func (r *PermissionSuite) TestNoUserTagLacksPermission(c *gc.C) { nonUser := names.NewModelTag("beef1beef1-0000-0000-000011112222") target := names.NewModelTag("beef1beef2-0000-0000-000011112222") hasPermission, err := common.HasPermission((&fakeUserAccess{}).call, nonUser, permission.ReadAccess, target) c.Assert(hasPermission, jc.IsFalse) c.Assert(err, jc.ErrorIsNil) }
func (r *PermissionSuite) TestEveryoneAtExternal(c *gc.C) { testCases := []struct { title string userGetterAccess permission.Access everyoneAccess permission.Access user names.UserTag target names.Tag access permission.Access expected bool }{ { title: "user has lesser permissions than everyone", userGetterAccess: permission.LoginAccess, everyoneAccess: permission.AddModelAccess, user: names.NewUserTag("validuser@external"), target: names.NewControllerTag("beef1beef2-0000-0000-000011112222"), access: permission.AddModelAccess, expected: true, }, { title: "user has greater permissions than everyone", userGetterAccess: permission.AddModelAccess, everyoneAccess: permission.LoginAccess, user: names.NewUserTag("validuser@external"), target: names.NewControllerTag("beef1beef2-0000-0000-000011112222"), access: permission.AddModelAccess, expected: true, }, { title: "everibody not considered if user is local", userGetterAccess: permission.LoginAccess, everyoneAccess: permission.AddModelAccess, user: names.NewUserTag("validuser"), target: names.NewControllerTag("beef1beef2-0000-0000-000011112222"), access: permission.AddModelAccess, expected: false, }, } for i, t := range testCases { userGetter := &fakeEveryoneUserAccess{ user: permission.UserAccess{ Access: t.userGetterAccess, }, everyone: permission.UserAccess{ Access: t.everyoneAccess, }, } c.Logf(`HasPermission "everyone" test n %d: %s`, i, t.title) hasPermission, err := common.HasPermission(userGetter.call, t.user, t.access, t.target) c.Assert(err, jc.ErrorIsNil) c.Assert(hasPermission, gc.Equals, t.expected) } }
func (r *PermissionSuite) TestUserGetterErrorReturns(c *gc.C) { user := names.NewUserTag("validuser") target := names.NewModelTag("beef1beef2-0000-0000-000011112222") userGetter := &fakeUserAccess{ user: permission.UserAccess{}, err: errors.NotFoundf("a user"), } hasPermission, err := common.HasPermission(userGetter.call, user, permission.ReadAccess, target) c.Assert(err, jc.ErrorIsNil) c.Assert(hasPermission, jc.IsFalse) c.Assert(userGetter.subjects, gc.HasLen, 1) c.Assert(userGetter.subjects[0], gc.DeepEquals, user) c.Assert(userGetter.objects, gc.HasLen, 1) c.Assert(userGetter.objects[0], gc.DeepEquals, target) }
// UserHasPermission returns true if the passed in user can perform <operation> on <target>. func (r *apiHandler) UserHasPermission(user names.UserTag, operation permission.Access, target names.Tag) (bool, error) { return common.HasPermission(r.state.UserAccess, user, operation, target) }
// HasPermission returns true if the logged in user can perform <operation> on <target>. func (r *apiHandler) HasPermission(operation permission.Access, target names.Tag) (bool, error) { return common.HasPermission(r.state.UserAccess, r.entity.Tag(), operation, target) }
func (r *PermissionSuite) TestHasPermission(c *gc.C) { testCases := []struct { title string userGetterAccess permission.Access user names.UserTag target names.Tag access permission.Access expected bool }{ { title: "user has lesser permissions than required", userGetterAccess: permission.ReadAccess, user: names.NewUserTag("validuser"), target: names.NewModelTag("beef1beef2-0000-0000-000011112222"), access: permission.WriteAccess, expected: false, }, { title: "user has equal permission than required", userGetterAccess: permission.WriteAccess, user: names.NewUserTag("validuser"), target: names.NewModelTag("beef1beef2-0000-0000-000011112222"), access: permission.WriteAccess, expected: true, }, { title: "user has greater permission than required", userGetterAccess: permission.AdminAccess, user: names.NewUserTag("validuser"), target: names.NewModelTag("beef1beef2-0000-0000-000011112222"), access: permission.WriteAccess, expected: true, }, { title: "user requests model permission on controller", userGetterAccess: permission.AdminAccess, user: names.NewUserTag("validuser"), target: names.NewModelTag("beef1beef2-0000-0000-000011112222"), access: permission.AddModelAccess, expected: false, }, { title: "user requests controller permission on model", userGetterAccess: permission.AdminAccess, user: names.NewUserTag("validuser"), target: names.NewControllerTag("beef1beef2-0000-0000-000011112222"), access: permission.AdminAccess, // notice user has this permission for model. expected: false, }, { title: "controller permissions also work", userGetterAccess: permission.AddModelAccess, user: names.NewUserTag("validuser"), target: names.NewControllerTag("beef1beef2-0000-0000-000011112222"), access: permission.AddModelAccess, expected: true, }, } for i, t := range testCases { userGetter := &fakeUserAccess{ user: permission.UserAccess{ Access: t.userGetterAccess, }} c.Logf("HasPermission test n %d: %s", i, t.title) hasPermission, err := common.HasPermission(userGetter.call, t.user, t.access, t.target) c.Assert(hasPermission, gc.Equals, t.expected) c.Assert(err, jc.ErrorIsNil) } }