def setUp(self):
super(AppTestBase, self).setUp()
self.bot_version = None
self.source_ip = '192.168.2.2'
self.testbed.init_user_stub()
self.testbed.init_search_stub()
# By default requests in tests are coming from bot with fake IP.
# WSGI app that implements auth REST API.
self.auth_app = webtest.TestApp(
auth.create_wsgi_application(debug=True),
extra_environ={
'REMOTE_ADDR': self.source_ip,
'SERVER_SOFTWARE': os.environ['SERVER_SOFTWARE'],
})
# Note that auth.ADMIN_GROUP != acl.ADMINS_GROUP.
auth.bootstrap_group(
auth.ADMIN_GROUP,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
acl.ADMINS_GROUP,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
acl.PRIVILEGED_USERS_GROUP,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
acl.USERS_GROUP,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
acl.BOTS_GROUP, [auth.Identity(auth.IDENTITY_BOT, self.source_ip)])
self.mock(stats_framework, 'add_entry', self._parse_line)
def test_get_pool_config(self):
self.mock_config(TEST_CONFIG)
self.assertTrue(pools_config.forbid_unknown_pools())
self.assertEqual(None, pools_config.get_pool_config('unknown'))
expected1 = pools_config.PoolConfig(
name=u'pool_name',
rev='rev',
scheduling_users=frozenset([
auth.Identity('user', '*****@*****.**'),
auth.Identity('user', '*****@*****.**'),
]),
scheduling_groups=frozenset([u'group2', u'group1']),
trusted_delegatees={
auth.Identity('user', '*****@*****.**'):
pools_config.TrustedDelegatee(
peer_id=auth.Identity('user', '*****@*****.**'),
required_delegation_tags=frozenset([u'k:tag1', u'k:tag2']),
),
},
service_accounts=frozenset([u'*****@*****.**', u'*****@*****.**']),
service_accounts_groups=(u'accounts_group1', u'accounts_group2'),
task_template_deployment=None)
expected2 = expected1._replace(name='another_name')
self.assertEqual(expected1, pools_config.get_pool_config('pool_name'))
self.assertEqual(expected2,
pools_config.get_pool_config('another_name'))
def setUp(self):
super(IsolateServiceTest, self).setUp()
self.testbed.init_blobstore_stub()
self.testbed.init_urlfetch_stub()
# It seems like there is a singleton state preserved across the tests,
# making it hard to re-run the complete setUp procedure. Therefore we pre-
# register all the possible identities being used in the tests.
all_authed_ids = [
auth.Identity(auth.IDENTITY_USER, '*****@*****.**'),
auth.Identity(auth.IDENTITY_USER,
'*****@*****.**'),
auth.Identity(auth.IDENTITY_SERVICE, 'adminapp'),
]
admin = all_authed_ids[0]
full_access_group = config.settings().auth.full_access_group
auth.bootstrap_group(full_access_group, all_authed_ids)
auth_testing.mock_get_current_identity(self, admin)
version = utils.get_app_version()
self.mock(utils, 'get_task_queue_host', lambda: version)
self.testbed.setup_env(current_version_id='testbed.version')
self.source_ip = '127.0.0.1'
# It is needed solely for self.execute_tasks(), which processes tasks queues
# on the backend application.
self.app = webtest.TestApp(
handlers_backend.create_application(debug=True),
extra_environ={'REMOTE_ADDR': self.source_ip})
# add a private key; signing depends on config.settings()
make_private_key()
# Remove the check for dev server in should_push_to_gs().
self.mock(utils, 'is_local_dev_server', lambda: False)
def bootstrap_dev_server_acls():
"""Adds default pools.cfg."""
