Ejemplo n.º 1
def test_permission_grant_revoke(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Grant a permission to a service account in the UI, then revoke it.

    The fixture adds a user to "some-group", grants that group
    "some-permission" with argument "foo", and creates a service account
    owned by the group. The owner is re-read after every state change, so
    an ownership change caused by a grant or revoke would fail the test.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        account_url = url(
            frontend_url, "/groups/some-group/service/[email protected]"
        )
        browser.get(account_url)

        # Baseline: the account belongs to the group and holds no permissions.
        view_page = ServiceAccountViewPage(browser)
        assert view_page.owner == "some-group"
        assert view_page.permission_rows == []
        view_page.click_add_permission_button()

        # Delegate the permission the owning group already holds.
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        # Exactly one row, carrying the name and argument that were submitted.
        assert view_page.owner == "some-group"
        rows = view_page.permission_rows
        assert len(rows) == 1
        granted = rows[0]
        assert granted.permission == "some-permission"
        assert granted.argument == "foo"

        # Revoke through the confirmation modal.
        granted.click_revoke_button()
        revoke_modal = view_page.get_revoke_permission_modal()
        revoke_modal.confirm()

        # Back to the baseline state.
        assert view_page.owner == "some-group"
        assert view_page.permission_rows == []
Ejemplo n.º 2
def test_service_account_edit(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Edit a service account's description and machine set.

    The first submit carries the machine set "some machines bad-machine" and
    must produce alerts instead of saving. The corrected submit must return
    to the account's view page, which then shows both new values.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        account_url = url(
            frontend_url, "/groups/some-group/service/[email protected]"
        )
        browser.get(account_url)

        # Baseline: owned by the group, both editable fields empty.
        account_page = ServiceAccountViewPage(browser)
        assert account_page.owner == "some-group"
        assert account_page.description == ""
        assert account_page.machine_set == ""
        account_page.click_edit_button()

        # Rejected input: the form must report the machine set as invalid.
        edit_form = ServiceAccountEditPage(browser)
        edit_form.set_description("some description")
        edit_form.set_machine_set("some machines bad-machine")
        edit_form.submit()
        assert edit_form.has_alert("machine_set")
        assert edit_form.has_alert("[email protected] has invalid machine set")

        # Accepted input: only the machine set is corrected before resubmitting.
        edit_form.set_machine_set("some machines")
        edit_form.submit()

        # The browser is back on the view page and the new values are displayed.
        assert browser.current_url.endswith(
            "/groups/some-group/service/[email protected]"
        )
        assert account_page.description == "some description"
        assert account_page.machine_set == "some machines"
Ejemplo n.º 3
def test_permission_grant_denied(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Check the two refusal paths for granting a permission to a service account.

    "some-group" owns the account and holds "some-permission" with argument
    "foo" only. A second user belongs to "other-group", which is given no
    permissions in this fixture.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.add_user_to_group("*****@*****.**", "other-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    # Owner-group member: the permission name is one the group holds, but the
    # argument "bar" is not, so the grant has to be refused.
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        grant_url = url(
            frontend_url, "/groups/some-group/service/[email protected]/grant"
        )
        browser.get(grant_url)

        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("bar")
        grant_form.submit()

        assert grant_form.has_alert("Permission denied")

    # Unrelated user: the Add Permission button is clickable, so the refusal
    # asserted here is the 403 error page shown after the click.
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        account_url = url(
            frontend_url, "/groups/some-group/service/[email protected]"
        )
        browser.get(account_url)

        # Zero rows also shows that the refused grant above left nothing behind.
        account_page = ServiceAccountViewPage(browser)
        assert len(account_page.permission_rows) == 0
        account_page.click_add_permission_button()

        error_page = ErrorPage(browser)
        assert error_page.heading == "Error"
        assert error_page.subheading == "403 Forbidden"
Ejemplo n.º 4
def test_service_account_lifecycle(async_server, browser):  # noqa: F811
    """Walk a service account through create, disable and re-enable in the UI.

    NOTE(review): this test contains no assert statements. As written it only
    fails if one of the page-object calls raises; it does not check the
    owner or the enabled/disabled state after any step.
    """
    # Create the account from the owning group's page.
    browser.get(url(async_server, "/groups/user-admins"))

    group_page = GroupViewPage(browser)
    group_page.click_add_service_account_button()

    create_form = ServiceAccountCreatePage(browser)
    create_form.set_name("my-special-service-account")
    create_form.submit()

    # Disable it through the confirmation modal.
    account_page = ServiceAccountViewPage(browser)
    account_page.click_disable_button()

    confirm_disable = account_page.get_disable_modal()
    confirm_disable.confirm()

    # Find the account again in the user list, with both the disabled-users
    # and service-accounts toggles clicked.
    browser.get(url(async_server, "/users"))

    users_page = UsersViewPage(browser)
    users_page.click_show_disabled_users_button()
    users_page.click_show_service_accounts_button()

    account_row = users_page.find_user_row("[email protected] (service)")
    account_row.click()

    # Re-enable it; the enable form asks for an owner to be selected.
    account_page = ServiceAccountViewPage(browser)
    account_page.click_enable_button()

    enable_form = ServiceAccountEnablePage(browser)
    enable_form.select_owner("Group: user-admins")
    enable_form.submit()
Ejemplo n.º 5
def test_permission_grant_revoke(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Grant a permission to a service account in the UI, then revoke it.

    The owning group holds "some-permission" with argument "foo". The test
    checks that the permission list goes from empty, to exactly that one
    grant, and back to empty after the revoke is confirmed.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        account_url = url(frontend_url, "/groups/some-group/service/[email protected]")
        browser.get(account_url)

        # Baseline: nothing granted yet.
        account_page = ServiceAccountViewPage(browser)
        assert account_page.permission_rows == []
        account_page.click_add_permission_button()

        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        # A fresh page object is built after the form submit.
        account_page = ServiceAccountViewPage(browser)
        rows = account_page.permission_rows
        assert len(rows) == 1
        granted = rows[0]
        assert granted.permission == "some-permission"
        assert granted.argument == "foo"

        # Revoke through the confirmation modal.
        granted.click_revoke_button()
        revoke_modal = account_page.get_revoke_permission_modal()
        revoke_modal.confirm()

        assert account_page.permission_rows == []
Ejemplo n.º 6
def test_escaped_at_sign(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Request a service-account page with the "@" percent-encoded as %40.

    The page reached through the encoded path must show the account's
    subheading and its owning group.

    NOTE(review): the address literals in this listing look masked by the
    page it was copied from ("*****@*****.**", "[email protected]"), while the
    URL path still reads "service%40svc.localhost". Restore the real fixture
    values before running; the subheading assertion depends on them.
    """
    with setup.transaction():
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        encoded_url = url(frontend_url, "/groups/some-group/service/service%40svc.localhost")
        browser.get(encoded_url)
        account_page = ServiceAccountViewPage(browser)
        assert account_page.subheading == "Service Account: [email protected]"
        assert account_page.owner == "some-group"
Ejemplo n.º 7
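def test_permission_revoke_denied(tmpdir: LocalPath, setup: SetupTest,
                                  browser: Chrome) -> None:
    """Check that a user who cannot manage a service account cannot revoke its permissions.

    Two layers are exercised:

    1. Rendering: for a user outside the owning group the revoke button is
       absent, so clicking it raises NoSuchElementException.
    2. Request handling: the page is rendered while the user is a group
       member (button present), the membership is removed, and only then is
       the revoke submitted. The server must answer with its "unauthorized"
       message, which shows the check is made when the request arrives and
       not only when the page was rendered.

    After the refused revoke the page is reloaded to confirm the permission
    is still granted; the error text alone would not show that.
    """
    with setup.transaction():
        setup.create_service_account("*****@*****.**", "some-group")
        setup.grant_permission_to_service_account("some-permission", "*",
                                                  "*****@*****.**")
        setup.create_user("*****@*****.**")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(
            url(frontend_url,
                "/groups/some-group/service/[email protected]"))

        # A non-member can view the account and its single permission row.
        page = ServiceAccountViewPage(browser)
        assert page.owner == "some-group"
        permission_rows = page.permission_rows
        assert len(permission_rows) == 1
        permission = permission_rows[0]
        assert permission.permission == "some-permission"
        assert permission.argument == "*"

        # The button doesn't show for someone who can't manage the service account.
        with pytest.raises(NoSuchElementException):
            permission.click_revoke_button()

    # Add the user to the group so that the revoke button will show up, and then revoke it before
    # attempting to click the button.  We can't just directly initiate a request to the revoke URL
    # without making the button appear because Python Selenium doesn't support a test-initiated
    # POST (only GET).
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(
            url(frontend_url,
                "/groups/some-group/service/[email protected]"))

        page = ServiceAccountViewPage(browser)
        assert page.owner == "some-group"
        permission_rows = page.permission_rows
        assert len(permission_rows) == 1
        permission = permission_rows[0]

        # Drop the membership after the page (and its revoke button) has been
        # rendered, so the request below comes from a user who no longer has
        # the right to make it.
        with setup.transaction():
            setup.remove_user_from_group("*****@*****.**", "some-group")

        permission.click_revoke_button()
        permission_revoke_modal = page.get_revoke_permission_modal()
        permission_revoke_modal.confirm()

        assert page.has_text(
            "The operation you tried to complete is unauthorized")

        # A refusal message does not by itself prove nothing was changed:
        # reload the view and check the grant is still in place. The first
        # half of this test already relies on a non-member being able to
        # view this page.
        browser.get(
            url(frontend_url,
                "/groups/some-group/service/[email protected]"))
        page = ServiceAccountViewPage(browser)
        remaining_rows = page.permission_rows
        assert len(remaining_rows) == 1
        assert remaining_rows[0].permission == "some-permission"
        assert remaining_rows[0].argument == "*"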
Ejemplo n.º 8
def test_service_account_lifecycle(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Create, disable and re-enable a service account, ending under a new owner.

    The creation form is submitted three times: with an invalid machine set,
    with an invalid name, and finally with valid values. After the account
    is disabled and re-enabled with "some-group" selected as owner, the view
    page must report "some-group" as the owner.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "user-admins")
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group(USER_ADMIN, "", "user-admins")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups/user-admins"))

        admins_page = GroupViewPage(browser)
        admins_page.click_add_service_account_button()

        # Attempt 1: valid name, invalid machine set.
        create_form = ServiceAccountCreatePage(browser)
        create_form.set_name("my-special-service-account")
        create_form.set_description("some description")
        create_form.set_machine_set("some machines bad-machine")
        create_form.submit()
        assert create_form.has_alert("machine_set")
        machine_set_error = "[email protected] has invalid machine set"
        assert create_form.has_alert(machine_set_error)

        # Attempt 2: valid machine set, name containing two "@" characters.
        create_form.set_name("service@service@service")
        create_form.set_machine_set("some machines")
        create_form.submit()
        assert create_form.has_alert("name")

        # Attempt 3: both fields valid, so the account is created.
        create_form.set_name("my-special-service-account")
        create_form.submit()

        # The new account is owned by the group it was created from.
        account_page = ServiceAccountViewPage(browser)
        assert account_page.owner == "user-admins"
        assert account_page.description == "some description"
        assert account_page.machine_set == "some machines"
        account_page.click_disable_button()
        confirm_disable = account_page.get_disable_modal()
        confirm_disable.confirm()

        # Find the disabled account again through the user list.
        browser.get(url(frontend_url, "/users"))

        user_list = UsersViewPage(browser)
        user_list.click_show_disabled_users_button()
        user_list.click_show_service_accounts_button()
        account_row = user_list.find_user_row("[email protected] (service)")
        account_row.click()

        account_page = ServiceAccountViewPage(browser)
        account_page.click_enable_button()

        # Re-enable under a different owning group.
        enable_form = ServiceAccountEnablePage(browser)
        enable_form.select_owner("Group: some-group")
        enable_form.submit()

        account_page = ServiceAccountViewPage(browser)
        assert account_page.owner == "some-group"
Ejemplo n.º 9
def test_permission_grant(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Check three ways a user may be allowed to grant a permission to a service account.

    Fixture, as set up below:
      * "some-group" owns the account and holds "some-permission" / "foo".
      * "other-group" holds "grouper.permission.grant" with argument
        "some-permission/bar".
      * "permission-admins" holds PERMISSION_ADMIN.

    Each scenario runs as a different user against the same account, so the
    expected number of permission rows grows from 0 to 3 across the test.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.add_user_to_group("*****@*****.**", "other-group")
        setup.add_user_to_group("*****@*****.**", "permission-admins")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.grant_permission_to_group(
            "grouper.permission.grant", "some-permission/bar", "other-group"
        )
        setup.grant_permission_to_group(PERMISSION_ADMIN, "", "permission-admins")
        setup.create_service_account("*****@*****.**", "some-group")

    # Scenario 1: a member of the owning group passes on a permission and
    # argument that the owning group itself holds.
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        account_url = url(
            frontend_url, "/groups/some-group/service/[email protected]"
        )
        browser.get(account_url)

        view_page = ServiceAccountViewPage(browser)
        assert view_page.permission_rows == []
        view_page.click_add_permission_button()

        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        rows = view_page.permission_rows
        assert len(rows) == 1
        newest = rows[0]
        assert newest.permission == "some-permission"
        assert newest.argument == "foo"

    # Scenario 2: a user outside the owning group whose group holds
    # grouper.permission.grant for "some-permission/bar" grants that argument.
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        account_url = url(
            frontend_url, "/groups/some-group/service/[email protected]"
        )
        browser.get(account_url)

        view_page = ServiceAccountViewPage(browser)
        assert len(view_page.permission_rows) == 1
        view_page.click_add_permission_button()

        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (bar)")
        grant_form.set_argument("bar")
        grant_form.submit()

        rows = view_page.permission_rows
        assert len(rows) == 2
        newest = rows[1]
        assert newest.permission == "some-permission"
        assert newest.argument == "bar"

    # Scenario 3: a permission admin is offered the wildcard choice and
    # grants an argument ("weewoo") that appears nowhere in the fixture.
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        account_url = url(
            frontend_url, "/groups/some-group/service/[email protected]"
        )
        browser.get(account_url)

        view_page = ServiceAccountViewPage(browser)
        assert len(view_page.permission_rows) == 2
        view_page.click_add_permission_button()

        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (*)")
        grant_form.set_argument("weewoo")
        grant_form.submit()

        rows = view_page.permission_rows
        assert len(rows) == 3
        newest = rows[2]
        assert newest.permission == "some-permission"
        assert newest.argument == "weewoo"