Revision 5e12acfe test/ganeti.server.rapi_unittest.py
| b/test/ganeti.server.rapi_unittest.py | ||
|---|---|---|
| 168 | 168 |
else: |
| 169 | 169 |
return None |
| 170 | 170 |
|
| 171 |
def _LookupUserWithWrite(name): |
|
| 172 |
if name == username: |
|
| 173 |
return http.auth.PasswordFileUser(name, password, [ |
|
| 174 |
rapi.RAPI_ACCESS_WRITE, |
|
| 175 |
]) |
|
| 176 |
else: |
|
| 177 |
return None |
|
| 178 |
|
|
| 179 |
for qr in constants.QR_VIA_RAPI: |
|
| 180 |
# The /2/query resource has somewhat special rules for authentication as |
|
| 181 |
# it can be used to retrieve critical information |
|
| 182 |
path = "/2/query/%s" % qr |
|
| 183 |
|
|
| 184 |
for method in rapi.baserlib._SUPPORTED_METHODS: |
|
| 185 |
# No authorization |
|
| 186 |
(code, _, _) = self._Test(method, path, "", "") |
|
| 187 |
|
|
| 188 |
if method in (http.HTTP_DELETE, http.HTTP_POST): |
|
| 189 |
self.assertEqual(code, http.HttpNotImplemented.code) |
|
| 190 |
continue |
|
| 191 |
|
|
| 192 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
| 193 |
|
|
| 194 |
# Incorrect user |
|
| 195 |
(code, _, _) = self._Test(method, path, header_fn(True), "", |
|
| 196 |
user_fn=self._LookupWrongUser) |
|
| 197 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
| 198 |
|
|
| 199 |
# User has no write access, but the password is correct |
|
| 200 |
(code, _, _) = self._Test(method, path, header_fn(True), "", |
|
| 201 |
user_fn=_LookupUserNoWrite) |
|
| 202 |
self.assertEqual(code, http.HttpForbidden.code) |
|
| 203 |
|
|
| 204 |
# Wrong password and no write access |
|
| 205 |
(code, _, _) = self._Test(method, path, header_fn(False), "", |
|
| 206 |
user_fn=_LookupUserNoWrite) |
|
| 207 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
| 208 |
|
|
| 209 |
# Wrong password with write access |
|
| 210 |
(code, _, _) = self._Test(method, path, header_fn(False), "", |
|
| 211 |
user_fn=_LookupUserWithWrite) |
|
| 212 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
| 213 |
|
|
| 214 |
# Prepare request information |
|
| 215 |
if method == http.HTTP_PUT: |
|
| 216 |
reqpath = path |
|
| 217 |
body = serializer.DumpJson({
|
|
| 218 |
"fields": ["name"], |
|
| 219 |
}) |
|
| 220 |
elif method == http.HTTP_GET: |
|
| 221 |
reqpath = "%s?fields=name" % path |
|
| 222 |
body = "" |
|
| 171 |
for access in [rapi.RAPI_ACCESS_WRITE, rapi.RAPI_ACCESS_READ]: |
|
| 172 |
def _LookupUserWithWrite(name): |
|
| 173 |
if name == username: |
|
| 174 |
return http.auth.PasswordFileUser(name, password, [ |
|
| 175 |
access, |
|
| 176 |
]) |
|
| 223 | 177 |
else: |
| 224 |
self.fail("Unknown method '%s'" % method)
|
|
| 225 |
|
|
| 226 |
# User has write access, password is correct |
|
| 227 |
(code, _, data) = self._Test(method, reqpath, header_fn(True), body, |
|
| 228 |
user_fn=_LookupUserWithWrite, |
|
| 229 |
luxi_client=_FakeLuxiClientForQuery) |
|
| 230 |
self.assertEqual(code, http.HTTP_OK) |
|
| 231 |
self.assertTrue(objects.QueryResponse.FromDict(data)) |
|
| 178 |
return None |
|
| 179 |
|
|
| 180 |
for qr in constants.QR_VIA_RAPI: |
|
| 181 |
# The /2/query resource has somewhat special rules for authentication as |
|
| 182 |
# it can be used to retrieve critical information |
|
| 183 |
path = "/2/query/%s" % qr |
|
| 184 |
|
|
| 185 |
for method in rapi.baserlib._SUPPORTED_METHODS: |
|
| 186 |
# No authorization |
|
| 187 |
(code, _, _) = self._Test(method, path, "", "") |
|
| 188 |
|
|
| 189 |
if method in (http.HTTP_DELETE, http.HTTP_POST): |
|
| 190 |
self.assertEqual(code, http.HttpNotImplemented.code) |
|
| 191 |
continue |
|
| 192 |
|
|
| 193 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
| 194 |
|
|
| 195 |
# Incorrect user |
|
| 196 |
(code, _, _) = self._Test(method, path, header_fn(True), "", |
|
| 197 |
user_fn=self._LookupWrongUser) |
|
| 198 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
| 199 |
|
|
| 200 |
# User has no write access, but the password is correct |
|
| 201 |
(code, _, _) = self._Test(method, path, header_fn(True), "", |
|
| 202 |
user_fn=_LookupUserNoWrite) |
|
| 203 |
self.assertEqual(code, http.HttpForbidden.code) |
|
| 204 |
|
|
| 205 |
# Wrong password and no write access |
|
| 206 |
(code, _, _) = self._Test(method, path, header_fn(False), "", |
|
| 207 |
user_fn=_LookupUserNoWrite) |
|
| 208 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
| 209 |
|
|
| 210 |
# Wrong password with write access |
|
| 211 |
(code, _, _) = self._Test(method, path, header_fn(False), "", |
|
| 212 |
user_fn=_LookupUserWithWrite) |
|
| 213 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
| 214 |
|
|
| 215 |
# Prepare request information |
|
| 216 |
if method == http.HTTP_PUT: |
|
| 217 |
reqpath = path |
|
| 218 |
body = serializer.DumpJson({
|
|
| 219 |
"fields": ["name"], |
|
| 220 |
}) |
|
| 221 |
elif method == http.HTTP_GET: |
|
| 222 |
reqpath = "%s?fields=name" % path |
|
| 223 |
body = "" |
|
| 224 |
else: |
|
| 225 |
self.fail("Unknown method '%s'" % method)
|
|
| 226 |
|
|
| 227 |
# User has write access, password is correct |
|
| 228 |
(code, _, data) = self._Test(method, reqpath, header_fn(True), body, |
|
| 229 |
user_fn=_LookupUserWithWrite, |
|
| 230 |
luxi_client=_FakeLuxiClientForQuery) |
|
| 231 |
self.assertEqual(code, http.HTTP_OK) |
|
| 232 |
self.assertTrue(objects.QueryResponse.FromDict(data)) |
|
| 233 |
|
|
| 234 |
def testConsole(self): |
|
| 235 |
path = "/2/instances/inst1.example.com/console" |
|
| 236 |
|
|
| 237 |
for method in rapi.baserlib._SUPPORTED_METHODS: |
|
| 238 |
# No authorization |
|
| 239 |
(code, _, _) = self._Test(method, path, "", "") |
|
| 240 |
|
|
| 241 |
if method == http.HTTP_GET: |
|
| 242 |
self.assertEqual(code, http.HttpUnauthorized.code) |
|
| 243 |
else: |
|
| 244 |
self.assertEqual(code, http.HttpNotImplemented.code) |
|
| 232 | 245 |
|
| 233 | 246 |
|
| 234 | 247 |
class _FakeLuxiClientForQuery: |
Also available in: Unified diff