diff options
| author | Chris McDonough <chrism@agendaless.com> | 2008-11-02 17:27:33 +0000 |
|---|---|---|
| committer | Chris McDonough <chrism@agendaless.com> | 2008-11-02 17:27:33 +0000 |
| commit | 17ce5747ea36df10ec78e0af7140b55f691f5016 (patch) | |
| tree | 10c3a5ca6b460c59ecd72d29a4e2db587ce550e8 /repoze/bfg/tests | |
| parent | 2fc5d11826931435cfb42e2f334391c783f31f1d (diff) | |
| download | pyramid-17ce5747ea36df10ec78e0af7140b55f691f5016.tar.gz pyramid-17ce5747ea36df10ec78e0af7140b55f691f5016.tar.bz2 pyramid-17ce5747ea36df10ec78e0af7140b55f691f5016.zip | |
Features
- The ``BFG_DEBUG_AUTHORIZATION`` envvar and the
``debug_authorization`` config file value now only imply debugging
of view-invoked security checks. Previously, information was
printed for every call to ``has_permission`` as well, which made
output confusing. To debug ``has_permission`` checks and other
manual permission checks, use the debugger and print statements in
your own code.
- Authorization debugging info is now only present in the HTTP
response body oif ``debug_authorization`` is true.
- The format of authorization debug messages was improved.
- A new ``BFG_DEBUG_NOTFOUND`` envvar was added and a symmetric
``debug_notfound`` config file value was added. When either is
true, and a NotFound response is returned by the BFG router
(because a view could not be found), debugging information is
printed to stderr. When this value is set true, the body of
HTTPNotFound responses will also contain the same debugging
information.
- ``Allowed`` and ``Denied`` responses from the security machinery
are now specialized into two types: ACL types, and non-ACL types.
The ACL-related responses are instances of
``repoze.bfg.security.ACLAllowed`` and
``repoze.bfg.security.ACLDenied``. The non-ACL-related responses
are ``repoze.bfg.security.Allowed`` and
``repoze.bfg.security.Denied``. The allowed-type responses
continue to evaluate equal to things that themselves evaluate
equal to the ``True`` boolean, while the denied-type responses
continue to evaluate equal to things that themselves evaluate
equal to the ``False`` boolean. The only difference between the
two types is the information attached to them for debugging
purposes.
- Added a new ``BFG_DEBUG_ALL`` envvar and a symmetric ``debug_all``
config file value. When either is true, all other debug-related
flags are set true unconditionally (e.g. ``debug_notfound`` and
``debug_authorization``).
Documentation
- Added info about debug flag changes.
- Added a section to the security chapter named "Debugging
Imperative Authorization Failures" (for e.g. ``has_permssion``).
Diffstat (limited to 'repoze/bfg/tests')
| -rw-r--r-- | repoze/bfg/tests/test_registry.py | 38 | ||||
| -rw-r--r-- | repoze/bfg/tests/test_router.py | 165 | ||||
| -rw-r--r-- | repoze/bfg/tests/test_security.py | 205 | ||||
| -rw-r--r-- | repoze/bfg/tests/test_view.py | 64 |
4 files changed, 372 insertions, 100 deletions
diff --git a/repoze/bfg/tests/test_registry.py b/repoze/bfg/tests/test_registry.py index 86977e941..73bdc40fe 100644 --- a/repoze/bfg/tests/test_registry.py +++ b/repoze/bfg/tests/test_registry.py @@ -79,6 +79,44 @@ class TestGetOptions(unittest.TestCase): {'BFG_DEBUG_AUTHORIZATION':'1'}) self.assertEqual(result['debug_authorization'], True) + def test_debug_notfound(self): + get_options = self._getFUT() + result = get_options({}) + self.assertEqual(result['debug_notfound'], False) + result = get_options({'debug_notfound':'false'}) + self.assertEqual(result['debug_notfound'], False) + result = get_options({'debug_notfound':'t'}) + self.assertEqual(result['debug_notfound'], True) + result = get_options({'debug_notfound':'1'}) + self.assertEqual(result['debug_notfound'], True) + result = get_options({}, {'BFG_DEBUG_NOTFOUND':'1'}) + self.assertEqual(result['debug_notfound'], True) + result = get_options({'debug_notfound':'false'}, + {'BFG_DEBUG_NOTFOUND':'1'}) + self.assertEqual(result['debug_notfound'], True) + + def test_debug_all(self): + get_options = self._getFUT() + result = get_options({}) + self.assertEqual(result['debug_notfound'], False) + self.assertEqual(result['debug_authorization'], False) + result = get_options({'debug_all':'false'}) + self.assertEqual(result['debug_notfound'], False) + self.assertEqual(result['debug_authorization'], False) + result = get_options({'debug_all':'t'}) + self.assertEqual(result['debug_notfound'], True) + self.assertEqual(result['debug_authorization'], True) + result = get_options({'debug_all':'1'}) + self.assertEqual(result['debug_notfound'], True) + self.assertEqual(result['debug_authorization'], True) + result = get_options({}, {'BFG_DEBUG_ALL':'1'}) + self.assertEqual(result['debug_notfound'], True) + self.assertEqual(result['debug_authorization'], True) + result = get_options({'debug_all':'false'}, + {'BFG_DEBUG_ALL':'1'}) + self.assertEqual(result['debug_notfound'], True) + self.assertEqual(result['debug_authorization'], True) + class TestThreadLocalRegistryManager(unittest.TestCase, PlacelessSetup): def setUp(self): PlacelessSetup.setUp(self) diff --git a/repoze/bfg/tests/test_router.py b/repoze/bfg/tests/test_router.py index a1c2b0cfb..c61694fd1 100644 --- a/repoze/bfg/tests/test_router.py +++ b/repoze/bfg/tests/test_router.py @@ -9,6 +9,33 @@ class RouterTests(unittest.TestCase, PlacelessSetup): def tearDown(self): PlacelessSetup.tearDown(self) + def _registerLogger(self): + import zope.component + gsm = zope.component.getGlobalSiteManager() + from repoze.bfg.interfaces import ILogger + class Logger: + def __init__(self): + self.messages = [] + def info(self, msg): + self.messages.append(msg) + debug = info + logger = Logger() + gsm.registerUtility(logger, ILogger, name='repoze.bfg.debug') + return logger + + def _registerSettings(self, **kw): + import zope.component + gsm = zope.component.getGlobalSiteManager() + from repoze.bfg.interfaces import ISettings + class Settings: + def __init__(self, **kw): + self.__dict__.update(kw) + + defaultkw = {'debug_authorization':False, 'debug_notfound':False} + defaultkw.update(kw) + settings = Settings(**defaultkw) + gsm.registerUtility(settings, ISettings) + def _registerTraverserFactory(self, app, name, *for_): import zope.component gsm = zope.component.getGlobalSiteManager() @@ -56,12 +83,51 @@ class RouterTests(unittest.TestCase, PlacelessSetup): environ.update(extras) return environ - def test_call_no_view_registered(self): + def test_call_no_view_registered_no_isettings(self): + rootpolicy = make_rootpolicy(None) + environ = self._makeEnviron() + context = DummyContext() + traversalfactory = make_traversal_factory(context, '', []) + self._registerTraverserFactory(traversalfactory, '', None) + logger = self._registerLogger() + router = self._makeOne(rootpolicy, None) + start_response = DummyStartResponse() + result = router(environ, start_response) + headers = start_response.headers + self.assertEqual(len(headers), 2) + status = start_response.status + self.assertEqual(status, '404 Not Found') + self.failUnless('http://localhost:8080' in result[0], result) + self.failIf('debug_notfound' in result[0]) + self.assertEqual(len(logger.messages), 0) + + def test_call_no_view_registered_debug_notfound_false(self): + rootpolicy = make_rootpolicy(None) + environ = self._makeEnviron() + context = DummyContext() + traversalfactory = make_traversal_factory(context, '', []) + self._registerTraverserFactory(traversalfactory, '', None) + logger = self._registerLogger() + self._registerSettings(debug_notfound=False) + router = self._makeOne(rootpolicy, None) + start_response = DummyStartResponse() + result = router(environ, start_response) + headers = start_response.headers + self.assertEqual(len(headers), 2) + status = start_response.status + self.assertEqual(status, '404 Not Found') + self.failUnless('http://localhost:8080' in result[0], result) + self.failIf('debug_notfound' in result[0]) + self.assertEqual(len(logger.messages), 0) + + def test_call_no_view_registered_debug_notfound_true(self): rootpolicy = make_rootpolicy(None) environ = self._makeEnviron() context = DummyContext() traversalfactory = make_traversal_factory(context, '', []) self._registerTraverserFactory(traversalfactory, '', None) + self._registerSettings(debug_notfound=True) + logger = self._registerLogger() router = self._makeOne(rootpolicy, None) start_response = DummyStartResponse() result = router(environ, start_response) @@ -69,7 +135,19 @@ class RouterTests(unittest.TestCase, PlacelessSetup): self.assertEqual(len(headers), 2) status = start_response.status self.assertEqual(status, '404 Not Found') + self.failUnless( + "debug_notfound of url http://localhost:8080; path_info: '', " + "context:" in result[0]) + self.failUnless( + "view_name: '', subpath: []" in result[0]) self.failUnless('http://localhost:8080' in result[0], result) + self.assertEqual(len(logger.messages), 1) + message = logger.messages[0] + self.failUnless('of url http://localhost:8080' in message) + self.failUnless("path_info: ''" in message) + self.failUnless('DummyContext instance at' in message) + self.failUnless("view_name: ''" in message) + self.failUnless("subpath: []" in message) def test_call_view_registered_nonspecific_default_path(self): rootpolicy = make_rootpolicy(None) @@ -207,7 +285,68 @@ class RouterTests(unittest.TestCase, PlacelessSetup): self.assertEqual(start_response.status, '200 OK') self.assertEqual(permissionfactory.checked_with, secpol) - def test_call_view_registered_security_policy_permission_fails(self): + def test_call_view_permission_fails_nosettings(self): + rootpolicy = make_rootpolicy(None) + from zope.interface import Interface + from zope.interface import directlyProvides + class IContext(Interface): + pass + from repoze.bfg.interfaces import IRequest + context = DummyContext() + directlyProvides(context, IContext) + traversalfactory = make_traversal_factory(context, '', ['']) + response = DummyResponse() + view = make_view(response) + secpol = DummySecurityPolicy() + from repoze.bfg.security import ACLDenied + permissionfactory = make_permission_factory( + ACLDenied('ace', 'acl', 'permission', ['principals'], context) + ) + environ = self._makeEnviron() + self._registerTraverserFactory(traversalfactory, '', None) + self._registerView(view, '', IContext, IRequest) + self._registerSecurityPolicy(secpol) + self._registerPermission(permissionfactory, '', IContext, IRequest) + router = self._makeOne(rootpolicy, None) + start_response = DummyStartResponse() + result = router(environ, start_response) + self.assertEqual(start_response.status, '401 Unauthorized') + message = result[0] + self.failUnless('failed security policy check' in message) + self.assertEqual(permissionfactory.checked_with, secpol) + + def test_call_view_permission_fails_no_debug_auth(self): + rootpolicy = make_rootpolicy(None) + from zope.interface import Interface + from zope.interface import directlyProvides + class IContext(Interface): + pass + from repoze.bfg.interfaces import IRequest + context = DummyContext() + directlyProvides(context, IContext) + traversalfactory = make_traversal_factory(context, '', ['']) + response = DummyResponse() + view = make_view(response) + secpol = DummySecurityPolicy() + from repoze.bfg.security import ACLDenied + permissionfactory = make_permission_factory( + ACLDenied('ace', 'acl', 'permission', ['principals'], context) + ) + environ = self._makeEnviron() + self._registerTraverserFactory(traversalfactory, '', None) + self._registerView(view, '', IContext, IRequest) + self._registerSecurityPolicy(secpol) + self._registerPermission(permissionfactory, '', IContext, IRequest) + self._registerSettings(debug_authorization=False) + router = self._makeOne(rootpolicy, None) + start_response = DummyStartResponse() + result = router(environ, start_response) + self.assertEqual(start_response.status, '401 Unauthorized') + message = result[0] + self.failUnless('failed security policy check' in message) + self.assertEqual(permissionfactory.checked_with, secpol) + + def test_call_view_permission_fails_with_debug_auth(self): rootpolicy = make_rootpolicy(None) from zope.interface import Interface from zope.interface import directlyProvides @@ -220,21 +359,37 @@ class RouterTests(unittest.TestCase, PlacelessSetup): response = DummyResponse() view = make_view(response) secpol = DummySecurityPolicy() - from repoze.bfg.security import Denied + from repoze.bfg.security