def expiring_graph(session, graph, users, groups, permissions): # noqa: F811
now = datetime.utcnow()
note_exp_now = now + timedelta(settings().expiration_notice_days)
week = timedelta(7)
add_member(groups["team-sre"], users["*****@*****.**"], role="owner")
add_member(groups["team-sre"], users["*****@*****.**"], role="owner")
add_member(groups["team-sre"], users["*****@*****.**"], expiration=note_exp_now + week)
add_member(groups["team-sre"], users["*****@*****.**"])
add_member(
groups["team-sre"], users["*****@*****.**"], role="owner", expiration=note_exp_now + week
)
revoke_member(groups["team-sre"], users["*****@*****.**"])
grant_permission(groups["team-sre"], permissions["ssh"], argument="*")
add_member(groups["serving-team"], users["*****@*****.**"], role="owner")
add_member(groups["serving-team"], groups["team-sre"], expiration=note_exp_now + week)
add_member(groups["serving-team"], groups["tech-ops"])
grant_permission(groups["serving-team"], permissions["audited"])
add_member(groups["tech-ops"], users["*****@*****.**"], role="owner")
add_member(groups["tech-ops"], users["*****@*****.**"], expiration=note_exp_now + 2 * week)
grant_permission(groups["tech-ops"], permissions["ssh"], argument="shell")
return graph
def test_can_always_revoke_members(get_plugin_proxy, groups, users): # noqa: F811
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
owner = users["*****@*****.**"]
member = users["*****@*****.**"]
expiration = datetime.utcnow() + timedelta(1)
add_member(group, owner, role="owner", expiration=expiration)
add_member(group, member)
revoke_member(group, member)
def test_cant_revoke_last_permanent_owner(get_plugin_proxy, groups, users): # noqa: F811
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
first_owner = users["*****@*****.**"]
second_owner = users["*****@*****.**"]
expiration = datetime.utcnow() + timedelta(1)
add_member(group, first_owner, role="owner", expiration=expiration)
add_member(group, second_owner, role="owner")
with pytest.raises(PluginRejectedGroupMembershipUpdate):
revoke_member(group, second_owner)
def test_can_always_revoke_members(get_plugin_proxy, groups,
users): # noqa: F811
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
owner = users["*****@*****.**"]
member = users["*****@*****.**"]
expiration = datetime.utcnow() + timedelta(1)
add_member(group, owner, role="owner", expiration=expiration)
add_member(group, member)
revoke_member(group, member)
def test_cant_revoke_last_permanent_owner(get_plugin_proxy, groups,
users): # noqa: F811
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
first_owner = users["*****@*****.**"]
second_owner = users["*****@*****.**"]
expiration = datetime.utcnow() + timedelta(1)
add_member(group, first_owner, role="owner", expiration=expiration)
add_member(group, second_owner, role="owner")
with pytest.raises(PluginRejectedGroupMembershipUpdate):
revoke_member(group, second_owner)
def test_cant_revoke_last_npowner(get_plugin_proxy, session, groups, users): # noqa: F811
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
first_owner = users["*****@*****.**"]
second_owner = users["*****@*****.**"]
add_member(group, first_owner, role="np-owner")
add_member(group, second_owner, role="np-owner")
# Revoking the first owner does not raise an exception
revoke_member(group, first_owner)
session.commit()
with pytest.raises(PluginRejectedGroupMembershipUpdate):
revoke_member(group, second_owner)
def test_cant_revoke_last_npowner(get_plugin_proxy, session, groups,
users): # noqa: F811
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
group = groups["team-infra"]
first_owner = users["*****@*****.**"]
second_owner = users["*****@*****.**"]
add_member(group, first_owner, role="np-owner")
add_member(group, second_owner, role="np-owner")
# Revoking the first owner does not raise an exception
revoke_member(group, first_owner)
session.commit()
with pytest.raises(PluginRejectedGroupMembershipUpdate):
revoke_member(group, second_owner)
def test_promote_nonauditors(
mock_gagn,
standard_graph,
graph,
users,
groups,
session,
permissions # noqa: F811
):
""" Test expiration auditing and notification. """
assert graph.get_group_details("audited-team")["audited"]
#
# Ensure auditors promotion for all approvers
#
approver_roles = ["owner", "np-owner", "manager"]
affected_users = set(
["*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**"])
for idx, role in enumerate(approver_roles):
# Add non-auditor as an approver to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
graph.update_from_db(session)
assert not affected_users.intersection(get_users(graph, "auditors"))
# do the promotion logic
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
# Check that the users now added to auditors group
graph.update_from_db(session)
assert affected_users.intersection(get_users(
graph, "auditors")) == affected_users
unsent_emails = _get_unsent_emails_and_send(session)
assert any([
'Subject: Added as member to group "auditors"' in email.body
and "To: [email protected]" in email.body for email in unsent_emails
])
assert any([
'Subject: Added as member to group "auditors"' in email.body
and "To: [email protected]" in email.body for email in unsent_emails
])
assert any([
'Subject: Added as member to group "auditors"' in email.body
and "To: [email protected]" in email.body for email in unsent_emails
])
audits = AuditLog.get_entries(session, action="nonauditor_promoted")
assert len(audits) == len(affected_users) * (idx + 1)
# reset for next iteration
revoke_member(groups["audited-team"], users["*****@*****.**"])
for username in affected_users:
revoke_member(groups["auditors"], users[username])
#
# Ensure nonauditor, nonapprovers in audited groups do not get promoted
#
# first, run a promotion to get any other promotion that we don't
# care about out of the way
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
prev_audit_log_count = len(
AuditLog.get_entries(session, action="nonauditor_promoted"))
member_roles = ["member"]
for idx, role in enumerate(member_roles):
# Add non-auditor as a non-approver to an audited group
add_member(groups["audited-team"], users["*****@*****.**"], role=role)
# do the promotion logic
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
# Check that the user is not added to auditors group
graph.update_from_db(session)
assert "*****@*****.**" not in get_users(graph, "auditors")
assert not any([
'Subject: Added as member to group "auditors"' in email.body
and "To: [email protected]" in email.body
for email in _get_unsent_emails_and_send(session)
])
audits = AuditLog.get_entries(session, action="nonauditor_promoted")
assert len(audits) == prev_audit_log_count
revoke_member(groups["audited-team"], users["*****@*****.**"])