assert utils.is_local_dev_server()
global _LOCAL_FAKE_CONFIG
_LOCAL_FAKE_CONFIG = _PoolsCfg(
{
'default': PoolConfig(
name='default',
rev='pools_cfg_rev',
scheduling_users=frozenset([
auth.Identity(auth.IDENTITY_USER, '*****@*****.**'),
auth.Identity(auth.IDENTITY_BOT, 'whitelisted-ip'),
]),
scheduling_groups=frozenset(),
trusted_delegatees={},
service_accounts=frozenset(),
service_accounts_groups=tuple(),
task_template_deployment=None,
bot_monitoring=None,
default_isolate=None,
default_cipd=None,
external_schedulers=None,
),
},
(None, None),
)
def test_success(self):
expected_task_def = self.task_def.copy()
expected_secrets = launcher_pb2.BuildSecrets(
build_token=self.build_token)
expected_task_def[u'task_slices'][0][u'properties'][
u'secret_bytes'] = (base64.b64encode(
expected_secrets.SerializeToString()))
net.json_request_async.return_value = future({'task_id': 'x'})
swarming._create_swarming_task(1)
actual_task_def = net.json_request_async.call_args[1]['payload']
self.assertEqual(actual_task_def, expected_task_def)
self.assertEqual(
net.json_request_async.call_args[0][0],
'https://swarming.example.com/_ah/api/swarming/v1/tasks/new')
# Test delegation token params.
self.assertEqual(auth.delegate_async.mock_calls, [
mock.call(
services=[u'https://swarming.example.com'],
audience=[auth.Identity('user', 'test@localhost')],
impersonate=auth.Identity('user', '*****@*****.**'),
tags=['buildbucket:bucket:chromium/try'],
)
])
def setUp(self):
"""Creates a new app instance for every test case."""
super(MainTest, self).setUp()
self.testbed.init_user_stub()
self.source_ip = '192.168.0.1'
self.app = webtest.TestApp(
handlers_frontend.create_application(debug=True),
extra_environ={'REMOTE_ADDR': self.source_ip})
self.auth_app = webtest.TestApp(
auth.create_wsgi_application(debug=True),
extra_environ={
'REMOTE_ADDR': self.source_ip,
'SERVER_SOFTWARE': os.environ['SERVER_SOFTWARE'],
})
full_access_group = config.settings().auth.full_access_group
readonly_access_group = config.settings().auth.readonly_access_group
auth.bootstrap_group(
auth.ADMIN_GROUP,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
readonly_access_group,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
full_access_group,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
self.set_as_anonymous()
def bootstrap_dev_server_acls():
"""Adds localhost to IP whitelist and Swarming groups."""
assert utils.is_local_dev_server()
if auth.is_replica():
return
bots = auth.bootstrap_loopback_ips()
auth_settings = config.settings().auth
admins_group = auth_settings.admins_group
users_group = auth_settings.users_group
bot_bootstrap_group = auth_settings.bot_bootstrap_group
auth.bootstrap_group(users_group, bots, 'Swarming users')
auth.bootstrap_group(bot_bootstrap_group, bots, 'Bot bootstrap')
# Add a swarming admin. [email protected] is used in
# server_smoke_test.py
admin = auth.Identity(auth.IDENTITY_USER, '*****@*****.**')
auth.bootstrap_group(admins_group, [admin], 'Swarming administrators')
# Add an instance admin (for easier manual testing when running dev server).
auth.bootstrap_group(
auth.ADMIN_GROUP,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')],
'Users that can manage groups')
def test_recipients_from_auth_group(self):
fake_listing = auth.GroupListing([
auth.Identity(auth.IDENTITY_USER, '*****@*****.**'),
auth.Identity(auth.IDENTITY_USER, '*****@*****.**'),
auth.Identity(auth.IDENTITY_SERVICE, 'blah-service'),
], [], [])
self.mock(auth, 'list_group', lambda _: fake_listing)
self.assertEqual(['*****@*****.**', '*****@*****.**'],
acl.get_ereporter2_recipients())
def test_modify_acl_ok(self):
self.mock(utils, 'utcnow', lambda: datetime.datetime(2014, 1, 1))
resp = self.call_api(
'modify_acl', {
'package_path':
'a/b',
'changes': [
{
'action': 'GRANT',
'role': 'OWNER',
'principal': 'user:[email protected]',
},
{
'action': 'GRANT',
'role': 'READER',
'principal': 'group:readers-group',
},
{
'action': 'REVOKE',
'role': 'WRITER',
'principal': 'anonymous:anonymous',
},
],
})
self.assertEqual(200, resp.status_code)
self.assertEqual({'status': 'SUCCESS'}, resp.json_body)
owner = acl.get_package_acls('a/b/c', 'OWNER')
self.assertEqual(1, len(owner))
self.assertEqual(
{
'groups': [],
'modified_by':
auth.Identity(kind='user', name='*****@*****.**'),
'modified_ts':
datetime.datetime(2014, 1, 1, 0, 0),
'rev':
1,
'users': [auth.Identity(kind='user', name='*****@*****.**')],
}, owner[0].to_dict())
reader = acl.get_package_acls('a/b/c', 'READER')
self.assertEqual(1, len(reader))
self.assertEqual(
{
'groups': ['readers-group'],
'modified_by':
auth.Identity(kind='user', name='*****@*****.**'),
'modified_ts':
datetime.datetime(2014, 1, 1, 0, 0),
'rev':
1,
'users': [],
}, reader[0].to_dict())
def test_create_task(self):
expected_task_def = self.task_def.copy()
expected_secrets = launcher_pb2.BuildSecrets(build_token=self.build_token)
expected_task_def[u'task_slices'][0][u'properties'][u'secret_bytes'] = (
base64.b64encode(expected_secrets.SerializeToString())
)
net.json_request_async.return_value = future({'task_id': 'x'})
swarming._sync_build_and_swarming(1, 0)
actual_task_def = net.json_request_async.call_args[1]['payload']
self.assertEqual(actual_task_def, expected_task_def)
self.assertEqual(
net.json_request_async.call_args[0][0],
'https://swarming.example.com/_ah/api/swarming/v1/tasks/new'
)
