def test_get_pack_resource_file_abs_path(self):
# Mock the packs path to point to the fixtures directory
cfg.CONF.content.packs_base_paths = get_fixtures_base_path()
# Invalid resource type
expected_msg = 'Invalid resource type: fooo'
self.assertRaisesRegexp(ValueError, expected_msg, get_pack_resource_file_abs_path,
pack_name='dummy_pack_1',
resource_type='fooo',
file_path='test.py')
# Invalid paths (directory traversal and absolute paths)
file_paths = ['/tmp/foo.py', '../foo.py', '/etc/passwd', '../../foo.py']
for file_path in file_paths:
expected_msg = 'Invalid file path: .*%s' % (file_path)
self.assertRaisesRegexp(ValueError, expected_msg, get_pack_resource_file_abs_path,
pack_name='dummy_pack_1',
resource_type='action',
file_path=file_path)
# Valid paths
file_paths = ['foo.py', 'a/foo.py', 'a/b/foo.py']
for file_path in file_paths:
expected = os.path.join(get_fixtures_base_path(), 'dummy_pack_1/actions', file_path)
result = get_pack_resource_file_abs_path(pack_name='dummy_pack_1',
resource_type='action',
file_path=file_path)
self.assertEqual(result, expected)
def test_load_role_definitions_duplicate_role_definition(self):
loader = RBACDefinitionsLoader()
# Try to load all the roles from disk where two definitions refer to the same role
file_path1 = os.path.join(get_fixtures_base_path(), 'rbac_invalid/roles/role_three1.yaml')
file_path2 = os.path.join(get_fixtures_base_path(), 'rbac_invalid/roles/role_three2.yaml')
file_paths = [file_path1, file_path2]
loader._get_role_definitions_file_paths = mock.Mock()
loader._get_role_definitions_file_paths.return_value = file_paths
expected_msg = 'Duplicate definition file found for role "role_three_name_conflict"'
self.assertRaisesRegexp(ValueError, expected_msg, loader.load_role_definitions)
def test_load_role_definition_validation_error(self):
loader = RBACDefinitionsLoader()
# Invalid permission which doesn't apply to the resource in question
file_path = os.path.join(get_fixtures_base_path(), "rbac_invalid/roles/role_one.yaml")
expected_msg = 'Invalid permission type "rule_all" for resource type "action"'
self.assertRaisesRegexp(ValueError, expected_msg, loader.load_role_definition_from_file, file_path=file_path)
# Invalid permission type which doesn't exist
file_path = os.path.join(get_fixtures_base_path(), "rbac_invalid/roles/role_two.yaml")
expected_msg = ".*Failed validating 'enum'.*"
self.assertRaisesRegexp(
jsonschema.ValidationError, expected_msg, loader.load_role_definition_from_file, file_path=file_path
)
def test_load_user_role_assignments_duplicate_user_definition(self):
loader = RBACDefinitionsLoader()
# Try to load all the user role assignments from disk where two definitions refer to the
# same user
file_path1 = os.path.join(get_fixtures_base_path(), "rbac_invalid/assignments/user_foo1.yaml")
file_path2 = os.path.join(get_fixtures_base_path(), "rbac_invalid/assignments/user_foo2.yaml")
file_paths = [file_path1, file_path2]
loader._get_role_assiginments_file_paths = mock.Mock()
loader._get_role_assiginments_file_paths.return_value = file_paths
expected_msg = 'Duplicate definition file found for user "userfoo"'
self.assertRaisesRegexp(ValueError, expected_msg, loader.load_user_role_assignments)
def test_register_from_pack_action_metadata_fails_validation(self):
# No fail on failure flag, should succeed
pack_dir = os.path.join(get_fixtures_base_path(), "dummy_pack_4")
cmd = BASE_CMD_ARGS + ["--register-pack=%s" % (pack_dir)]
exit_code, _, stderr = run_command(cmd=cmd)
self.assertTrue("Registered 0 actions." in stderr)
self.assertEqual(exit_code, 0)
# Fail on failure, should fail
pack_dir = os.path.join(get_fixtures_base_path(), "dummy_pack_4")
cmd = BASE_CMD_ARGS + ["--register-pack=%s" % (pack_dir), "--register-fail-on-failure"]
exit_code, _, stderr = run_command(cmd=cmd)
self.assertTrue("object has no attribute 'get'" in stderr)
self.assertEqual(exit_code, 1)
def test_register_from_pack_action_metadata_fails_validation(self):
# No fail on failure flag, should succeed
pack_dir = os.path.join(get_fixtures_base_path(), 'dummy_pack_4')
cmd = BASE_REGISTER_ACTIONS_CMD_ARGS + ['--register-pack=%s' % (pack_dir)]
exit_code, _, stderr = run_command(cmd=cmd)
self.assertTrue('Registered 0 actions.' in stderr)
self.assertEqual(exit_code, 0)
# Fail on failure, should fail
pack_dir = os.path.join(get_fixtures_base_path(), 'dummy_pack_4')
cmd = BASE_REGISTER_ACTIONS_CMD_ARGS + ['--register-pack=%s' % (pack_dir),
'--register-fail-on-failure']
exit_code, _, stderr = run_command(cmd=cmd)
self.assertTrue('object has no attribute \'get\'' in stderr)
self.assertEqual(exit_code, 1)
def test_load_role_definitions_duplicate_role_definition(self):
loader = RBACDefinitionsLoader()
# Try to load all the roles from disk where two definitions refer to the same role
file_path1 = os.path.join(get_fixtures_base_path(),
'rbac_invalid/roles/role_three1.yaml')
file_path2 = os.path.join(get_fixtures_base_path(),
'rbac_invalid/roles/role_three2.yaml')
file_paths = [file_path1, file_path2]
loader._get_role_definitions_file_paths = mock.Mock()
