def test_group_disable(session, groups, http_client, base_url):
# create global audit
fe_url = url(base_url, '/audits/create')
ends_at = date.today() + timedelta(days=7)
resp = yield http_client.fetch(fe_url, method="POST",
headers={"X-Grouper-User": "******"},
body=urlencode({"ends_at": ends_at.strftime("%m/%d/%Y")}))
assert resp.code == 200
serving_team, just_created = Group.get_or_create(session, groupname="serving-team")
assert not just_created
assert serving_team.audit
assert not serving_team.audit.complete
# disable with insufficient permissions
fe_url = url(base_url, '/groups/serving-team/disable')
with pytest.raises(HTTPError):
resp = yield http_client.fetch(fe_url, method="POST",
headers={"X-Grouper-User": "******"}, body=urlencode({"name": "serving-team"}))
# disable
fe_url = url(base_url, '/groups/serving-team/disable')
resp = yield http_client.fetch(fe_url, method="POST",
headers={"X-Grouper-User": "******"}, body=urlencode({"name": "serving-team"}))
assert resp.code == 200
serving_team, just_created = Group.get_or_create(session, groupname="serving-team")
assert not just_created
assert serving_team.audit
assert serving_team.audit.complete, "disabling group should complete any outstanding audit"
def run(self, session, **kwargs):
if kwargs.get("group"):
Group.get_or_create(session, groupname=groupname)
session.commit()
elif kwargs.get("key") == "valuewith=":
User.get_or_create(session, username=other_username)
session.commit()
else:
User.get_or_create(session, username=username)
session.commit()
def run(self, session, **kwargs):
if kwargs.get('group'):
Group.get_or_create(session, groupname=groupname)
session.commit()
elif kwargs.get('key') == 'valuewith=':
User.get_or_create(session, username=other_username)
session.commit()
else:
User.get_or_create(session, username=username)
session.commit()
def run(self, session, **kwargs):
if kwargs.get('group'):
Group.get_or_create(session, groupname=groupname)
session.commit()
elif kwargs.get('key') == 'valuewith=':
User.get_or_create(session, username=other_username)
session.commit()
else:
User.get_or_create(session, username=username)
session.commit()
def run(self, session, **kwargs):
if kwargs.get("group"):
Group.get_or_create(session, groupname=groupname)
session.commit()
elif kwargs.get("key") == "valuewith=":
User.get_or_create(session, username=other_username)
session.commit()
else:
User.get_or_create(session, username=username)
session.commit()
def groups(session):
groups = {
groupname: Group.get_or_create(session, groupname=groupname)[0]
for groupname in ("team-sre", "tech-ops", "team-infra", "all-teams", "serving-team",
"security-team", "auditors", "sad-team", "audited-team", "user-admins",
"group-admins")
}
session.commit()
return groups
def groups(session):
groups = {
groupname: Group.get_or_create(session, groupname=groupname)[0]
for groupname in ("team-sre", "tech-ops", "team-infra", "all-teams",
"serving-team", "security-team", "auditors",
"sad-team", "audited-team", "user-admins",
"group-admins")
}
session.commit()
return groups
def test_group_disable(session, groups, http_client, base_url): # noqa: F811
# create global audit
fe_url = url(base_url, "/audits/create")
ends_at = date.today() + timedelta(days=7)
resp = yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": "******"},
body=urlencode({"ends_at": ends_at.strftime("%m/%d/%Y")}),
)
assert resp.code == 200
serving_team, just_created = Group.get_or_create(session, groupname="serving-team")
assert not just_created
assert serving_team.audit
assert not serving_team.audit.complete
# disable with insufficient permissions
fe_url = url(base_url, "/groups/serving-team/disable")
with pytest.raises(HTTPError):
resp = yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": "******"},
body=urlencode({"name": "serving-team"}),
)
# disable
fe_url = url(base_url, "/groups/serving-team/disable")
resp = yield http_client.fetch(
fe_url,
method="POST",
headers={"X-Grouper-User": "******"},
body=urlencode({"name": "serving-team"}),
)
assert resp.code == 200
serving_team, just_created = Group.get_or_create(session, groupname="serving-team")
assert not just_created
assert serving_team.audit
assert serving_team.audit.complete, "disabling group should complete any outstanding audit"
def groups(session):
groups = {
groupname: Group.get_or_create(session, groupname=groupname)[0]
for groupname in ("team-sre", "tech-ops", "team-infra", "all-teams",
"serving-team", "security-team", "auditors",
"sad-team", "audited-team", "user-admins",
"group-admins")
}
groups_with_emails = ("team-sre", "serving-team", "security-team")
for group in groups_with_emails:
groups[group].email_address = "{}@a.co".format(group)
session.commit()
return groups
def groups(session):
groups = {
groupname: Group.get_or_create(session, groupname=groupname)[0]
for groupname in (
"team-sre",
"tech-ops",
"team-infra",
"all-teams",
"serving-team",
"security-team",
"auditors",
"sad-team",
"audited-team",
"user-admins",
"group-admins",
"permission-admins",
)
}
groups_with_emails = ("team-sre", "serving-team", "security-team")
for group in groups_with_emails:
groups[group].email_address = "{}@a.co".format(group)
session.commit()
return groups
def test_auditor_promotion(mock_nnp, mock_gagn, session, graph, permissions, users): # noqa: F811
"""Test automatic promotion of non-auditor approvers
We set up our own group/user/permission for testing instead of
using the `standard_graph` fixture---retrofitting it to work for
us and also not break existing tests is too cumbersome.
