Esempio n. 1
0
def test_expire_edges(expired_graph, session):  # noqa
    """ Test expiration auditing and notification. """
    email = session.query(AsyncNotification).all()
    assert email == []
    for edge in session.query(GroupEdge).all():
        assert edge.active == True

    # Expire the edges.
    background = BackgroundThread(settings, None)
    background.expire_edges(session)

    # Check that the edges are now marked as inactive.
    edges = session.query(GroupEdge).filter(
            GroupEdge.group_id == Group.id,
            Group.enabled == True,
            GroupEdge.expiration != None
            ).all()
    for edge in edges:
        assert edge.active == False

    # Check that we have two queued email messages.
    #
    # TODO(rra): It would be nice to check the contents as well.
    email = session.query(AsyncNotification).all()
    assert len(email) == 2

    # Check that we have three audit log entries: one for the expired user and
    # two for both "sides" of the expired group membership.
    audits = AuditLog.get_entries(session, action="expired_from_group")
    assert len(audits) == 3
Esempio n. 2
0
def test_edit_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
            headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    assert tag.description == "Test Tag Please Ignore", "The description should match what we created it with"

    user = session.query(User).filter_by(username="******").scalar()
    fe_url = url(base_url, '/tags/{}/edit'.format(tag.id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"description": "Don't tag me bro"}),
            headers={'X-Grouper-User': user.username})

    assert resp.code == 200

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    assert tag.description == "Don't tag me bro", "The description should have been updated"
Esempio n. 3
0
def test_expire_edges(expired_graph, session):  # noqa
    """ Test expiration auditing and notification. """
    email = session.query(AsyncNotification).all()
    assert email == []
    for edge in session.query(GroupEdge).all():
        assert edge.active == True

    # Expire the edges.
    background = BackgroundProcessor(settings, None)
    background.expire_edges(session)

    # Check that the edges are now marked as inactive.
    edges = session.query(GroupEdge).filter(
            GroupEdge.group_id == Group.id,
            Group.enabled == True,
            GroupEdge.expiration != None
            ).all()
    for edge in edges:
        assert edge.active == False

    # Check that we have two queued email messages.
    #
    # TODO(rra): It would be nice to check the contents as well.
    email = session.query(AsyncNotification).all()
    assert len(email) == 2

    # Check that we have three audit log entries: one for the expired user and
    # two for both "sides" of the expired group membership.
    audits = AuditLog.get_entries(session, action="expired_from_group")
    assert len(audits) == 3
Esempio n. 4
0
def test_fe_password_add(session, users, http_client, base_url):
    user = users["*****@*****.**"]

    fe_url = url(base_url, "/users/{}/passwords/add".format(user.username))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body=urlencode({"name": "test", "password": TEST_PASSWORD}),
        headers={"X-Grouper-User": user.username},
    )
    assert resp.code == 200

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    assert len(user_passwords(session, user)) == 1, "The user should have a password now"
    assert user_passwords(session, user)[0].name == "test", "The password should have the name given"
    assert (
        user_passwords(session, user)[0].password_hash != TEST_PASSWORD
    ), "The password should not be available as plain text"

    with pytest.raises(HTTPError):
        fe_url = url(base_url, "/users/{}/passwords/add".format(user.username))
        resp = yield http_client.fetch(
            fe_url,
            method="POST",
            body=urlencode({"name": "test", "password": TEST_PASSWORD}),
            headers={"X-Grouper-User": "******"},
        )

    fe_url = url(base_url, "/users/{}/passwords/add".format(user.username))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body=urlencode({"name": "test", "password": TEST_PASSWORD}),
        headers={"X-Grouper-User": user.username},
    )
    assert resp.code == 200

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    assert len(user_passwords(session, user)) == 1, "Adding a password with the same name should fail"

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    fe_url = url(base_url, "/users/{}/passwords/add".format(user.username))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body=urlencode({"name": "test", "password": TEST_PASSWORD}),
        headers={"X-Grouper-User": user.username},
    )
    assert resp.code == 200

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    assert (
        len(user_passwords(session, user)) == 1
    ), "The user should have a password now (duplicate names are permitted for distinct users)"
    assert user_passwords(session, user)[0].name == "test", "The password should have the name given"
    assert (
        user_passwords(session, user)[0].password_hash != TEST_PASSWORD
    ), "The password should not be available as plain text"
Esempio n. 5
0
def test_revoke_permission_from_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    grant_permission(
        session.query(Group).filter_by(groupname="all-teams").scalar(),
        session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'tagname':
                                       "tyler_was_here",
                                       "description":
                                       "Test Tag Please Ignore"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'permission': TAG_EDIT,
                                       "argument": "*"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    perm = Permission.get(session, TAG_EDIT)
    assert len(get_public_key_tag_permissions(
        session, tag)) == 1, "The tag should have exactly 1 permission"

    user = session.query(User).filter_by(username="******").scalar()

    mapping = get_public_key_tag_permissions(session, tag)[0]
    fe_url = url(
        base_url,
        '/permissions/{}/revoke_tag/{}'.format(TAG_EDIT, mapping.mapping_id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body="",
                                   headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    assert len(get_public_key_tag_permissions(
        session, tag)) == 0, "The tag should have no permissions"
Esempio n. 6
0
def test_basic_request(graph, groups, permissions, session, standard_graph,
                       users):
    group_sre = groups["team-sre"]
    group_not_sre = [g for name, g in groups.items() if name != "team-sre"]

    assert not any([
        get_requests_by_group(session, group, status="pending").all()
        for group in groups.values()
    ]), "no group should start with pending requests"

    group_sre.add_member(users["*****@*****.**"],
                         users["*****@*****.**"],
                         reason="for the lulz")
    session.commit()

    request_not_sre = [
        get_requests_by_group(session, group, status="pending").all()
        for group in group_not_sre
    ]
    assert not any(
        request_not_sre), "only affected group should show pending requests"
    request_sre = get_requests_by_group(session, group_sre,
                                        status="pending").all()
    assert len(request_sre) == 1, "affected group should have request"

    request = session.query(Request).filter_by(id=request_sre[0].id).scalar()
    request.update_status(users["*****@*****.**"], "actioned",
                          "for being a good person")
    session.commit()

    assert not any([
        get_requests_by_group(session, group, status="pending").all()
        for group in groups.values()
    ]), "no group should have requests after being actioned"
def test_request_emails_reference(session, groups, permissions, users,
                                  base_url, http_client):
    tech = groups["tech-ops"]

    tech.canjoin = "canask"
    tech.add(session)
    session.commit()

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(tech.groupname))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "reason":
                                       "Test Request Please Ignore",
                                       "member":
                                       "User: {}".format(user.name)
                                   }),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    zay_emails = _get_unsent_and_mark_as_sent_emails_with_username(
        session, "*****@*****.**")
    assert any(["References: " in email.body for email in zay_emails])
Esempio n. 8
0
def test_aggregate_request(graph, groups, permissions, session, standard_graph, users):
    gary = users["*****@*****.**"]
    testuser = users["*****@*****.**"]
    not_involved = [user for name,user in users.items() if name not in ("*****@*****.**",
            "*****@*****.**")]

    assert not any([user_requests_aggregate(session, u).all() for u in users.values()]), \
            "should have no pending requests to begin with"

    # one request to one team
    groups["team-sre"].add_member(users["*****@*****.**"], users["*****@*****.**"],
            reason="for the lulz")
    session.commit()

    assert len(user_requests_aggregate(session, gary).all()) == 1, "one pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # two request to two teams, same owner
    groups["team-infra"].add_member(users["*****@*****.**"], users["*****@*****.**"],
            reason="for the lulz")
    session.commit()

    request_gary = user_requests_aggregate(session, gary).all()
    assert len(request_gary) == 2, "two pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # resolving one request should reflect
    request = session.query(Request).filter_by(id=request_gary[0].id).scalar()
    request.update_status(users["*****@*****.**"], "actioned", "for being a good person")
    session.commit()

    assert len(user_requests_aggregate(session, gary).all()) == 1, "one pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # requests to dependent teams should reflect apprpriately
    groups["security-team"].add_member(users["*****@*****.**"], users["*****@*****.**"],
            reason="for the lulz")
    session.commit()

    assert len(user_requests_aggregate(session, gary).all()) == 1, "super owner should not get request"
    assert len(user_requests_aggregate(session, users["*****@*****.**"]).all()) == 1, "owner should get request"
    user_not_gary_oliver = [u for n,u in users.items() if n not in ("*****@*****.**","*****@*****.**")]
    assert not any([user_requests_aggregate(session, u).all() for u in user_not_gary_oliver])

