def test_shell(session, users, http_client, base_url, graph):
user = users['*****@*****.**']
assert not get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
set_user_metadata(session, user.id, USER_METADATA_SHELL_KEY, "/bin/bash")
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
assert body["data"]["user"]["metadata"] != [], "There should be metadata"
assert len(body["data"]["user"]["metadata"]) == 1, "There should only be 1 metadata!"
assert body["data"]["user"]["metadata"][0]["data_key"] == "shell", "There should only be 1 metadata!"
assert body["data"]["user"]["metadata"][0]["data_value"] == "/bin/bash", "The shell should be set to the correct value"
set_user_metadata(session, user.id, USER_METADATA_SHELL_KEY, "/bin/zsh")
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
assert body["data"]["user"]["metadata"] != [], "There should be metadata"
assert body["data"]["user"]["metadata"][0]["data_key"] == "shell", "There should only be 1 metadata!"
assert body["data"]["user"]["metadata"][0]["data_value"] == "/bin/zsh", "The shell should be set to the correct value"
assert len(body["data"]["user"]["metadata"]) == 1, "There should only be 1 metadata!"
def test_graph_desc_to_ances(session, graph, users, groups): # noqa
""" Test adding members where all descendants already exist."""
setup_desc_to_ances(session, users, groups)
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "team-infra") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "all-teams") == set(["*****@*****.**", "*****@*****.**", "*****@*****.**"])
assert get_users(graph, "all-teams", cutoff=1) == set(["*****@*****.**"])
assert get_groups(graph, "*****@*****.**") == set(["team-sre", "all-teams", "tech-ops",
"team-infra"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "*****@*****.**") == set(["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "*****@*****.**") == set(["all-teams"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["all-teams"])
def test_passwords_api(session, users, http_client, base_url, graph):
user = users['*****@*****.**']
TEST_PASSWORD = "******"
add_new_user_password(session, "test", TEST_PASSWORD, user.id)
assert len(user_passwords(session, user)) == 1, "The user should only have a single password"
graph.update_from_db(session)
c = Counter.get(session, name="updates")
api_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert body["checkpoint"] == c.count, "The API response is not up to date"
assert body["data"]["user"]["passwords"] != [], "The user should not have an empty passwords field"
assert body["data"]["user"]["passwords"][0]["name"] == "test", "The password should have the same name"
assert body["data"]["user"]["passwords"][0]["func"] == "crypt(3)-$6$", "This test does not support any hash functions other than crypt(3)-$6$"
assert body["data"]["user"]["passwords"][0]["hash"] == crypt.crypt(TEST_PASSWORD, body["data"]["user"]["passwords"][0]["salt"]), "The hash should be the same as hashing the password and the salt together using the hashing function"
assert body["data"]["user"]["passwords"][0]["hash"] != crypt.crypt("hello", body["data"]["user"]["passwords"][0]["salt"]), "The hash should not be the same as hashing the wrong password and the salt together using the hashing function"
delete_user_password(session, "test", user.id)
c = Counter.get(session, name="updates")
graph.update_from_db(session)
api_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert body["checkpoint"] == c.count, "The API response is not up to date"
assert body["data"]["user"]["passwords"] == [], "The user should not have any passwords"
def test_user_disable(session, graph, users, user_admin_perm_to_auditors, http_client, base_url):
username = u"*****@*****.**"
old_groups = sorted(get_groups(graph, username))
# disable user
fe_url = url(base_url, "/users/{}/disable".format(username))
resp = yield http_client.fetch(fe_url, method="POST",
headers={"X-Grouper-User": "******"}, body=urlencode({}))
assert resp.code == 200
# enable user, PRESERVE groups
fe_url = url(base_url, "/users/{}/enable".format(username))
resp = yield http_client.fetch(fe_url, method="POST",
headers={"X-Grouper-User": "******"},
body=urlencode({"preserve_membership": "true"}))
assert resp.code == 200
graph.update_from_db(session)
assert old_groups == sorted(get_groups(graph, username)), 'nothing should be removed'
# disable and enable, PURGE groups
fe_url = url(base_url, "/users/{}/disable".format(username))
resp = yield http_client.fetch(fe_url, method="POST",
headers={"X-Grouper-User": "******"}, body=urlencode({}))
assert resp.code == 200
fe_url = url(base_url, "/users/{}/enable".format(username))
resp = yield http_client.fetch(fe_url, method="POST",
headers={"X-Grouper-User": "******"}, body=urlencode({}))
assert resp.code == 200
graph.update_from_db(session)
assert len(get_groups(graph, username)) == 0, 'all group membership should be removed'
def test_graph_desc_to_ances(session, graph, users, groups): # noqa
""" Test adding members where all descendants already exist."""
