def test_user_public_key(make_session, session, users):
make_session.return_value = session
# good key
username = '******'
good_key = ('ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUQeasspT/etEJR2WUoR+h2sMOQYbJgr0Q'
'E+J8p97gEhmz107KWZ+3mbOwyIFzfWBcJZCEg9wy5Paj+YxbGONqbpXAhPdVQ2TLgxr41bNXvbcR'
'AxZC+Q12UZywR4Klb2kungKz4qkcmSZzouaKK12UxzGB3xQ0N+3osKFj3xA1+B6HqrVreU19XdVo'
'AJh0xLZwhw17/NDM+dAcEdMZ9V89KyjwjraXtOVfFhQF0EDF0ame8d6UkayGrAiXC2He0P2Cja+J'
'371P27AlNLHFJij8WGxvcGGSeAxMLoVSDOOllLCYH5UieV8mNpX1kNe2LeA58ciZb0AXHaipSmCH'
'gh/ some-comment')
call_main('user', 'add_public_key', username, good_key)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
# bad key
username = '******'
bad_key = 'ssh-rsa AAAblahblahkey some-comment'
call_main('user', 'add_public_key', username, good_key)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
def test_group_logdump(make_session, session, users, groups, tmpdir):
make_session.return_value = session
groupname = "team-sre"
group_id = groups[groupname].id
yesterday = date.today() - timedelta(days=1)
fn = tmpdir.join("out.csv").strpath
call_main("group", "log_dump", groupname, yesterday.isoformat(), "--outfile", fn)
with open(fn, "r") as fh:
out = fh.read()
assert not out, "nothing yet"
AuditLog.log(session, users["*****@*****.**"].id, "make_noise", "making some noise", on_group_id=group_id)
session.commit()
call_main("group", "log_dump", groupname, yesterday.isoformat(), "--outfile", fn)
with open(fn, "r") as fh:
entries = [x for x in csv.reader(fh)]
assert len(entries) == 1, "should capture our new audit log entry"
log_time, actor, description, action, extra = entries[0]
assert groupname in extra
def test_group_logdump(make_session, session, users, groups, tmpdir):
make_session.return_value = session
groupname = 'team-sre'
group_id = groups[groupname].id
yesterday = date.today() - timedelta(days=1)
fn = tmpdir.join('out.csv').strpath
call_main('group', 'log_dump', groupname, yesterday.isoformat(),
'--outfile', fn)
with open(fn, 'r') as fh:
out = fh.read()
assert not out, 'nothing yet'
AuditLog.log(session,
users['*****@*****.**'].id,
'make_noise',
'making some noise',
on_group_id=group_id)
session.commit()
call_main('group', 'log_dump', groupname, yesterday.isoformat(),
'--outfile', fn)
with open(fn, 'r') as fh:
entries = [x for x in csv.reader(fh)]
assert len(entries) == 1, 'should capture our new audit log entry'
log_time, actor, description, action, extra = entries[0]
assert groupname in extra
def test_oneoff(mock_make_session, mock_annex, mock_load_plugins, session):
mock_make_session.return_value = session
username = '******'
other_username = '******'
groupname = 'fake_group'
class FakeOneOff(object):
def configure(self, service_name):
pass
def run(self, session, **kwargs):
if kwargs.get('group'):
Group.get_or_create(session, groupname=groupname)
session.commit()
elif kwargs.get('key') == 'valuewith=':
User.get_or_create(session, username=other_username)
session.commit()
else:
User.get_or_create(session, username=username)
session.commit()
mock_annex.return_value = [FakeOneOff()]
# dry_run
call_main('oneoff', 'run', 'FakeOneOff')
assert User.get(session,
name=username) is None, 'default dry_run means no writes'
assert User.get(session,
name=other_username) is None, '"valuewith= not in arg'
assert Group.get(
session,
name=groupname) is None, '"group" not in arg so no group created'
# not dry_run, create a user
call_main('oneoff', 'run', '--no-dry_run', 'FakeOneOff')
assert User.get(session,
name=username) is not None, 'dry_run off means writes'
assert User.get(session,
name=other_username) is None, '"valuewith= not in arg'
assert Group.get(
session,
name=groupname) is None, '"group" not in arg so no group created'
# not dry_run, use kwarg to create a group
call_main('oneoff', 'run', '--no-dry_run', 'FakeOneOff', 'group=1')
assert User.get(session,
name=username) is not None, 'dry_run off means writes'
assert User.get(session,
name=other_username) is None, '"valuewith= not in arg'
assert Group.get(
session, name=groupname) is not None, '"group" in arg so group created'
# invalid format for argument should result in premature system exit
with pytest.raises(SystemExit):
call_main('oneoff', 'run', '--no-dry_run', 'FakeOneOff', 'bad_arg')
call_main('oneoff', 'run', '--no-dry_run', 'FakeOneOff', 'key=valuewith=')
assert User.get(
session,
name=other_username) is not None, '"valuewith= in arg, create user2'
def test_user_public_key(make_session, session, users):
