def test_duplicate_role_with_spaces():
    """Create a new fake role resource with varying spaces in between the name"""
    insert_role(
        {
            "name": "    Manager0501201901    ",
            "owners": "12345",
            "administrators": "12345",
        }
    )
    with requests.Session() as session:
        user_payload = {
            "name": "Susan Susanson",
            "username": "******",
            "password": "******",
            "email": "*****@*****.**",
        }
        create_next_admin(session)
        user_response = create_test_user(session, user_payload)
        user_id = user_response.json()["data"]["user"]["id"]
        role_resource = {
            "name": "Manager0501201901",
            "owners": user_id,
            "administrators": user_id,
        }
        insert_role(role_resource)
        response = session.post("http://rbac-server:8000/api/roles", json=role_resource)
        assert (
            response.json()["message"]
            == "Error: Could not create this role because the role name already exists."
        )
        assert response.json()["code"] == 409
        delete_user_by_username("susan22")
        delete_role_by_name("Manager0501201901")
def test_add_role_owner():
    """Test adding an owner to a role.

    Creates two test users and a role with user1 as owner/admin,
    then adds the second user as role owner."""
    user1_payload = {
        "name": "Test User 3",
        "username": "******",
        "password": "******",
        "email": "*****@*****.**",
    }
    user2_payload = {
        "name": "Test User 4",
        "username": "******",
        "password": "******",
        "email": "*****@*****.**",
    }
    with requests.Session() as session:
        create_next_admin(session)
        user_response1 = create_test_user(session, user1_payload)
        user1_result = assert_api_success(user_response1)
        user1_id = user1_result["data"]["user"]["id"]
        user2_response = create_test_user(session, user2_payload)
        user2_result = assert_api_success(user2_response)
        user2_id = user2_result["data"]["user"]["id"]
        role_payload = {
            "name": "TestRole0501201902",
            "owners": user1_id,
            "administrators": user1_id,
            "description": "Test Role 2",
        }
        role_response = create_test_role(session, role_payload)
        role_result = assert_api_success(role_response)
        role_id = role_result["data"]["id"]
        role_update_payload = {
            "id": user2_id,
            "reason": "Integration test of adding role owner.",
            "metadata": "",
        }

        response = session.post(
            "http://rbac-server:8000/api/roles/{}/owners".format(role_id),
            json=role_update_payload,
        )
        result = assert_api_success(response)
        proposal_response = get_proposal_with_retry(session, result["proposal_id"])
        proposal = assert_api_success(proposal_response)
        assert proposal["data"]["assigned_approver"][0] == user1_id

        # Logging in as role owner
        user_login(session, user1_payload["username"], user1_payload["password"])
        # Approve proposal as role owner
        approve_proposal(session, result["proposal_id"])
        proposal_response = get_proposal_with_retry(session, result["proposal_id"])
        proposal = assert_api_success(proposal_response)
        assert proposal["data"]["status"] == "CONFIRMED"
        delete_role_by_name("TestRole0501201902")
        delete_user_by_username("testuser3")
        delete_user_by_username("testuser4")
Example #3
0
def teardown_module():
    """actions to be performed to clear configurations after tests are run.
    """
    # delete the user(s)
    for user in TEST_USERS:
        delete_user_by_username(user["username"])
    # delete the role(s)
    for role in TEST_ROLES:
        delete_role_by_name(role["name"])
def test_add_role_task():
    """Test adding a new task to a role.

