def user_admin_perm_to_auditors(session, groups): # noqa: F811
"""Adds a USER_ADMIN permission to the "auditors" group"""
user_admin_perm, is_new = get_or_create_permission(
session, USER_ADMIN, description="grouper.admin.users permission")
session.commit()
grant_permission(groups["auditors"], user_admin_perm)
def user_enable_perm_to_sre(session, groups): # noqa: F811
"""Adds the (USER_ENABLE, *) permission to the group `team-sre` """
user_enable_perm, is_new = get_or_create_permission(
session, USER_ENABLE, description="grouper.user.enable perm")
session.commit()
grant_permission(groups["team-sre"], user_enable_perm, argument="*")
def user_enable_perm_to_sre(session, groups): # noqa: F811
"""Adds the (USER_ENABLE, *) permission to the group `team-sre` """
user_enable_perm, is_new = get_or_create_permission(
session, USER_ENABLE, description="grouper.user.enable perm"
)
session.commit()
grant_permission(groups["team-sre"], user_enable_perm, argument="*")
def user_admin_perm_to_auditors(session, groups): # noqa: F811
"""Adds a USER_ADMIN permission to the "auditors" group"""
user_admin_perm, is_new = get_or_create_permission(
session, USER_ADMIN, description="grouper.admin.users permission"
)
session.commit()
grant_permission(groups["auditors"], user_admin_perm)
def do_request_perms(groups, permissions, session, users): # noqa: F811
# Create the two test perms + PERMISSION_GRANT + PERMISSION_ADMIN, give GRANTING_TEAM
# appropriate PERMISSION_GRANT, and make sure there's an admin (has PERMISSION_ADMIN)
test_perm_granter = get_or_create_permission(
session, PERM_WITH_GRANTER, description="perm with granter"
)[0]
test_perm_nogranter = get_or_create_permission(
session, PERM_NO_GRANTER, description="perm without granter"
)[0]
grant_perm = get_or_create_permission(session, PERMISSION_GRANT)[0]
admin_perm = get_or_create_permission(session, PERMISSION_ADMIN)[0]
session.commit()
grant_permission(
groups[GRANTING_TEAM], grant_perm, argument="{}/{}".format(PERM_WITH_GRANTER, ARGUMENT)
)
grant_permission(groups[ADMIN_TEAM], admin_perm, argument="")
# Request the two test perms from REQUESTING_TEAM
create_request(
session,
users[REQUESTING_USER],
groups[REQUESTING_TEAM],
test_perm_granter,
ARGUMENT,
REASON,
)
create_request(
session,
users[REQUESTING_USER],
groups[REQUESTING_TEAM],
test_perm_nogranter,
ARGUMENT,
REASON,
)
# Finally make one more request from a user other than REQUESTING_USER
create_request(
session, users[GRANTING_USER], groups[GRANTING_TEAM], admin_perm, ARGUMENT, REASON
)
session.commit()
def do_request_perms(groups, permissions, session, users): # noqa: F811
# Create the two test perms + PERMISSION_GRANT + PERMISSION_ADMIN, give GRANTING_TEAM
# appropriate PERMISSION_GRANT, and make sure there's an admin (has PERMISSION_ADMIN)
test_perm_granter = get_or_create_permission(
session, PERM_WITH_GRANTER, description="perm with granter")[0]
test_perm_nogranter = get_or_create_permission(
session, PERM_NO_GRANTER, description="perm without granter")[0]
grant_perm = get_or_create_permission(session, PERMISSION_GRANT)[0]
admin_perm = get_or_create_permission(session, PERMISSION_ADMIN)[0]
session.commit()
grant_permission(groups[GRANTING_TEAM],
grant_perm,
argument="{}/{}".format(PERM_WITH_GRANTER, ARGUMENT))
grant_permission(groups[ADMIN_TEAM], admin_perm, argument="")