import ACLDenied permissionfactory = make_permission_factory( - Denied('ace', 'acl', 'permission', ['principals'], context) + ACLDenied('ace', 'acl', 'permission', ['principals'], context) ) environ = self._makeEnviron() self._registerTraverserFactory(traversalfactory, '', None) self._registerView(view, '', IContext, IRequest) self._registerSecurityPolicy(secpol) self._registerPermission(permissionfactory, '', IContext, IRequest) + self._registerSettings(debug_authorization=True) + logger = self._registerLogger() router = self._makeOne(rootpolicy, None) start_response = DummyStartResponse() result = router(environ, start_response) self.assertEqual(start_response.status, '401 Unauthorized') - self.failUnless('permission' in result[0]) + message = result[0] + self.failUnless( + "ACLDenied permission 'permission' via ACE 'ace' in ACL 'acl' " + "on context" in message) + self.failUnless("for principals ['principals']" in message) self.assertEqual(permissionfactory.checked_with, secpol) + self.assertEqual(len(logger.messages), 1) + logged = logger.messages[0] + self.failUnless( + "debug_authorization of url http://localhost:8080 (view name " + "'' against context" in logged) + self.failUnless( + "ACLDenied permission 'permission' via ACE 'ace' in ACL 'acl' on " + "context" in logged) + self.failUnless( + "for principals ['principals']" in logged) def test_call_eventsends(self): rootpolicy = make_rootpolicy(None) diff --git a/repoze/bfg/tests/test_security.py b/repoze/bfg/tests/test_security.py index a9a30ee6f..43dc38890 100644 --- a/repoze/bfg/tests/test_security.py +++ b/repoze/bfg/tests/test_security.py @@ -11,72 +11,85 @@ class TestACLAuthorizer(unittest.TestCase): klass = self._getTargetClass() return klass(*arg, **kw) + def test_deny_implicit(self): + context = DummyContext() + from repoze.bfg.security import Allow + ace = (Allow, 'somebodyelse', 'read') + acl = [ace] + context.__acl__ = acl + authorizer = self._makeOne(context) + principals = ['fred'] + result = authorizer.permits('read', *principals) + + def test_deny_explicit(self): + context = DummyContext() + from repoze.bfg.security import Deny + ace = (Deny, 'somebodyelse', 'read') + acl = [ace] + context.__acl__ = acl + authorizer = self._makeOne(context) + principals = ['somebodyelse'] + result = authorizer.permits('read', *principals) + def test_permits_no_acl_raises(self): context = DummyContext() - logger = DummyLogger() - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) from repoze.bfg.interfaces import NoAuthorizationInformation self.assertRaises(NoAuthorizationInformation, authorizer.permits, (), None) def test_permits_deny_implicit_empty_acl(self): context = DummyContext() - logger = DummyLogger() context.__acl__ = [] - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) result = authorizer.permits((), None) self.assertEqual(result, False) self.assertEqual(result.ace, None) def test_permits_deny_no_principals_implicit(self): context = DummyContext() - logger = DummyLogger() from repoze.bfg.security import Allow from repoze.bfg.security import Everyone acl = [(Allow, Everyone, 'view')] context.__acl__ = acl - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) result = authorizer.permits(None) self.assertEqual(result, False) self.assertEqual(result.ace, None) def test_permits_deny_oneacl_implicit(self): context = DummyContext() - logger = DummyLogger() from repoze.bfg.security import Allow acl = [(Allow, 'somebody', 'view')] context.__acl__ = acl - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) result = authorizer.permits('view', 'somebodyelse') self.assertEqual(result, False) self.assertEqual(result.ace, None) def test_permits_deny_twoacl_implicit(self): context = DummyContext() - logger = DummyLogger() from repoze.bfg.security import Allow acl = [(Allow, 'somebody', 'view'), (Allow, 'somebody', 'write')] context.__acl__ = acl - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) result = authorizer.permits('view', 'somebodyelse') self.assertEqual(result, False) self.assertEqual(result.ace, None) def test_permits_deny_oneacl_explcit(self): context = DummyContext() - logger = DummyLogger() from repoze.bfg.security import Deny ace = (Deny, 'somebody', 'view') acl = [ace] context.