def test_edit_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag.description == "Test Tag Please Ignore", "The description should match what we created it with"
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/tags/{}/edit'.format(tag.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({"description": "Don't tag me bro"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert tag.description == "Don't tag me bro", "The description should have been updated"
def create_permission(
self, name, description="", audited=False, enabled=True, created_on=None
):
# type: (str, str, bool, bool, Optional[datetime]) -> None
permission = SQLPermission(
name=name, description=description, audited=audited, enabled=enabled
)
if created_on:
permission.created_on = created_on
permission.add(self.session)
def post(self):
can_create = self.current_user.my_creatable_permissions()
if not can_create:
return self.forbidden()
form = PermissionCreateForm(self.request.arguments)
if not form.validate():
return self.render(
"permission-create.html", form=form,
alerts=self.get_form_alerts(form.errors)
)
# A user is allowed to create a permission if the name matches any of the globs that they
# are given access to via PERMISSION_CREATE, as long as the permission does not match a
# reserved name. (Unless specifically granted.)
allowed = False
for creatable in can_create:
if matches_glob(creatable, form.data["name"]):
allowed = True
for failure_message in test_reserved_names(form.data["name"]):
form.name.errors.append(failure_message)
if not allowed:
form.name.errors.append(
"Permission name does not match any of your allowed patterns."
)
if form.name.errors:
return self.render(
"permission-create.html", form=form,
alerts=self.get_form_alerts(form.errors),
)
permission = Permission(name=form.data["name"], description=form.data["description"])
try:
permission.add(self.session)
self.session.flush()
except IntegrityError:
self.session.rollback()
form.name.errors.append(
"Name already in use. Permissions must be unique."
)
return self.render(
"permission-create.html", form=form, can_create=can_create,
alerts=self.get_form_alerts(form.errors),
)
self.session.commit()
AuditLog.log(self.session, self.current_user.id, 'create_permission',
'Created permission.', on_permission_id=permission.id)
# No explicit refresh because handler queries SQL.
return self.redirect("/permissions/{}".format(permission.name))
def test_permissions(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'permission': TAG_EDIT, "argument": "prod"}),
headers={'X-Grouper-User': user.username})
user = session.query(User).filter_by(username="******").scalar()
# add SSH key
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': key_1}),
headers={'X-Grouper-User': user.username})
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here"}),
headers={'X-Grouper-User': user.username})
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
def test_tags(session, users, http_client, base_url, graph):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm2.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
grant_permission_to_tag(session, tag.id, perm.id, "prod")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, key1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
user = session.query(User).filter_by(username="******").scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body['data']['user']['public_keys'][0]
assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
def test_tags(session, http_client, base_url, graph):
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
perm2.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")
tag = PublicKeyTag(name="tyler_was_here")
tag.add(session)
session.commit()
tag = PublicKeyTag.get(session, name="tyler_was_here")
grant_permission_to_tag(session, tag.id, perm.id, "prod")
with pytest.raises(AssertionError):
grant_permission_to_tag(session, tag.id, perm.id, "question?")
user = session.query(User).filter_by(username="******").scalar()
add_public_key(session, user, SSH_KEY_1)
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
add_tag_to_public_key(session, key, tag)
user = session.query(User).filter_by(username="******").scalar()
key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
graph.update_from_db(session)
fe_url = url(base_url, '/users/{}'.format(user.username))
resp = yield http_client.fetch(fe_url)
assert resp.code == 200
body = json.loads(resp.body)
pub_key = body['data']['user']['public_keys'][0]
assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
assert pub_key['fingerprint'] == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
assert pub_key['fingerprint_sha256'] == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
def create_permission(session, name, description=""):
# type: (Session, str, Optional[str]) -> Permission
"""Create and add a new permission to database
Arg(s):
session(models.base.session.Session): database session
name(str): the name of the permission
description(str): the description of the permission
Returns:
The created permission that has been added to the session
"""
permission = Permission(name=name, description=description or "")
permission.add(session)
return permission
def sync_db_command(args):
# Models not implicitly or explictly imported above are explicitly imported
# here:
from grouper.models.perf_profile import PerfProfile # noqa
db_engine = get_db_engine(get_database_url(settings))
Model.metadata.create_all(db_engine)