    # manager and np-owner should get requests
    figurehead = users["*****@*****.**"]
    add_member(groups["audited-team"], figurehead, role="manager")
    assert len(user_requests_aggregate(session, figurehead).all()) == 0, "no request for np-owner at first"

    groups["tech-ops"].add_member(users["*****@*****.**"], users["*****@*****.**"],
            reason="for the lulz")
    assert len(user_requests_aggregate(session, figurehead).all()) == 1, "request for np-owner"

    groups["audited-team"].add_member(users["*****@*****.**"], users["*****@*****.**"],
            reason="for the lulz")
    assert len(user_requests_aggregate(session, figurehead).all()) == 2, "request for np-owner and manager"
Esempio n. 9
0
def test_grant_and_revoke(session, standard_graph, graph, groups, permissions,
        http_client, base_url):
    """Test that permission grant and revokes are reflected correctly."""
    group_name = "team-sre"
    permission_name = "sudo"
    user_name = "*****@*****.**"

    def _check_graph_for_perm(graph):
        return any(map(lambda x: x.permission == permission_name,
                graph.permission_metadata[group_name]))

    # make some permission admins
    perm_admin, _ = Permission.get_or_create(session, name=PERMISSION_ADMIN, description="")
    session.commit()
    grant_permission(groups["security-team"], perm_admin)

    # grant attempt by non-permission admin
    fe_url = url(base_url, "/permissions/grant/{}".format(group_name))
    with pytest.raises(HTTPError):
        yield http_client.fetch(fe_url, method="POST",
                body=urlencode({"permission": permission_name, "argument": "specific_arg"}),
                headers={'X-Grouper-User': "******"})

    graph.update_from_db(session)
    assert not _check_graph_for_perm(graph), "no permissions granted"

    # grant by permission admin
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"permission": permission_name, "argument": "specific_arg"}),
            headers={'X-Grouper-User': user_name})
    assert resp.code == 200

    graph.update_from_db(session)
    assert _check_graph_for_perm(graph), "permissions granted, successfully"

    # figure out mapping_id of grant
    permission_id = Permission.get(session, name=permission_name).id
    group_id = Group.get(session, name=group_name).id
    mapping = session.query(PermissionMap).filter(
            PermissionMap.permission_id == permission_id,
            PermissionMap.group_id == group_id).first()

    # revoke permission by non-admin
    fe_url = url(base_url, "/permissions/{}/revoke/{}".format(permission_name, mapping.id))
    with pytest.raises(HTTPError):
        yield http_client.fetch(fe_url, method="POST", body=urlencode({}),
                headers={'X-Grouper-User': "******"})

    graph.update_from_db(session)
    assert _check_graph_for_perm(graph), "permissions not revoked"

    # revoke permission for realz
    resp = yield http_client.fetch(fe_url, method="POST", body=urlencode({}),
            headers={'X-Grouper-User': user_name})
    assert resp.code == 200

    graph.update_from_db(session)
    assert not _check_graph_for_perm(graph), "permissions revoked successfully"
Esempio n. 10
0
def _get_unsent_and_mark_as_sent_emails_with_username(session, username):
    """Helper to count unsent emails and then mark them as sent."""
    emails = session.query(AsyncNotification).filter_by(sent=False, email=username).all()

    for email in emails:
        email.sent = True

    session.commit()
    return emails
Esempio n. 11
0
def _get_unsent_and_mark_as_sent_emails(session):
    """Helper to count unsent emails and then mark them as sent."""
    emails = session.query(AsyncNotification).filter(AsyncNotification.sent == False).all()

    for email in emails:
        email.sent = True

    session.commit()
    return emails
Esempio n. 12
0
def _get_unsent_and_mark_as_sent_emails_with_username(session, username):
    """Helper to count unsent emails and then mark them as sent."""
    emails = session.query(AsyncNotification).filter_by(sent=False, email=username).all()

    for email in emails:
        email.sent = True

    session.commit()
    return emails
Esempio n. 13
0
def _get_unsent_emails_and_send(session):
    """Helper to count unsent emails and then mark them as sent."""
    emails = session.query(AsyncNotification).filter_by(sent=False).all()

    for email in emails:
        email.sent = True

    session.commit()
    return emails
Esempio n. 14
0
def test_merge(session, initial_items, items_to_merge):
    items = {
        1: {'id': 1, 'change': '1', 'a': 'a', 'b': 'b'},
    }
    session.execute(insert(Foo, initial_items.values()))
    session.execute(Merge(Foo, items.values()))
    session.commit()
    foos = {
        foo.id: foo._asdict()
        for foo in session.query(Foo.id, Foo.change, Foo.a, Foo.b).all()
    }
    assert dict(initial_items, **items) == foos
Esempio n. 15
0
def test_fe_password_add(session, users, http_client, base_url):
    user = users['*****@*****.**']

    fe_url = url(base_url, '/users/{}/passwords/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'name': "test", "password": TEST_PASSWORD}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    assert len(user_passwords(session, user)) == 1, "The user should have a password now"
    assert user_passwords(session, user)[0].name == "test", "The password should have the name given"
    assert user_passwords(session, user)[0].password_hash != TEST_PASSWORD, "The password should not be available as plain text"

    with pytest.raises(HTTPError):
        fe_url = url(base_url, '/users/{}/passwords/add'.format(user.username))
        resp = yield http_client.fetch(fe_url, method="POST",
                body=urlencode({'name': "test", "password": TEST_PASSWORD}),
                headers={'X-Grouper-User': "******"})

    fe_url = url(base_url, '/users/{}/passwords/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'name': "test", "password": TEST_PASSWORD}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    assert len(user_passwords(session, user)) == 1, "Adding a password with the same name should fail"

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    fe_url = url(base_url, '/users/{}/passwords/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'name': "test", "password": TEST_PASSWORD}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    assert len(user_passwords(session, user)) == 1, "The user should have a password now (duplicate names are permitted for distinct users)"
    assert user_passwords(session, user)[0].name == "test", "The password should have the name given"
    assert user_passwords(session, user)[0].password_hash != TEST_PASSWORD, "The password should not be available as plain text"
Esempio n. 16
0
def test_grant_permission_to_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
            headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'permission': TAG_EDIT, "argument": "*"}),
            headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    perm = Permission.get(session, TAG_EDIT)
    assert len(get_public_key_tag_permissions(session, tag)) == 1, "The tag should have exactly 1 permission"
    assert get_public_key_tag_permissions(session, tag)[0].name == perm.name, "The tag's permission should be the one we added"
    assert get_public_key_tag_permissions(session, tag)[0].argument == "*", "The tag's permission should be the one we added"

