Record type filter for shared zones (#479)
@@ -1874,28 +1874,44 @@ def test_create_in_shared_zone_without_owner_group_id_succeeds(shared_zone_test_
|
||||
delete_result = dummy_client.delete_recordset(create_rs['zoneId'], create_rs['id'], status=202)
|
||||
shared_client.wait_until_recordset_change_status(delete_result, 'Complete')
|
||||
|
||||
def test_create_in_shared_zone_by_unassociated_user_succeeds(shared_zone_test_context):
|
||||
def test_create_in_shared_zone_by_unassociated_user_succeeds_if_record_type_is_approved(shared_zone_test_context):
|
||||
"""
|
||||
Test that creating a record in a shared zone by an unassociated user succeeds
|
||||
Test that creating a record in a shared zone by a user with no write permissions succeeds if the record type is approved
|
||||
"""
|
||||
|
||||
dummy_client = shared_zone_test_context.dummy_vinyldns_client
|
||||
shared_client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
client = shared_zone_test_context.dummy_vinyldns_client
|
||||
zone = shared_zone_test_context.shared_zone
|
||||
group = shared_zone_test_context.dummy_group
|
||||
|
||||
record_json = get_recordset_json(zone, 'test_shared_approved_record_type', 'A', [{'address': '1.1.1.1'}])
|
||||
record_json['ownerGroupId'] = group['id']
|
||||
|
||||
create_rs = None
|
||||
|
||||
record_json = get_recordset_json(zone, 'test_shared_bad_user', 'A', [{'address': '1.1.1.1'}], ownergroup_id=group['id'])
|
||||
|
||||
try:
|
||||
create_response = dummy_client.create_recordset(record_json, status=202)
|
||||
create_rs = shared_client.wait_until_recordset_change_status(create_response, 'Complete')['recordSet']
|
||||
create_response = client.create_recordset(record_json, status=202)
|
||||
create_rs = client.wait_until_recordset_change_status(create_response, 'Complete')['recordSet']
|
||||
assert_that(create_rs['ownerGroupId'], is_(group['id']))
|
||||
|
||||
finally:
|
||||
if create_rs:
|
||||
delete_result = dummy_client.delete_recordset(create_rs['zoneId'], create_rs['id'], status=202)
|
||||
shared_client.wait_until_recordset_change_status(delete_result, 'Complete')
|
||||
delete_result = client.delete_recordset(zone['id'], create_rs['id'], status=202)
|
||||
client.wait_until_recordset_change_status(delete_result, 'Complete')
|
||||
|
||||
|
||||
def test_create_in_shared_zone_by_unassociated_user_fails_if_record_type_is_not_approved(shared_zone_test_context):
|
||||
"""
|
||||
Test that creating a record in a shared zone by a user with no write permissions fails if the record type is not approved
|
||||
"""
|
||||
|
||||
client = shared_zone_test_context.dummy_vinyldns_client
|
||||
zone = shared_zone_test_context.shared_zone
|
||||
group = shared_zone_test_context.dummy_group
|
||||
|
||||
record_json = get_recordset_json(zone, 'test_shared_not_approved_record_type', 'MX', [{'preference': 3, 'exchange': 'mx'}])
|
||||
record_json['ownerGroupId'] = group['id']
|
||||
error = client.create_recordset(record_json, status=403)
|
||||
assert_that(error, is_('User dummy does not have access to create test-shared-not-approved-record-type.shared.'))
|
||||
|
||||
def test_create_with_not_found_owner_group_fails(shared_zone_test_context):
|
||||
"""
|
||||
|
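Review bot: The record name `'test_shared_approved_record_type'` on the create line of the approved-type test is also used by the approved-type delete test and the approved-type update test added in this same commit, all in the same shared zone, so a record left behind by any one of them turns the others into conflict failures instead of authorization checks. The commit itself renames `'test_shared_success'` to `'test_shared_acl'` to avoid exactly this, so the name should be unique here too, e.g. `record_json = get_recordset_json(zone, 'test_shared_create_approved_type', 'A', [{'address': '1.1.1.1'}])`. The negative test's assertion on the literal 403 message follows the file's existing convention and is fine as is.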
@@ -662,53 +662,6 @@ def test_no_delete_access_non_test_zone(shared_zone_test_context):
|
||||
|
||||
client.delete_recordset(zone_id, record_delete['id'], status=403)
|
||||
|
||||
def test_delete_for_user_not_in_record_owner_group_in_shared_zone_fails(shared_zone_test_context):
|
||||
"""
|
||||
Test that a user cannot delete a record in a shared zone if not part of record owner group
|
||||
"""
|
||||
|
||||
dummy_client = shared_zone_test_context.dummy_vinyldns_client
|
||||
shared_client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
shared_zone = shared_zone_test_context.shared_zone
|
||||
result_rs = None
|
||||
|
||||
record_json = get_recordset_json(shared_zone, 'test_shared_del_nonog', 'A', [{'address': '1.1.1.1'}], ownergroup_id = shared_zone_test_context.shared_record_group['id'])
|
||||
|
||||
try:
|
||||
create_rs = shared_client.create_recordset(record_json, status=202)
|
||||
result_rs = shared_client.wait_until_recordset_change_status(create_rs, 'Complete')['recordSet']
|
||||
|
||||
error = dummy_client.delete_recordset(shared_zone['id'], result_rs['id'], status=403)
|
||||
assert_that(error, is_('User dummy does not have access to delete test-shared-del-nonog.shared.'))
|
||||
|
||||
finally:
|
||||
if result_rs:
|
||||
delete_rs = shared_client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)
|
||||
shared_client.wait_until_recordset_change_status(delete_rs, 'Complete')
|
||||
|
||||
def test_delete_for_user_in_record_owner_group_in_non_shared_zone_fails(shared_zone_test_context):
|
||||
"""
|
||||
Test that a user in record owner group cannot delete a record in a non-shared zone
|
||||
"""
|
||||
ok_client = shared_zone_test_context.ok_vinyldns_client
|
||||
shared_client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
ok_zone = shared_zone_test_context.ok_zone
|
||||
result_rs = None
|
||||
|
||||
record_json = get_recordset_json(ok_zone, 'test_non_shared_del_og', 'A', [{'address': '1.1.1.1'}], ownergroup_id = shared_zone_test_context.shared_record_group['id'])
|
||||
|
||||
try:
|
||||
create_rs = ok_client.create_recordset(record_json, status=202)
|
||||
result_rs = ok_client.wait_until_recordset_change_status(create_rs, 'Complete')['recordSet']
|
||||
|
||||
error = shared_client.delete_recordset(ok_zone['id'], result_rs['id'], status=403)
|
||||
assert_that(error, is_('User sharedZoneUser does not have access to delete test-non-shared-del-og.ok.'))
|
||||
|
||||
finally:
|
||||
if result_rs:
|
||||
delete_rs = ok_client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)
|
||||
ok_client.wait_until_recordset_change_status(delete_rs, 'Complete')
|
||||
|
||||
def test_delete_for_user_in_record_owner_group_in_shared_zone_succeeds(shared_zone_test_context):
|
||||
"""
|
||||
Test that a user in record owner group can delete a record in a shared zone
|
||||
@@ -740,3 +693,90 @@ def test_delete_for_zone_admin_in_shared_zone_succeeds(shared_zone_test_context)
|
||||
|
||||
delete_rs = shared_client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)
|
||||
shared_client.wait_until_recordset_change_status(delete_rs, 'Complete')
|
||||
|
||||
def test_delete_for_unowned_record_with_approved_record_type_in_shared_zone_succeeds(shared_zone_test_context):
|
||||
"""
|
||||
Test that a user not associated with a unowned record can delete it in a shared zone
|
||||
"""
|
||||
shared_client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
shared_zone = shared_zone_test_context.shared_zone
|
||||
ok_client = shared_zone_test_context.ok_vinyldns_client
|
||||
|
||||
record_json = get_recordset_json(shared_zone, 'test_shared_approved_record_type', 'A', [{'address': '1.1.1.1'}])
|
||||
|
||||
create_rs = shared_client.create_recordset(record_json, status=202)
|
||||
result_rs = shared_client.wait_until_recordset_change_status(create_rs, 'Complete')['recordSet']
|
||||
|
||||
delete_rs = ok_client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)
|
||||
ok_client.wait_until_recordset_change_status(delete_rs, 'Complete')
|
||||
|
||||
def test_delete_for_user_not_in_record_owner_group_in_shared_zone_fails(shared_zone_test_context):
|
||||
"""
|
||||
Test that a user cannot delete a record in a shared zone if not part of record owner group
|
||||
"""
|
||||
|
||||
dummy_client = shared_zone_test_context.dummy_vinyldns_client
|
||||
shared_client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
shared_zone = shared_zone_test_context.shared_zone
|
||||
result_rs = None
|
||||
|
||||
record_json = get_recordset_json(shared_zone, 'test_shared_del_nonog', 'A', [{'address': '1.1.1.1'}], ownergroup_id = shared_zone_test_context.shared_record_group['id'])
|
||||
|
||||
try:
|
||||
create_rs = shared_client.create_recordset(record_json, status=202)
|
||||
result_rs = shared_client.wait_until_recordset_change_status(create_rs, 'Complete')['recordSet']
|
||||
|
||||
error = dummy_client.delete_recordset(shared_zone['id'], result_rs['id'], status=403)
|
||||
assert_that(error, is_('User dummy does not have access to delete test-shared-del-nonog.shared.'))
|
||||
|
||||
finally:
|
||||
if result_rs:
|
||||
delete_rs = shared_client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)
|
||||
shared_client.wait_until_recordset_change_status(delete_rs, 'Complete')
|
||||
|
||||
def test_delete_for_user_not_in_unowned_record_in_shared_zone_fails_if_record_type_is_not_approved(shared_zone_test_context):
|
||||
"""
|
||||
Test that a user cannot delete a record in a shared zone if the record is unowned and the record type is not approved
|
||||
"""
|
||||
|
||||
dummy_client = shared_zone_test_context.dummy_vinyldns_client
|
||||
shared_client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
shared_zone = shared_zone_test_context.shared_zone
|
||||
result_rs = None
|
||||
|
||||
record_json = get_recordset_json(shared_zone, 'test_shared_del_not_approved_record_type', 'MX', [{'preference': 3, 'exchange': 'mx'}])
|
||||
|
||||
try:
|
||||
create_rs = shared_client.create_recordset(record_json, status=202)
|
||||
result_rs = shared_client.wait_until_recordset_change_status(create_rs, 'Complete')['recordSet']
|
||||
|
||||
error = dummy_client.delete_recordset(shared_zone['id'], result_rs['id'], status=403)
|
||||
assert_that(error, is_('User dummy does not have access to delete test-shared-del-not-approved-record-type.shared.'))
|
||||
|
||||
finally:
|
||||
if result_rs:
|
||||
delete_rs = shared_client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)
|
||||
shared_client.wait_until_recordset_change_status(delete_rs, 'Complete')
|
||||
|
||||
def test_delete_for_user_in_record_owner_group_in_non_shared_zone_fails(shared_zone_test_context):
|
||||
"""
|
||||
Test that a user in record owner group cannot delete a record in a non-shared zone
|
||||
"""
|
||||
ok_client = shared_zone_test_context.ok_vinyldns_client
|
||||
shared_client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
ok_zone = shared_zone_test_context.ok_zone
|
||||
result_rs = None
|
||||
|
||||
record_json = get_recordset_json(ok_zone, 'test_non_shared_del_og', 'A', [{'address': '1.1.1.1'}], ownergroup_id = shared_zone_test_context.shared_record_group['id'])
|
||||
|
||||
try:
|
||||
create_rs = ok_client.create_recordset(record_json, status=202)
|
||||
result_rs = ok_client.wait_until_recordset_change_status(create_rs, 'Complete')['recordSet']
|
||||
|
||||
error = shared_client.delete_recordset(ok_zone['id'], result_rs['id'], status=403)
|
||||
assert_that(error, is_('User sharedZoneUser does not have access to delete test-non-shared-del-og.ok.'))
|
||||
|
||||
finally:
|
||||
if result_rs:
|
||||
delete_rs = ok_client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)
|
||||
ok_client.wait_until_recordset_change_status(delete_rs, 'Complete')
|
||||
|
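Review bot: The new approved-type delete test creates its record without the `try`/`finally` that every sibling in this hunk uses, so if the `ok_client` delete does not come back 202 the record `test_shared_approved_record_type.shared.` stays in the zone, and the same-named create and update tests added in this commit then fail on a conflict rather than on the permission they test. Wrap it like the siblings, clear `result_rs` once the unprivileged delete has completed so the cleanup does not try a second delete, and let the zone admin remove the record otherwise. The docstring should also read `Test that a user not associated with an unowned record can delete it in a shared zone if the record type is approved`, matching the function name.
```python
    record_json = get_recordset_json(shared_zone, 'test_shared_approved_record_type', 'A', [{'address': '1.1.1.1'}])
    result_rs = None

    try:
        create_rs = shared_client.create_recordset(record_json, status=202)
        result_rs = shared_client.wait_until_recordset_change_status(create_rs, 'Complete')['recordSet']

        # the unassociated user is the one under test here
        delete_rs = ok_client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)
        ok_client.wait_until_recordset_change_status(delete_rs, 'Complete')
        result_rs = None  # deleted by the user under test; nothing left to clean up
    finally:
        if result_rs:
            # fall back to the zone admin so a failed assertion never leaks the record
            delete_rs = shared_client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)
            shared_client.wait_until_recordset_change_status(delete_rs, 'Complete')
```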
@@ -158,22 +158,47 @@ def test_get_recordset_from_shared_zone(shared_zone_test_context):
|
||||
delete_result = client.delete_recordset(retrieved_rs['zoneId'], retrieved_rs['id'], status=202)
|
||||
client.wait_until_recordset_change_status(delete_result, 'Complete')
|
||||
|
||||
def test_get_unowned_recordset_from_shared_zone(shared_zone_test_context):
|
||||
def test_get_unowned_recordset_from_shared_zone_succeeds_if_record_type_approved(shared_zone_test_context):
|
||||
"""
|
||||
Test getting an unowned recordset with no admin rights succeeds
|
||||
Test getting an unowned recordset with no admin rights succeeds if the record type is approved
|
||||
"""
|
||||
client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
ok_client = shared_zone_test_context.ok_vinyldns_client
|
||||
result_rs = None
|
||||
try:
|
||||
new_rs = get_recordset_json(shared_zone_test_context.shared_zone,
|
||||
"test_get_unowned_recordset_approved_type", "A", [{"address": "1.2.3.4"}])
|
||||
|
||||
result = client.create_recordset(new_rs, status=202)
|
||||
result_rs = client.wait_until_recordset_change_status(result, 'Complete')['recordSet']
|
||||
|
||||
# Get the recordset we just made and verify
|
||||
retrieved = ok_client.get_recordset(result_rs['zoneId'], result_rs['id'], status=200)
|
||||
retrieved_rs = retrieved['recordSet']
|
||||
verify_recordset(retrieved_rs, new_rs)
|
||||
|
||||
finally:
|
||||
if result_rs:
|
||||
delete_result = ok_client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)
|
||||
ok_client.wait_until_recordset_change_status(delete_result, 'Complete')
|
||||
|
||||
def test_get_unowned_recordset_from_shared_zone_fails_if_record_type_not_approved(shared_zone_test_context):
|
||||
"""
|
||||
Test getting an unowned recordset with no admin rights fails if the record type is not approved
|
||||
"""
|
||||
client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
result_rs = None
|
||||
try:
|
||||
new_rs = get_recordset_json(shared_zone_test_context.shared_zone,
|
||||
"test_get_unowned_recordset", "TXT", [{'text':'should-not-work'}])
|
||||
"test_get_unowned_recordset", "MX", [{'preference': 3, 'exchange': 'mx'}])
|
||||
|
||||
result = client.create_recordset(new_rs, status=202)
|
||||
result_rs = client.wait_until_recordset_change_status(result, 'Complete')['recordSet']
|
||||
|
||||
# Get the recordset we just made and verify
|
||||
ok_client = shared_zone_test_context.ok_vinyldns_client
|
||||
ok_client.get_recordset(result_rs['zoneId'], result_rs['id'], status=200)
|
||||
error = ok_client.get_recordset(result_rs['zoneId'], result_rs['id'], status=403)
|
||||
assert_that(error, is_("User ok does not have access to view test-get-unowned-recordset.shared."))
|
||||
|
||||
finally:
|
||||
if result_rs:
|
||||
|
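Review bot: The teardown of the approved-type get test deletes with `ok_client`, the unassociated user, so the test's cleanup quietly depends on the delete authorization path for unowned records rather than on the get path it is meant to cover; a later tightening of unowned-record deletion would show up here as a teardown failure in a get test. Use the zone admin client for cleanup instead: `delete_result = client.delete_recordset(result_rs['zoneId'], result_rs['id'], status=202)` and `client.wait_until_recordset_change_status(delete_result, 'Complete')`. The `finally` block of the not-approved test continues past the end of this hunk.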
@@ -2032,11 +2032,11 @@ def test_update_owner_group_from_user_in_record_owner_group_for_shared_zone_pass
|
||||
ok_client = shared_zone_test_context.ok_vinyldns_client
|
||||
shared_record_group = shared_zone_test_context.shared_record_group
|
||||
shared_client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
zone = shared_zone_test_context.shared_zone
|
||||
shared_zone = shared_zone_test_context.shared_zone
|
||||
update_rs = None
|
||||
|
||||
try:
|
||||
record_json = get_recordset_json(zone, 'test_shared_success', 'A', [{'address': '1.1.1.1'}])
|
||||
record_json = get_recordset_json(shared_zone, 'test_shared_success', 'A', [{'address': '1.1.1.1'}])
|
||||
record_json['ownerGroupId'] = shared_record_group['id']
|
||||
create_response = shared_client.create_recordset(record_json, status=202)
|
||||
update = shared_client.wait_until_recordset_change_status(create_response, 'Complete')['recordSet']
|
||||
@@ -2051,7 +2051,7 @@ def test_update_owner_group_from_user_in_record_owner_group_for_shared_zone_pass
|
||||
|
||||
finally:
|
||||
if update_rs:
|
||||
delete_result = shared_client.delete_recordset(zone['id'], update_rs['id'], status=202)
|
||||
delete_result = shared_client.delete_recordset(shared_zone['id'], update_rs['id'], status=202)
|
||||
shared_client.wait_until_recordset_change_status(delete_result, 'Complete')
|
||||
|
||||
|
||||
@@ -2084,10 +2084,35 @@ def test_update_owner_group_from_admin_in_shared_zone_passes(shared_zone_test_co
|
||||
delete_result = shared_client.delete_recordset(zone['id'], update_rs['id'], status=202)
|
||||
shared_client.wait_until_recordset_change_status(delete_result, 'Complete')
|
||||
|
||||
|
||||
def test_update_from_unassociated_user_in_shared_zone_succeeds(shared_zone_test_context):
|
||||
def test_update_from_unassociated_user_in_shared_zone_passes_when_record_type_is_approved(shared_zone_test_context):
|
||||
"""
|
||||
Test that an unassociated user updating record without existing owner group ID in shared zone succeeds
|
||||
Test that updating with a user that does not have write access succeeds in a shared zone if the record type is approved
|
||||
"""
|
||||
|
||||
ok_client = shared_zone_test_context.ok_vinyldns_client
|
||||
shared_client = shared_zone_test_context.shared_zone_vinyldns_client
|
||||
zone = shared_zone_test_context.shared_zone
|
||||
update_rs = None
|
||||
|
||||
try:
|
||||
record_json = get_recordset_json(zone, 'test_shared_approved_record_type', 'A', [{'address': '1.1.1.1'}])
|
||||
create_response = shared_client.create_recordset(record_json, status=202)
|
||||
create_rs = shared_client.wait_until_recordset_change_status(create_response, 'Complete')['recordSet']
|
||||
assert_that(create_rs, is_not(has_key('ownerGroupId')))
|
||||
|
||||
update = create_rs
|
||||
update['ttl'] = update['ttl'] + 100
|
||||
update_response = ok_client.update_recordset(update, status=202)
|
||||
update_rs = shared_client.wait_until_recordset_change_status(update_response, 'Complete')['recordSet']
|
||||
|
||||
finally:
|
||||
if update_rs:
|
||||
delete_result = shared_client.delete_recordset(zone['id'], update_rs['id'], status=202)
|
||||
shared_client.wait_until_recordset_change_status(delete_result, 'Complete')
|
||||
|
||||
def test_update_from_unassociated_user_in_shared_zone_fails(shared_zone_test_context):
|
||||
"""
|
||||
Test that updating with a user that does not have write access fails in a shared zone
|
||||
"""
|
||||
|
||||
ok_client = shared_zone_test_context.ok_vinyldns_client
|
||||
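Review bot: The approved-type update test stops after waiting for the change to complete and asserts nothing about `update_rs`, so it would still pass if the server accepted the request but dropped the TTL change or attached an owner group; the old version of this test appears to have checked the post-update record for `ownerGroupId`, and that check is not carried over. Add `assert_that(update_rs['ttl'], is_(update['ttl']))` and `assert_that(update_rs, is_not(has_key('ownerGroupId')))` right after the wait. `update = create_rs` aliases the dict rather than copying it, which is harmless here only because `create_rs` is never read again.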
@@ -2096,16 +2121,15 @@ def test_update_from_unassociated_user_in_shared_zone_succeeds(shared_zone_test_
|
||||
create_rs = None
|
||||
|
||||
try:
|
||||
record_json = get_recordset_json(zone, 'test_shared_success', 'A', [{'address': '1.1.1.1'}])
|
||||
record_json = get_recordset_json(zone, 'test_shared_unapproved_record_type', 'MX', [{'preference': 3, 'exchange': 'mx'}])
|
||||
create_response = shared_client.create_recordset(record_json, status=202)
|
||||
create_rs = shared_client.wait_until_recordset_change_status(create_response, 'Complete')['recordSet']
|
||||
assert_that(create_rs, is_not(has_key('ownerGroupId')))
|
||||
|
||||
update = create_rs
|
||||
update['ttl'] = update['ttl'] + 100
|
||||
update_response = ok_client.update_recordset(update, status=202)
|
||||
update_rs = shared_client.wait_until_recordset_change_status(update_response, 'Complete')
|
||||
assert_that(update_rs, is_not(has_key('ownerGroupId')))
|
||||
error = ok_client.update_recordset(update, status=403)
|
||||
assert_that(error, is_('User ok does not have access to update test-shared-unapproved-record-type.shared.'))
|
||||
|
||||
finally:
|
||||
if create_rs:
|
||||
@@ -2127,7 +2151,7 @@ def test_update_from_acl_for_shared_zone_passes(shared_zone_test_context):
|
||||
try:
|
||||
add_shared_zone_acl_rules(shared_zone_test_context, [acl_rule])
|
||||
|
||||
record_json = get_recordset_json(zone, 'test_shared_success', 'A', [{'address': '1.1.1.1'}])
|
||||
record_json = get_recordset_json(zone, 'test_shared_acl', 'A', [{'address': '1.1.1.1'}])
|
||||
create_response = shared_client.create_recordset(record_json, status=202)
|
||||
update = shared_client.wait_until_recordset_change_status(create_response, 'Complete')['recordSet']
|
||||
assert_that(update, is_not(has_key('ownerGroupId')))
|
||||
|