def test_get_user(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
setup.add_user_to_group("*****@*****.**", "admins")
setup.grant_permission_to_group(GROUP_ADMIN, "", "admins")
setup.grant_permission_to_group(USER_ADMIN, "", "admins")
setup.add_user_to_group("*****@*****.**", "some-group")
setup.grant_permission_to_group("some-permission", "one", "some-group")
setup.add_group_to_group("some-group", "parent-group")
setup.grant_permission_to_group("some-permission", "two", "some-group")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
user = api_client.users.get("*****@*****.**")
assert sorted(user.groups) == ["admins", "parent-group", "some-group"]
assert user.passwords == []
assert user.public_keys == []
assert user.enabled
assert user.service_account is None
assert user.metadata == {}
permissions = [(p.permission, p.argument) for p in user.permissions]
assert sorted(permissions) == sorted([
(GROUP_ADMIN, ""),
(USER_ADMIN, ""),
("some-permission", "one"),
("some-permission", "two"),
])
def test_get_groups(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
create_graph(setup)
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert sorted(api_client.groups) == ["all-teams", "serving-team", "team-infra", "team-sre"]
def test_request_kwargs(service_account_response): # noqa: F811
# type: (Dict[Text, Any]) -> None
mock_fetch = Mock()
resp = Mock()
resp.body = json.dumps(service_account_response)
def check_request_obj(request):
# type: (HTTPRequest) -> Mock
assert request.user_agent == "a string"
assert request.follow_redirects is False
return resp
mock_fetch.side_effect = check_request_obj
with patch.object(HTTPClient, "fetch", mock_fetch):
# Confirm basic HTTPRequest construction with kwargs works
http_req_kwargs = {"user_agent": "a string", "follow_redirects": False}
client = Groupy(["localhost:8000"], request_kwargs=http_req_kwargs)
client.users.get("*****@*****.**")
assert mock_fetch.call_count == 1
# Confirm overwriting kwargs in individual _fetch calls works
with pytest.raises(AssertionError):
client._fetch("/some/path", user_agent="a different string")
assert mock_fetch.call_count == 2
def test_user_metadata(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
setup.create_user("*****@*****.**")
setup.add_public_key_to_user(SSH_KEY_1, "*****@*****.**")
setup.add_public_key_to_user(SSH_KEY_2, "*****@*****.**")
setup.add_metadata_to_user("some-key", "some-value", "*****@*****.**")
setup.create_user("*****@*****.**")
setup.add_metadata_to_user("github_username", "zorkian",
"*****@*****.**")
setup.add_metadata_to_user("shell", "/usr/bin/fish", "*****@*****.**")
setup.create_user("*****@*****.**")
setup.session.flush()
setup.disable_user("*****@*****.**")
setup.create_role_user("*****@*****.**", "Some role user")
setup.create_service_account("*****@*****.**", "some-group")
ssh_key_1 = key_to_public_key(SSH_KEY_1)
ssh_key_2 = key_to_public_key(SSH_KEY_2)
expected = {
"*****@*****.**": {
"role_user":
False,
"metadata": {
"some-key": "some-value"
},
"public_keys": [
{
"public_key": ssh_key_1.public_key,
"fingerprint": ssh_key_1.fingerprint,
"fingerprint_sha256": ssh_key_1.fingerprint_sha256,
},
{
"public_key": ssh_key_2.public_key,
"fingerprint": ssh_key_2.fingerprint,
"fingerprint_sha256": ssh_key_2.fingerprint_sha256,
},
],
},
"*****@*****.**": {
"role_user": True,
"metadata": {},
"public_keys": []
},
"*****@*****.**": {
"role_user": False,
"metadata": {
"github_username": "******",
"shell": "/usr/bin/fish"
},
"public_keys": [],
},
}
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
result = api_client._fetch("/user-metadata")
assert result["status"] == "ok"
assert result["data"]["users"] == expected
def test_get_permissions(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
setup.create_permission("some-permission")
setup.create_permission("another-permission")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert sorted(api_client.permissions) == [
"another-permission", "some-permission"
]
def test_get_service_accounts(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
setup.create_user("*****@*****.**")
setup.create_role_user("*****@*****.**")
setup.create_service_account("*****@*****.**", "team-sre")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert sorted(
