def test_user_public_key(make_session, session, users):
make_session.return_value = session
# good key
username = '******'
call_main('user', 'add_public_key', username, SSH_KEY_1)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# duplicate key
call_main('user', 'add_public_key', username, SSH_KEY_1)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# bad key
call_main('user', 'add_public_key', username, SSH_KEY_BAD)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
def test_public_key(session, users, http_client, base_url): # noqa: F811
user = users["*****@*****.**"]
assert not get_public_keys_of_user(session, user.id)
# add it
fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"public_key": SSH_KEY_ED25519}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
user = User.get(session, name=user.username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_ED25519
assert keys[0].fingerprint == "fa:d9:ca:40:bd:f7:64:37:a7:99:3a:8e:50:8a:c5:94"
assert keys[0].fingerprint_sha256 == "ExrCZ0nqSJv+LqAEh8CWeKUxiAeZA+N0bKC18dK7Adg"
assert keys[0].comment == "comment"
# delete it
fe_url = url(base_url, "/users/{}/public-key/{}/delete".format(user.username, keys[0].id))
resp = yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": user.username}
)
assert resp.code == 200
user = User.get(session, name=user.username)
assert not get_public_keys_of_user(session, user.id)
def test_user_public_key(make_session, session, users):
make_session.return_value = session
# good key
username = '******'
call_main('user', 'add_public_key', username, SSH_KEY_1)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# duplicate key
call_main('user', 'add_public_key', username, SSH_KEY_1)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# bad key
call_main('user', 'add_public_key', username, SSH_KEY_BAD)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
def test_sa_pubkeys(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
assert not get_public_keys_of_user(session, user.id)
with pytest.raises(HTTPError):
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': "******"})
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# add bad key -- shouldn't add
fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': SSH_KEY_BAD}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
keys = get_public_keys_of_user(session, sa.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
with pytest.raises(HTTPError):
# delete it
fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id))
resp = yield http_client.fetch(fe_url, method="POST", body='',
headers={'X-Grouper-User': "******"})
# delete it
fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id))
resp = yield http_client.fetch(fe_url, method="POST", body='',
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
assert not get_public_keys_of_user(session, sa.id)
def test_public_key(session, users, http_client, base_url):
user = users['*****@*****.**']
assert not get_public_keys_of_user(session, user.id)
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
assert keys[0].fingerprint == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
assert keys[0].fingerprint_sha256 == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
assert keys[0].comment == 'some-comment'
# delete it
fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format(user.username, keys[0].id))
resp = yield http_client.fetch(fe_url, method="POST", body='',
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
assert not get_public_keys_of_user(session, user.id)
def test_user_public_key(make_session, session, users):
make_session.return_value = session
# good key
username = '******'
good_key = (
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUQeasspT/etEJR2WUoR+h2sMOQYbJgr0Q'
'E+J8p97gEhmz107KWZ+3mbOwyIFzfWBcJZCEg9wy5Paj+YxbGONqbpXAhPdVQ2TLgxr41bNXvbcR'
'AxZC+Q12UZywR4Klb2kungKz4qkcmSZzouaKK12UxzGB3xQ0N+3osKFj3xA1+B6HqrVreU19XdVo'
'AJh0xLZwhw17/NDM+dAcEdMZ9V89KyjwjraXtOVfFhQF0EDF0ame8d6UkayGrAiXC2He0P2Cja+J'
'371P27AlNLHFJij8WGxvcGGSeAxMLoVSDOOllLCYH5UieV8mNpX1kNe2LeA58ciZb0AXHaipSmCH'
'gh/ some-comment')
call_main('user', 'add_public_key', username, good_key)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
# bad key
username = '******'
bad_key = 'ssh-rsa AAAblahblahkey some-comment'
call_main('user', 'add_public_key', username, good_key)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
def test_user_public_key(make_session, session, users):
make_session.return_value = session
# good key
username = '******'
good_key = ('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUQeasspT/etEJR2WUoR+h2sMOQYbJgr0Q'
'E+J8p97gEhmz107KWZ+3mbOwyIFzfWBcJZCEg9wy5Paj+YxbGONqbpXAhPdVQ2TLgxr41bNXvbcR'
'AxZC+Q12UZywR4Klb2kungKz4qkcmSZzouaKK12UxzGB3xQ0N+3osKFj3xA1+B6HqrVreU19XdVo'
'AJh0xLZwhw17/NDM+dAcEdMZ9V89KyjwjraXtOVfFhQF0EDF0ame8d6UkayGrAiXC2He0P2Cja+J'