loader._get_role_definitions_file_paths.return_value = file_paths
expected_msg = 'Duplicate definition file found for role "role_three_name_conflict"'
self.assertRaisesRegexp(ValueError, expected_msg,
loader.load_role_definitions)
def test_load_role_definition_success(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(),
'rbac/roles/role_three.yaml')
role_definition_api = loader.load_role_definition_from_file(
file_path=file_path)
self.assertEqual(role_definition_api.name, 'role_three')
self.assertTrue('all the pack permissions on pack dummy_pack_1' in
role_definition_api.description)
self.assertEqual(len(role_definition_api.permission_grants), 4)
self.assertEqual(
role_definition_api.permission_grants[0]['resource_uid'],
'pack:dummy_pack_1')
self.assertEqual(
role_definition_api.permission_grants[1]['resource_uid'],
'pack:dummy_pack_2')
self.assertTrue('rule_view' in role_definition_api.permission_grants[1]
['permission_types'])
self.assertEqual(
role_definition_api.permission_grants[2]['permission_types'],
['action_execute'])
self.assertTrue(
'resource_uid' not in role_definition_api.permission_grants[3])
self.assertEqual(
role_definition_api.permission_grants[3]['permission_types'],
['action_list', 'rule_list'])
def test_register_from_pack_success(self):
pack_dir = os.path.join(get_fixtures_base_path(), 'dummy_pack_1')
cmd = BASE_REGISTER_ACTIONS_CMD_ARGS + ['--register-pack=%s' % (pack_dir)]
exit_code, _, stderr = run_command(cmd=cmd)
self.assertTrue('Registered 1 actions.' in stderr)
self.assertEqual(exit_code, 0)
def test_register_from_pack_success(self):
pack_dir = os.path.join(get_fixtures_base_path(), "dummy_pack_1")
cmd = BASE_CMD_ARGS + ["--register-pack=%s" % (pack_dir)]
exit_code, _, stderr = run_command(cmd=cmd)
self.assertTrue("Registered 1 actions." in stderr)
self.assertEqual(exit_code, 0)
def test_load_role_definition_with_all_global_permission_types(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac/roles/role_seven.yaml')
role_definition_api = loader.load_role_definition_from_file(file_path=file_path)
self.assertEqual(role_definition_api.name, 'role_seven')
def test_load_role_definition_with_all_global_permission_types(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac/roles/role_seven.yaml')
role_definition_api = loader.load_role_definition_from_file(file_path=file_path)
self.assertEqual(role_definition_api.name, 'role_seven')
def test_load_user_role_assignments_duplicate_user_definition(self):
loader = RBACDefinitionsLoader()
# Try to load all the user role assignments from disk where two definitions refer to the
# same user
file_path1 = os.path.join(get_fixtures_base_path(),
'rbac_invalid/assignments/user_foo1.yaml')
file_path2 = os.path.join(get_fixtures_base_path(),
'rbac_invalid/assignments/user_foo2.yaml')
file_paths = [file_path1, file_path2]
loader._get_role_assiginments_file_paths = mock.Mock()
loader._get_role_assiginments_file_paths.return_value = file_paths
expected_msg = 'Duplicate definition file found for user "userfoo"'
self.assertRaisesRegexp(ValueError, expected_msg, loader.load_user_role_assignments)
def test_register_triggers_from_pack(self):
base_path = get_fixtures_base_path()
pack_dir = os.path.join(base_path, 'dummy_pack_1')
trigger_type_dbs = TriggerType.get_all()
self.assertEqual(len(trigger_type_dbs), 0)
count = triggers_registrar.register_triggers(pack_dir=pack_dir)
self.assertEqual(count, 2)
# Verify TriggerTypeDB and corresponding TriggerDB objects have been created
trigger_type_dbs = TriggerType.get_all()
trigger_dbs = Trigger.get_all()
self.assertEqual(len(trigger_type_dbs), 2)
self.assertEqual(len(trigger_dbs), 2)
self.assertEqual(trigger_type_dbs[0].name, 'event_handler')
self.assertEqual(trigger_type_dbs[0].pack, 'dummy_pack_1')
self.assertEqual(trigger_dbs[0].name, 'event_handler')
self.assertEqual(trigger_dbs[0].pack, 'dummy_pack_1')
self.assertEqual(trigger_dbs[0].type, 'dummy_pack_1.event_handler')
self.assertEqual(trigger_type_dbs[1].name, 'head_sha_monitor')
self.assertEqual(trigger_type_dbs[1].pack, 'dummy_pack_1')
self.assertEqual(trigger_type_dbs[1].payload_schema['type'], 'object')
def test_register_from_pack_success(self):
pack_dir = os.path.join(get_fixtures_base_path(), 'dummy_pack_1')
cmd = BASE_CMD_ARGS + ['--register-pack=%s' % (pack_dir)]
exit_code, _, stderr = run_command(cmd=cmd)
self.assertTrue('Registered 1 actions.' in stderr)
self.assertEqual(exit_code, 0)
def test_register_from_pack_action_metadata_fails_validation(self):
# No fail on failure flag, should succeed
pack_dir = os.path.join(get_fixtures_base_path(), 'dummy_pack_4')
cmd = BASE_CMD_ARGS + ['--register-pack=%s' % (pack_dir)]
exit_code, _, stderr = run_command(cmd=cmd)
self.assertTrue('Registered 0 actions.' in stderr)
self.assertEqual(exit_code, 0)
# Fail on failure, should fail
pack_dir = os.path.join(get_fixtures_base_path(), 'dummy_pack_4')
cmd = BASE_CMD_ARGS + [
'--register-pack=%s' % (pack_dir), '--register-fail-on-failure'
]
exit_code, _, stderr = run_command(cmd=cmd)
self.assertTrue('object has no attribute \'get\'' in stderr)
