def test_service_account_fe_disable(session, standard_graph, http_client,
base_url):
graph = standard_graph
admin = "*****@*****.**"
owner = "*****@*****.**"
plebe = "*****@*****.**"
# Unrelated people cannot disable the service account.
fe_url = url(base_url,
"/groups/security-team/service/[email protected]/disable")
with pytest.raises(HTTPError):
yield http_client.fetch(fe_url,
method="POST",
headers={"X-Grouper-User": plebe},
body=urlencode({}))
# Group members can disable the service account.
resp = yield http_client.fetch(fe_url,
method="POST",
headers={"X-Grouper-User": owner},
body=urlencode({}))
assert resp.code == 200
graph.update_from_db(session)
metadata = graph.user_metadata["*****@*****.**"]
assert not metadata["enabled"]
group_details = graph.get_group_details("team-sre")
assert "service_accounts" not in group_details
# The group owner cannot enable the account, since the group ownership has been lost
fe_url = url(base_url, "/service/[email protected]/enable")
with pytest.raises(HTTPError):
yield http_client.fetch(fe_url,
method="POST",
headers={"X-Grouper-User": owner},
body=urlencode({"owner": "team-sre"}))
# A global admin can enable the account.
resp = yield http_client.fetch(fe_url,
method="POST",
headers={"X-Grouper-User": admin},
body=urlencode({"owner": "team-sre"}))
assert resp.code == 200
graph.update_from_db(session)
metadata = graph.user_metadata["*****@*****.**"]
assert metadata["enabled"]
assert metadata["service_account"]["owner"] == "team-sre"
group_details = graph.get_group_details("team-sre")
assert group_details["service_accounts"] == ["*****@*****.**"]
# And can also disable the account even though they're not a member of the group.
fe_url = url(base_url,
"/groups/security-team/service/[email protected]/disable")
resp = yield http_client.fetch(fe_url,
method="POST",
headers={"X-Grouper-User": admin},
body=urlencode({}))
assert resp.code == 200
graph.update_from_db(session)
metadata = graph.user_metadata["*****@*****.**"]
assert not metadata["enabled"]
def test_group_audited(standard_graph, session, groups, permissions): # noqa
""" Ensure that the audited flag gets set appropriate only groups and inherited down the
graph. """
graph = standard_graph # noqa
assert not graph.get_group_details("security-team")["audited"]
assert graph.get_group_details("serving-team")["audited"]
assert graph.get_group_details("team-sre")["audited"]
def test_graph_edit_role(session, graph, standard_graph, groups, users):
"""Test that membership role changes are refected in the graph."""
username = "******"
user_role = graph.get_group_details("tech-ops")["users"][username]["rolename"]
assert user_role == "np-owner"
groups["tech-ops"].edit_member(users["*****@*****.**"], users[username], "a reason",
role="owner")
graph.update_from_db(session)
user_role = graph.get_group_details("tech-ops")["users"][username]["rolename"]
assert user_role == "owner"
def test_graph_edit_role(session, graph, standard_graph, groups, users):
"""Test that membership role changes are refected in the graph."""
username = "******"
user_role = graph.get_group_details("tech-ops")["users"][username]["rolename"]
assert user_role == "np-owner"
groups["tech-ops"].edit_member(users["*****@*****.**"], users[username], "a reason",
role="owner")
graph.update_from_db(session)
user_role = graph.get_group_details("tech-ops")["users"][username]["rolename"]
assert user_role == "owner"
def test_service_accounts(session, standard_graph, users, groups, permissions):
graph = standard_graph
# Create a service account.
service_account = ServiceAccount.get(session, name="*****@*****.**")
assert service_account.description == "some service account"
assert service_account.machine_set == "some machines"
assert service_account.user.name == "*****@*****.**"
assert service_account.user.enabled == True
assert service_account.user.is_service_account == True
service_accounts = get_service_accounts(session, groups["team-sre"])
assert len(service_accounts) == 1
assert service_accounts[0].user.name == "*****@*****.**"
assert is_service_account(session, service_account.user)
# Duplicates should raise an exception.
with pytest.raises(DuplicateServiceAccount):
create_service_account(session, users["*****@*****.**"], "*****@*****.**",
"dup", "dup", groups["team-sre"])
# zorkian should be able to manage the account, as should gary, but oliver (not a member of the
# group) should not.
assert can_manage_service_account(session, service_account,
users["*****@*****.**"])
assert can_manage_service_account(session, service_account,
users["*****@*****.**"])
assert not can_manage_service_account(session, service_account,
users["*****@*****.**"])
# Check that the user appears in the graph.
graph.update_from_db(session)
metadata = graph.user_metadata["*****@*****.**"]
assert metadata["enabled"]
assert metadata["service_account"]["description"] == "some service account"
assert metadata["service_account"]["machine_set"] == "some machines"
assert metadata["service_account"]["owner"] == "team-sre"
group_details = graph.get_group_details("team-sre")
assert group_details["service_accounts"] == ["*****@*****.**"]