    # Make sure trying to add a permission to a tag doesn't fail horribly if it's already there
    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'permission': TAG_EDIT, "argument": "*"}),
            headers={'X-Grouper-User': user.username})

    assert resp.code == 200
Esempio n. 17
0
def test_edit_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    grant_permission(
        session.query(Group).filter_by(groupname="all-teams").scalar(),
        session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'tagname':
                                       "tyler_was_here",
                                       "description":
                                       "Test Tag Please Ignore"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    assert tag.description == "Test Tag Please Ignore", "The description should match what we created it with"

    user = session.query(User).filter_by(username="******").scalar()
    fe_url = url(base_url, '/tags/{}/edit'.format(tag.id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode(
                                       {"description": "Don't tag me bro"}),
                                   headers={'X-Grouper-User': user.username})

    assert resp.code == 200

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    assert tag.description == "Don't tag me bro", "The description should have been updated"
Esempio n. 18
0
def test_revoke_permission_from_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
            headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'permission': TAG_EDIT, "argument": "*"}),
            headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    perm = Permission.get(session, TAG_EDIT)
    assert len(get_public_key_tag_permissions(session, tag)) == 1, "The tag should have exactly 1 permission"

    user = session.query(User).filter_by(username="******").scalar()

    mapping = get_public_key_tag_permissions(session, tag)[0]
    fe_url = url(base_url, '/permissions/{}/revoke_tag/{}'.format(TAG_EDIT, mapping.mapping_id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body="",
            headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    assert len(get_public_key_tag_permissions(session, tag)) == 0, "The tag should have no permissions"
Esempio n. 19
0
def test_create_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    tag = PublicKeyTag.get(session, name="tyler_was_here")
    assert tag is not None, "The tag should be created"
    assert tag.name == "tyler_was_here", "The tag's name should be tyler_was_here"
Esempio n. 20
0
def test_tags(session, http_client, base_url, graph):
    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
    perm2.add(session)
    session.commit()

    grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
    grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")

    tag = PublicKeyTag(name="tyler_was_here")
    tag.add(session)
    session.commit()

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    grant_permission_to_tag(session, tag.id, perm.id, "prod")
    with pytest.raises(AssertionError):
        grant_permission_to_tag(session, tag.id, perm.id, "question?")

    user = session.query(User).filter_by(username="******").scalar()

    add_public_key(session, user, SSH_KEY_1)

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()

    add_tag_to_public_key(session, key, tag)

    user = session.query(User).filter_by(username="******").scalar()

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
    assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
    assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
    assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
    assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"

    graph.update_from_db(session)

    fe_url = url(base_url, '/users/{}'.format(user.username))
    resp = yield http_client.fetch(fe_url)
    assert resp.code == 200
    body = json.loads(resp.body)
    pub_key = body['data']['user']['public_keys'][0]
    assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
    assert pub_key['fingerprint'] == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
    assert pub_key['fingerprint_sha256'] == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
    assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
Esempio n. 21
0
def test_merge(session, initial_items, items_to_merge):
    items = {
        1: {
            'id': 1,
            'change': '1',
            'a': 'a',
            'b': 'b'
        },
    }
    session.execute(insert(Foo, initial_items.values()))
    session.execute(Merge(Foo, items.values()))
    session.commit()
    foos = {
        foo.id: foo._asdict()
        for foo in session.query(Foo.id, Foo.change, Foo.a, Foo.b).all()
    }
    assert dict(initial_items, **items) == foos
Esempio n. 22
0
def test_create_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'tagname':
                                       "tyler_was_here",
                                       "description":
                                       "Test Tag Please Ignore"
                                   }),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    tag = PublicKeyTag.get(session, name="tyler_was_here")
    assert tag is not None, "The tag should be created"
    assert tag.name == "tyler_was_here", "The tag's name should be tyler_was_here"
Esempio n. 23
0
def test_aggregate_request(graph, groups, permissions, session, standard_graph, users):
    gary = users["gary"]
    testuser = users["testuser"]
    not_involved = [user for name,user in users.items() if name not in ("gary","testuser")]

    print "users! {}".format(users.values())
    assert not any([u.my_requests_aggregate().all() for u in users.values()]), \
            "should have no pending requests to begin with"

    # one request to one team
    groups["team-sre"].add_member(users["testuser"], users["testuser"], reason="for the lulz")
    session.commit()

    assert len(gary.my_requests_aggregate().all()) == 1, "one pending request for owner"
    assert not any([u.my_requests_aggregate().all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # two request to two teams, same owner
    groups["team-infra"].add_member(users["testuser"], users["testuser"], reason="for the lulz")
    session.commit()

    request_gary = gary.my_requests_aggregate().all()
    assert len(request_gary) == 2, "two pending request for owner"
    assert not any([u.my_requests_aggregate().all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # resolving one request should reflect
    request = session.query(Request).filter_by(id=request_gary[0].id).scalar()
    request.update_status(users["gary"], "actioned", "for being a good person")
    session.commit()

    assert len(gary.my_requests_aggregate().all()) == 1, "one pending request for owner"
    assert not any([u.my_requests_aggregate().all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # requests to dependent teams should reflect apprpriately
    groups["security-team"].add_member(users["testuser"], users["testuser"], reason="for the lulz")
    session.commit()

    assert len(gary.my_requests_aggregate().all()) == 1, "super owner should not get request"
    assert len(users["oliver"].my_requests_aggregate().all()) == 1, "owner should get request"
    user_not_gary_oliver = [u for n,u in users.items() if n not in ("gary","oliver")]
    assert not any([u.my_requests_aggregate().all() for u in user_not_gary_oliver])
Esempio n. 24
0
def test_request_emails_reference(session, groups, permissions, users, base_url, http_client):
    tech = groups["tech-ops"]

    tech.canjoin = "canask"
    tech.add(session)
    session.commit()

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(tech.groupname))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Request Please Ignore", "member": "User: {}".format(user.name)}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    zay_emails = _get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**")
    assert any(
        ["References: " in email.body
         for email in zay_emails]
    )
Esempio n. 25
0
def test_fe_password_delete(session, users, http_client, base_url):
    user = users['*****@*****.**']

    fe_url = url(base_url, '/users/{}/passwords/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'name': "test", "password": TEST_PASSWORD}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    assert len(user_passwords(session, user)) == 1, "The user should have a password now"
    assert user_passwords(session, user)[0].name == "test", "The password should have the name given"
    assert user_passwords(session, user)[0].password_hash != TEST_PASSWORD, "The password should not be available as plain text"

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    fe_url = url(base_url, '/users/{}/passwords/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'name': "test", "password": TEST_PASSWORD}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    assert len(user_passwords(session, user)) == 1, "The user should have a password now (duplicate names are permitted for distinct users)"
    assert user_passwords(session, user)[0].name == "test", "The password should have the name given"
    assert user_passwords(session, user)[0].password_hash != TEST_PASSWORD, "The password should not be available as plain text"

    with pytest.raises(HTTPError):
        user = session.query(User).filter_by(name="*****@*****.**").scalar()
        fe_url = url(base_url, '/users/{}/passwords/{}/delete'.format(user.username, user_passwords(session, user)[0].id))
        resp = yield http_client.fetch(fe_url, method="POST",
                body="",
                headers={'X-Grouper-User': "******"})

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    fe_url = url(base_url, '/users/{}/passwords/{}/delete'.format(user.username, user_passwords(session, user)[0].id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body="",
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    assert len(user_passwords(session, user)) == 0, "The password should have been deleted"
    user = session.query(User).filter_by(name="*****@*****.**").scalar()
    assert len(user_passwords(session, user)) == 1, "Other user's passwords should not have been deleted"
Esempio n. 26
0
def test_basic_request(graph, groups, permissions, session, standard_graph, users):
    group_sre = groups["team-sre"]
    group_not_sre = [g for name,g in groups.items() if name != "team-sre"]

    assert not any([group.my_requests(status="pending").all() for group in groups.values()]), \
            "no group should start with pending requests"

    group_sre.add_member(users["*****@*****.**"], users["*****@*****.**"], reason="for the lulz")
    session.commit()

    request_not_sre = [group.my_requests(status="pending").all() for group in group_not_sre]
    assert not any(request_not_sre), "only affected group should show pending requests"
    request_sre = group_sre.my_requests(status="pending").all()
    assert len(request_sre) == 1, "affected group should have request"

    request = session.query(Request).filter_by(id=request_sre[0].id).scalar()
    request.update_status(users["*****@*****.**"], "actioned", "for being a good person")
    session.commit()

    assert not any([group.my_requests(status="pending").all() for group in groups.values()]), \
            "no group should have requests after being actioned"
Esempio n. 27
0
def test_add_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    # add SSH key
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'public_key': key_1}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()

    # add SSH key
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'public_key': key_2}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
            headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert get_public_key_tags(session, key) == [], "No public keys should have a tag unless it's been added to the key"

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "dont_tag_me_bro", "description": "Test Tag Please Ignore"}),
            headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="dont_tag_me_bro")