    Creates a test user and a role, then creates
    a task, to add to the role."""
    user1_payload = {
        "name": "Test Owner 2",
        "username": "******",
        "password": "******",
        "email": "*****@*****.**",
    }
    with requests.Session() as session:
        create_next_admin(session)
        user1_response = create_test_user(session, user1_payload)
        user1_result = assert_api_success(user1_response)
        user1_id = user1_result["data"]["user"]["id"]

    with requests.Session() as session:
        user_login(session, "testowner2", "123456")
        task1_payload = {
            "name": "TestTask1",
            "administrators": user1_id,
            "owners": user1_id,
            "metadata": "",
        }
        task_response = create_test_task(session, task1_payload)
        task_result = assert_api_success(task_response)
        task_id = task_result["data"]["id"]
        role_payload = {
            "name": "TestRole0501201904",
            "owners": user1_id,
            "administrators": user1_id,
            "description": "Test Role 4",
        }
        role_response = create_test_role(session, role_payload)
        role_result = assert_api_success(role_response)
        role_id = role_result["data"]["id"]
        role_update_payload = {
            "id": task_id,
            "reason": "Integration test of adding a task.",
            "metadata": "",
        }
        response = session.post(
            "http://rbac-server:8000/api/roles/{}/tasks".format(role_id),
            json=role_update_payload,
        )
        result = assert_api_success(response)
        proposal_response = get_proposal_with_retry(session, result["proposal_id"])
        proposal = assert_api_success(proposal_response)
        assert proposal["data"]["assigned_approver"][0] == user1_id
        delete_role_by_name("TestRole0501201904")
        delete_user_by_username("testowner2")
        delete_task_by_name("TestTask1")
def test_role_owner_and_mem():
    """Create a new fake role and try to add yourself to role you created"""
    with requests.Session() as session:
        # create test user
        user_payload = {
            "name": "Susan S",
            "username": "******",
            "password": "******",
            "email": "*****@*****.**",
        }
        create_next_admin(session)
        user_response = create_test_user(session, user_payload)
        assert user_response.status_code == 200, (
            "Error creating user: %s" % user_response.json()
        )

    with requests.Session() as session:
        user_login(session, "susans2224", "12345678")
        # create test role
        user_id = user_response.json()["data"]["user"]["id"]
        role_resource = {
            "name": "Office_Assistant",
            "owners": user_id,
            "administrators": user_id,
        }
        role_response = session.post(
            "http://rbac-server:8000/api/roles", json=role_resource
        )
        assert role_response.status_code == 200, (
            "Error creating role: %s" % role_response.json()
        )

        # Wait for role in rethinkdb
        role_id = role_response.json()["data"]["id"]
        is_role_in_db = wait_for_role_in_db(role_id)
        assert (
            is_role_in_db is True
        ), "Couldn't find role in rethinkdb, maximum attempts exceeded."

        # create a membership proposal to test autoapproval
        response = add_role_member(session, role_id, {"id": user_id})
        assert (
            response.json()["message"]
            == "Owner is the requester. Proposal is autoapproved."
        )

        # clean up
        delete_user_by_username("susans2224")
        delete_role_by_name("Office_Assistant")
def test_role_outq_insertion():
    """ Test the insertion of a new fake role resource which is unique
        into the outbound_queue table.
        This test will only run if ENABLE_NEXT_BASE_USE is set to 1.
    """
    user1_payload = {
        "name": "Test Unique User",
        "username": "******",
        "password": "******",
        "email": "*****@*****.**",
    }
    with requests.Session() as session:
        create_next_admin(session)
        user_response1 = create_test_user(session, user1_payload)
        user1_result = assert_api_success(user_response1)
        user1_id = user1_result["data"]["user"]["id"]
        role_payload = {
            "name": "TestUniqueRole0501201903",
            "owners": user1_id,
            "administrators": user1_id,
            "description": "Test Unique Role 1",
        }
        role_response = create_test_role(session, role_payload)
        assert_api_success(role_response)

        outbound_queue_data = {"members": [], "remote_id": ""}
        expected_payload = {
            "data": outbound_queue_data,
            "data_type": "group",
            "provider_id": "NEXT-created",
            "status": "UNCONFIRMED",
            "action": "",
        }

        outbound_entry = get_outbound_queue_entry(outbound_queue_data)
        outbound_entry[0].pop("timestamp")
        outbound_entry[0].pop("id")
        assert outbound_entry[0] == expected_payload