setup_desc_to_ances(session, users, groups)
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "team-infra") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "all-teams") == set(
["*****@*****.**", "*****@*****.**", "*****@*****.**"])
assert get_users(graph, "all-teams", cutoff=1) == set(["*****@*****.**"])
assert get_groups(graph, "*****@*****.**") == set(
["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_groups(graph, "*****@*****.**",
cutoff=1) == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "*****@*****.**") == set(
["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_groups(graph, "*****@*****.**",
cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "*****@*****.**") == set(["all-teams"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["all-teams"])
def test_graph_edit_role(session, graph, standard_graph, groups, users):
"""Test that membership role changes are refected in the graph."""
username = "******"
user_role = graph.get_group_details("tech-ops")["users"][username]["rolename"]
assert user_role == "np-owner"
groups["tech-ops"].edit_member(users["*****@*****.**"], users[username], "a reason",
role="owner")
graph.update_from_db(session)
user_role = graph.get_group_details("tech-ops")["users"][username]["rolename"]
assert user_role == "owner"
def test_graph_edit_role(session, graph, standard_graph, groups, users):
"""Test that membership role changes are refected in the graph."""
username = "******"
user_role = graph.get_group_details("tech-ops")["users"][username]["rolename"]
assert user_role == "np-owner"
groups["tech-ops"].edit_member(users["*****@*****.**"], users[username], "a reason",
role="owner")
graph.update_from_db(session)
user_role = graph.get_group_details("tech-ops")["users"][username]["rolename"]
assert user_role == "owner"
def test_tags(session, users, http_client, base_url, graph):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm2.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
grant_permission_to_tag(session, tag.id, perm.id, "prod")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, key1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body['data']['user']['public_keys'][0]
assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
def test_tags(session, http_client, base_url, graph):
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm2.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
grant_permission_to_tag(session, tag.id, perm.id, "prod")
with pytest.raises(AssertionError):
grant_permission_to_tag(session, tag.id, perm.id, "question?")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, SSH_KEY_1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body['data']['user']['public_keys'][0]
assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
assert pub_key['fingerprint'] == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
assert pub_key['fingerprint_sha256'] == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
def test_grant_and_revoke(session, standard_graph, graph, groups, permissions,
http_client, base_url):
"""Test that permission grant and revokes are reflected correctly."""