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert get_public_key_tags(session, key) == [], "No public keys should have a tag unless it's been added to the key"

    fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here"}),
            headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
    assert get_public_key_tags(session, key)[0].name == "tyler_was_here"

    key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
    assert len(get_public_key_tags(session, key2)) == 0, "Keys other than the one with the added tag should not gain tags"

    # Non-admin and not user adding tag should fail
    fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    with pytest.raises(HTTPError):
        resp = yield http_client.fetch(fe_url, method="POST",
                body=urlencode({'tagname': "tyler_was_here"}),
                headers={'X-Grouper-User': "******"})

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
    assert get_public_key_tags(session, key)[0].name == "tyler_was_here"

    # User admins test
    fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "dont_tag_me_bro"}),
            headers={'X-Grouper-User': "******"})

    assert resp.code == 200
    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(session, key)) == 2, "The key should have 2 tags now"
    assert set([x.name for x in get_public_key_tags(session, key)]) == set(["tyler_was_here",
        "dont_tag_me_bro"])
Esempio n. 28
0
def test_grant_and_revoke(session, standard_graph, graph, groups, permissions,
                          http_client, base_url):
    """Test that permission grant and revokes are reflected correctly."""
    group_name = "team-sre"
    permission_name = "sudo"
    user_name = "*****@*****.**"

    def _check_graph_for_perm(graph):
        return any(
            map(lambda x: x.permission == permission_name,
                graph.permission_metadata[group_name]))

    # make some permission admins
    perm_admin, _ = Permission.get_or_create(session,
                                             name=PERMISSION_ADMIN,
                                             description="")
    session.commit()
    grant_permission(groups["security-team"], perm_admin)

    # grant attempt by non-permission admin
    fe_url = url(base_url, "/permissions/grant/{}".format(group_name))
    with pytest.raises(HTTPError):
        yield http_client.fetch(fe_url,
                                method="POST",
                                body=urlencode({
                                    "permission": permission_name,
                                    "argument": "specific_arg"
                                }),
                                headers={'X-Grouper-User': "******"})

    graph.update_from_db(session)
    assert not _check_graph_for_perm(graph), "no permissions granted"

    # grant by permission admin
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "permission": permission_name,
                                       "argument": "specific_arg"
                                   }),
                                   headers={'X-Grouper-User': user_name})
    assert resp.code == 200

    graph.update_from_db(session)
    assert _check_graph_for_perm(graph), "permissions granted, successfully"

    # figure out mapping_id of grant
    permission_id = Permission.get(session, name=permission_name).id
    group_id = Group.get(session, name=group_name).id
    mapping = session.query(PermissionMap).filter(
        PermissionMap.permission_id == permission_id,
        PermissionMap.group_id == group_id).first()

    # revoke permission by non-admin
    fe_url = url(
        base_url, "/permissions/{}/revoke/{}".format(permission_name,
                                                     mapping.id))
    with pytest.raises(HTTPError):
        yield http_client.fetch(fe_url,
                                method="POST",
                                body=urlencode({}),
                                headers={'X-Grouper-User': "******"})

    graph.update_from_db(session)
    assert _check_graph_for_perm(graph), "permissions not revoked"

    # revoke permission for realz
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({}),
                                   headers={'X-Grouper-User': user_name})
    assert resp.code == 200

    graph.update_from_db(session)
    assert not _check_graph_for_perm(graph), "permissions revoked successfully"
Esempio n. 29
0
def test_request_emails(graph, groups, permissions, session, standard_graph, users, base_url,
                        http_client):
    tech = groups["tech-ops"]

    tech.canjoin = "canask"
    tech.add(session)
    session.commit()

    # REQUEST 1

    before_reqs = session.query(Request).count()

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(tech.groupname))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Request Please Ignore", "member": "User: {}".format(user.name)}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    zaya_emails = len(_get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))
    fh_emails = len(_get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))

    assert zaya_emails + fh_emails == 2, "Only approvers for the requested group should receive an email"
    assert zaya_emails == 1, "Owners should receive exactly one email per canask request"
    assert fh_emails == 1, "NP-Owners should receive exactly one email per canask request"

    assert session.query(Request).count() == before_reqs + 1, "There should only be one added request"

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request_id = session.query(Request).filter_by(requesting_id=tech.id, requester_id=user.id).scalar().id
    fe_url = url(base_url, '/groups/{}/requests/{}'.format(tech.groupname, request_id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Response Please Ignore", "status": "actioned"}),
            headers={'X-Grouper-User': "******"})
    assert resp.code == 200

    fh_emails = len(_get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))
    testuser_emails = len(_get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))

    assert fh_emails + testuser_emails == 2, "Only the approver that didn't action the request and the reqester should get an email"
    assert fh_emails == 1, "NP-owners that did not action the request should receive an email"
    assert testuser_emails == 1, "The requester should receive an email when the request is handled"

    # REQUEST 2

    before_reqs = session.query(Request).count()

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(tech.groupname))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Request Please Ignore 2", "member": "User: {}".format(user.name)}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    zaya_emails = len(_get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))
    fh_emails = len(_get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))

    assert zaya_emails + fh_emails == 2, "Only approvers for the requested group should receive an email"
    assert zaya_emails == 1, "Owners should receive exactly one email per canask request"
    assert fh_emails == 1, "NP-Owners should receive exactly one email per canask request"

    assert session.query(Request).count() == before_reqs + 1, "There should only be one added request"

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request_id = session.query(Request).filter_by(requesting_id=tech.id, requester_id=user.id).scalar().id
    fe_url = url(base_url, '/groups/{}/requests/{}'.format(tech.groupname, request_id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Response Please Ignore 2", "status": "actioned"}),
            headers={'X-Grouper-User': "******"})
    assert resp.code == 200

    zaya_emails = len(_get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))
    oliver_emails = len(_get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))

    assert zaya_emails + oliver_emails == 2, "Only the approver that didn't action the request and the reqester should get an email"
    assert zaya_emails == 1, "NP-owners that did not action the request should receive an email"
    assert oliver_emails == 1, "The requester should receive an email when the request is handled"
Esempio n. 30
0
def test_tags(session, http_client, base_url, graph):
    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    perm2 = Permission(name="it.literally.does.not.matter",
                       description="Why is this not nullable?")
    perm2.add(session)
    session.commit()

    grant_permission(
        session.query(Group).filter_by(groupname="all-teams").scalar(),
        session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
    grant_permission(
        session.query(Group).filter_by(groupname="all-teams").scalar(),
        session.query(Permission).filter_by(
            name="it.literally.does.not.matter").scalar(), "*")

    tag = PublicKeyTag(name="tyler_was_here")
    tag.add(session)
    session.commit()

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    grant_permission_to_tag(session, tag.id, perm.id, "prod")
    with pytest.raises(AssertionError):
        grant_permission_to_tag(session, tag.id, perm.id, "question?")

    user = session.query(User).filter_by(username="******").scalar()

    add_public_key(session, user, SSH_KEY_1)

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()

    add_tag_to_public_key(session, key, tag)

    user = session.query(User).filter_by(username="******").scalar()

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
    assert len(get_public_key_permissions(
        session, key)) == 1, "The SSH Key should have only 1 permission"
    assert get_public_key_permissions(
        session,
        key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
    assert get_public_key_permissions(
        session, key
    )[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
    assert len(user_permissions(
        session, user)) > 1, "The user should have more than 1 permission"

    graph.update_from_db(session)

    fe_url = url(base_url, '/users/{}'.format(user.username))
    resp = yield http_client.fetch(fe_url)
    assert resp.code == 200
    body = json.loads(resp.body)
    pub_key = body['data']['user']['public_keys'][0]
    assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
    assert pub_key[
        'fingerprint'] == 'e9:ae:c5:8f:39:9b:3a:9c:6a:b8:33:6b:cb:6f:ba:35'
    assert pub_key[
        'fingerprint_sha256'] == 'MP9uWaujW96EWxbjDtPdPWheoMDu6BZ8FZj0+CBkVWU'
    assert pub_key['tags'][
        0] == 'tyler_was_here', "The public key should have the tag we gave it"
Esempio n. 31
0
def test_add_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    # add SSH key
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({'public_key': key_1}),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()

