def test_inspect_ldap_roles(mocker): ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap') from ldap2pg.manager import SyncManager from ldap2pg.role import Role ql.return_value = [('dn', {}, {})] manager = SyncManager( ldapconn=mocker.Mock(), inspector=mocker.Mock(name='inspector'), ) manager.inspector.roles_blacklist = ['blacklisted'] rule0 = mocker.Mock(name='rule0', all_fields=[]) rule0.generate.return_value = [Role('alice', options=dict(LOGIN=True))] rule1 = mocker.Mock(name='rule1', all_fields=[]) rule1.generate.return_value = [Role('bob')] rule2 = mocker.Mock(name='rule2', all_fields=[]) rule2.generate.return_value = [Role('blacklisted')] # Minimal effective syncmap syncmap = [ dict(roles=[]), dict( ldap=dict(base='ou=users,dc=tld', filter='*', attributes=['cn']), roles=[rule0, rule1, rule2], ), ] ldaproles, _ = manager.inspect_ldap(syncmap=syncmap) assert 'alice' in ldaproles assert 'bob' in ldaproles
def test_rename(): from ldap2pg.role import Role a = Role(name='Alan') queries = [q.args[0] for q in a.rename()] alter = queries[0] assert 'RENAME TO' in alter
def test_rename_query(): from ldap2pg.role import Role a = Role(name='alan') b = Role(name='Alan') queries = [q.args[0] for q in a.rename(b)] assert '"alan" RENAME TO "Alan"' in queries[0]
def test_comment(): from ldap2pg.role import Role a = Role(name='alan') b = Role(name='alan', comment='New comment') queries = [q.args[0] for q in a.alter(b)] assert 'COMMENT ON ROLE "alan"' in queries[0]
def test_drop(): from ldap2pg.role import Role role = Role(name='toto', members=['titi']) queries = [q.args[0] for q in role.drop()] assert fnfilter(queries, '*REASSIGN OWNED*DROP OWNED BY "toto";*') assert fnfilter(queries, 'DROP ROLE "toto";')
def test_create(): from ldap2pg.role import Role role = Role(name='toto', members=['titi'], comment='Mycom') queries = [q.args[0] for q in role.create()] assert fnfilter(queries, 'CREATE ROLE "toto" *;') assert fnfilter(queries, 'GRANT "toto" TO "titi";') assert fnfilter(queries, '*Mycom*')
def test_role(): from ldap2pg.role import Role role = Role(name='toto') assert 'toto' == role.name assert 'toto' == str(role) assert 'toto' in repr(role) roles = sorted([Role('b'), Role('a')]) assert ['a', 'b'] == roles
def test_alter(): from ldap2pg.role import Role a = Role(name='toto', members=['titi'], options=dict(LOGIN=True)) b = Role(name='toto', members=['tata'], options=dict(LOGIN=False)) queries = [q.args[0] for q in a.alter(a)] assert not queries queries = [q.args[0] for q in a.alter(b)] assert fnfilter(queries, 'ALTER ROLE "toto" *;') assert fnfilter(queries, 'GRANT "toto" TO "tata";') assert fnfilter(queries, 'REVOKE "toto" FROM "titi";')
def test_resolve_membership(): from ldap2pg.role import RoleSet, Role alice = Role('alice') bob = Role('bob', members=['oscar']) oscar = Role('oscar', parents=['alice', 'bob']) roles = RoleSet([alice, bob, oscar]) roles.resolve_membership() assert not oscar.parents assert 'oscar' in alice.members alice.parents = ['unknown'] with pytest.raises(ValueError): roles.resolve_membership()
def test_merge(): from ldap2pg.role import Role a = Role(name='daniel', parents=['group0']) b = Role(name='daniel', parents=['group1']) c = Role(name='daniel', members=['group2']) a.merge(b) assert 2 == len(a.parents) a.merge(c) assert 1 == len(a.members)
def test_role(): from ldap2pg.role import Role, RoleOptions role = Role(name='toto') assert 'toto' == role.name assert 'toto' == str(role) assert 'toto' in repr(role) roles = sorted([Role('b'), Role('a')]) assert ['a', 'b'] == roles row = ['name', ('member0', )] row += [True] * len(RoleOptions.SUPPORTED_COLUMNS) row += ['Managed by ldap2pg.'] role = Role.from_row(*row) assert 'Managed by ldap2pg.' == role.comment
def test_grant_object(): from ldap2pg.privilege import Privilege, Grant from ldap2pg.role import Role priv = Privilege(name='connect', grant='GRANT {database} TO {role};') item = Grant(priv.name, dbname='backend', schema=None, role='daniel') qry = priv.grant(item) assert 'GRANT "backend"' in qry.args[0] assert 'daniel' in qry.args[0] assert 'db' in repr(Grant('p', ['db'], ['schema'])) # Test hash with Role object. str_h = hash(Grant('priv', ['db'], ['schema'], role=Role(u'rôle'))) obj_h = hash(Grant('priv', ['db'], ['schema'], role=u'rôle')) assert str_h == obj_h