# Test delegation token params.
self.assertEqual(
auth.delegate_async.mock_calls, [
mock.call(
services=[u'https://swarming.example.com'],
audience=[auth.Identity('user', 'test@localhost')],
impersonate=auth.Identity('user', '*****@*****.**'),
tags=['buildbucket:bucket:chromium/try'],
)
]
)
# Assert that we've persisted information about the new task.
bundle = model.BuildBundle.get(1, infra=True)
self.assertIsNotNone(bundle)
self.assertTrue(bundle.build.swarming_task_key)
self.assertTrue(bundle.infra.parse().swarming.task_id)
expected_continuation_payload = {
'id': 1,
'generation': 1,
}
expected_continuation = {
'name': 'sync-task-1-1',
'url': '/internal/task/swarming/sync-build/1',
'payload': json.dumps(expected_continuation_payload, sort_keys=True),
'retry_options': {
'task_age_limit': model.BUILD_TIMEOUT.total_seconds()
},
'countdown': 60,
}
tq.enqueue_async.assert_called_with(
swarming.SYNC_QUEUE_NAME, [expected_continuation], transactional=False
)
def testGetGraphs(self):
self.mock(config, 'get_project_config', mock.Mock())
self.mock(auth, 'get_current_identity', mock.Mock())
self.mock(auth, 'is_group_member', mock.Mock(return_value=False))
mock_class1 = mock.Mock(
access=['group:all', '*****@*****.**', 'user:[email protected]'])
mock_class1.configure_mock(name="infra.git")
cfg = ("888", mock_class1)
config.get_project_config.return_value = cfg
auth.get_current_identity.return_value = auth.Identity(
'user', '*****@*****.**')
namespace_manager.set_namespace('projects.infra')
points = [main.PointModel(time=1.0, value=10.0)]
fields = [main.FieldModel(field_key='project_id', value='infra')]
ts = main.TimeSeriesModel(points=points,
fields=fields,
metric='disk_used')
ts.put()
response = self.call_api('get_graphs', {
"project_id": 'infra'
}).json_body
self.assertEquals(len(response['timeseries']), 1)
# User doesn't have access to the project.
auth.get_current_identity.return_value = auth.Identity(
'user', '*****@*****.**')
response = self.call_api('get_graphs', {
"project_id": 'infra'
}).json_body
self.assertEquals(len(response.keys()), 0)
auth.is_group_member.return_value = True
response = self.call_api('get_graphs', {
"project_id": 'infra'
}).json_body
self.assertEquals(len(response['timeseries']), 1)
auth.is_group_member.return_value = True
config.get_project_config.return_value = (None, None)
response = self.call_api('get_graphs', {"project_id": 'v8'}).json_body
self.assertEquals(len(response.keys()), 0)
