def test_service_accounts(session, standard_graph, users, http_client, base_url): # noqa: F811
api_url = url(base_url, "/service_accounts")
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "ok"
assert sorted(body["data"]["service_accounts"]) == sorted(
[u.name for u in itervalues(users) if u.role_user] + ["*****@*****.**"]
)
# Retrieve a single service account and check its metadata.
api_url = url(base_url, "/service_accounts/[email protected]")
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "ok"
data = body["data"]["user"]
assert "service_account" in data
assert data["service_account"]["description"] == "some service account"
assert data["service_account"]["machine_set"] == "some machines"
assert data["service_account"]["owner"] == "team-sre"
assert body["data"]["permissions"] == []
# Delegate a permission to the service account and check for it.
service_account = ServiceAccount.get(session, name="*****@*****.**")
permission = get_permission(session, "team-sre")
grant_permission_to_service_account(session, service_account, permission, "*")
standard_graph.update_from_db(session)
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "ok"
perms = body["data"]["permissions"]
assert perms[0]["permission"] == "team-sre"
assert perms[0]["argument"] == "*"
def test_grant_permission(session, standard_graph, groups, permissions):
grant_permission(groups["sad-team"], permissions["ssh"], argument="host +other-host")
with pytest.raises(AssertionError):
grant_permission(groups["sad-team"], permissions["ssh"], argument="question?")
account = ServiceAccount.get(session, name="*****@*****.**")
grant_permission_to_service_account(session, account, permissions["ssh"], argument="*")
with pytest.raises(AssertionError):
grant_permission_to_service_account(
session, account, permissions["ssh"], argument="question?")
def test_grant_permission(session, standard_graph, groups, permissions): # noqa: F811
grant_permission(groups["sad-team"], permissions["ssh"], argument="host +other-host")
with pytest.raises(AssertionError):
grant_permission(groups["sad-team"], permissions["ssh"], argument="question?")
account = ServiceAccount.get(session, name="*****@*****.**")
grant_permission_to_service_account(session, account, permissions["ssh"], argument="*")
with pytest.raises(AssertionError):
grant_permission_to_service_account(
session, account, permissions["ssh"], argument="question?"
)
def post(self, group_id=None, name=None, account_id=None, accountname=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
service_account = ServiceAccount.get(self.session, account_id, accountname)
if not service_account:
return self.notfound()
user = service_account.user
if not self.check_access(self.session, self.current_user, service_account):
return self.forbidden()
grantable = group.my_permissions()
form = self.get_form(grantable)
if not form.validate():
return self.render(
"service-account-permission-grant.html", form=form, user=user, group=group,
alerts=self.get_form_alerts(form.errors)
)
permission = Permission.get(self.session, form.data["permission"])
if not permission:
return self.notfound()
allowed = False
for perm in grantable:
if perm[1] == permission.name:
if matches_glob(perm[3], form.data["argument"]):
allowed = True
break
if not allowed:
form.argument.errors.append(
"The group {} does not have that permission".format(group.name))
return self.render(
"service-account-permission-grant.html", form=form, user=user, group=group,
alerts=self.get_form_alerts(form.errors)
)
try:
grant_permission_to_service_account(
self.session, service_account, permission, form.data["argument"])
except IntegrityError:
self.session.rollback()
return self.render(
"service-account-permission-grant.html", form=form, user=user,
alerts=self.get_form_alerts(form.errors)
)
AuditLog.log(self.session, self.current_user.id, "grant_permission",
"Granted permission with argument: {}".format(form.data["argument"]),
on_permission_id=permission.id, on_group_id=group.id,
on_user_id=service_account.user.id)
return self.redirect("/groups/{}/service/{}?refresh=yes".format(
group.name, service_account.user.username))
def test_service_accounts(session, standard_graph, users, http_client,
base_url):
graph = standard_graph
service_accounts = sorted([u.name for u in users.values() if u.role_user] +
["*****@*****.**"])
api_url = url(base_url, "/service_accounts")
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "ok"
assert sorted(body["data"]["service_accounts"]) == service_accounts
# TODO: test cutoff
# Retrieve a single service account and check its metadata.
api_url = url(base_url, "/service_accounts/[email protected]")
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "ok"
data = body["data"]["user"]
assert "service_account" in data
assert data["service_account"]["description"] == "some service account"
assert data["service_account"]["machine_set"] == "some machines"
assert data["service_account"]["owner"] == "team-sre"
assert body["data"]["permissions"] == []
# Delegate a permission to the service account and check for it.
service_account = ServiceAccount.get(session, name="*****@*****.**")
permission = Permission.get(session, name="team-sre")
grant_permission_to_service_account(session, service_account, permission,
"*")
graph.update_from_db(session)
resp = yield http_client.fetch(api_url)
body = json.loads(resp.body)
assert resp.code == 200
assert body["status"] == "ok"
permissions = body["data"]["permissions"]
assert permissions[0]["permission"] == "team-sre"
assert permissions[0]["argument"] == "*"
def test_service_accounts(
session,
standard_graph,
graph,
users,
groups,
permissions # noqa: F811
):