    # add SSH key
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({'public_key': key_2}),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'tagname':
                                       "tyler_was_here",
                                       "description":
                                       "Test Tag Please Ignore"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert get_public_key_tags(
        session, key
    ) == [], "No public keys should have a tag unless it's been added to the key"

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'tagname':
                                       "dont_tag_me_bro",
                                       "description":
                                       "Test Tag Please Ignore"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="dont_tag_me_bro")

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert get_public_key_tags(
        session, key
    ) == [], "No public keys should have a tag unless it's been added to the key"

    fe_url = url(base_url,
                 '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode(
                                       {'tagname': "tyler_was_here"}),
                                   headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(
        session, key)) == 1, "The key should have exactly 1 tag"
    assert get_public_key_tags(session, key)[0].name == "tyler_was_here"

    key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
    assert len(
        get_public_key_tags(session, key2)
    ) == 0, "Keys other than the one with the added tag should not gain tags"

    # Non-admin and not user adding tag should fail
    fe_url = url(base_url,
                 '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    with pytest.raises(HTTPError):
        resp = yield http_client.fetch(
            fe_url,
            method="POST",
            body=urlencode({'tagname': "tyler_was_here"}),
            headers={'X-Grouper-User': "******"})

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(
        session, key)) == 1, "The key should have exactly 1 tag"
    assert get_public_key_tags(session, key)[0].name == "tyler_was_here"

    # User admins test
    fe_url = url(base_url,
                 '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body=urlencode({'tagname': "dont_tag_me_bro"}),
        headers={'X-Grouper-User': "******"})

    assert resp.code == 200
    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(session,
                                   key)) == 2, "The key should have 2 tags now"
    assert set([x.name for x in get_public_key_tags(session, key)
                ]) == set(["tyler_was_here", "dont_tag_me_bro"])
Esempio n. 32
0
def test_aggregate_request(graph, groups, permissions, session, standard_graph,
                           users):
    gary = users["*****@*****.**"]
    testuser = users["*****@*****.**"]
    not_involved = [
        user for name, user in users.items()
        if name not in ("*****@*****.**", "*****@*****.**")
    ]

    assert not any([user_requests_aggregate(session, u).all() for u in users.values()]), \
            "should have no pending requests to begin with"

    # one request to one team
    groups["team-sre"].add_member(users["*****@*****.**"],
                                  users["*****@*****.**"],
                                  reason="for the lulz")
    session.commit()

    assert len(user_requests_aggregate(
        session, gary).all()) == 1, "one pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # two request to two teams, same owner
    groups["team-infra"].add_member(users["*****@*****.**"],
                                    users["*****@*****.**"],
                                    reason="for the lulz")
    session.commit()

    request_gary = user_requests_aggregate(session, gary).all()
    assert len(request_gary) == 2, "two pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # resolving one request should reflect
    request = session.query(Request).filter_by(id=request_gary[0].id).scalar()
    request.update_status(users["*****@*****.**"], "actioned",
                          "for being a good person")
    session.commit()

    assert len(user_requests_aggregate(
        session, gary).all()) == 1, "one pending request for owner"
    assert not any([user_requests_aggregate(session, u).all() for u in not_involved]), \
            "no pending requests if you're not the owner"

    # requests to dependent teams should reflect apprpriately
    groups["security-team"].add_member(users["*****@*****.**"],
                                       users["*****@*****.**"],
                                       reason="for the lulz")
    session.commit()

    assert len(user_requests_aggregate(
        session, gary).all()) == 1, "super owner should not get request"
    assert len(user_requests_aggregate(
        session, users["*****@*****.**"]).all()) == 1, "owner should get request"
    user_not_gary_oliver = [
        u for n, u in users.items() if n not in ("*****@*****.**", "*****@*****.**")
    ]
    assert not any([
        user_requests_aggregate(session, u).all() for u in user_not_gary_oliver
    ])

    # manager and np-owner should get requests
    figurehead = users["*****@*****.**"]
    add_member(groups["audited-team"], figurehead, role="manager")
    assert len(user_requests_aggregate(
        session, figurehead).all()) == 0, "no request for np-owner at first"

    groups["tech-ops"].add_member(users["*****@*****.**"],
                                  users["*****@*****.**"],
                                  reason="for the lulz")
    assert len(user_requests_aggregate(
        session, figurehead).all()) == 1, "request for np-owner"

    groups["audited-team"].add_member(users["*****@*****.**"],
                                      users["*****@*****.**"],
                                      reason="for the lulz")
    assert len(user_requests_aggregate(
        session, figurehead).all()) == 2, "request for np-owner and manager"
Esempio n. 33
0
def test_request_autoexpiration(graph, groups, permissions, session,
                                standard_graph, users, base_url, http_client):
    tech = groups["tech-ops"]
    sre = groups["team-sre"]
    security = groups["security-team"]
    sad = groups["sad-team"]
    infra = groups["team-infra"]

    tech.canjoin = "canask"
    tech.auto_expire = timedelta(days=5)
    tech.add(session)
    session.commit()

    sre.canjoin = "canjoin"
    sre.auto_expire = timedelta(days=500)
    sre.add(session)
    session.commit()

    security.canjoin = "canjoin"
    security.add(session)
    session.commit()

    sad.canjoin = "canjoin"
    sad.add(session)
    session.commit()

    infra.canjoin = "canjoin"
    infra.add(session)
    session.commit()

    # REQUEST 1

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    tech = session.query(Group).filter_by(groupname="tech-ops").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(tech.groupname))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "reason":
                                       "Test Request Please Ignore",
                                       "member":
                                       "User: {}".format(user.name)
                                   }),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request = session.query(Request).filter_by(requesting_id=tech.id,
                                               requester_id=user.id).scalar()
    assert datetime.strptime(request.changes['expiration'], "%m/%d/%Y").date(
    ) == (
        datetime.utcnow().date() + tech.auto_expire
    ), "Request expirations should be the current date + group.auto_expire for canask groups"

    # REQUEST 2

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    sre = session.query(Group).filter_by(groupname="team-sre").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(sre.groupname))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "reason":
                                       "Test Request Please Ignore",
                                       "member":
                                       "User: {}".format(user.name)
                                   }),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request = session.query(Request).filter_by(requesting_id=sre.id,
                                               requester_id=user.id).scalar()
    assert datetime.strptime(request.changes['expiration'], "%m/%d/%Y").date(
    ) == (
        datetime.utcnow().date() + sre.auto_expire
    ), "Request expirations should be the current date + group.auto_expire for canjoin groups"

    # REQUEST 3

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    security = session.query(Group).filter_by(
        groupname="security-team").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(security.groupname))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "reason":
                                       "Test Request Please Ignore",
                                       "member":
                                       "User: {}".format(user.name)
                                   }),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request = session.query(Request).filter_by(requesting_id=security.id,
                                               requester_id=user.id).scalar()
    assert "expiration" not in request.changes, "The request should not have an expiration if none is provided and there is no auto_expiration"

    # REQUEST 4

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    sad = session.query(Group).filter_by(groupname="sad-team").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(sad.groupname))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "reason":
                                       "Test Request Please Ignore",
                                       "member":
                                       "User: {}".format(user.name),
                                       "expiration":
                                       "01/19/2038"
                                   }),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request = session.query(Request).filter_by(requesting_id=sad.id,
                                               requester_id=user.id).scalar()
    assert datetime.strptime(request.changes['expiration'], "%m/%d/%Y").date(
    ) == date(
        year=2038, month=1, day=19
    ), "User provided expiration times should not be overwritten by the auto_expiration"

    # REQUEST 5

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    infra = session.query(Group).filter_by(groupname="team-infra").scalar()
    fe_url = url(base_url, '/groups/{}/add'.format(infra.groupname))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "reason":
                                       "Test Request Please Ignore",
                                       "member":
                                       "User: {}".format(user.name)
                                   }),
                                   headers={'X-Grouper-User': "******"})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request = session.query(Request).filter_by(requesting_id=infra.id,
                                               requester_id=user.id).scalar()
    assert "expiration" not in request.changes, "The request should not have an expiration if none is provided and the request was created by adding a member"