# Request the two test perms from REQUESTING_TEAM
create_request(
session,
users[REQUESTING_USER],
groups[REQUESTING_TEAM],
test_perm_granter,
ARGUMENT,
REASON,
)
create_request(
session,
users[REQUESTING_USER],
groups[REQUESTING_TEAM],
test_perm_nogranter,
ARGUMENT,
REASON,
)
# Finally make one more request from a user other than REQUESTING_USER
create_request(session, users[GRANTING_USER], groups[GRANTING_TEAM],
admin_perm, ARGUMENT, REASON)
session.commit()
def test_list_public_keys(async_server, browser, session, users,
groups): # noqa: F811
permission = get_or_create_permission(session, AUDIT_SECURITY)[0]
user = users["*****@*****.**"]
group = groups["group-admins"]
add_member(group, user, role="owner")
grant_permission(group, permission, "public_keys")
# Pagination defaults to 100 keys per page
for i in range(120):
key = PublicKey(
user=user,
public_key="KEY:{}".format(i),
fingerprint="MD5:{}".format(i),
fingerprint_sha256="SHA256:{}".format(i),
key_size=4096,
key_type="ssh-rsa",
comment="",
)
key.add(session)
session.commit()
fe_url = url(async_server, "/users/public-keys")
browser.get(fe_url)
page = PublicKeysPage(browser)
row = page.find_public_key_row("SHA256:0")
assert row.user == user.username
assert row.key_size == "4096"
assert row.key_type == "ssh-rsa"
assert page.find_public_key_row("SHA256:99")
with pytest.raises(NoSuchElementException):
page.find_public_key_row("SHA256:100")
def test_list_public_keys(async_server, browser, session, users, groups): # noqa: F811
permission = get_or_create_permission(session, AUDIT_SECURITY)[0]
user = users["*****@*****.**"]
group = groups["group-admins"]
add_member(group, user, role="owner")
grant_permission(group, permission, "public_keys")
# Pagination defaults to 100 keys per page
for i in range(120):
key = PublicKey(
user=user,
public_key="KEY:{}".format(i),
fingerprint="MD5:{}".format(i),
fingerprint_sha256="SHA256:{}".format(i),
key_size=4096,
key_type="ssh-rsa",
comment="",
)
key.add(session)
session.commit()
fe_url = url(async_server, "/users/public-keys")
browser.get(fe_url)
page = PublicKeysPage(browser)
row = page.find_public_key_row("SHA256:0")
assert row.user == user.username
assert row.key_size == "4096"
assert row.key_type == "ssh-rsa"
assert page.find_public_key_row("SHA256:99")
with pytest.raises(NoSuchElementException):
page.find_public_key_row("SHA256:100")
def test_auditor_promotion(mock_nnp, mock_gagn, session, graph, permissions, users): # noqa: F811
"""Test automatic promotion of non-auditor approvers
We set up our own group/user/permission for testing instead of
using the `standard_graph` fixture---retrofitting it to work for
us and also not break existing tests is too cumbersome.
So here are our groups:
very-special-auditors:
* user14
group-1:
* user11 (o)
* user12
* user13 (np-o)
* user14 (o, a)
group-2:
* user13 (np-o)
* user21 (o)
* user22
group-3:
* user22 (o)
* user12 (o)
group-4:
* user21 (np-o)
* user41
* user42 (o)
* user43 (np-o)
o: owner, np-o: no-permission owner, a: auditor
group-1 and group-2 have the permission that we will enable
auditing. group-4 will be a subgroup of group-1 and thus will
inherit the audited permission from group-1.
The expected outcome is: user11, user13, user21, user42, and
user43 will be added to the auditors group.