group_name = "team-sre"
permission_name = "sudo"
user_name = "*****@*****.**"
def _check_graph_for_perm(graph):
return any(map(lambda x: x.permission == permission_name,
graph.permission_metadata[group_name]))
# make some permission admins
perm_admin, _ = Permission.get_or_create(session, name=PERMISSION_ADMIN, description="")
session.commit()
grant_permission(groups["security-team"], perm_admin)
# grant attempt by non-permission admin
fe_url = url(base_url, "/permissions/grant/{}".format(group_name))
with pytest.raises(HTTPError):
yield http_client.fetch(fe_url, method="POST",
body=urlencode({"permission": permission_name, "argument": "specific_arg"}),
headers={'X-Grouper-User': "******"})
graph.update_from_db(session)
assert not _check_graph_for_perm(graph), "no permissions granted"
# grant by permission admin
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({"permission": permission_name, "argument": "specific_arg"}),
headers={'X-Grouper-User': user_name})
assert resp.code == 200
graph.update_from_db(session)
assert _check_graph_for_perm(graph), "permissions granted, successfully"
# figure out mapping_id of grant
permission_id = Permission.get(session, name=permission_name).id
group_id = Group.get(session, name=group_name).id
mapping = session.query(PermissionMap).filter(
PermissionMap.permission_id == permission_id,
PermissionMap.group_id == group_id).first()
# revoke permission by non-admin
fe_url = url(base_url, "/permissions/{}/revoke/{}".format(permission_name, mapping.id))
with pytest.raises(HTTPError):
yield http_client.fetch(fe_url, method="POST", body=urlencode({}),
headers={'X-Grouper-User': "******"})
graph.update_from_db(session)
assert _check_graph_for_perm(graph), "permissions not revoked"
# revoke permission for realz
resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({}),
headers={'X-Grouper-User': user_name})
assert resp.code == 200
graph.update_from_db(session)
assert not _check_graph_for_perm(graph), "permissions revoked successfully"
def test_graph_disable(session, graph, users, groups, user_admin_perm_to_auditors,
http_client, base_url):
graph.update_from_db(session)
old_users = graph.users
assert sorted(old_users) == sorted(users.keys())
# disable a user
username = u"*****@*****.**"
fe_url = url(base_url, "/users/{}/disable".format(username))
resp = yield http_client.fetch(fe_url, method="POST",
headers={"X-Grouper-User": "******"}, body=urlencode({}))
assert resp.code == 200
graph.update_from_db(session)
assert len(graph.users) == (len(old_users) - 1), 'disabled user removed from graph'
assert username not in graph.users
def test_graph_cycle_indirect(session, graph, users, groups): # noqa
""" Test adding a member that will create a cycle.
gary zay testuser
| | |
sre <----- tech-ops <----- team-infra <--
| |
| |
--------> all-teams --------------------
"""
add_member(groups["team-sre"], users["*****@*****.**"])
add_member(groups["tech-ops"], users["*****@*****.**"])
add_member(groups["team-infra"], users["*****@*****.**"])
add_member(groups["team-sre"], groups["tech-ops"])
add_member(groups["tech-ops"], groups["team-infra"])
add_member(groups["team-infra"], groups["all-teams"])
add_member(groups["all-teams"], groups["team-sre"])
session.commit()
graph.update_from_db(session)
all_users = set(["*****@*****.**", "*****@*****.**", "*****@*****.**"])
all_groups = set(["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_users(graph, "team-sre") == all_users
assert get_users(graph, "team-sre", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "tech-ops") == all_users
assert get_users(graph, "tech-ops", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "team-infra") == all_users
assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "all-teams") == all_users
assert get_users(graph, "all-teams", cutoff=1) == set([])
assert get_groups(graph, "*****@*****.**") == all_groups
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre"])
assert get_groups(graph, "*****@*****.**") == all_groups
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["tech-ops"])
assert get_groups(graph, "*****@*****.**") == all_groups
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-infra"])
def test_graph_cycle_indirect(session, graph, users, groups): # noqa
""" Test adding a member that will create a cycle.
gary zay testuser
| | |
sre <----- tech-ops <----- team-infra <--
| |
| |
--------> all-teams --------------------
"""
add_member(groups["team-sre"], users["*****@*****.**"])
add_member(groups["tech-ops"], users["*****@*****.**"])
add_member(groups["team-infra"], users["*****@*****.**"])
add_member(groups["team-sre"], groups["tech-ops"])
add_member(groups["tech-ops"], groups["team-infra"])
add_member(groups["team-infra"], groups["all-teams"])
add_member(groups["all-teams"], groups["team-sre"])
session.commit()
graph.update_from_db(session)
all_users = set(["*****@*****.**", "*****@*****.**", "*****@*****.**"])
all_groups = set(["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_users(graph, "team-sre") == all_users
assert get_users(graph, "team-sre", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "tech-ops") == all_users
assert get_users(graph, "tech-ops", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "team-infra") == all_users
assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "all-teams") == all_users
assert get_users(graph, "all-teams", cutoff=1) == set([])
assert get_groups(graph, "*****@*****.**") == all_groups
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre"])
assert get_groups(graph, "*****@*****.**") == all_groups
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["tech-ops"])
assert get_groups(graph, "*****@*****.**") == all_groups
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-infra"])
def test_graph_disable(session, graph, groups, http_client, base_url): # noqa
""" Test that disabled groups work with the graph as expected."""