So here are our groups:
very-special-auditors:
* user14
group-1:
* user11 (o)
* user12
* user13 (np-o)
* user14 (o, a)
group-2:
* user13 (np-o)
* user21 (o)
* user22
group-3:
* user22 (o)
* user12 (o)
group-4:
* user21 (np-o)
* user41
* user42 (o)
* user43 (np-o)
o: owner, np-o: no-permission owner, a: auditor
group-1 and group-2 have the permission that we will enable
auditing. group-4 will be a subgroup of group-1 and thus will
inherit the audited permission from group-1.
The expected outcome is: user11, user13, user21, user42, and
user43 will be added to the auditors group.
"""
settings = BackgroundSettings()
set_global_settings(settings)
#
# set up our test part of the graph
#
# create groups
AUDITED_GROUP = "audited"
AUDITORS_GROUP = mock_gagn.return_value = "very-special-auditors"
PERMISSION_NAME = "test-permission"
all_groups = {
groupname: Group.get_or_create(session, groupname=groupname)[0]
for groupname in ("group-1", "group-2", "group-3", "group-4", AUDITORS_GROUP)
}
# create users
users.update(
{
username + "@a.co": User.get_or_create(session, username=username + "@a.co")[0]
for username in (
"user11",
"user12",
"user13",
"user14",
"user21",
"user22",
"user23",
"user41",
"user42",
"user43",
)
}
)
# create permissions
permissions.update(
{
permission: get_or_create_permission(
session, permission, description="{} permission".format(permission)
)[0]
for permission in [PERMISSION_NAME]
}
)
# add users to groups
for (groupname, username, role) in (
("group-1", "user11", "owner"),
("group-1", "user12", "member"),
("group-1", "user13", "np-owner"),
("group-1", "user14", "owner"),
("group-2", "user13", "np-owner"),
("group-2", "user21", "owner"),
("group-2", "user22", "member"),
("group-3", "user12", "owner"),
("group-3", "user22", "owner"),
("group-4", "user21", "np-owner"),
("group-4", "user41", "member"),
("group-4", "user42", "owner"),
("group-4", "user43", "np-owner"),
):
add_member(all_groups[groupname], users[username + "@a.co"], role=role)
# add group-4 as member of group-1
add_member(all_groups["group-1"], all_groups["group-4"])
# add user14 to auditors group
add_member(all_groups[AUDITORS_GROUP], users["*****@*****.**"])
# grant permissions to groups
#
# give the test permission to groups 1 and 2, and group 4 should
# also inherit from group 1
grant_permission(all_groups["group-1"], permissions[PERMISSION_NAME])
grant_permission(all_groups["group-2"], permissions[PERMISSION_NAME])
grant_permission(all_groups[AUDITORS_GROUP], permissions[PERMISSION_AUDITOR])
graph.update_from_db(session)
# done setting up
# now a few pre-op checks
assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
assert get_users(graph, "group-3") == set(["*****@*****.**", "*****@*****.**"])
#
# run the promotion logic -> nothing should happen because the
# test-permission is not yet audited
#
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
graph.update_from_db(session)
# nothing should have happened
assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
assert mock_nnp.call_count == 0
#
# now enable auditing for the permission and run the promotion
# logic again
#
enable_permission_auditing(session, PERMISSION_NAME, users["*****@*****.**"].id)
graph.update_from_db(session)
assert graph.get_group_details("group-1").get(AUDITED_GROUP)
assert graph.get_group_details("group-4").get(AUDITED_GROUP)
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
graph.update_from_db(session)
# check that stuff happened
assert get_users(graph, AUDITORS_GROUP) == set(
["*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**"]
)
expected_calls = [
call(
settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-1"])
),
call(
settings,
session,
users["*****@*****.**"],
all_groups[AUDITORS_GROUP],
set(["group-1", "group-2"]),
),
call(
settings,
session,
users["*****@*****.**"],
all_groups[AUDITORS_GROUP],
set(["group-2", "group-4"]),
),
call(
settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-4"])
),
call(
settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-4"])
),
]
assert mock_nnp.call_count == len(expected_calls)
mock_nnp.assert_has_calls(expected_calls, any_order=True)
#
# run the background promotion logic again, and nothing should
# happen
#
mock_nnp.reset_mock()
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
assert mock_nnp.call_count == 0
def test_auditor_promotion(mock_nnp, mock_gagn, session, graph, permissions,
users): # noqa: F811
"""Test automatic promotion of non-auditor approvers
We set up our own group/user/permission for testing instead of
using the `standard_graph` fixture---retrofitting it to work for
us and also not break existing tests is too cumbersome.