"""
settings = BackgroundSettings()
set_global_settings(settings)
#
# set up our test part of the graph
#
# create groups
AUDITED_GROUP = "audited"
AUDITORS_GROUP = mock_gagn.return_value = "very-special-auditors"
PERMISSION_NAME = "test-permission"
all_groups = {
groupname: Group.get_or_create(session, groupname=groupname)[0]
for groupname in ("group-1", "group-2", "group-3", "group-4", AUDITORS_GROUP)
}
# create users
users.update(
{
username + "@a.co": User.get_or_create(session, username=username + "@a.co")[0]
for username in (
"user11",
"user12",
"user13",
"user14",
"user21",
"user22",
"user23",
"user41",
"user42",
"user43",
)
}
)
# create permissions
permissions.update(
{
permission: get_or_create_permission(
session, permission, description="{} permission".format(permission)
)[0]
for permission in [PERMISSION_NAME]
}
)
# add users to groups
for (groupname, username, role) in (
("group-1", "user11", "owner"),
("group-1", "user12", "member"),
("group-1", "user13", "np-owner"),
("group-1", "user14", "owner"),
("group-2", "user13", "np-owner"),
("group-2", "user21", "owner"),
("group-2", "user22", "member"),
("group-3", "user12", "owner"),
("group-3", "user22", "owner"),
("group-4", "user21", "np-owner"),
("group-4", "user41", "member"),
("group-4", "user42", "owner"),
("group-4", "user43", "np-owner"),
):
add_member(all_groups[groupname], users[username + "@a.co"], role=role)
# add group-4 as member of group-1
add_member(all_groups["group-1"], all_groups["group-4"])
# add user14 to auditors group
add_member(all_groups[AUDITORS_GROUP], users["*****@*****.**"])
# grant permissions to groups
#
# give the test permission to groups 1 and 2, and group 4 should
# also inherit from group 1
grant_permission(all_groups["group-1"], permissions[PERMISSION_NAME])
grant_permission(all_groups["group-2"], permissions[PERMISSION_NAME])
grant_permission(all_groups[AUDITORS_GROUP], permissions[PERMISSION_AUDITOR])
graph.update_from_db(session)
# done setting up
# now a few pre-op checks
assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
assert get_users(graph, "group-3") == set(["*****@*****.**", "*****@*****.**"])
#
# run the promotion logic -> nothing should happen because the
# test-permission is not yet audited
#
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
graph.update_from_db(session)
# nothing should have happened
assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
assert mock_nnp.call_count == 0
#
# now enable auditing for the permission and run the promotion
# logic again
#
enable_permission_auditing(session, PERMISSION_NAME, users["*****@*****.**"].id)
graph.update_from_db(session)
assert graph.get_group_details("group-1").get(AUDITED_GROUP)
assert graph.get_group_details("group-4").get(AUDITED_GROUP)
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
graph.update_from_db(session)
# check that stuff happened
assert get_users(graph, AUDITORS_GROUP) == set(
["*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**"]
)
expected_calls = [
call(
settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-1"])
),
call(
settings,
session,
users["*****@*****.**"],
all_groups[AUDITORS_GROUP],
set(["group-1", "group-2"]),
),
call(
settings,
session,
users["*****@*****.**"],
all_groups[AUDITORS_GROUP],
set(["group-2", "group-4"]),
),
call(
settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-4"])
),
call(
settings, session, users["*****@*****.**"], all_groups[AUDITORS_GROUP], set(["group-4"])
),
]
assert mock_nnp.call_count == len(expected_calls)
mock_nnp.assert_has_calls(expected_calls, any_order=True)
#
# run the background promotion logic again, and nothing should
# happen
#
mock_nnp.reset_mock()
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
assert mock_nnp.call_count == 0
def test_auditor_promotion(mock_nnp, mock_gagn, session, graph, permissions,
users): # noqa: F811
"""Test automatic promotion of non-auditor approvers
We set up our own group/user/permission for testing instead of
using the `standard_graph` fixture---retrofitting it to work for
us and also not break existing tests is too cumbersome.
So here are our groups:
very-special-auditors:
* user14
group-1:
* user11 (o)
* user12
* user13 (np-o)
* user14 (o, a)
group-2:
* user13 (np-o)
* user21 (o)
* user22
group-3:
* user22 (o)
* user12 (o)
group-4:
* user21 (np-o)
* user41
* user42 (o)
* user43 (np-o)
o: owner, np-o: no-permission owner, a: auditor
group-1 and group-2 have the permission that we will enable
auditing. group-4 will be a subgroup of group-1 and thus will
inherit the audited permission from group-1.
The expected outcome is: user11, user13, user21, user42, and
user43 will be added to the auditors group.
