if not explicit:
            root.c = ImplicitContainer()
        else:
            root.c = ExplicitContainer()
        root.c.o = RestrictiveObject()
        target = root.c.o
        # Tuples on the object are final; only 'Edit Things!', which the
        # object does not set, comes from AppRoot.
        for permission, expected in (
            (ViewPermission, ('Manager',)),
            (EditThingsPermission, ('Manager', 'Owner',)),
            (DeletePermission, ()),
            ):
            assertPRoles(target, permission, expected)

    def testPermissive(self, explicit=0):
        # explicit picks the container flavour; testExplicit passes 1.
        root = AppRoot()
        if not explicit:
            root.c = ImplicitContainer()
        else:
            root.c = ExplicitContainer()
        root.c.o = PermissiveObject()
        target = root.c.o
        # The object's list value for 'Edit Things!' is expected to be
        # combined with AppRoot's roles rather than replace them.
        for permission, expected in (
            (ViewPermission, ('Anonymous',)),
            (EditThingsPermission, ('Anonymous', 'Manager', 'Owner',)),
            (DeletePermission, ('Manager',)),
            ):
            assertPRoles(target, permission, expected)

    def testExplicit(self):
        # Re-run both scenarios with an ExplicitContainer in the middle.
        for scenario in (self.testRestrictive, self.testPermissive):
            scenario(1)

    def testAppDefaults(self):
        # Roles computed directly on an unwrapped AppRoot.
        root = AppRoot()
        for permission, expected in (
            (ViewPermission, ('Anonymous',)),
            (EditThingsPermission, ('Manager', 'Owner',)),
            (DeletePermission, ('Manager',)),
            ):
            assertPRoles(root, permission, expected)

    def testPermissionMapping(self):
        # ZClassMethodish redirects View to the 'Edit Things!' attribute and
        # sets the other two permissions to empty strings.
        root = AppRoot()
        root.c = ImplicitContainer()
        root.c.o = ZClassMethodish()
        target = root.c.o
        for permission, expected in (
            (ViewPermission, ('Manager', 'Owner',)),
            (EditThingsPermission, ()),
            (DeletePermission, ()),
            ):
            assertPRoles(target, permission, expected)
def test_suite():
    """Return a TestSuite holding every PermissionRoleTests case."""
    return unittest.TestSuite((unittest.makeSuite(PermissionRoleTests),))
# When the file is run as a script, run the suite returned by test_suite().
if __name__ == '__main__':
    unittest.main(defaultTest='test_suite')
=== Added File Products/VerboseSecurity/tests/testVerboseSecurityPolicy.py ===
##############################################################################
#
# Copyright (c) 2001 Zope Corporation and Contributors. All Rights Reserved.
#
# This software is subject to the provisions of the Zope Public License,
# Version 2.0 (ZPL). A copy of the ZPL should accompany this distribution.
# THIS SOFTWARE IS PROVIDED "AS IS" AND ANY AND ALL EXPRESS OR IMPLIED
# WARRANTIES ARE DISCLAIMED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
# WARRANTIES OF TITLE, MERCHANTABILITY, AGAINST INFRINGEMENT, AND FITNESS
# FOR A PARTICULAR PURPOSE
#
##############################################################################
"""Tests of ZopeSecurityPolicy
"""
# The $Id$ and $Revision$ strings are RCS keywords that CVS expands; leave the
# literal text alone.
__rcs_id__='$Id: testVerboseSecurityPolicy.py,v 1.1 2002/08/22 16:50:05 shane Exp $'
# [11:-2] cuts off the leading '$Revision: ' and the trailing ' $'.
__version__='$Revision: 1.1 $'[11:-2]
import os, sys, unittest
import ZODB
from zExceptions import Unauthorized
from Products.VerboseSecurity.VerboseSecurityPolicy \
import VerboseSecurityPolicy
from AccessControl.User import UserFolder
from AccessControl.SecurityManagement import SecurityContext
from Acquisition import Implicit, Explicit, aq_base
from MethodObject import Method
from ComputedAttribute import ComputedAttribute
# Role tuples shared by the fixtures below.
# setUp gives user_roles to 'joe' and eo_roles to 'theowner'.  No user is
# created with sysadmin_roles; they are only reachable as proxy roles
# (setuidMethod._proxy_roles).
user_roles = ("RoleOfUser",)
eo_roles = ("RoleOfExecutableOwner",)
sysadmin_roles = ("RoleOfSysAdmin",)
class App(Explicit):
    # Root object of the fixture tree; setUp attaches the items and the
    # user folder (acl_users) to an instance of it.
    pass
class PublicMethod (Method):
    # Base fixture for the method-like attributes of SimpleItemish.
    def getOwner(self):
        # No owner by default; OwnedMethod overrides this.
        return None
    # __roles__ of None: the tests expect public_m to be allowed in every
    # security context they set up.
    __roles__ = None
class ProtectedMethod (PublicMethod):
    # Requires RoleOfUser: expected to be allowed for 'joe' and denied for
    # 'theowner' and while setuid_m is on the execution stack.
    __roles__ = user_roles
class OwnedMethod (PublicMethod):
    # Requires RoleOfExecutableOwner and reports 'theowner' as its owner.
    __roles__ = eo_roles
    def getOwner(self):
        # Looks the owner up in the acl_users folder found two acquisition
        # parents up from this method (the App instance in setUp's tree).
        return self.aq_parent.aq_parent.acl_users.getUserById('theowner')
class setuidMethod (PublicMethod):
    # Carries proxy roles.  testProxyAccess pushes an instance onto the
    # context's stack and expects dangerous_m to become accessible while
    # protected_m (RoleOfUser) becomes inaccessible.
    _proxy_roles = sysadmin_roles
class DangerousMethod (PublicMethod):
    # Only accessible to sysadmin or people who use proxy roles
    # (no user in setUp holds RoleOfSysAdmin, so only the proxy path applies
    # in these tests).
    __roles__ = sysadmin_roles
class SimpleItemish (Implicit):
    # Common attribute set for the item fixtures: one instance of each
    # method fixture plus two plain string properties that declare no roles
    # of their own.
    public_m = PublicMethod()
    protected_m = ProtectedMethod()
    owned_m = OwnedMethod()
    setuid_m = setuidMethod()
    dangerous_m = DangerousMethod()
    public_prop = 'Public Value'
    private_prop = 'Private Value'
class UnprotectedSimpleItem (SimpleItemish):
    # Integer 1: the tests expect both public_prop and private_prop to be
    # accessible on this item.
    __allow_access_to_unprotected_subobjects__ = 1
class RestrictedSimpleItem (SimpleItemish):
    # Integer 0: the tests expect both plain properties to be denied.
    __allow_access_to_unprotected_subobjects__ = 0
    # Used by testRolesForPermission: 'View' is expected to be granted to
    # 'theowner' and refused to 'joe'.
    _View_Permission = eo_roles
class PartlyProtectedSimpleItem1 (SimpleItemish):
    # Dict form, keyed by attribute name: the tests expect public_prop to be
    # allowed and private_prop (not listed) to be denied.
    __allow_access_to_unprotected_subobjects__ = {'public_prop': 1,}
class PartlyProtectedSimpleItem2 (SimpleItemish):
    # Callable form of the same rule as PartlyProtectedSimpleItem1.
    def __allow_access_to_unprotected_subobjects__(self, name, value):
        # Returns 1 only for 'public_prop'; every other name gets 0.
        # value is accepted but not consulted.
        if name == 'public_prop':
            return 1
        return 0
class PartlyProtectedSimpleItem3 (PartlyProtectedSimpleItem1):
    # Set the roles of objects that are accessible because of
    # __allow_access_to_unprotected_subobjects__ .
    # With RoleOfSysAdmin required, the tests expect even public_prop to be
    # denied to 'joe'.
    __roles__ = sysadmin_roles
class SimpleClass:
    # Plain class with no security declarations.  The tests expect access to
    # attr to be denied on the class and on instances, until attr is replaced
    # by a PublicMethod.
    attr = 1
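class ZopeSecurityPolicyTests (unittest.TestCase):
    # Despite the class name, the policy under test is VerboseSecurityPolicy.
    #
    # Failures are reported with self.fail() instead of assert statements.
    # Assert statements are removed under python -O, which would let every
    # "must be denied" check pass without running.

    policy = VerboseSecurityPolicy()

    def setUp(self):
        # Build App -> items and a user folder with two users:
        # 'joe' (RoleOfUser) and 'theowner' (RoleOfExecutableOwner).
        # The default security context is joe's.
        a = App()
        self.a = a
        a.item = UnprotectedSimpleItem()
        self.item = a.item
        a.r_item = RestrictedSimpleItem()
        a.item1 = PartlyProtectedSimpleItem1()
        a.item2 = PartlyProtectedSimpleItem2()
        a.item3 = PartlyProtectedSimpleItem3()
        uf = UserFolder()
        a.acl_users = uf
        self.uf = a.acl_users
        uf._addUser('joe', 'password', 'password', user_roles, ())
        uf._addUser('theowner', 'password', 'password', eo_roles, ())
        user = uf.getUserById('joe')
        self.user = user
        context = SecurityContext(user)
        self.context = context

    def assertPolicyAllows(self, ob, attrname):
        # Fails when validate() returns a false value.  An exception raised
        # by validate() (Unauthorized included) is not caught here.
        res = self.policy.validate(ob, ob, attrname, getattr(ob, attrname),
                                   self.context)
        if not res:
            self.fail('Policy quietly denied %s' % attrname)

    def assertPolicyDenies(self, ob, attrname):
        # A denial only counts when validate() raises Unauthorized.  Any
        # return value, true or false, is a failure.
        try:
            res = self.policy.validate(ob, ob, attrname, getattr(ob, attrname),
                                       self.context)
        except Unauthorized:
            # Passed the test.
            pass
        else:
            if res:
                self.fail('Policy quietly allowed %s' % attrname)
            else:
                self.fail('Policy denied %s, but did not '
                          'throw an exception.' % attrname)

    def testUserAccess(self):
        # joe holds RoleOfUser only.
        item = self.item
        self.assertPolicyAllows(item, 'public_m')
        self.assertPolicyAllows(item, 'protected_m')
        self.assertPolicyDenies(item, 'owned_m')
        self.assertPolicyAllows(item, 'setuid_m')
        self.assertPolicyDenies(item, 'dangerous_m')

    def testOwnerAccess(self):
        # theowner holds RoleOfExecutableOwner only.
        self.context = SecurityContext(self.uf.getUserById('theowner'))
        item = self.item
        self.assertPolicyAllows(item, 'public_m')
        self.assertPolicyDenies(item, 'protected_m')
        self.assertPolicyAllows(item, 'owned_m')
        self.assertPolicyAllows(item, 'setuid_m')
        self.assertPolicyDenies(item, 'dangerous_m')

    def testProxyAccess(self):
        # With setuid_m on the execution stack its proxy roles are expected
        # to replace joe's own roles: dangerous_m opens up, while protected_m
        # (which joe can reach directly) is refused.
        item = self.item
        self.context.stack.append(item.setuid_m)
        self.assertPolicyAllows(item, 'public_m')
        self.assertPolicyDenies(item, 'protected_m')
        self.assertPolicyDenies(item, 'owned_m')
        self.assertPolicyAllows(item, 'setuid_m')
        self.assertPolicyAllows(item, 'dangerous_m')

    def testAccessToUnprotectedSubobjects(self):
        # Covers the integer, dict and callable forms of
        # __allow_access_to_unprotected_subobjects__ on plain properties.
        item = self.item
        r_item = self.a.r_item
        item1 = self.a.item1
        item2 = self.a.item2
        item3 = self.a.item3
        self.assertPolicyAllows(item, 'public_prop')
        self.assertPolicyDenies(r_item, 'public_prop')
        self.assertPolicyAllows(item1, 'public_prop')
        self.assertPolicyAllows(item2, 'public_prop')
        self.assertPolicyDenies(item3, 'public_prop')
        self.assertPolicyAllows(item, 'private_prop')
        self.assertPolicyDenies(r_item, 'private_prop')
        self.assertPolicyDenies(item1, 'private_prop')
        self.assertPolicyDenies(item2, 'private_prop')
        self.assertPolicyDenies(item3, 'private_prop')

    def testAccessToSimpleContainer(self):
        # Built-in dict and list methods are expected to be reachable.
        # Attributes of a plain class are not, unless the attribute is a
        # PublicMethod.
        self.assertPolicyAllows({}, 'keys')
        self.assertPolicyAllows([], 'append')
        self.assertPolicyDenies(SimpleClass, 'attr')
        self.assertPolicyDenies(SimpleClass(), 'attr')
        c = SimpleClass()
        c.attr = PublicMethod()
        self.assertPolicyAllows(c, 'attr')

    def testRolesForPermission(self):
        # Test of policy.checkPermission().
        r_item = self.a.r_item
        context = self.context
        v = self.policy.checkPermission('View', r_item, context)
        if v:
            self.fail('_View_Permission should deny access to user')
        o_context = SecurityContext(self.uf.getUserById('theowner'))
        v = self.policy.checkPermission('View', r_item, o_context)
        if not v:
            self.fail('_View_Permission should grant access to theowner')

    def testAqNames(self):
        # validate() is called with empty-string objects and no context, so
        # only the attribute name can drive the outcome.
        policy = self.policy
        for name in ('aq_self', 'aq_base'):
            if policy.validate('', '', name, '', None):
                self.fail('Policy allowed access to %s' % name)
        for name in ('aq_parent', 'aq_explicit', 'aq_inner'):
            if not policy.validate('', '', name, '', None):
                self.fail('Policy denied access to %s' % name)

    # The "if 1:" wrapper keeps this test defined; changing it to "if 0:"
    # would leave it out of the class.
    if 1:
        def testInsaneRoles(self):
            # Makes sure the policy doesn't blow up on bad input.
            c = SimpleClass()
            m = PublicMethod()
            c.m = m
            # Test good roles
            self.assertPolicyAllows(c, 'm')
            # Test bad roles
            m.__roles__ = 1950
            try:
                self.assertPolicyAllows(c, 'm')
            except TypeError:
                # The only accepted outcome for a non-sequence __roles__.
                pass
            else:
                self.fail('Policy accepted bad __roles__')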
def test_suite():
    """Return a TestSuite holding every ZopeSecurityPolicyTests case."""
    return unittest.TestSuite((unittest.makeSuite(ZopeSecurityPolicyTests),))
# When the file is run as a script, run the suite returned by test_suite().
if __name__ == '__main__':
    unittest.main(defaultTest='test_suite')