# Add some basic database structures we know we will need if they don't exist.
session = make_session()
for name, description in SYSTEM_PERMISSIONS:
test = Permission.get(session, name)
if test:
continue
permission = Permission(name=name, description=description)
try:
permission.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create permission: %s' % (name, ))
session.commit()
# This group is needed to bootstrap a Grouper installation.
admin_group = Group.get(session, name="grouper-administrators")
if not admin_group:
admin_group = Group(
groupname="grouper-administrators",
description="Administrators of the Grouper system.",
canjoin="nobody",
)
try:
admin_group.add(session)
session.flush()
except IntegrityError:
session.rollback()
raise Exception('Failed to create group: grouper-administrators')
for permission_name in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
permission = Permission.get(session, permission_name)
assert permission, "Permission should have been created earlier!"
grant_permission(session, admin_group.id, permission.id)
session.commit()
def test_revoke_permission_from_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'permission': TAG_EDIT, "argument": "*"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
perm = Permission.get(session, TAG_EDIT)
assert len(get_public_key_tag_permissions(session, tag)) == 1, "The tag should have exactly 1 permission"
user = session.query(User).filter_by(username="******").scalar()
mapping = get_public_key_tag_permissions(session, tag)[0]
fe_url = url(base_url, '/permissions/{}/revoke_tag/{}'.format(TAG_EDIT, mapping.mapping_id))
resp = yield http_client.fetch(fe_url, method="POST",
body="",
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
assert len(get_public_key_tag_permissions(session, tag)) == 0, "The tag should have no permissions"
def test_grant_permission_to_tag(users, http_client, base_url, session):
user = session.query(User).filter_by(username="******").scalar()
perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
perm.add(session)
session.commit()
grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
fe_url = url(base_url, '/tags')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
headers={'X-Grouper-User': user.username})
tag = PublicKeyTag.get(session, name="tyler_was_here")
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'permission': TAG_EDIT, "argument": "*"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
tag = PublicKeyTag.get(session, name="tyler_was_here")
perm = Permission.get(session, TAG_EDIT)
assert len(get_public_key_tag_permissions(session, tag)) == 1, "The tag should have exactly 1 permission"
assert get_public_key_tag_permissions(session, tag)[0].name == perm.name, "The tag's permission should be the one we added"
assert get_public_key_tag_permissions(session, tag)[0].argument == "*", "The tag's permission should be the one we added"
# Make sure trying to add a permission to a tag doesn't fail horribly if it's already there
user = session.query(User).filter_by(username="******").scalar()
fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'permission': TAG_EDIT, "argument": "*"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
def permissions(session, users):
# type: (Session, Dict[str, User]) -> Dict[str, Permission]
"""Create a standard set of test permissions.
Go to a bit of effort to use unique timestamps for the creation date of permissions, since it
makes it easier to test sorting. Similarly, don't sort the list of permissions to create by
name so that the date sort and the name sort are different.
Do not use milliseconds in the creation timestamps, since the result will be different in
SQLite (where they are preserved) and MySQL (where they are stripped).
"""
all_permissions = [
"owner",
"ssh",
"sudo",
"audited",
AUDIT_MANAGER,
AUDIT_VIEWER,
PERMISSION_AUDITOR,
PERMISSION_ADMIN,
"team-sre",
USER_ADMIN,
GROUP_ADMIN,
]
created_on_seconds = int(time() - 1000)
permissions = {}
for name in all_permissions:
permission = Permission.get(session, name=name)
if not permission:
created_on = datetime.utcfromtimestamp(created_on_seconds)
created_on_seconds += 1
description = "{} permission".format(name)
permission = Permission(name=name, description=description, created_on=created_on)
permission.add(session)
permissions[name] = permission
enable_permission_auditing(session, permissions["audited"].name, users["*****@*****.**"].id)
return permissions