        delete_role_by_name("TestUniqueRole0501201903")
        delete_user_by_username("testuniqueuser0501201901")
def test_syncdirectionflag_rolename():
    """ Testing the presence and the value of syncdirection flag
        is set to OUTBOUND of a role in roles table.
    """
    new_rolename = "ManagerRandom0501201902"
    new_username = "******"
    expected_metadata = {"metadata": {"sync_direction": "OUTBOUND"}}
    time.sleep(3)
    conn = connect_to_db()
    metadata_object = (
        r.db("rbac")
        .table("roles")
        .filter({"name": new_rolename})
        .pluck("metadata")
        .coerce_to("array")
        .run(conn)
    )
    actual_metadata = metadata_object[0]
    assert actual_metadata == expected_metadata
    conn.close()
    delete_user_by_username(new_username)
    delete_role_by_name(new_rolename)
Example #8
0
def test_delete_user(ldap_connection):
    """Deletes a AD user in NEXT

    Args:
        ldap_connection:
            obj: A bound mock mock_ldap_connection
    """
    # Create fake user and attach as owner to a role
    with requests.Session() as session:
        create_next_admin(session)
        create_fake_user(ldap_connection, "jchan20", "Jackie Chan", "Jackie")
        user_remote_id = "CN=jchan20,OU=Users,OU=Accounts,DC=AD2012,DC=LAB"
        create_fake_group(ldap_connection, "jchan_role", "jchan_role",
                          user_remote_id)
        group_distinct_name = (
            "CN=jchan_role,OU=Roles,OU=Security,OU=Groups,DC=AD2012,DC=LAB")
        addMembersToGroups.ad_add_members_to_groups(ldap_connection,
                                                    user_remote_id,
                                                    group_distinct_name,
                                                    fix=True)
        fake_user = get_fake_user(ldap_connection, "jchan20")
        put_in_inbound_queue(fake_user, "user")
        fake_group = get_fake_group(ldap_connection, "jchan_role")
        put_in_inbound_queue(fake_group, "group")
        time.sleep(3)

        # See if owner and role are in the system
        email = "*****@*****.**"
        assert is_user_in_db(email) is True
        assert is_group_in_db("jchan_role") is True

        # See if all LDAP user has entries in the following
        # off chain tables: user_mapping and metadata
        user = get_user_in_db_by_email(email)
        next_id = user[0]["next_id"]
        assert get_user_mapping_entry(next_id)
        assert get_user_metadata_entry(next_id)

        # See that the owner is assigned to correct role
        role = get_role_by_name("jchan_role")
        owners = get_role_owners(role[0]["role_id"])
        members = get_role_members(role[0]["role_id"])
        assert owners[0]["related_id"] == next_id
        assert members[0]["related_id"] == next_id

        # Create a NEXT role with LDAP user as an admin and
        # check for LDAP user's entry in auth table
        next_role_id = create_next_role_ldap(user=user[0],
                                             role_name="managers")
        admins = get_role_admins(next_role_id)
        assert admins[0]["related_id"] == next_id
        assert get_auth_entry(next_id)

        # Create a NEXT pack with LDAP user as an owner
        next_pack_id = create_pack_ldap(user=user[0],
                                        pack_name="technology department")
        assert check_user_is_pack_owner(next_pack_id, next_id)

        # Delete user and verify LDAP user and related off chain
        # table entries have been deleted, role still exists
        # and role relationships have been deleted
        insert_deleted_entries([user_remote_id], "user_deleted")
        time.sleep(3)

        assert get_deleted_user_entries(next_id) == []
        assert get_pack_owners_by_user(next_id) == []
        assert is_group_in_db("jchan_role") is True
        assert get_role_owners(role[0]["role_id"]) == []
        assert get_role_admins(next_role_id) == []
        assert get_role_members(role[0]["role_id"]) == []