groupname = u'serving-team'
graph.update_from_db(session)
old_groups = graph.groups
assert sorted(old_groups) == sorted(groups.keys())
assert groupname in graph.permission_metadata
# disable a group
fe_url = url(base_url, '/groups/{}/disable'.format(groupname))
resp = yield http_client.fetch(fe_url, method="POST",
headers={"X-Grouper-User": "******"}, body=urlencode({"name": groupname}))
assert resp.code == 200
graph.update_from_db(session)
assert len(graph.groups) == (len(old_groups) - 1), 'disabled group removed from graph'
assert groupname not in graph.groups
assert groupname not in graph.permission_metadata
def test_graph_disable(session, graph, groups, http_client, base_url): # noqa
""" Test that disabled groups work with the graph as expected."""
groupname = u'serving-team'
graph.update_from_db(session)
old_groups = graph.groups
assert sorted(old_groups) == sorted(groups.keys())
assert groupname in graph.permission_metadata
# disable a group
fe_url = url(base_url, '/groups/{}/disable'.format(groupname))
resp = yield http_client.fetch(fe_url, method="POST",
headers={"X-Grouper-User": "******"}, body=urlencode({"name": groupname}))
assert resp.code == 200
graph.update_from_db(session)
assert len(graph.groups) == (len(old_groups) - 1), 'disabled group removed from graph'
assert groupname not in graph.groups
assert groupname not in graph.permission_metadata
def test_graph_add_member_existing(session, graph, users, groups): # noqa
""" Test adding members to an existing relationship."""
add_member(groups["team-sre"], users["*****@*****.**"], role="owner")
add_member(groups["tech-ops"], users["*****@*****.**"], role="owner")
add_member(groups["team-infra"], users["*****@*****.**"], role="owner")
add_member(groups["team-infra"], groups["team-sre"])
add_member(groups["team-infra"], groups["tech-ops"])
add_member(groups["all-teams"], users["*****@*****.**"], role="owner")
add_member(groups["all-teams"], groups["team-infra"])
add_member(groups["team-sre"], users["*****@*****.**"])
add_member(groups["tech-ops"], users["*****@*****.**"])
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "team-infra") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "all-teams") == set(
["*****@*****.**", "*****@*****.**", "*****@*****.**"])
assert get_users(graph, "all-teams", cutoff=1) == set(["*****@*****.**"])
assert get_groups(graph, "*****@*****.**") == set(
["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_groups(graph, "*****@*****.**",
cutoff=1) == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "*****@*****.**") == set(
["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_groups(graph, "*****@*****.**",
cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "*****@*****.**") == set(["all-teams"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["all-teams"])
def test_graph_cycle_direct(session, graph, users, groups): # noqa
""" Test adding members where all descendants already exist."""
add_member(groups["team-sre"], users["*****@*****.**"])
add_member(groups["tech-ops"], users["*****@*****.**"])
add_member(groups["team-sre"], groups["tech-ops"])
add_member(groups["tech-ops"], groups["team-sre"])
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "team-sre", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "tech-ops", cutoff=1) == set(["*****@*****.**"])
assert get_groups(graph, "*****@*****.**") == set(["team-sre", "tech-ops"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre"])
assert get_groups(graph, "*****@*****.**") == set(["team-sre", "tech-ops"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["tech-ops"])
def test_graph_cycle_direct(session, graph, users, groups): # noqa
""" Test adding members where all descendants already exist."""
