Beispiel #1
0
def test_expand_defacl():
    from ldap2pg.privilege import DefAcl, Acl, Grant, UserError

    priv = DefAcl('select', grant='ALTER FOR GRANT SELECT')
    item0 = Grant('select', Grant.ALL_DATABASES, schema=Grant.ALL_SCHEMAS)
    item1 = Grant('select', ['postgres'], schema=['information_schema'])

    assert repr(item0.schema)

    set_ = Acl([item0, item1])

    items = sorted(
        set_.expandgrants(
            aliases=dict(select=['select']),
            privileges={priv.name: priv},
            databases=dict(
                postgres=dict(information_schema=['postgres'], ),
                template1=dict(information_schema=['postgres'], ),
            ),
        ),
        key=lambda x: x.dbname,
    )

    assert 3 == len(items)
    assert 'postgres' == items[0].dbname
    assert 'template1' == items[2].dbname

    with pytest.raises(UserError):
        list(
            set_.expandgrants(
                aliases=dict(select=['select']),
                privileges={priv.name: priv},
                databases=dict(),
            ))
Beispiel #2
0
def test_grant_object():
    from ldap2pg.privilege import Privilege, Grant

    priv = Privilege(name='connect', grant='GRANT {database} TO {role};')
    item = Grant(priv.name, dbname='backend', schema=None, role='daniel')
    qry = priv.grant(item)

    assert 'GRANT "backend"' in qry.args[0]
    assert 'daniel' in qry.args[0]

    assert 'db' in repr(Grant('p', ['db'], ['schema']))
Beispiel #3
0
def test_grant_set():
    from ldap2pg.privilege import Grant, Acl

    acl0 = Grant('ro', 'postgres', None, 'alice')
    acl1 = Grant.from_row('ro', 'postgres', None, 'bob')
    assert acl0 < acl1

    duplicata = Grant('ro', 'postgres', None, 'alice')
    set_ = Acl([acl0, acl1, duplicata])

    assert 2 == len(set_)
    assert 'postgres' in str(acl0)
    assert 'ro' in repr(acl0)
    assert acl0 != acl1
    assert acl0 == duplicata
Beispiel #4
0
def test_expand_global_defacl():
    from ldap2pg.inspector import Database, Schema
    from ldap2pg.privilege import GlobalDefAcl, Grant

    priv = GlobalDefAcl('c', grant='GRANT CONNECT')
    item = Grant('c', dbname=Grant.ALL_DATABASES, schema=None)

    dbmap = {}
    db = Database('postgres', 'postgres')
    dbmap[db.name] = db
    nsp = Schema('public', ['admin'])
    db.schemas[nsp.name] = nsp
    db = Database('template1', 'postgres')
    dbmap[db.name] = db
    nsp = Schema('public', ['postgres'])
    db.schemas[nsp.name] = nsp

    items = sorted(
        priv.expand(item, databases=dbmap),
        key=lambda x: x.owner,
    )

    assert 2 == len(items)
    item = items[0]
    assert 'postgres' == item.dbname
    assert item.schema is None
    assert 'admin' == item.owner

    item = items[1]
    assert 'template1' == item.dbname
    assert item.schema is None
    assert 'postgres' == item.owner
Beispiel #5
0
def test_grant_object():
    from ldap2pg.privilege import Privilege, Grant
    from ldap2pg.role import Role

    priv = Privilege(name='connect', grant='GRANT {database} TO {role};')
    item = Grant(priv.name, dbname='backend', schema=None, role='daniel')
    qry = priv.grant(item)

    assert 'GRANT "backend"' in qry.args[0]
    assert 'daniel' in qry.args[0]

    assert 'db' in repr(Grant('p', ['db'], ['schema']))

    # Test hash with Role object.
    str_h = hash(Grant('priv', ['db'], ['schema'], role=Role(u'rôle')))
    obj_h = hash(Grant('priv', ['db'], ['schema'], role=u'rôle'))
    assert str_h == obj_h
Beispiel #6
0
def test_revoke():
    from ldap2pg.privilege import Privilege, Grant

    priv = Privilege(name='connect', revoke='REVOKE {database} FROM {role};')
    item = Grant(priv.name, dbname='backend', schema=None, role='daniel')
    qry = priv.revoke(item)

    assert 'REVOKE "backend"' in qry.args[0]
    assert 'daniel' in qry.args[0]
Beispiel #7
0
def test_postprocess_acl_inexistant_privilege():
    from ldap2pg.manager import SyncManager, UserError
    from ldap2pg.privilege import Acl, Grant

    manager = SyncManager()

    with pytest.raises(UserError):
        manager.postprocess_acl(
            acl=Acl([Grant('inexistant')]),
            schemas=dict(postgres=dict(public=['postgres'])),
        )
Beispiel #8
0
def test_expand_nok():
    from ldap2pg.privilege import Acl, Grant

    set_ = Acl([Grant('inexistant')])

    with pytest.raises(ValueError):
        list(set_.expandgrants(
            aliases=dict(),
            privileges=dict(),
            databases=dict(),
        ))

    set_ = Acl([Grant('inexistant_dep')])

    with pytest.raises(ValueError):
        list(set_.expandgrants(
            aliases=dict(inexistant_dep=['inexistant']),
            privileges=dict(),
            databases=dict(),
        ))
Beispiel #9
0
def test_diff(mocker):
    from ldap2pg.privilege import Privilege, Grant, Acl