        delete_role_by_name("managers")
        delete_pack_by_name("technology department")
def test_add_role_member_outqueue():
    """ Test adding a new member to a role in NEXT-only mode.
    Creates two test users and a role using the first user,
    then adds the second user as member to role. This test will
    only run if ENABLE_NEXT_BASE_USE is set to 1.
    """
    user1_payload = {
        "name": "Test Owner 0521201905",
        "username": "******",
        "password": "******",
        "email": "*****@*****.**",
    }
    user2_payload = {
        "name": "Test Member 0521201906",
        "username": "******",
        "password": "******",
        "email": "*****@*****.**",
    }
    with requests.Session() as session:
        start_depth = get_outbound_queue_depth()
        create_next_admin(session)
        user_response1 = create_test_user(session, user1_payload)
        user1_result = assert_api_success(user_response1)
        user1_id = user1_result["data"]["user"]["id"]
        user2_response = create_test_user(session, user2_payload)
        user2_result = assert_api_success(user2_response)
        user2_id = user2_result["data"]["user"]["id"]
        role_payload = {
            "name": "TestRole0521201902",
            "owners": user1_id,
            "administrators": user1_id,
            "description": "Test Role 3",
        }
        role_response = create_test_role(session, role_payload)
        role_result = assert_api_success(role_response)
        role_id = role_result["data"]["id"]
        role_update_payload = {
            "id": user2_id,
            "reason": "Integration test of adding a member.",
            "metadata": "",
        }
        response = session.post(
            "http://rbac-server:8000/api/roles/{}/members".format(role_id),
            json=role_update_payload,
        )
        result = assert_api_success(response)
        proposal_response = get_proposal_with_retry(session,
                                                    result["proposal_id"])
        assert_api_success(proposal_response)
        # Logging in as role owner
        user_login(session, user1_payload["username"],
                   user1_payload["password"])
        # Approve proposal as role owner
        approve_proposal(session, result["proposal_id"])
        end_depth = get_outbound_queue_depth()
        assert end_depth > start_depth

        # NOTE: members field contains an empty string because in NEXT
        # mode all user's remote_ids are set to an empty string
        outbound_queue_data = {"members": [""], "remote_id": ""}
        expected_payload = {
            "data": outbound_queue_data,
            "data_type": "group",
            "provider_id": "NEXT-created",
            "status": "UNCONFIRMED",
            "action": "",
        }

        # Check outbound_queue entry is formatted correctly
        outbound_entry = get_outbound_queue_entry(outbound_queue_data)
        outbound_entry[0].pop("timestamp")
        outbound_entry[0].pop("id")
        assert outbound_entry[0] == expected_payload

        delete_role_by_name("TestRole0521201902")
        delete_user_by_username("test0521201905")
        delete_user_by_username("test0521201906")
def test_add_role_member_ldap():
    """ Test adding a new member to a role in LDAP-only mode.
    Creates two test users and a role using the first user,
    then adds the second user as member to role. This test will
    only run if ENABLE_LDAP_SYNC is set to 1.
    """
    user1_payload = {
        "name": "Michael Scott",
        "username": "******",
        "password": "******",
        "email": "*****@*****.**",
    }
    user2_payload = {
        "name": "Jim Halpert",
        "username": "******",
        "password": "******",
        "email": "*****@*****.**",
    }
    with requests.Session() as session:
        start_depth = get_outbound_queue_depth()
        create_next_admin(session)
        user1_response = create_test_user(session, user1_payload)
        user1_result = assert_api_success(user1_response)
        user1_id = user1_result["data"]["user"]["id"]
        user2_response = create_test_user(session, user2_payload)
        user2_result = assert_api_success(user2_response)
        user2_id = user2_result["data"]["user"]["id"]
        role_payload = {
            "name": "Michael_Scott_Paper_Company",
            "owners": user1_id,
            "administrators": user1_id,
            "description": "Infinite ideas await....",
        }
        role_response = create_test_role(session, role_payload)
        role_result = assert_api_success(role_response)
        role_id = role_result["data"]["id"]
        role_update_payload = {
            "id": user2_id,
            "reason": "Integration test of adding a member.",
            "metadata": "",
        }
        response = session.post(
            "http://rbac-server:8000/api/roles/{}/members".format(role_id),
            json=role_update_payload,
        )
        result = assert_api_success(response)
        proposal_response = get_proposal_with_retry(session,
                                                    result["proposal_id"])
        assert_api_success(proposal_response)
        # Logging in as role owner
        user_login(session, user1_payload["username"],
                   user1_payload["password"])
        # Approve proposal as role owner
        approve_proposal(session, result["proposal_id"])
        end_depth = get_outbound_queue_depth()
        assert end_depth > start_depth