So here are our groups:
very-special-auditors:
* user14
group-1:
* user11 (o)
* user12
* user13 (np-o)
* user14 (o, a)
group-2:
* user13 (np-o)
* user21 (o)
* user22
group-3:
* user22 (o)
* user12 (o)
group-4:
* user21 (np-o)
* user41
* user42 (o)
* user43 (np-o)
o: owner, np-o: no-permission owner, a: auditor
group-1 and group-2 have the permission that we will enable
auditing. group-4 will be a subgroup of group-1 and thus will
inherit the audited permission from group-1.
The expected outcome is: user11, user13, user21, user42, and
user43 will be added to the auditors group.
"""
settings = BackgroundSettings()
set_global_settings(settings)
#
# set up our test part of the graph
#
# create groups
AUDITED_GROUP = "audited"
AUDITORS_GROUP = mock_gagn.return_value = "very-special-auditors"
PERMISSION_NAME = "test-permission"
all_groups = {
groupname: Group.get_or_create(session, groupname=groupname)[0]
for groupname in ("group-1", "group-2", "group-3", "group-4",
AUDITORS_GROUP)
}
# create users
users.update({
username + "@a.co": User.get_or_create(session,
username=username + "@a.co")[0]
for username in (
"user11",
"user12",
"user13",
"user14",
"user21",
"user22",
"user23",
"user41",
"user42",
"user43",
)
})
# create permissions
permissions.update({
permission: get_or_create_permission(
session,
permission,
description="{} permission".format(permission))[0]
for permission in [PERMISSION_NAME]
})
# add users to groups
for (groupname, username, role) in (
("group-1", "user11", "owner"),
("group-1", "user12", "member"),
("group-1", "user13", "np-owner"),
("group-1", "user14", "owner"),
("group-2", "user13", "np-owner"),
("group-2", "user21", "owner"),
("group-2", "user22", "member"),
("group-3", "user12", "owner"),
("group-3", "user22", "owner"),
("group-4", "user21", "np-owner"),
("group-4", "user41", "member"),
("group-4", "user42", "owner"),
("group-4", "user43", "np-owner"),
):
add_member(all_groups[groupname], users[username + "@a.co"], role=role)
# add group-4 as member of group-1
add_member(all_groups["group-1"], all_groups["group-4"])
# add user14 to auditors group
add_member(all_groups[AUDITORS_GROUP], users["*****@*****.**"])
# grant permissions to groups
#
# give the test permission to groups 1 and 2, and group 4 should
# also inherit from group 1
grant_permission(all_groups["group-1"], permissions[PERMISSION_NAME])
grant_permission(all_groups["group-2"], permissions[PERMISSION_NAME])
grant_permission(all_groups[AUDITORS_GROUP],
permissions[PERMISSION_AUDITOR])
graph.update_from_db(session)
# done setting up
# now a few pre-op checks
assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
assert get_users(graph, "group-3") == set(["*****@*****.**", "*****@*****.**"])
#
# run the promotion logic -> nothing should happen because the
# test-permission is not yet audited
#
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
graph.update_from_db(session)
# nothing should have happened
assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
assert mock_nnp.call_count == 0
#
# now enable auditing for the permission and run the promotion
# logic again
#
enable_permission_auditing(session, PERMISSION_NAME,
users["*****@*****.**"].id)
graph.update_from_db(session)
assert graph.get_group_details("group-1").get(AUDITED_GROUP)
assert graph.get_group_details("group-4").get(AUDITED_GROUP)
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
graph.update_from_db(session)
# check that stuff happened
assert get_users(graph, AUDITORS_GROUP) == set([
"*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**",
"*****@*****.**", "*****@*****.**"
])
expected_calls = [
call(settings, session, users["*****@*****.**"],
all_groups[AUDITORS_GROUP], set(["group-1"])),
call(
settings,
session,
users["*****@*****.**"],
all_groups[AUDITORS_GROUP],
set(["group-1", "group-2"]),
),
call(
settings,
session,
users["*****@*****.**"],
all_groups[AUDITORS_GROUP],
set(["group-2", "group-4"]),
),
call(settings, session, users["*****@*****.**"],
all_groups[AUDITORS_GROUP], set(["group-4"])),
call(settings, session, users["*****@*****.**"],
all_groups[AUDITORS_GROUP], set(["group-4"])),
]
assert mock_nnp.call_count == len(expected_calls)
mock_nnp.assert_has_calls(expected_calls, any_order=True)
#
# run the background promotion logic again, and nothing should
# happen
#
mock_nnp.reset_mock()
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
assert mock_nnp.call_count == 0