add_member(groups["team-sre"], users["*****@*****.**"])
add_member(groups["tech-ops"], users["*****@*****.**"])
add_member(groups["team-sre"], groups["tech-ops"])
add_member(groups["tech-ops"], groups["team-sre"])
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "team-sre", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "tech-ops", cutoff=1) == set(["*****@*****.**"])
assert get_groups(graph, "*****@*****.**") == set(["team-sre", "tech-ops"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre"])
assert get_groups(graph, "*****@*****.**") == set(["team-sre", "tech-ops"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["tech-ops"])
def test_basic_permission(standard_graph, session, users, groups, permissions): # noqa
""" Test adding some permissions to various groups and ensuring that the permissions are all
implemented as expected. This also tests permissions inheritance in the graph. """
graph = standard_graph # noqa
grant_permission(groups["team-sre"], permissions["ssh"], argument="*")
grant_permission(groups["tech-ops"], permissions["ssh"], argument="shell")
grant_permission(groups["team-infra"], permissions["sudo"], argument="shell")
session.commit()
graph.update_from_db(session)
assert sorted(get_group_permissions(graph, "team-sre")) == ["ssh:*", "sudo:shell"]
assert sorted(get_group_permissions(graph, "tech-ops")) == ["ssh:shell", "sudo:shell"]
assert sorted(get_group_permissions(graph, "team-infra")) == ["sudo:shell"]
assert sorted(get_group_permissions(graph, "all-teams")) == []
assert sorted(get_user_permissions(graph, "gary")) == ["ssh:*", "ssh:shell", "sudo:shell"]
assert sorted(get_user_permissions(graph, "zay")) == ["ssh:*", "ssh:shell", "sudo:shell"]
assert sorted(get_user_permissions(graph, "zorkian")) == ["ssh:*", "sudo:shell"]
assert sorted(get_user_permissions(graph, "testuser")) == []
def test_graph_add_member_existing(session, graph, users, groups): # noqa
""" Test adding members to an existing relationship."""
add_member(groups["team-sre"], users["*****@*****.**"], role="owner")
add_member(groups["tech-ops"], users["*****@*****.**"], role="owner")
add_member(groups["team-infra"], users["*****@*****.**"], role="owner")
add_member(groups["team-infra"], groups["team-sre"])
add_member(groups["team-infra"], groups["tech-ops"])
add_member(groups["all-teams"], users["*****@*****.**"], role="owner")
add_member(groups["all-teams"], groups["team-infra"])
add_member(groups["team-sre"], users["*****@*****.**"])
add_member(groups["tech-ops"], users["*****@*****.**"])
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "tech-ops") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "team-infra") == set(["*****@*****.**", "*****@*****.**"])
assert get_users(graph, "team-infra", cutoff=1) == set(["*****@*****.**"])
assert get_users(graph, "all-teams") == set(["*****@*****.**", "*****@*****.**", "*****@*****.**"])
assert get_users(graph, "all-teams", cutoff=1) == set(["*****@*****.**"])
assert get_groups(graph, "*****@*****.**") == set(["team-sre", "all-teams", "tech-ops",
"team-infra"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "*****@*****.**") == set(["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "*****@*****.**") == set(["all-teams"])
assert get_groups(graph, "*****@*****.**", cutoff=1) == set(["all-teams"])
def test_graph_with_removes(session, graph, users, groups): # noqa
""" Test adding members where all descendants already exist."""