def test_diff_rename_members(): from ldap2pg.role import Role, RoleSet pgmanagedroles = RoleSet() pgallroles = pgmanagedroles.union({ Role('parent', members=['min2mix', 'min2min']), Role('min2mix'), Role('min2min'), }) ldaproles = RoleSet([ Role('parent', members=['Min2Mix', 'min2min']), Role('Min2Mix'), Role('min2min'), ]) queries = [q.args[0] for q in pgmanagedroles.diff(ldaproles, pgallroles)] # Don't modify membership. assert not fnfilter(queries, '*GRANT*') assert not fnfilter(queries, '*REVOKE*')
def test_diff(): from ldap2pg.role import Role, RoleSet pgmanagedroles = RoleSet([ Role('drop-me'), Role('alter-me', members=['rename-me']), Role('nothing'), Role('public'), Role('rename-me'), ]) pgallroles = pgmanagedroles.union({ Role('reuse-me'), Role('dont-touch-me'), }) ldaproles = RoleSet([ Role('reuse-me'), Role('alter-me', options=dict(LOGIN=True), members=['Rename-Me']), Role('nothing'), Role('create-me'), Role('Rename-Me'), ]) queries = [q.args[0] for q in pgmanagedroles.diff(ldaproles, pgallroles)] assert fnfilter(queries, 'ALTER ROLE "alter-me" WITH* LOGIN*;') assert fnfilter(queries, 'CREATE ROLE "create-me" *;') assert fnfilter(queries, '*DROP ROLE "drop-me";*') assert not fnfilter(queries, 'CREATE ROLE "reuse-me" *') assert not fnfilter(queries, '*nothing*') assert not fnfilter(queries, '*dont-touch-me*') assert not fnfilter(queries, '*public*')
def test_diff_rename(): from ldap2pg.role import Role, RoleSet pgmanagedroles = RoleSet([ Role('min2min'), Role('min2mix'), Role('min2maj'), ]) pgallroles = pgmanagedroles.union({ Role('Mix2Min'), Role('Mix2Mix'), Role('Mix2Maj'), Role('MAJ2MIN'), Role('MAJ2MIX'), Role('MAJ2MAJ'), }) ldaproles = RoleSet([ Role('min2min'), Role('Min2Mix'), Role('MIN2MAJ'), Role('mix2min'), Role('Mix2Mix'), Role('MIX2MAJ'), Role('maj2min'), Role('Maj2Mix'), Role('MAJ2MAJ'), ]) queries = [q.args[0] for q in pgmanagedroles.diff(ldaproles, pgallroles)] assert fnfilter(queries, '*"MAJ2MIX" RENAME TO "Maj2Mix";') assert fnfilter(queries, '*"MAJ2MIN" RENAME TO "maj2min";') assert fnfilter(queries, '*"min2mix" RENAME TO "Min2Mix";') assert fnfilter(queries, '*"min2maj" RENAME TO "MIN2MAJ";') assert fnfilter(queries, '*"Mix2Maj" RENAME TO "MIX2MAJ";') assert fnfilter(queries, '*"Mix2Min" RENAME TO "mix2min";') assert not fnfilter(queries, '*CREATE ROLE*')
def test_diff_not_rename(): from ldap2pg.role import Role, RoleSet pgmanagedroles = RoleSet() pgallroles = pgmanagedroles.union({ Role('ambigue_from'), Role('AMBIGUE_FROM'), Role('Ambigue_To'), Role('bothmin'), Role('BothMix'), }) ldaproles = RoleSet([ Role('Ambigue_From'), Role('ambigue_to'), Role('AMBIGUE_TO'), Role('bothmin'), Role('Bothmin'), Role('BothMix'), Role('bothmix'), ]) queries = [q.args[0] for q in pgmanagedroles.diff(ldaproles, pgallroles)] assert not fnfilter(queries, '* RENAME TO *') assert fnfilter(queries, '*CREATE ROLE "Ambigue_From"*') assert fnfilter(queries, '*CREATE ROLE "ambigue_to"*') assert fnfilter(queries, '*CREATE ROLE "AMBIGUE_TO"*')
def test_merge_options(): from ldap2pg.role import Role a = Role(name='daniel', options=dict(SUPERUSER=True)) b = Role(name='daniel', options=dict(SUPERUSER=False)) c = Role(name='daniel', options=dict(SUPERUSER=None)) d = Role(name='daniel', options=dict(SUPERUSER=None)) with pytest.raises(ValueError): a.merge(b) # True is kept a.merge(c) assert a.options['SUPERUSER'] is True # False is kept b.merge(c) assert b.options['SUPERUSER'] is False # None is kept c.merge(d) assert c.options['SUPERUSER'] is None # None is replaced. d.merge(a) assert d.options['SUPERUSER'] is True
def test_flatten(): from ldap2pg.role import RoleSet, Role roles = RoleSet() roles.add(Role('parent0', members=['child0', 'child1'])) roles.add(Role('parent1', members=['child2', 'child3'])) roles.add(Role('parent2', members=['child4'])) roles.add(Role('child0', members=['subchild0'])) roles.add(Role('child1', members=['subchild1', 'subchild2'])) roles.add(Role('child2', members=['outer0'])) roles.add(Role('child3')) roles.add(Role('child4')) roles.add(Role('subchild0')) roles.add(Role('subchild1')) roles.add(Role('subchild2')) order = list(roles.flatten()) wanted = [ 'subchild0', 'child0', 'subchild1', 'subchild2', 'child1', 'child2', 'child3', 'child4', 'parent0', 'parent1', 'parent2', ] assert wanted == order