self.assertEqual(exit_code, 1)
def test_register_triggers_from_pack(self):
base_path = get_fixtures_base_path()
pack_dir = os.path.join(base_path, 'dummy_pack_1')
trigger_type_dbs = TriggerType.get_all()
self.assertEqual(len(trigger_type_dbs), 0)
count = triggers_registrar.register_triggers(pack_dir=pack_dir)
self.assertEqual(count, 2)
# Verify TriggerTypeDB and corresponding TriggerDB objects have been created
trigger_type_dbs = TriggerType.get_all()
trigger_dbs = Trigger.get_all()
self.assertEqual(len(trigger_type_dbs), 2)
self.assertEqual(len(trigger_dbs), 2)
self.assertEqual(trigger_type_dbs[0].name, 'event_handler')
self.assertEqual(trigger_type_dbs[0].pack, 'dummy_pack_1')
self.assertEqual(trigger_dbs[0].name, 'event_handler')
self.assertEqual(trigger_dbs[0].pack, 'dummy_pack_1')
self.assertEqual(trigger_dbs[0].type, 'dummy_pack_1.event_handler')
self.assertEqual(trigger_type_dbs[1].name, 'head_sha_monitor')
self.assertEqual(trigger_type_dbs[1].pack, 'dummy_pack_1')
self.assertEqual(trigger_type_dbs[1].payload_schema['type'], 'object')
def _override_common_opts():
packs_base_path = get_fixtures_base_path()
CONF.set_override(name='system_packs_base_path',
override=packs_base_path,
group='content')
CONF.set_override(name='api_url',
override='http://localhost',
group='auth')
def _override_common_opts():
packs_base_path = get_fixtures_base_path()
CONF.set_override(name="system_packs_base_path", override=packs_base_path, group="content")
CONF.set_override(name="api_url", override="http://localhost", group="auth")
CONF.set_override(name="admin_users", override=["admin_user"], group="system")
CONF.set_override(name="mask_secrets", override=True, group="log")
CONF.set_override(name="url", override="zake://", group="coordination")
CONF.set_override(name="lock_timeout", override=1, group="coordination")
def _override_common_opts():
packs_base_path = get_fixtures_base_path()
CONF.set_override(name='system_packs_base_path', override=packs_base_path, group='content')
CONF.set_override(name='api_url', override='http://localhost', group='auth')
CONF.set_override(name='admin_users', override=['admin_user'], group='system')
CONF.set_override(name='mask_secrets', override=True, group='log')
CONF.set_override(name='url', override='zake://', group='coordination')
CONF.set_override(name='lock_timeout', override=1, group='coordination')
def test_load_user_role_assignments_success(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), "rbac/assignments/user3.yaml")
user_role_assignment_api = loader.load_user_role_assignments_from_file(file_path=file_path)
self.assertEqual(user_role_assignment_api.username, "user3")
self.assertEqual(user_role_assignment_api.description, "Observer assignments")
self.assertEqual(user_role_assignment_api.roles, ["observer"])
def test_script_with_paramters_parameter_serialization(self):
models = self.fixtures_loader.load_models(
fixtures_pack="generic", fixtures_dict={"actions": ["local_script_with_params.yaml"]}
)
action_db = models["actions"]["local_script_with_params.yaml"]
entry_point = os.path.join(get_fixtures_base_path(), "generic/actions/local_script_with_params.sh")
action_parameters = {
"param_string": "test string",
"param_integer": 1,
"param_float": 2.55,
"param_boolean": True,
"param_list": ["a", "b", "c"],
"param_object": {"foo": "bar"},
}
runner = self._get_runner(action_db=action_db, entry_point=entry_point)
runner.pre_run()
status, result, _ = runner.run(action_parameters=action_parameters)
runner.post_run(status, result)
self.assertEqual(status, action_constants.LIVEACTION_STATUS_SUCCEEDED)
self.assertTrue("PARAM_STRING=test string" in result["stdout"])
self.assertTrue("PARAM_INTEGER=1" in result["stdout"])
self.assertTrue("PARAM_FLOAT=2.55" in result["stdout"])
self.assertTrue("PARAM_BOOLEAN=1" in result["stdout"])
self.assertTrue("PARAM_LIST=a,b,c" in result["stdout"])
self.assertTrue('PARAM_OBJECT={"foo": "bar"}' in result["stdout"])
action_parameters = {
"param_string": "test string",
"param_integer": 1,
"param_float": 2.55,
"param_boolean": False,
"param_list": ["a", "b", "c"],
"param_object": {"foo": "bar"},
}
runner = self._get_runner(action_db=action_db, entry_point=entry_point)
runner.pre_run()
status, result, _ = runner.run(action_parameters=action_parameters)
runner.post_run(status, result)
self.assertEqual(status, action_constants.LIVEACTION_STATUS_SUCCEEDED)
self.assertTrue("PARAM_BOOLEAN=0" in result["stdout"])
action_parameters = {"param_string": "", "param_integer": None, "param_float": None}
runner = self._get_runner(action_db=action_db, entry_point=entry_point)
runner.pre_run()
status, result, _ = runner.run(action_parameters=action_parameters)
runner.post_run(status, result)
self.assertEqual(status, action_constants.LIVEACTION_STATUS_SUCCEEDED)
self.assertTrue("PARAM_STRING=\n" in result["stdout"])
self.assertTrue("PARAM_INTEGER=\n" in result["stdout"])
self.assertTrue("PARAM_FLOAT=\n" in result["stdout"])
def test_load_group_to_role_mappings_missing_mandatory_attribute(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(),