    # REQUEST 6

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    sre = session.query(Group).filter_by(groupname="team-sre").scalar()
    fe_url = url(base_url,
                 '/groups/{}/edit/user/{}'.format(sre.groupname, user.name))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "reason":
                                       "Test Request Please Ignore",
                                       "member":
                                       "User: {}".format(user.name),
                                       "role":
                                       "member",
                                       "expiration":
                                       ""
                                   }),
                                   headers={'X-Grouper-User': "******"})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    group_edge = session.query(GroupEdge).filter_by(
        group_id=sre.id, member_pk=user.id).scalar()
    assert group_edge.expiration is None, "The request should not have an expiration if none is provided and the user was edited by an approver"
Esempio n. 34
0
def test_expire_nonauditors(standard_graph, users, groups, session, permissions):
    """ Test expiration auditing and notification. """

    graph = standard_graph  # noqa

    # Test audit autoexpiration for all approvers

    approver_roles = ["owner", "np-owner", "manager"]

    for role in approver_roles:

        # Add non-auditor as an owner to an audited group
        add_member(groups["audited-team"], users["*****@*****.**"], role=role)
        session.commit()
        graph.update_from_db(session)

        group_md = graph.get_group_details("audited-team")

        assert group_md.get('audited', False)

        # Expire the edges.
        background = BackgroundThread(settings, None)
        background.expire_nonauditors(session)

        # Check that the edges are now marked as inactive.
        edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
        assert edge.expiration is not None
        assert edge.expiration < datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days)
        assert edge.expiration > datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days - 1)

        assert any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])

        audits = AuditLog.get_entries(session, action="nonauditor_flagged")
        assert len(audits) == 3 + 1 * (approver_roles.index(role) + 1)

        revoke_member(groups["audited-team"], users["*****@*****.**"])

    # Ensure nonauditor, nonapprovers in audited groups do not get set to expired

    member_roles = ["member"]

    for role in member_roles:

        # Add non-auditor as an owner to an audited group
        add_member(groups["audited-team"], users["*****@*****.**"], role=role)
        session.commit()
        graph.update_from_db(session)

        group_md = graph.get_group_details("audited-team")

        assert group_md.get('audited', False)

        # Expire the edges.
        background = BackgroundThread(settings, None)
        background.expire_nonauditors(session)

        # Check that the edges are now marked as inactive.
        edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
        assert edge.expiration is None

        assert not any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])

        audits = AuditLog.get_entries(session, action="nonauditor_flagged")
        assert len(audits) == 3 + 1 * len(approver_roles)

        revoke_member(groups["audited-team"], users["*****@*****.**"])
Esempio n. 35
0
def test_permissions(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    perm = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
    grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
            headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'permission': TAG_EDIT, "argument": "prod"}),
            headers={'X-Grouper-User': user.username})

    user = session.query(User).filter_by(username="******").scalar()
    # add SSH key
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'public_key': key_1}),
            headers={'X-Grouper-User': user.username})

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here"}),
            headers={'X-Grouper-User': user.username})
    
    user = session.query(User).filter_by(username="******").scalar()

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
    assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
    assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
    assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
    assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"
Esempio n. 36
0
def test_request_autoexpiration(graph, groups, permissions, session, standard_graph, users,
                                base_url, http_client):
    tech = groups["tech-ops"]
    sre = groups["team-sre"]
    security = groups["security-team"]
    sad = groups["sad-team"]
    infra = groups["team-infra"]

    tech.canjoin = "canask"
    tech.auto_expire = timedelta(days=5)
    tech.add(session)
    session.commit()

    sre.canjoin = "canjoin"
    sre.auto_expire = timedelta(days=500)
    sre.add(session)
    session.commit()

    security.canjoin = "canjoin"
    security.add(session)
    session.commit()

    sad.canjoin = "canjoin"
    sad.add(session)
    session.commit()

    infra.canjoin = "canjoin"
    infra.add(session)
    session.commit()

    # REQUEST 1

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    tech = session.query(Group).filter_by(groupname="tech-ops").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(tech.groupname))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Request Please Ignore", "member": "User: {}".format(user.name)}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request = session.query(Request).filter_by(requesting_id=tech.id, requester_id=user.id).scalar()
    assert datetime.strptime(request.changes['expiration'], "%m/%d/%Y").date() == (datetime.utcnow().date() + tech.auto_expire), "Request expirations should be the current date + group.auto_expire for canask groups"

    # REQUEST 2

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    sre = session.query(Group).filter_by(groupname="team-sre").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(sre.groupname))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Request Please Ignore", "member": "User: {}".format(user.name)}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request = session.query(Request).filter_by(requesting_id=sre.id, requester_id=user.id).scalar()
    assert datetime.strptime(request.changes['expiration'], "%m/%d/%Y").date() == (datetime.utcnow().date() + sre.auto_expire), "Request expirations should be the current date + group.auto_expire for canjoin groups"

    # REQUEST 3

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    security = session.query(Group).filter_by(groupname="security-team").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(security.groupname))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Request Please Ignore", "member": "User: {}".format(user.name)}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request = session.query(Request).filter_by(requesting_id=security.id, requester_id=user.id).scalar()
    assert "expiration" not in request.changes, "The request should not have an expiration if none is provided and there is no auto_expiration"

    # REQUEST 4

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    sad = session.query(Group).filter_by(groupname="sad-team").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(sad.groupname))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Request Please Ignore", "member": "User: {}".format(user.name), "expiration": "01/19/2038"}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request = session.query(Request).filter_by(requesting_id=sad.id, requester_id=user.id).scalar()
    assert datetime.strptime(request.changes['expiration'], "%m/%d/%Y").date() == date(year=2038, month=1, day=19), "User provided expiration times should not be overwritten by the auto_expiration"

    # REQUEST 5

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    infra = session.query(Group).filter_by(groupname="team-infra").scalar()
    fe_url = url(base_url, '/groups/{}/add'.format(infra.groupname))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Request Please Ignore", "member": "User: {}".format(user.name)}),
            headers={'X-Grouper-User': "******"})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request = session.query(Request).filter_by(requesting_id=infra.id, requester_id=user.id).scalar()
    assert "expiration" not in request.changes, "The request should not have an expiration if none is provided and the request was created by adding a member"

    # REQUEST 6

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    sre = session.query(Group).filter_by(groupname="team-sre").scalar()
    fe_url = url(base_url, '/groups/{}/edit/user/{}'.format(sre.groupname, user.name))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({"reason": "Test Request Please Ignore", "member": "User: {}".format(user.name), "role": "member", "expiration": ""}),
            headers={'X-Grouper-User': "******"})
    assert resp.code == 200

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    group_edge = session.query(GroupEdge).filter_by(group_id=sre.id, member_pk=user.id).scalar()
    assert group_edge.expiration is None, "The request should not have an expiration if none is provided and the user was edited by an approver"
Esempio n. 37
0
def test_permissions(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    perm = Permission(name="it.literally.does.not.matter",
                      description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    grant_permission(
        session.query(Group).filter_by(groupname="all-teams").scalar(),
        session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
    grant_permission(
        session.query(Group).filter_by(groupname="all-teams").scalar(),
        session.query(Permission).filter_by(
            name="it.literally.does.not.matter").scalar(), "*")

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'tagname':
                                       "tyler_was_here",
                                       "description":
                                       "Test Tag Please Ignore"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'permission': TAG_EDIT,
                                       "argument": "prod"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    user = session.query(User).filter_by(username="******").scalar()
    # add SSH key
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({'public_key': key_1}),
                                   headers={'X-Grouper-User': user.username})

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url,
                 '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode(
                                       {'tagname': "tyler_was_here"}),
                                   headers={'X-Grouper-User': user.username})

    user = session.query(User).filter_by(username="******").scalar()

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
    assert len(get_public_key_permissions(
        session, key)) == 1, "The SSH Key should have only 1 permission"
    assert get_public_key_permissions(
        session,
        key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
    assert get_public_key_permissions(
        session, key
    )[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
    assert len(user_permissions(
        session, user)) > 1, "The user should have more than 1 permission"
Esempio n. 38
0
def test_remove_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    # add SSH key
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'public_key': key_1}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()

