def test_permission_exclude_inactive(session, standard_graph):
"""Ensure disabled groups are excluded from permission data."""
group = Group.get(session, name="team-sre")
permission = Permission.get(session, name="ssh")
assert "team-sre" in [g[0] for g in get_groups_by_permission(session, permission)]
group.disable()
assert "team-sre" not in [g[0] for g in get_groups_by_permission(session, permission)]
def get(self, name=None):
# TODO: use cached data instead, add refresh to appropriate redirects.
permission = Permission.get(self.session, name)
if not permission:
return self.notfound()
can_delete = self.current_user.permission_admin
mapped_groups = get_groups_by_permission(self.session, permission)
log_entries = get_log_entries_by_permission(self.session, permission)
self.render(
"permission.html", permission=permission, can_delete=can_delete,
mapped_groups=mapped_groups, log_entries=log_entries,
)
def get(self, name=None):
# TODO: use cached data instead, add refresh to appropriate redirects.
permission = Permission.get(self.session, name)
if not permission:
return self.notfound()
can_change_audit_status = user_is_permission_admin(
self.session, self.current_user)
can_delete = user_is_permission_admin(self.session, self.current_user)
mapped_groups = get_groups_by_permission(self.session, permission)
log_entries = get_log_entries_by_permission(self.session, permission)
self.render(
"permission.html",
permission=permission,
can_delete=can_delete,
mapped_groups=mapped_groups,
log_entries=log_entries,
can_change_audit_status=can_change_audit_status,
)
def test_exclude_disabled_permissions(
session, standard_graph, graph, users, groups, permissions # noqa: F811
):
"""
Ensure that disabled permissions are excluded from various
functions/methods that return data from the models.
"""
perm_ssh = get_permission(session, "ssh")
perm_grant = create_permission(session, PERMISSION_GRANT)
session.commit()
# this user has grouper.permission.grant with argument "ssh/*"
grant_permission(groups["group-admins"], perm_grant, argument="ssh/*")
graph.update_from_db(session)
grant_perms = [
x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT
]
assert "ssh" == filter_grantable_permissions(session, grant_perms)[0][0].name
assert "ssh" in (p.name for p in get_all_permissions(session))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=False))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True))
assert "ssh" in get_grantable_permissions(session, [])
assert "team-sre" in [g[0] for g in get_groups_by_permission(session, perm_ssh)]
assert get_owner_arg_list(session, perm_ssh, "*")
assert "ssh" in get_owners_by_grantable_permission(session)
assert "ssh" in (x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"]))
assert user_has_permission(session, users["*****@*****.**"], "ssh")
assert "ssh" in (p.name for p in user_permissions(session, users["*****@*****.**"]))
assert "ssh" in (p["permission"] for p in graph.get_group_details("team-sre")["permissions"])
assert "ssh" in (pt.name for pt in graph.get_permissions())
assert "team-sre" in graph.get_permission_details("ssh")["groups"]
assert "ssh" in (p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"])
# now disable the ssh permission
disable_permission(session, "ssh", users["*****@*****.**"].id)
graph.update_from_db(session)
grant_perms = [
x for x in user_permissions(session, users["*****@*****.**"]) if x.name == PERMISSION_GRANT
]
assert not filter_grantable_permissions(session, grant_perms)
assert "ssh" not in (p.name for p in get_all_permissions(session))
assert "ssh" not in (p.name for p in get_all_permissions(session, include_disabled=False))
assert "ssh" in (p.name for p in get_all_permissions(session, include_disabled=True))
assert "ssh" not in get_grantable_permissions(session, [])
assert not get_groups_by_permission(session, perm_ssh)
assert not get_owner_arg_list(session, perm_ssh, "*")
assert "ssh" not in get_owners_by_grantable_permission(session)
assert "ssh" not in (
x[0].name for x in user_grantable_permissions(session, users["*****@*****.**"])
)
assert not user_has_permission(session, users["*****@*****.**"], "ssh")
assert "ssh" not in (p.name for p in user_permissions(session, users["*****@*****.**"]))
assert "ssh" not in (
p["permission"] for p in graph.get_group_details("team-sre")["permissions"]
)
assert "ssh" not in (pt.name for pt in graph.get_permissions())
assert not graph.get_permission_details("ssh")["groups"]
assert "ssh" not in (
p["permission"] for p in graph.get_user_details("*****@*****.**")["permissions"]
)