'371P27AlNLHFJij8WGxvcGGSeAxMLoVSDOOllLCYH5UieV8mNpX1kNe2LeA58ciZb0AXHaipSmCH'
'gh/ some-comment')
call_main('user', 'add_public_key', username, good_key)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
# bad key
username = '******'
bad_key = 'ssh-rsa AAAblahblahkey some-comment'
call_main('user', 'add_public_key', username, good_key)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
def test_public_key(session, users, http_client, base_url):
user = users['*****@*****.**']
assert not get_public_keys_of_user(session, user.id)
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
assert keys[
0].fingerprint == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
assert keys[
0].fingerprint_sha256 == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
assert keys[0].comment == 'some-comment'
# delete it
fe_url = url(
base_url,
'/users/{}/public-key/{}/delete'.format(user.username, keys[0].id))
resp = yield http_client.fetch(fe_url,
method="POST",
body='',
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
assert not get_public_keys_of_user(session, user.id)
def test_public_key_admin(session, users, http_client, base_url):
user = users['*****@*****.**']
assert not get_public_keys_of_user(session, user.id)
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# have an admin delete it
fe_url = url(
base_url,
'/users/{}/public-key/{}/delete'.format(user.username, keys[0].id))
resp = yield http_client.fetch(
fe_url,
method="POST",
body='',
headers={'X-Grouper-User': "******"})
assert resp.code == 200
user = User.get(session, name=user.username)
assert not get_public_keys_of_user(session, user.id)
def test_public_key_admin(session, users, http_client, base_url): # noqa: F811
user = users["*****@*****.**"]
assert not get_public_keys_of_user(session, user.id)
# add it
fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"public_key": SSH_KEY_1}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
user = User.get(session, name=user.username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# have an admin delete it
fe_url = url(base_url, "/users/{}/public-key/{}/delete".format(user.username, keys[0].id))
resp = yield http_client.fetch(
fe_url, method="POST", body="", headers={"X-Grouper-User": "******"}
)
assert resp.code == 200
user = User.get(session, name=user.username)
assert not get_public_keys_of_user(session, user.id)
def test_user_public_key(make_session, session, users): # noqa: F811
make_session.return_value = session
# good key
username = "******"
call_main(session, "user", "add_public_key", username, SSH_KEY_1)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# duplicate key
call_main(session, "user", "add_public_key", username, SSH_KEY_1)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# bad key
call_main(session, "user", "add_public_key", username, SSH_KEY_BAD)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
def test_duplicate_key(session, users):
user = users["*****@*****.**"]
add_public_key(session, user, SSH_KEY_1)
assert len(get_public_keys_of_user(session, user.id)) == 1
with pytest.raises(DuplicateKey):
add_public_key(session, user, SSH_KEY_1)
assert len(get_public_keys_of_user(session, user.id)) == 1
def test_bad_key(session, users):
user = users["*****@*****.**"]
with pytest.raises(PublicKeyParseError):
add_public_key(session, user, SSH_KEY_BAD)
assert get_public_keys_of_user(session, user.id) == []
def get_user_view_template_vars(session, actor, user, graph):
# type: (Session, User, User, GroupGraph) -> Dict[str, Any]
# TODO(cbguder): get around circular dependencies
from grouper.fe.handlers.user_disable import UserDisable
from grouper.fe.handlers.user_enable import UserEnable
ret = {} # type: Dict[str, Any]
if user.is_service_account:
ret["can_control"] = can_manage_service_account(
session, user.service_account, actor
) or user_is_user_admin(session, actor)
ret["can_disable"] = ret["can_control"]
ret["can_enable"] = user_is_user_admin(session, actor)
ret["can_enable_preserving_membership"] = user_is_user_admin(session, actor)
ret["account"] = user.service_account
else:
ret["can_control"] = user.name == actor.name or user_is_user_admin(session, actor)
ret["can_disable"] = UserDisable.check_access(session, actor, user)
ret["can_enable_preserving_membership"] = UserEnable.check_access(session, actor, user)
ret["can_enable"] = UserEnable.check_access_without_membership(session, actor, user)
if user.id == actor.id:
ret["num_pending_group_requests"] = user_requests_aggregate(session, actor).count()
_, ret["num_pending_perm_requests"] = get_requests(
session, status="pending", limit=1, offset=0, owner=actor
)
else:
ret["num_pending_group_requests"] = None
ret["num_pending_perm_requests"] = None
try:
user_md = graph.get_user_details(user.name)
except NoSuchUser:
# Either user is probably very new, so they have no metadata yet, or
# they're disabled, so we've excluded them from the in-memory graph.
user_md = {}
shell_metadata = get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
ret["shell"] = shell_metadata.data_value if shell_metadata else "No shell configured"
github_username = get_user_metadata_by_key(session, user.id, USER_METADATA_GITHUB_USERNAME_KEY)
ret["github_username"] = github_username.data_value if github_username else "(Unset)"
ret["open_audits"] = user_open_audits(session, user)
group_edge_list = get_groups_by_user(session, user) if user.enabled else []
ret["groups"] = [
{"name": g.name, "type": "Group", "role": ge._role} for g, ge in group_edge_list
]
ret["passwords"] = user_passwords(session, user)
ret["public_keys"] = get_public_keys_of_user(session, user.id)
ret["log_entries"] = get_log_entries_by_user(session, user)
ret["user_tokens"] = user.tokens
if user.is_service_account:
service_account = user.service_account
ret["permissions"] = service_account_permissions(session, service_account)
else:
ret["permissions"] = user_md.get("permissions", [])
for permission in ret["permissions"]:
permission["granted_on"] = datetime.fromtimestamp(permission["granted_on"])
return ret
def get_user_view_template_vars(session, actor, user, graph):
# TODO(cbguder): get around circular dependencies
from grouper.fe.handlers.user_disable import UserDisable
from grouper.fe.handlers.user_enable import UserEnable
ret = {}
if user.is_service_account:
ret["can_control"] = (
can_manage_service_account(session, user.service_account, actor) or
user_is_user_admin(session, actor)
)
ret["can_disable"] = ret["can_control"]
ret["can_enable"] = user_is_user_admin(session, actor)
ret["account"] = user.service_account
else:
ret["can_control"] = (user.name == actor.name or user_is_user_admin(session, actor))
ret["can_disable"] = UserDisable.check_access(session, actor, user)
ret["can_enable"] = UserEnable.check_access(session, actor, user)
if user.id == actor.id:
ret["num_pending_group_requests"] = user_requests_aggregate(session, actor).count()
_, ret["num_pending_perm_requests"] = get_requests_by_owner(session, actor,
status='pending', limit=1, offset=0)
else:
ret["num_pending_group_requests"] = None
ret["num_pending_perm_requests"] = None
try:
user_md = graph.get_user_details(user.name)
except NoSuchUser:
# Either user is probably very new, so they have no metadata yet, or
# they're disabled, so we've excluded them from the in-memory graph.
user_md = {}
shell = (get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY).data_value
if get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
else "No shell configured")
ret["shell"] = shell
ret["open_audits"] = user_open_audits(session, user)
group_edge_list = get_groups_by_user(session, user) if user.enabled else []
ret["groups"] = [{'name': g.name, 'type': 'Group', 'role': ge._role}
for g, ge in group_edge_list]
ret["passwords"] = user_passwords(session, user)
ret["public_keys"] = get_public_keys_of_user(session, user.id)
for key in ret["public_keys"]:
key.tags = get_public_key_tags(session, key)
key.pretty_permissions = ["{} ({})".format(perm.name,
perm.argument if perm.argument else "unargumented")
for perm in get_public_key_permissions(session, key)]
ret["log_entries"] = get_log_entries_by_user(session, user)
ret["user_tokens"] = user.tokens
if user.is_service_account:
service_account = user.service_account
ret["permissions"] = service_account_permissions(session, service_account)
else:
ret["permissions"] = user_md.get('permissions', [])
return ret
def test_rejected_key(get_plugin_proxy, session, users):
get_plugin_proxy.return_value = PluginProxy([PublicKeyPlugin()])
user = users["*****@*****.**"]
with pytest.raises(BadPublicKey):
add_public_key(session, user, SSH_KEY_1)
assert get_public_keys_of_user(session, user.id) == []
def test_bad_public_key(session, users, http_client, base_url):
user = users['*****@*****.**']
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': SSH_KEY_BAD}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert "Public key appears to be invalid" in resp.body
assert not get_public_keys_of_user(session, user.id)
def test_bad_public_key(session, users, http_client, base_url):
user = users['*****@*****.**']
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': SSH_KEY_BAD}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert "Public key appears to be invalid" in resp.body
assert not get_public_keys_of_user(session, user.id)
def test_bad_public_key(session, users, http_client, base_url): # noqa: F811
user = users["*****@*****.**"]
fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"public_key": SSH_KEY_BAD}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
assert b"Public key appears to be invalid" in resp.body
assert not get_public_keys_of_user(session, user.id)
def test_rejected_public_key(session, users, http_client, base_url):
user = users['*****@*****.**']
with patch('grouper.public_key.add_public_key') as add_public_key:
add_public_key.side_effect = BadPublicKey("Your key is bad and you should feel bad")
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert "Your key is bad and you should feel bad" in resp.body
assert not get_public_keys_of_user(session, user.id)
def test_user_public_key(session, tmpdir, users): # noqa: F811
# good key
username = "******"
call_main(session, tmpdir, "user", "add_public_key", username, SSH_KEY_1)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# duplicate key
call_main(session, tmpdir, "user", "add_public_key", username, SSH_KEY_1)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# bad key
call_main(session, tmpdir, "user", "add_public_key", username, SSH_KEY_BAD)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
def get_user_view_template_vars(session, actor, user, graph):
ret = {}
ret["can_control"] = (user.name == actor.name
or user_is_user_admin(session, actor))
ret["can_disable"] = UserDisable.check_access(session, actor, user)
ret["can_enable"] = UserEnable.check_access(session, actor, user)
if user.id == actor.id:
ret["num_pending_group_requests"] = user_requests_aggregate(
session, actor).count()
_, ret["num_pending_perm_requests"] = get_requests_by_owner(
session, actor, status='pending', limit=1, offset=0)
else:
ret["num_pending_group_requests"] = None
ret["num_pending_perm_requests"] = None
try:
user_md = graph.get_user_details(user.name)
except NoSuchUser:
# Either user is probably very new, so they have no metadata yet, or
# they're disabled, so we've excluded them from the in-memory graph.
user_md = {}
shell = (get_user_metadata_by_key(session, user.id,
USER_METADATA_SHELL_KEY).data_value
if get_user_metadata_by_key(session, user.id,
USER_METADATA_SHELL_KEY) else
"No shell configured")
ret["shell"] = shell
