def test_grants(mocker): pg = mocker.patch('ldap2pg.inspector.PostgresInspector.process_grants', autospec=True) from ldap2pg.inspector import PostgresInspector, Grant from ldap2pg.privilege import NspAcl privileges = dict( noinspect=NspAcl(name='noinspect'), ro=NspAcl(name='ro', inspect='SQL'), ) pg.return_value = [ Grant('ro', 'db', None, 'alice'), Grant('ro', 'db', None, 'public'), Grant('ro', 'db', None, 'unmanaged'), Grant('ro', 'db', 'unmanaged', 'alice'), Grant('ro', 'db', None, 'alice', owner='unmanaged'), ] psql = mocker.MagicMock(name='psql') psql.itersessions.return_value = [('db', psql)] inspector = PostgresInspector(psql=psql, privileges=privileges) grants = inspector.fetch_grants( schemas=dict(db=dict(public=['owner'])), roles=['alice', 'public'], ) assert 2 == len(grants) grantees = [a.role for a in grants] assert 'public' in grantees assert 'alice' in grantees
def test_grants_cached(mocker): cls = 'ldap2pg.inspector.PostgresInspector' pg = mocker.patch(cls + '.process_grants', autospec=True) mocker.patch(cls + '.fetch_shared_query', autospec=True) from ldap2pg.inspector import Database, PostgresInspector, Schema from ldap2pg.privilege import NspAcl privileges = dict(cached=NspAcl( 'cached', inspect=dict(shared_query='shared', keys=['CACHED']))) pg.return_value = [] pool = mocker.Mock(name='pool') conn = pool.getconn.return_value conn.query.return_value = [] inspector = PostgresInspector(pool=pool, privileges=privileges) db = Database('db', owner='postgres') db.schemas['public'] = Schema('public', owners=['owner']) grants = inspector.fetch_grants( databases=[db], roles=['alice', 'public'], ) assert 0 == len(grants)
def test_grants(mocker): pg = mocker.patch('ldap2pg.inspector.PostgresInspector.process_grants', autospec=True) from ldap2pg.inspector import Database, Grant, PostgresInspector, Schema from ldap2pg.privilege import NspAcl privileges = dict( noinspect=NspAcl(name='noinspect'), ro=NspAcl(name='ro', inspect='SQL'), ) pg.return_value = [ Grant('ro', 'db', None, 'alice'), Grant('ro', 'db', None, 'public'), Grant('ro', 'db', None, 'unmanaged'), Grant('ro', 'db', 'unmanaged', 'alice'), Grant('ro', 'db', None, 'alice', owner='unmanaged'), ] pool = mocker.Mock(name='pool') conn = pool.getconn.return_value conn.query.return_value = [] inspector = PostgresInspector(pool=pool, privileges=privileges) db = Database('db', owner='postgres') db.schemas['public'] = Schema('public', owners=['owner']) grants = inspector.fetch_grants( databases=[db], roles=['alice', 'public'], ) assert 2 == len(grants) grantees = [a.role for a in grants] assert 'public' in grantees assert 'alice' in grantees
def test_postprocess_acl_bad_database(): from ldap2pg.manager import SyncManager, Grant, Acl, UserError from ldap2pg.privilege import NspAcl from ldap2pg.utils import make_group_map privileges = dict(ro=NspAcl(name='ro', inspect='SQL')) manager = SyncManager( privileges=privileges, privilege_aliases=make_group_map(privileges), ) acl = Acl([Grant('ro', ['inexistantdb'], None, 'alice')]) schemas = dict(postgres=dict(public=['postgres'])) with pytest.raises(UserError) as ei: manager.postprocess_acl(acl, schemas) assert 'inexistantdb' in str(ei.value)
def test_inspect_ldap_grants(mocker): la = mocker.patch( 'ldap2pg.manager.SyncManager.apply_grant_rules', autospec=True) from ldap2pg.manager import SyncManager, Grant from ldap2pg.privilege import NspAcl from ldap2pg.utils import make_group_map privileges = dict(ro=NspAcl(name='ro')) la.return_value = [Grant('ro', 'postgres', None, 'alice')] manager = SyncManager( psql=mocker.Mock(), ldapconn=mocker.Mock(), privileges=privileges, privilege_aliases=make_group_map(privileges) ) syncmap = [dict(roles=[], grant=dict(privilege='ro'))] _, grants = manager.inspect_ldap(syncmap=syncmap) assert 1 == len(grants)
def test_grants_cached(mocker): cls = 'ldap2pg.inspector.PostgresInspector' pg = mocker.patch(cls + '.process_grants', autospec=True) mocker.patch(cls + '.fetch_shared_query', autospec=True) from ldap2pg.inspector import PostgresInspector from ldap2pg.privilege import NspAcl privileges = dict(cached=NspAcl( 'cached', inspect=dict(shared_query='shared', keys=['CACHED']))) pg.return_value = [] psql = mocker.MagicMock(name='psql') psql.itersessions.return_value = [('db', mocker.Mock())] inspector = PostgresInspector(psql=psql, privileges=privileges) grants = inspector.fetch_grants( schemas=dict(db=dict(public=['owner'])), roles=['alice', 'public'], ) assert 0 == len(grants)
def test_inspect_ldap_grants(mocker): from ldap2pg.manager import SyncManager from ldap2pg.privilege import Grant, NspAcl from ldap2pg.utils import make_group_map privileges = dict(ro=NspAcl(name='ro')) manager = SyncManager( psql=mocker.Mock(), ldapconn=mocker.Mock(), privileges=privileges, privilege_aliases=make_group_map(privileges), inspector=mocker.Mock(name='inspector'), ) manager.inspector.roles_blacklist = ['blacklisted'] rule = mocker.Mock(name='grant') rule.generate.return_value = [ Grant('ro', 'postgres', None, 'alice'), Grant('ro', 'postgres', None, 'blacklisted'), ] syncmap = [dict(roles=[], grant=[rule])] _, grants = manager.inspect_ldap(syncmap=syncmap) assert 1 == len(grants)