api_client.service_accounts) == ["*****@*****.**", "*****@*****.**"]
def test_get_permission(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
setup.grant_permission_to_group("ssh", "foo", "sad-team")
setup.grant_permission_to_group("ssh", "bar", "team-sre")
setup.grant_permission_to_group("ssh", "*", "tech-ops")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
permission = api_client.permissions.get("ssh")
assert sorted(
permission.groups) == ["sad-team", "team-sre", "tech-ops"]
def test_permission(permission_response): # noqa: F811
# type: (Dict[Text, Any]) -> None
res = Mock()
res.body = json.dumps(permission_response)
mock_fetch = Mock()
mock_fetch.side_effect = [res]
with patch.object(HTTPClient, "fetch", mock_fetch):
client = Groupy(["localhost:8000"])
permission = client.permissions.get("grouper.audit.security")
assert permission.groups == {}
assert isinstance(permission.audited, bool)
assert permission.audited is False
def test_checkpoint(user_response): # noqa: F811
# type: (Dict[Text, Any]) -> None
res1 = Mock()
res1.body = json.dumps({
u"checkpoint": 10,
u"checkpoint_time": 1000,
u"data": user_response["data"],
u"status": u"ok",
})
res2 = Mock()
res2.body = json.dumps({
u"checkpoint": 11,
u"checkpoint_time": 1001,
u"data": user_response["data"],
u"status": u"ok",
})
# sunny day
mock_fetch = Mock()
mock_fetch.side_effect = [res1, res2]
with patch.object(HTTPClient, "fetch", mock_fetch):
client = Groupy(["localhost:8000"])
client.users.get("*****@*****.**")
client.users.get("*****@*****.**")
# time travel not allowed
mock_fetch.side_effect = [res2, res1]
with patch.object(HTTPClient, "fetch",
mock_fetch), pytest.raises(TimeTravelNotAllowed):
client = Groupy(["localhost:8000"])
client.users.get("*****@*****.**")
client.users.get("*****@*****.**")
# time travel allowed
mock_fetch.side_effect = [res2, res1]
with patch.object(HTTPClient, "fetch", mock_fetch):
client = Groupy(["localhost:8000"], allow_time_travel=True)
client.users.get("*****@*****.**")
client.users.get("*****@*****.**")
def test_checkpoint(user_response):
res1 = Mock()
res1.body = json.dumps({
u'checkpoint': 10,
u'checkpoint_time': 1000,
u'data': user_response['data'],
u'status': u'ok',
})
res2 = Mock()
res2.body = json.dumps({
u'checkpoint': 11,
u'checkpoint_time': 1001,
u'data': user_response['data'],
u'status': u'ok',
})
# sunny day
mock_fetch = Mock()
mock_fetch.side_effect = [res1, res2]
with patch.object(HTTPClient, 'fetch', mock_fetch):
client = Groupy(['localhost:8000'])
client.users.get('*****@*****.**')
client.users.get('*****@*****.**')
# time travel not allowed
mock_fetch.side_effect = [res2, res1]
with patch.object(HTTPClient, 'fetch',
mock_fetch), pytest.raises(TimeTravelNotAllowed):
client = Groupy(['localhost:8000'])
client.users.get('*****@*****.**')
client.users.get('*****@*****.**')
# time travel allowed
mock_fetch.side_effect = [res2, res1]
with patch.object(HTTPClient, 'fetch', mock_fetch):
client = Groupy(['localhost:8000'], allow_time_travel=True)
client.users.get('*****@*****.**')
client.users.get('*****@*****.**')
def test_get_users(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
setup.add_user_to_group("*****@*****.**", "some-group")
setup.create_user("*****@*****.**")
setup.create_user("*****@*****.**")
setup.disable_user("*****@*****.**")
setup.create_service_account("*****@*****.**", "some-group")
setup.create_role_user("*****@*****.**")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert sorted(api_client.users) == [
"*****@*****.**", "*****@*****.**", "*****@*****.**"
]
def test_get_role_user(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
setup.create_role_user("*****@*****.**")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
role_user = api_client.service_accounts.get("*****@*****.**")
assert sorted(role_user.groups) == ["*****@*****.**"]
assert role_user.passwords == []
assert role_user.public_keys == []
assert role_user.enabled
assert role_user.service_account is None
assert role_user.permissions == []
assert role_user.metadata == {}
def test_list_grants(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
create_graph(setup)
expected = {
"not-gary": {
"users": {
"*****@*****.**": ["foo"]
},
"role_users": {},
"service_accounts": {}
},
"other-permission": {
"users": {