ret["open_audits"] = user_open_audits(session, user)
group_edge_list = get_groups_by_user(session, user) if user.enabled else []
ret["groups"] = [{
'name': g.name,
'type': 'Group',
'role': ge._role
} for g, ge in group_edge_list]
ret["passwords"] = user_passwords(session, user)
ret["public_keys"] = get_public_keys_of_user(session, user.id)
for key in ret["public_keys"]:
key.tags = get_public_key_tags(session, key)
key.pretty_permissions = [
"{} ({})".format(
perm.name, perm.argument if perm.argument else "unargumented")
for perm in get_public_key_permissions(session, key)
]
ret["permissions"] = user_md.get('permissions', [])
ret["log_entries"] = get_log_entries_by_user(session, user)
ret["user_tokens"] = user.tokens
return ret
def test_rejected_public_key(session, users, http_client, base_url): # noqa: F811
user = users["*****@*****.**"]
with patch("grouper.public_key.add_public_key") as add_public_key:
add_public_key.side_effect = BadPublicKey("Your key is bad and you should feel bad")
fe_url = url(base_url, "/users/{}/public-key/add".format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({"public_key": SSH_KEY_1}),
headers={"X-Grouper-User": user.username},
)
assert resp.code == 200
assert b"Your key is bad and you should feel bad" in resp.body
assert not get_public_keys_of_user(session, user.id)
def test_rejected_public_key(session, users, http_client, base_url):
user = users['*****@*****.**']
with patch('grouper.public_key.add_public_key') as add_public_key:
add_public_key.side_effect = BadPublicKey(
"Your key is bad and you should feel bad")
fe_url = url(base_url,
'/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(
fe_url,
method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert "Your key is bad and you should feel bad" in resp.body
assert not get_public_keys_of_user(session, user.id)
def get_user_view_template_vars(session, actor, user, graph):
# TODO(cbguder): get around circular dependencies
from grouper.fe.handlers.user_disable import UserDisable
from grouper.fe.handlers.user_enable import UserEnable
ret = {}
if user.is_service_account:
ret["can_control"] = can_manage_service_account(
session, user.service_account, actor
) or user_is_user_admin(session, actor)
ret["can_disable"] = ret["can_control"]
ret["can_enable"] = user_is_user_admin(session, actor)
ret["can_enable_preserving_membership"] = user_is_user_admin(session, actor)
ret["account"] = user.service_account
else:
ret["can_control"] = user.name == actor.name or user_is_user_admin(session, actor)
ret["can_disable"] = UserDisable.check_access(session, actor, user)
ret["can_enable_preserving_membership"] = UserEnable.check_access(session, actor, user)
ret["can_enable"] = UserEnable.check_access_without_membership(session, actor, user)
if user.id == actor.id:
ret["num_pending_group_requests"] = user_requests_aggregate(session, actor).count()
_, ret["num_pending_perm_requests"] = get_requests(
session, status="pending", limit=1, offset=0, owner=actor
)
else:
ret["num_pending_group_requests"] = None
ret["num_pending_perm_requests"] = None
try:
user_md = graph.get_user_details(user.name)
except NoSuchUser:
# Either user is probably very new, so they have no metadata yet, or
# they're disabled, so we've excluded them from the in-memory graph.
user_md = {}
shell = (
get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY).data_value
if get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
else "No shell configured"
)
ret["shell"] = shell
ret["open_audits"] = user_open_audits(session, user)
group_edge_list = get_groups_by_user(session, user) if user.enabled else []
ret["groups"] = [
{"name": g.name, "type": "Group", "role": ge._role} for g, ge in group_edge_list
]
ret["passwords"] = user_passwords(session, user)
ret["public_keys"] = get_public_keys_of_user(session, user.id)
for key in ret["public_keys"]:
key.tags = get_public_key_tags(session, key)
key.pretty_permissions = [
"{} ({})".format(perm.name, perm.argument if perm.argument else "unargumented")
for perm in get_public_key_permissions(session, key)
]
ret["log_entries"] = get_log_entries_by_user(session, user)
ret["user_tokens"] = user.tokens
if user.is_service_account:
service_account = user.service_account
ret["permissions"] = service_account_permissions(session, service_account)
else:
ret["permissions"] = user_md.get("permissions", [])
return ret
def test_sa_pubkeys(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
