def test_expand_defacl():
from ldap2pg.privilege import DefAcl, Acl, Grant, UserError
priv = DefAcl('select', grant='ALTER FOR GRANT SELECT')
item0 = Grant('select', Grant.ALL_DATABASES, schema=Grant.ALL_SCHEMAS)
item1 = Grant('select', ['postgres'], schema=['information_schema'])
assert repr(item0.schema)
set_ = Acl([item0, item1])
items = sorted(
set_.expandgrants(
aliases=dict(select=['select']),
privileges={priv.name: priv},
databases=dict(
postgres=dict(information_schema=['postgres'], ),
template1=dict(information_schema=['postgres'], ),
),
),
key=lambda x: x.dbname,
)
assert 3 == len(items)
assert 'postgres' == items[0].dbname
assert 'template1' == items[2].dbname
with pytest.raises(UserError):
list(
set_.expandgrants(
aliases=dict(select=['select']),
privileges={priv.name: priv},
databases=dict(),
))
def test_grant_object():
from ldap2pg.privilege import Privilege, Grant
priv = Privilege(name='connect', grant='GRANT {database} TO {role};')
item = Grant(priv.name, dbname='backend', schema=None, role='daniel')
qry = priv.grant(item)
assert 'GRANT "backend"' in qry.args[0]
assert 'daniel' in qry.args[0]
assert 'db' in repr(Grant('p', ['db'], ['schema']))
def test_grant_set():
from ldap2pg.privilege import Grant, Acl
acl0 = Grant('ro', 'postgres', None, 'alice')
acl1 = Grant.from_row('ro', 'postgres', None, 'bob')
assert acl0 < acl1
duplicata = Grant('ro', 'postgres', None, 'alice')
set_ = Acl([acl0, acl1, duplicata])
assert 2 == len(set_)
assert 'postgres' in str(acl0)
assert 'ro' in repr(acl0)
assert acl0 != acl1
assert acl0 == duplicata
def test_expand_global_defacl():
from ldap2pg.inspector import Database, Schema
from ldap2pg.privilege import GlobalDefAcl, Grant
priv = GlobalDefAcl('c', grant='GRANT CONNECT')
item = Grant('c', dbname=Grant.ALL_DATABASES, schema=None)
dbmap = {}
db = Database('postgres', 'postgres')
dbmap[db.name] = db
nsp = Schema('public', ['admin'])
db.schemas[nsp.name] = nsp
db = Database('template1', 'postgres')
dbmap[db.name] = db
nsp = Schema('public', ['postgres'])
db.schemas[nsp.name] = nsp
items = sorted(
priv.expand(item, databases=dbmap),
key=lambda x: x.owner,
)
assert 2 == len(items)
item = items[0]
assert 'postgres' == item.dbname
assert item.schema is None
assert 'admin' == item.owner
item = items[1]
assert 'template1' == item.dbname
assert item.schema is None
assert 'postgres' == item.owner
def test_grant_object():
from ldap2pg.privilege import Privilege, Grant
from ldap2pg.role import Role
priv = Privilege(name='connect', grant='GRANT {database} TO {role};')
item = Grant(priv.name, dbname='backend', schema=None, role='daniel')
qry = priv.grant(item)
assert 'GRANT "backend"' in qry.args[0]
assert 'daniel' in qry.args[0]
assert 'db' in repr(Grant('p', ['db'], ['schema']))
# Test hash with Role object.
str_h = hash(Grant('priv', ['db'], ['schema'], role=Role(u'rôle')))
obj_h = hash(Grant('priv', ['db'], ['schema'], role=u'rôle'))
assert str_h == obj_h
def test_revoke():
from ldap2pg.privilege import Privilege, Grant
priv = Privilege(name='connect', revoke='REVOKE {database} FROM {role};')
item = Grant(priv.name, dbname='backend', schema=None, role='daniel')
qry = priv.revoke(item)
assert 'REVOKE "backend"' in qry.args[0]
assert 'daniel' in qry.args[0]
def test_postprocess_acl_inexistant_privilege():
from ldap2pg.manager import SyncManager, UserError
from ldap2pg.privilege import Acl, Grant
manager = SyncManager()
with pytest.raises(UserError):
manager.postprocess_acl(
acl=Acl([Grant('inexistant')]),
schemas=dict(postgres=dict(public=['postgres'])),
)
def test_expand_nok():
from ldap2pg.privilege import Acl, Grant
set_ = Acl([Grant('inexistant')])
with pytest.raises(ValueError):
list(set_.expandgrants(
aliases=dict(),
privileges=dict(),
databases=dict(),
))
set_ = Acl([Grant('inexistant_dep')])
with pytest.raises(ValueError):
list(set_.expandgrants(
aliases=dict(inexistant_dep=['inexistant']),
privileges=dict(),
databases=dict(),
))
def test_diff(mocker):
from ldap2pg.privilege import Privilege, Grant, Acl
priv = Privilege(name='priv', revoke='REVOKE {role}', grant='GRANT {role}')