setup_desc_to_ances(session, users, groups)
groups["team-infra"].revoke_member(users["gary"], users["gary"], "Unit Testing")
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["gary", "zay"])
assert get_users(graph, "tech-ops") == set(["gary", "zay"])
assert get_users(graph, "team-infra") == set(["gary", "zay"])
assert get_users(graph, "team-infra", cutoff=1) == set()
assert get_users(graph, "all-teams") == set(["gary", "zay", "testuser"])
assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"])
assert get_groups(graph, "gary") == set(["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "zay") == set(["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "testuser") == set(["all-teams"])
assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"])
groups["all-teams"].revoke_member(users["gary"], groups["team-infra"], "Unit Testing")
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["gary", "zay"])
assert get_users(graph, "tech-ops") == set(["gary", "zay"])
assert get_users(graph, "team-infra") == set(["gary", "zay"])
assert get_users(graph, "team-infra", cutoff=1) == set([])
assert get_users(graph, "all-teams") == set(["testuser"])
assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"])
assert get_groups(graph, "gary") == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "zay") == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "testuser") == set(["all-teams"])
assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"])
groups["team-infra"].revoke_member(users["gary"], groups["tech-ops"], "Unit Testing")
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["gary", "zay"])
assert get_users(graph, "tech-ops") == set(["gary", "zay"])
assert get_users(graph, "team-infra") == set(["gary", "zay"])
assert get_users(graph, "team-infra", cutoff=1) == set([])
assert get_users(graph, "all-teams") == set(["testuser"])
assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"])
assert get_groups(graph, "gary") == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "zay") == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "testuser") == set(["all-teams"])
assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"])
def test_audit_end_to_end(session, users, groups, http_client, base_url, graph): # noqa
""" Tests an end-to-end audit cycle. """
groupname = "audited-team"
zay_id = users["*****@*****.**"].id
gary_id = users["*****@*****.**"].id
# make everyone an auditor or global audit will have issues
add_member(groups["auditors"], users["*****@*****.**"])
add_member(groups["auditors"], users["*****@*****.**"])
add_member(groups["auditors"], users["*****@*****.**"])
add_member(groups["auditors"], users["*****@*****.**"])
# add some users to test removal
add_member(groups[groupname], users["*****@*****.**"])
add_member(groups[groupname], users["*****@*****.**"])
graph.update_from_db(session)
# start the audit
end_at_str = (datetime.now() + timedelta(days=10)).strftime("%m/%d/%Y")
fe_url = url(base_url, "/audits/create")
resp = yield http_client.fetch(
fe_url, method="POST", body=urlencode({"ends_at": end_at_str}), headers={"X-Grouper-User": "******"}
)
assert resp.code == 200
open_audits = get_audits(session, only_open=True).all()
assert len(open_audits) == 4, "audits created"
assert groupname in [x.group.name for x in open_audits], "group we expect also gets audit"
# pull all the info we need to resolve audits, avoids detached sqlalchemy sessions
AuditMember = namedtuple("AuditMember", "am_id, edge_type, edge_id")
Audit = namedtuple("Audit", "audit_id, owner_name, group_name, audit_members")
all_group_ids = [x.group.id for x in open_audits]
open_audits = [
Audit(
x.id,
x.group.my_owners().iterkeys().next(),
x.group.name,
[AuditMember(am.id, am.edge.member_type, am.edge_id) for am in x.my_members()],
)
for x in open_audits
]
# approve everything but the one we added members to
for one_audit in open_audits:
fe_url = url(base_url, "/audits/{}/complete".format(one_audit.audit_id))
if one_audit.group_name == groupname:
continue
# blanket approval
body = urlencode({"audit_{}".format(am.am_id): "approved" for am in one_audit.audit_members})
resp = yield http_client.fetch(
fe_url, method="POST", body=body, headers={"X-Grouper-User": one_audit.owner_name}
)
assert resp.code == 200
open_audits = get_audits(session, only_open=True).all()
assert len(open_audits) == 1, "only our test group remaining"
one_audit = open_audits[0]
one_audit.id
body_dict = {}
for am in one_audit.my_members():
if gary_id == am.member.id:
# deny
body_dict["audit_{}".format(am.id)] = "remove"
else:
# approve
body_dict["audit_{}".format(am.id)] = "approved"
owner_name = one_audit.group.my_owners().iterkeys().next()
fe_url = url(base_url, "/audits/{}/complete".format(one_audit.id))
resp = yield http_client.fetch(
fe_url, method="POST", body=urlencode(body_dict), headers={"X-Grouper-User": owner_name}
)
assert resp.code == 200
# check all the logs
assert len(AuditLog.get_entries(session, action="start_audit")) == 1, "global start is logged"
assert len(AuditLog.get_entries(session, action="complete_global_audit")) == 1, "global complete is logged"
for group_id in all_group_ids:
assert (
len(
AuditLog.get_entries(
session, on_group_id=group_id, action="complete_audit", category=AuditLogCategory.audit
)
)
== 1
), "complete entry for each group"
assert (
len(AuditLog.get_entries(session, on_user_id=gary_id, category=AuditLogCategory.audit)) == 1
), "removal AuditLog entry on user"
def test_graph_with_removes(session, graph, users, groups): # noqa
""" Test adding members where all descendants already exist."""
