Beispiel #1
0
def test_group_metadata_permission_policy(key, separator):
    sep = separator or ' '
    remotes = {
        'web-1': Remote(
            'ubuntu', '192.168.0.5',
            metadata={key: sep.join(['web', 'a']), 'other': 'ignore'}
        ),
        'web-2': Remote(
            'ubuntu', '192.168.0.6',
            metadata={key: sep.join(['web', 'b']), 'other': 'ignore'}
        ),
        'web-3': Remote(
            'ubuntu', '192.168.0.7',
            metadata={key: sep.join(['web', 'c']), 'other': 'ignore'}
        ),
        'worker-1': Remote(
            'ubuntu', '192.168.0.25',
            metadata={key: sep.join(['worker', 'a']), 'other': 'ignore'}
        ),
        'worker-2': Remote(
            'ubuntu', '192.168.0.26',
            metadata={key: sep.join(['worker', 'b']), 'other': 'ignore'}
        ),
        'db-1': Remote(
            'ubuntu', '192.168.0.50',
            metadata={key: sep.join(['db', 'a']), 'other': 'ignore'}
        ),
        'db-2': Remote(
            'ubuntu', '192.168.0.51',
            metadata={key: sep.join(['db', 'b']), 'other': 'ignore'}
        )
    }

    def subset(*keys):
        return {a: r for a, r in remotes.items() if a in keys}
    p = GroupMetadataPermissionPolicy(key, separator)
    identity = Identity(DummyTeam, 1)
    assert (p.filter(remotes, identity, {'web', 'a'}) ==
            subset('web-1', 'web-2', 'web-3', 'worker-1', 'db-1'))
    assert (p.filter(remotes, identity, {'db', 'c'}) ==
            subset('web-3', 'worker-3', 'db-1', 'db-2'))
    assert p.permit(remotes['db-1'], identity, {'web', 'a'})
    assert not p.permit(remotes['db-1'], identity, {'web', 'b'})
    assert p.permit(remotes['db-1'], identity, {'db', 'a'})
    assert p.permit(remotes['db-1'], identity, {'db', 'b'})
Beispiel #2
0
def test_group_metadata_permission_policy(key, separator):
    sep = separator or ' '
    remotes = {
        'web-1': Remote(
            'ubuntu', '192.168.0.5',
            metadata={key: sep.join(['web', 'a']), 'other': 'ignore'}
        ),
        'web-2': Remote(
            'ubuntu', '192.168.0.6',
            metadata={key: sep.join(['web', 'b']), 'other': 'ignore'}
        ),
        'web-3': Remote(
            'ubuntu', '192.168.0.7',
            metadata={key: sep.join(['web', 'c']), 'other': 'ignore'}
        ),
        'worker-1': Remote(
            'ubuntu', '192.168.0.25',
            metadata={key: sep.join(['worker', 'a']), 'other': 'ignore'}
        ),
        'worker-2': Remote(
            'ubuntu', '192.168.0.26',
            metadata={key: sep.join(['worker', 'b']), 'other': 'ignore'}
        ),
        'db-1': Remote(
            'ubuntu', '192.168.0.50',
            metadata={key: sep.join(['db', 'a']), 'other': 'ignore'}
        ),
        'db-2': Remote(
            'ubuntu', '192.168.0.51',
            metadata={key: sep.join(['db', 'b']), 'other': 'ignore'}
        )
    }

    def subset(*keys):
        return {a: r for a, r in remotes.items() if a in keys}
    p = GroupMetadataPermissionPolicy(key, separator)
    identity = Identity(DummyTeam, 1)
    assert (p.filter(remotes, identity, {'web', 'a'}) ==
            subset('web-1', 'web-2', 'web-3', 'worker-1', 'db-1'))
    assert (p.filter(remotes, identity, {'db', 'c'}) ==
            subset('web-3', 'worker-3', 'db-1', 'db-2'))
    assert p.permit(remotes['db-1'], identity, {'web', 'a'})
    assert not p.permit(remotes['db-1'], identity, {'web', 'b'})
    assert p.permit(remotes['db-1'], identity, {'db', 'a'})
    assert p.permit(remotes['db-1'], identity, {'db', 'b'})
Beispiel #3
0
# but you'll get the list dynamically from EC2 API.  Assume our all
# AMIs are Amazon Linux, so the usernames are always ec2-user.
# If you're using Ubuntu AMIs it should be ubuntu instead.
from geofront.backends.cloud import CloudRemoteSet
from libcloud.compute.types import Provider
from libcloud.compute.providers import get_driver

driver_cls = get_driver(Provider.EC2)
driver = driver_cls('aws access id', 'aws secret key', region='uest-east-1')
REMOTE_SET = CloudRemoteSet(driver, user='******')

# Suppose your team is divided by several subgroups, and these subgroups are
# represented in teams of the GitHub organization.  So you can control
# who can access each remote by specifying allowed groups to its metadata.
# CloudRemoteSet which is used for above REMOTE_SET exposes each EC2 instance's
# metadata as it has.  We suppose every EC2 instance has Allowed-Groups
# metadata key and its value is space-separated list of group slugs.
# The following settings will allow only members who belong to corresponding
# groups to access.
from geofront.remote import GroupMetadataPermissionPolicy

PERMISSION_POLICY = GroupMetadataPermissionPolicy('Allowed-Groups')

# Geofront provisions access tokens (or you can think them as sessions)
# for Geofront clients.  Assume you already have a Redis server running
# on the same host.  We'd store tokens to the db 0 on that Redis server
# in the example.
from werkzeug.contrib.cache import RedisCache

TOKEN_STORE = RedisCache(host='localhost', db=0)