        # NOTE: members field contains an empty string because in NEXT
        # mode all user's remote_ids are set to an empty string
        outbound_queue_data = {
            "description": "Infinite ideas await....",
            "name": "Michael_Scott_Paper_Company",
            "group_types": -2147483646,
            "members": [""],
            "owners": "",
            "remote_id":
            "CN=Michael_Scott_Paper_Company," + ENV("GROUP_BASE_DN"),
        }
        expected_payload = {
            "data": outbound_queue_data,
            "data_type": "group",
            "provider_id": ENV("LDAP_DC"),
            "status": "UNCONFIRMED",
            "action": "",
        }

        # Check outbound_queue entry is formatted correctly
        outbound_entry = get_outbound_queue_entry(outbound_queue_data)
        outbound_entry[0].pop("timestamp")
        outbound_entry[0].pop("id")
        assert outbound_entry[0] == expected_payload

        delete_role_by_name("Michael_Scott_Paper_Company")
        delete_user_by_username("jimh062619")
        delete_user_by_username("michaels062619")
def test_user_delete_api():
    """Test that user has been removed from database when users delete api is hit"""
    user = {
        "name": "nadia one",
        "username": "******",
        "password": "******",
        "email": "*****@*****.**",
    }
    with requests.Session() as session:
        create_next_admin(session)
        response = create_test_user(session, user)
        next_id = response.json()["data"]["user"]["id"]
        wait_for_resource_in_db("users", "next_id", next_id)
    with requests.Session() as session:
        user_login(session, "nadia1", "test11")
        role_payload = {
            "name": "test_role",
            "owners": [next_id],
            "administrators": [next_id],
            "description": "This is a test Role",
        }
        role_resp = create_test_role(session, role_payload)
        role_id = role_resp.json()["data"]["id"]
        pack = {
            "name": "michael pack one",
            "owners": [next_id],
            "roles": [],
            "description": "Michael's test pack",
        }
        pack_response = create_test_pack(session, pack)
        add_role_member_payload = {
            "id": next_id,
            "reason": "Integration test of adding a member.",
            "metadata": "",
        }

        add_role_member(session, role_id, add_role_member_payload)

        wait_for_resource_in_db("role_members", "role_id", role_id)
        conn = connect_to_db()
        user_exists = (r.table("users").filter({
            "next_id": next_id
        }).coerce_to("array").run(conn))
        role_owner_exists = (r.table("role_owners").filter({
            "identifiers": [next_id],
            "role_id":
            role_id
        }).coerce_to("array").run(conn))

        role_member_exists = (r.table("role_members").filter({
            "identifiers": [next_id],
            "role_id":
            role_id
        }).coerce_to("array").run(conn))

        assert user_exists
        assert role_owner_exists
        assert role_member_exists
        assert get_user_mapping_entry(next_id)
        assert get_auth_entry(next_id)
        assert get_user_metadata_entry(next_id)
        assert check_user_is_pack_owner(
            pack_id=pack_response.json()["data"]["pack_id"], next_id=next_id)

        role_admin_is_user = (r.db("rbac").table("role_admins").filter({
            "related_id":
            next_id
        }).coerce_to("array").run(conn))
        role_admin = role_admin_is_user[0]["identifiers"][0]
        assert role_admin == next_id