fe_url = url(base_url, '/service/create')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'name': '*****@*****.**', "description": "Hi", "canjoin": "canjoin"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert User.get(session, name="*****@*****.**") is None
assert Group.get(session, name="*****@*****.**") is None
# Add account
fe_url = url(base_url, '/service/create')
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'name': '*****@*****.**', "description": "Hi", "canjoin": "canjoin"}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_service_account(session, user=u)
assert is_service_account(session, group=g)
assert get_service_account(session, user=u).group.id == g.id
assert get_service_account(session, group=g).user.id == u.id
assert not is_service_account(session, user=user)
assert not is_service_account(session, group=Group.get(session, name="team-sre"))
assert not get_public_keys_of_user(session, user.id)
good_key = ('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUQeasspT/etEJR2WUoR+h2sMOQYbJgr0Q'
'E+J8p97gEhmz107KWZ+3mbOwyIFzfWBcJZCEg9wy5Paj+YxbGONqbpXAhPdVQ2TLgxr41bNXvbcR'
'AxZC+Q12UZywR4Klb2kungKz4qkcmSZzouaKK12UxzGB3xQ0N+3osKFj3xA1+B6HqrVreU19XdVo'
'AJh0xLZwhw17/NDM+dAcEdMZ9V89KyjwjraXtOVfFhQF0EDF0ame8d6UkayGrAiXC2He0P2Cja+J'
'371P27AlNLHFJij8WGxvcGGSeAxMLoVSDOOllLCYH5UieV8mNpX1kNe2LeA58ciZb0AXHaipSmCH'
'gh/ some-comment')
bad_key = 'ssh-rsa AAAblahblahkey some-comment'
with pytest.raises(HTTPError):
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': good_key}),
headers={'X-Grouper-User': "******"})
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': good_key}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# add bad key -- shouldn't add
fe_url = url(base_url, '/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': bad_key}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
keys = get_public_keys_of_user(session, sa.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
with pytest.raises(HTTPError):
# delete it
fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id))
resp = yield http_client.fetch(fe_url, method="POST", body='',
headers={'X-Grouper-User': "******"})
# delete it
fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format("*****@*****.**", keys[0].id))
resp = yield http_client.fetch(fe_url, method="POST", body='',
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
assert not get_public_keys_of_user(session, sa.id)
def test_sa_pubkeys(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
create_role_user(session, user, '*****@*****.**', 'Hi', 'canjoin')
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_role_user(session, user=u)
assert is_role_user(session, group=g)
assert get_role_user(session, user=u).group.id == g.id
assert get_role_user(session, group=g).user.id == u.id
assert not is_role_user(session, user=user)
assert not is_role_user(session, group=Group.get(session, name="team-sre"))
assert not get_public_keys_of_user(session, user.id)
with pytest.raises(HTTPError):
# add it
fe_url = url(base_url,
'/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode(
{'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': "******"})
# add it
fe_url = url(base_url,
'/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': SSH_KEY_1}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# add bad key -- shouldn't add
fe_url = url(base_url,
'/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': SSH_KEY_BAD}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
keys = get_public_keys_of_user(session, sa.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
with pytest.raises(HTTPError):
# delete it
fe_url = url(
base_url,
'/users/{}/public-key/{}/delete'.format("*****@*****.**",
keys[0].id))
resp = yield http_client.fetch(fe_url,
method="POST",
body='',
headers={'X-Grouper-User': "******"})
# delete it
fe_url = url(
base_url,
'/users/{}/public-key/{}/delete'.format("*****@*****.**",
keys[0].id))
resp = yield http_client.fetch(fe_url,
method="POST",
body='',
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
assert not get_public_keys_of_user(session, sa.id)
def test_public_key(session, users, http_client, base_url):
user = users['*****@*****.**']
assert not get_public_keys_of_user(session, user.id)
good_key = ('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUQeasspT/etEJR2WUoR+h2sMOQYbJgr0Q'
'E+J8p97gEhmz107KWZ+3mbOwyIFzfWBcJZCEg9wy5Paj+YxbGONqbpXAhPdVQ2TLgxr41bNXvbcR'