    # add SSH key
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'public_key': key_2}),
            headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here", "description": "Test Tag Please Ignore"}),
            headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert get_public_key_tags(session, key) == [], "No public keys should have a tag unless it's been added to the key"

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "dont_tag_me_bro", "description": "Test Tag Please Ignore"}),
            headers={'X-Grouper-User': user.username})

    tag2 = PublicKeyTag.get(session, name="dont_tag_me_bro")

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert get_public_key_tags(session, key) == [], "No public keys should have a tag unless it's been added to the key"

    fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here"}),
            headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
    assert get_public_key_tags(session, key)[0].name == "tyler_was_here"

    key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
    assert len(get_public_key_tags(session, key2)) == 0, "Keys other than the one with the added tag should not gain tags"

    fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key2.id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here"}),
            headers={'X-Grouper-User': user.username})

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    # Fail Remove tag
    tag = PublicKeyTag.get(session, name="dont_tag_me_bro")
    fe_url = url(base_url, '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id, tag.id))
    with pytest.raises(HTTPError):
        resp = yield http_client.fetch(fe_url, method="POST",
                body="",
                headers={'X-Grouper-User': "******"})

    # Remove tag that isn't on key: should fail silently
    tag = PublicKeyTag.get(session, name="dont_tag_me_bro")
    fe_url = url(base_url, '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id, tag.id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body="",
            headers={'X-Grouper-User': user.username})

    assert resp.code == 200

    # Remove tag
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    fe_url = url(base_url, '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id, tag.id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body="",
            headers={'X-Grouper-User': user.username})

    assert resp.code == 200

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(session, key)) == 0, "The key should have exactly 0 tags"

    key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
    assert len(get_public_key_tags(session, key2)) == 1, "Removing a tag from one key should not affect other keys"

    # User admin remove tag

    # readd tag
    fe_url = url(base_url, '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body=urlencode({'tagname': "tyler_was_here"}),
            headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tag"
    assert get_public_key_tags(session, key)[0].name == "tyler_was_here"

    # Nonuser admin fail Remove tag
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    fe_url = url(base_url, '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id, tag.id))
    with pytest.raises(HTTPError):
        resp = yield http_client.fetch(fe_url, method="POST",
                body="",
                headers={'X-Grouper-User': "******"})

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(session, key)) == 1, "The key should have exactly 1 tags"

    # Remove tag
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    fe_url = url(base_url, '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id, tag.id))
    resp = yield http_client.fetch(fe_url, method="POST",
            body="",
            headers={'X-Grouper-User': "******"})

    assert resp.code == 200

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(session, key)) == 0, "The key should have exactly 0 tags"
Esempio n. 39
0
def test_expire_nonauditors(standard_graph, users, groups, session, permissions):
    """ Test expiration auditing and notification. """

    graph = standard_graph  # noqa

    # Test audit autoexpiration for all approvers

    approver_roles = ["owner", "np-owner", "manager"]

    for role in approver_roles:

        # Add non-auditor as an owner to an audited group
        add_member(groups["audited-team"], users["*****@*****.**"], role=role)
        session.commit()
        graph.update_from_db(session)

        group_md = graph.get_group_details("audited-team")

        assert group_md.get('audited', False)

        # Expire the edges.
        background = BackgroundProcessor(settings, None)
        background.expire_nonauditors(session)

        # Check that the edges are now marked as inactive.
        edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
        assert edge.expiration is not None
        assert edge.expiration < datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days)
        assert edge.expiration > datetime.utcnow() + timedelta(days=settings.nonauditor_expiration_days - 1)

        assert any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])

        audits = AuditLog.get_entries(session, action="nonauditor_flagged")
        assert len(audits) == 3 + 1 * (approver_roles.index(role) + 1)

        revoke_member(groups["audited-team"], users["*****@*****.**"])

    # Ensure nonauditor, nonapprovers in audited groups do not get set to expired

    member_roles = ["member"]

    for role in member_roles:

        # Add non-auditor as an owner to an audited group
        add_member(groups["audited-team"], users["*****@*****.**"], role=role)
        session.commit()
        graph.update_from_db(session)

        group_md = graph.get_group_details("audited-team")

        assert group_md.get('audited', False)

        # Expire the edges.
        background = BackgroundProcessor(settings, None)
        background.expire_nonauditors(session)

        # Check that the edges are now marked as inactive.
        edge = session.query(GroupEdge).filter_by(group_id=groups["audited-team"].id, member_pk=users["*****@*****.**"].id).scalar()
        assert edge.expiration is None

        assert not any(["Subject: Membership in audited-team set to expire" in email.body and "To: [email protected]" in email.body for email in _get_unsent_emails_and_send(session)])

        audits = AuditLog.get_entries(session, action="nonauditor_flagged")
        assert len(audits) == 3 + 1 * len(approver_roles)

        revoke_member(groups["audited-team"], users["*****@*****.**"])
Esempio n. 40
0
def test_request_emails(graph, groups, permissions, session, standard_graph,
                        users, base_url, http_client):
    tech = groups["tech-ops"]

    tech.canjoin = "canask"
    tech.add(session)
    session.commit()

    # REQUEST 1

    before_reqs = session.query(Request).count()

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(tech.groupname))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "reason":
                                       "Test Request Please Ignore",
                                       "member":
                                       "User: {}".format(user.name)
                                   }),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    zaya_emails = len(
        _get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))
    fh_emails = len(
        _get_unsent_and_mark_as_sent_emails_with_username(
            session, "*****@*****.**"))

    assert zaya_emails + fh_emails == 2, "Only approvers for the requested group should receive an email"
    assert zaya_emails == 1, "Owners should receive exactly one email per canask request"
    assert fh_emails == 1, "NP-Owners should receive exactly one email per canask request"

    assert session.query(Request).count(
    ) == before_reqs + 1, "There should only be one added request"

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request_id = session.query(Request).filter_by(
        requesting_id=tech.id, requester_id=user.id).scalar().id
    fe_url = url(base_url,
                 '/groups/{}/requests/{}'.format(tech.groupname, request_id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "reason": "Test Response Please Ignore",
                                       "status": "actioned"
                                   }),
                                   headers={'X-Grouper-User': "******"})
    assert resp.code == 200

    fh_emails = len(
        _get_unsent_and_mark_as_sent_emails_with_username(
            session, "*****@*****.**"))
    testuser_emails = len(
        _get_unsent_and_mark_as_sent_emails_with_username(
            session, "*****@*****.**"))

    assert fh_emails + testuser_emails == 2, "Only the approver that didn't action the request and the reqester should get an email"
    assert fh_emails == 1, "NP-owners that did not action the request should receive an email"
    assert testuser_emails == 1, "The requester should receive an email when the request is handled"

    # REQUEST 2

    before_reqs = session.query(Request).count()

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    fe_url = url(base_url, '/groups/{}/join'.format(tech.groupname))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       "reason":
                                       "Test Request Please Ignore 2",
                                       "member":
                                       "User: {}".format(user.name)
                                   }),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    zaya_emails = len(
        _get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))
    fh_emails = len(
        _get_unsent_and_mark_as_sent_emails_with_username(
            session, "*****@*****.**"))

    assert zaya_emails + fh_emails == 2, "Only approvers for the requested group should receive an email"
    assert zaya_emails == 1, "Owners should receive exactly one email per canask request"
    assert fh_emails == 1, "NP-Owners should receive exactly one email per canask request"

    assert session.query(Request).count(
    ) == before_reqs + 1, "There should only be one added request"