# Create a service account.
service_account = ServiceAccount.get(session, name="*****@*****.**")
assert service_account.description == "some service account"
assert service_account.machine_set == "some machines"
assert service_account.user.name == "*****@*****.**"
assert service_account.user.enabled == True
assert service_account.user.is_service_account == True
accounts = get_service_accounts(session, groups["team-sre"])
assert len(accounts) == 1
assert accounts[0].user.name == "*****@*****.**"
assert is_service_account(session, service_account.user)
# Duplicates should raise an exception.
with pytest.raises(DuplicateServiceAccount):
create_service_account(session, users["*****@*****.**"], "*****@*****.**",
"dup", "dup", groups["team-sre"])
# zorkian should be able to manage the account, as should gary, but oliver (not a member of the
# group) should not.
assert can_manage_service_account(session, service_account,
users["*****@*****.**"])
assert can_manage_service_account(session, service_account,
users["*****@*****.**"])
assert not can_manage_service_account(session, service_account,
users["*****@*****.**"])
# Check that the user appears in the graph.
graph.update_from_db(session)
metadata = graph.user_metadata["*****@*****.**"]
assert metadata["enabled"]
assert metadata["service_account"]["description"] == "some service account"
assert metadata["service_account"]["machine_set"] == "some machines"
assert metadata["service_account"]["owner"] == "team-sre"
group_details = graph.get_group_details("team-sre")
assert group_details["service_accounts"] == ["*****@*****.**"]
# Grant a permission to the service account and check it in the graph.
grant_permission_to_service_account(session, service_account,
permissions["team-sre"], "*")
graph.update_from_db(session)
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"][0]["permission"] == "team-sre"
assert user_details["permissions"][0]["argument"] == "*"
# Diabling the service account should remove the link to the group.
disable_service_account(session, users["*****@*****.**"], service_account)
assert service_account.user.enabled == False
assert get_service_accounts(session, groups["team-sre"]) == []
# The user should also be gone from the graph and have its permissions removed.
graph.update_from_db(session)
group_details = graph.get_group_details("team-sre")
assert "service_accounts" not in group_details
metadata = graph.user_metadata["*****@*****.**"]
assert not metadata["enabled"]
assert "owner" not in metadata["service_account"]
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"] == []
# We can re-enable and attach to a different group.
new_group = groups["security-team"]
enable_service_account(session, users["*****@*****.**"], service_account,
new_group)
assert service_account.user.enabled == True
assert get_service_accounts(session, groups["team-sre"]) == []
accounts = get_service_accounts(session, new_group)
assert len(accounts) == 1
assert accounts[0].user.name == "*****@*****.**"
# Check that this is reflected in the graph and the user has no permissions.
graph.update_from_db(session)
group_details = graph.get_group_details("security-team")
assert group_details["service_accounts"] == ["*****@*****.**"]
metadata = graph.user_metadata["*****@*****.**"]
assert metadata["service_account"]["owner"] == "security-team"
user_details = graph.get_user_details("*****@*****.**")
assert user_details["permissions"] == []
def post(self,
group_id=None,
name=None,
account_id=None,
accountname=None):
group = Group.get(self.session, group_id, name)
if not group:
return self.notfound()
service_account = ServiceAccount.get(self.session, account_id,
accountname)
if not service_account:
return self.notfound()
user = service_account.user
if not self.check_access(self.session, self.current_user,
service_account):
return self.forbidden()
grantable = group.my_permissions()
form = self.get_form(grantable)
if not form.validate():
return self.render("service-account-permission-grant.html",
form=form,
user=user,
group=group,
alerts=self.get_form_alerts(form.errors))
permission = Permission.get(self.session, form.data["permission"])
if not permission:
return self.notfound()
allowed = False
for perm in grantable:
if perm[1] == permission.name:
if matches_glob(perm[3], form.data["argument"]):
allowed = True
break
if not allowed:
form.argument.errors.append(
"The group {} does not have that permission".format(
group.name))
return self.render("service-account-permission-grant.html",
form=form,
user=user,
group=group,
alerts=self.get_form_alerts(form.errors))
try:
grant_permission_to_service_account(self.session, service_account,
permission,
form.data["argument"])
except IntegrityError:
self.session.rollback()
return self.render("service-account-permission-grant.html",
form=form,
user=user,
alerts=self.get_form_alerts(form.errors))
AuditLog.log(self.session,
self.current_user.id,
"grant_permission",
"Granted permission with argument: {}".format(
form.data["argument"]),
on_permission_id=permission.id,
on_group_id=group.id,
on_user_id=service_account.user.id)
return self.redirect("/groups/{}/service/{}?refresh=yes".format(
group.name, service_account.user.username))