# Project does not exist.
auth.is_group_member.return_value = True
config.get_project_config.return_value = (None, None)
response = self.call_api('get_graphs', {"project_id": '123'}).json_body
self.assertEquals(len(response.keys()), 0)
def test_config_service_is_trusted_requester(self):
self.mock(auth, 'is_admin', lambda: False)
config_identity = auth.Identity(
'user', '*****@*****.**')
self.mock(auth, 'get_current_identity', lambda: config_identity)
self.assertFalse(endpoint.is_trusted_requester())
common.ConfigSettings().modify(
service_hostname='luci-config.appspot.com',
trusted_config_account=auth.Identity(
'user', '*****@*****.**'),
)
common.ConfigSettings.clear_cache()
self.assertTrue(endpoint.is_trusted_requester())
def test_get_pool_config(self):
self.mock_config(TEST_CONFIG)
self.assertEqual(None, pools_config.get_pool_config('unknown'))
expected1 = pools_config.init_pool_config(
name=u'pool_name',
rev='rev',
scheduling_users=frozenset([
auth.Identity('user', '*****@*****.**'),
auth.Identity('user', '*****@*****.**'),
]),
scheduling_groups=frozenset([u'group2', u'group1']),
trusted_delegatees={
auth.Identity('user', '*****@*****.**'):
pools_config.TrustedDelegatee(
peer_id=auth.Identity('user', '*****@*****.**'),
required_delegation_tags=frozenset([u'k:tag1', u'k:tag2']),
),
},
service_accounts=frozenset([u'*****@*****.**', u'*****@*****.**']),
service_accounts_groups=(u'accounts_group1', u'accounts_group2'),
realm='test:pool/realm',
enforced_realm_permissions=frozenset(
[realms_pb2.REALM_PERMISSION_POOLS_CREATE_TASK]),
default_isolate=pools_config.IsolateServer(
server='https://isolate.server.example.com',
namespace='default-gzip',
),
default_cipd=pools_config.CipdServer(
server='https://cipd.server.example.com',
package_name='some-cipd-client',
client_version='latest',
),
external_schedulers=(pools_config.ExternalSchedulerConfig(
address=u'externalscheduler.google.com',
id=u'ext1',
dimensions=frozenset(['key2:value2', 'key1:value1']),
all_dimensions=frozenset(),
any_dimensions=frozenset(),
enabled=True,
allow_es_fallback=True,
), ),
)
expected2 = expected1._replace(name='another_name')
self.assertEqual(expected1, pools_config.get_pool_config('pool_name'))
self.assertEqual(expected2,
pools_config.get_pool_config('another_name'))
self.assertEqual(['another_name', 'pool_name'], pools_config.known())
def test_register_instance_new(self):
self.assertIsNone(self.service.get_instance('a/b', 'a' * 40))
self.assertIsNone(self.service.get_package('a/b'))
inst, registered = self.service.register_instance(
package_name='a/b',
instance_id='a' * 40,
caller=auth.Identity.from_bytes('user:[email protected]'),
now=datetime.datetime(2014, 1, 1, 0, 0))
self.assertTrue(registered)
self.assertEqual(
ndb.Key('Package', 'a/b', 'PackageInstance', 'a' * 40), inst.key)
self.assertEqual('a/b', inst.package_name)
self.assertEqual('a' * 40, inst.instance_id)
expected = {
'registered_by': auth.Identity(kind='user',
name='*****@*****.**'),
'registered_ts': datetime.datetime(2014, 1, 1, 0, 0),
'processors_failure': [],
'processors_pending': [],
'processors_success': [],
}
self.assertEqual(expected, inst.to_dict())
self.assertEqual(expected,
self.service.get_instance('a/b', 'a' * 40).to_dict())
pkg = self.service.get_package('a/b')
self.assertTrue(pkg)
self.assertEqual('a/b', pkg.package_name)
def test_register_new_instance_flow(self):
self.mock(utils, 'utcnow', lambda: datetime.datetime(2014, 1, 1))
request = {
'package_name': 'good/name',
'instance_id': 'a' * 40,
}
# Package is not uploaded yet. Should ask to upload.
resp = self.call_api('register_instance', request)
self.assertEqual(200, resp.status_code)
self.assertEqual(
{
'status': 'UPLOAD_FIRST',
'upload_session_id': 'upload_session_id',
'upload_url': 'http://upload_url',
}, resp.json_body)
# Pretend it is upload now.
self.repo_service.uploaded.add('a' * 40)
# Should register the package.
resp = self.call_api('register_instance', request)
self.assertEqual(200, resp.status_code)
self.assertEqual(
{
'status': 'REGISTERED',
'instance': {
'instance_id': 'a' * 40,
'package_name': 'good/name',
'registered_by': 'user:[email protected]',
'registered_ts': '1388534400000000',
},
}, resp.json_body)
