def test_grants(mocker):
pg = mocker.patch('ldap2pg.inspector.PostgresInspector.process_grants',
autospec=True)
from ldap2pg.inspector import PostgresInspector, Grant
from ldap2pg.privilege import NspAcl
privileges = dict(
noinspect=NspAcl(name='noinspect'),
ro=NspAcl(name='ro', inspect='SQL'),
)
pg.return_value = [
Grant('ro', 'db', None, 'alice'),
Grant('ro', 'db', None, 'public'),
Grant('ro', 'db', None, 'unmanaged'),
Grant('ro', 'db', 'unmanaged', 'alice'),
Grant('ro', 'db', None, 'alice', owner='unmanaged'),
]
psql = mocker.MagicMock(name='psql')
psql.itersessions.return_value = [('db', psql)]
inspector = PostgresInspector(psql=psql, privileges=privileges)
grants = inspector.fetch_grants(
schemas=dict(db=dict(public=['owner'])),
roles=['alice', 'public'],
)
assert 2 == len(grants)
grantees = [a.role for a in grants]
assert 'public' in grantees
assert 'alice' in grantees
def test_grants_cached(mocker):
cls = 'ldap2pg.inspector.PostgresInspector'
pg = mocker.patch(cls + '.process_grants', autospec=True)
mocker.patch(cls + '.fetch_shared_query', autospec=True)
from ldap2pg.inspector import Database, PostgresInspector, Schema
from ldap2pg.privilege import NspAcl
privileges = dict(cached=NspAcl(
'cached', inspect=dict(shared_query='shared', keys=['CACHED'])))
pg.return_value = []
pool = mocker.Mock(name='pool')
conn = pool.getconn.return_value
conn.query.return_value = []
inspector = PostgresInspector(pool=pool, privileges=privileges)
db = Database('db', owner='postgres')
db.schemas['public'] = Schema('public', owners=['owner'])
grants = inspector.fetch_grants(
databases=[db],
roles=['alice', 'public'],
)
assert 0 == len(grants)
def test_grants(mocker):
pg = mocker.patch('ldap2pg.inspector.PostgresInspector.process_grants',
autospec=True)
from ldap2pg.inspector import Database, Grant, PostgresInspector, Schema
from ldap2pg.privilege import NspAcl
privileges = dict(
noinspect=NspAcl(name='noinspect'),
ro=NspAcl(name='ro', inspect='SQL'),
)
pg.return_value = [
Grant('ro', 'db', None, 'alice'),
Grant('ro', 'db', None, 'public'),
Grant('ro', 'db', None, 'unmanaged'),
Grant('ro', 'db', 'unmanaged', 'alice'),
Grant('ro', 'db', None, 'alice', owner='unmanaged'),
]
pool = mocker.Mock(name='pool')
conn = pool.getconn.return_value
conn.query.return_value = []
inspector = PostgresInspector(pool=pool, privileges=privileges)
db = Database('db', owner='postgres')
db.schemas['public'] = Schema('public', owners=['owner'])
grants = inspector.fetch_grants(
databases=[db],
roles=['alice', 'public'],
)
assert 2 == len(grants)
grantees = [a.role for a in grants]
assert 'public' in grantees
assert 'alice' in grantees
def test_postprocess_acl_bad_database():
from ldap2pg.manager import SyncManager, Grant, Acl, UserError
from ldap2pg.privilege import NspAcl
from ldap2pg.utils import make_group_map
privileges = dict(ro=NspAcl(name='ro', inspect='SQL'))
manager = SyncManager(
privileges=privileges, privilege_aliases=make_group_map(privileges),
)
acl = Acl([Grant('ro', ['inexistantdb'], None, 'alice')])
schemas = dict(postgres=dict(public=['postgres']))
with pytest.raises(UserError) as ei:
manager.postprocess_acl(acl, schemas)
assert 'inexistantdb' in str(ei.value)
def test_inspect_ldap_grants(mocker):
la = mocker.patch(
'ldap2pg.manager.SyncManager.apply_grant_rules', autospec=True)
from ldap2pg.manager import SyncManager, Grant
from ldap2pg.privilege import NspAcl
from ldap2pg.utils import make_group_map
privileges = dict(ro=NspAcl(name='ro'))
la.return_value = [Grant('ro', 'postgres', None, 'alice')]
manager = SyncManager(
psql=mocker.Mock(), ldapconn=mocker.Mock(), privileges=privileges,
privilege_aliases=make_group_map(privileges)
)
syncmap = [dict(roles=[], grant=dict(privilege='ro'))]
_, grants = manager.inspect_ldap(syncmap=syncmap)
assert 1 == len(grants)
def test_grants_cached(mocker):
cls = 'ldap2pg.inspector.PostgresInspector'
pg = mocker.patch(cls + '.process_grants', autospec=True)
mocker.patch(cls + '.fetch_shared_query', autospec=True)
from ldap2pg.inspector import PostgresInspector
from ldap2pg.privilege import NspAcl
privileges = dict(cached=NspAcl(
'cached', inspect=dict(shared_query='shared', keys=['CACHED'])))
pg.return_value = []
psql = mocker.MagicMock(name='psql')
psql.itersessions.return_value = [('db', mocker.Mock())]
inspector = PostgresInspector(psql=psql, privileges=privileges)
grants = inspector.fetch_grants(
schemas=dict(db=dict(public=['owner'])),
roles=['alice', 'public'],
)
assert 0 == len(grants)
def test_inspect_ldap_grants(mocker):
from ldap2pg.manager import SyncManager
from ldap2pg.privilege import Grant, NspAcl
from ldap2pg.utils import make_group_map
privileges = dict(ro=NspAcl(name='ro'))
manager = SyncManager(
psql=mocker.Mock(),
ldapconn=mocker.Mock(),
privileges=privileges,
privilege_aliases=make_group_map(privileges),
inspector=mocker.Mock(name='inspector'),
)
manager.inspector.roles_blacklist = ['blacklisted']
rule = mocker.Mock(name='grant')
rule.generate.return_value = [
Grant('ro', 'postgres', None, 'alice'),
Grant('ro', 'postgres', None, 'blacklisted'),
]
syncmap = [dict(roles=[], grant=[rule])]
_, grants = manager.inspect_ldap(syncmap=syncmap)
assert 1 == len(grants)