    priv = Privilege(name='priv', revoke='REVOKE {role}', grant='GRANT {role}')
    nogrant = Privilege(name='nogrant', revoke='REVOKE')
    norvk = Privilege(name='norvk', grant='GRANT')
    privileges = {p.name: p for p in [priv, nogrant, norvk]}

    item0 = Grant(privilege=priv.name, dbname='backend', role='daniel')
    pgacl = Acl([
        item0,
        Grant(privilege=priv.name, dbname='backend', role='alice'),
        Grant(priv.name, dbname='backend', role='irrelevant', full=None),
        Grant(privilege=norvk.name, role='torevoke'),
    ])
    ldapacl = Acl([
        item0,
        Grant(privilege=priv.name, dbname='backend', role='david'),
        Grant(privilege=nogrant.name, role='togrant'),
    ])

    queries = [q.args[0] for q in pgacl.diff(ldapacl, privileges)]

    assert not fnfilter(queries, 'REVOKE "daniel"*')
    assert fnfilter(queries, 'REVOKE "alice"*')
    assert fnfilter(queries, 'GRANT "david"*')
Beispiel #10
0
def test_inspect_ldap_grants(mocker):
    from ldap2pg.manager import SyncManager
    from ldap2pg.privilege import Grant, NspAcl
    from ldap2pg.utils import make_group_map

    privileges = dict(ro=NspAcl(name='ro'))
    manager = SyncManager(
        psql=mocker.Mock(),
        ldapconn=mocker.Mock(),
        privileges=privileges,
        privilege_aliases=make_group_map(privileges),
        inspector=mocker.Mock(name='inspector'),
    )
    manager.inspector.roles_blacklist = ['blacklisted']
    rule = mocker.Mock(name='grant')
    rule.generate.return_value = [
        Grant('ro', 'postgres', None, 'alice'),
        Grant('ro', 'postgres', None, 'blacklisted'),
    ]
    syncmap = [dict(roles=[], grant=[rule])]

    _, grants = manager.inspect_ldap(syncmap=syncmap)

    assert 1 == len(grants)
Beispiel #11
0
def test_expand_datacl():
    from ldap2pg.privilege import DatAcl, Grant

    priv = DatAcl('c', grant='GRANT CONNECT')
    item = Grant('c', dbname=Grant.ALL_DATABASES, schema=None)

    items = sorted(priv.expand(
        item, databases=dict(postgres=0xbad, template1="ignored value"),
    ),    key=lambda x: x.dbname)

    assert 2 == len(items)
    assert 'postgres' == items[0].dbname
    assert items[0].schema is None
    assert 'template1' == items[1].dbname
    assert items[1].schema is None
Beispiel #12
0
def test_postprocess_acl_bad_database():
    from ldap2pg.manager import SyncManager, UserError
    from ldap2pg.privilege import NspAcl, Grant, Acl
    from ldap2pg.utils import make_group_map

    privileges = dict(ro=NspAcl(name='ro', inspect='SQL'))
    manager = SyncManager(
        privileges=privileges,
        privilege_aliases=make_group_map(privileges),
    )

    acl = Acl([Grant('ro', ['inexistantdb'], None, 'alice')])
    schemas = dict(postgres=dict(public=['postgres']))

    with pytest.raises(UserError) as ei:
        manager.postprocess_acl(acl, schemas)
    assert 'inexistantdb' in str(ei.value)
Beispiel #13
0
def test_expand_global_defacl():
    from ldap2pg.privilege import GlobalDefAcl, Grant

    priv = GlobalDefAcl('c', grant='GRANT CONNECT')
    item = Grant('c', dbname=Grant.ALL_DATABASES, schema=None)

    items = sorted(priv.expand(
        item, databases=dict(postgres=dict(public=['postgres', 'admin'])),
    ), key=lambda x: x.owner)

    assert 2 == len(items)
    item = items[0]
    assert 'postgres' == item.dbname
    assert item.schema is None
    assert 'admin' == item.owner

    item = items[1]
    assert 'postgres' == item.dbname
    assert item.schema is None
    assert 'postgres' == item.owner
Beispiel #14
0
def test_expand_datacl():
    from ldap2pg.inspector import Database
    from ldap2pg.privilege import DatAcl, Grant

    priv = DatAcl('c', grant='GRANT CONNECT')
    item = Grant('c', dbname=Grant.ALL_DATABASES, schema=None)

    dbmap = {}
    db = Database('postgres', 'postgres')
    dbmap[db.name] = db
    db = Database('template1', 'postgres')
    dbmap[db.name] = db

    items = sorted(priv.expand(
        item, databases=dbmap,
    ),    key=lambda x: x.dbname)

    assert 2 == len(items)
    assert 'postgres' == items[0].dbname
    assert items[0].schema is None
    assert 'template1' == items[1].dbname
    assert items[1].schema is None
Beispiel #15
0
def test_postprocess_grants():
    from ldap2pg.manager import SyncManager
    from ldap2pg.privilege import DefAcl, Grant, Acl

    manager = SyncManager(
        privileges=dict(ro=DefAcl(name='ro')),
        privilege_aliases=dict(ro=['ro']),
    )

    # No owners
    acl = manager.postprocess_acl(Acl(), schemas=dict())
    assert 0 == len(acl)

    acl = Acl([Grant(privilege='ro', dbname=['db'], schema=None)])
    acl = manager.postprocess_acl(
        acl,
        schemas=dict(db=dict(
            public=['postgres', 'owner'],
            ns=['owner'],
        )),
    )

    # One grant per schema, per owner
    assert 3 == len(acl)