def test_forbidden_actions(sdk_client_fs: ADCMClient):
"""
Check that forbidden caller-context combinations fail as actions
and don't affect any ADCM objects
"""
name = "first"
with allure.step(f'Check forbidden from cluster "{name}" context actions'):
cluster = sdk_client_fs.cluster(name=name)
for forbidden_action in ('change_service', 'change_component'):
with check_config_changed(sdk_client_fs):
run_cluster_action_and_assert_result(cluster,
forbidden_action,
status='failed')
with allure.step(f'Check forbidden from service "{name}" context actions'):
service = cluster.service(name=name)
with check_config_changed(sdk_client_fs):
run_service_action_and_assert_result(service,
'change_component',
status='failed')
with allure.step(
f'Check forbidden from provider "{name}" context actions'):
provider = sdk_client_fs.provider(name=name)
with check_config_changed(sdk_client_fs):
run_provider_action_and_assert_result(provider,
'change_host',
status='failed')
first_host, second_host, *_ = provider.host_list()
with check_config_changed(sdk_client_fs):
run_host_action_and_assert_result(
first_host,
'change_host_from_provider',
status='failed',
config={'host_id': second_host.id})
def test_change_child_role(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Test that user loses access if change policy role
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
policy = create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[user],
groups=[])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step(
"Change role from 'View configuration' to 'View imports'"):
role = sdk_client_fs.role_create(
name="Another role",
display_name="Another role",
child=[{
"id":
sdk_client_fs.role(
name=BusinessRoles.ViewImports.value.role_name).id
}],
)
policy.update(role={"id": role.id})
is_allowed(cluster, BusinessRoles.ViewImports)
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
def test_forbidden_multi_state_set_actions(sdk_client_fs: ADCMClient):
"""
Check that forbidden caller-context combinations fail as actions
and don't affect any ADCM objects
"""
name = "first"
with allure.step(f'Check forbidden from cluster "{name}" context actions'):
cluster = sdk_client_fs.cluster(name=name)
# missing is used because it should fail for misconfiguration reasons, not because state not set
for forbidden_action in ('set_service', 'set_component',
'unset_service_missing',
'unset_component_missing'):
with check_objects_multi_state_changed(sdk_client_fs):
run_cluster_action_and_assert_result(cluster,
forbidden_action,
status='failed')
with allure.step(f'Check forbidden from service "{name}" context actions'):
service = cluster.service(name=name)
for forbidden_action in ('set_component', 'unset_component_missing'):
with check_objects_multi_state_changed(sdk_client_fs):
run_service_action_and_assert_result(service,
forbidden_action,
status='failed')
with allure.step(
f'Check forbidden from provider "{name}" context actions'):
provider = sdk_client_fs.provider(name=name)
for forbidden_action in ('set_host', 'unset_host_missing'):
with check_objects_multi_state_changed(sdk_client_fs):
run_provider_action_and_assert_result(provider,
forbidden_action,
status='failed')
def _check_hc_map_is_correct(self, adcm_client: ADCMClient):
"""Check that hc map is correct after adcm_hc action"""
actual_hc_map = {
(hc['host'], hc['service_name'], hc['component'])
for hc in adcm_client.cluster(name=CLUSTER_NAME).hostcomponent()
}
assert (
actual_hc_map == self.EXPECTED_HC_MAP
), f"Host-Component map isn't the same as expected. Got: {actual_hc_map}. Expected: {self.EXPECTED_HC_MAP}"
def get_cluster_related_object(
client: ADCMClient,
cluster: str = 'first',
service: Optional[str] = None,
component: Optional[str] = None) -> ClusterRelatedObject:
"""
Get function to get one of ADCM cluster objects:
- Cluster (when all args are None)
- Service (when only service argument is not None)
- Component (when both arguments are not None)
"""
if service is None and component is None:
return client.cluster(name=cluster)
if service and component is None:
return client.cluster(name=cluster).service(name=service)
if service and component:
return client.cluster(name=cluster).service(name=service).component(
name=component)
raise ValueError(
'You can provide either only "service" argument or both "service" and "component" argument'
)
def test_remove_user_from_policy(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Test that user loses access if user removed from policy user list
