Exemple #1
0
def test_aggregate_request(graph, groups, permissions, session, standard_graph, users):
    gary = users["*****@*****.**"]
    testuser = users["*****@*****.**"]
    not_involved = [user for name,user in users.items() if name not in ("*****@*****.**",
            "*****@*****.**")]

    assert not any([user_requests_aggregate(session, u).all() for u in users.values()]), \
            "should have no pending requests to begin with"

    # one request to one team
    groups["team-sre"].add_member(users["*****@*****.**"], users["*****@*****.**"],
            reason="for the lulz")
    session.commit()

    assert len(user_requests_aggregate(session, gary).all()) == 1, "one pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # two request to two teams, same owner
    groups["team-infra"].add_member(users["*****@*****.**"], users["*****@*****.**"],
            reason="for the lulz")
    session.commit()

    request_gary = user_requests_aggregate(session, gary).all()
    assert len(request_gary) == 2, "two pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # resolving one request should reflect
    request = session.query(Request).filter_by(id=request_gary[0].id).scalar()
    request.update_status(users["*****@*****.**"], "actioned", "for being a good person")
    session.commit()

    assert len(user_requests_aggregate(session, gary).all()) == 1, "one pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # requests to dependent teams should reflect apprpriately
    groups["security-team"].add_member(users["*****@*****.**"], users["*****@*****.**"],
            reason="for the lulz")
    session.commit()

    assert len(user_requests_aggregate(session, gary).all()) == 1, "super owner should not get request"
    assert len(user_requests_aggregate(session, users["*****@*****.**"]).all()) == 1, "owner should get request"
    user_not_gary_oliver = [u for n,u in users.items() if n not in ("*****@*****.**","*****@*****.**")]
    assert not any([user_requests_aggregate(session, u).all() for u in user_not_gary_oliver])

    # manager and np-owner should get requests
    figurehead = users["*****@*****.**"]
    add_member(groups["audited-team"], figurehead, role="manager")
    assert len(user_requests_aggregate(session, figurehead).all()) == 0, "no request for np-owner at first"

    groups["tech-ops"].add_member(users["*****@*****.**"], users["*****@*****.**"],
            reason="for the lulz")
    assert len(user_requests_aggregate(session, figurehead).all()) == 1, "request for np-owner"

    groups["audited-team"].add_member(users["*****@*****.**"], users["*****@*****.**"],
            reason="for the lulz")
    assert len(user_requests_aggregate(session, figurehead).all()) == 2, "request for np-owner and manager"
Exemple #2
0
def test_service_accounts(users, http_client, base_url):
    api_url = url(base_url, '/service_accounts')
    resp = yield http_client.fetch(api_url)
    body = json.loads(resp.body)
    service_accounts = sorted([user.name for user in users.values() if user.role_user])

    assert resp.code == 200
    assert body["status"] == "ok"
    assert sorted(body["data"]["service_accounts"]) == service_accounts
Exemple #3
0
def test_service_accounts(users, http_client, base_url):
    api_url = url(base_url, '/service_accounts')
    resp = yield http_client.fetch(api_url)
    body = json.loads(resp.body)
    service_accounts = sorted([user.name for user in users.values() if user.role_user])

    assert resp.code == 200
    assert body["status"] == "ok"
    assert sorted(body["data"]["service_accounts"]) == service_accounts
Exemple #4
0
def test_aggregate_request(graph, groups, permissions, session, standard_graph, users):
    gary = users["gary"]
    testuser = users["testuser"]
    not_involved = [user for name,user in users.items() if name not in ("gary","testuser")]

    print "users! {}".format(users.values())
    assert not any([u.my_requests_aggregate().all() for u in users.values()]), \
            "should have no pending requests to begin with"

    # one request to one team
    groups["team-sre"].add_member(users["testuser"], users["testuser"], reason="for the lulz")
    session.commit()

    assert len(gary.my_requests_aggregate().all()) == 1, "one pending request for owner"
    assert not any([u.my_requests_aggregate().all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # two request to two teams, same owner
    groups["team-infra"].add_member(users["testuser"], users["testuser"], reason="for the lulz")
    session.commit()

    request_gary = gary.my_requests_aggregate().all()
    assert len(request_gary) == 2, "two pending request for owner"
    assert not any([u.my_requests_aggregate().all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # resolving one request should reflect
    request = session.query(Request).filter_by(id=request_gary[0].id).scalar()
    request.update_status(users["gary"], "actioned", "for being a good person")
    session.commit()

    assert len(gary.my_requests_aggregate().all()) == 1, "one pending request for owner"
    assert not any([u.my_requests_aggregate().all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # requests to dependent teams should reflect apprpriately
    groups["security-team"].add_member(users["testuser"], users["testuser"], reason="for the lulz")
    session.commit()