__acl__ = acl - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) result = authorizer.permits('view', 'somebody') self.assertEqual(result, False) self.assertEqual(result.ace, ace) def test_permits_deny_oneacl_multiperm_explcit(self): context = DummyContext() - logger = DummyLogger() acl = [] from repoze.bfg.security import Deny from repoze.bfg.security import Allow @@ -84,14 +97,13 @@ class TestACLAuthorizer(unittest.TestCase): allow = (Allow, 'somebody', 'view') acl = [deny, allow] context.__acl__ = acl - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) result = authorizer.permits('view', 'somebody') self.assertEqual(result, False) self.assertEqual(result.ace, deny) def test_permits_deny_twoacl_explicit(self): context = DummyContext() - logger = DummyLogger() acl = [] from repoze.bfg.security import Deny from repoze.bfg.security import Allow @@ -99,34 +111,32 @@ class TestACLAuthorizer(unittest.TestCase): deny = (Deny, 'somebody', 'view') acl = [allow, deny] context.__acl__ = acl - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) result = authorizer.permits('view', 'somebody') self.assertEqual(result, False) self.assertEqual(result.ace, deny) def test_permits_allow_twoacl_explicit(self): context = DummyContext() - logger = DummyLogger() from repoze.bfg.security import Deny from repoze.bfg.security import Allow allow = (Allow, 'somebody', 'read') deny = (Deny, 'somebody', 'view') acl = [allow, deny] context.__acl__ = acl - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) result = authorizer.permits('read', 'somebody') self.assertEqual(result, True) self.assertEqual(result.ace, allow) def test_permits_nested_principals_list_allow(self): context = DummyContext() - logger = DummyLogger() acl = [] from repoze.bfg.security import Allow ace = (Allow, 'larry', 'read') acl = [ace] context.__acl__ = acl - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) principals = (['fred', ['jim', ['bob', 'larry']]]) result = authorizer.permits('read', *principals) self.assertEqual(result, True) @@ -134,12 +144,11 @@ class TestACLAuthorizer(unittest.TestCase): def test_permits_nested_principals_list_deny_explicit(self): context = DummyContext() - logger = DummyLogger() from repoze.bfg.security import Deny ace = (Deny, 'larry', 'read') acl = [ace] context.__acl__ = acl - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) principals = (['fred', ['jim', ['bob', 'larry']]]) result = authorizer.permits('read', *principals) self.assertEqual(result, False) @@ -147,12 +156,11 @@ class TestACLAuthorizer(unittest.TestCase): def test_permits_nested_principals_list_deny_implicit(self): context = DummyContext() - logger = DummyLogger() from repoze.bfg.security import Allow ace = (Allow, 'somebodyelse', 'read') acl = [ace] context.__acl__ = acl - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) principals = (['fred', ['jim', ['bob', 'larry']]]) result = authorizer.permits('read', *principals) self.assertEqual(result, False) @@ -161,7 +169,6 @@ class TestACLAuthorizer(unittest.TestCase): context = DummyContext() context.__parent__ = None context.__name__ = None - logger = DummyLogger() from repoze.bfg.security import Allow ace = (Allow, 'fred', 'read') acl = [ace] @@ -169,46 +176,11 @@ class TestACLAuthorizer(unittest.TestCase): context2 = DummyContext() context2.__parent__ = context context2.__name__ = 'myname' - authorizer = self._makeOne(context, logger) + authorizer = self._makeOne(context) principals = ['fred'] result = authorizer.permits('read', *principals) self.assertEqual(result, True) - def test_logging_deny_implicit(self): - context = DummyContext() - logger = DummyLogger() - from repoze.bfg.security import Allow - ace = (Allow, 'somebodyelse', 'read') - acl = [ace] - context.__acl__ = acl - authorizer = self._makeOne(context, logger) - principals = ['fred'] - result = authorizer.permits('read', *principals) - self.assertEqual(len(logger.messages), 1) - - def test_logging_deny_explicit(self): - context = DummyContext() - logger = DummyLogger() - from repoze.bfg.security import Deny - ace = (Deny, 'somebodyelse', 'read') - acl = [ace] - context.