'AxZC+Q12UZywR4Klb2kungKz4qkcmSZzouaKK12UxzGB3xQ0N+3osKFj3xA1+B6HqrVreU19XdVo'
'AJh0xLZwhw17/NDM+dAcEdMZ9V89KyjwjraXtOVfFhQF0EDF0ame8d6UkayGrAiXC2He0P2Cja+J'
'371P27AlNLHFJij8WGxvcGGSeAxMLoVSDOOllLCYH5UieV8mNpX1kNe2LeA58ciZb0AXHaipSmCH'
'gh/ some-comment')
bad_key = 'ssh-rsa AAAblahblahkey some-comment'
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': good_key}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# add bad key -- shouldn't add
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': bad_key}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
# delete it
fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format(user.username, keys[0].id))
resp = yield http_client.fetch(fe_url, method="POST", body='',
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
assert not get_public_keys_of_user(session, user.id)
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url, method="POST",
body=urlencode({'public_key': good_key}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
# have an admin delete it
fe_url = url(base_url, '/users/{}/public-key/{}/delete'.format(user.username, keys[0].id))
resp = yield http_client.fetch(fe_url, method="POST", body='',
headers={'X-Grouper-User': "******"})
assert resp.code == 200
user = User.get(session, name=user.username)
assert not get_public_keys_of_user(session, user.id)
def get_user_view_template_vars(session, actor, user, graph):
# type: (Session, User, User, GroupGraph) -> Dict[str, Any]
# TODO(cbguder): get around circular dependencies
from grouper.fe.handlers.user_disable import UserDisable
from grouper.fe.handlers.user_enable import UserEnable
ret = {} # type: Dict[str, Any]
if user.is_service_account:
ret["can_control"] = can_manage_service_account(
session, user.service_account, actor
) or user_is_user_admin(session, actor)
ret["can_disable"] = ret["can_control"]
ret["can_enable"] = user_is_user_admin(session, actor)
ret["can_enable_preserving_membership"] = user_is_user_admin(session, actor)
ret["account"] = user.service_account
else:
ret["can_control"] = user.name == actor.name or user_is_user_admin(session, actor)
ret["can_disable"] = UserDisable.check_access(session, actor, user)
ret["can_enable_preserving_membership"] = UserEnable.check_access(session, actor, user)
ret["can_enable"] = UserEnable.check_access_without_membership(session, actor, user)
if user.id == actor.id:
ret["num_pending_group_requests"] = user_requests_aggregate(session, actor).count()
_, ret["num_pending_perm_requests"] = get_requests(
session, status="pending", limit=1, offset=0, owner=actor
)
else:
ret["num_pending_group_requests"] = None
ret["num_pending_perm_requests"] = None
try:
user_md = graph.get_user_details(user.name)
except NoSuchUser:
# Either user is probably very new, so they have no metadata yet, or
# they're disabled, so we've excluded them from the in-memory graph.
user_md = {}
shell = (
get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY).data_value
if get_user_metadata_by_key(session, user.id, USER_METADATA_SHELL_KEY)
else "No shell configured"
)
ret["shell"] = shell
github_username = get_user_metadata_by_key(session, user.id, USER_METADATA_GITHUB_USERNAME_KEY)
ret["github_username"] = github_username.data_value if github_username else "(Unset)"
ret["open_audits"] = user_open_audits(session, user)
group_edge_list = get_groups_by_user(session, user) if user.enabled else []
ret["groups"] = [
{"name": g.name, "type": "Group", "role": ge._role} for g, ge in group_edge_list
]
ret["passwords"] = user_passwords(session, user)
ret["public_keys"] = get_public_keys_of_user(session, user.id)
ret["log_entries"] = get_log_entries_by_user(session, user)
ret["user_tokens"] = user.tokens
if user.is_service_account:
service_account = user.service_account
ret["permissions"] = service_account_permissions(session, service_account)
else:
ret["permissions"] = user_md.get("permissions", [])
for permission in ret["permissions"]:
permission["granted_on"] = datetime.fromtimestamp(permission["granted_on"])
return ret
def test_sa_pubkeys(session, users, http_client, base_url):
user = users['*****@*****.**']
# Add account
fe_url = url(base_url, '/service/create')
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'name': '*****@*****.**',
"description": "Hi",
"canjoin": "canjoin"
}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
assert User.get(session, name="*****@*****.**") is None
