def test_google_bucket_access_denied_new_proxy_group(
    app,
    google_storage_client_mocker,
    client,
    cloud_manager,
    db_session,
    encoded_jwt_no_proxy_group,
    monkeypatch,
):
    """
    A user holding only ``read-storage`` on a project must not retain the
    ``write`` access that a bucket access group grants.

    The user has no proxy group yet, so hitting ``/credentials/google/``
    has to provision both a proxy group and a service account; the cloud
    manager is mocked to hand back canned values for both. Because the
    access group carries ``write`` while the user's privilege is only
    ``read-storage``, the test expects the ACL to be torn down
    (``delete_bucket_acl`` invoked) while the request itself still
    returns 200.
    """
    # Run the real auth path instead of the mocked one.
    monkeypatch.setitem(config, "MOCK_AUTH", False)

    user_id = encoded_jwt_no_proxy_group["user_id"]
    token = encoded_jwt_no_proxy_group["jwt"]

    project = Project(id=129, name="test_proj")
    provider = CloudProvider(id=129, name="google")
    bucket = Bucket(id=129, provider_id=provider.id)
    rows = [
        project,
        # The user may only read; the access group below grants write.
        AccessPrivilege(
            user_id=user_id, project_id=project.id, privilege=["read-storage"]
        ),
        provider,
        bucket,
        GoogleBucketAccessGroup(
            id=129,
            bucket_id=bucket.id,
            email="*****@*****.**",
            privileges=["write"],
        ),
        ProjectToBucket(id=129, project_id=project.id, bucket_id=bucket.id),
        StorageAccess(project_id=project.id, provider_id=provider.id),
    ]
    db_session.add_all(rows)
    db_session.commit()

    # Canned cloud-manager responses for the newly created SA / proxy group.
    manager = cloud_manager.return_value.__enter__.return_value
    manager.create_service_account_for_proxy_group.return_value = {
        "uniqueId": "987654321",
        "email": "*****@*****.**",
        "projectId": "1",
    }
    manager.create_proxy_group_for_user.return_value = {
        "id": "123456789",
        "email": "*****@*****.**",
    }

    response = client.post(
        "/credentials/google/",
        data={},
        headers={"Authorization": "Bearer " + token},
    )

    # NOTE(review): this only checks that some ACL removal happened, not for
    # which bucket or entity; tighten to assert_called_with once the expected
    # arguments are pinned down.
    assert google_storage_client_mocker.delete_bucket_acl.called
    assert response.status_code == 200
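def test_google_bucket_access_existing_proxy_group(
    app,
    google_storage_client_mocker,
    client,
    cloud_manager,
    db_session,
    encoded_creds_jwt,
    monkeypatch,
):
    """
    A user with ``write-storage`` whose service account is already
    registered should not trigger a fresh ACL grant.

    A ``GoogleServiceAccount`` row for this client/user pair is seeded
    before the request so the endpoint finds an existing one. The bucket
    access group already carries ``write`` and the user holds
    ``write-storage``, so the test expects ``add_bucket_acl`` to stay
    untouched and the request to return 200.

    Cleanup vs. the earlier version: the service account was added and
    committed twice and ``path`` was assigned twice; both redundancies
    are dropped without changing what gets persisted.
    """
    # Run the real auth path instead of the mocked one.
    monkeypatch.setitem(app.config, "MOCK_AUTH", False)

    user_id = encoded_creds_jwt["user_id"]
    client_id = encoded_creds_jwt["client_id"]
    token = encoded_creds_jwt["jwt"]

    # Seed the service account first (separate commit, as before) so it is
    # persisted before the project/bucket rows.
    service_account = GoogleServiceAccount(
        google_unique_id="123456789",
        client_id=client_id,
        user_id=user_id,
        email=(client_id + "-" + str(user_id) + "@test.com"),
        google_project_id="projectId-0",
    )
    db_session.add(service_account)
    db_session.commit()

    project = Project(id=129, name="test_proj")
    provider = CloudProvider(id=129, name="google")
    bucket = Bucket(id=129, provider_id=provider.id)
    db_session.add_all(
        [
            project,
            # User privilege matches the access group's "write" below.
            AccessPrivilege(
                user_id=user_id, project_id=project.id, privilege=["write-storage"]
            ),
            provider,
            bucket,
            GoogleBucketAccessGroup(
                id=129,
                bucket_id=bucket.id,
                email="*****@*****.**",
                privileges=["write"],
            ),
            ProjectToBucket(id=129, project_id=project.id, bucket_id=bucket.id),
            StorageAccess(project_id=project.id, provider_id=provider.id),
        ]
    )
    db_session.commit()

    response = client.post(
        "/credentials/google/",
        data={},
        headers={"Authorization": "Bearer " + token},
    )

    # Existing write access must not be re-granted.
    assert google_storage_client_mocker.add_bucket_acl.called is False
    assert response.status_code == 200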
def test_service_account_relationsips(db_session):
    """
    Check that the service-account tables wire up their relationships and
    back-references in both directions:
    Project <-> ServiceAccountAccessPrivilege <-> UserServiceAccount
    <-> ServiceAccountToGoogleBucketAccessGroup <-> GoogleBucketAccessGroup.

    Every row uses id 1 so each foreign key points at exactly one parent.
    """
    project = Project(id=1)
    bucket = Bucket(id=1)
    service_account = UserServiceAccount(
        id=1,
        google_unique_id="guid",
        email="*****@*****.**",
        google_project_id="gpid",
    )
    privilege = ServiceAccountAccessPrivilege(
        id=1, project_id=1, service_account_id=1
    )
    access_group = GoogleBucketAccessGroup(
        id=1, bucket_id=1, email="*****@*****.**"
    )
    # expires=0 is only a placeholder here; expiry is not exercised by
    # this test.
    link = ServiceAccountToGoogleBucketAccessGroup(
        id=1, service_account_id=1, expires=0, access_group_id=1
    )

    db_session.add_all(
        [project, bucket, service_account, privilege, access_group, link]
    )
    db_session.commit()

    # Project <-> access privilege
    project_privilege = project.sa_access_privileges[0]
    assert type(project_privilege) is ServiceAccountAccessPrivilege
    assert project_privilege.id == 1
    assert type(privilege.project) is Project
    assert privilege.project.id == 1

    # Access privilege <-> service account
    assert type(privilege.service_account) is UserServiceAccount
    assert privilege.service_account.id == 1
    sa_privilege = service_account.access_privileges[0]
    assert type(sa_privilege) is ServiceAccountAccessPrivilege
    assert sa_privilege.id == 1

    # Service account <-> bucket access group link
    sa_link = service_account.to_access_groups[0]
    assert type(sa_link) is ServiceAccountToGoogleBucketAccessGroup
    assert sa_link.id == 1
    assert type(link.service_account) is UserServiceAccount
    assert link.service_account.id == 1

    # Link <-> bucket access group
    assert type(link.access_group) is GoogleBucketAccessGroup
    assert link.access_group.id == 1
    group_link = access_group.to_access_groups[0]
    assert type(group_link) is ServiceAccountToGoogleBucketAccessGroup
    assert group_link.id == 1
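def test_google_bucket_access_existing_proxy_group(
    app,
    google_storage_client_mocker,
    client,
    cloud_manager,
    db_session,
    encoded_creds_jwt,
    monkeypatch,
):
    """
    A user with ``write-storage`` whose service account is already
    registered should not trigger a fresh ACL grant.

    A ``GoogleServiceAccount`` row for this client/user pair is seeded
    before the request, and the lookup/update helpers in
    ``fence.resources.google.utils`` are replaced so the endpoint gets that
    row back without touching the database again. The bucket access group
    already carries ``write`` and the user holds ``write-storage``, so
    ``add_bucket_acl`` must not be called and the request must return 200.

    Fix vs. the earlier version: the helpers were patched with
    ``patch(...).start()`` and never stopped, which leaked the mocks into
    every later test in the session. They are now installed through
    ``monkeypatch`` so teardown restores the real functions. The duplicate
    ``db_session.add(service_account)``/``commit()`` and the second ``path``
    assignment are also dropped.
    """
    # Run the real auth path instead of the mocked one.
    monkeypatch.setitem(config, "MOCK_AUTH", False)

    user_id = encoded_creds_jwt["user_id"]
    client_id = encoded_creds_jwt["client_id"]
    token = encoded_creds_jwt["jwt"]

    # Seed the service account first (separate commit, as before) so it is
    # persisted before the project/bucket rows.
    service_account = GoogleServiceAccount(
        google_unique_id="123456789",
        client_id=client_id,
        user_id=user_id,
        email=(client_id + "-" + str(user_id) + "@test.com"),
        google_project_id="projectId-0",
    )
    db_session.add(service_account)
    db_session.commit()

    project = Project(id=129, name="test_proj")
    provider = CloudProvider(id=129, name="google")
    bucket = Bucket(id=129, provider_id=provider.id)
    db_session.add_all(
        [
            project,
            # User privilege matches the access group's "write" below.
            AccessPrivilege(
                user_id=user_id, project_id=project.id, privilege=["write-storage"]
            ),
            provider,
            bucket,
            GoogleBucketAccessGroup(
                id=129,
                bucket_id=bucket.id,
                email="*****@*****.**",
                privileges=["write"],
            ),
            ProjectToBucket(id=129, project_id=project.id, bucket_id=bucket.id),
            StorageAccess(project_id=project.id, provider_id=provider.id),
        ]
    )
    db_session.commit()

    # Hand back the pre-seeded service account and skip the DB update, since
    # the row already exists. monkeypatch undoes both patches at teardown;
    # an un-stopped patch(...).start() would persist across tests.
    fake_lookup = MagicMock(return_value=service_account)
    monkeypatch.setattr(
        "fence.resources.google.utils.get_or_create_service_account", fake_lookup
    )
    monkeypatch.setattr(
        "fence.resources.google.utils._update_service_account_db_entry", fake_lookup
    )

    response = client.post(
        "/credentials/google/",
        data={},
        headers={"Authorization": "Bearer " + token},
    )

    # Existing write access must not be re-granted.
    assert google_storage_client_mocker.add_bucket_acl.called is False
    assert response.status_code == 200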