"""
settings = BackgroundSettings()
set_global_settings(settings)
#
# set up our test part of the graph
#
# create groups
AUDITED_GROUP = "audited"
AUDITORS_GROUP = mock_gagn.return_value = "very-special-auditors"
PERMISSION_NAME = "test-permission"
all_groups = {
groupname: Group.get_or_create(session, groupname=groupname)[0]
for groupname in ("group-1", "group-2", "group-3", "group-4",
AUDITORS_GROUP)
}
# create users
users.update({
username + "@a.co": User.get_or_create(session,
username=username + "@a.co")[0]
for username in (
"user11",
"user12",
"user13",
"user14",
"user21",
"user22",
"user23",
"user41",
"user42",
"user43",
)
})
# create permissions
permissions.update({
permission: get_or_create_permission(
session,
permission,
description="{} permission".format(permission))[0]
for permission in [PERMISSION_NAME]
})
# add users to groups
for (groupname, username, role) in (
("group-1", "user11", "owner"),
("group-1", "user12", "member"),
("group-1", "user13", "np-owner"),
("group-1", "user14", "owner"),
("group-2", "user13", "np-owner"),
("group-2", "user21", "owner"),
("group-2", "user22", "member"),
("group-3", "user12", "owner"),
("group-3", "user22", "owner"),
("group-4", "user21", "np-owner"),
("group-4", "user41", "member"),
("group-4", "user42", "owner"),
("group-4", "user43", "np-owner"),
):
add_member(all_groups[groupname], users[username + "@a.co"], role=role)
# add group-4 as member of group-1
add_member(all_groups["group-1"], all_groups["group-4"])
# add user14 to auditors group
add_member(all_groups[AUDITORS_GROUP], users["*****@*****.**"])
# grant permissions to groups
#
# give the test permission to groups 1 and 2, and group 4 should
# also inherit from group 1
grant_permission(all_groups["group-1"], permissions[PERMISSION_NAME])
grant_permission(all_groups["group-2"], permissions[PERMISSION_NAME])
grant_permission(all_groups[AUDITORS_GROUP],
permissions[PERMISSION_AUDITOR])
graph.update_from_db(session)
# done setting up
# now a few pre-op checks
assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
assert get_users(graph, "group-3") == set(["*****@*****.**", "*****@*****.**"])
#
# run the promotion logic -> nothing should happen because the
# test-permission is not yet audited
#
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
graph.update_from_db(session)
# nothing should have happened
assert not graph.get_group_details("group-1").get(AUDITED_GROUP)
assert not graph.get_group_details("group-4").get(AUDITED_GROUP)
assert get_users(graph, AUDITORS_GROUP) == set(["*****@*****.**"])
assert mock_nnp.call_count == 0
#
# now enable auditing for the permission and run the promotion
# logic again
#
enable_permission_auditing(session, PERMISSION_NAME,
users["*****@*****.**"].id)
graph.update_from_db(session)
assert graph.get_group_details("group-1").get(AUDITED_GROUP)
assert graph.get_group_details("group-4").get(AUDITED_GROUP)
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
graph.update_from_db(session)
# check that stuff happened
assert get_users(graph, AUDITORS_GROUP) == set([
"*****@*****.**", "*****@*****.**", "*****@*****.**", "*****@*****.**",
"*****@*****.**", "*****@*****.**"
])
expected_calls = [
call(settings, session, users["*****@*****.**"],
all_groups[AUDITORS_GROUP], set(["group-1"])),
call(
settings,
session,
users["*****@*****.**"],
all_groups[AUDITORS_GROUP],
set(["group-1", "group-2"]),
),
call(
settings,
session,
users["*****@*****.**"],
all_groups[AUDITORS_GROUP],
set(["group-2", "group-4"]),
),
call(settings, session, users["*****@*****.**"],
all_groups[AUDITORS_GROUP], set(["group-4"])),
call(settings, session, users["*****@*****.**"],
all_groups[AUDITORS_GROUP], set(["group-4"])),
]
assert mock_nnp.call_count == len(expected_calls)
mock_nnp.assert_has_calls(expected_calls, any_order=True)
#
# run the background promotion logic again, and nothing should
# happen
#
mock_nnp.reset_mock()
background = BackgroundProcessor(settings, None)
background.promote_nonauditors(session)
assert mock_nnp.call_count == 0
def test_reject_disabling_system_permissions(perm_name, session, permissions): # noqa: F811
get_or_create_permission(session, perm_name)
with pytest.raises(CannotDisableASystemPermission) as exc:
disable_permission(session, perm_name, 0)
assert exc.value.name == perm_name