'rbac_invalid/mappings/mapping_one_missing_roles.yaml')
expected_msg = '\'roles\' is a required property'
self.assertRaisesRegexp(jsonschema.ValidationError, expected_msg,
loader.load_group_to_role_map_assignment_from_file,
file_path=file_path)
file_path = os.path.join(get_fixtures_base_path(),
'rbac_invalid/mappings/mapping_two_missing_group.yaml')
expected_msg = '\'group\' is a required property'
self.assertRaisesRegexp(jsonschema.ValidationError, expected_msg,
loader.load_group_to_role_map_assignment_from_file,
file_path=file_path)
def test_load_group_to_role_mappings_missing_mandatory_attribute(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(),
'rbac_invalid/mappings/mapping_one_missing_roles.yaml')
expected_msg = '\'roles\' is a required property'
self.assertRaisesRegexp(jsonschema.ValidationError, expected_msg,
loader.load_group_to_role_map_assignment_from_file,
file_path=file_path)
file_path = os.path.join(get_fixtures_base_path(),
'rbac_invalid/mappings/mapping_two_missing_group.yaml')
expected_msg = '\'group\' is a required property'
self.assertRaisesRegexp(jsonschema.ValidationError, expected_msg,
loader.load_group_to_role_map_assignment_from_file,
file_path=file_path)
def test_load_user_role_assignments_success(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac/assignments/user3.yaml')
user_role_assignment_api = loader.load_user_role_assignments_from_file(file_path=file_path)
self.assertEqual(user_role_assignment_api.username, 'user3')
self.assertEqual(user_role_assignment_api.description, 'Observer assignments')
self.assertEqual(user_role_assignment_api.roles, ['observer'])
def test_load_group_to_role_mappings_success(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac/mappings/mapping_one.yaml')
role_mapping_api = loader.load_group_to_role_map_assignment_from_file(file_path=file_path)
self.assertEqual(role_mapping_api.group, 'some ldap group')
self.assertEqual(role_mapping_api.roles, ['pack_admin'])
self.assertEqual(role_mapping_api.description, None)
self.assertTrue(role_mapping_api.enabled)
file_path = os.path.join(get_fixtures_base_path(), 'rbac/mappings/mapping_two.yaml')
role_mapping_api = loader.load_group_to_role_map_assignment_from_file(file_path=file_path)
self.assertEqual(role_mapping_api.group, 'CN=stormers,OU=groups,DC=stackstorm,DC=net')
self.assertEqual(role_mapping_api.roles, ['role_one', 'role_two', 'role_three'])
self.assertEqual(role_mapping_api.description, 'Grant 3 roles to stormers group members')
self.assertFalse(role_mapping_api.enabled)
def _override_common_opts():
packs_base_path = get_fixtures_base_path()
CONF.set_override(name='base_path', override=packs_base_path, group='system')
CONF.set_override(name='system_packs_base_path', override=packs_base_path, group='content')
CONF.set_override(name='packs_base_paths', override=packs_base_path, group='content')
CONF.set_override(name='api_url', override='http://127.0.0.1', group='auth')
CONF.set_override(name='mask_secrets', override=True, group='log')
CONF.set_override(name='url', override='zake://', group='coordination')
CONF.set_override(name='lock_timeout', override=1, group='coordination')
def test_register_policy_invalid_policy_type_references(self):
# Policy references an invalid (inexistent) policy type
registrar = PolicyRegistrar()
policy_path = os.path.join(get_fixtures_base_path(), "dummy_pack_1/policies/policy_2.yaml")
expected_msg = 'Referenced policy_type "action.mock_policy_error" doesnt exist'
self.assertRaisesRegexp(
ValueError, expected_msg, registrar._register_policy, pack="dummy_pack_1", policy=policy_path
)
def test_make_sure_policy_parameters_are_validated_during_register(self):
# Policy where specified parameters fail schema validation
registrar = PolicyRegistrar()
policy_path = os.path.join(get_fixtures_base_path(),
'dummy_pack_1/policies/policy_3.yaml')
expected_msg = '100 is greater than the maximum of 5'
self.assertRaisesRegexp(jsonschema.ValidationError, expected_msg,
registrar._register_policy, pack='dummy_pack_1',
policy=policy_path)
def test_load_user_role_assignments_success(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac/assignments/user3.yaml')
user_role_assignment_api = loader.load_user_role_assignments_from_file(file_path=file_path)
self.assertEqual(user_role_assignment_api.username, 'user3')
self.assertEqual(user_role_assignment_api.description, 'Observer assignments')
self.assertEqual(user_role_assignment_api.roles, ['observer'])
self.assertEqual(user_role_assignment_api.file_path, 'assignments/user3.yaml')
def test_load_sample_role_definition(self):
"""
Validate that the sample role definition which we ship with default installation works.
"""
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac/roles/role_sample.yaml')
role_api = loader.load_role_definition_from_file(file_path=file_path)
self.assertEqual(role_api.name, 'sample')
self.assertFalse(role_api.enabled)
def test_load_sample_role_definition(self):
"""
Validate that the sample role definition which we ship with default installation works.