__acl__ = acl - authorizer = self._makeOne(context, logger) - principals = ['somebodyelse'] - result = authorizer.permits('read', *principals) - self.assertEqual(len(logger.messages), 1) - - def test_logging_allow(self): - context = DummyContext() - logger = DummyLogger() - from repoze.bfg.security import Allow - ace = (Allow, 'somebodyelse', 'read') - acl = [ace] - context.__acl__ = acl - authorizer = self._makeOne(context, logger) - principals = ['somebodyelse'] - result = authorizer.permits('read', *principals) - self.assertEqual(len(logger.messages), 1) class TestACLSecurityPolicy(unittest.TestCase, PlacelessSetup): def _getTargetClass(self): @@ -219,12 +191,6 @@ class TestACLSecurityPolicy(unittest.TestCase, PlacelessSetup): klass = self._getTargetClass() return klass(*arg, **kw) - def _registerLogger(self, logger): - import zope.component - gsm = zope.component.getGlobalSiteManager() - from repoze.bfg.interfaces import ILogger - gsm.registerUtility(logger, ILogger, name='repoze.bfg.debug') - def setUp(self): PlacelessSetup.setUp(self) @@ -305,26 +271,6 @@ class TestACLSecurityPolicy(unittest.TestCase, PlacelessSetup): self.assertEqual(authorizer_factory.permission, 'view') self.assertEqual(authorizer_factory.context, context) - def test_permits_with_logger(self): - logger = DummyLogger() - self._registerLogger(logger) - context = DummyContext() - request = DummyRequest({}) - policy = self._makeOne(lambda *arg: None) - authorizer_factory = make_authorizer_factory(context) - policy.authorizer_factory = authorizer_factory - policy.permits(context, request, 'view') - self.assertEqual(authorizer_factory.logger, logger) - - def test_permits_no_logger(self): - context = DummyContext() - request = DummyRequest({}) - policy = self._makeOne(lambda *arg: None) - authorizer_factory = make_authorizer_factory(context) - policy.authorizer_factory = authorizer_factory - policy.permits(context, request, 'view') - self.assertEqual(authorizer_factory.logger, None) - def test_principals_allowed_by_permission_direct(self): from repoze.bfg.security import Allow context = DummyContext() @@ -526,6 +472,82 @@ class TestViewPermissionFactory(unittest.TestCase): self.assertEqual(result.permission_name, 'repoze.view') self.assertEqual(result.context, context) self.assertEqual(result.request, request) + +class TestAllowed(unittest.TestCase): + def _getTargetClass(self): + from repoze.bfg.security import Allowed + return Allowed + + def _makeOne(self, *arg, **kw): + klass = self._getTargetClass() + return klass(*arg, **kw) + + def test_it(self): + allowed = self._makeOne('hello') + self.assertEqual(allowed.msg, 'hello') + self.assertEqual(allowed, True) + self.failUnless(allowed) + self.assertEqual(str(allowed), 'hello') + self.failUnless('<Allowed instance at ' in repr(allowed)) + self.failUnless("with msg 'hello'>" in repr(allowed)) + +class TestDenied(unittest.TestCase): + def _getTargetClass(self): + from repoze.bfg.security import Denied + return Denied + + def _makeOne(self, *arg, **kw): + klass = self._getTargetClass() + return klass(*arg, **kw) + + def test_it(self): + denied = self._makeOne('hello') + self.assertEqual(denied.msg, 'hello') + self.assertEqual(denied, False) + self.failIf(denied) + self.assertEqual(str(denied), 'hello') + self.failUnless('<Denied instance at ' in repr(denied)) + self.failUnless("with msg 'hello'>" in repr(denied)) + +class TestACLAllowed(unittest.TestCase): + def _getTargetClass(self): + from repoze.bfg.security import ACLAllowed + return ACLAllowed + + def _makeOne(self, *arg, **kw): + klass = self._getTargetClass() + return klass(*arg, **kw) + + def test_it(self): + msg = ("ACLAllowed permission 'permission' via ACE 'ace' in ACL 'acl' " + "on context 'ctx' for principals 'principals'") + allowed = self._makeOne('ace', 'acl', 'permission', 'principals', 'ctx') + self.failUnless(msg in allowed.msg) + self.assertEqual(allowed, True) + self.failUnless(allowed) + self.assertEqual(str(allowed), msg) + self.failUnless('<ACLAllowed instance at ' in repr(allowed)) + self.failUnless("with