def test_inspect_ldap_roles(mocker):
ql = mocker.patch('ldap2pg.manager.SyncManager.query_ldap')
from ldap2pg.manager import SyncManager
from ldap2pg.role import Role
ql.return_value = [('dn', {}, {})]
manager = SyncManager(
ldapconn=mocker.Mock(),
inspector=mocker.Mock(name='inspector'),
)
manager.inspector.roles_blacklist = ['blacklisted']
rule0 = mocker.Mock(name='rule0', all_fields=[])
rule0.generate.return_value = [Role('alice', options=dict(LOGIN=True))]
rule1 = mocker.Mock(name='rule1', all_fields=[])
rule1.generate.return_value = [Role('bob')]
rule2 = mocker.Mock(name='rule2', all_fields=[])
rule2.generate.return_value = [Role('blacklisted')]
# Minimal effective syncmap
syncmap = [
dict(roles=[]),
dict(
ldap=dict(base='ou=users,dc=tld', filter='*', attributes=['cn']),
roles=[rule0, rule1, rule2],
),
]
ldaproles, _ = manager.inspect_ldap(syncmap=syncmap)
assert 'alice' in ldaproles
assert 'bob' in ldaproles
def test_rename():
from ldap2pg.role import Role
a = Role(name='Alan')
queries = [q.args[0] for q in a.rename()]
alter = queries[0]
assert 'RENAME TO' in alter
def test_rename_query():
from ldap2pg.role import Role
a = Role(name='alan')
b = Role(name='Alan')
queries = [q.args[0] for q in a.rename(b)]
assert '"alan" RENAME TO "Alan"' in queries[0]
def test_comment():
from ldap2pg.role import Role
a = Role(name='alan')
b = Role(name='alan', comment='New comment')
queries = [q.args[0] for q in a.alter(b)]
assert 'COMMENT ON ROLE "alan"' in queries[0]
def test_drop():
from ldap2pg.role import Role
role = Role(name='toto', members=['titi'])
queries = [q.args[0] for q in role.drop()]
assert fnfilter(queries, '*REASSIGN OWNED*DROP OWNED BY "toto";*')
assert fnfilter(queries, 'DROP ROLE "toto";')
def test_create():
from ldap2pg.role import Role
role = Role(name='toto', members=['titi'], comment='Mycom')
queries = [q.args[0] for q in role.create()]
assert fnfilter(queries, 'CREATE ROLE "toto" *;')
assert fnfilter(queries, 'GRANT "toto" TO "titi";')
assert fnfilter(queries, '*Mycom*')
def test_role():
from ldap2pg.role import Role
role = Role(name='toto')
assert 'toto' == role.name
assert 'toto' == str(role)
assert 'toto' in repr(role)
roles = sorted([Role('b'), Role('a')])
assert ['a', 'b'] == roles
def test_alter():
from ldap2pg.role import Role
a = Role(name='toto', members=['titi'], options=dict(LOGIN=True))
b = Role(name='toto', members=['tata'], options=dict(LOGIN=False))
queries = [q.args[0] for q in a.alter(a)]
assert not queries
queries = [q.args[0] for q in a.alter(b)]
assert fnfilter(queries, 'ALTER ROLE "toto" *;')
assert fnfilter(queries, 'GRANT "toto" TO "tata";')
assert fnfilter(queries, 'REVOKE "toto" FROM "titi";')
def test_resolve_membership():
from ldap2pg.role import RoleSet, Role
alice = Role('alice')
bob = Role('bob', members=['oscar'])
oscar = Role('oscar', parents=['alice', 'bob'])
roles = RoleSet([alice, bob, oscar])
roles.resolve_membership()
assert not oscar.parents
assert 'oscar' in alice.members
alice.parents = ['unknown']
with pytest.raises(ValueError):
roles.resolve_membership()
def test_merge():
from ldap2pg.role import Role
a = Role(name='daniel', parents=['group0'])
b = Role(name='daniel', parents=['group1'])
c = Role(name='daniel', members=['group2'])
a.merge(b)
assert 2 == len(a.parents)
a.merge(c)
assert 1 == len(a.members)
def test_role():
from ldap2pg.role import Role, RoleOptions
role = Role(name='toto')
assert 'toto' == role.name
assert 'toto' == str(role)
assert 'toto' in repr(role)
roles = sorted([Role('b'), Role('a')])
assert ['a', 'b'] == roles
row = ['name', ('member0', )]
row += [True] * len(RoleOptions.SUPPORTED_COLUMNS)
row += ['Managed by ldap2pg.']
role = Role.from_row(*row)
assert 'Managed by ldap2pg.' == role.comment
def test_grant_object():
from ldap2pg.privilege import Privilege, Grant
from ldap2pg.role import Role
priv = Privilege(name='connect', grant='GRANT {database} TO {role};')
item = Grant(priv.name, dbname='backend', schema=None, role='daniel')
qry = priv.grant(item)
assert 'GRANT "backend"' in qry.args[0]
assert 'daniel' in qry.args[0]
assert 'db' in repr(Grant('p', ['db'], ['schema']))
# Test hash with Role object.
str_h = hash(Grant('priv', ['db'], ['schema'], role=Role(u'rôle')))
obj_h = hash(Grant('priv', ['db'], ['schema'], role=u'rôle'))
assert str_h == obj_h
def test_diff_rename_members():
from ldap2pg.role import Role, RoleSet
pgmanagedroles = RoleSet()
pgallroles = pgmanagedroles.union({
Role('parent', members=['min2mix', 'min2min']),
Role('min2mix'),
Role('min2min'),
})
ldaproles = RoleSet([
Role('parent', members=['Min2Mix', 'min2min']),
Role('Min2Mix'),
Role('min2min'),
])
queries = [q.args[0] for q in pgmanagedroles.diff(ldaproles, pgallroles)]