"""
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac/roles/role_sample.yaml')
role_api = loader.load_role_definition_from_file(file_path=file_path)
self.assertEqual(role_api.name, 'sample')
self.assertFalse(role_api.enabled)
def test_get_all(self):
packs_path = os.path.join(get_fixtures_base_path(), 'packs/')
config_schema_count = len(
glob.glob('%s/*/config.schema.yaml' % (packs_path)))
assert config_schema_count > 1
resp = self.app.get('/v1/config_schemas')
self.assertEqual(resp.status_int, 200)
self.assertEqual(len(resp.json), config_schema_count,
'/v1/config_schemas did not return all schemas.')
def test_register_all_triggers(self):
trigger_type_dbs = TriggerType.get_all()
self.assertEqual(len(trigger_type_dbs), 0)
packs_base_path = get_fixtures_base_path()
count = triggers_registrar.register_triggers(packs_base_paths=[packs_base_path])
self.assertEqual(count, 3)
trigger_type_dbs = TriggerType.get_all()
self.assertEqual(len(trigger_type_dbs), 3)
def test_load_group_to_role_mappings_success(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac/mappings/mapping_one.yaml')
role_mapping_api = loader.load_group_to_role_map_assignment_from_file(file_path=file_path)
self.assertEqual(role_mapping_api.group, 'some ldap group')
self.assertEqual(role_mapping_api.roles, ['pack_admin'])
self.assertEqual(role_mapping_api.description, None)
self.assertTrue(role_mapping_api.enabled)
self.assertTrue(role_mapping_api.file_path.endswith('mappings/mapping_one.yaml'))
file_path = os.path.join(get_fixtures_base_path(), 'rbac/mappings/mapping_two.yaml')
role_mapping_api = loader.load_group_to_role_map_assignment_from_file(file_path=file_path)
self.assertEqual(role_mapping_api.group, 'CN=stormers,OU=groups,DC=stackstorm,DC=net')
self.assertEqual(role_mapping_api.roles, ['role_one', 'role_two', 'role_three'])
self.assertEqual(role_mapping_api.description, 'Grant 3 roles to stormers group members')
self.assertFalse(role_mapping_api.enabled)
self.assertEqual(role_mapping_api.file_path, 'mappings/mapping_two.yaml')
def test_load_sample_user_role_assignment_definition(self):
"""
Validate that the sample user role assignment definition which we ship with default
installation works.
"""
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac/assignments/user_sample.yaml')
assignment_api = loader.load_user_role_assignments_from_file(file_path=file_path)
self.assertEqual(assignment_api.username, 'stackstorm_user')
self.assertFalse(assignment_api.enabled)
def test_load_role_definition_validation_error(self):
loader = RBACDefinitionsLoader()
# Invalid permission which doesn't apply to the resource in question
file_path = os.path.join(get_fixtures_base_path(),
'rbac_invalid/roles/role_one.yaml')
expected_msg = 'Invalid permission type "rule_all" for resource type "action"'
self.assertRaisesRegexp(ValueError,
expected_msg,
loader.load_role_definition_from_file,
file_path=file_path)
# Invalid permission type which doesn't exist
file_path = os.path.join(get_fixtures_base_path(),
'rbac_invalid/roles/role_two.yaml')
expected_msg = '.*Failed validating \'enum\'.*'
self.assertRaisesRegexp(jsonschema.ValidationError,
expected_msg,
loader.load_role_definition_from_file,
file_path=file_path)
def test_load_group_to_role_mappings_empty_file(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac_invalid/mappings/empty.yaml')
file_paths = [file_path]
loader._get_group_to_role_maps_file_paths = mock.Mock()
loader._get_group_to_role_maps_file_paths.return_value = file_paths
expected_msg = 'Group to role map assignment file .+? is empty and invalid'
self.assertRaisesRegexp(ValueError, expected_msg, loader.load_group_to_role_maps)
def test_load_role_definitions_empty_definition_file(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac_invalid/roles/role_empty.yaml')
file_paths = [file_path]
loader._get_role_definitions_file_paths = mock.Mock()
loader._get_role_definitions_file_paths.return_value = file_paths
expected_msg = 'Role definition file .+? is empty and invalid'
self.assertRaisesRegexp(ValueError, expected_msg, loader.load_role_definitions)
def test_load_sample_user_role_assignment_definition(self):
"""
Validate that the sample user role assignment definition which we ship with default
installation works.
"""
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac/assignments/user_sample.yaml')
assignment_api = loader.load_user_role_assignments_from_file(file_path=file_path)
self.assertEqual(assignment_api.username, 'stackstorm_user')
self.assertFalse(assignment_api.enabled)
def test_load_group_to_role_mappings_empty_file(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac_invalid/mappings/empty.yaml')
file_paths = [file_path]
loader._get_group_to_role_maps_file_paths = mock.Mock()
loader._get_group_to_role_maps_file_paths.return_value = file_paths
expected_msg = 'Group to role map assignment file .+? is empty and invalid'
self.assertRaisesRegexp(ValueError, expected_msg, loader.load_group_to_role_maps)
def test_register_all_actions(self):
try:
packs_base_path = fixtures_loader.get_fixtures_base_path()
all_actions_in_db = Action.get_all()
actions_registrar.register_actions(packs_base_paths=[packs_base_path])
except Exception as e:
print(str(e))
self.fail('All actions must be registered without exceptions.')
else:
all_actions_in_db = Action.get_all()
self.assertTrue(len(all_actions_in_db) > 0)
def test_load_role_definitions_empty_definition_file(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), 'rbac_invalid/roles/role_empty.yaml')
file_paths = [file_path]
loader._get_role_definitions_file_paths = mock.Mock()
loader._get_role_definitions_file_paths.return_value = file_paths
expected_msg = 'Role definition file .+? is empty and invalid'
self.assertRaisesRegexp(ValueError, expected_msg, loader.load_role_definitions)
def test_register_all_actions(self):
try:
packs_base_path = fixtures_loader.get_fixtures_base_path()
all_actions_in_db = Action.get_all()
actions_registrar.register_actions(packs_base_paths=[packs_base_path])
except Exception as e:
print(str(e))
self.fail('All actions must be registered without exceptions.')
