Esempio n. 1
def test_get_auditors_group(session, standard_graph):  # noqa: F811
    """Check get_auditors_group's two configuration errors, its success path,
    and its refusal of a group that has lost the audit permission.

    The last step is the security-relevant one: a group that is named in the
    settings but no longer carries PERMISSION_AUDITOR must be rejected rather
    than returned as the auditors group.

    The test relies on the "auditors" group existing with exactly one
    PERMISSION_AUDITOR grant (presumably set up by the standard_graph
    fixture -- confirm against the fixture).
    """
    # Setting missing entirely.
    unset_settings = Mock(auditors_group=None)
    with pytest.raises(NoSuchGroup) as unset_error:
        get_auditors_group(unset_settings, session)
    unset_message = str(unset_error.value)
    assert unset_message == "Please ask your admin to configure the `auditors_group` settings"

    # Setting names a group that is not in the database.
    unknown_settings = Mock(auditors_group="do-not-exist")
    with pytest.raises(NoSuchGroup) as unknown_error:
        get_auditors_group(unknown_settings, session)
    unknown_message = str(unknown_error.value)
    assert unknown_message == "Please ask your admin to configure the default group for auditors"

    # Correctly configured: the group is returned.
    group = get_auditors_group(Mock(auditors_group="auditors"), session)
    assert group is not None

    # Revoke the audit permission from the group; the lookup must now fail
    # with GroupDoesNotHaveAuditPermission.
    audit_grants = []
    for granted in group.my_permissions():
        if granted.name == PERMISSION_AUDITOR:
            audit_grants.append(granted)
    assert len(audit_grants) == 1
    grant = audit_grants[0]
    PermissionMap.get(session, id=grant.mapping_id).delete(session)
    with pytest.raises(GroupDoesNotHaveAuditPermission):
        get_auditors_group(Mock(auditors_group="auditors"), session)
Esempio n. 2
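    def promote_nonauditors(self, session):
        # type: (Session) -> None
        """Checks all enabled audited groups and ensures that all approvers for that group have
        the PERMISSION_AUDITOR permission. All non-auditor approvers of audited groups will be
        promoted to be auditors, i.e., added to the auditors group.

        Security note: this is an automatic privilege grant. Each promoted user is passed
        as both the first and second argument of ``add_member`` (presumably member and
        requester -- confirm) with ``status="actioned"``, so the ``reason`` string is the
        record of why the membership exists. Group names in it are sorted so the recorded
        reason is deterministic.

        NOTE(review): ``notify_nonauditor_promoted`` runs before ``session.commit()``. If it
        delivers immediately rather than queuing through the session, a failed commit would
        leave users notified of a promotion that was not persisted -- confirm.

        Args:
            session (Session): database session

        Raises:
            AssertionError: if ``User.get`` finds no user for a username taken from the graph.
            Exceptions raised by ``get_auditors_group`` propagate before any member is added.
        """
        graph = Graph()
        # Hack to ensure the graph is loaded before we access it
        graph.update_from_db(session)
        # map from username to names of audited groups in which
        # that user is a nonauditor approver
        nonauditor_approver_to_groups = defaultdict(
            set)  # type: Dict[str, Set[str]]
        # per-username cache so each user's permissions are fetched only once
        user_is_auditor = {}  # type: Dict[str, bool]
        for group_tuple in graph.get_groups(audited=True,
                                            directly_audited=False):
            group_md = graph.get_group_details(group_tuple.groupname,
                                               expose_aliases=False)
            for username, user_md in iteritems(group_md["users"]):
                if username not in user_is_auditor:
                    user_perms = graph.get_user_details(
                        username)["permissions"]
                    user_is_auditor[username] = any(
                        p["permission"] == PERMISSION_AUDITOR
                        for p in user_perms)
                if user_is_auditor[username]:
                    # user is already auditor so can skip
                    continue
                if user_md["role"] in APPROVER_ROLE_INDICES:
                    # non-auditor approver. BAD!
                    nonauditor_approver_to_groups[username].add(
                        group_tuple.groupname)

        if nonauditor_approver_to_groups:
            auditors_group = get_auditors_group(self.settings, session)
            for username, group_names in iteritems(
                    nonauditor_approver_to_groups):
                reason = "auto-added due to having approver role(s) in group(s): {}".format(
                    ", ".join(sorted(group_names)))
                user = User.get(session, name=username)
                if not user:
                    # Explicit raise instead of `assert`: asserts are stripped under
                    # `python -O`, which would let a missing user reach add_member.
                    raise AssertionError(
                        "User.get returned no user for {!r}".format(username))
                auditors_group.add_member(user,
                                          user,
                                          reason,
                                          status="actioned")
                notify_nonauditor_promoted(self.settings, session, user,
                                           auditors_group, group_names)

        # Runs unconditionally, including when nobody was promoted.
        session.commit()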
Esempio n. 3
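    def promote_nonauditors(self, session):
        # type: (Session) -> None
        """Checks all enabled audited groups and ensures that all approvers for that group have
        the PERMISSION_AUDITOR permission. All non-auditor approvers of audited groups will be
        promoted to be auditors, i.e., added to the auditors group.

        Security note: membership in the auditors group is granted here without a request
        or approval step visible in this method: ``add_member`` receives the promoted user
        as both its first and second argument (presumably member and requester -- confirm)
        and ``status="actioned"``. The ``reason`` text is therefore the audit record for the
        grant; its group names are sorted so the same input always yields the same text.

        NOTE(review): users are notified before ``session.commit()`` is called. Whether a
        commit failure can leave a notification sent for a promotion that was rolled back
        depends on how ``notify_nonauditor_promoted`` delivers -- confirm.

        Args:
            session (Session): database session

        Raises:
            AssertionError: if ``User.get`` finds no user for a username taken from the graph.
            Exceptions raised by ``get_auditors_group`` propagate before any member is added.
        """
        graph = Graph()
        # Hack to ensure the graph is loaded before we access it
        graph.update_from_db(session)
        # map from username to names of audited groups in which
        # that user is a nonauditor approver
        nonauditor_approver_to_groups = defaultdict(set)  # type: Dict[str, Set[str]]
        # per-username cache so each user's permissions are fetched only once
        user_is_auditor = {}  # type: Dict[str, bool]
        for group_tuple in graph.get_groups(audited=True, directly_audited=False):
            group_md = graph.get_group_details(group_tuple.name, expose_aliases=False)
            for username, user_md in iteritems(group_md["users"]):
                if username not in user_is_auditor:
                    user_perms = graph.get_user_details(username)["permissions"]
                    user_is_auditor[username] = any(
                        p["permission"] == PERMISSION_AUDITOR for p in user_perms
                    )
                if user_is_auditor[username]:
                    # user is already auditor so can skip
                    continue
                if user_md["role"] in APPROVER_ROLE_INDICES:
                    # non-auditor approver. BAD!
                    nonauditor_approver_to_groups[username].add(group_tuple.name)

        if nonauditor_approver_to_groups:
            auditors_group = get_auditors_group(self.settings, session)
            for username, group_names in iteritems(nonauditor_approver_to_groups):
                reason = "auto-added due to having approver role(s) in group(s): {}".format(
                    ", ".join(sorted(group_names))
                )
                user = User.get(session, name=username)
                if not user:
                    # Explicit raise instead of `assert`: asserts are stripped under
                    # `python -O`, which would let a missing user reach add_member.
                    raise AssertionError("User.get returned no user for {!r}".format(username))
                auditors_group.add_member(user, user, reason, status="actioned")
                notify_nonauditor_promoted(
                    self.settings, session, user, auditors_group, group_names
                )

        # Runs unconditionally, including when nobody was promoted.
        session.commit()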
Esempio n. 4
def test_get_auditors_group(session, standard_graph):  # noqa: F811
    """Verify how get_auditors_group resolves the configured auditors group.

    Covers, in order: no group configured, a configured name that does not
    exist, a valid group, and the same group after its PERMISSION_AUDITOR
    grant has been deleted. The final case pins the guard that a group without
    the audit permission is never accepted as the auditors group.

    Assumes the "auditors" group exists with a single PERMISSION_AUDITOR grant
    (presumably provided by the standard_graph fixture -- confirm).
    """
    # (configured value, expected NoSuchGroup message) for each misconfiguration
    misconfigurations = (
        (None, "Please ask your admin to configure the `auditors_group` settings"),
        ("do-not-exist", "Please ask your admin to configure the default group for auditors"),
    )
    for configured_name, expected_message in misconfigurations:
        with pytest.raises(NoSuchGroup) as raised:
            get_auditors_group(Mock(auditors_group=configured_name), session)
        assert str(raised.value) == expected_message

    # A properly configured group is returned.
    resolved_group = get_auditors_group(Mock(auditors_group="auditors"), session)
    assert resolved_group is not None

    # Delete the group's audit permission mapping, then expect the lookup to
    # fail with GroupDoesNotHaveAuditPermission.
    audit_perms = list(
        filter(lambda perm: perm.name == PERMISSION_AUDITOR, resolved_group.my_permissions())
    )
    assert len(audit_perms) == 1
    (audit_perm,) = audit_perms
    permission_mapping = PermissionMap.get(session, id=audit_perm.mapping_id)
    permission_mapping.delete(session)
    with pytest.raises(GroupDoesNotHaveAuditPermission):
        get_auditors_group(Mock(auditors_group="auditors"), session)