def test_require_clickthru(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Joining a group created with "require clickthru" must pass through the clickthru modal.

    The group is created from the groups listing modal with the clickthru checkbox ticked; a
    second frontend_server context then joins it, confirms the clickthru modal, and is expected
    to land on the group view page as a member.
    """
    # Create the group through the modal on the groups listing page.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups"))
        listing = GroupsViewPage(browser)
        listing.click_create_group_button()
        create_modal = listing.get_create_group_modal()
        create_modal.set_group_name("test-group")
        create_modal.set_join_policy(GroupJoinPolicy.CAN_JOIN)
        create_modal.click_require_clickthru_checkbox()
        create_modal.confirm()

    # Join it and accept the clickthru agreement.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/test-group/join"))
        join = GroupJoinPage(browser)
        join.set_reason("Testing")
        join.submit()
        join.get_clickthru_modal().confirm()

        landing = GroupViewPage(browser)
        assert landing.current_url.endswith("/groups/test-group?refresh=yes")
        assert landing.find_member_row("*****@*****.**")
def test_disabling_group_clears_audit(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Disabling an audited group completes its audit and marks queued reminders as sent.

    An audit is started through /audits/create, the unsent AsyncNotification rows for the
    owner are inspected, the group is disabled from its view page, and the queue is checked
    again: only the notification without an audit key should still be unsent.
    """
    audit_end = datetime.utcnow() + timedelta(days=60)
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", role="owner")
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.create_permission("some-permission", audited=True)
        setup.grant_permission_to_group("some-permission", "argument", "some-group")
        setup.add_user_to_group("*****@*****.**", "auditors")
        setup.grant_permission_to_group(AUDIT_VIEWER, "", "auditors")
        setup.grant_permission_to_group(AUDIT_MANAGER, "", "auditors")
        setup.grant_permission_to_group(PERMISSION_AUDITOR, "", "auditors")

    # Start the audit and confirm the group page reflects it.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/audits/create"))
        audits_page = AuditsCreatePage(browser)
        audits_page.set_end_date(audit_end.strftime("%m/%d/%Y"))
        audits_page.submit()

        browser.get(url(base_url, "/groups/some-group"))
        assert GroupViewPage(browser).subheading == "some-group AUDIT IN PROGRESS"

    # Starting the audit should have queued reminder mail for the owner. The session is
    # reopened first because SQLite may otherwise not see the frontend's writes.
    setup.reopen_database()
    audited_group = Group.get(setup.session, name="some-group")
    assert audited_group
    audit_key = f"audit-{audited_group.id}"
    pending = (
        setup.session.query(AsyncNotification)
        .filter_by(sent=False, email="*****@*****.**")
        .all()
    )
    assert pending
    for notification in pending:
        assert notification.key is None or notification.key == audit_key
        assert "Group Audit" in notification.subject

    # Disabling the group should complete the audit.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/some-group"))
        view = GroupViewPage(browser)
        view.get_audit_modal().click_close_button()
        view.wait_until_audit_modal_clears()
        view.click_disable_button()
        view.get_disable_modal().confirm()
        assert view.subheading == "some-group (disabled)"

    # Every queued audit message is now marked sent; only the immediate one (not created via
    # async_send_email) remains unsent.
    setup.reopen_database()
    pending = (
        setup.session.query(AsyncNotification)
        .filter_by(sent=False, email="*****@*****.**")
        .all()
    )
    assert len(pending) == 1
    assert pending[0].key is None
def test_require_clickthru(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Join flow for a group created with the "require clickthru" option.

    Creates the group from the groups page modal, then joins it in a second frontend_server
    context; the join must go through the clickthru modal before the member row appears.
    """
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups"))
        groups_listing = GroupsViewPage(browser)
        groups_listing.click_create_group_button()
        new_group = groups_listing.get_create_group_modal()
        new_group.set_group_name("test-group")
        new_group.set_join_policy(GroupJoinPolicy.CAN_JOIN)
        new_group.click_require_clickthru_checkbox()
        new_group.confirm()

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/test-group/join"))
        join_form = GroupJoinPage(browser)
        join_form.set_reason("Testing")
        join_form.submit()
        # The clickthru agreement has to be confirmed before the join completes.
        join_form.get_clickthru_modal().confirm()

        result = GroupViewPage(browser)
        assert result.current_url.endswith("/groups/test-group?refresh=yes")
        assert result.find_member_row("*****@*****.**")
def test_permission_grant_denied(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Granting a permission to a service account is refused without the right authority.

    Two cases: a member of the owning group cannot grant a permission/argument the group does
    not itself hold (form error), and a user unrelated to the group gets a 403 page when
    following the Add Permission button.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.add_user_to_group("*****@*****.**", "other-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    grant_path = "/groups/some-group/service/[email protected]/grant"
    view_path = "/groups/some-group/service/[email protected]"

    # Owning-group member: the group holds argument "foo", so "bar" must be denied.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, grant_path))
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("bar")
        grant_form.submit()
        assert grant_form.has_alert("Permission denied")

    # Unrelated user: the button is visible but the grant page itself is forbidden.
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, view_path))
        account_view = ServiceAccountViewPage(browser)
        assert len(account_view.permission_rows) == 0
        account_view.click_add_permission_button()
        error = ErrorPage(browser)
        assert error.heading == "Error"
        assert error.subheading == "403 Forbidden"
def test_permission_revoke_denied(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Revoking a service account permission is refused for users who cannot manage it.

    First the revoke button must not even be present for an unrelated user. Then the user is
    added to the owning group so the button renders, removed again before clicking it, and
    the resulting POST must be rejected as unauthorized.
    """
    with setup.transaction():
        setup.create_service_account("*****@*****.**", "some-group")
        setup.grant_permission_to_service_account("some-permission", "*", "*****@*****.**")
        setup.create_user("*****@*****.**")

    account_path = "/groups/some-group/service/[email protected]"

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, account_path))
        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        grants = account_view.permission_rows
        assert len(grants) == 1
        only_grant = grants[0]
        assert only_grant.permission == "some-permission"
        assert only_grant.argument == "*"
        # No revoke button is rendered for someone who cannot manage the service account.
        with pytest.raises(NoSuchElementException):
            only_grant.click_revoke_button()

    # Make the button appear by adding the user to the owning group, then revoke the
    # membership before clicking. Selenium can only issue GETs from the test, so the POST to
    # the revoke URL has to come from the rendered button.
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, account_path))
        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        grants = account_view.permission_rows
        assert len(grants) == 1
        only_grant = grants[0]

        with setup.transaction():
            setup.remove_user_from_group("*****@*****.**", "some-group")

        only_grant.click_revoke_button()
        account_view.get_revoke_permission_modal().confirm()
        assert account_view.has_text("The operation you tried to complete is unauthorized")
def test_request_permission(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """A group owner can file a permission request and is sent to its update page.

    The request form is reached from the group view page; after submission the browser
    should be on /permissions/requests/1 showing the group, argument and reason.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", "owner")
        setup.create_permission("some-permission")
        setup.add_user_to_group("*****@*****.**", "admins")
        setup.grant_permission_to_group(PERMISSION_GRANT, "some-permission", "admins")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/some-group"))
        GroupViewPage(browser).click_request_permission_button()

        request_form = PermissionRequestPage(browser)
        request_form.set_permission("some-permission")
        request_form.set_argument_freeform("some-argument")
        request_form.set_reason("testing")
        request_form.submit()

        # The first request created gets id 1.
        assert browser.current_url.endswith("/permissions/requests/1")
        update_view = PermissionRequestUpdatePage(browser)
        for expected_text in ("some-group", "some-argument", "testing"):
            assert update_view.has_text(expected_text)
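def _parse_csp_directives(csp_header):
    # type: (str) -> dict
    """Split a Content-Security-Policy header value into a directive -> value mapping.

    Directives are separated by ";". Empty segments (for example from a trailing ";") are
    skipped, and a directive with no value (such as upgrade-insecure-requests) maps to "".
    The original loop unpacked every segment into exactly two parts and would raise
    ValueError on either of those inputs.
    """
    directives = {}
    for segment in csp_header.split(";"):
        parts = segment.strip().split(None, 1)
        if not parts:
            continue
        directives[parts[0]] = parts[1] if len(parts) > 1 else ""
    return directives


def test_csp(tmpdir, setup):
    # type: (LocalPath, SetupTest) -> None
    """Check the Content-Security-Policy header served on the front page.

    Verifies that default-src is 'none', that script-src and style-src do not allow
    unsafe-inline, that require-sri-for names both script and style, and that the configured
    cdnjs_prefix is an allowed script source.
    """
    with setup.transaction():
        setup.create_user("*****@*****.**")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        response = urlopen(url(frontend_url, "/"))
        try:
            assert response.getcode() == 200
            headers = response.info()
        finally:
            # Release the connection even if the status assertion fails.
            response.close()

        # Some basic sanity checks on the Content-Security-Policy.
        assert "Content-Security-Policy" in headers
        csp_directive = _parse_csp_directives(str(headers["Content-Security-Policy"]))
        assert csp_directive["default-src"] == "'none'"
        assert "unsafe-inline" not in csp_directive["script-src"]
        assert "unsafe-inline" not in csp_directive["style-src"]
        # NOTE(review): require-sri-for never left experimental status in browsers; this only
        # checks that the header text still carries it.
        assert "script" in csp_directive["require-sri-for"]
        assert "style" in csp_directive["require-sri-for"]

        # Make sure the cdnjs_prefix setting was honored.
        settings = FrontendSettings()
        assert settings.cdnjs_prefix in csp_directive["script-src"]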
def test_remove_last_owner_via_audit(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """An audit may not remove the only non-expiring owner of a group.

    The auditing user is also an expiring owner of the audited team; marking the other owner
    for removal in the audit modal must be rejected with the group ownership policy message
    and leave the browser on the group page.
    """
    expires = datetime.utcnow() + timedelta(1)
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "audited-team", role="owner")
        setup.create_permission("audited", audited=True)
        setup.grant_permission_to_group("audited", "", "audited-team")
        setup.add_user_to_group("*****@*****.**", "auditors")
        setup.add_user_to_group("*****@*****.**", "auditors", role="owner")
        setup.grant_permission_to_group(AUDIT_VIEWER, "", "auditors")
        setup.grant_permission_to_group(AUDIT_MANAGER, "", "auditors")
        setup.grant_permission_to_group(PERMISSION_AUDITOR, "", "auditors")
        setup.add_user_to_group("*****@*****.**", "audited-team", role="owner", expiration=expires)

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/audits/create"))
        audits_form = AuditsCreatePage(browser)
        audits_form.set_end_date(expires.strftime("%m/%d/%Y"))
        audits_form.submit()

        browser.get(url(base_url, "/groups/audited-team"))
        team_view = GroupViewPage(browser)
        audit = team_view.get_audit_modal()
        audit.find_member_row("*****@*****.**").set_audit_status("remove")
        audit.confirm()

        assert team_view.current_url.endswith("/groups/audited-team")
        assert team_view.has_alert(group_ownership_policy.EXCEPTION_MESSAGE)
def test_list_pagination(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Test pagination of the permissions list via explicit limit/offset query parameters.

    The page controls are not exercised because the test data does not create more than 100
    permissions; instead the URL is forced to specific values and the visible rows are
    compared with the sorted expected tuples.
    """
    created = create_test_data(setup)
    settings = FrontendSettings()
    settings.update_from_config(src_path("config", "dev.yaml"))
    expected = sorted(
        (p.name, p.description, format_date(settings, p.created_on)) for p in created
    )

    def visible_rows(listing):
        return [(row.name, row.description, row.created_on) for row in listing.permission_rows]

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/permissions?limit=1&offset=1"))
        listing = PermissionsPage(browser)
        assert visible_rows(listing) == expected[1:2]
        assert listing.limit_label == "Limit: 1"

        # Fetch the tail with a limit larger than the remaining rows to confirm the limit is
        # not capped to the number of returned items.
        browser.get(url(base_url, "/permissions?limit=10&offset=2"))
        listing = PermissionsPage(browser)
        assert visible_rows(listing) == expected[2:]
        assert listing.limit_label == "Limit: 10"
def test_view_change_audited(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """An audit manager can toggle auditing on a permission from its view page.

    Enabling auditing through the modal should show the audited warning and swap the enable
    button for a disable button; disabling it again restores the initial state. The disable
    permission button must not be offered to this user at any point.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "audit-managers")
        setup.grant_permission_to_group(AUDIT_MANAGER, "", "audit-managers")
        setup.create_permission("some-permission", "Some permission")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/permissions/some-permission"))
        view = PermissionViewPage(browser)
        assert not view.has_disable_permission_button
        assert not view.has_audited_warning
        assert view.has_enable_auditing_button

        # Turn auditing on.
        view.click_enable_auditing_button()
        view.get_enable_auditing_modal().confirm()
        assert view.subheading == "some-permission"
        assert view.has_audited_warning
        assert not view.has_enable_auditing_button
        assert view.has_disable_auditing_button

        # Turn it back off.
        view.click_disable_auditing_button()
        view.get_disable_auditing_modal().confirm()
        assert view.subheading == "some-permission"
        assert not view.has_audited_warning
        assert view.has_enable_auditing_button
        assert not view.has_disable_auditing_button
def test_service_account_edit(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Editing a service account validates the machine set and then saves the new values.

    A machine set containing "bad-machine" is rejected with a machine_set alert; a valid one
    is accepted and the view page shows the new description and machine set.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    account_path = "/groups/some-group/service/[email protected]"

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, account_path))
        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        assert account_view.description == ""
        assert account_view.machine_set == ""

        account_view.click_edit_button()
        edit_form = ServiceAccountEditPage(browser)
        edit_form.set_description("some description")

        # Invalid machine set first: the form must come back with an error.
        edit_form.set_machine_set("some machines bad-machine")
        edit_form.submit()
        assert edit_form.has_alert("machine_set")
        assert edit_form.has_alert("[email protected] has invalid machine set")

        # Then a valid one, which should redirect back to the view page.
        edit_form.set_machine_set("some machines")
        edit_form.submit()
        assert browser.current_url.endswith(account_path)
        assert account_view.description == "some description"
        assert account_view.machine_set == "some machines"
def test_list_groups(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """The groups listing shows name, link, description and join policy for each group.

    Three groups with different join policies are created; each row's can_join column must
    render the policy as "Anyone", "Must Ask" or "Nobody".
    """
    with setup.transaction():
        setup.create_group("one-group", "Some group", GroupJoinPolicy.CAN_JOIN)
        setup.create_group("another-group", "Another group", GroupJoinPolicy.CAN_ASK)
        setup.create_group("private", join_policy=GroupJoinPolicy.NOBODY)

    # (name, description, rendered join policy) in the order they are checked.
    expected_rows = [
        ("one-group", "Some group", "Anyone"),
        ("another-group", "Another group", "Must Ask"),
        ("private", "", "Nobody"),
    ]

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups"))
        listing = GroupsViewPage(browser)
        for name, description, can_join in expected_rows:
            row = listing.find_group_row(name)
            assert row.name == name
            assert row.href == url(base_url, "/groups/" + name)
            assert row.description == description
            assert row.can_join == can_join
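def test_group_create(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Creating a group from the groups page modal, with an invalid name first.

    A name containing "@" is rejected: the modal submission falls through to the dedicated
    group creation page with the form pre-filled and an alert explaining the rejection.
    Fixing the name there creates the group, and the creating user is listed as owner.
    """
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups"))

        # Submit an invalid name (doubling as a test that "@" in group names is rejected).
        listing = GroupsViewPage(browser)
        listing.click_create_group_button()
        create_modal = listing.get_create_group_modal()
        create_modal.set_group_name("test-group@something")
        create_modal.set_description("some description")
        create_modal.confirm()

        # The original called has_alert() without asserting on it, so the rejection message
        # was never actually checked.
        create_form = GroupCreatePage(browser)
        assert create_form.has_alert("Group names cannot contain @")
        create_form.set_group_name("test-group")
        create_form.submit()

        group_view = GroupViewPage(browser)
        assert group_view.subheading == "test-group"
        owner_row = group_view.find_member_row("*****@*****.**")
        assert owner_row.role == "owner"
        assert owner_row.href.endswith("/users/[email protected]")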
def test_permission_grant_revoke(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Grant a permission to a service account through the UI and revoke it again.

    The owning group holds some-permission with argument "foo", so the same argument can be
    granted to the account; the view page must then show exactly that row, and confirming
    the revoke modal must empty the list.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/some-group/service/[email protected]"))
        account_view = ServiceAccountViewPage(browser)
        assert account_view.permission_rows == []

        account_view.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        account_view = ServiceAccountViewPage(browser)
        granted = account_view.permission_rows
        assert len(granted) == 1
        assert granted[0].permission == "some-permission"
        assert granted[0].argument == "foo"

        granted[0].click_revoke_button()
        account_view.get_revoke_permission_modal().confirm()
        assert account_view.permission_rows == []
def test_show_group(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """The group view page lists members with roles and permissions with arguments.

    Checks the owner and member rows link to their user pages, the single ssh grant shows
    argument "*", and the two team-sre grants ("foo" and "bar") both link to the permission.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "team-sre", role="owner")
        setup.add_user_to_group("*****@*****.**", "team-sre")
        setup.grant_permission_to_group("ssh", "*", "team-sre")
        setup.grant_permission_to_group("team-sre", "foo", "team-sre")
        setup.grant_permission_to_group("team-sre", "bar", "team-sre")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/team-sre"))
        team_view = GroupViewPage(browser)

        owner = team_view.find_member_row("*****@*****.**")
        assert owner.role == "owner"
        assert owner.href.endswith("/users/[email protected]")

        member = team_view.find_member_row("*****@*****.**")
        assert member.role == "member"
        assert member.href.endswith("/users/[email protected]")

        ssh_grants = team_view.find_permission_rows("ssh")
        assert len(ssh_grants) == 1
        assert ssh_grants[0].argument == "*"
        assert ssh_grants[0].href.endswith("/permissions/ssh")

        team_grants = team_view.find_permission_rows("team-sre")
        assert all(g.href.endswith("/permissions/team-sre") for g in team_grants)
        assert sorted(g.argument for g in team_grants) == ["bar", "foo"]
def test_permission_grant_revoke(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Grant and then revoke a service account permission, checking the owner stays shown.

    Unlike the variant that re-creates the page object after the grant, this one keeps a
    single ServiceAccountViewPage and re-reads its owner and permission rows after each step.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/some-group/service/[email protected]"))
        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        assert account_view.permission_rows == []

        # Grant.
        account_view.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        assert account_view.owner == "some-group"
        granted = account_view.permission_rows
        assert len(granted) == 1
        assert granted[0].permission == "some-permission"
        assert granted[0].argument == "foo"

        # Revoke.
        granted[0].click_revoke_button()
        account_view.get_revoke_permission_modal().confirm()
        assert account_view.owner == "some-group"
        assert account_view.permission_rows == []
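def test_referrer_policy(tmpdir, setup):
    # type: (LocalPath, SetupTest) -> None
    """Check that the front page is served with a same-origin Referrer-Policy header.

    Fetches / directly with urlopen (no browser needed) and inspects the response headers.
    The response is closed explicitly; the original left the connection open.
    """
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        response = urlopen(url(frontend_url, "/"))
        try:
            assert response.getcode() == 200
            headers = response.info()
        finally:
            # Release the connection even if the status assertion fails.
            response.close()
        assert str(headers["Referrer-Policy"]) == "same-origin"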
def test_view_change_audited(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Toggle auditing on a permission as an audit manager and check the page state.

    Three states are checked: initial (not audited, enable button shown), after enabling
    (warning shown, disable button shown), and after disabling (back to initial). The disable
    permission button must never appear for this user.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "audit-managers")
        setup.grant_permission_to_group(AUDIT_MANAGER, "", "audit-managers")
        setup.create_permission("some-permission", "Some permission")

    def assert_not_audited(view):
        assert not view.has_audited_warning
        assert view.has_enable_auditing_button

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/permissions/some-permission"))
        view = PermissionViewPage(browser)
        assert not view.has_disable_permission_button
        assert_not_audited(view)

        view.click_enable_auditing_button()
        view.get_enable_auditing_modal().confirm()
        assert view.subheading == "some-permission"
        assert view.has_audited_warning
        assert not view.has_enable_auditing_button
        assert view.has_disable_auditing_button

        view.click_disable_auditing_button()
        view.get_disable_auditing_modal().confirm()
        assert view.subheading == "some-permission"
        assert_not_audited(view)
        assert not view.has_disable_auditing_button
def test_request_options(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """The join form's member options exclude a requester who already has a pending request.

    Initially the options are the user and the group they own. After submitting a request,
    the user option becomes blank, an "already a member" notice is shown, and submitting
    again without choosing a value leaves the browser on the join page.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", role="owner")
        setup.create_group("other-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        join_url = url(base_url, "/groups/other-group/join")
        browser.get(join_url)
        join_form = GroupJoinPage(browser)

        def option_values():
            return [option.get_attribute("value") for option in join_form.get_member_options()]

        assert option_values() == ["User: [email protected]", "Group: some-group"]
        join_form.set_reason("Testing")
        join_form.submit()

        # With a pending request the user option is blank and a notice is shown.
        browser.get(join_url)
        assert option_values() == ["", "Group: some-group"]
        notices = join_form.get_alerts()
        assert len(notices) == 1
        assert "already a member" in notices[0].text

        # Submitting without selecting a value must fail and stay on the form.
        join_form.set_reason("Testing")
        join_form.submit()
        assert join_form.current_url == join_url
def test_list_pagination(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Test pagination of the permissions list via explicit limit/offset query parameters.

    The page controls are not used because the test data does not create more than 100
    permissions; the URL is forced to specific values and the visible rows are compared with
    slices of the sorted expected tuples.
    """
    created = create_test_data(setup)
    settings = FrontendSettings()
    settings.update_from_config(src_path("config", "dev.yaml"))
    expected = sorted(
        (p.name, p.description, format_date(settings, p.created_on)) for p in created
    )

    def visible_rows(listing):
        return [(row.name, row.description, row.created_on) for row in listing.permission_rows]

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/permissions?limit=1&offset=1"))
        listing = PermissionsPage(browser)
        assert visible_rows(listing) == expected[1:2]
        assert listing.limit_label == "Limit: 1"

        # A limit larger than the remaining rows must still be reported as the limit, not
        # capped to the number of items returned.
        browser.get(url(base_url, "/permissions?limit=10&offset=2"))
        listing = PermissionsPage(browser)
        assert visible_rows(listing) == expected[2:]
        assert listing.limit_label == "Limit: 10"
def test_service_account_lifecycle(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Create, disable and re-enable a service account through the frontend.

    Creation is attempted with an invalid machine set and then an invalid name before
    succeeding; the account is then disabled from its view page, located via the users list
    (with disabled users and service accounts shown), and re-enabled under a different owner.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "user-admins")
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group(USER_ADMIN, "", "user-admins")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/user-admins"))
        GroupViewPage(browser).click_add_service_account_button()

        # Invalid machine set.
        create_form = ServiceAccountCreatePage(browser)
        create_form.set_name("my-special-service-account")
        create_form.set_description("some description")
        create_form.set_machine_set("some machines bad-machine")
        create_form.submit()
        assert create_form.has_alert("machine_set")
        assert create_form.has_alert("[email protected] has invalid machine set")

        # Valid machine set, invalid name.
        create_form.set_name("service@service@service")
        create_form.set_machine_set("some machines")
        create_form.submit()
        assert create_form.has_alert("name")

        # Valid name: creation succeeds.
        create_form.set_name("my-special-service-account")
        create_form.submit()
        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "user-admins"
        assert account_view.description == "some description"
        assert account_view.machine_set == "some machines"

        # Disable it.
        account_view.click_disable_button()
        account_view.get_disable_modal().confirm()

        # Find it again in the users list and re-enable it under some-group.
        browser.get(url(base_url, "/users"))
        users_listing = UsersViewPage(browser)
        users_listing.click_show_disabled_users_button()
        users_listing.click_show_service_accounts_button()
        users_listing.find_user_row("[email protected] (service)").click()

        ServiceAccountViewPage(browser).click_enable_button()
        enable_form = ServiceAccountEnablePage(browser)
        enable_form.select_owner("Group: some-group")
        enable_form.submit()
        assert ServiceAccountViewPage(browser).owner == "some-group"
def test_invalid_user(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A request for a user the frontend does not accept is answered with a 403 error page.

    The error page's content must name the offending user with "does not match".
    """
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/"))
        error = ErrorPage(browser)
        assert (error.heading, error.subheading) == ("Error", "403 Forbidden")
        assert "[email protected] does not match" in error.content
def test_grant_permission(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Grant a permission to groups from the group view page, including whitespace handling.

    The first grant uses a plain argument. The second uses an argument with surrounding and
    internal whitespace; the rendered row is checked loosely (the browser may normalize
    whitespace) and the stored grant is then read back from the repository to confirm the
    argument was stripped.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group(PERMISSION_GRANT, "some-permission", "some-group")
        setup.create_permission("some-permission")
        setup.create_group("other-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/groups/some-group"))
        group_view = GroupViewPage(browser)
        assert group_view.find_permission_rows("some-permission") == []

        group_view.click_add_permission_button()
        grant_form = PermissionGrantPage(browser)
        grant_form.set_permission("some-permission")
        grant_form.set_argument("foo")
        grant_form.submit()
        granted = group_view.find_permission_rows("some-permission")
        assert len(granted) == 1
        assert granted[0].argument == "foo"

        # Same flow on other-group with a whitespace-laden argument.
        browser.get(url(base_url, "/groups/other-group"))
        assert group_view.find_permission_rows("some-permission") == []
        group_view.click_add_permission_button()
        grant_form.set_permission("some-permission")
        grant_form.set_argument(" arg u ment ")
        grant_form.submit()
        granted = group_view.find_permission_rows("some-permission")
        assert len(granted) == 1
        # The browser messes with whitespace, so accept either rendering.
        assert granted[0].argument in ("arg u ment", "arg u ment")

    # Verify the stripped argument directly in the database. The session is reopened because
    # SQLite does not always see changes written by the frontend otherwise.
    setup.reopen_database()
    grant_repository = setup.sql_repository_factory.create_permission_grant_repository()
    stored = grant_repository.permission_grants_for_group("other-group")
    expected_grant = GroupPermissionGrant(
        group="other-group",
        permission="some-permission",
        argument="arg u ment",
        granted_on=ANY,
        is_alias=False,
        grant_id=ANY,
    )
    assert stored == [expected_grant]
def test_view(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """The permission view page renders grants, warnings and buttons for each permission kind.

    Covers a normal permission with two group grants, an audited permission with only a
    service account grant, and a disabled permission. The user has no audit or disable
    rights, so none of those buttons may appear.
    """
    with setup.transaction():
        setup.create_permission("audited-permission", "", audited=True)
        setup.create_permission("some-permission", "Some permission")
        setup.create_permission("disabled-permission", "", enabled=False)
        setup.grant_permission_to_group("some-permission", "", "another-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "owner-group")
        setup.grant_permission_to_service_account(
            "audited-permission", "argument", "*****@*****.**"
        )

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        # Normal permission: group grants tab.
        browser.get(url(base_url, "/permissions/some-permission/groups"))
        view = PermissionViewPage(browser)
        assert view.subheading == "some-permission 2 grant(s)"
        assert view.description == "Some permission"
        assert not view.has_disable_permission_button
        assert not view.has_disable_auditing_button
        assert not view.has_enable_auditing_button
        assert not view.has_audited_warning
        assert not view.has_disabled_warning
        group_grants = [(row.group, row.argument) for row in view.group_permission_grant_rows]
        assert group_grants == [("another-group", "(unargumented)"), ("some-group", "foo")]

        # Normal permission: service account grants tab (none).
        browser.get(url(base_url, "/permissions/some-permission/service_accounts"))
        view = PermissionViewPage(browser)
        assert view.has_no_service_account_grants

        # Audited permission: group grants tab (none) with the audited warning.
        browser.get(url(base_url, "/permissions/audited-permission/groups"))
        view = PermissionViewPage(browser)
        assert view.subheading == "audited-permission 0 grant(s)"
        assert not view.description
        assert view.has_audited_warning
        assert not view.has_disable_auditing_button
        assert not view.has_enable_auditing_button
        assert view.has_no_group_grants

        # Audited permission: the one service account grant.
        browser.get(url(base_url, "/permissions/audited-permission/service_accounts"))
        view = PermissionViewPage(browser)
        account_grants = [
            (row.service_account, row.argument)
            for row in view.service_account_permission_grant_rows
        ]
        assert account_grants == [("*****@*****.**", "argument")]

        # Disabled permission.
        browser.get(url(base_url, "/permissions/disabled-permission"))
        view = PermissionViewPage(browser)
        assert view.subheading == "disabled-permission"
        assert not view.has_disable_permission_button
        assert view.has_disabled_warning
def test_service_account(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A service account must not be able to use the frontend; it gets a 403 error page.

    The error content must identify the account with "is a service account".
    """
    with setup.transaction():
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/"))
        error = ErrorPage(browser)
        assert (error.heading, error.subheading) == ("Error", "403 Forbidden")
        assert "[email protected] is a service account" in error.content
def test_no_requests(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """The requests page shows the "no requests" row when every request has been actioned.

    create_permission_requests and action_permission_requests leave nothing pending, so the
    pending/"Requested by me" filter must render no request or status change rows.
    """
    create_permission_requests(setup)
    action_permission_requests(setup)

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        pending_filter = "/permissions/requests?status=pending&direction=Requested+by+me"
        browser.get(url(base_url, pending_filter))
        requests_view = PermissionRequestsPage(browser)
        assert requests_view.no_requests_row is not None
        assert len(requests_view.request_rows) == 0
        assert len(requests_view.status_change_rows) == 0
def test_list_create_button(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """The Create Permission button appears only once the user holds PERMISSION_CREATE.

    The permission is granted while the frontend is running and the listing is reloaded with
    refresh=yes so the new grant is picked up.
    """
    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        browser.get(url(base_url, "/permissions"))
        listing = PermissionsPage(browser)
        assert not listing.has_create_permission_button

        with setup.transaction():
            setup.grant_permission_to_group(PERMISSION_CREATE, "*", "admins")
            setup.add_user_to_group("*****@*****.**", "admins")

        browser.get(url(base_url, "/permissions?refresh=yes"))
        assert listing.has_create_permission_button
def test_escaped_at_sign(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """A service account URL with a percent-encoded "@" (%40) resolves to the account page."""
    with setup.transaction():
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as base_url:
        encoded_path = "/groups/some-group/service/service%40svc.localhost"
        browser.get(url(base_url, encoded_path))
        account_view = ServiceAccountViewPage(browser)
        assert account_view.subheading == "Service Account: [email protected]"
        assert account_view.owner == "some-group"
def test_disable_must_be_owner(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """A plain member of a group must not be offered the "disable" action.

    ``some-group`` gets one owner and one ordinary member; the page is then
    viewed as a user who is not the owner.  Attempting to click the disable
    button must fail with ``NoSuchElementException`` because the control is
    not rendered for non-owners.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", role="owner")
        setup.add_user_to_group("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups/some-group"))
        group_page = GroupViewPage(browser)

        # The button must be absent, not merely disabled.
        with pytest.raises(NoSuchElementException):
            group_page.click_disable_button()
def test_leave_as_last_owner(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """The sole owner of a group is not offered a "leave" button.

    The group has exactly one owner plus a manager.  Viewing the group page
    and trying to click "leave" must raise ``NoSuchElementException`` — the
    UI does not expose the action that would leave the group ownerless.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", role="owner")
        setup.add_user_to_group("*****@*****.**", "some-group", role="manager")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups/some-group"))
        group_page = GroupViewPage(browser)

        with pytest.raises(NoSuchElementException):
            group_page.click_leave_button()
def test_search_escaping(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """User-supplied search text is HTML-escaped when reflected on the results page.

    The query contains a closing quote and a ``<marquee>`` tag.  If the
    results page reflected it unescaped, the browser would create a real
    ``marquee`` element; the test asserts that looking one up raises
    ``NoSuchElementException``, i.e. the markup was rendered as text.
    """
    reflected_markup = 'SEARCH"><marquee>foo</marquee>'

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/"))

        home_page = UserViewPage(browser)
        home_page.search_input.send_keys(reflected_markup)
        home_page.click_search_button()

        results_page = SearchResultsPage(browser)
        # A live element here would mean the search term was injected into the DOM.
        with pytest.raises(NoSuchElementException):
            results_page.find_element_by_tag_name("marquee")
def test_disabled_user(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A disabled user is refused with a 403 error page.

    The user is created, the session is flushed, and the user is then
    disabled inside the same transaction.  Loading the root page must produce
    the error page with a 403 subheading and a message stating the account is
    not active.
    """
    with setup.transaction():
        setup.create_user("*****@*****.**")
        # Flush so the freshly created row is visible to disable_user below
        # (presumably it looks the user up by name — verify in SetupTest).
        setup.session.flush()
        setup.disable_user("*****@*****.**")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/"))

        error_page = ErrorPage(browser)
        assert error_page.heading == "Error"
        assert error_page.subheading == "403 Forbidden"
        assert "[email protected] is not an active account" in error_page.content
def test_request_join_unicode(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """A join request whose reason is non-ASCII text is accepted.

    The reason is Cyrillic; after submitting, the browser must have been
    redirected to the group page with ``refresh=yes``, which is how a
    successful join is signalled in the other group tests here.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", "owner")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups/some-group/join"))

        join_page = GroupJoinPage(browser)
        join_page.set_reason("защото причини")
        join_page.submit()

        assert browser.current_url.endswith("/groups/some-group?refresh=yes")
def test_disable(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """An owner can disable a group through the confirmation modal.

    With the viewing user as owner of ``some-group``, clicking "disable" and
    confirming the modal must change the subheading to mark the group as
    disabled.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group", role="owner")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups/some-group"))
        group_page = GroupViewPage(browser)

        group_page.click_disable_button()
        confirm_modal = group_page.get_disable_modal()
        confirm_modal.confirm()

        assert group_page.subheading == "some-group (disabled)"
def test_view(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """The permission view page renders grants, warnings and admin controls correctly.

    Three permissions are checked in turn, viewed by a user with no admin
    grants:

    * ``some-permission`` — plain permission with two group grants; no
      disable/auditing buttons and no warnings, no service-account grants.
    * ``audited-permission`` — audited, with one service-account grant; shows
      the audited warning and no group grants.
    * ``disabled-permission`` — shows the disabled warning and no disable
      button.
    """
    with setup.transaction():
        setup.create_permission("audited-permission", "", audited=True)
        setup.create_permission("some-permission", "Some permission")
        setup.create_permission("disabled-permission", "", enabled=False)
        setup.grant_permission_to_group("some-permission", "", "another-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "owner-group")
        setup.grant_permission_to_service_account(
            "audited-permission", "argument", "*****@*****.**"
        )

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        # --- plain permission with group grants -------------------------
        browser.get(url(frontend_url, "/permissions/some-permission"))
        view_page = PermissionViewPage(browser)

        assert view_page.subheading == "some-permission"
        assert view_page.description == "Some permission"
        # A non-admin viewer gets none of the management controls.
        assert not view_page.has_disable_permission_button
        assert not view_page.has_disable_auditing_button
        assert not view_page.has_enable_auditing_button
        assert not view_page.has_audited_warning
        assert not view_page.has_disabled_warning

        group_grants = [
            (row.group, row.argument) for row in view_page.group_permission_grant_rows
        ]
        # An empty argument is displayed as "(unargumented)".
        assert group_grants == [("another-group", "(unargumented)"), ("some-group", "foo")]
        assert view_page.has_no_service_account_grants

        # --- audited permission with a service-account grant -------------
        browser.get(url(frontend_url, "/permissions/audited-permission"))
        view_page = PermissionViewPage(browser)

        assert view_page.subheading == "audited-permission"
        assert not view_page.description
        assert view_page.has_audited_warning
        assert not view_page.has_disable_auditing_button
        assert not view_page.has_enable_auditing_button
        assert view_page.has_no_group_grants

        service_grants = [
            (row.service_account, row.argument)
            for row in view_page.service_account_permission_grant_rows
        ]
        assert service_grants == [("*****@*****.**", "argument")]

        # --- disabled permission -----------------------------------------
        browser.get(url(frontend_url, "/permissions/disabled-permission"))
        view_page = PermissionViewPage(browser)

        assert view_page.subheading == "disabled-permission"
        assert not view_page.has_disable_permission_button
        assert view_page.has_disabled_warning
def test_limited_arguments(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A permission whose argument is a fixed option list can be requested via the form.

    The request page is opened pre-selected for ``sample.permission``; the
    group and the ``Option A`` argument are chosen from select controls rather
    than typed, a reason is filled in, and the submission must land on the
    first request's page (``/permissions/requests/1``).  Where the option list
    for ``sample.permission`` comes from is not visible here — presumably the
    frontend's configured argument restrictions.
    """
    with setup.transaction():
        setup.create_permission("sample.permission")
        setup.create_group("grouper-administrators")
        setup.add_user_to_group("*****@*****.**", "grouper-administrators")
        setup.add_user_to_group("*****@*****.**", "test-group")

    request_path = "/permissions/request?permission=sample.permission"

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, request_path))

        request_page = PermissionRequestPage(browser)
        request_page.set_select_value("group_name", "test-group")
        request_page.set_select_value("argument", "Option A")
        request_page.fill_field("reason", "Some testing reason")
        request_page.submit_request()

        assert browser.current_url.endswith("/permissions/requests/1")
def test_view_disable_with_grants(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Disabling a permission that is still granted is refused with an alert.

    The viewer is a permission admin (``PERMISSION_ADMIN`` via
    ``administrators``), so the disable button is present.  Because
    ``some-permission`` is still granted to ``some-group``, confirming the
    modal must produce an alert explaining the refusal, leave the permission
    enabled, and keep the disable button available.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "administrators")
        setup.grant_permission_to_group(PERMISSION_ADMIN, "", "administrators")
        setup.grant_permission_to_group("some-permission", "argument", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/permissions/some-permission"))
        view_page = PermissionViewPage(browser)
        assert view_page.has_disable_permission_button

        view_page.click_disable_permission_button()
        confirm_modal = view_page.get_disable_permission_modal()
        confirm_modal.confirm()

        # The server must reject the change, not silently orphan the grant.
        assert view_page.has_alert("cannot be disabled while it is still granted")
        assert not view_page.has_disabled_warning
        assert view_page.has_disable_permission_button
def test_view_disable(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A permission admin can disable an ungranted permission.

    With ``PERMISSION_ADMIN`` granted to the viewer's group and no grants of
    ``some-permission`` outstanding, confirming the disable modal must show
    the disabled warning and remove the disable button.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "administrators")
        setup.grant_permission_to_group(PERMISSION_ADMIN, "", "administrators")
        setup.create_permission("some-permission", "Some permission")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/permissions/some-permission"))
        view_page = PermissionViewPage(browser)
        assert view_page.has_disable_permission_button

        view_page.click_disable_permission_button()
        confirm_modal = view_page.get_disable_permission_modal()
        confirm_modal.confirm()

        assert view_page.subheading == "some-permission"
        assert view_page.has_disabled_warning
        assert not view_page.has_disable_permission_button
def test_list(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """The permission list page filters, sorts and labels its rows correctly.

    ``create_test_data`` (defined elsewhere in this module) seeds permissions;
    their creation dates are formatted with the same ``FrontendSettings``
    loaded from ``config/dev.yaml`` that the page presumably uses, so the
    expected and rendered date strings agree.  The test checks, in order:
    the default list (sorted by name), the audited-only filter, sort by
    date descending, and the reversed date sort.
    """
    permissions = create_test_data(setup)

    settings = FrontendSettings()
    settings.update_from_config(src_path("config", "dev.yaml"))

    def as_row(perm):
        # Shape each seeded permission like a rendered table row.
        return (perm.name, perm.description, format_date(settings, perm.created_on))

    expected_permissions = [as_row(perm) for perm in permissions]

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/permissions"))
        list_page = PermissionsPage(browser)

        def rendered_rows():
            # Snapshot of what the table currently shows.
            return [(row.name, row.description, row.created_on) for row in list_page.permission_rows]

        # Default view: every permission, sorted.
        assert rendered_rows() == sorted(expected_permissions)
        assert list_page.heading == "Permissions"
        assert list_page.subheading == "{} permission(s)".format(len(expected_permissions))
        assert list_page.limit_label == "Limit: 100"

        # Audited-only filter.
        list_page.click_show_audited_button()
        audited_only = [row for row in expected_permissions if row[0] == "audited-permission"]
        assert rendered_rows() == sorted(audited_only)
        assert list_page.heading == "Audited Permissions"
        assert list_page.subheading == "{} permission(s)".format(len(audited_only))

        # Back to all permissions, newest first.
        list_page.click_show_all_button()
        list_page.click_sort_by_date()
        newest_first = [
            as_row(perm) for perm in sorted(permissions, key=lambda perm: perm.created_on, reverse=True)
        ]
        assert rendered_rows() == newest_first

        # Clicking the date header again flips the order.
        list_page.click_sort_by_date()
        assert rendered_rows() == list(reversed(newest_first))
def test_create_permission(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """A user with PERMISSION_CREATE grants can create a permission matching a pattern.

    The viewer's group holds ``PERMISSION_CREATE`` for ``foo.*`` and
    ``bar.baz``.  The create page must list exactly those two allowed
    patterns (sorted), and creating ``foo.bar`` must land on its view page
    with the name and description as entered.
    """
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group(PERMISSION_CREATE, "foo.*", "some-group")
        setup.grant_permission_to_group(PERMISSION_CREATE, "bar.baz", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/permissions"))
        list_page = PermissionsPage(browser)
        list_page.click_create_permission_button()

        create_page = PermissionCreatePage(browser)
        # The form only offers the patterns this user is actually allowed to use.
        assert create_page.allowed_patterns == ["bar.baz", "foo.*"]

        create_page.set_name("foo.bar")
        create_page.set_description("testing")
        create_page.form.submit()

        view_page = PermissionViewPage(browser)
        assert view_page.subheading == "foo.bar"
        assert view_page.description == "testing"
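def test_search(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Global search returns matching groups, permissions and users.

    One group, one permission and one user whose names contain ``some`` are
    created; searching for ``some`` from the home page must return exactly
    those three results, one per type.  Results are compared sorted so the
    page's own ordering is not part of the contract.
    """
    with setup.transaction():
        setup.create_group("group-some")
        setup.create_permission("awesome-permission")
        setup.create_user("*****@*****.**")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/"))

        home_page = UserViewPage(browser)
        home_page.search_input.send_keys("some")
        home_page.click_search_button()

        results_page = SearchResultsPage(browser)
        # NOTE: a leftover debug print of the full page source was removed here;
        # on failure the assertion diff is enough, and dumping HTML to stdout on
        # every run only drowns the test log.
        results = [(row.type, row.name) for row in results_page.result_rows]
        assert sorted(results) == [
            ("Group", "group-some"),
            ("Permission", "awesome-permission"),
            ("User", "*****@*****.**"),
        ]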
def test_list_audited_groups(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """The "show audited" filter lists directly and transitively audited groups only.

    ``audited-group`` holds an audited permission directly; ``child-audited``
    is a member of ``audited-group`` and so inherits audited status;
    ``one-group`` is unrelated.  The unfiltered list shows all three; after
    switching to the audited view the two audited groups remain with their
    reason ("Direct" / "Inherited") and ``one-group`` is gone.
    """
    with setup.transaction():
        setup.create_group("one-group", "Some group")
        setup.create_group("audited-group", "Another group")
        setup.create_permission("audited", "", audited=True)
        setup.grant_permission_to_group("audited", "", "audited-group")
        setup.add_group_to_group("child-audited", "audited-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups"))
        groups_page = GroupsViewPage(browser)

        # Unfiltered: everything is listed.
        for group_name in ("one-group", "audited-group", "child-audited"):
            assert groups_page.find_group_row(group_name)

        groups_page.click_show_audited_button()

        direct_row = groups_page.find_group_row("audited-group")
        assert direct_row.audited_reason == "Direct"
        inherited_row = groups_page.find_group_row("child-audited")
        assert inherited_row.audited_reason == "Inherited"

        # The non-audited group must have been filtered out.
        with pytest.raises(NoSuchElementException):
            groups_page.find_group_row("one-group")
def test_requesting_permission(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """End-to-end permission request from the permission page to the pending request view.

    ``dev-infra`` is granted ``grouper.permission.grant`` for ``git.repo.read``
    so there is a group able to approve; the requesting user belongs to
    ``front-end``.  Starting from the permission page, the "request" button
    leads to the form, whose group selector offers only the user's own group
    (plus the empty choice) and whose permission selector is fixed to
    ``git.repo.read``.  Submitting must create request #1 and show it as
    pending with the entered group, argument and reason.
    """
    with setup.transaction():
        setup.create_group("dev-infra")
        setup.create_group("front-end")
        setup.create_permission(name="git.repo.read")
        setup.create_user("*****@*****.**")
        setup.add_user_to_group("*****@*****.**", "front-end")
        setup.grant_permission_to_group("grouper.permission.grant", "git.repo.read", "dev-infra")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/permissions/git.repo.read"))

        permission_page = PermissionPage(browser)
        assert permission_page.heading == "Permissions"
        assert permission_page.subheading == "git.repo.read"
        permission_page.button_to_request_this_permission.click()

        request_page = PermissionRequestPage(browser)
        assert request_page.heading == "Permissions"
        assert request_page.subheading == "Request Permission"
        # The form must not let the user request on behalf of groups they are not in.
        assert request_page.get_option_values("group_name") == [u"", u"front-end"]
        assert request_page.get_option_values("permission_name") == [u"git.repo.read"]

        request_page.set_select_value("group_name", "front-end")
        request_page.fill_field("argument", "server")
        request_page.fill_field("reason", "So they can do development")
        request_page.submit_request()

        # Collapse all whitespace so the multi-line layout does not affect matching.
        body_text = " ".join(browser.find_element_by_tag_name("body").text.split())
        assert browser.current_url.endswith("/permissions/requests/1")
        assert "[email protected] pending" in body_text
        expected_summary = (
            "Group: front-end Permission: git.repo.read Argument: server "
            "Reason: So they can do development Waiting for approval"
        )
        assert expected_summary in body_text