"*****@*****.**": [""]
},
"role_users": {},
"service_accounts": {},
},
"some-permission": {
"users": {
"*****@*****.**": ["bar", "foo"],
"*****@*****.**": ["*"]
},
"role_users": {
"*****@*****.**": ["foo", "role"]
},
"service_accounts": {
"*****@*****.**": ["*"]
},
},
"twice": {
"users": {
"*****@*****.**": ["*"]
},
"role_users": {},
"service_accounts": {}
},
}
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
result = api_client._fetch("/grants")
assert result["status"] == "ok"
assert result["data"]["permissions"] == expected
def test_includes_disabled_service_accounts(tmpdir: LocalPath,
setup: SetupTest) -> None:
with setup.transaction():
setup.create_service_account("*****@*****.**", "some-group",
"some machines", "an account")
setup.disable_service_account("*****@*****.**")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert list(api_client.service_accounts) == ["*****@*****.**"]
service_account = api_client.service_accounts.get("*****@*****.**")
assert service_account.groups == {}
assert not service_account.enabled
assert service_account.service_account == {
"description": "an account",
"machine_set": "some machines",
}
assert service_account.permissions == []
def test_service_account(service_account_response):
res = Mock()
res.body = json.dumps(service_account_response)
mock_fetch = Mock()
mock_fetch.side_effect = [res]
with patch.object(HTTPClient, 'fetch', mock_fetch):
client = Groupy(['localhost:8000'])
service = client.users.get('*****@*****.**')
assert service.enabled
assert service.groups == {}
assert service.passwords == []
assert len(service.permissions) == 1
assert service.permissions[0].permission == 'sudo'
assert service.permissions[0].argument == 'shell'
assert service.permissions[0].granted_on == 1452796706.894347
assert service.permissions[0].distance is None
assert service.permissions[0].path is None
expected = service_account_response['data']['user']['service_account']
assert service.service_account == expected
def test_service_account(service_account_response): # noqa: F811
# type: (Dict[Text, Any]) -> None
res = Mock()
res.body = json.dumps(service_account_response)
mock_fetch = Mock()
mock_fetch.side_effect = [res]
with patch.object(HTTPClient, "fetch", mock_fetch):
client = Groupy(["localhost:8000"])
service = client.users.get("*****@*****.**")
assert service.enabled
assert service.groups == {}
assert service.passwords == []
assert len(service.permissions) == 1
assert service.permissions[0].permission == "sudo"
assert service.permissions[0].argument == "shell"
assert service.permissions[0].granted_on == 1452796706.894347
assert service.permissions[0].distance is None
assert service.permissions[0].path is None
expected = service_account_response["data"]["user"]["service_account"]
assert service.service_account == expected
def test_get_service_account(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
setup.create_service_account(
"*****@*****.**",
owner="team-sre",
machine_set="some machines",
description="some service account",
)
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
service_account = api_client.service_accounts.get("*****@*****.**")
assert service_account.groups == {}
assert service_account.passwords == []
assert service_account.public_keys == []
assert service_account.enabled
assert service_account.service_account == {
"description": "some service account",
"machine_set": "some machines",
"owner": "team-sre",
}
assert service_account.permissions == []
assert service_account.metadata == {}
def test_get_group(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
create_graph(setup)
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
group = api_client.groups.get("team-sre")
assert sorted(group.groups) == ["all-teams", "serving-team", "team-infra"]
assert sorted(group.users) == ["*****@*****.**", "*****@*****.**", "*****@*****.**"]
assert group.subgroups == {}
assert group.audited
assert group.contacts == {"email": "*****@*****.**"}
permissions = [(p.permission, p.argument) for p in group.permissions]
assert sorted(permissions) == [
("audited", ""),
("ssh", "*"),
("sudo", "shell"),
("team-sre", "*"),
]
group = api_client.groups.get("serving-team")
assert sorted(group.subgroups) == ["team-sre"]
def api_client(async_api_server):
return Groupy(async_api_server)