        deletion = session.delete("http://rbac-server:8000/api/users/" +
                                  next_id)
        time.sleep(5)
        assert deletion.json() == {
            "message": "User {} successfully deleted".format(next_id),
            "deleted": 1,
        }

        role_admin_user = (r.db("rbac").table("role_admins").filter({
            "related_id":
            next_id
        }).coerce_to("array").run(conn))

        role_owners = (
            r.db("rbac").table("role_owners").filter(lambda doc: doc[
                "identifiers"].contains(next_id)).coerce_to("array").run(conn))

        role_members = (
            r.db("rbac").table("role_members").filter(lambda doc: doc[
                "identifiers"].contains(next_id)).coerce_to("array").run(conn))
        delete_role_by_name("test_role")
        conn.close()

        assert role_admin_user == []
        assert role_members == []
        assert role_owners == []
        assert get_deleted_user_entries(next_id) == []
        assert get_pack_owners_by_user(next_id) == []

        delete_pack_by_name("michael pack one")
def test_delete_role_not_owner():
    """
    Test the delete role api

    Create a test user for auth
    Create a test user for role membership
    Create a test role
    Attempt to delete the test role as a non role owner/admin
    Check that the deletion attempt was autorejected
    """
    with requests.Session() as session:
        # Create test user
        role_owner = {
            "name": "Fred Pirate",
            "username": "******",
            "password": "******",
            "email": "*****@*****.**",
        }
        create_next_admin(session)
        user_response = create_test_user(session, role_owner)
        assert user_response.status_code == 200, "Error creating user: %s;\n %s" % (
            role_owner["name"],
            user_response.json(),
        )
        role_owner["next_id"] = user_response.json()["data"]["user"]["id"]

        # Create test user
        test_user = {
            "name": "Meunster Monster",
            "username": "******",
            "password": "******",
            "email": "*****@*****.**",
        }
        user_response = create_test_user(session, test_user)
        assert user_response.status_code == 200, "Error creating user: %s;\n %s" % (
            test_user["name"],
            user_response.json(),
        )
        test_user["next_id"] = user_response.json()["data"]["user"]["id"]

        # Auth as new_member
        payload = {"id": role_owner["username"], "password": role_owner["password"]}
        auth_response = session.post(
            "http://rbac-server:8000/api/authorization/", json=payload
        )
        assert auth_response.status_code == 200, "Failed to authenticate as %s. %s" % (
            test_user["name"],
            auth_response.json(),
        )

        # Create test role
        role_resource = {
            "name": "Men of Low Moral Fiber",
            "owners": role_owner["next_id"],
            "administrators": role_owner["next_id"],
        }
        role_response = session.post(
            "http://rbac-server:8000/api/roles", json=role_resource
        )
        assert role_response.status_code == 200, (
            "Error creating role: %s" % role_response.json()
        )

        # Wait for role in db
        role_id = role_response.json()["data"]["id"]
        is_role_in_db = wait_for_role_in_db(role_id)
        assert (
            is_role_in_db is True
        ), "Couldn't find role in rethinkdb, maximum attempts exceeded."

        # Auth as test_user
        payload = {"id": test_user["username"], "password": test_user["password"]}
        auth_response = session.post(
            "http://rbac-server:8000/api/authorization/", json=payload
        )
        assert auth_response.status_code == 200, "Failed to authenticate as %s. %s" % (
            role_owner["name"],
            auth_response.json(),
        )

        # Delete test role
        delete_role_response = session.delete(
            "http://rbac-server:8000/api/roles/%s" % role_id
        )
        assert delete_role_response.status_code == 403, (
            "Unexpected response: %s" % delete_role_response.json()
        )

    # clean up
    delete_user_by_username("fred1")
    delete_user_by_username("meunster1")
    delete_role_by_name("Men of Low Moral Fiber")