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
policy = create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[user],
groups=[])
is_allowed(cluster, BusinessRoles.ViewComponentConfigurations)
with allure.step("Remove user from policy"):
policy.update(user=[{"id": sdk_client_fs.user(username="******").id}])
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
def test_remove_user_from_group(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Test that user loses access if user removed from group with policy
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
group = sdk_client_fs.group_create("test_group", user=[{"id": user.id}])
create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[],
groups=[group])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step("Remove user from group"):
group.update(user=[])
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
def test_remove_user_from_policy_but_still_in_group(user_sdk: ADCMClient, user,
prepare_objects,
sdk_client_fs):
"""
Test that user is still have access if user removed from policy but is in group
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
group = sdk_client_fs.group_create("test_group", user=[{"id": user.id}])
policy = create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[user],
groups=[group])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step("Remove user from policy"):
policy.update(user=[{"id": sdk_client_fs.user(username="******").id}])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
def test_upgrade_application_bundle(user_policy, user_sdk: ADCMClient,
prepare_objects, sdk_client_fs, user):
"""Test that Upgrade application bundle role is ok"""
cluster, *_, provider, _ = as_user_objects(user_sdk, *prepare_objects)
cluster_via_admin, *_ = prepare_objects
second_cluster = user_sdk.cluster(
id=cluster_via_admin.bundle().cluster_create(name="Second cluster").id)
is_allowed(cluster, BR.UpgradeClusterBundle)
is_denied(provider, BR.UpgradeClusterBundle)
is_denied(second_cluster, BR.UpgradeClusterBundle)
new_policy = create_policy(sdk_client_fs,
BR.UpgradeClusterBundle,
objects=[second_cluster],
users=[user],
groups=[])
delete_policy(new_policy)
is_denied(second_cluster, BR.UpgradeClusterBundle)
def test_remove_another_object_from_policy(user_sdk: ADCMClient, user,
prepare_objects, sdk_client_fs):
"""
Test that user is still have access if object removed from policy but exists high-level object
"""
cluster_via_admin, service_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
service = user_sdk.service(id=service_via_admin.id)
policy = create_policy(sdk_client_fs,
CLUSTER_VIEW_CONFIG_ROLES,
objects=[cluster, service],
users=[user],
groups=[])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
is_allowed(service, BusinessRoles.ViewServiceConfigurations)
with allure.step("Remove object from policy"):
policy.update(object=[{"id": cluster.id, "type": "cluster"}])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
is_allowed(service, BusinessRoles.ViewServiceConfigurations)
def test_save_groups(ui_config, sdk_client_fs: ADCMClient):
"""Test save config with groups"""
app_fields = ui_config.get_app_fields()
for textbox in app_fields:
if "field_for_group_without_options:" in textbox.text:
input_element = textbox.find_element(*Common.mat_input_element)
ui_config.clear_element(input_element)
time.sleep(2)
input_element.send_keys("new value")
break
ui_config.save_configuration()
service = sdk_client_fs.cluster(name="group_ui_options_test").service(name="group_ui_options_test")
config = service.config()
with allure.step('Check that configuration was saved'):
assert (
config['group_ui_options_disabled']['field_for_group_without_options'] == 'new value'
), "New configuration value wasn't applied"
assert len(config.keys()) == 12
for group in INVISIBLE_GROUPS:
assert group in config.keys(), "Invisible group should be present in config object"
def test_save_groups(group_elements, ui_config, sdk_client_fs: ADCMClient):
"""Click save configuration button and check that configuration was saved
"""
app_fields = ui_config.get_app_fields()
for textbox in app_fields:
if "field_for_group_without_options:" in textbox.text:
input_element = textbox.find_element(*Common.mat_input_element)
ui_config.clear_element(input_element)
time.sleep(2)
input_element.send_keys("shalalala")
break
ui_config.save_configuration()
service = sdk_client_fs.cluster(name="group_ui_options_test").service(
name="group_ui_options_test")
config = service.config()