# Check that it is indeed there.
pkg = self.repo_service.get_instance('good/name', 'a' * 40)
self.assertTrue(pkg)
expected = {
'registered_by': auth.Identity(kind='user',
name='*****@*****.**'),
'registered_ts': datetime.datetime(2014, 1, 1, 0, 0),
'processors_failure': [],
'processors_pending': [],
'processors_success': [],
}
self.assertEqual(expected, pkg.to_dict())
# Attempt to register it again.
resp = self.call_api('register_instance', request)
self.assertEqual(200, resp.status_code)
self.assertEqual(
{
'status': 'ALREADY_REGISTERED',
'instance': {
'instance_id': 'a' * 40,
'package_name': 'good/name',
'registered_by': 'user:[email protected]',
'registered_ts': '1388534400000000',
},
}, resp.json_body)
def test_log_non_user_id(self, logfunc):
"""Assert that non-user identity is being logged."""
admin = auth.Identity(auth.IDENTITY_SERVICE, 'adminapp')
auth_testing.mock_get_current_identity(self, admin)
collection = generate_collection('default', ['foobar'])
self.call_api('preupload', message_to_dict(collection), 200)
logfunc.assert_any_call('Accessed from service:adminapp')
def test_create_task_async_override_cfg(self):
build = model.Build(
id=1,
bucket='bucket',
create_time=utils.utcnow(),
created_by=auth.Identity('user', '*****@*****.**'),
parameters={
'builder_name': 'linux_chromium_rel_ng',
'swarming': {
'override_builder_cfg': {
# Override cores dimension.
'dimensions': ['cores:16'],
'recipe': {
'revision': 'badcoffee'
},
},
}
},
)
self.json_response = {
'task_id': 'deadbeef',
'request': {
'properties': {
'dimensions': [
{
'key': 'cores',
'value': '16'
},
{
'key': 'os',
'value': 'Linux'
},
{
'key': 'pool',
'value': 'Chrome'
},
],
},
'tags': [
'build_address:bucket/linux_chromium_rel_ng/1',
'builder:linux_chromium_rel_ng',
'buildertag:yes',
'commontag:yes',
'master:master.bucket',
'priority:108',
'recipe_name:recipe',
'recipe_repository:https://example.com/repo',
'recipe_revision:badcoffee',
]
}
}
swarming.create_task_async(build).get_result()
actual_task_def = net.json_request_async.call_args[1]['payload']
self.assertIn({
'key': 'cores',
'value': '16'
}, actual_task_def['properties']['dimensions'])
def create_application(debug):
replication.configure_as_primary()
rest_api.set_config_locked(config.is_remote_configured)
# Configure UI appearance, add all custom tabs.
ui.configure_ui(app_name='Auth Service',
ui_tabs=[
ui.GroupsHandler,
ui.ChangeLogHandler,
ui.LookupHandler,
ServicesHandler,
ui.OAuthConfigHandler,
ui.IPWhitelistsHandler,
ConfigHandler,
ui.ApiDocHandler,
],
ui_data_callback=get_additional_ui_data)
template.bootstrap({'auth_service': TEMPLATES_DIR})
# Add a fake admin for local dev server.
if utils.is_local_dev_server():
auth.bootstrap_group(
auth.ADMIN_GROUP,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')],
'Users that can manage groups')
return webapp2.WSGIApplication(get_routes(), debug=debug)
def test_shared_cache(self):
builder_cfg = self.bucket_cfg.swarming.builders[0]
builder_cfg.caches.add(path='builder', name='shared_builder_cache')
build = model.Build(
id=1,
bucket='bucket',
create_time=utils.utcnow(),
created_by=auth.Identity('user', '*****@*****.**'),
parameters={
'builder_name': 'linux_chromium_rel_ng',
},
)
_, _, task_def = swarming.prepare_task_def_async(build).get_result()
self.assertEqual(task_def['properties']['caches'], [
{
'path': 'cache/a',
'name': 'a'
},
{
'path': 'cache/builder',
'name': 'shared_builder_cache'
},
{
'path': 'cache/git_cache',
'name': 'git_chromium'
},
{
'path': 'cache/out',
'name': 'build_chromium'
},
])
def test_log_normal_users(self, logfunc):
"""Assert that user identity is being logged."""