else:
all_actions_in_db = Action.get_all()
self.assertTrue(len(all_actions_in_db) > 0)
def test_register_policy_invalid_policy_type_references(self):
# Policy references an invalid (inexistent) policy type
registrar = PolicyRegistrar()
policy_path = os.path.join(get_fixtures_base_path(),
'dummy_pack_1/policies/policy_2.yaml')
expected_msg = 'Referenced policy_type "action.mock_policy_error" doesnt exist'
self.assertRaisesRegexp(ValueError,
expected_msg,
registrar._register_policy,
pack='dummy_pack_1',
policy=policy_path)
def test_make_sure_policy_parameters_are_validated_during_register(self):
# Policy where specified parameters fail schema validation
registrar = PolicyRegistrar()
policy_path = os.path.join(get_fixtures_base_path(),
'dummy_pack_1/policies/policy_3.yaml')
expected_msg = '100 is greater than the maximum of 5'
self.assertRaisesRegexp(jsonschema.ValidationError,
expected_msg,
registrar._register_policy,
pack='dummy_pack_1',
policy=policy_path)
def test_load_role_definition_validation_error(self):
loader = RBACDefinitionsLoader()
# Invalid permission which doesn't apply to the resource in question
file_path = os.path.join(get_fixtures_base_path(), 'rbac_invalid/roles/role_one.yaml')
expected_msg = 'Invalid permission type "rule_all" for resource type "action"'
self.assertRaisesRegexp(ValueError, expected_msg, loader.load_role_definition_from_file,
file_path=file_path)
# Invalid permission type which doesn't exist
file_path = os.path.join(get_fixtures_base_path(), 'rbac_invalid/roles/role_two.yaml')
expected_msg = '.*Failed validating \'enum\'.*'
self.assertRaisesRegexp(jsonschema.ValidationError, expected_msg,
loader.load_role_definition_from_file, file_path=file_path)
# Only list permissions can be used without a resource_uid
file_path = os.path.join(get_fixtures_base_path(), 'rbac_invalid/roles/role_four.yaml')
expected_msg = ('Invalid permission type "action_create". Valid global '
'permission types which can be used without a resource id are:')
self.assertRaisesRegexp(ValueError, expected_msg,
loader.load_role_definition_from_file, file_path=file_path)
def test_load_user_role_assignments_disabled_assignment(self):
loader = RBACDefinitionsLoader()
# Disabled role assignment which means this method shouldn't include it in the result
file_path = os.path.join(get_fixtures_base_path(), 'rbac/assignments/user_disabled.yaml')
file_paths = [file_path]
loader._get_role_assiginments_file_paths = mock.Mock()
loader._get_role_assiginments_file_paths.return_value = file_paths
result = loader.load_user_role_assignments()
self.assertItemsEqual(result, [])
def test_load_user_role_assignments_disabled_assignment(self):
loader = RBACDefinitionsLoader()
# Disabled role assignment which means this method shouldn't include it in the result
file_path = os.path.join(get_fixtures_base_path(), 'rbac/assignments/user_disabled.yaml')
file_paths = [file_path]
loader._get_role_assiginments_file_paths = mock.Mock()
loader._get_role_assiginments_file_paths.return_value = file_paths
result = loader.load_user_role_assignments()
self.assertItemsEqual(result, [])
def test_register_all_triggers(self):
trigger_type_dbs = TriggerType.get_all()
self.assertEqual(len(trigger_type_dbs), 0)
packs_base_path = get_fixtures_base_path()
count = triggers_registrar.register_triggers(packs_base_paths=[packs_base_path])
self.assertEqual(count, 3)
# Verify TriggerTypeDB and corresponding TriggerDB objects have been created
trigger_type_dbs = TriggerType.get_all()
trigger_dbs = Trigger.get_all()
self.assertEqual(len(trigger_type_dbs), 3)
self.assertEqual(len(trigger_dbs), 3)
def test_register_policies(self):
# Note: Only one policy should be registered since second one fails validation
pack_dir = os.path.join(fixturesloader.get_fixtures_base_path(), "dummy_pack_1")
self.assertEqual(register_policies(pack_dir=pack_dir), 1)
p1 = Policy.get_by_ref("dummy_pack_1.test_policy_1")
self.assertEqual(p1.name, "test_policy_1")
self.assertEqual(p1.pack, "dummy_pack_1")
self.assertEqual(p1.resource_ref, "dummy_pack_1.local")
self.assertEqual(p1.policy_type, "action.concurrency")
p2 = Policy.get_by_ref("dummy_pack_1.test_policy_2")
self.assertEqual(p2, None)
def test_load_role_definition_success(self):
loader = RBACDefinitionsLoader()
file_path = os.path.join(get_fixtures_base_path(), "rbac/roles/role_three.yaml")
role_definition_api = loader.load_role_definition_from_file(file_path=file_path)
self.assertEqual(role_definition_api.name, "role_three")
self.assertTrue("all the pack permissions on pack dummy_pack_1" in role_definition_api.description)
self.assertEqual(len(role_definition_api.permission_grants), 3)
self.assertEqual(role_definition_api.permission_grants[0]["resource_uid"], "pack:dummy_pack_1")
self.assertEqual(role_definition_api.permission_grants[1]["resource_uid"], "pack:dummy_pack_2")
self.assertTrue("rule_view" in role_definition_api.permission_grants[1]["permission_types"])
self.assertEqual(role_definition_api.permission_grants[2]["permission_types"], ["action_execute"])
def test_register_policies(self):
# Note: Only one policy should be registered since second one fails validation
pack_dir = os.path.join(fixturesloader.get_fixtures_base_path(),
'dummy_pack_1')
self.assertEqual(register_policies(pack_dir=pack_dir), 1)
p1 = Policy.get_by_ref('dummy_pack_1.test_policy_1')
self.assertEqual(p1.name, 'test_policy_1')
self.assertEqual(p1.pack, 'dummy_pack_1')
self.assertEqual(p1.resource_ref, 'dummy_pack_1.local')
self.assertEqual(p1.policy_type, 'action.concurrency')
p2 = Policy.get_by_ref('dummy_pack_1.test_policy_2')
self.assertEqual(p2, None)
def test_register_all_triggers(self):
trigger_type_dbs = TriggerType.get_all()
self.assertEqual(len(trigger_type_dbs), 0)
packs_base_path = get_fixtures_base_path()
count = triggers_registrar.register_triggers(
packs_base_paths=[packs_base_path])
self.assertEqual(count, 3)
# Verify TriggerTypeDB and corresponding TriggerDB objects have been created
trigger_type_dbs = TriggerType.get_all()
trigger_dbs = Trigger.get_all()
self.assertEqual(len(trigger_type_dbs), 3)
self.assertEqual(len(trigger_dbs), 3)
def test_register_all_actions(self):
try:
packs_base_path = fixtures_loader.get_fixtures_base_path()
all_actions_in_db = Action.get_all()
actions_registrar.register_actions(packs_base_paths=[packs_base_path])
except Exception as e:
print(six.text_type(e))
self.fail("All actions must be registered without exceptions.")