make_session.return_value = session
# good key
username = '******'
good_key = (
'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDCUQeasspT/etEJR2WUoR+h2sMOQYbJgr0Q'
'E+J8p97gEhmz107KWZ+3mbOwyIFzfWBcJZCEg9wy5Paj+YxbGONqbpXAhPdVQ2TLgxr41bNXvbcR'
'AxZC+Q12UZywR4Klb2kungKz4qkcmSZzouaKK12UxzGB3xQ0N+3osKFj3xA1+B6HqrVreU19XdVo'
'AJh0xLZwhw17/NDM+dAcEdMZ9V89KyjwjraXtOVfFhQF0EDF0ame8d6UkayGrAiXC2He0P2Cja+J'
'371P27AlNLHFJij8WGxvcGGSeAxMLoVSDOOllLCYH5UieV8mNpX1kNe2LeA58ciZb0AXHaipSmCH'
'gh/ some-comment')
call_main('user', 'add_public_key', username, good_key)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
# bad key
username = '******'
bad_key = 'ssh-rsa AAAblahblahkey some-comment'
call_main('user', 'add_public_key', username, good_key)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == good_key
def test_group_logdump(make_session, session, users, groups, tmpdir):
make_session.return_value = session
groupname = 'team-sre'
group_id = groups[groupname].id
yesterday = date.today() - timedelta(days=1)
fn = tmpdir.join('out.csv').strpath
call_main('group', 'log_dump', groupname, yesterday.isoformat(), '--outfile', fn)
with open(fn, 'r') as fh:
out = fh.read()
assert not out, 'nothing yet'
AuditLog.log(session, users['*****@*****.**'].id, 'make_noise', 'making some noise',
on_group_id=group_id)
session.commit()
call_main('group', 'log_dump', groupname, yesterday.isoformat(), '--outfile', fn)
with open(fn, 'r') as fh:
entries = [x for x in csv.reader(fh)]
assert len(entries) == 1, 'should capture our new audit log entry'
log_time, actor, description, action, extra = entries[0]
assert groupname in extra
def test_sync_db_default_group(make_session, session, users, groups):
make_session.return_value = session
call_main('sync_db')
admin_group = Group.get(session, name="grouper-administrators")
assert admin_group, "Group should have been autocreated"
admin_group_permission_names = [perm[1] for perm in admin_group.my_permissions()]
for permission in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
assert permission in admin_group_permission_names, \
"Expected permission missing: %s" % permission
def test_sync_db_default_group(make_session, session, users, groups):
make_session.return_value = session
call_main('sync_db')
admin_group = Group.get(session, name="grouper-administrators")
assert admin_group, "Group should have been autocreated"
admin_group_permission_names = [
perm[1] for perm in admin_group.my_permissions()
]
for permission in (GROUP_ADMIN, PERMISSION_ADMIN, USER_ADMIN):
assert permission in admin_group_permission_names, \
"Expected permission missing: %s" % permission
def test_group_name_checks(make_session, session, users, groups):
make_session.return_value = session
username = '******'
groupname = 'team-sre'
# check user/group name
call_main('group', 'add_member', '--member', 'invalid group name', username)
assert (u'User', username) not in Group.get(session, name=groupname).my_members()
bad_username = '******'
call_main('group', 'add_member', '--member', groupname, bad_username)
assert (u'User', bad_username) not in Group.get(session, name=groupname).my_members()
def test_user_create(make_session, session, users):
make_session.return_value = session
# simple
username = '******'
call_main('user', 'create', username)
assert User.get(session,
name=username), 'non-existent user should be created'
# check username
bad_username = '******'
call_main('user', 'create', bad_username)
assert not User.get(session,
name=bad_username), 'bad user should not be created'
# bulk
usernames = ['*****@*****.**', '*****@*****.**', '*****@*****.**']
call_main('user', 'create', *usernames)
users = [User.get(session, name=u) for u in usernames]
assert all(users), 'all users created'
usernames_with_one_bad = ['*****@*****.**', '*****@*****.**', 'not_valid_user']
call_main('user', 'create', *usernames_with_one_bad)
users = [User.get(session, name=u) for u in usernames_with_one_bad]
assert not any(users), 'one bad seed means no users created'
def test_group_bulk_add_remove(make_session, session, users, groups):
make_session.return_value = session
groupname = 'team-sre'
# bulk add
usernames = {'*****@*****.**', '*****@*****.**', '*****@*****.**'}
call_main('group', 'add_member', '--member', groupname, *usernames)
members = {u for _, u in Group.get(session, name=groupname).my_members().keys()}
assert usernames.issubset(members)
# bulk remove
call_main('group', 'remove_member', groupname, *usernames)
members = {u for _, u in Group.get(session, name=groupname).my_members().keys()}
