def test_role_rule():
from ldap2pg.role import RoleRule
from ldap2pg.utils import Settable
r = RoleRule(
names=['static', 'prefix_{cn}', '{uid}_{member}'],
parents=['{uid}', '{member.cn}'],
members=[],
comment='From {dn}',
options={'SUPERUSER': True},
)
assert 5 == len(r.all_fields)
assert repr(r)
d = r.as_dict()
assert 'SUPERUSER' in d['options']
assert ['static', 'prefix_{cn}', '{uid}_{member}'] == d['names']
assert [] == d['members']
assert ['{uid}', '{member.cn}'] == d['parents']
assert 'From {dn}' == d['comment']
vars_ = dict(
dn=['cn=group,ou=groups'],
cn=['cn'],
uid=['uid'],
member=[
Settable(_str='cn=m0', cn=['m0']),
Settable(_str='cn=m1', cn=['m1']),
],
)
roles = list(r.generate(vars_))
assert 4 == len(roles)
def test_role_rule_not_enough_comment():
from ldap2pg.role import RoleRule, CommentError
r = RoleRule(
names=['{member}'],
comment='From {less}',
)
vars_ = dict(dn=['cn=group,ou=groups'],
member=['m0', 'm1', 'm2'],
less=['l0', 'l1'])
with pytest.raises(CommentError):
list(r.generate(vars_))
def test_role_rule_multiple_comment():
from ldap2pg.role import RoleRule
r = RoleRule(
names=['{member}'],
comment='From {member}',
)
vars_ = dict(
dn=['cn=group,ou=groups'],
member=['m0', 'm1'],
)
roles = list(r.generate(vars_))
assert 2 == len(roles)
def test_role_rule_no_comment():
from ldap2pg.role import RoleRule, CommentError
r = RoleRule(
names=['{member}'],
comment='From {desc}',
)
vars_ = dict(
dn=['cn=group,ou=groups'],
desc=[],
member=['m0', 'm1'],
)
with pytest.raises(CommentError):
list(r.generate(vars_))
def test_role_rule_too_many_comments():
from ldap2pg.role import RoleRule, CommentError
r = RoleRule(
names=['{member}'],
comment='From {more}',
)
vars_ = dict(
dn=['cn=group,ou=groups'],
member=['m0', 'm1'],
more=['0', '1', '2'],
)
with pytest.raises(CommentError):
list(r.generate(vars_))
def test_rule():
from ldap2pg.role import RoleRule
r = RoleRule(
names=['static', 'prefix_{cn}', '{uid}_{member}'],
parents=['{uid}', '{member.cn}'],
members=[],
comment='From {dn}',
options={'SUPERUSER': True},
)
map_ = r.attributes_map
assert '__self__' in map_
assert 'uid' in map_['__self__']
assert 'member' not in map_['__self__']
assert 'member' in map_
assert 5 == len(r.all_fields)
assert repr(r)
d = r.as_dict()
assert 'SUPERUSER' in d['options']
assert ['static', 'prefix_{cn}', '{uid}_{member}'] == d['names']
assert [] == d['members']
assert ['{uid}', '{member.cn}'] == d['parents']
assert 'From {dn}' == d['comment']
vars_ = dict(
__self__=[dict(
dn=['cn=group,ou=groups'],
cn=['cn'],
uid=['uid'],
)],
member=[
dict(
dn=['cn=m0'],
cn=['m0'],
),
dict(
dn=['cn=m1'],
cn=['m1'],
),
],
)
roles = list(r.generate(vars_))
assert 4 == len(roles)
def test_inspect_roles_duplicate_differents_options(mocker):
from ldap2pg.manager import SyncManager, UserError
from ldap2pg.role import RoleRule
manager = SyncManager()
syncmap = [
dict(roles=[
RoleRule(names=['group0']),
RoleRule(names=['group1']),
RoleRule(names=['bob'], options=dict(LOGIN=True)),
RoleRule(names=['bob'], options=dict(LOGIN=False)),
])
]
with pytest.raises(UserError):
manager.inspect_ldap(syncmap=syncmap)
def test_role_rule_dynamic_comments():
from ldap2pg.role import RoleRule
r = RoleRule(
names=['{member}'],
comment='From {member}',
)
vars_ = dict(
__self__=[dict(
dn=['cn=group,ou=groups'],
member=['m0', 'm1'],
)])
roles = list(r.generate(vars_))
assert 2 == len(roles)
for role in roles:
assert role.name in role.comment
def test_inspect_ldap_unexpected_dn(mocker):
ga = mocker.patch('ldap2pg.manager.get_attribute')
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager, RDNError, UserError
from ldap2pg.role import RoleRule
manager = SyncManager()
ga.side_effect = values = [
['member0_cn', RDNError(), 'member1_cn'],
]
ql.return_value = [('dn0', {}, {})]
list(
manager.inspect_ldap([
dict(
description="Test query desc",
ldap=dict(on_unexpected_dn='warn'),
roles=[RoleRule(names=['{member.cn}'])],
)
]))
ga.reset_mock()
ga.side_effect = values
list(
manager.inspect_ldap([
dict(ldap=dict(on_unexpected_dn='ignore'),
roles=[RoleRule(names=['{member.cn}'])])
]))
ga.reset_mock()
ga.side_effect = values
with pytest.raises(UserError):
list(
manager.inspect_ldap(
[dict(
ldap=dict(),
roles=[RoleRule(names=['{member.cn}'])],
)]))
def test_inspect_roles_merge_duplicates(mocker):
from ldap2pg.manager import SyncManager
from ldap2pg.role import RoleRule
manager = SyncManager()
syncmap = [
dict(roles=[
RoleRule(names=['group0']),
RoleRule(names=['group1']),
RoleRule(names=['bob'], parents=['group0']),
RoleRule(names=['bob'], parents=['group1']),
]),
]
ldaproles, _ = manager.inspect_ldap(syncmap=syncmap)
ldaproles = {r: r for r in ldaproles}
assert 'group0' in ldaproles
assert 'group1' in ldaproles
assert 'bob' in ldaproles
assert 3 == len(ldaproles)
assert 2 == len(ldaproles['bob'].parents)
def test_inspect_ldap_unexpected_dn(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager, UserError, LDAPEntry
from ldap2pg.role import RoleRule
manager = SyncManager()
ql.return_value = [
LDAPEntry('dn0', {
'member': ['cn=member0', 'baddn=o0', 'cn=member1'],
})
]
list(
manager.inspect_ldap([
dict(
description="Test query desc",
ldapsearch=dict(on_unexpected_dn='warn'),
roles=[RoleRule(names=['{member.cn}'])],
)
]))
list(
manager.inspect_ldap([
dict(ldapsearch=dict(on_unexpected_dn='ignore'),
roles=[RoleRule(names=['{member.cn}'])])
]))
with pytest.raises(UserError):
list(
manager.inspect_ldap([
dict(
ldapsearch=dict(),
roles=[RoleRule(names=['{member.cn}'])],
)
]))
def test_inspect_ldap_missing_attribute(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager, UserError
from ldap2pg.role import RoleRule
manager = SyncManager()
# Don't return member attribute.
ql.return_value = [('dn0', {}, {})]
with pytest.raises(UserError) as ei:
list(
manager.inspect_ldap([
dict(
ldap=dict(base='...'),
# Request member attribute.
roles=[RoleRule(names=['{member.cn}'])],
)
]))
assert 'Missing attribute member' in str(ei.value)