admin = auth.Identity(auth.IDENTITY_USER, '*****@*****.**')
auth_testing.mock_get_current_identity(self, admin)
collection = generate_collection('default', ['foobar'])
self.call_api('preupload', message_to_dict(collection), 200)
logfunc.assert_any_call('Accessed from user:[email protected]')
def test_parse_identity(self):
self.assertEqual(
user.parse_identity('user:[email protected]'),
auth.Identity('user', '*****@*****.**'),
)
self.assertEqual(
auth.Identity('user', '*****@*****.**'),
auth.Identity('user', '*****@*****.**'),
)
self.assertEqual(
user.parse_identity('*****@*****.**'),
auth.Identity('user', '*****@*****.**'),
)
with self.assertRaises(errors.InvalidInputError):
user.parse_identity('a:b')
def mocked(request):
hdr = request.headers.get('Authorization')
if not hdr:
return None, False
if not hdr.startswith('Bearer '):
raise auth.AuthenticationError()
email = hdr[len('Bearer '):]
return auth.Identity(auth.IDENTITY_USER, email), None
def validate_bot_id_and_fetch_config(bot_id):
"""Verifies ID reported by a bot matches the credentials being used.
Expected to be called in a context of some bot API request handler. Uses
bots.cfg config to look up what credentials are expected to be used by the bot
with given ID.
Raises auth.AuthorizationError if bot_id is unknown or bot is using invalid
credentials.
On success returns the configuration for this bot (BotGroupConfig tuple), as
defined in bots.cfg
"""
cfg = bot_groups_config.get_bot_group_config(bot_id)
if not cfg:
logging.error(
'bot_auth: unknown bot_id, not in the config\nbot_id: "%s"',
bot_id)
raise auth.AuthorizationError('Unknown bot ID, not in config')
peer_ident = auth.get_peer_identity()
if cfg.require_luci_machine_token:
if not _is_valid_ident_for_bot(peer_ident, bot_id):
logging.error(
'bot_auth: bot ID doesn\'t match the machine token used\n'
'bot_id: "%s", peer_ident: "%s"', bot_id,
peer_ident.to_bytes())
raise auth.AuthorizationError(
'Bot ID doesn\'t match the token used')
elif cfg.require_service_account:
expected_id = auth.Identity(auth.IDENTITY_USER,
cfg.require_service_account)
if peer_ident != expected_id:
logging.error(
'bot_auth: bot is not using expected service account\n'
'bot_id: "%s", expected_id: "%s", peer_ident: "%s"', bot_id,
expected_id.to_bytes(), peer_ident.to_bytes())
raise auth.AuthorizationError(
'bot is not using expected service account')
elif not cfg.ip_whitelist:
# This branch should not be hit for validated configs.
logging.error(
'bot_auth: invalid bot group config, no auth method defined\n'
'bot_id: "%s"', bot_id)
raise auth.AuthorizationError('Invalid bot group config')
# Check that IP whitelist applies (in addition to credentials).
if cfg.ip_whitelist:
ip = auth.get_peer_ip()
if not auth.is_in_ip_whitelist(cfg.ip_whitelist, ip):
logging.error(
'bot_auth: bot IP is not whitelisted\n'
'bot_id: "%s", peer_ip: "%s", ip_whitelist: "%s"', bot_id,
ipaddr.ip_to_string(ip), cfg.ip_whitelist)
raise auth.AuthorizationError('Not IP whitelisted')
return cfg
def setUp(self):
"""Creates a new app instance for every test case."""
super(MainTest, self).setUp()
self.testbed.init_user_stub()
# When called during a taskqueue, the call to get_app_version() may fail so
# pre-fetch it.
version = utils.get_app_version()
self.mock(utils, 'get_task_queue_host', lambda: version)
self.source_ip = '192.168.0.1'
self.app_frontend = webtest.TestApp(
handlers_frontend.create_application(debug=True),
extra_environ={'REMOTE_ADDR': self.source_ip})
# This is awkward but both the frontend and backend applications uses the
# same template variables.
template.reset()
self.app_backend = webtest.TestApp(
handlers_backend.create_application(debug=True),
extra_environ={'REMOTE_ADDR': self.source_ip})