else:
all_actions_in_db = Action.get_all()
self.assertTrue(len(all_actions_in_db) > 0)
# Assert metadata_file field is populated
expected_path = "actions/action-with-no-parameters.yaml"
self.assertEqual(all_actions_in_db[0].metadata_file, expected_path)
def _run_action(self, pack, action, params, runner_params={}):
action_db = mock.Mock()
action_db.pack = pack
runner = python_runner.get_runner()
runner.runner_parameters = {}
runner.action = action_db
runner._use_parent_args = False
for key, value in runner_params.items():
setattr(runner, key, value)
runner.entry_point = os.path.join(
get_fixtures_base_path(), "packs/%s/actions/%s" % (pack, action))
runner.pre_run()
return runner.run(params)
def test_register_setup_virtualenvs(self):
# Single pack
pack_dir = os.path.join(get_fixtures_base_path(), 'dummy_pack_1')
cmd = BASE_CMD_ARGS + ['--register-pack=%s' % (pack_dir), '--register-setup-virtualenvs']
exit_code, stdout, stderr = run_command(cmd=cmd)
self.assertTrue('Setting up virtualenv for pack "dummy_pack_1"' in stderr)
self.assertTrue('Setup virtualenv for 1 pack(s)' in stderr)
self.assertEqual(exit_code, 0)
# All packs
cmd = BASE_CMD_ARGS + ['--register-setup-virtualenvs']
exit_code, stdout, stderr = run_command(cmd=cmd)
self.assertTrue('Setup virtualenv for 4 pack(s)' in stderr)
self.assertEqual(exit_code, 0)
def test_register_policies(self):
pack_dir = os.path.join(fixturesloader.get_fixtures_base_path(),
'dummy_pack_1')
self.assertEqual(register_policies(pack_dir=pack_dir), 2)
p1 = Policy.get_by_ref('dummy_pack_1.test_policy_1')
self.assertEqual(p1.name, 'test_policy_1')
self.assertEqual(p1.pack, 'dummy_pack_1')
self.assertEqual(p1.resource_ref, 'dummy_pack_1.local')
self.assertEqual(p1.policy_type, 'action.concurrency')
p2 = Policy.get_by_ref('dummy_pack_1.test_policy_2')
self.assertEqual(p2.name, 'test_policy_2')
self.assertEqual(p2.pack, 'dummy_pack_1')
self.assertEqual(p2.resource_ref, 'dummy_pack_1.local')
self.assertEqual(p2.policy_type, 'action.mock_policy_error')
self.assertEqual(p2.resource_ref, 'dummy_pack_1.local')
def test_action_stdout_and_stderr_is_stored_in_the_db(
self, mock_spawn, mock_popen):
# Feature is enabled
cfg.CONF.set_override(name='stream_output',
group='actionrunner',
override=True)
# Note: We need to mock spawn function so we can test everything in single event loop
# iteration
mock_spawn.side_effect = blocking_eventlet_spawn
# No output to stdout and no result (implicit None)
mock_stdout = [
'stdout line 1\n', 'stdout line 2\n', 'stdout line 3\n',
'stdout line 4\n'
]
mock_stderr = ['stderr line 1\n', 'stderr line 2\n', 'stderr line 3\n']
mock_process = mock.Mock()
mock_process.returncode = 0
mock_popen.return_value = mock_process
mock_process.stdout.closed = False
mock_process.stderr.closed = False
mock_process.stdout.readline = make_mock_stream_readline(
mock_process.stdout, mock_stdout, stop_counter=4)
mock_process.stderr.readline = make_mock_stream_readline(
mock_process.stderr, mock_stderr, stop_counter=3)
models = self.fixtures_loader.load_models(
fixtures_pack='generic',
fixtures_dict={'actions': ['local_script_with_params.yaml']})
action_db = models['actions']['local_script_with_params.yaml']
entry_point = os.path.join(
get_fixtures_base_path(),
'generic/actions/local_script_with_params.sh')
action_parameters = {
'param_string': 'test string',
'param_integer': 1,
'param_float': 2.55,
'param_boolean': True,
'param_list': ['a', 'b', 'c'],
'param_object': {
'foo': 'bar'
}
}
runner = self._get_runner(action_db=action_db, entry_point=entry_point)
runner.pre_run()
status, result, _ = runner.run(action_parameters=action_parameters)
runner.post_run(status, result)
self.assertEqual(
result['stdout'],
'stdout line 1\nstdout line 2\nstdout line 3\nstdout line 4')
self.assertEqual(result['stderr'],
'stderr line 1\nstderr line 2\nstderr line 3')
self.assertEqual(result['return_code'], 0)
# Verify stdout and stderr lines have been correctly stored in the db
output_dbs = ActionExecutionOutput.query(output_type='stdout')