# Grant a permission to the service account and check it in the graph.
grant_permission_to_service_account(session, service_account,
permissions["team-sre"], "*")
graph.update_from_db(session)
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"][0]["permission"] == "team-sre"
assert user_details["permissions"][0]["argument"] == "*"
# Diabling the service account should remove the link to the group.
disable_service_account(session, users["*****@*****.**"], service_account)
assert service_account.user.enabled == False
assert get_service_accounts(session, groups["team-sre"]) == []
# The user should also be gone from the graph and have its permissions removed.
graph.update_from_db(session)
group_details = graph.get_group_details("team-sre")
assert "service_accounts" not in group_details
metadata = graph.user_metadata["*****@*****.**"]
assert not metadata["enabled"]
assert "owner" not in metadata["service_account"]
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"] == []
# We can re-enable and attach to a different group.
new_group = groups["security-team"]
enable_service_account(session, users["*****@*****.**"], service_account,
new_group)
assert service_account.user.enabled == True
assert get_service_accounts(session, groups["team-sre"]) == []
service_accounts = get_service_accounts(session, new_group)
assert len(service_accounts) == 1
assert service_accounts[0].user.name == "*****@*****.**"
# Check that this is reflected in the graph and the user has no permissions.
graph.update_from_db(session)
group_details = graph.get_group_details("security-team")
assert group_details["service_accounts"] == ["*****@*****.**"]
metadata = graph.user_metadata["*****@*****.**"]
assert metadata["service_account"]["owner"] == "security-team"
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"] == []
def test_expire_nonauditors(standard_graph, users, groups, session, permissions):
""" Test expiration auditing and notification. """
graph = standard_graph # noqa
# Test audit autoexpiration for all approvers
approver_roles = ["owner", "np-owner", "manager"]
for role in approver_roles:
# Add non-auditor as an owner to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
session.commit()
graph.update_from_db(session)
group_md = graph.get_group_details("audited-team")
assert group_md.get('audited', False)
# Expire the edges.
background = BackgroundProcessor(settings, None)
background.expire_nonauditors(session)
# Check that the edges are now marked as inactive.
edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
assert edge.expiration is not None
assert edge.expiration < datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days)
assert edge.expiration > datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days - 1)
assert any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])
audits = AuditLog.get_entries(session, action="nonauditor_flagged")
assert len(audits) == 3 + 1 * (approver_roles.index(role) + 1)
revoke_member(groups["audited-team"], users["*****@*****.**"])
# Ensure nonauditor, nonapprovers in audited groups do not get set to expired
member_roles = ["member"]
for role in member_roles:
# Add non-auditor as an owner to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
session.commit()
graph.update_from_db(session)
group_md = graph.get_group_details("audited-team")
assert group_md.get('audited', False)
# Expire the edges.
background = BackgroundProcessor(settings, None)
background.expire_nonauditors(session)
# Check that the edges are now marked as inactive.
edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
assert edge.expiration is None
assert not any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])
audits = AuditLog.get_entries(session, action="nonauditor_flagged")
assert len(audits) == 3 + 1 * len(approver_roles)
revoke_member(groups["audited-team"], users["*****@*****.**"])
def test_expire_nonauditors(standard_graph, users, groups, session, permissions):
""" Test expiration auditing and notification. """
graph = standard_graph # noqa
# Test audit autoexpiration for all approvers
approver_roles = ["owner", "np-owner", "manager"]
for role in approver_roles:
# Add non-auditor as an owner to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
session.commit()
graph.update_from_db(session)
group_md = graph.get_group_details("audited-team")
assert group_md.get('audited', False)
# Expire the edges.
background = BackgroundThread(settings, None)
background.expire_nonauditors(session)
# Check that the edges are now marked as inactive.
edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
assert edge.expiration is not None
assert edge.expiration < datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days)
assert edge.expiration > datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days - 1)
assert any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])
audits = AuditLog.get_entries(session, action="nonauditor_flagged")
assert len(audits) == 3 + 1 * (approver_roles.index(role) + 1)
revoke_member(groups["audited-team"], users["*****@*****.**"])
# Ensure nonauditor, nonapprovers in audited groups do not get set to expired
member_roles = ["member"]
for role in member_roles:
# Add non-auditor as an owner to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
session.commit()
graph.update_from_db(session)
group_md = graph.get_group_details("audited-team")
assert group_md.get('audited', False)
# Expire the edges.
background = BackgroundThread(settings, None)
background.expire_nonauditors(session)
# Check that the edges are now marked as inactive.
edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
assert edge.expiration is None
assert not any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])
audits = AuditLog.get_entries(session, action="nonauditor_flagged")
assert len(audits) == 3 + 1 * len(approver_roles)
revoke_member(groups["audited-team"], users["*****@*****.**"])