    # Explicitly requery because pulling from the users dict causes DetachedSessionErrors
    user = session.query(User).filter_by(username="******").scalar()
    request_id = session.query(Request).filter_by(
        requesting_id=tech.id, requester_id=user.id).scalar().id
    fe_url = url(base_url,
                 '/groups/{}/requests/{}'.format(tech.groupname, request_id))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body=urlencode({
            "reason": "Test Response Please Ignore 2",
            "status": "actioned"
        }),
        headers={'X-Grouper-User': "******"})
    assert resp.code == 200

    zaya_emails = len(
        _get_unsent_and_mark_as_sent_emails_with_username(session, "*****@*****.**"))
    oliver_emails = len(
        _get_unsent_and_mark_as_sent_emails_with_username(
            session, "*****@*****.**"))

    assert zaya_emails + oliver_emails == 2, "Only the approver that didn't action the request and the reqester should get an email"
    assert zaya_emails == 1, "NP-owners that did not action the request should receive an email"
    assert oliver_emails == 1, "The requester should receive an email when the request is handled"
Esempio n. 41
0
def test_remove_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    # add SSH key
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({'public_key': key_1}),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()

    # add SSH key
    fe_url = url(base_url, '/users/{}/public-key/add'.format(user.username))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({'public_key': key_2}),
                                   headers={'X-Grouper-User': user.username})
    assert resp.code == 200

    key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'tagname':
                                       "tyler_was_here",
                                       "description":
                                       "Test Tag Please Ignore"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert get_public_key_tags(
        session, key
    ) == [], "No public keys should have a tag unless it's been added to the key"

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'tagname':
                                       "dont_tag_me_bro",
                                       "description":
                                       "Test Tag Please Ignore"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    tag2 = PublicKeyTag.get(session, name="dont_tag_me_bro")

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert get_public_key_tags(
        session, key
    ) == [], "No public keys should have a tag unless it's been added to the key"

    fe_url = url(base_url,
                 '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode(
                                       {'tagname': "tyler_was_here"}),
                                   headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(
        session, key)) == 1, "The key should have exactly 1 tag"
    assert get_public_key_tags(session, key)[0].name == "tyler_was_here"

    key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
    assert len(
        get_public_key_tags(session, key2)
    ) == 0, "Keys other than the one with the added tag should not gain tags"

    fe_url = url(base_url,
                 '/users/{}/public-key/{}/tag'.format(user.username, key2.id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode(
                                       {'tagname': "tyler_was_here"}),
                                   headers={'X-Grouper-User': user.username})

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    # Fail Remove tag
    tag = PublicKeyTag.get(session, name="dont_tag_me_bro")
    fe_url = url(
        base_url,
        '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id,
                                                       tag.id))
    with pytest.raises(HTTPError):
        resp = yield http_client.fetch(
            fe_url,
            method="POST",
            body="",
            headers={'X-Grouper-User': "******"})

    # Remove tag that isn't on key: should fail silently
    tag = PublicKeyTag.get(session, name="dont_tag_me_bro")
    fe_url = url(
        base_url,
        '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id,
                                                       tag.id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body="",
                                   headers={'X-Grouper-User': user.username})

    assert resp.code == 200

    # Remove tag
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    fe_url = url(
        base_url,
        '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id,
                                                       tag.id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body="",
                                   headers={'X-Grouper-User': user.username})

    assert resp.code == 200

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(
        session, key)) == 0, "The key should have exactly 0 tags"

    key2 = session.query(PublicKey).filter_by(public_key=key_2).scalar()
    assert len(get_public_key_tags(
        session,
        key2)) == 1, "Removing a tag from one key should not affect other keys"

    # User admin remove tag

    # readd tag
    fe_url = url(base_url,
                 '/users/{}/public-key/{}/tag'.format(user.username, key.id))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode(
                                       {'tagname': "tyler_was_here"}),
                                   headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(
        session, key)) == 1, "The key should have exactly 1 tag"
    assert get_public_key_tags(session, key)[0].name == "tyler_was_here"

    # Nonuser admin fail Remove tag
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    fe_url = url(
        base_url,
        '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id,
                                                       tag.id))
    with pytest.raises(HTTPError):
        resp = yield http_client.fetch(
            fe_url,
            method="POST",
            body="",
            headers={'X-Grouper-User': "******"})

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(
        session, key)) == 1, "The key should have exactly 1 tags"

    # Remove tag
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    fe_url = url(
        base_url,
        '/users/{}/public-key/{}/delete_tag/{}'.format(user.username, key.id,
                                                       tag.id))
    resp = yield http_client.fetch(
        fe_url,
        method="POST",
        body="",
        headers={'X-Grouper-User': "******"})

    assert resp.code == 200

    key = session.query(PublicKey).filter_by(public_key=key_1).scalar()
    assert len(get_public_key_tags(
        session, key)) == 0, "The key should have exactly 0 tags"
Esempio n. 42
0
def test_tags(session, users, http_client, base_url, graph):
    user = session.query(User).filter_by(username="******").scalar()

    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    perm2 = Permission(name="it.literally.does.not.matter", description="Why is this not nullable?")
    perm2.add(session)
    session.commit()

    grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")
    grant_permission(session.query(Group).filter_by(groupname="all-teams").scalar(), session.query(Permission).filter_by(name="it.literally.does.not.matter").scalar(), "*")

    tag = PublicKeyTag(name="tyler_was_here")
    tag.add(session)
    session.commit()

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    user = session.query(User).filter_by(username="******").scalar()

    grant_permission_to_tag(session, tag.id, perm.id, "prod")

    user = session.query(User).filter_by(username="******").scalar()

    add_public_key(session, user, key1)

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
    user = session.query(User).filter_by(username="******").scalar()

    add_tag_to_public_key(session, key, tag)

    user = session.query(User).filter_by(username="******").scalar()

    key = session.query(PublicKey).filter_by(user_id=user.id).scalar()
    assert len(get_public_key_permissions(session, key)) == 1, "The SSH Key should have only 1 permission"
    assert get_public_key_permissions(session, key)[0].name == TAG_EDIT, "The SSH key's permission should be TAG_EDIT"
    assert get_public_key_permissions(session, key)[0].argument == "prod", "The SSH key's permission argument should be restricted to the tag's argument"
    assert len(user_permissions(session, user)) > 1, "The user should have more than 1 permission"

    graph.update_from_db(session)

    fe_url = url(base_url, '/users/{}'.format(user.username))
    resp = yield http_client.fetch(fe_url)
    assert resp.code == 200
    body = json.loads(resp.body)
    pub_key = body['data']['user']['public_keys'][0]
    assert len(pub_key['tags']) == 1, "The public key should only have 1 tag"
    assert pub_key['tags'][0] == 'tyler_was_here', "The public key should have the tag we gave it"
Esempio n. 43
0
def test_grant_permission_to_tag(users, http_client, base_url, session):

    user = session.query(User).filter_by(username="******").scalar()

    perm = Permission(name=TAG_EDIT, description="Why is this not nullable?")
    perm.add(session)
    session.commit()

    grant_permission(
        session.query(Group).filter_by(groupname="all-teams").scalar(),
        session.query(Permission).filter_by(name=TAG_EDIT).scalar(), "*")

    fe_url = url(base_url, '/tags')
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'tagname':
                                       "tyler_was_here",
                                       "description":
                                       "Test Tag Please Ignore"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    tag = PublicKeyTag.get(session, name="tyler_was_here")

    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'permission': TAG_EDIT,
                                       "argument": "*"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    assert resp.code == 200
    tag = PublicKeyTag.get(session, name="tyler_was_here")
    perm = Permission.get(session, TAG_EDIT)
    assert len(get_public_key_tag_permissions(
        session, tag)) == 1, "The tag should have exactly 1 permission"
    assert get_public_key_tag_permissions(
        session, tag
    )[0].name == perm.name, "The tag's permission should be the one we added"
    assert get_public_key_tag_permissions(
        session, tag
    )[0].argument == "*", "The tag's permission should be the one we added"

    # Make sure trying to add a permission to a tag doesn't fail horribly if it's already there
    user = session.query(User).filter_by(username="******").scalar()

    fe_url = url(base_url, '/permissions/grant_tag/{}'.format(tag.name))
    resp = yield http_client.fetch(fe_url,
                                   method="POST",
                                   body=urlencode({
                                       'permission': TAG_EDIT,
                                       "argument": "*"
                                   }),
                                   headers={'X-Grouper-User': user.username})

    assert resp.code == 200