def is_role_ready(role_name, attempts=4, delay=5):
"""Checks to see if the given role is present in rethinkdb. retries for the
given number of attempts before returning False.
Args:
role_name:
str: the name of a given role in NEXT
attempts:
int: the number of times to chekc for the role before giving up
- defaults to 4
delay:
int: the number of seconds to wait between attempts
- defaults to 5
Returns:
role_status:
bool:
True: if the role was found in the db
False: if hte roel was not found in the db
"""
role_status = False
i = 0
while i < attempts:
if is_group_in_db(role_name):
role_status = True
return role_status
time.sleep(delay)
i += 1
return role_status
def test_delete_role(ldap_connection):
"""Deletes a AD role in NEXT
Args:
ldap_connection:
obj: A bound mock mock_ldap_connection
"""
create_fake_group(ldap_connection, "sysadmins", "sysadmins")
fake_group = get_fake_group(ldap_connection, "sysadmins")
put_in_inbound_queue(fake_group, "group")
insert_deleted_entries(
["CN=sysadmins,OU=Roles,OU=Security,OU=Groups,DC=AD2012,DC=LAB"],
"group_deleted",
)
result = is_group_in_db("sysadmins")
assert result is False
def test_delete_role(ldap_connection):
"""Delete a AD role in NEXT and all related tables
Args:
ldap_connection:
obj: A bound mock mock_ldap_connection
"""
create_fake_user(ldap_connection, "jchan", "Jackie C", "Jackiec")
user_remote_id = "CN=jchan,OU=Users,OU=Accounts,DC=AD2012,DC=LAB"
fake_user = get_fake_user(ldap_connection, "jchan")
put_in_inbound_queue(fake_user, "user")
create_fake_group(ldap_connection, "sysadmins", "sysadmins",
user_remote_id)
fake_group = get_fake_group(ldap_connection, "sysadmins")
put_in_inbound_queue(fake_group, "group")
time.sleep(3)
group_distinct_name = "CN=sysadmins,OU=Roles,OU=Security,OU=Groups,DC=AD2012,DC=LAB"
addMembersToGroups.ad_add_members_to_groups(ldap_connection,
user_remote_id,
group_distinct_name,
fix=True)
assert is_user_the_role_owner("sysadmins", "jchan") is True
assert is_group_in_db("sysadmins") is True
role = get_role("sysadmins")
role_id = role[0]["role_id"]
insert_deleted_entries(
["CN=sysadmins,OU=Roles,OU=Security,OU=Groups,DC=AD2012,DC=LAB"],
"group_deleted",
)
time.sleep(3)
is_role_removed = wait_for_resource_removal_in_db("roles", "name",
"sysadmins")
assert is_role_removed is True
is_owner_removed = wait_for_resource_removal_in_db("role_owners",
"role_id", role_id)
assert is_owner_removed is True
is_member_removed = wait_for_resource_removal_in_db(
"role_members", "role_id", role_id)
assert is_member_removed is True
def test_create_fake_group(ldap_connection, group):
"""Creates a fake group and inserts it to the inbound queue for ingestion
by rbac_ledger_sync. Waits 15 seconds. Checks if the fake group exists in
the groups table in rethinkDB.
Args:
ldap_connection:
obj: A bound mock ldap connection
group:
obj: dict:
common_name:
str: A common name of a group AD object.
name:
str: A name of a group AD object.
"""
create_fake_group(ldap_connection, **group)
fake_group = get_fake_group(ldap_connection, group["common_name"])
put_in_inbound_queue(fake_group, "group")
# wait for the fake group to be ingested by rbac_ledger_sync
time.sleep(3)
result = is_group_in_db(group["common_name"])
assert result is True
def test_delete_user(ldap_connection):
"""Deletes a AD user in NEXT
Args:
ldap_connection:
obj: A bound mock mock_ldap_connection
"""
# Create fake user and attach as owner to a role
create_fake_user(ldap_connection, "jchan20", "Jackie Chan", "Jackie")
user_remote_id = "CN=jchan20,OU=Users,OU=Accounts,DC=AD2012,DC=LAB"
create_fake_group(ldap_connection, "jchan_role", "jchan_role",
user_remote_id)
group_distinct_name = (
"CN=jchan_role,OU=Roles,OU=Security,OU=Groups,DC=AD2012,DC=LAB")
addMembersToGroups.ad_add_members_to_groups(ldap_connection,
user_remote_id,
group_distinct_name,
fix=True)
fake_user = get_fake_user(ldap_connection, "jchan20")
put_in_inbound_queue(fake_user, "user")
fake_group = get_fake_group(ldap_connection, "jchan_role")
put_in_inbound_queue(fake_group, "group")
time.sleep(3)
# See if owner and role are in the system
email = "*****@*****.**"
assert is_user_in_db(email) is True
assert is_group_in_db("jchan_role") is True
# See if all LDAP user has entries in the following
# off chain tables: user_mapping and metadata
user = get_user_in_db_by_email(email)
next_id = user[0]["next_id"]
assert get_user_mapping_entry(next_id)
assert get_user_metadata_entry(next_id)
# See that the owner is assigned to correct role
role = get_role("jchan_role")
owners = get_role_owners(role[0]["role_id"])
members = get_role_members(role[0]["role_id"])
assert owners[0]["related_id"] == next_id
assert members[0]["related_id"] == next_id
# Create a NEXT role with LDAP user as an admin and
# check for LDAP user's entry in auth table
next_role_id = create_next_role_ldap(user=user[0], role_name="managers")
admins = get_role_admins(next_role_id)
assert admins[0]["related_id"] == next_id
assert get_auth_entry(next_id)
# Create a NEXT pack with LDAP user as an owner
next_pack_id = create_pack_ldap(user=user[0],
pack_name="technology department")
assert check_user_is_pack_owner(next_pack_id, next_id)
# Delete user and verify LDAP user and related off chain
# table entries have been deleted, role still exists
# and role relationships have been deleted
insert_deleted_entries([user_remote_id], "user_deleted")
time.sleep(3)
assert get_deleted_user_entries(next_id) == []
assert get_pack_owners_by_user(next_id) == []
assert is_group_in_db("jchan_role") is True
assert get_role_owners(role[0]["role_id"]) == []
assert get_role_admins(next_role_id) == []
assert get_role_members(role[0]["role_id"]) == []
delete_role_by_name("managers")
delete_pack_by_name("technology department")
