Revision 5e12acfe test/ganeti.server.rapi_unittest.py
b/test/ganeti.server.rapi_unittest.py | ||
168 | 168 |
else: |
169 | 169 |
return None |
170 | 170 |
|
171 |
def _LookupUserWithWrite(name): |
|
172 |
if name == username: |
|
173 |
return http.auth.PasswordFileUser(name, password, [ |
|
174 |
rapi.RAPI_ACCESS_WRITE, |
|
175 |
]) |
|
176 |
else: |
|
177 |
return None |
|
178 |
|
|
179 |
for qr in constants.QR_VIA_RAPI: |
|
180 |
# The /2/query resource has somewhat special rules for authentication as |
|
181 |
# it can be used to retrieve critical information |
|
182 |
path = "/2/query/%s" % qr |
|
183 |
|
|
184 |
for method in rapi.baserlib._SUPPORTED_METHODS: |
|
185 |
# No authorization |
|
186 |
(code, _, _) = self._Test(method, path, "", "") |
|
187 |
|
|
188 |
if method in (http.HTTP_DELETE, http.HTTP_POST): |
|
189 |
self.assertEqual(code, http.HttpNotImplemented.code) |
|
190 |
continue |
|
191 |
|
|
192 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
193 |
|
|
194 |
# Incorrect user |
|
195 |
(code, _, _) = self._Test(method, path, header_fn(True), "", |
|
196 |
user_fn=self._LookupWrongUser) |
|
197 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
198 |
|
|
199 |
# User has no write access, but the password is correct |
|
200 |
(code, _, _) = self._Test(method, path, header_fn(True), "", |
|
201 |
user_fn=_LookupUserNoWrite) |
|
202 |
self.assertEqual(code, http.HttpForbidden.code) |
|
203 |
|
|
204 |
# Wrong password and no write access |
|
205 |
(code, _, _) = self._Test(method, path, header_fn(False), "", |
|
206 |
user_fn=_LookupUserNoWrite) |
|
207 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
208 |
|
|
209 |
# Wrong password with write access |
|
210 |
(code, _, _) = self._Test(method, path, header_fn(False), "", |
|
211 |
user_fn=_LookupUserWithWrite) |
|
212 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
213 |
|
|
214 |
# Prepare request information |
|
215 |
if method == http.HTTP_PUT: |
|
216 |
reqpath = path |
|
217 |
body = serializer.DumpJson({ |
|
218 |
"fields": ["name"], |
|
219 |
}) |
|
220 |
elif method == http.HTTP_GET: |
|
221 |
reqpath = "%s?fields=name" % path |
|
222 |
body = "" |
|
171 |
for access in [rapi.RAPI_ACCESS_WRITE, rapi.RAPI_ACCESS_READ]: |
|
172 |
def _LookupUserWithWrite(name): |
|
173 |
if name == username: |
|
174 |
return http.auth.PasswordFileUser(name, password, [ |
|
175 |
access, |
|
176 |
]) |
|
223 | 177 |
else: |
224 |
self.fail("Unknown method '%s'" % method) |
|
225 |
|
|
226 |
# User has write access, password is correct |
|
227 |
(code, _, data) = self._Test(method, reqpath, header_fn(True), body, |
|
228 |
user_fn=_LookupUserWithWrite, |
|
229 |
luxi_client=_FakeLuxiClientForQuery) |
|
230 |
self.assertEqual(code, http.HTTP_OK) |
|
231 |
self.assertTrue(objects.QueryResponse.FromDict(data)) |
|
178 |
return None |
|
179 |
|
|
180 |
for qr in constants.QR_VIA_RAPI: |
|
181 |
# The /2/query resource has somewhat special rules for authentication as |
|
182 |
# it can be used to retrieve critical information |
|
183 |
path = "/2/query/%s" % qr |
|
184 |
|
|
185 |
for method in rapi.baserlib._SUPPORTED_METHODS: |
|
186 |
# No authorization |
|
187 |
(code, _, _) = self._Test(method, path, "", "") |
|
188 |
|
|
189 |
if method in (http.HTTP_DELETE, http.HTTP_POST): |
|
190 |
self.assertEqual(code, http.HttpNotImplemented.code) |
|
191 |
continue |
|
192 |
|
|
193 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
194 |
|
|
195 |
# Incorrect user |
|
196 |
(code, _, _) = self._Test(method, path, header_fn(True), "", |
|
197 |
user_fn=self._LookupWrongUser) |
|
198 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
199 |
|
|
200 |
# User has no write access, but the password is correct |
|
201 |
(code, _, _) = self._Test(method, path, header_fn(True), "", |
|
202 |
user_fn=_LookupUserNoWrite) |
|
203 |
self.assertEqual(code, http.HttpForbidden.code) |
|
204 |
|
|
205 |
# Wrong password and no write access |
|
206 |
(code, _, _) = self._Test(method, path, header_fn(False), "", |
|
207 |
user_fn=_LookupUserNoWrite) |
|
208 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
209 |
|
|
210 |
# Wrong password with write access |
|
211 |
(code, _, _) = self._Test(method, path, header_fn(False), "", |
|
212 |
user_fn=_LookupUserWithWrite) |
|
213 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
214 |
|
|
215 |
# Prepare request information |
|
216 |
if method == http.HTTP_PUT: |
|
217 |
reqpath = path |
|
218 |
body = serializer.DumpJson({ |
|
219 |
"fields": ["name"], |
|
220 |
}) |
|
221 |
elif method == http.HTTP_GET: |
|
222 |
reqpath = "%s?fields=name" % path |
|
223 |
body = "" |
|
224 |
else: |
|
225 |
self.fail("Unknown method '%s'" % method) |
|
226 |
|
|
227 |
# User has write access, password is correct |
|
228 |
(code, _, data) = self._Test(method, reqpath, header_fn(True), body, |
|
229 |
user_fn=_LookupUserWithWrite, |
|
230 |
luxi_client=_FakeLuxiClientForQuery) |
|
231 |
self.assertEqual(code, http.HTTP_OK) |
|
232 |
self.assertTrue(objects.QueryResponse.FromDict(data)) |
|
233 |
|
|
234 |
def testConsole(self): |
|
235 |
path = "/2/instances/inst1.example.com/console" |
|
236 |
|
|
237 |
for method in rapi.baserlib._SUPPORTED_METHODS: |
|
238 |
# No authorization |
|
239 |
(code, _, _) = self._Test(method, path, "", "") |
|
240 |
|
|
241 |
if method == http.HTTP_GET: |
|
242 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
243 |
else: |
|
244 |
self.assertEqual(code, http.HttpNotImplemented.code) |
|
232 | 245 |
|
233 | 246 |
|
234 | 247 |
class _FakeLuxiClientForQuery: |
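Review bot: The new `for access in [rapi.RAPI_ACCESS_WRITE, rapi.RAPI_ACCESS_READ]:` loop makes the helper name `_LookupUserWithWrite` and the comments `# Wrong password with write access` and `# User has write access, password is correct` wrong on the second iteration, where the user only holds `RAPI_ACCESS_READ`; renaming the helper to `_LookupUserWithAccess` and changing the latter comment to `# User has the access level under test, password is correct` keeps the test readable. What this hunk actually pins down is security-relevant and deserves a line at the loop header, e.g. `# /2/query must be reachable with either READ or WRITE access, but never with neither`, since the `_LookupUserNoWrite` case still expects `HttpForbidden` while both access levels now expect `HTTP_OK`. The closure defined inside the loop reads `access` late-bound, which is safe here only because it is invoked within the same iteration; a short comment noting that would prevent someone from hoisting the helper out of the loop later. The enclosing test method starts above this hunk, where `username`, `password`, `header_fn` and `_LookupUserNoWrite` are defined.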