assert Group.get(session, name="*****@*****.**") is None
# Add account
fe_url = url(base_url, '/service/create')
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({
'name': '*****@*****.**',
"description": "Hi",
"canjoin": "canjoin"
}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
u = User.get(session, name="*****@*****.**")
g = Group.get(session, name="*****@*****.**")
assert u is not None
assert g is not None
assert is_service_account(session, user=u)
assert is_service_account(session, group=g)
assert get_service_account(session, user=u).group.id == g.id
assert get_service_account(session, group=g).user.id == u.id
assert not is_service_account(session, user=user)
assert not is_service_account(session,
group=Group.get(session, name="team-sre"))
assert not get_public_keys_of_user(session, user.id)
good_key = (
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUQeasspT/etEJR2WUoR+h2sMOQYbJgr0Q'
'E+J8p97gEhmz107KWZ+3mbOwyIFzfWBcJZCEg9wy5Paj+YxbGONqbpXAhPdVQ2TLgxr41bNXvbcR'
'AxZC+Q12UZywR4Klb2kungKz4qkcmSZzouaKK12UxzGB3xQ0N+3osKFj3xA1+B6HqrVreU19XdVo'
'AJh0xLZwhw17/NDM+dAcEdMZ9V89KyjwjraXtOVfFhQF0EDF0ame8d6UkayGrAiXC2He0P2Cja+J'
'371P27AlNLHFJij8WGxvcGGSeAxMLoVSDOOllLCYH5UieV8mNpX1kNe2LeA58ciZb0AXHaipSmCH'
'gh/ some-comment')
bad_key = 'ssh-rsa AAAblahblahkey some-comment'
with pytest.raises(HTTPError):
# add it
fe_url = url(base_url,
'/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key':
good_key}),
headers={'X-Grouper-User': "******"})
# add it
fe_url = url(base_url,
'/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': good_key}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# add bad key -- shouldn't add
fe_url = url(base_url,
'/users/{}/public-key/add'.format("*****@*****.**"))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': bad_key}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
keys = get_public_keys_of_user(session, sa.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
with pytest.raises(HTTPError):
# delete it
fe_url = url(
base_url,
'/users/{}/public-key/{}/delete'.format("*****@*****.**",
keys[0].id))
resp = yield http_client.fetch(fe_url,
method="POST",
body='',
headers={'X-Grouper-User': "******"})
# delete it
fe_url = url(
base_url,
'/users/{}/public-key/{}/delete'.format("*****@*****.**",
keys[0].id))
resp = yield http_client.fetch(fe_url,
method="POST",
body='',
headers={'X-Grouper-User': user.username})
assert resp.code == 200
sa = User.get(session, name="*****@*****.**")
assert not get_public_keys_of_user(session, sa.id)
def test_public_key(session, users, http_client, base_url):
user = users['*****@*****.**']
assert not get_public_keys_of_user(session, user.id)
good_key = (
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUQeasspT/etEJR2WUoR+h2sMOQYbJgr0Q'
'E+J8p97gEhmz107KWZ+3mbOwyIFzfWBcJZCEg9wy5Paj+YxbGONqbpXAhPdVQ2TLgxr41bNXvbcR'
'AxZC+Q12UZywR4Klb2kungKz4qkcmSZzouaKK12UxzGB3xQ0N+3osKFj3xA1+B6HqrVreU19XdVo'
'AJh0xLZwhw17/NDM+dAcEdMZ9V89KyjwjraXtOVfFhQF0EDF0ame8d6UkayGrAiXC2He0P2Cja+J'
'371P27AlNLHFJij8WGxvcGGSeAxMLoVSDOOllLCYH5UieV8mNpX1kNe2LeA58ciZb0AXHaipSmCH'
'gh/ some-comment')
bad_key = 'ssh-rsa AAAblahblahkey some-comment'
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': good_key}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
# add bad key -- shouldn't add
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': bad_key}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
assert keys[
0].fingerprint == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
# delete it
fe_url = url(
base_url,
'/users/{}/public-key/{}/delete'.format(user.username, keys[0].id))
resp = yield http_client.fetch(fe_url,
method="POST",
body='',
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
assert not get_public_keys_of_user(session, user.id)
# add it
fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
resp = yield http_client.fetch(fe_url,
method="POST",
body=urlencode({'public_key': good_key}),
headers={'X-Grouper-User': user.username})
assert resp.code == 200
user = User.get(session, name=user.username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
# have an admin delete it
fe_url = url(
base_url,
'/users/{}/public-key/{}/delete'.format(user.username, keys[0].id))
resp = yield http_client.fetch(
fe_url,
method="POST",
body='',
headers={'X-Grouper-User': "******"})
assert resp.code == 200
user = User.get(session, name=user.username)
assert not get_public_keys_of_user(session, user.id)