setup_desc_to_ances(session, users, groups)
groups["team-infra"].revoke_member(users["gary"], users["gary"],
"Unit Testing")
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["gary", "zay"])
assert get_users(graph, "tech-ops") == set(["gary", "zay"])
assert get_users(graph, "team-infra") == set(["gary", "zay"])
assert get_users(graph, "team-infra", cutoff=1) == set()
assert get_users(graph, "all-teams") == set(["gary", "zay", "testuser"])
assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"])
assert get_groups(graph, "gary") == set(
["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "zay") == set(
["team-sre", "all-teams", "tech-ops", "team-infra"])
assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "testuser") == set(["all-teams"])
assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"])
groups["all-teams"].revoke_member(users["gary"], groups["team-infra"],
"Unit Testing")
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["gary", "zay"])
assert get_users(graph, "tech-ops") == set(["gary", "zay"])
assert get_users(graph, "team-infra") == set(["gary", "zay"])
assert get_users(graph, "team-infra", cutoff=1) == set([])
assert get_users(graph, "all-teams") == set(["testuser"])
assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"])
assert get_groups(graph,
"gary") == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph,
"zay") == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "testuser") == set(["all-teams"])
assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"])
groups["team-infra"].revoke_member(users["gary"], groups["tech-ops"],
"Unit Testing")
session.commit()
graph.update_from_db(session)
assert get_users(graph, "team-sre") == set(["gary", "zay"])
assert get_users(graph, "tech-ops") == set(["gary", "zay"])
assert get_users(graph, "team-infra") == set(["gary", "zay"])
assert get_users(graph, "team-infra", cutoff=1) == set([])
assert get_users(graph, "all-teams") == set(["testuser"])
assert get_users(graph, "all-teams", cutoff=1) == set(["testuser"])
assert get_groups(graph,
"gary") == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "gary", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph,
"zay") == set(["team-sre", "tech-ops", "team-infra"])
assert get_groups(graph, "zay", cutoff=1) == set(["team-sre", "tech-ops"])
assert get_groups(graph, "testuser") == set(["all-teams"])
assert get_groups(graph, "testuser", cutoff=1) == set(["all-teams"])
def test_expire_nonauditors(standard_graph, users, groups, session, permissions):
""" Test expiration auditing and notification. """
graph = standard_graph # noqa
# Test audit autoexpiration for all approvers
approver_roles = ["owner", "np-owner", "manager"]
for role in approver_roles:
# Add non-auditor as an owner to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
session.commit()
graph.update_from_db(session)
group_md = graph.get_group_details("audited-team")
assert group_md.get('audited', False)
# Expire the edges.
background = BackgroundThread(settings, None)
background.expire_nonauditors(session)
# Check that the edges are now marked as inactive.
edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
assert edge.expiration is not None
assert edge.expiration < datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days)
assert edge.expiration > datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days - 1)
assert any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])
audits = AuditLog.get_entries(session, action="nonauditor_flagged")
assert len(audits) == 3 + 1 * (approver_roles.index(role) + 1)
revoke_member(groups["audited-team"], users["*****@*****.**"])
# Ensure nonauditor, nonapprovers in audited groups do not get set to expired
member_roles = ["member"]
for role in member_roles:
# Add non-auditor as an owner to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
session.commit()
graph.update_from_db(session)
group_md = graph.get_group_details("audited-team")
assert group_md.get('audited', False)
# Expire the edges.
background = BackgroundThread(settings, None)
background.expire_nonauditors(session)
# Check that the edges are now marked as inactive.
edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
assert edge.expiration is None
assert not any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])
audits = AuditLog.get_entries(session, action="nonauditor_flagged")
assert len(audits) == 3 + 1 * len(approver_roles)
revoke_member(groups["audited-team"], users["*****@*****.**"])
