[pve-devel] [PATCH v2 access-control 19/23] API token: add tests

Thu Nov 21 15:43:37 CET 2019

Signed-off-by: Fabian Grünbichler <f.gruenbichler at proxmox.com>
---

Notes:
    new in v2

 test/Makefile      |  1 +
 test/perm-test8.pl | 68 ++++++++++++++++++++++++++++++++++++++++++++++
 test/test8.cfg     | 28 +++++++++++++++++++
 3 files changed, 97 insertions(+)
 create mode 100644 test/perm-test8.pl
 create mode 100644 test/test8.cfg

diff --git a/test/Makefile b/test/Makefile
index 5c9c94e..11e78b1 100644
--- a/test/Makefile
+++ b/test/Makefile
@@ -10,4 +10,5 @@ check:
 	perl -I.. perm-test5.pl
 	perl -I.. perm-test6.pl
 	perl -I.. perm-test7.pl
+	perl -I.. perm-test8.pl
 
diff --git a/test/perm-test8.pl b/test/perm-test8.pl
new file mode 100644
index 0000000..67e0cb1
--- /dev/null
+++ b/test/perm-test8.pl
@@ -0,0 +1,68 @@
+#!/usr/bin/perl -w
+
+use strict;
+use PVE::Tools;
+use PVE::AccessControl;
+use PVE::RPCEnvironment;
+
+my $rpcenv = PVE::RPCEnvironment->init('cli');
+
+my $cfgfn = "test8.cfg";
+$rpcenv->init_request(userconfig => $cfgfn);
+
+sub check_roles {
+    my ($user, $path, $expected_result) = @_;
+
+    my $roles = PVE::AccessControl::roles($rpcenv->{user_cfg}, $user, $path);
+    my $res = join(',', sort keys %$roles);
+
+    die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
+	if $res ne $expected_result;
+
+    print "ROLES:$path:$user:$res\n";
+}
+
+sub check_permission {
+    my ($user, $path, $expected_result) = @_;
+
+    my $perm = $rpcenv->permissions($user, $path);
+    my $res = join(',', sort keys %$perm);
+
+    die "unexpected result\nneed '${expected_result}'\ngot '$res'\n"
+	if $res ne $expected_result;
+
+    $perm = $rpcenv->permissions($user, $path);
+    $res = join(',', sort keys %$perm);
+    die "unexpected result (compiled)\nneed '${expected_result}'\ngot '$res'\n"
+	if $res ne $expected_result;
+
+    print "PERM:$path:$user:$res\n";
+}
+
+check_roles('max at pve', '/', '');
+check_roles('max at pve', '/vms', 'vm_admin');
+
+#user permissions overrides group permissions
+check_roles('max at pve', '/vms/100', 'customer');
+check_roles('max at pve', '/vms/101', 'vm_admin');
+
+check_permission('max at pve', '/', '');
+check_permission('max at pve', '/vms', 'Permissions.Modify,VM.Allocate,VM.Audit,VM.Console');
+check_permission('max at pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
+
+check_permission('alex at pve', '/vms', '');
+check_permission('alex at pve', '/vms/100', 'VM.Audit,VM.PowerMgmt');
+
+check_roles('max at pve', '/vms/200', 'storage_manager');
+check_roles('joe at pve', '/vms/200', 'vm_admin');
+check_roles('sue at pve', '/vms/200', 'NoAccess');
+
+check_roles('carol at pam', '/vms/200', 'NoAccess');
+check_roles('carol at pam!token', '/vms/200', 'NoAccess');
+check_roles('max at pve!token', '/vms/200', 'storage_manager');
+check_roles('max at pve!token2', '/vms/200', 'customer');
+
+print "all tests passed\n";
+
+exit (0);
+
diff --git a/test/test8.cfg b/test/test8.cfg
new file mode 100644
index 0000000..6b0eac6
--- /dev/null
+++ b/test/test8.cfg
@@ -0,0 +1,28 @@
+user:joe at pve:1:
+user:max at pve:1:
+token:max at pve!token::0:
+token:max at pve!token2::1:
+user:alex at pve:1:
+user:sue at pve:1:
+user:carol at pam:1:
+token:carol at pam!token:
+
+group:testgroup1:joe at pve,max at pve,sue at pve:
+group:testgroup2:alex at pve,carol at pam,sue at pve:
+group:testgroup3:max at pve:
+
+role:storage_manager:Datastore.AllocateSpace,Datastore.Audit:
+role:customer:VM.Audit,VM.PowerMgmt:
+role:vm_admin:VM.Audit,VM.Allocate,Permissions.Modify,VM.Console:
+
+acl:1:/vms:@testgroup1:vm_admin:
+acl:1:/vms/100/:alex at pve,max at pve:customer:
+acl:1:/storage/nfs1:@testgroup2:storage_manager:
+acl:1:/users:max at pve:Administrator:
+
+acl:1:/vms/200:@testgroup3:storage_manager:
+acl:1:/vms/200:@testgroup2:NoAccess:
+
+acl:1:/vms/200:carol at pam!token:vm_admin
+acl:1:/vms/200:max at pve!token:storage_manager
+acl:1:/vms/200:max at pve!token2:customer
-- 
2.20.1