assert not members.intersection(usernames)
def test_group_disable_group_owner(user_make_session, group_make_session, get_plugin_proxy, session,
users, groups):
group_make_session.return_value = session
user_make_session.return_value = session
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
username = '******'
groupname = 'team-sre'
# add
call_main('group', 'add_member', '--owner', groupname, username)
assert (u'User', username) in Group.get(session, name=groupname).my_members()
# disable (fails)
call_main('user', 'disable', username)
assert (u'User', username) in Group.get(session, name=groupname).my_members()
def test_oneoff(mock_make_session, mock_annex, session):
mock_make_session.return_value = session
username = '******'
other_username = '******'
groupname = 'fake_group'
class FakeOneOff(object):
def configure(self, service_name):
pass
def run(self, session, **kwargs):
if kwargs.get('group'):
Group.get_or_create(session, groupname=groupname)
session.commit()
elif kwargs.get('key') == 'valuewith=':
User.get_or_create(session, username=other_username)
session.commit()
else:
User.get_or_create(session, username=username)
session.commit()
mock_annex.return_value = [FakeOneOff()]
# dry_run
call_main('oneoff', 'run', 'FakeOneOff')
assert User.get(session, name=username) is None, 'default dry_run means no writes'
assert User.get(session, name=other_username) is None, '"valuewith= not in arg'
assert Group.get(session, name=groupname) is None, '"group" not in arg so no group created'
# not dry_run, create a user
call_main('oneoff', 'run', '--no-dry_run', 'FakeOneOff')
assert User.get(session, name=username) is not None, 'dry_run off means writes'
assert User.get(session, name=other_username) is None, '"valuewith= not in arg'
assert Group.get(session, name=groupname) is None, '"group" not in arg so no group created'
# not dry_run, use kwarg to create a group
call_main('oneoff', 'run', '--no-dry_run', 'FakeOneOff', 'group=1')
assert User.get(session, name=username) is not None, 'dry_run off means writes'
assert User.get(session, name=other_username) is None, '"valuewith= not in arg'
assert Group.get(session, name=groupname) is not None, '"group" in arg so group created'
# invalid format for argument should result in premature system exit
with pytest.raises(SystemExit):
call_main('oneoff', 'run', '--no-dry_run', 'FakeOneOff', 'bad_arg')
call_main('oneoff', 'run', '--no-dry_run', 'FakeOneOff', 'key=valuewith=')
assert User.get(session, name=other_username) is not None, '"valuewith= in arg, create user2'
def test_group_name_checks(make_session, session, users, groups):
make_session.return_value = session
username = '******'
groupname = 'team-sre'
# check user/group name
call_main('group', 'add_member', '--member', 'invalid group name',
username)
assert (u'User', username) not in Group.get(session,
name=groupname).my_members()
bad_username = '******'
call_main('group', 'add_member', '--member', groupname, bad_username)
assert (u'User',
bad_username) not in Group.get(session,
name=groupname).my_members()
def test_group_add_remove_member(make_session, session, users, groups):
make_session.return_value = session
username = '******'
groupname = 'team-sre'
# add
assert (u'User', username) not in groups[groupname].my_members()
call_main('group', 'add_member', '--member', groupname, username)
all_members = Group.get(session, name=groupname).my_members()
assert (u'User', username) in all_members
_, _, _, role, _, _ = all_members[(u'User', username)]
assert GROUP_EDGE_ROLES[role] == "member"
# remove
call_main('group', 'remove_member', groupname, username)
assert (u'User', username) not in Group.get(session, name=groupname).my_members()
def test_group_add_remove_member(make_session, session, users, groups):
make_session.return_value = session
username = '******'
groupname = 'team-sre'
# add
assert (u'User', username) not in groups[groupname].my_members()
call_main('group', 'add_member', '--member', groupname, username)
all_members = Group.get(session, name=groupname).my_members()
assert (u'User', username) in all_members
_, _, _, role, _, _ = all_members[(u'User', username)]
assert GROUP_EDGE_ROLES[role] == "member"
# remove
call_main('group', 'remove_member', groupname, username)
assert (u'User', username) not in Group.get(session,
name=groupname).my_members()
def test_group_add_remove_owner(make_session, get_plugin_proxy, session, users, groups):
make_session.return_value = session