# Don't modify membership.
assert not fnfilter(queries, '*GRANT*')
assert not fnfilter(queries, '*REVOKE*')
def test_diff():
from ldap2pg.role import Role, RoleSet
pgmanagedroles = RoleSet([
Role('drop-me'),
Role('alter-me', members=['rename-me']),
Role('nothing'),
Role('public'),
Role('rename-me'),
])
pgallroles = pgmanagedroles.union({
Role('reuse-me'),
Role('dont-touch-me'),
})
ldaproles = RoleSet([
Role('reuse-me'),
Role('alter-me', options=dict(LOGIN=True), members=['Rename-Me']),
Role('nothing'),
Role('create-me'),
Role('Rename-Me'),
])
queries = [q.args[0] for q in pgmanagedroles.diff(ldaproles, pgallroles)]
assert fnfilter(queries, 'ALTER ROLE "alter-me" WITH* LOGIN*;')
assert fnfilter(queries, 'CREATE ROLE "create-me" *;')
assert fnfilter(queries, '*DROP ROLE "drop-me";*')
assert not fnfilter(queries, 'CREATE ROLE "reuse-me" *')
assert not fnfilter(queries, '*nothing*')
assert not fnfilter(queries, '*dont-touch-me*')
assert not fnfilter(queries, '*public*')
def test_diff_rename():
from ldap2pg.role import Role, RoleSet
pgmanagedroles = RoleSet([
Role('min2min'),
Role('min2mix'),
Role('min2maj'),
])
pgallroles = pgmanagedroles.union({
Role('Mix2Min'),
Role('Mix2Mix'),
Role('Mix2Maj'),
Role('MAJ2MIN'),
Role('MAJ2MIX'),
Role('MAJ2MAJ'),
})
ldaproles = RoleSet([
Role('min2min'),
Role('Min2Mix'),
Role('MIN2MAJ'),
Role('mix2min'),
Role('Mix2Mix'),
Role('MIX2MAJ'),
Role('maj2min'),
Role('Maj2Mix'),
Role('MAJ2MAJ'),
])
queries = [q.args[0] for q in pgmanagedroles.diff(ldaproles, pgallroles)]
assert fnfilter(queries, '*"MAJ2MIX" RENAME TO "Maj2Mix";')
assert fnfilter(queries, '*"MAJ2MIN" RENAME TO "maj2min";')
assert fnfilter(queries, '*"min2mix" RENAME TO "Min2Mix";')
assert fnfilter(queries, '*"min2maj" RENAME TO "MIN2MAJ";')
assert fnfilter(queries, '*"Mix2Maj" RENAME TO "MIX2MAJ";')
assert fnfilter(queries, '*"Mix2Min" RENAME TO "mix2min";')
assert not fnfilter(queries, '*CREATE ROLE*')
def test_diff_not_rename():
from ldap2pg.role import Role, RoleSet
pgmanagedroles = RoleSet()
pgallroles = pgmanagedroles.union({
Role('ambigue_from'),
Role('AMBIGUE_FROM'),
Role('Ambigue_To'),
Role('bothmin'),
Role('BothMix'),
})
ldaproles = RoleSet([
Role('Ambigue_From'),
Role('ambigue_to'),
Role('AMBIGUE_TO'),
Role('bothmin'),
Role('Bothmin'),
Role('BothMix'),
Role('bothmix'),
])
queries = [q.args[0] for q in pgmanagedroles.diff(ldaproles, pgallroles)]
assert not fnfilter(queries, '* RENAME TO *')
assert fnfilter(queries, '*CREATE ROLE "Ambigue_From"*')
assert fnfilter(queries, '*CREATE ROLE "ambigue_to"*')
assert fnfilter(queries, '*CREATE ROLE "AMBIGUE_TO"*')
def test_merge_options():
from ldap2pg.role import Role
a = Role(name='daniel', options=dict(SUPERUSER=True))
b = Role(name='daniel', options=dict(SUPERUSER=False))
c = Role(name='daniel', options=dict(SUPERUSER=None))
d = Role(name='daniel', options=dict(SUPERUSER=None))
with pytest.raises(ValueError):
a.merge(b)
# True is kept
a.merge(c)
assert a.options['SUPERUSER'] is True
# False is kept
b.merge(c)
assert b.options['SUPERUSER'] is False
# None is kept
c.merge(d)
assert c.options['SUPERUSER'] is None
# None is replaced.
d.merge(a)
assert d.options['SUPERUSER'] is True
def test_flatten():
from ldap2pg.role import RoleSet, Role
roles = RoleSet()
roles.add(Role('parent0', members=['child0', 'child1']))
roles.add(Role('parent1', members=['child2', 'child3']))
roles.add(Role('parent2', members=['child4']))
roles.add(Role('child0', members=['subchild0']))
roles.add(Role('child1', members=['subchild1', 'subchild2']))
roles.add(Role('child2', members=['outer0']))
roles.add(Role('child3'))
roles.add(Role('child4'))
roles.add(Role('subchild0'))
roles.add(Role('subchild1'))
roles.add(Role('subchild2'))
order = list(roles.flatten())
wanted = [
'subchild0',
'child0',
'subchild1',
'subchild2',
'child1',
'child2',
'child3',
'child4',
'parent0',
'parent1',
'parent2',
]
assert wanted == order