    assert len(gary.my_requests_aggregate().all()) == 1, "super owner should not get request"
    assert len(users["oliver"].my_requests_aggregate().all()) == 1, "owner should get request"
    user_not_gary_oliver = [u for n,u in users.items() if n not in ("gary","oliver")]
    assert not any([u.my_requests_aggregate().all() for u in user_not_gary_oliver])
def test_service_accounts(session, standard_graph, users, http_client,
                          base_url):
    graph = standard_graph
    service_accounts = sorted([u.name for u in users.values() if u.role_user] +
                              ["*****@*****.**"])

    api_url = url(base_url, "/service_accounts")
    resp = yield http_client.fetch(api_url)
    body = json.loads(resp.body)
    assert resp.code == 200
    assert body["status"] == "ok"
    assert sorted(body["data"]["service_accounts"]) == service_accounts

    # TODO: test cutoff

    # Retrieve a single service account and check its metadata.
    api_url = url(base_url, "/service_accounts/[email protected]")
    resp = yield http_client.fetch(api_url)
    body = json.loads(resp.body)
    assert resp.code == 200
    assert body["status"] == "ok"
    data = body["data"]["user"]
    assert "service_account" in data
    assert data["service_account"]["description"] == "some service account"
    assert data["service_account"]["machine_set"] == "some machines"
    assert data["service_account"]["owner"] == "team-sre"
    assert body["data"]["permissions"] == []

    # Delegate a permission to the service account and check for it.
    service_account = ServiceAccount.get(session, name="*****@*****.**")
    permission = Permission.get(session, name="team-sre")
    grant_permission_to_service_account(session, service_account, permission,
                                        "*")
    graph.update_from_db(session)
    resp = yield http_client.fetch(api_url)
    body = json.loads(resp.body)
    assert resp.code == 200
    assert body["status"] == "ok"
    permissions = body["data"]["permissions"]
    assert permissions[0]["permission"] == "team-sre"
    assert permissions[0]["argument"] == "*"
def test_aggregate_request(graph, groups, permissions, session, standard_graph,
                           users):
    gary = users["*****@*****.**"]
    testuser = users["*****@*****.**"]
    not_involved = [
        user for name, user in users.items()
        if name not in ("*****@*****.**", "*****@*****.**")
    ]

    assert not any([user_requests_aggregate(session, u).all() for u in users.values()]), \
            "should have no pending requests to begin with"

    # one request to one team
    groups["team-sre"].add_member(users["*****@*****.**"],
                                  users["*****@*****.**"],
                                  reason="for the lulz")
    session.commit()

    assert len(user_requests_aggregate(
        session, gary).all()) == 1, "one pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # two request to two teams, same owner
    groups["team-infra"].add_member(users["*****@*****.**"],
                                    users["*****@*****.**"],
                                    reason="for the lulz")
    session.commit()

    request_gary = user_requests_aggregate(session, gary).all()
    assert len(request_gary) == 2, "two pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # resolving one request should reflect
    request = session.query(Request).filter_by(id=request_gary[0].id).scalar()
    request.update_status(users["*****@*****.**"], "actioned",
                          "for being a good person")
    session.commit()

    assert len(user_requests_aggregate(
        session, gary).all()) == 1, "one pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # requests to dependent teams should reflect apprpriately
    groups["security-team"].add_member(users["*****@*****.**"],
                                       users["*****@*****.**"],
                                       reason="for the lulz")
    session.commit()

    assert len(user_requests_aggregate(
        session, gary).all()) == 1, "super owner should not get request"
    assert len(user_requests_aggregate(
        session, users["*****@*****.**"]).all()) == 1, "owner should get request"
    user_not_gary_oliver = [
        u for n, u in users.items() if n not in ("*****@*****.**", "*****@*****.**")
    ]
    assert not any([
        user_requests_aggregate(session, u).all() for u in user_not_gary_oliver
    ])

    # manager and np-owner should get requests
    figurehead = users["*****@*****.**"]
    add_member(groups["audited-team"], figurehead, role="manager")
    assert len(user_requests_aggregate(
        session, figurehead).all()) == 0, "no request for np-owner at first"

    groups["tech-ops"].add_member(users["*****@*****.**"],
                                  users["*****@*****.**"],
                                  reason="for the lulz")
    assert len(user_requests_aggregate(
        session, figurehead).all()) == 1, "request for np-owner"

    groups["audited-team"].add_member(users["*****@*****.**"],
                                      users["*****@*****.**"],
                                      reason="for the lulz")
    assert len(user_requests_aggregate(
        session, figurehead).all()) == 2, "request for np-owner and manager"