assert config['group_ui_options_disabled']['field_for_group_without_options'] == 'shalalala', \
config['group_ui_options_disabled']['field_for_group_without_options']
assert len(config.keys()) == 12
for group in INVISIBLE_GROUPS:
assert group in config.keys(), config
def test_remove_policy_but_exists_same_policy(user_sdk: ADCMClient, user,
prepare_objects, sdk_client_fs):
"""
Test that user is still have access if removed policy, but we still have another policy with the same rights
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[user],
groups=[])
second_policy = create_policy(sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[user],
groups=[])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step("Remove second policy"):
second_policy.delete()
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
def test_forbidden_state_set_actions(sdk_client_fs: ADCMClient):
"""
Check that forbidden caller-context combinations fail as actions
and don't affect any ADCM objects
"""
name = "first"
first_first_fqdn = "first-first"
first_second_fqdn = "first-second"
with allure.step(f'Check forbidden from cluster "{name}" context actions'):
cluster = sdk_client_fs.cluster(name=name)
for forbidden_action in ('set_service', 'set_component'):
with check_objects_state_changed(sdk_client_fs):
run_cluster_action_and_assert_result(cluster,
forbidden_action,
status='failed')
with allure.step(f'Check forbidden from service "{name}" context actions'):
service = cluster.service(name=name)
with check_objects_state_changed(sdk_client_fs):
run_service_action_and_assert_result(service,
'set_component',
status='failed')
with allure.step(
f'Check forbidden from provider "{name}" context actions'):
provider = sdk_client_fs.provider(name=name)
with check_objects_state_changed(sdk_client_fs):
run_provider_action_and_assert_result(provider,
'set_host',
status='failed')
with allure.step(
f'Check forbidden from host "{first_first_fqdn}" context actions'):
host_first = sdk_client_fs.host(fqdn=first_first_fqdn)
host_second = sdk_client_fs.host(fqdn=first_second_fqdn)
with check_objects_state_changed(sdk_client_fs):
run_host_action_and_assert_result(
host_first,
'set_host_from_provider',
config={'host_id': host_second.id},
status='failed')
def test_remove_object_from_policy(user_sdk: ADCMClient, user, prepare_objects,
sdk_client_fs):
"""
Test that user loses access if object changed from policy
"""
cluster_via_admin, service_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
service = user_sdk.service(id=service_via_admin.id)
policy = create_policy(
sdk_client_fs,
[
BusinessRoles.ViewClusterConfigurations,
BusinessRoles.ViewServiceConfigurations
],
objects=[cluster],
users=[user],
groups=[],
)
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step("Change policy object from cluster to service"):
policy.update(object=[{"id": service_via_admin.id, "type": "service"}])
is_denied(cluster, BusinessRoles.ViewClusterConfigurations)
is_allowed(service, BusinessRoles.ViewClusterConfigurations)
def test_remove_group_with_user_but_still_in_another_group(
user_sdk: ADCMClient, user, prepare_objects, sdk_client_fs):
"""
Test that user is still have access if removed group with user but user is in another group
"""
cluster_via_admin, *_ = prepare_objects
cluster = user_sdk.cluster(id=cluster_via_admin.id)
group = sdk_client_fs.group_create("test_group", user=[{"id": user.id}])
another_group = sdk_client_fs.group_create("another_group",
user=[{
"id": user.id
}])
policy = create_policy(
sdk_client_fs,
BusinessRoles.ViewClusterConfigurations,
objects=[cluster],
users=[],
groups=[group, another_group],
)
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
with allure.step("Remove user from group"):
policy.update(group=[{"id": another_group.id}])
is_allowed(cluster, BusinessRoles.ViewClusterConfigurations)
def _get_cluster(self, adcm_client: ADCMClient) -> Cluster:
"""Get cluster object"""
return adcm_client.cluster(name=CLUSTER_NAME)
def test_cluster_state_after_multijob(sdk_client_ms: ADCMClient, cluster):
with allure.step('Run action: multi'):
cluster.action_run(name="multi").wait()
with allure.step('Check cluster state'):
assert sdk_client_ms.cluster(name=cluster.name).state == cluster.name
def _check_that_cluster_exists(sdk_client_fs: ADCMClient, cluster: Cluster) -> None:
assert len(sdk_client_fs.cluster_list()) == 1, "Only one cluster expected to be"
with catch_failed(ObjectNotFound, "Previously created cluster not found"):
sdk_client_fs.cluster(name=cluster.name)
