added unit-tests for defaultDeny and pattern-matching

master/buildbot/test/unit/test_www_authz.py

@@ -104,6 +104,13 @@ def setUp(self):
                          buildrequestid=82, number=5),
         ])
 
+    def setAllowRules(self, allow_rules):
+        # we should add links to autz and master instances in each new rule
+        for r in allow_rules:
+            r.setAuthz(self.authz)
+
+        self.authz.allowRules = allow_rules
+
     def assertUserAllowed(self, ep, action, options, user):
         return self.authz.assertUserAllowed(tuple(ep.split("/")), action, options, self.users[user])
 
@@ -140,3 +147,72 @@ def test_rebuildBuild(self):
         # not owner cannot rebuild
         yield self.assertUserForbidden("builds/13", "rebuild", {}, "eightuser")
         yield self.assertUserForbidden("buildrequests/82", "rebuild", {}, "eightuser")
+
+    @defer.inlineCallbacks
+    def test_fnmatchPatternRoleCheck(self):
+        # set defaultDeny to True so action is denied if no match
+        allow_rules = [
+                        AnyEndpointMatcher(role="[a,b]dmin?", defaultDeny=True)
+        ]
+
+        self.setAllowRules(allow_rules)
+
+        yield self.assertUserAllowed("builds/13", "rebuild", {}, "homer")
+
+        # check if action is denied
+        with self.assertRaises(authz.Forbidden):
+            yield self.assertUserAllowed("builds/13", "rebuild", {}, "nineuser")
+
+        with self.assertRaises(authz.Forbidden):
+            yield self.assertUserAllowed("builds/13", "rebuild", {}, "eightuser")
+
+    @defer.inlineCallbacks
+    def test_regexPatternRoleCheck(self):
+        # change matcher
+        self.authz.match = authz.reStrMatcher
+        # set defaultDeny to True so action is denied if no match
+        allow_rules = [
+            AnyEndpointMatcher(role="(admin|agent)s", defaultDeny=True),
+        ]
+
+        self.setAllowRules(allow_rules)
+
+        yield self.assertUserAllowed("builds/13", "rebuild", {}, "homer")
+        yield self.assertUserAllowed("builds/13", "rebuild", {}, "bond")
+
+        # check if action is denied
+        with self.assertRaises(authz.Forbidden):
+            yield self.assertUserAllowed("builds/13", "rebuild", {}, "nineuser")
+
+        with self.assertRaises(authz.Forbidden):
+            yield self.assertUserAllowed("builds/13", "rebuild", {}, "eightuser")
+
+    @defer.inlineCallbacks
+    def test_DefaultDenyFalseContinuesCheck(self):
+        # set defaultDeny to True in last rule so action is denied in this test
+        allow_rules = [
+            AnyEndpointMatcher(role="not-exists1", defaultDeny=False),
+            AnyEndpointMatcher(role="not-exists2", defaultDeny=False),
+            AnyEndpointMatcher(role="not-exists3", defaultDeny=True)
+        ]
+
+        self.setAllowRules(allow_rules)
+
+        # check if action is denied and last check was exact against not-exist3
+        with self.assertRaisesRegexp(authz.Forbidden, '.*not-exists3.*'):
+            yield self.assertUserAllowed("builds/13", "rebuild", {}, "nineuser")
+
+    @defer.inlineCallbacks
+    def test_DefaultDenyTrueStopsCheckIfFailed(self):
+        # set defaultDeny to True in last rule so action is denied in this test
+        allow_rules = [
+            AnyEndpointMatcher(role="not-exists1", defaultDeny=True),
+            AnyEndpointMatcher(role="not-exists2", defaultDeny=False),
+            AnyEndpointMatcher(role="not-exists3", defaultDeny=False)
+        ]
+
+        self.setAllowRules(allow_rules)
+
+        # check if action is denied and last check was exact against not-exist3
+        with self.assertRaisesRegexp(authz.Forbidden, '.*not-exists1.*'):
+            yield self.assertUserAllowed("builds/13", "rebuild", {}, "nineuser")