HEX
Server: Apache/2.4.41 (Ubuntu)
System: Linux ip-172-31-42-149 5.15.0-1084-aws #91~20.04.1-Ubuntu SMP Fri May 2 07:00:04 UTC 2025 aarch64
User: ubuntu (1000)
PHP: 7.4.33
Disabled: pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
Upload Files
File: //usr/lib/python3/dist-packages/macaroonbakery/tests/test_authorizer.py
# Copyright 2017 Canonical Ltd.
# Licensed under the LGPLv3, see LICENCE file for details.
from unittest import TestCase

import macaroonbakery.bakery as bakery
import macaroonbakery.checkers as checkers


class TestAuthorizer(TestCase):
    def test_authorize_func(self):
        def f(ctx, identity, op):
            self.assertEqual(identity.id(), 'bob')
            if op.entity == 'a':
                return False, None
            elif op.entity == 'b':
                return True, None
            elif op.entity == 'c':
                return True, [checkers.Caveat(location='somewhere',
                                              condition='c')]
            elif op.entity == 'd':
                return True, [checkers.Caveat(location='somewhere',
                                              condition='d')]
            else:
                self.fail('unexpected entity: ' + op.Entity)

        ops = [bakery.Op('a', 'x'), bakery.Op('b', 'x'),
               bakery.Op('c', 'x'), bakery.Op('d', 'x')]
        allowed, caveats = bakery.AuthorizerFunc(f).authorize(
            checkers.AuthContext(),
            bakery.SimpleIdentity('bob'),
            ops
        )
        self.assertEqual(allowed, [False, True, True, True])
        self.assertEqual(caveats, [
            checkers.Caveat(location='somewhere', condition='c'),
            checkers.Caveat(location='somewhere', condition='d')
        ])

    def test_acl_authorizer(self):
        ctx = checkers.AuthContext()
        tests = [
            ('no ops, no problem',
             bakery.ACLAuthorizer(allow_public=True, get_acl=lambda x, y: []),
             None,
             [],
             []),
            ('identity that does not implement ACLIdentity; '
             'user should be denied except for everyone group',
             bakery.ACLAuthorizer(
                 allow_public=True,
                 get_acl=lambda ctx, op: [bakery.EVERYONE] if op.entity == 'a' else ['alice'],
             ),
             SimplestIdentity('bob'),
             [bakery.Op(entity='a', action='a'),
              bakery.Op(entity='b', action='b')],
             [True, False]),
            ('identity that does not implement ACLIdentity with user == Id; '
             'user should be denied except for everyone group',
             bakery.ACLAuthorizer(
                 allow_public=True,
                 get_acl=lambda ctx, op: [bakery.EVERYONE] if op.entity == 'a' else ['bob'],
             ),
             SimplestIdentity('bob'),
             [bakery.Op(entity='a', action='a'),
              bakery.Op(entity='b', action='b')],
             [True, False]),
            ('permission denied for everyone without AllowPublic',
             bakery.ACLAuthorizer(
                 allow_public=False,
                 get_acl=lambda x, y: [bakery.EVERYONE],
             ),
             SimplestIdentity('bob'),
             [bakery.Op(entity='a', action='a')],
             [False]),
            ('permission granted to anyone with no identity with AllowPublic',
             bakery.ACLAuthorizer(
                 allow_public=True,
                 get_acl=lambda x, y: [bakery.EVERYONE],
             ),
             None,
             [bakery.Op(entity='a', action='a')],
             [True])
        ]
        for test in tests:
            allowed, caveats = test[1].authorize(ctx, test[2], test[3])
            self.assertEqual(len(caveats), 0)
            self.assertEqual(allowed, test[4])

    def test_context_wired_properly(self):
        ctx = checkers.AuthContext({'a': 'aval'})

        class Visited:
            in_f = False
            in_allow = False
            in_get_acl = False

        def f(ctx, identity, op):
            self.assertEqual(ctx.get('a'), 'aval')
            Visited.in_f = True
            return False, None

        bakery.AuthorizerFunc(f).authorize(
            ctx, bakery.SimpleIdentity('bob'), ['op1']
        )
        self.assertTrue(Visited.in_f)

        class TestIdentity(SimplestIdentity, bakery.ACLIdentity):
            def allow(other, ctx, acls):
                self.assertEqual(ctx.get('a'), 'aval')
                Visited.in_allow = True
                return False

        def get_acl(ctx, acl):
            self.assertEqual(ctx.get('a'), 'aval')
            Visited.in_get_acl = True
            return []

        bakery.ACLAuthorizer(
            allow_public=False,
            get_acl=get_acl,
        ).authorize(ctx, TestIdentity('bob'), ['op1'])
        self.assertTrue(Visited.in_get_acl)
        self.assertTrue(Visited.in_allow)


class SimplestIdentity(bakery.Identity):
    # SimplestIdentity implements Identity for a string. Unlike
    # SimpleIdentity, it does not implement ACLIdentity.
    def __init__(self, user):
        self._identity = user

    def domain(self):
        return ''

    def id(self):
        return self._identity