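def test_aggregate_request(graph, groups, permissions, session, standard_graph, users):
    """Check that pending join requests are aggregated only for users who can act on them.

    After each step the test asserts how many pending requests
    ``user_requests_aggregate`` reports for the approver, and that users who
    are not approvers see none.

    NOTE(review): every ``users[...]`` key below is the same masked
    placeholder in this listing, so the distinct accounts (owner, requester,
    dependent-team owner, figurehead) cannot be told apart from the literals.
    The local names and assertion messages are the only guide; confirm the
    keys against the fixture.
    """
    gary = users["*****@*****.**"]
    testuser = users["*****@*****.**"]
    not_involved = [
        user for name, user in users.items()
        if name not in ("*****@*****.**", "*****@*****.**")
    ]

    assert not any([user_requests_aggregate(session, u).all() for u in users.values()]), \
        "should have no pending requests to begin with"

    # one request to one team
    groups["team-sre"].add_member(users["*****@*****.**"], users["*****@*****.**"],
                                  reason="for the lulz")
    session.commit()

    assert len(user_requests_aggregate(session, gary).all()) == 1, "one pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
        "no pending requests if you're not the owner"

    # two requests to two teams, same owner
    groups["team-infra"].add_member(users["*****@*****.**"], users["*****@*****.**"],
                                    reason="for the lulz")
    session.commit()

    request_gary = user_requests_aggregate(session, gary).all()
    assert len(request_gary) == 2, "two pending request for owner"
    # Read both ids before anything is resolved, so the later check names the
    # exact request that must stay pending instead of relying on a count.
    resolved_id, still_pending_id = request_gary[0].id, request_gary[1].id
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
        "no pending requests if you're not the owner"

    # resolving one request should be reflected in the aggregate
    request = session.query(Request).filter_by(id=resolved_id).scalar()
    request.update_status(users["*****@*****.**"], "actioned", "for being a good person")
    session.commit()

    remaining = user_requests_aggregate(session, gary).all()
    assert len(remaining) == 1, "one pending request for owner"
    # A count of one would also pass if the wrong request had been closed.
    assert remaining[0].id == still_pending_id, \
        "the request that was not actioned should be the one still pending"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
        "no pending requests if you're not the owner"

    # requests to dependent teams should be reflected appropriately
    groups["security-team"].add_member(users["*****@*****.**"], users["*****@*****.**"],
                                       reason="for the lulz")
    session.commit()

    assert len(user_requests_aggregate(session, gary).all()) == 1, \
        "super owner should not get request"
    assert len(user_requests_aggregate(session, users["*****@*****.**"]).all()) == 1, \
        "owner should get request"
    user_not_gary_oliver = [
        u for n, u in users.items()
        if n not in ("*****@*****.**", "*****@*****.**")
    ]
    assert not any([user_requests_aggregate(session, u).all() for u in user_not_gary_oliver])

    # manager and np-owner should get requests
    figurehead = users["*****@*****.**"]
    add_member(groups["audited-team"], figurehead, role="manager")
    assert len(user_requests_aggregate(session, figurehead).all()) == 0, \
        "no request for np-owner at first"

    groups["tech-ops"].add_member(users["*****@*****.**"], users["*****@*****.**"],
                                  reason="for the lulz")
    assert len(user_requests_aggregate(session, figurehead).all()) == 1, \
        "request for np-owner"

    groups["audited-team"].add_member(users["*****@*****.**"], users["*****@*****.**"],
                                      reason="for the lulz")
    assert len(user_requests_aggregate(session, figurehead).all()) == 2, \
        "request for np-owner and manager"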
def test_service_accounts(users, http_client, base_url):
    """List service accounts through the API and compare them with the fixture's role users.

    NOTE(review): the test yields on ``http_client.fetch``, so it needs a
    coroutine-aware test decorator; none is visible in this listing.
    """
    response = yield http_client.fetch(url(base_url, '/service_accounts'))
    payload = json.loads(response.body)

    # Expected listing: the name of every fixture user flagged as a role user.
    expected_names = [account.name for account in users.values() if account.role_user]
    expected_names.sort()

    assert response.code == 200
    assert payload["status"] == "ok"
    # The API's ordering is not relied on; both sides are compared sorted.
    assert sorted(payload["data"]["service_accounts"]) == expected_names
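def test_aggregate_request(graph, groups, permissions, session, standard_graph, users):
    """Check that pending join requests are aggregated only for users who can act on them.

    After each step the test asserts how many pending requests
    ``my_requests_aggregate`` reports for the approver, and that users who are
    not approvers see none.
    """
    gary = users["gary"]
    testuser = users["testuser"]
    not_involved = [user for name, user in users.items() if name not in ("gary", "testuser")]

    # Parenthesised single-argument form: prints the same text under the
    # Python 2 print statement and also parses on Python 3.
    print("users! {}".format(users.values()))

    assert not any([u.my_requests_aggregate().all() for u in users.values()]), \
        "should have no pending requests to begin with"

    # one request to one team
    groups["team-sre"].add_member(testuser, testuser, reason="for the lulz")
    session.commit()

    assert len(gary.my_requests_aggregate().all()) == 1, "one pending request for owner"
    assert not any([u.my_requests_aggregate().all() for u in not_involved]), \
        "no pending requests if you're not the owner"

    # two requests to two teams, same owner
    groups["team-infra"].add_member(testuser, testuser, reason="for the lulz")
    session.commit()

    request_gary = gary.my_requests_aggregate().all()
    assert len(request_gary) == 2, "two pending request for owner"
    # Read both ids before anything is resolved, so the later check names the
    # exact request that must stay pending instead of relying on a count.
    resolved_id, still_pending_id = request_gary[0].id, request_gary[1].id
    assert not any([u.my_requests_aggregate().all() for u in not_involved]), \
        "no pending requests if you're not the owner"

    # resolving one request should be reflected in the aggregate
    request = session.query(Request).filter_by(id=resolved_id).scalar()
    request.update_status(gary, "actioned", "for being a good person")
    session.commit()

    remaining = gary.my_requests_aggregate().all()
    assert len(remaining) == 1, "one pending request for owner"
    # A count of one would also pass if the wrong request had been closed.
    assert remaining[0].id == still_pending_id, \
        "the request that was not actioned should be the one still pending"
    assert not any([u.my_requests_aggregate().all() for u in not_involved]), \
        "no pending requests if you're not the owner"

    # requests to dependent teams should be reflected appropriately
    groups["security-team"].add_member(testuser, testuser, reason="for the lulz")
    session.commit()

    assert len(gary.my_requests_aggregate().all()) == 1, "super owner should not get request"
    assert len(users["oliver"].my_requests_aggregate().all()) == 1, "owner should get request"
    user_not_gary_oliver = [u for n, u in users.items() if n not in ("gary", "oliver")]
    assert not any([u.my_requests_aggregate().all() for u in user_not_gary_oliver])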
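def test_service_accounts(session, standard_graph, users, http_client, base_url):
    """Exercise the service-account API: listing, single-account metadata, delegated permissions.

    NOTE(review): the test yields on ``http_client.fetch``, so it needs a
    coroutine-aware test decorator; none is visible in this listing.
    NOTE(review): the service-account name is masked in this listing, both in
    the list literal and in the single-account URL. Presumably all three
    occurrences name the same account; confirm against the fixture.
    """
    graph = standard_graph
    service_accounts = sorted(
        [u.name for u in users.values() if u.role_user] + ["*****@*****.**"]
    )

    api_url = url(base_url, "/service_accounts")
    resp = yield http_client.fetch(api_url)
    body = json.loads(resp.body)
    assert resp.code == 200
    assert body["status"] == "ok"
    assert sorted(body["data"]["service_accounts"]) == service_accounts

    # TODO: test cutoff

    # Retrieve a single service account and check its metadata.
    api_url = url(base_url, "/service_accounts/[email protected]")
    resp = yield http_client.fetch(api_url)
    body = json.loads(resp.body)
    assert resp.code == 200
    assert body["status"] == "ok"
    data = body["data"]["user"]
    assert "service_account" in data
    assert data["service_account"]["description"] == "some service account"
    assert data["service_account"]["machine_set"] == "some machines"
    assert data["service_account"]["owner"] == "team-sre"
    # Baseline for the delegation check below: no permissions yet.
    assert body["data"]["permissions"] == []

    # Delegate a permission to the service account and check for it.
    service_account = ServiceAccount.get(session, name="*****@*****.**")
    permission = Permission.get(session, name="team-sre")
    grant_permission_to_service_account(session, service_account, permission, "*")
    # The API is re-queried only after the graph is refreshed from the database.
    graph.update_from_db(session)

    resp = yield http_client.fetch(api_url)
    body = json.loads(resp.body)
    assert resp.code == 200
    assert body["status"] == "ok"
    permissions = body["data"]["permissions"]
    # The account had no permissions and exactly one was granted. Any further
    # entry would mean it holds more access than was delegated, which checking
    # only the first element would not catch.
    assert len(permissions) == 1
    assert permissions[0]["permission"] == "team-sre"
    assert permissions[0]["argument"] == "*"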
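def test_aggregate_request(graph, groups, permissions, session, standard_graph, users):
    """Check that pending join requests are aggregated only for users who can act on them.

    After each step the test asserts how many pending requests
    ``user_requests_aggregate`` reports for the approver, and that users who
    are not approvers see none.

    NOTE(review): every ``users[...]`` key below is the same masked
    placeholder in this listing, so the distinct accounts cannot be told apart
    from the literals. Confirm the keys against the fixture.
    """
    def pending(user):
        # All pending requests the aggregate query reports for ``user``.
        return user_requests_aggregate(session, user).all()

    gary = users["*****@*****.**"]
    testuser = users["*****@*****.**"]
    not_involved = [
        user for name, user in users.items()
        if name not in ("*****@*****.**", "*****@*****.**")
    ]

    assert not any([pending(u) for u in users.values()]), \
        "should have no pending requests to begin with"

    # one request to one team
    groups["team-sre"].add_member(users["*****@*****.**"], users["*****@*****.**"],
                                  reason="for the lulz")
    session.commit()

    assert len(pending(gary)) == 1, "one pending request for owner"
    assert not any([pending(u) for u in not_involved]), \
        "no pending requests if you're not the owner"

    # two requests to two teams, same owner
    groups["team-infra"].add_member(users["*****@*****.**"], users["*****@*****.**"],
                                    reason="for the lulz")
    session.commit()

    request_gary = pending(gary)
    assert len(request_gary) == 2, "two pending request for owner"
    # Read both ids before anything is resolved, so the later check names the
    # exact request that must stay pending instead of relying on a count.
    resolved_id, still_pending_id = request_gary[0].id, request_gary[1].id
    assert not any([pending(u) for u in not_involved]), \
        "no pending requests if you're not the owner"

    # resolving one request should be reflected in the aggregate
    request = session.query(Request).filter_by(id=resolved_id).scalar()
    request.update_status(users["*****@*****.**"], "actioned", "for being a good person")
    session.commit()

    remaining = pending(gary)
    assert len(remaining) == 1, "one pending request for owner"
    # A count of one would also pass if the wrong request had been closed.
    assert remaining[0].id == still_pending_id, \
        "the request that was not actioned should be the one still pending"
    assert not any([pending(u) for u in not_involved]), \
        "no pending requests if you're not the owner"

    # requests to dependent teams should be reflected appropriately
    groups["security-team"].add_member(users["*****@*****.**"], users["*****@*****.**"],
                                       reason="for the lulz")
    session.commit()

    assert len(pending(gary)) == 1, "super owner should not get request"
    assert len(pending(users["*****@*****.**"])) == 1, "owner should get request"
    user_not_gary_oliver = [
        u for n, u in users.items()
        if n not in ("*****@*****.**", "*****@*****.**")
    ]
    assert not any([pending(u) for u in user_not_gary_oliver])

    # manager and np-owner should get requests
    figurehead = users["*****@*****.**"]
    add_member(groups["audited-team"], figurehead, role="manager")
    assert len(pending(figurehead)) == 0, "no request for np-owner at first"

    groups["tech-ops"].add_member(users["*****@*****.**"], users["*****@*****.**"],
                                  reason="for the lulz")
    assert len(pending(figurehead)) == 1, "request for np-owner"

    groups["audited-team"].add_member(users["*****@*****.**"], users["*****@*****.**"],
                                      reason="for the lulz")
    assert len(pending(figurehead)) == 2, "request for np-owner and manager"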