get_plugin_proxy.return_value = PluginProxy([GroupOwnershipPolicyPlugin()])
username = '******'
groupname = 'team-sre'
# add
assert (u'User', username) not in groups[groupname].my_members()
call_main('group', 'add_member', '--owner', groupname, username)
all_members = Group.get(session, name=groupname).my_members()
assert (u'User', username) in all_members
_, _, _, role, _, _ = all_members[(u'User', username)]
assert GROUP_EDGE_ROLES[role] == "owner"
# remove (fails)
call_main('group', 'remove_member', groupname, username)
assert (u'User', username) in Group.get(session, name=groupname).my_members()
def test_group_add_remove_owner(make_session, get_plugins, session, users,
groups):
make_session.return_value = session
get_plugins.return_value = [GroupOwnershipPolicyPlugin()]
username = '******'
groupname = 'team-sre'
# add
assert (u'User', username) not in groups[groupname].my_members()
call_main('group', 'add_member', '--owner', groupname, username)
all_members = Group.get(session, name=groupname).my_members()
assert (u'User', username) in all_members
_, _, _, role, _, _ = all_members[(u'User', username)]
assert GROUP_EDGE_ROLES[role] == "owner"
# remove (fails)
call_main('group', 'remove_member', groupname, username)
assert (u'User', username) in Group.get(session,
name=groupname).my_members()
def test_group_bulk_add_remove(make_session, session, users, groups):
make_session.return_value = session
groupname = 'team-sre'
# bulk add
usernames = {'*****@*****.**', '*****@*****.**', '*****@*****.**'}
call_main('group', 'add_member', '--member', groupname, *usernames)
members = {
u
for _, u in Group.get(session, name=groupname).my_members().keys()
}
assert usernames.issubset(members)
# bulk remove
call_main('group', 'remove_member', groupname, *usernames)
members = {
u
for _, u in Group.get(session, name=groupname).my_members().keys()
}
assert not members.intersection(usernames)
def test_user_public_key(make_session, session, users):
make_session.return_value = session
# good key
username = '******'
call_main('user', 'add_public_key', username, SSH_KEY_1)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# duplicate key
call_main('user', 'add_public_key', username, SSH_KEY_1)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# bad key
call_main('user', 'add_public_key', username, SSH_KEY_BAD)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
def test_user_public_key(make_session, session, users):
make_session.return_value = session
# good key
username = '******'
call_main('user', 'add_public_key', username, SSH_KEY_1)
user = User.get(session, name=username)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# duplicate key
call_main('user', 'add_public_key', username, SSH_KEY_1)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
# bad key
call_main('user', 'add_public_key', username, SSH_KEY_BAD)
keys = get_public_keys_of_user(session, user.id)
assert len(keys) == 1
assert keys[0].public_key == SSH_KEY_1
def test_user_create(make_session, session, users):
make_session.return_value = session
# simple
username = '******'
call_main('user', 'create', username)
assert User.get(session, name=username), 'non-existent user should be created'
# check username
bad_username = '******'
call_main('user', 'create', bad_username)
assert not User.get(session, name=bad_username), 'bad user should not be created'
# bulk
usernames = ['*****@*****.**', '*****@*****.**', '*****@*****.**']
call_main('user', 'create', *usernames)
users = [User.get(session, name=u) for u in usernames]
assert all(users), 'all users created'
usernames_with_one_bad = ['*****@*****.**', '*****@*****.**', 'not_valid_user']
call_main('user', 'create', *usernames_with_one_bad)
users = [User.get(session, name=u) for u in usernames_with_one_bad]
assert not any(users), 'one bad seed means no users created'
def test_user_status_changes(make_user_session, make_group_session, session,
users, groups):
make_user_session.return_value = session
make_group_session.return_value = session
username = '******'
groupname = 'team-sre'
# add user to a group
call_main('group', 'add_member', '--member', groupname, username)
# disable the account
call_main('user', 'disable', username)
assert not User.get(session, name=username).enabled
# double disabling is a no-op
call_main('user', 'disable', username)
assert not User.get(session, name=username).enabled
# re-enable the account, preserving memberships
call_main('user', 'enable', '--preserve-membership', username)
assert User.get(session, name=username).enabled