self.assertEqual(len(output_dbs), 4)
self.assertEqual(output_dbs[0].data, mock_stdout[0])
self.assertEqual(output_dbs[1].data, mock_stdout[1])
self.assertEqual(output_dbs[2].data, mock_stdout[2])
self.assertEqual(output_dbs[3].data, mock_stdout[3])
output_dbs = ActionExecutionOutput.query(output_type='stderr')
self.assertEqual(len(output_dbs), 3)
self.assertEqual(output_dbs[0].data, mock_stderr[0])
self.assertEqual(output_dbs[1].data, mock_stderr[1])
self.assertEqual(output_dbs[2].data, mock_stderr[2])
def test_script_with_paramters_parameter_serialization(self):
models = self.fixtures_loader.load_models(
fixtures_pack='generic',
fixtures_dict={'actions': ['local_script_with_params.yaml']})
action_db = models['actions']['local_script_with_params.yaml']
entry_point = os.path.join(
get_fixtures_base_path(),
'generic/actions/local_script_with_params.sh')
action_parameters = {
'param_string': 'test string',
'param_integer': 1,
'param_float': 2.55,
'param_boolean': True,
'param_list': ['a', 'b', 'c'],
'param_object': {
'foo': 'bar'
}
}
runner = self._get_runner(action_db=action_db, entry_point=entry_point)
runner.pre_run()
status, result, _ = runner.run(action_parameters=action_parameters)
runner.post_run(status, result)
self.assertEqual(status, action_constants.LIVEACTION_STATUS_SUCCEEDED)
self.assertTrue('PARAM_STRING=test string' in result['stdout'])
self.assertTrue('PARAM_INTEGER=1' in result['stdout'])
self.assertTrue('PARAM_FLOAT=2.55' in result['stdout'])
self.assertTrue('PARAM_BOOLEAN=1' in result['stdout'])
self.assertTrue('PARAM_LIST=a,b,c' in result['stdout'])
self.assertTrue('PARAM_OBJECT={"foo": "bar"}' in result['stdout'])
action_parameters = {
'param_string': 'test string',
'param_integer': 1,
'param_float': 2.55,
'param_boolean': False,
'param_list': ['a', 'b', 'c'],
'param_object': {
'foo': 'bar'
}
}
runner = self._get_runner(action_db=action_db, entry_point=entry_point)
runner.pre_run()
status, result, _ = runner.run(action_parameters=action_parameters)
runner.post_run(status, result)
self.assertEqual(status, action_constants.LIVEACTION_STATUS_SUCCEEDED)
self.assertTrue('PARAM_BOOLEAN=0' in result['stdout'])
action_parameters = {
'param_string': '',
'param_integer': None,
'param_float': None,
}
runner = self._get_runner(action_db=action_db, entry_point=entry_point)
runner.pre_run()
status, result, _ = runner.run(action_parameters=action_parameters)
runner.post_run(status, result)
self.assertEqual(status, action_constants.LIVEACTION_STATUS_SUCCEEDED)
self.assertTrue('PARAM_STRING=\n' in result['stdout'])
self.assertTrue('PARAM_INTEGER=\n' in result['stdout'])
self.assertTrue('PARAM_FLOAT=\n' in result['stdout'])
# End result should be the same when streaming is enabled
cfg.CONF.set_override(name='stream_output',
group='actionrunner',
override=True)
# Verify initial state
output_dbs = ActionExecutionOutput.get_all()
self.assertEqual(len(output_dbs), 0)
action_parameters = {
'param_string': 'test string',
'param_integer': 1,
'param_float': 2.55,
'param_boolean': True,
'param_list': ['a', 'b', 'c'],
'param_object': {
'foo': 'bar'
}
}
runner = self._get_runner(action_db=action_db, entry_point=entry_point)
runner.pre_run()
status, result, _ = runner.run(action_parameters=action_parameters)
runner.post_run(status, result)
self.assertEqual(status, action_constants.LIVEACTION_STATUS_SUCCEEDED)
self.assertTrue('PARAM_STRING=test string' in result['stdout'])
self.assertTrue('PARAM_INTEGER=1' in result['stdout'])
self.assertTrue('PARAM_FLOAT=2.55' in result['stdout'])
self.assertTrue('PARAM_BOOLEAN=1' in result['stdout'])
self.assertTrue('PARAM_LIST=a,b,c' in result['stdout'])
self.assertTrue('PARAM_OBJECT={"foo": "bar"}' in result['stdout'])
output_dbs = ActionExecutionOutput.query(output_type='stdout')
self.assertEqual(len(output_dbs), 6)
self.assertEqual(output_dbs[0].data, 'PARAM_STRING=test string\n')
self.assertEqual(output_dbs[5].data, 'PARAM_OBJECT={"foo": "bar"}\n')
output_dbs = ActionExecutionOutput.query(output_type='stderr')
self.assertEqual(len(output_dbs), 0)
