Introduced role-based capability system.

It's still rather limited and hard-coded, but it works.
2017-08-18 14:47:42 +02:00
parent 566a23d3b6
commit 575a7ed1a7
14 changed files with 137 additions and 27 deletions
--- a/tests/test_api/test_auth.py
+++ b/tests/test_api/test_auth.py
@@ -526,7 +526,6 @@ class PermissionComputationTest(AbstractPillarTest):

 class RequireRolesTest(AbstractPillarTest):
    def test_no_roles_required(self):
-        from flask import g
        from pillar.api.utils.authorization import require_login

        called = [False]
@@ -604,6 +603,40 @@ class RequireRolesTest(AbstractPillarTest):
            self.assertFalse(user_has_role('admin', make_user(None)))
            self.assertFalse(user_has_role('admin', None))

+    def test_cap_required(self):
+        from pillar.api.utils.authorization import require_login
+
+        called = [False]
+
+        @require_login(require_cap='subscriber')
+        def call_me():
+            called[0] = True
+
+        with self.app.test_request_context():
+            self.login_api_as(ObjectId(24 * 'a'), ['succubus'])
+            self.assertRaises(Forbidden, call_me)
+        self.assertFalse(called[0])
+
+        with self.app.test_request_context():
+            self.login_api_as(ObjectId(24 * 'a'), ['admin'])
+            call_me()
+        self.assertTrue(called[0])
+
+    def test_invalid_combinations(self):
+        from pillar.api.utils.authorization import require_login
+
+        with self.assertRaises(TypeError):
+            require_login(require_roles=['abc', 'def'])
+
+        with self.assertRaises(TypeError):
+            require_login(require_cap={'multiple', 'caps'})
+
+        with self.assertRaises(ValueError):
+            require_login(require_roles=set(), require_all=True)
+
+        with self.assertRaises(ValueError):
+            require_login(require_roles={'admin'}, require_cap='hey')
+

 class UserCreationTest(AbstractPillarTest):
    @responses.activate