Exemple #1
0
def test_basic_permission(
        standard_graph,
        graph,
        session,
        users,
        groups,
        permissions  # noqa: F811
):
    """ Test adding some permissions to various groups and ensuring that the permissions are all
        implemented as expected. This also tests permissions inheritance in the graph. """

    assert sorted(get_group_permissions(graph, "team-sre")) == [
        "audited:",
        "ssh:*",
        "sudo:shell",
        "team-sre:*",
    ]
    assert sorted(get_group_permissions(graph, "tech-ops")) == [
        "audited:",
        "ssh:shell",
        "sudo:shell",
    ]
    assert sorted(get_group_permissions(graph, "team-infra")) == ["sudo:shell"]
    assert sorted(get_group_permissions(graph, "all-teams")) == []

    assert sorted(get_user_permissions(graph, "*****@*****.**")) == [
        "audited:",
        PERMISSION_ADMIN + ":",
        "ssh:*",
        "ssh:shell",
        "sudo:shell",
        "team-sre:*",
    ]
    assert sorted(get_user_permissions(graph, "*****@*****.**")) == [
        "audited:",
        "ssh:*",
        "ssh:shell",
        "sudo:shell",
        "team-sre:*",
    ]
    assert sorted(get_user_permissions(graph, "*****@*****.**")) == [
        "audited:",
        AUDIT_MANAGER + ":",
        AUDIT_VIEWER + ":",
        PERMISSION_AUDITOR + ":",
        "owner:sad-team",
        "ssh:*",
        "sudo:shell",
        "team-sre:*",
    ]
    assert sorted(get_user_permissions(graph, "*****@*****.**")) == []
    assert sorted(get_user_permissions(graph,
                                       "*****@*****.**")) == ["sudo:shell"]
Exemple #2
0
def test_basic_permission(
    standard_graph, graph, session, users, groups, permissions  # noqa: F811
):
    """ Test adding some permissions to various groups and ensuring that the permissions are all
        implemented as expected. This also tests permissions inheritance in the graph. """

    assert sorted(get_group_permissions(graph, "team-sre")) == [
        "audited:",
        "ssh:*",
        "sudo:shell",
        "team-sre:*",
    ]
    assert sorted(get_group_permissions(graph, "tech-ops")) == [
        "audited:",
        "ssh:shell",
        "sudo:shell",
    ]
    assert sorted(get_group_permissions(graph, "team-infra")) == ["sudo:shell"]
    assert sorted(get_group_permissions(graph, "all-teams")) == []

    assert sorted(get_user_permissions(graph, "*****@*****.**")) == [
        "audited:",
        PERMISSION_ADMIN + ":",
        "ssh:*",
        "ssh:shell",
        "sudo:shell",
        "team-sre:*",
    ]
    assert sorted(get_user_permissions(graph, "*****@*****.**")) == [
        "audited:",
        "ssh:*",
        "ssh:shell",
        "sudo:shell",
        "team-sre:*",
    ]
    assert sorted(get_user_permissions(graph, "*****@*****.**")) == [
        "audited:",
        AUDIT_MANAGER + ":",
        AUDIT_VIEWER + ":",
        PERMISSION_AUDITOR + ":",
        "owner:sad-team",
        "ssh:*",
        "sudo:shell",
        "team-sre:*",
    ]
    assert sorted(get_user_permissions(graph, "*****@*****.**")) == []
    assert sorted(get_user_permissions(graph, "*****@*****.**")) == ["sudo:shell"]
Exemple #3
0
def test_disabling_permission(
    session, groups, standard_graph, graph, http_client, base_url  # noqa: F811
):
    """
    This tests disabling via the front-end route, including checking
    that the user is authorized to disable permissions.
    """
    perm_name = "sudo"
    nonpriv_user_name = "*****@*****.**"  # user without PERMISSION_ADMIN
    nonpriv_headers = {"X-Grouper-User": nonpriv_user_name}
    priv_user_name = "*****@*****.**"  # user with PERMISSION_ADMIN
    priv_headers = {"X-Grouper-User": priv_user_name}
    disable_url = url(base_url, "/permissions/{}/disable".format(perm_name))
    disable_url_non_exist_perm = url(base_url, "/permissions/no.exists/disable")

    assert "sudo:shell" in get_user_permissions(graph, "*****@*****.**")
    assert "sudo:shell" in get_user_permissions(graph, "*****@*****.**")

    # attempt to disable the permission -> should fail cuz actor
    # doesn't have PERMISSION_ADMIN
    with pytest.raises(HTTPError) as exc:
        yield http_client.fetch(disable_url, method="POST", headers=nonpriv_headers, body="")
    assert exc.value.code == 403
    # check that no change
    assert get_permission(session, perm_name).enabled
    graph.update_from_db(session)
    assert "sudo:shell" in get_user_permissions(graph, "*****@*****.**")
    assert "sudo:shell" in get_user_permissions(graph, "*****@*****.**")

    # an actor with PERMISSION_ADMIN is allowed to disable the
    # permission
    resp = yield http_client.fetch(disable_url, method="POST", headers=priv_headers, body="")
    assert resp.code == 200
    assert not get_permission(session, perm_name).enabled
    graph.update_from_db(session)
    assert "sudo:shell" not in get_user_permissions(graph, "*****@*****.**")
    assert "sudo:shell" not in get_user_permissions(graph, "*****@*****.**")

    with pytest.raises(HTTPError) as exc:
        yield http_client.fetch(
            disable_url_non_exist_perm, method="POST", headers=priv_headers, body=""
        )
    assert exc.value.code == 404

    #
    # make sure that when disabling the permission, all mappings of
    # it, i.e., with different arguments, are disabled
    #

    # the standard_graph grants 'ssh' with args '*' and 'shell' to two
    # different groups
    assert "ssh:*" in get_group_permissions(graph, "team-sre")
    assert "ssh:shell" in get_group_permissions(graph, "tech-ops")
    # disable the perm
    disable_url_ssh_pem = url(base_url, "/permissions/ssh/disable")
    resp = yield http_client.fetch(
        disable_url_ssh_pem, method="POST", headers=priv_headers, body=""
    )
    assert resp.code == 200
    assert not get_permission(session, "ssh").enabled
    graph.update_from_db(session)
    assert "ssh:*" not in get_group_permissions(graph, "team-sre")
    assert "ssh:shell" not in get_group_permissions(graph, "tech-ops")