# Tasks are enqueued on the backend.
self.app = self.app_backend
self.auth_app = webtest.TestApp(
auth.create_wsgi_application(debug=True),
extra_environ={
'REMOTE_ADDR': self.source_ip,
'SERVER_SOFTWARE': os.environ['SERVER_SOFTWARE'],
})
full_access_group = config.settings().auth.full_access_group
readonly_access_group = config.settings().auth.readonly_access_group
auth.bootstrap_group(
auth.ADMIN_GROUP,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
readonly_access_group,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
full_access_group,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
# TODO(maruel): Create a BOTS_GROUP.
self.set_as_anonymous()
def setUp(self):
super(AppTestBase, self).setUp()
self.bot_version = None
self.source_ip = '192.168.2.2'
self.testbed.init_user_stub()
gae_ts_mon.reset_for_unittest(disable=True)
event_mon_metrics.initialize()
# By default requests in tests are coming from bot with fake IP.
# WSGI app that implements auth REST API.
self.auth_app = webtest.TestApp(
auth.create_wsgi_application(debug=True),
extra_environ={
'REMOTE_ADDR': self.source_ip,
'SERVER_SOFTWARE': os.environ['SERVER_SOFTWARE'],
})
admins_group = 'test_admins_group'
priv_users_group = 'test_priv_users_group'
users_group = 'test_users_group'
cfg = config_pb2.SettingsCfg(auth=config_pb2.AuthSettings(
admins_group=admins_group,
privileged_users_group=priv_users_group,
users_group=users_group,
))
self.mock(config, '_get_settings', lambda: ('test_rev', cfg))
utils.clear_cache(config.settings)
# Note that auth.ADMIN_GROUP != admins_group.
auth.bootstrap_group(
auth.ADMIN_GROUP,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
admins_group,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
priv_users_group,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
auth.bootstrap_group(
users_group,
[auth.Identity(auth.IDENTITY_USER, '*****@*****.**')])
def test_has_project_access_identity(self):
self.mock(projects, 'get_metadata', mock.Mock())
projects.get_metadata.return_value = project_config_pb2.ProjectCfg(
access=['group:googlers', '*****@*****.**'])
self.assertFalse(acl.can_read_config_set('projects/secret'))
auth.get_current_identity.return_value = auth.Identity(
'user', '*****@*****.**')
self.assertTrue(acl.can_read_config_set('projects/secret'))
def validate_identity(identity, ctx):
if ':' in identity:
kind, name = identity.split(':', 2)
else:
kind = 'user'
name = identity
try:
auth.Identity(kind, name)
except ValueError as ex:
ctx.error('%s', ex)
def mocked_get_pool_config(pool):
if pool != 'default':
return None
return pools_config.PoolConfig(
name='default',
rev='pools_cfg_rev',
scheduling_users=frozenset([
# See setUp above. We just duplicate the first ACL layer here
auth.Identity(auth.IDENTITY_USER,
'*****@*****.**'),
auth.Identity(auth.IDENTITY_USER, '*****@*****.**'),
auth.Identity(auth.IDENTITY_USER, '*****@*****.**'),
auth.Identity(auth.IDENTITY_USER, '*****@*****.**'),
]),
scheduling_groups=frozenset(),
trusted_delegatees={},
service_accounts=frozenset(service_accounts),
service_accounts_groups=(),
task_template_deployment=None)
def bootstrap_dev_server_acls():
"""Adds default pools.cfg."""
assert utils.is_local_dev_server()
global _LOCAL_FAKE_CONFIG
_LOCAL_FAKE_CONFIG = _PoolsCfg(
{
'default':
init_pool_config(
name='default',
rev='pools_cfg_rev',
scheduling_users=frozenset([
auth.Identity(auth.IDENTITY_USER,
'*****@*****.**'),
auth.Identity(auth.IDENTITY_BOT, 'whitelisted-ip'),
]),
),
},
(None, None),
)
def test_importer_ingest_tarball_ok(self):
self.mock_oauth_authentication()
calls = self.mock_ingest_tarball()
response = self.app.put(
'/auth_service/api/v1/importer/ingest_tarball/zzz',
'tar body',
headers={'Authorization': 'Bearer [email protected]'})
self.assertEqual(
{u'auth_db_rev': 123, u'groups': [u'a', u'b', u'c']}, response.json)
self.assertEqual(
[(auth.Identity(kind='user', name='*****@*****.**'), 'zzz', 'tar body')],
calls)