msg %r>" % msg in repr(allowed)) + +class TestACLDenied(unittest.TestCase): + def _getTargetClass(self): + from repoze.bfg.security import ACLDenied + return ACLDenied + + def _makeOne(self, *arg, **kw): + klass = self._getTargetClass() + return klass(*arg, **kw) + + def test_it(self): + msg = ("ACLDenied permission 'permission' via ACE 'ace' in ACL 'acl' " + "on context 'ctx' for principals 'principals'") + denied = self._makeOne('ace', 'acl', 'permission', 'principals', 'ctx') + self.failUnless(msg in denied.msg) + self.assertEqual(denied, False) + self.failIf(denied) + self.assertEqual(str(denied), msg) + self.failUnless('<ACLDenied instance at ' in repr(denied)) + self.failUnless("with msg %r>" % msg in repr(denied)) class DummyContext: pass @@ -551,25 +573,18 @@ class DummySecurityPolicy: def principals_allowed_by_permission(self, context, permission): return ['fred', 'bob'] -class DummyLogger: - def __init__(self): - self.messages = [] - def debug(self, msg): - self.messages.append(msg) - class make_authorizer_factory: def __init__(self, expected_context, intermediates_raise=False): self.expected_context = expected_context self.intermediates_raise = intermediates_raise - def __call__(self, context, logger): + def __call__(self, context): authorizer = self class Authorizer: def permits(self, permission, *principals): authorizer.permission = permission authorizer.principals = principals authorizer.context = context - authorizer.logger = logger result = authorizer.expected_context == context if not result and authorizer.intermediates_raise: from repoze.bfg.interfaces import NoAuthorizationInformation diff --git a/repoze/bfg/tests/test_view.py b/repoze/bfg/tests/test_view.py index 3636692a8..46687e904 100644 --- a/repoze/bfg/tests/test_view.py +++ b/repoze/bfg/tests/test_view.py @@ -372,9 +372,73 @@ class TestIsResponse(unittest.TestCase): f = self._getFUT() self.assertEqual(f(response), False) +class TestViewExecutionPermitted(unittest.TestCase, PlacelessSetup): + def setUp(self): + PlacelessSetup.setUp(self) + + def tearDown(self): + PlacelessSetup.tearDown(self) + + def _callFUT(self, *arg, **kw): + from repoze.bfg.view import view_execution_permitted + return view_execution_permitted(*arg, **kw) + + def _registerSecurityPolicy(self, secpol): + import zope.component + gsm = zope.component.getGlobalSiteManager() + from repoze.bfg.interfaces import ISecurityPolicy + gsm.registerUtility(secpol, ISecurityPolicy) + + def _registerPermission(self, permission, name, *for_): + import zope.component + gsm = zope.component.getGlobalSiteManager() + from repoze.bfg.interfaces import IViewPermission + gsm.registerAdapter(permission, for_, IViewPermission, name) + + def test_no_secpol(self): + context = DummyContext() + request = DummyRequest() + result = self._callFUT(context, request, '') + msg = result.msg + self.failUnless("Allowed: view name '' in context" in msg) + self.failUnless('(no security policy in use)' in msg) + self.assertEqual(result, True) + + def test_secpol_no_permission(self): + secpol = DummySecurityPolicy() + self._registerSecurityPolicy(secpol) + context = DummyContext() + request = DummyRequest() + result = self._callFUT(context, request, '') + msg = result.msg + self.failUnless("Allowed: view name '' in context" in msg) + self.failUnless("(no permission registered for name '')" in msg) + self.assertEqual(result, True) + + def test_secpol_and_permission(self): + from zope.interface import Interface + from zope.interface import directlyProvides + from repoze.bfg.interfaces import IRequest + class IContext(Interface): + pass + context = DummyContext() + directlyProvides(context, IContext) + permissionfactory = make_permission_factory(True) + self._registerPermission(permissionfactory, '', IContext, + IRequest) + secpol = DummySecurityPolicy() + self._registerSecurityPolicy(secpol) + request = DummyRequest() + directlyProvides(request, IRequest) + result = self._callFUT(context, request, '') + self.failUnless(result is True) + class DummyContext: pass +class DummyRequest: + pass + def make_view(response): def view(context, request): return response |