From 4d459b8b157c6399f3b9044b590d32d2722265dc Mon Sep 17 00:00:00 2001
From: Ryan Koo
Date: Fri, 30 Aug 2024 16:01:12 -0400
Subject: [PATCH] python/authn: Remove non-accepted derived roles
- Remove unsupported (only internally used) derived roles in `AccessAttr` class.
Signed-off-by: Ryan Koo
---
 python/aistore/sdk/authn/access_attr.py | 10 +--
 .../unit/sdk/authn/test_authn_access_attr.py | 66 +++++++++++--------
 2 files changed, 45 insertions(+), 31 deletions(-)
diff --git a/python/aistore/sdk/authn/access_attr.py b/python/aistore/sdk/authn/access_attr.py
index 2b8b03b6e5..3540c4c88e 100644
--- a/python/aistore/sdk/authn/access_attr.py
+++ b/python/aistore/sdk/authn/access_attr.py
@@ -29,19 +29,21 @@ class AccessAttr(IntFlag):
 MOVE_BUCKET = 1 << 16
 ADMIN = 1 << 17
+ # Derived Roles
 ACCESS_RO = GET | OBJ_HEAD | LIST_BUCKETS | BCK_HEAD | OBJ_LIST
 ACCESS_RW = ACCESS_RO | PUT | APPEND | OBJ_DELETE | OBJ_MOVE
- ACCESS_CLUSTER = LIST_BUCKETS | CREATE_BUCKET | DESTROY_BUCKET | MOVE_BUCKET | ADMIN
- ACCESS_ALL = (
+ ACCESS_SU = (
 ACCESS_RW
- | ACCESS_CLUSTER
 | PROMOTE
 | OBJ_UPDATE
 | PATCH
 | BCK_SET_ACL
 | SHOW_CLUSTER
+ | CREATE_BUCKET
+ | DESTROY_BUCKET
+ | MOVE_BUCKET
+ | ADMIN
 )
- ACCESS_NONE = 0
 @staticmethod
 def describe(perms: int) -> str:
diff --git a/python/tests/unit/sdk/authn/test_authn_access_attr.py b/python/tests/unit/sdk/authn/test_authn_access_attr.py
index d967702308..91558c3ef4 100644
--- a/python/tests/unit/sdk/authn/test_authn_access_attr.py
+++ b/python/tests/unit/sdk/authn/test_authn_access_attr.py
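Review bot: In `python/aistore/sdk/authn/access_attr.py` the new `# Derived Roles` comment is the only documentation for the composites, and it does not say that `ACCESS_SU` is the full-privilege mask (every bit through `ADMIN`, including `BCK_SET_ACL` and `DESTROY_BUCKET`). I would write it as `# Derived roles. ACCESS_SU sets every permission bit, ADMIN included; prefer ACCESS_RO/ACCESS_RW unless full control is intended.` so nobody building a role picks it up as a convenient default. The mask itself looks unchanged from the old `ACCESS_ALL`, since `LIST_BUCKETS` still arrives through `ACCESS_RO`. Dropping `ACCESS_ALL`, `ACCESS_CLUSTER` and `ACCESS_NONE` from a public `IntFlag` makes any caller that still references them fail with `AttributeError`, so a changelog line naming `AccessAttr(0)` as the replacement for `ACCESS_NONE` would help. The class body starts before and continues after this hunk.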
@@ -11,13 +11,6 @@ class TestAuthNAccessAttr(unittest.TestCase):
 Unit tests for AccessAttr, verifying bitwise flag combinations, inclusion, and descriptions.
 """
- def test_access_none(self):
- self.assertFalse(AccessAttr.ACCESS_NONE & AccessAttr.GET)
- self.assertFalse(AccessAttr.ACCESS_NONE & AccessAttr.PUT)
- self.assertFalse(AccessAttr.ACCESS_NONE & AccessAttr.ACCESS_RO)
- self.assertFalse(AccessAttr.ACCESS_NONE & AccessAttr.ACCESS_RW)
- self.assertEqual(AccessAttr.ACCESS_NONE, AccessAttr(0))
-
 def test_simple_combination_of_access_attrs(self):
 combined = AccessAttr.GET | AccessAttr.PUT | AccessAttr.OBJ_DELETE
 self.assertTrue(combined & AccessAttr.GET)
@@ -25,11 +18,6 @@ def test_simple_combination_of_access_attrs(self):
 self.assertTrue(combined & AccessAttr.OBJ_DELETE)
 self.assertFalse(combined & AccessAttr.ADMIN)
- def test_access_all(self):
- self.assertTrue(AccessAttr.ACCESS_ALL & AccessAttr.GET)
- self.assertTrue(AccessAttr.ACCESS_ALL & AccessAttr.ADMIN)
- self.assertEqual(AccessAttr.ACCESS_ALL & AccessAttr.ACCESS_NONE, 0)
-
 def test_describe_combined_access(self):
 combined = AccessAttr.GET | AccessAttr.PUT | AccessAttr.OBJ_DELETE
 description = AccessAttr.describe(combined)
@@ -61,6 +49,26 @@ def test_describe_derived_access(self):
 self.assertNotIn("ADMIN", description)
 self.assertNotIn("PROMOTE", description)
+ description = AccessAttr.describe(AccessAttr.ACCESS_SU)
+ self.assertIn("GET", description)
+ self.assertIn("OBJ_HEAD", description)
+ self.assertIn("LIST_BUCKETS", description)
+ self.assertIn("BCK_HEAD", description)
+ self.assertIn("OBJ_LIST", description)
+ self.assertIn("PUT", description)
+ self.assertIn("APPEND", description)
+ self.assertIn("OBJ_DELETE", description)
+ self.assertIn("OBJ_MOVE", description)
+ self.assertIn("PROMOTE", description)
+ self.assertIn("OBJ_UPDATE", description)
+ self.assertIn("PATCH", description)
+ self.assertIn("BCK_SET_ACL", description)
+ self.assertIn("SHOW_CLUSTER", description)
+ self.assertIn("CREATE_BUCKET", description)
+ self.assertIn("DESTROY_BUCKET", description)
+ self.assertIn("MOVE_BUCKET", description)
+ self.assertIn("ADMIN", description)
+
 def test_access_ro(self):
 self.assertTrue(AccessAttr.ACCESS_RO & AccessAttr.GET)
 self.assertTrue(AccessAttr.ACCESS_RO & AccessAttr.OBJ_HEAD)
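Review bot: The eighteen added `assertIn("NAME", description)` calls are substring checks, because `describe` is annotated to return `str`. They pass as long as each name appears somewhere in the text, and would not notice an extra, duplicated or misreported permission in the description of `ACCESS_SU`. For the full-privilege role an exact comparison is the stronger check: split the description into names and compare with the expected set, e.g. `self.assertEqual(set(description.split(SEP)), expected)`, where `SEP` is a placeholder for whatever delimiter `describe` emits (not visible in this diff). The block is also appended to `test_describe_derived_access`, which begins outside the hunk, so a failure in its earlier assertions hides the `ACCESS_SU` result; a separate `test_describe_access_su` would keep the two apart.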
@@ -73,18 +81,22 @@ def test_access_rw(self):
 self.assertTrue(AccessAttr.ACCESS_RW & AccessAttr.OBJ_DELETE)
 self.assertFalse(AccessAttr.ACCESS_RW & AccessAttr.ADMIN)
- def test_access_cluster(self):
- self.assertTrue(AccessAttr.ACCESS_CLUSTER & AccessAttr.LIST_BUCKETS)
- self.assertTrue(AccessAttr.ACCESS_CLUSTER & AccessAttr.CREATE_BUCKET)
- self.assertTrue(AccessAttr.ACCESS_CLUSTER & AccessAttr.ADMIN)
- self.assertFalse(AccessAttr.ACCESS_CLUSTER & AccessAttr.GET)
-
- def test_access_all_includes_all_derived_roles(self):
- self.assertTrue(AccessAttr.ACCESS_ALL & AccessAttr.ACCESS_RW)
- self.assertTrue(AccessAttr.ACCESS_ALL & AccessAttr.ACCESS_CLUSTER)
- self.assertTrue(AccessAttr.ACCESS_ALL & AccessAttr.PROMOTE)
- self.assertFalse(AccessAttr.ACCESS_ALL & AccessAttr.ACCESS_NONE)
-
-
- if __name__ == "__main__":
- unittest.main()
+ def test_access_su(self):
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.GET)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.OBJ_HEAD)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.LIST_BUCKETS)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.BCK_HEAD)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.OBJ_LIST)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.PUT)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.APPEND)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.OBJ_DELETE)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.OBJ_MOVE)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.PROMOTE)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.OBJ_UPDATE)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.PATCH)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.BCK_SET_ACL)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.SHOW_CLUSTER)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.CREATE_BUCKET)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.DESTROY_BUCKET)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.MOVE_BUCKET)
+ self.assertTrue(AccessAttr.ACCESS_SU & AccessAttr.ADMIN)
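Review bot: `test_access_su` lists each bit by hand, so it confirms the eighteen flags known today but keeps passing if a new permission is later added to `AccessAttr` and left out of `ACCESS_SU`. Looping over the enum closes that gap and is shorter: `for flag in AccessAttr:` followed by `self.assertEqual(flag & AccessAttr.ACCESS_SU, flag)`. That assertion also holds for the composite members `ACCESS_RO` and `ACCESS_RW`, so it does not depend on whether iteration yields composites. The hunk also drops the `if __name__ == "__main__": unittest.main()` guard, so the file can no longer be run directly; worth confirming the suite is always started through a test runner.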