assert (u'User', username) in groups[groupname].my_members()
# enabling an active account is a no-op
call_main('user', 'enable', username)
assert User.get(session, name=username).enabled
# disable and re-enable without the --preserve-membership flag
call_main('user', 'disable', username)
call_main('user', 'enable', username)
assert User.get(session, name=username).enabled
assert (u'User', username) not in groups[groupname].my_members()
def test_group_add_remove_member(make_session, session, users, groups):
make_session.return_value = session
username = "******"
groupname = "team-sre"
# add
assert (u"User", username) not in groups[groupname].my_members()
call_main("group", "add_member", "--owner", groupname, username)
all_members = Group.get(session, name=groupname).my_members()
assert (u"User", username) in all_members
_, _, _, role, _, _ = all_members[(u"User", username)]
assert GROUP_EDGE_ROLES[role] == "owner"
# remove
call_main("group", "remove_member", groupname, username)
assert (u"User", username) not in Group.get(session, name=groupname).my_members()
# bulk add
usernames = {"*****@*****.**", "*****@*****.**", "*****@*****.**"}
call_main("group", "add_member", "--member", groupname, *usernames)
members = {u for _, u in Group.get(session, name=groupname).my_members().keys()}
assert usernames.issubset(members)
# bulk remove
call_main("group", "remove_member", groupname, *usernames)
members = {u for _, u in Group.get(session, name=groupname).my_members().keys()}
assert not members.intersection(usernames)
# check user/group name
call_main("group", "add_member", "--member", "invalid group name", username)
assert (u"User", username) not in Group.get(session, name=groupname).my_members()
bad_username = "******"
call_main("group", "add_member", "--member", groupname, bad_username)
assert (u"User", bad_username) not in Group.get(session, name=groupname).my_members()
def test_group_add_remove_member(make_session, session, users, groups):
make_session.return_value = session
username = '******'
groupname = 'team-sre'
# add
assert (u'User', username) not in groups[groupname].my_members()
call_main('group', 'add_member', '--owner', groupname, username)
all_members = Group.get(session, name=groupname).my_members()
assert (u'User', username) in all_members
_, _, _, role, _, _ = all_members[(u'User', username)]
assert GROUP_EDGE_ROLES[role] == "owner"
# remove
call_main('group', 'remove_member', groupname, username)
assert (u'User', username) not in Group.get(session,
name=groupname).my_members()
# bulk add
usernames = {'*****@*****.**', '*****@*****.**', '*****@*****.**'}
call_main('group', 'add_member', '--member', groupname, *usernames)
members = {
u
for _, u in Group.get(session, name=groupname).my_members().keys()
}
assert usernames.issubset(members)
# bulk remove
call_main('group', 'remove_member', groupname, *usernames)
members = {
u
for _, u in Group.get(session, name=groupname).my_members().keys()
}
assert not members.intersection(usernames)
# check user/group name
call_main('group', 'add_member', '--member', 'invalid group name',
username)
assert (u'User', username) not in Group.get(session,
name=groupname).my_members()
bad_username = '******'
call_main('group', 'add_member', '--member', groupname, bad_username)
assert (u'User',
bad_username) not in Group.get(session,
name=groupname).my_members()
def test_user_status_changes(make_user_session, make_group_session, session, users, groups):
make_user_session.return_value = session
make_group_session.return_value = session
username = '******'
groupname = 'team-sre'
# add user to a group
call_main('group', 'add_member', '--member', groupname, username)
# disable the account
call_main('user', 'disable', username)
assert not User.get(session, name=username).enabled
# double disabling is a no-op
call_main('user', 'disable', username)
assert not User.get(session, name=username).enabled
# re-enable the account, preserving memberships
call_main('user', 'enable', '--preserve-membership', username)
assert User.get(session, name=username).enabled
assert (u'User', username) in groups[groupname].my_members()
# enabling an active account is a no-op
call_main('user', 'enable', username)
assert User.get(session, name=username).enabled
# disable and re-enable without the --preserve-membership flag
call_main('user', 'disable', username)
call_main('user', 'enable', username)
assert User.get(session, name=username).enabled
assert (u'User', username) not in groups[groupname].my_members()