nogrant = Privilege(name='nogrant', revoke='REVOKE')
norvk = Privilege(name='norvk', grant='GRANT')
privileges = {p.name: p for p in [priv, nogrant, norvk]}
item0 = Grant(privilege=priv.name, dbname='backend', role='daniel')
pgacl = Acl([
item0,
Grant(privilege=priv.name, dbname='backend', role='alice'),
Grant(priv.name, dbname='backend', role='irrelevant', full=None),
Grant(privilege=norvk.name, role='torevoke'),
])
ldapacl = Acl([
item0,
Grant(privilege=priv.name, dbname='backend', role='david'),
Grant(privilege=nogrant.name, role='togrant'),
])
queries = [q.args[0] for q in pgacl.diff(ldapacl, privileges)]
assert not fnfilter(queries, 'REVOKE "daniel"*')
assert fnfilter(queries, 'REVOKE "alice"*')
assert fnfilter(queries, 'GRANT "david"*')
def test_inspect_ldap_grants(mocker):
from ldap2pg.manager import SyncManager
from ldap2pg.privilege import Grant, NspAcl
from ldap2pg.utils import make_group_map
privileges = dict(ro=NspAcl(name='ro'))
manager = SyncManager(
psql=mocker.Mock(),
ldapconn=mocker.Mock(),
privileges=privileges,
privilege_aliases=make_group_map(privileges),
inspector=mocker.Mock(name='inspector'),
)
manager.inspector.roles_blacklist = ['blacklisted']
rule = mocker.Mock(name='grant')
rule.generate.return_value = [
Grant('ro', 'postgres', None, 'alice'),
Grant('ro', 'postgres', None, 'blacklisted'),
]
syncmap = [dict(roles=[], grant=[rule])]
_, grants = manager.inspect_ldap(syncmap=syncmap)
assert 1 == len(grants)
def test_expand_datacl():
from ldap2pg.privilege import DatAcl, Grant
priv = DatAcl('c', grant='GRANT CONNECT')
item = Grant('c', dbname=Grant.ALL_DATABASES, schema=None)
items = sorted(priv.expand(
item, databases=dict(postgres=0xbad, template1="ignored value"),
), key=lambda x: x.dbname)
assert 2 == len(items)
assert 'postgres' == items[0].dbname
assert items[0].schema is None
assert 'template1' == items[1].dbname
assert items[1].schema is None
def test_postprocess_acl_bad_database():
from ldap2pg.manager import SyncManager, UserError
from ldap2pg.privilege import NspAcl, Grant, Acl
from ldap2pg.utils import make_group_map
privileges = dict(ro=NspAcl(name='ro', inspect='SQL'))
manager = SyncManager(
privileges=privileges,
privilege_aliases=make_group_map(privileges),
)
acl = Acl([Grant('ro', ['inexistantdb'], None, 'alice')])
schemas = dict(postgres=dict(public=['postgres']))
with pytest.raises(UserError) as ei:
manager.postprocess_acl(acl, schemas)
assert 'inexistantdb' in str(ei.value)
def test_expand_global_defacl():
from ldap2pg.privilege import GlobalDefAcl, Grant
priv = GlobalDefAcl('c', grant='GRANT CONNECT')
item = Grant('c', dbname=Grant.ALL_DATABASES, schema=None)
items = sorted(priv.expand(
item, databases=dict(postgres=dict(public=['postgres', 'admin'])),
), key=lambda x: x.owner)
assert 2 == len(items)
item = items[0]
assert 'postgres' == item.dbname
assert item.schema is None
assert 'admin' == item.owner
item = items[1]
assert 'postgres' == item.dbname
assert item.schema is None
assert 'postgres' == item.owner
def test_expand_datacl():
from ldap2pg.inspector import Database
from ldap2pg.privilege import DatAcl, Grant
priv = DatAcl('c', grant='GRANT CONNECT')
item = Grant('c', dbname=Grant.ALL_DATABASES, schema=None)
dbmap = {}
db = Database('postgres', 'postgres')
dbmap[db.name] = db
db = Database('template1', 'postgres')
dbmap[db.name] = db
items = sorted(priv.expand(
item, databases=dbmap,
), key=lambda x: x.dbname)
assert 2 == len(items)
assert 'postgres' == items[0].dbname
assert items[0].schema is None
assert 'template1' == items[1].dbname
assert items[1].schema is None
def test_postprocess_grants():
from ldap2pg.manager import SyncManager
from ldap2pg.privilege import DefAcl, Grant, Acl
manager = SyncManager(
privileges=dict(ro=DefAcl(name='ro')),
privilege_aliases=dict(ro=['ro']),
)
# No owners
acl = manager.postprocess_acl(Acl(), schemas=dict())
assert 0 == len(acl)
acl = Acl([Grant(privilege='ro', dbname=['db'], schema=None)])
acl = manager.postprocess_acl(
acl,
schemas=dict(db=dict(
public=['postgres', 'owner'],
ns=['owner'],
)),
)
# One grant per schema, per owner
assert 3 == len(acl)