 def service_account_grants_for_permission(self, name):
     # type: (str) -> List[ServiceAccountPermissionGrant]
     """Return every service account grant of the named permission.

     An empty list is returned when the permission does not exist or is
     disabled.  Results are ordered by service account username, then by
     argument.  ``is_alias`` is always ``False``: aliases are not expanded
     here.
     """
     permission = Permission.get(self.session, name=name)
     if not permission or not permission.enabled:
         return []

     # Join conditions are written as plain filters, matching the other
     # queries in this repository.
     rows = self.session.query(
         User.username,
         ServiceAccountPermissionMap.argument,
         ServiceAccountPermissionMap.granted_on,
         ServiceAccountPermissionMap.id,
     )
     rows = rows.filter(
         ServiceAccountPermissionMap.permission_id == permission.id,
         ServiceAccount.id == ServiceAccountPermissionMap.service_account_id,
         User.id == ServiceAccount.user_id,
     )
     rows = rows.order_by(User.username, ServiceAccountPermissionMap.argument)

     def to_grant(row):
         # One ServiceAccountPermissionGrant per mapping row; the mapping ID
         # is exposed as grant_id so callers can address the row later.
         return ServiceAccountPermissionGrant(
             service_account=row.username,
             permission=name,
             argument=row.argument,
             granted_on=row.granted_on,
             is_alias=False,
             grant_id=row.id,
         )

     return [to_grant(row) for row in rows.all()]
    def permission_grants_for_service_account(self, name):
        # type: (str) -> List[ServiceAccountPermissionGrant]
        """Return all permission grants for a service account.

        Grants are only returned while the service account's user is
        enabled.  Each grant carries the mapping ID as ``grant_id`` and
        ``is_alias`` is always ``False``.

        TODO(rra): Currently does not expand permission aliases.
        """
        rows = (
            self.session.query(
                Permission.name,
                ServiceAccountPermissionMap.argument,
                ServiceAccountPermissionMap.granted_on,
                ServiceAccountPermissionMap.id,
            )
            .filter(
                User.username == name,
                User.enabled == True,  # noqa: E712 -- SQLAlchemy column comparison
                ServiceAccount.user_id == User.id,
                Permission.id == ServiceAccountPermissionMap.permission_id,
                ServiceAccountPermissionMap.service_account_id == ServiceAccount.id,
            )
            .all()
        )

        grants = []
        # Rows unpack in the order of the selected columns above.
        for permission_name, argument, granted_on, grant_id in rows:
            grants.append(
                ServiceAccountPermissionGrant(
                    service_account=name,
                    permission=permission_name,
                    argument=argument,
                    granted_on=granted_on,
                    is_alias=False,
                    grant_id=grant_id,
                )
            )
        return grants
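 def revoke_all_service_account_grants(self, permission):
     # type: (str) -> List[ServiceAccountPermissionGrant]
     """Revoke every service account grant of the named permission.

     Deletes all ServiceAccountPermissionMap rows for that permission and
     returns the grants that were removed.  Returns an empty list, and
     deletes nothing, when the permission does not exist.
     """
     sql_permission = Permission.get(self.session, name=permission)
     if not sql_permission:
         return []
     grants = (self.session.query(
         ServiceAccountPermissionMap.id,
         User.username,
         ServiceAccountPermissionMap.argument,
         ServiceAccountPermissionMap.granted_on,
     ).filter(
         User.id == ServiceAccount.user_id,
         ServiceAccount.id ==
         ServiceAccountPermissionMap.service_account_id,
         # The permission constraint must be on the service account map
         # itself.  Filtering on PermissionMap (the group grant table) here
         # pulls that table into the FROM clause with no join condition, so
         # the permission no longer restricts which service account grants
         # are selected -- and therefore deleted -- below.
         ServiceAccountPermissionMap.permission_id == sql_permission.id,
     ).all())
     ids = [g.id for g in grants]
     # Skip the DELETE when there is nothing to revoke; this also avoids
     # issuing an empty IN () clause.
     if ids:
         self.session.query(ServiceAccountPermissionMap).filter(
             ServiceAccountPermissionMap.id.in_(ids)).delete(
                 synchronize_session="fetch")
     return [
         ServiceAccountPermissionGrant(
             service_account=g.username,
             permission=permission,
             argument=g.argument,
             granted_on=g.granted_on,
             is_alias=False,
             grant_id=g.id,
         ) for g in grants
     ]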
def all_service_account_permissions(session):
    # type: (Session) -> Dict[str, List[ServiceAccountPermissionGrant]]
    """Return a dict of service account names to their permissions.

    Only service accounts whose user is enabled are included.  Each value
    is a list of ServiceAccountPermissionGrant objects carrying the mapping
    ID as ``grant_id``; ``is_alias`` is always ``False``.
    """
    rows = session.query(
        User.username,
        Permission.name,
        ServiceAccountPermissionMap.argument,
        ServiceAccountPermissionMap.granted_on,
        ServiceAccountPermissionMap.id,
    ).filter(
        Permission.id == ServiceAccountPermissionMap.permission_id,
        ServiceAccountPermissionMap.service_account_id == ServiceAccount.id,
        ServiceAccount.user_id == User.id,
        User.enabled == True,  # noqa: E712 -- SQLAlchemy column comparison
    )
    by_account = defaultdict(list)  # type: Dict[str, List[ServiceAccountPermissionGrant]]
    # Rows unpack in the order of the selected columns above.
    for username, permission_name, argument, granted_on, grant_id in rows:
        by_account[username].append(
            ServiceAccountPermissionGrant(
                service_account=username,
                permission=permission_name,
                argument=argument,
                granted_on=granted_on,
                is_alias=False,
                grant_id=grant_id,
            )
        )
    return by_account
def service_account_permissions(session, service_account):
    # type: (Session, ServiceAccount) -> List[ServiceAccountPermissionGrant]
    """Return the permissions of a service account, including mapping IDs.

    This is used to display the permission grants on a service account page, which has to generate
    revocation links, so return ServiceAccountPermissionGrant objects that include the mapping ID.
    Nothing is returned when the service account's user is disabled.
    """
    rows = session.query(
        User.username,
        Permission.name,
        ServiceAccountPermissionMap.argument,
        ServiceAccountPermissionMap.granted_on,
        ServiceAccountPermissionMap.id,
    ).filter(
        Permission.id == ServiceAccountPermissionMap.permission_id,
        # Pin the map to the requested account, then join out to its user.
        ServiceAccountPermissionMap.service_account_id == service_account.id,
        ServiceAccountPermissionMap.service_account_id == ServiceAccount.id,
        ServiceAccount.user_id == User.id,
        User.enabled == True,  # noqa: E712 -- SQLAlchemy column comparison
    )
    # Rows unpack in the order of the selected columns above.
    return [
        ServiceAccountPermissionGrant(
            service_account=username,
            permission=permission_name,
            argument=argument,
            granted_on=granted_on,
            is_alias=False,
            grant_id=grant_id,
        )
        for username, permission_name, argument, granted_on, grant_id in rows
    ]
def test_permission_disable_existing_grants(setup):
    # type: (SetupTest) -> None
    """Disabling a permission is refused while group or service account grants exist.

    The UI must be told about both kinds of outstanding grant so the operator
    can revoke them first.
    """
    mock_ui = MagicMock()

    with setup.transaction():
        setup.grant_permission_to_group(PERMISSION_ADMIN, "", "admins")
        setup.add_user_to_group("*****@*****.**", "admins")
        setup.grant_permission_to_group("some-permission", "argument",
                                        "some-group")
        setup.create_service_account("*****@*****.**", "some-group")
        setup.grant_permission_to_service_account("some-permission", "",
                                                  "*****@*****.**")

    usecase = setup.usecase_factory.create_disable_permission_usecase(
        "*****@*****.**", mock_ui)
    usecase.disable_permission("some-permission")

    group_grants = [
        GroupPermissionGrant("some-group", "some-permission", "argument"),
    ]
    service_account_grants = [
        ServiceAccountPermissionGrant("*****@*****.**", "some-permission", ""),
    ]
    expected_calls = [
        call.disable_permission_failed_existing_grants(
            "some-permission", group_grants, service_account_grants
        ),
    ]
    assert mock_ui.mock_calls == expected_calls
def test_wildcard(setup):
    # type: (SetupTest) -> None
    """A group holding a wildcard ("*") argument may delegate a specific argument.

    After the grant, the graph is refreshed and the service-layer view of the
    service account's grants must contain exactly the delegated permission.
    """
    mock_ui = MagicMock()

    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "*", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    usecase = setup.usecase_factory.create_grant_permission_to_service_account_usecase(
        "*****@*****.**", mock_ui)
    usecase.grant_permission_to_service_account("some-permission", "argument",
                                                "*****@*****.**")

    expected_calls = [
        call.granted_permission_to_service_account(
            "some-permission", "argument", "*****@*****.**"
        ),
    ]
    assert mock_ui.mock_calls == expected_calls

    # granted_on and grant_id are assigned by the database, so only their
    # presence is checked.
    expected_grants = [
        ServiceAccountPermissionGrant(
            service_account="*****@*****.**",
            permission="some-permission",
            argument="argument",
            granted_on=ANY,
            is_alias=False,
            grant_id=ANY,
        ),
    ]
    setup.graph.update_from_db(setup.session)
    service = setup.service_factory.create_service_account_service()
    actual_grants = service.permission_grants_for_service_account("*****@*****.**")
    assert actual_grants == expected_grants
    def permission_grants_for_service_account(self, name):
        # type: (str) -> List[ServiceAccountPermissionGrant]
        """Return all permission grants for a service account.

        Grants are read from the graph's user details rather than the
        database, so the returned objects carry no ``grant_id``.
        ``granted_on`` is converted from the graph's POSIX timestamp to a
        naive UTC datetime.

        TODO(rra): Currently does not expand permission aliases because they are not expanded by
        the graph.
        """
        details = self.graph.get_user_details(name)
        return [
            ServiceAccountPermissionGrant(
                service_account=name,
                permission=entry["permission"],
                argument=entry["argument"],
                granted_on=datetime.utcfromtimestamp(entry["granted_on"]),
                is_alias=False,
            )
            for entry in details["permissions"]
        ]
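def test_success(setup):
    # type: (SetupTest) -> None
    """Grant permissions to a service account through each allowed delegation path.

    Three actors are exercised in turn: a member of the service account's
    owning group, a permission admin, and a permission admin that is itself a
    service account.  After each grant the graph is refreshed and the
    service-layer view of the service account's grants is compared with the
    accumulated expectation.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "argument",
                                        "some-group")
        setup.create_permission("other-permission")
        setup.add_user_to_group("*****@*****.**", "admins")
        setup.grant_permission_to_group(PERMISSION_ADMIN, "", "admins")
        setup.create_service_account("*****@*****.**", "some-group")
        setup.create_service_account("*****@*****.**", "admins")
        setup.grant_permission_to_service_account(PERMISSION_ADMIN, "",
                                                  "*****@*****.**")

    service = setup.service_factory.create_service_account_service()
    # Nothing has been delegated yet.
    assert service.permission_grants_for_service_account(
        "*****@*****.**") == []

    # Delegation from a group member.
    mock_ui = MagicMock()
    usecase = setup.usecase_factory.create_grant_permission_to_service_account_usecase(
        "*****@*****.**", mock_ui)
    assert usecase.can_grant_permissions_for_service_account(
        "*****@*****.**")
    usecase.grant_permission_to_service_account("some-permission", "argument",
                                                "*****@*****.**")
    assert mock_ui.mock_calls == [
        call.granted_permission_to_service_account("some-permission",
                                                   "argument",
                                                   "*****@*****.**")
    ]
    # granted_on and grant_id are assigned by the database, so only their
    # presence is checked.
    expected = [
        ServiceAccountPermissionGrant(
            service_account="*****@*****.**",
            permission="some-permission",
            argument="argument",
            granted_on=ANY,
            is_alias=False,
            grant_id=ANY,
        )
    ]
    setup.graph.update_from_db(setup.session)
    assert service.permission_grants_for_service_account(
        "*****@*****.**") == expected

    # Delegation from permission admin.
    mock_ui.reset_mock()
    usecase = setup.usecase_factory.create_grant_permission_to_service_account_usecase(
        "*****@*****.**", mock_ui)
    assert usecase.can_grant_permissions_for_service_account(
        "*****@*****.**")
    usecase.grant_permission_to_service_account("other-permission", "argument",
                                                "*****@*****.**")
    assert mock_ui.mock_calls == [
        call.granted_permission_to_service_account("other-permission",
                                                   "argument",
                                                   "*****@*****.**")
    ]
    expected.append(
        ServiceAccountPermissionGrant(
            service_account="*****@*****.**",
            permission="other-permission",
            argument="argument",
            granted_on=ANY,
            is_alias=False,
            grant_id=ANY,
        ))
    setup.graph.update_from_db(setup.session)
    assert service.permission_grants_for_service_account(
        "*****@*****.**") == expected

    # Delegation from a permission admin that happens to be a service account.
    mock_ui.reset_mock()
    usecase = setup.usecase_factory.create_grant_permission_to_service_account_usecase(
        "*****@*****.**", mock_ui)
    # The authorization check must run against the service-account actor's
    # usecase created just above, not the previous (human admin) usecase,
    # otherwise this path's authorization is never actually asserted.
    assert usecase.can_grant_permissions_for_service_account(
        "*****@*****.**")
    usecase.grant_permission_to_service_account("other-permission", "*",
                                                "*****@*****.**")
    assert mock_ui.mock_calls == [
        call.granted_permission_to_service_account("other-permission", "*",
                                                   "*****@*****.**")
    ]
    expected.append(
        ServiceAccountPermissionGrant(
            service_account="*****@*****.**",
            permission="other-permission",
            argument="*",
            granted_on=ANY,
            is_alias=False,
            grant_id=ANY,
        ))
    setup.graph.update_from_db(setup.session)
    assert service.permission_grants_for_service_account(
        "*****@*****.**") == expected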