def test_get_auditors_group(session, standard_graph):  # noqa: F811
    """Check get_auditors_group on its three failure modes and its success path.

    The cases, in order: the ``auditors_group`` setting is unset, the setting
    names a group that cannot be found, the setting names the "auditors" group
    (presumably created by the ``standard_graph`` fixture -- confirm), and the
    same group after its PERMISSION_AUDITOR mapping has been deleted.
    """
    # Case 1: setting not configured at all.
    unset_settings = Mock(auditors_group=None)
    with pytest.raises(NoSuchGroup) as raised:
        get_auditors_group(unset_settings, session)
    unset_message = str(raised.value)
    assert unset_message == "Please ask your admin to configure the `auditors_group` settings"

    # Case 2: setting points at a group name that does not resolve.
    missing_settings = Mock(auditors_group="do-not-exist")
    with pytest.raises(NoSuchGroup) as raised:
        get_auditors_group(missing_settings, session)
    missing_message = str(raised.value)
    assert missing_message == "Please ask your admin to configure the default group for auditors"

    # Case 3: a correctly configured group is returned.
    auditors_group = get_auditors_group(Mock(auditors_group="auditors"), session)
    assert auditors_group is not None

    # Case 4: the configured name alone is not enough. Once the group loses
    # PERMISSION_AUDITOR, the lookup must raise GroupDoesNotHaveAuditPermission.
    audit_perms = []
    for granted in auditors_group.my_permissions():
        if granted.name == PERMISSION_AUDITOR:
            audit_perms.append(granted)
    assert len(audit_perms) == 1
    audit_mapping = PermissionMap.get(session, id=audit_perms[0].mapping_id)
    audit_mapping.delete(session)
    with pytest.raises(GroupDoesNotHaveAuditPermission):
        get_auditors_group(Mock(auditors_group="auditors"), session)
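def promote_nonauditors(self, session):
    # type: (Session) -> None
    """Promote every non-auditor approver of an audited group to auditor.

    Walks the groups returned by
    ``graph.get_groups(audited=True, directly_audited=False)``, collects the
    users who hold an approver role there but lack PERMISSION_AUDITOR, adds
    each of them to the auditors group and sends a notification. The session
    is committed at the end whether or not anyone was promoted.

    Args:
        session (Session): database session

    Raises:
        AssertionError: if a username reported by the graph has no matching
            User record. The final commit is skipped in that case, so
            memberships added earlier in the same run are not committed by
            this method.
    """
    graph = Graph()
    # Hack to ensure the graph is loaded before we access it
    graph.update_from_db(session)

    # Map from username to the names of audited groups in which that user is
    # a non-auditor approver. Keys are usernames, not User objects.
    nonauditor_approver_to_groups = defaultdict(set)  # type: Dict[str, Set[str]]
    # Per-user result of the auditor check, so each user is looked up once.
    user_is_auditor = {}  # type: Dict[str, bool]
    for group_tuple in graph.get_groups(audited=True, directly_audited=False):
        group_md = graph.get_group_details(group_tuple.groupname, expose_aliases=False)
        for username, user_md in iteritems(group_md["users"]):
            if username not in user_is_auditor:
                user_perms = graph.get_user_details(username)["permissions"]
                user_is_auditor[username] = any(
                    p["permission"] == PERMISSION_AUDITOR for p in user_perms
                )
            if user_is_auditor[username]:
                # user is already auditor so can skip
                continue
            if user_md["role"] in APPROVER_ROLE_INDICES:
                # non-auditor approver. BAD!
                nonauditor_approver_to_groups[username].add(group_tuple.groupname)

    if nonauditor_approver_to_groups:
        auditors_group = get_auditors_group(self.settings, session)
        for username, group_names in iteritems(nonauditor_approver_to_groups):
            # Sort the set so the recorded reason is the same on every run.
            reason = "auto-added due to having approver role(s) in group(s): {}".format(
                ", ".join(sorted(group_names))
            )
            user = User.get(session, name=username)
            # An explicit check rather than `assert`: this guards a privilege
            # grant and must not disappear when Python runs with -O.
            if not user:
                raise AssertionError(
                    "no User found for username {!r} reported by the graph".format(username)
                )
            # NOTE(review): the promoted user is passed as both of the first
            # two arguments, so presumably the membership is recorded as
            # requested by the user themselves and already "actioned" --
            # confirm that audit-log consumers can tell this automatic grant
            # apart; the reason string is the only marker visible here.
            auditors_group.add_member(user, user, reason, status="actioned")
            notify_nonauditor_promoted(
                self.settings, session, user, auditors_group, group_names
            )

    session.commit()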
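def promote_nonauditors(self, session):
    # type: (Session) -> None
    """Ensure every approver of an audited group holds PERMISSION_AUDITOR.

    Scans the groups returned by
    ``graph.get_groups(audited=True, directly_audited=False)``. Any user with
    an approver role in one of them who does not already have
    PERMISSION_AUDITOR is added to the auditors group and notified. The
    session is committed once at the end, even when nobody was promoted.

    Args:
        session (Session): database session

    Raises:
        AssertionError: if the graph reports a username for which no User
            record is found. The commit at the end is not reached in that
            case, so this method does not commit memberships added earlier
            in the same run.
    """
    graph = Graph()
    # Hack to ensure the graph is loaded before we access it
    graph.update_from_db(session)

    # Keyed by username (a string, not a User object): the audited groups in
    # which that user is an approver without the auditor permission.
    nonauditor_approver_to_groups = defaultdict(set)  # type: Dict[str, Set[str]]
    # Remembers the auditor check per username across groups.
    user_is_auditor = {}  # type: Dict[str, bool]
    for group_tuple in graph.get_groups(audited=True, directly_audited=False):
        group_md = graph.get_group_details(group_tuple.name, expose_aliases=False)
        for username, user_md in iteritems(group_md["users"]):
            if username not in user_is_auditor:
                user_perms = graph.get_user_details(username)["permissions"]
                user_is_auditor[username] = any(
                    p["permission"] == PERMISSION_AUDITOR for p in user_perms
                )
            if user_is_auditor[username]:
                # user is already auditor so can skip
                continue
            if user_md["role"] in APPROVER_ROLE_INDICES:
                # non-auditor approver. BAD!
                nonauditor_approver_to_groups[username].add(group_tuple.name)

    if nonauditor_approver_to_groups:
        auditors_group = get_auditors_group(self.settings, session)
        for username, group_names in iteritems(nonauditor_approver_to_groups):
            # group_names is a set; sorting keeps the stored reason stable
            # between runs instead of depending on set iteration order.
            reason = "auto-added due to having approver role(s) in group(s): {}".format(
                ", ".join(sorted(group_names))
            )
            user = User.get(session, name=username)
            # `assert` is stripped under -O; keep this guard unconditional
            # because the next call grants auditor membership.
            if not user:
                raise AssertionError(
                    "no User found for username {!r} reported by the graph".format(username)
                )
            # NOTE(review): `user` fills both of the first two arguments and
            # the status is "actioned", so presumably the grant is recorded
            # as self-requested and takes effect without an approval step --
            # confirm against add_member and make sure reviewers of the audit
            # log can identify these automatic promotions by the reason text.
            auditors_group.add_member(user, user, reason, status="actioned")
            notify_nonauditor_promoted(
                self.settings, session, user, auditors_group, group_names
            )

    session.commit()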
def test_get_auditors_group(session, standard_graph):  # noqa: F811
    """Verify the errors and the success result of get_auditors_group.

    Walks through an unset ``auditors_group`` setting, a setting naming a
    group that is not found, a working "auditors" group, and finally the same
    group once its PERMISSION_AUDITOR mapping is removed.
    """
    expected_unset = "Please ask your admin to configure the `auditors_group` settings"
    expected_missing = "Please ask your admin to configure the default group for auditors"

    # No group configured.
    with pytest.raises(NoSuchGroup) as err:
        get_auditors_group(Mock(auditors_group=None), session)
    assert str(err.value) == expected_unset

    # Configured name does not match any group.
    with pytest.raises(NoSuchGroup) as err:
        get_auditors_group(Mock(auditors_group="do-not-exist"), session)
    assert str(err.value) == expected_missing

    # now should be able to get the group
    configured = Mock(auditors_group="auditors")
    auditors_group = get_auditors_group(configured, session)
    assert auditors_group is not None

    # Revoke the permission: a group that merely carries the configured name
    # but no longer holds PERMISSION_AUDITOR must be rejected with
    # GroupDoesNotHaveAuditPermission.
    matching = list(
        filter(lambda perm: perm.name == PERMISSION_AUDITOR, auditors_group.my_permissions())
    )
    assert len(matching) == 1
    grant = PermissionMap.get(session, id=matching[0].mapping_id)
    grant.delete(session)
    with pytest.raises(GroupDoesNotHaveAuditPermission):
        get_auditors_group(Mock(auditors_group="auditors"), session)