コード例 #1
ファイル: test_user_model.py プロジェクト: sibukixxx/naruko
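    def test_delete(self):
        """Deleting every UserModel row leaves the table empty."""
        now = datetime.now()
        role_model = RoleModel.objects.create(
            id=RoleModel.MASTER_ID,
            role_name="test_role",
            created_at=now,
            updated_at=now
        )
        tenant_model = TenantModel.objects.create(
            tenant_name="test_tenant",
            created_at=now,
            updated_at=now
        )

        user_model = UserModel(
            email="test_email",
            name="test_name",
            password="******",
            tenant=tenant_model,
            role=role_model,
            created_at=now,
            updated_at=now
        )

        user_model.save()

        # Confirm the row exists first; otherwise the final count of 0 would
        # also pass if the save had silently stored nothing.
        saved_user_model = UserModel.objects.all()
        self.assertEqual(saved_user_model.count(), 1)

        saved_user_model.all().delete()
        deleted_user_model = UserModel.objects.all()
        self.assertEqual(deleted_user_model.count(), 0)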
コード例 #2
    def save_aws_environment(self, request_user: UserModel,
                             aws_environment: AwsEnvironmentModel):
        """Save an AWS environment once the requester is authorised.

        The requester must belong to the environment's tenant and pass
        can_control_aws(); otherwise PermissionDenied is raised. The IAM role
        is validated before anything is written. Returns aws_environment.
        """
        self.logger.info("START: save_aws_environment")

        # Tenant boundary first, then the role-level permission.
        in_tenant = request_user.is_belong_to_tenant(aws_environment.tenant)
        if not in_tenant:
            denial = "request user can't save aws_environments. user_id:{} tenant_id: {}".format(
                request_user.id, aws_environment.tenant.id)
            raise PermissionDenied(denial)

        if not request_user.can_control_aws():
            denial = "request user can't save aws_environments. id:{}".format(
                request_user.id)
            raise PermissionDenied(denial)

        # Check the role before persisting, so a bad account/role pair is
        # never stored.
        Iam(aws_environment, None).validate_role(
            aws_environment.aws_account_id, aws_environment.aws_role)

        # Persist the environment.
        aws_environment.save()

        # Register the environment with the tenant's scheduler user.
        tenant_scheduler = UserModel.get_scheduler(aws_environment.tenant)
        tenant_scheduler.aws_environments.add(aws_environment)
        tenant_scheduler.save()

        self.logger.info("END: save_aws_environment")
        return aws_environment
コード例 #3
ファイル: test_user_model.py プロジェクト: sibukixxx/naruko
    def test_delete_protect_role(self):
        """A role still referenced by a user cannot be deleted."""
        timestamp = datetime.now()
        audit_fields = dict(created_at=timestamp, updated_at=timestamp)

        role = RoleModel.objects.create(
            id=RoleModel.MASTER_ID, role_name="test_role", **audit_fields)
        tenant = TenantModel.objects.create(
            tenant_name="test_tenant", **audit_fields)

        member = UserModel(
            email="test_email",
            name="test_name",
            password="******",
            tenant=tenant,
            role=role,
            **audit_fields
        )
        member.save()

        # Confirm the user was registered.
        self.assertEqual(UserModel.objects.all().count(), 1)

        # Confirm the role cannot be deleted and the user row survives.
        with self.assertRaises(ProtectedError):
            role.delete()
        self.assertEqual(UserModel.objects.all().count(), 1)
コード例 #4
ファイル: test_user_model.py プロジェクト: sibukixxx/naruko
    def test_update(self):
        """Changing a saved user's email is visible on a fresh lookup."""
        timestamp = datetime.now()
        audit_fields = dict(created_at=timestamp, updated_at=timestamp)

        role = RoleModel.objects.create(
            id=RoleModel.MASTER_ID, role_name="test_role", **audit_fields)
        tenant = TenantModel.objects.create(
            tenant_name="test_tenant", **audit_fields)

        UserModel(
            email="test_email",
            name="test_name",
            password="******",
            tenant=tenant,
            role=role,
            **audit_fields
        ).save()

        # Reload the stored row, change the email and write it back.
        stored_user = UserModel.objects.all()[0]
        stored_user.email = "updated_email"
        stored_user.save()

        # The lookup by the new email must succeed and return that value.
        reloaded = UserModel.objects.get(email="updated_email")
        self.assertEqual(reloaded.email, "updated_email")
コード例 #5
 def _create_user_model(email, name, password, tenant, role):
     """Create, save and return a UserModel stamped with the current time."""
     timestamp = datetime.now()
     # NOTE(review): password is handed to the model unchanged; whether it is
     # hashed before storage depends on UserModel, not shown here - confirm.
     new_user = UserModel(
         email=email,
         name=name,
         password=password,
         tenant=tenant,
         role=role,
         created_at=timestamp,
         updated_at=timestamp,
     )
     new_user.save()
     return new_user
コード例 #6
    def delete_aws_environment(self, request_user: UserModel, aws_environment: AwsEnvironmentModel):
        """Delete an AWS environment on behalf of an authorised requester.

        Raises PermissionDenied when the requester is outside the
        environment's tenant or fails can_control_aws().
        """
        self.logger.info("START: delete_aws_environment")

        in_tenant = request_user.is_belong_to_tenant(aws_environment.tenant)
        if not in_tenant:
            denial = "request user can't delete aws_environments. user_id:{} tenant_id: {}".format(
                request_user.id, aws_environment.tenant.id)
            raise PermissionDenied(denial)

        if not request_user.can_control_aws():
            denial = "request user can't delete aws_environments. id:{}".format(request_user.id)
            raise PermissionDenied(denial)

        # Delete only after both checks have passed.
        aws_environment.delete()
        self.logger.info("END: delete_aws_environment")
コード例 #7
    def fetch_destinations(self, request_user: UserModel, tenant: TenantModel):
        """Return the notification destinations that belong to ``tenant``.

        Raises PermissionDenied when the requester fails
        can_control_notification() or does not belong to the tenant.
        """
        self.logger.info("START: fetch_destinations")

        # The permission check raises without a message; the tenant check
        # below records both ids.
        if not request_user.can_control_notification():
            raise PermissionDenied

        if not request_user.is_belong_to_tenant(tenant):
            denial = "request user doesn't belong to tenant. user_id:{}, tenant_id: {}".format(
                request_user.id, tenant.id)
            raise PermissionDenied(denial)

        # The query is limited to the tenant that was just verified.
        tenant_destinations = NotificationDestinationModel.all().filter(tenant=tenant)
        self.logger.info("END: fetch_destinations")
        return tenant_destinations
コード例 #8
ファイル: control_schedule.py プロジェクト: sibukixxx/naruko
    def delete_schedule(self, request_user: UserModel, tenant: TenantModel, aws_environment: AwsEnvironmentModel,
                        event_id: int):
        """Delete the schedule event ``event_id`` for an authorised requester.

        Raises PermissionDenied when the requester is outside ``tenant`` or
        does not hold ``aws_environment``.
        """
        self.logger.info("START: delete")

        in_tenant = request_user.is_belong_to_tenant(tenant)
        if not in_tenant:
            denial = "request user is not belong to tenant. user_id:{} tenant_id:{}".format(
                request_user.id, tenant.id)
            raise PermissionDenied(denial)

        if not request_user.has_aws_env(aws_environment):
            denial = "request user doesn't have aws environments. id:{}".format(request_user.id)
            raise PermissionDenied(denial)

        # NOTE(review): only event_id reaches the repository; neither tenant
        # nor aws_environment is passed. Whether EventRepository.delete limits
        # the delete to events of this environment is not visible here -
        # confirm, otherwise the checks above do not cover the deleted object.
        EventRepository.delete(event_id)

        self.logger.info("END: delete")
コード例 #9
    def fetch_aws_environments(self, request_user: UserModel, tenant: TenantModel):
        """Return the AWS environments registered under ``tenant``.

        Raises PermissionDenied when the requester is outside the tenant or
        fails can_control_aws().
        """
        self.logger.info("START: fetch_aws_environments")

        in_tenant = request_user.is_belong_to_tenant(tenant)
        if not in_tenant:
            denial = "request user can't fetch aws_environments. user_id:{} tenant_id: {}".format(
                request_user.id, tenant.id)
            raise PermissionDenied(denial)

        if not request_user.can_control_aws():
            denial = "request user can't fetch aws_environments. id:{}".format(request_user.id)
            raise PermissionDenied(denial)

        # The query is limited to the tenant that was just verified.
        tenant_environments = AwsEnvironmentModel.objects.filter(tenant_id=tenant.id)

        self.logger.info("END: fetch_aws_environments")
        return tenant_environments
コード例 #10
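    def billing_graph(self, request_user: UserModel, aws: AwsEnvironmentModel,
                      start_time, end_time, period, stat):
        """Return estimated-charge series, one entry per billing metric.

        Each entry is a dict with ``service``, ``timestamps`` and ``values``.
        Raises PermissionDenied when the requester does not hold ``aws`` or
        fails can_fetch_billing().
        """
        self.logger.info("START: graph")

        # Is this an AWS account the requester may use?
        if not request_user.has_aws_env(aws):
            raise PermissionDenied(
                "request user can't use aws account. user_id: {}, aws_id: {}".
                format(request_user.id, aws.id))

        # Does the requester hold the permission to read billing data?
        # The message names billing (it previously said aws_environments), so
        # a denial can be traced to the right operation.
        if not request_user.can_fetch_billing():
            raise PermissionDenied(
                "request user can't fetch billing. id:{}".format(
                    request_user.id))

        # List the billing metrics. AWS publishes AWS/Billing metrics in
        # us-east-1, hence the fixed region.
        metrics = CloudWatch(aws,
                             'us-east-1').list_metrics('AWS/Billing',
                                                       'EstimatedCharges', [])

        # Build the query arguments for the chart call.
        # TODO: use a dict instead of a list so each entry's service is
        # identifiable.
        metric_data_queries = [
            dict(metric_name=metric['MetricName'],
                 dimensions=metric['Dimensions'])
            for metric in metrics
        ]
        monitor_graphs = CloudWatch(aws, 'us-east-1').get_multi_charts(
            name_space='AWS/Billing',
            period=period,
            stat=stat,
            start_time=start_time,
            end_time=end_time,
            metric_data_queries=metric_data_queries)

        self.logger.info("END: graph")

        # Shape the result from each graph's config. A series without a
        # ServiceName dimension is the overall total and is labelled 'Total'.
        def pick_service_name(dimensions):
            return next((dimension['Value'] for dimension in dimensions
                         if dimension['Name'] == 'ServiceName'), 'Total')

        return [
            dict(service=pick_service_name(graph['config']['dimensions']),
                 timestamps=graph['timestamps'],
                 values=graph['values'])
            for graph in monitor_graphs
        ]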
コード例 #11
ファイル: control_user.py プロジェクト: sibukixxx/naruko
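    def delete_user(self, request_user: UserModel, user: UserModel):
        """Delete ``user`` on behalf of an authorised requester.

        Raises PermissionDenied when the requester is outside the target
        user's tenant or fails can_delete_user(user).
        """
        self.logger.info("START: delete_user")

        # The tenant-check message names the delete operation (it previously
        # said "fetch users"), so a denial can be traced to the right call.
        if not request_user.is_belong_to_tenant(user.tenant):
            raise PermissionDenied(
                "request user can't delete user. user_id:{} tenant_id: {}".
                format(request_user.id, user.tenant.id))

        if not request_user.can_delete_user(user):
            raise PermissionDenied(
                "request user can't delete user. id:{}".format(
                    request_user.id))

        user.delete()
        self.logger.info("END: delete_user")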
コード例 #12
ファイル: control_schedule.py プロジェクト: sibukixxx/naruko
    def fetch_schedules(self, request_user: UserModel, tenant: TenantModel, aws_environment: AwsEnvironmentModel,
                        resource: Resource):
        """Return the schedules of ``resource`` within ``aws_environment``.

        Raises PermissionDenied when the requester is outside ``tenant`` or
        does not hold ``aws_environment``.
        """
        self.logger.info("START: fetch_schedules")

        in_tenant = request_user.is_belong_to_tenant(tenant)
        if not in_tenant:
            denial = "request user is not belong to tenant. user_id:{} tenant_id:{}".format(
                request_user.id, tenant.id)
            raise PermissionDenied(denial)

        if not request_user.has_aws_env(aws_environment):
            denial = "request user doesn't have aws environments. id:{}".format(request_user.id)
            raise PermissionDenied(denial)

        # The lookup receives the verified environment along with the resource.
        found_schedules = EventRepository.fetch_schedules_by_resource(resource, aws_environment)

        self.logger.info("END: fetch_schedules")
        return found_schedules
コード例 #13
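    def fetch_logs(self, request_user: UserModel, tenant: TenantModel):
        """Return the operation logs the requester may see within ``tenant``.

        A requester passing can_control_other_user() gets every log of the
        tenant; anyone else gets only the logs they executed. Raises
        PermissionDenied when the requester is outside the tenant.
        """
        self.logger.info("START: fetch_logs")

        # The message names logs (it previously said aws_environments), so a
        # denial can be traced to the right operation.
        if not request_user.is_belong_to_tenant(tenant):
            raise PermissionDenied("request user can't fetch logs. user_id:{} tenant_id: {}".
                                   format(request_user.id, tenant.id))

        if request_user.can_control_other_user():
            # Allowed to manage other users: return the tenant's logs.
            logs = OperationLogModel.objects.filter(tenant=tenant)
        else:
            # Otherwise return only the requester's own logs.
            logs = OperationLogModel.objects.filter(tenant=tenant, executor=request_user)

        self.logger.info("END: fetch_logs")
        return logs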
コード例 #14
    def delete_group(self, request_user: UserModel,
                     group: NotificationGroupModel):
        """Delete a notification group on behalf of an authorised requester.

        Raises PermissionDenied when the requester fails
        can_control_notification() or is outside the group's tenant.
        """
        self.logger.info("START: delete_group")

        # The permission check raises without a message; the tenant check
        # below records both ids.
        if not request_user.can_control_notification():
            raise PermissionDenied

        if not request_user.is_belong_to_tenant(group.tenant):
            denial = "request user doesn't belong to tenant. user_id:{}, tenant_id: {}".format(
                request_user.id, group.tenant.id)
            raise PermissionDenied(denial)

        # Delete the group.
        group.delete()

        self.logger.info("END: delete_group")
コード例 #15
    def delete_destination(self, request_user: UserModel,
                           destination: NotificationDestinationModel):
        """Delete a notification destination for an authorised requester.

        Raises PermissionDenied when the requester fails
        can_control_notification() or is outside the destination's tenant.
        """
        self.logger.info("START: delete_destination")

        # The permission check raises without a message; the tenant check
        # below records both ids.
        if not request_user.can_control_notification():
            raise PermissionDenied

        if not request_user.is_belong_to_tenant(destination.tenant):
            denial = "request user doesn't belong to tenant. user_id:{}, tenant_id: {}".format(
                request_user.id, destination.tenant.id)
            raise PermissionDenied(denial)

        # Delete the destination.
        destination.delete()

        self.logger.info("END: delete_destination")
コード例 #16
    def test_update_user_no_user(self, use_case: mock.Mock):
        """A PUT to ids that do not exist returns 404 and never reaches the use case."""
        # Authenticate as the Company1 user.
        client = APIClient()
        requester = UserModel.objects.get(email="test_email")
        client.force_authenticate(user=requester)

        # The Company1 user whose tenant supplies the AWS environment ids.
        target = UserModel.objects.get(email="test_email_USER")

        tenant_envs = AwsEnvironmentModel.objects.filter(tenant=target.tenant)
        payload = {
            "email": "*****@*****.**",
            "name": "putman",
            "password": "******",
            "role": RoleModel.USER_ID,
            "aws_environments": [env.id for env in tenant_envs]
        }

        mocked_update = use_case.return_value.update_user
        mocked_update.return_value = UserModel(id=100)

        # -100 is used for both ids in the path.
        missing_path = self.api_path_in_tenant.format(-100, -100) + "/"
        response = client.put(path=missing_path, data=payload, format='json')

        use_case.return_value.update_user.assert_not_called()
        # Check the status code.
        self.assertEqual(response.status_code, 404)
コード例 #17
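    def test_create_tenant_master(self, tenant_serializer, user_serializer,
                                  usecase):
        """A MASTER user posting a new tenant gets 201 back."""
        # Authenticate as the MASTER user.
        api_client = APIClient()
        api_client.force_authenticate(user=UserModel.objects.get(
            email="master_email"))

        # The tenant to create.
        data = dict(tenant=dict(tenant_name='test_tenant',
                                email='*****@*****.**',
                                tel='03-1234-1234'),
                    user=dict(name="test_user", email="*****@*****.**"))

        # The use case returns spec'd mocks. An earlier assignment of real
        # model instances to the same attribute was overwritten before use
        # and has been dropped.
        usecase.return_value.create_tenant.return_value = (mock.Mock(
            spec=TenantModel), mock.Mock(spec=UserModel))
        tenant_serializer.return_value.data = "TEST"
        user_serializer.return_value.data = "TEST"

        # Send the create request.
        response = api_client.post(self.api_path_in_tenant,
                                   data=data,
                                   format='json')

        self.assertEqual(response.status_code, 201)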
コード例 #18
ファイル: control_resource.py プロジェクト: sibukixxx/naruko
    def stop_resource(self, request_user: UserModel,
                      aws_environment: AwsEnvironmentModel,
                      resource: Resource):
        """Stop ``resource`` in ``aws_environment`` for an authorised requester.

        Raises PermissionDenied when the requester is outside the
        environment's tenant or does not hold the environment.
        """
        self.logger.info("START: stop_resource")

        # The tenant comes from the environment itself, not from the caller.
        owner_tenant = aws_environment.tenant
        if not request_user.is_belong_to_tenant(owner_tenant):
            denial = "request user is not belong to tenant. user_id:{} tenant_id:{}".format(
                request_user.id, owner_tenant.id)
            raise PermissionDenied(denial)

        if not request_user.has_aws_env(aws_environment):
            denial = "request user doesn't have aws environments. id:{}".format(
                request_user.id)
            raise PermissionDenied(denial)

        resource.stop(aws_environment)
        self.logger.info("END: stop_resource")
コード例 #19
    def run_command(self, request_user: UserModel,
                    aws_environment: AwsEnvironmentModel, command: Command):
        """Run ``command`` against ``aws_environment`` and return the command.

        Raises PermissionDenied when the requester is outside the
        environment's tenant or does not hold the environment.
        """
        self.logger.info("START: run_command")

        # The tenant comes from the environment itself, not from the caller.
        owner_tenant = aws_environment.tenant
        if not request_user.is_belong_to_tenant(owner_tenant):
            denial = "request user is not belong to tenant. user_id:{} tenant_id:{}".format(
                request_user.id, owner_tenant.id)
            raise PermissionDenied(denial)

        if not request_user.has_aws_env(aws_environment):
            denial = "request user doesn't have aws environments. id:{}".format(
                request_user.id)
            raise PermissionDenied(denial)

        # NOTE(review): nothing here inspects the command itself; any
        # validation of its content presumably lives in Command or the
        # caller - confirm.
        command.run(aws_environment)

        self.logger.info("END: run_command")
        return command
コード例 #20
ファイル: control_user.py プロジェクト: sibukixxx/naruko
    def fetch_users(self, request_user: UserModel, tenant: TenantModel):
        """Return the users of ``tenant`` as a list, scheduler accounts excluded.

        Raises PermissionDenied when the requester is outside the tenant or
        fails can_control_other_user().
        """
        self.logger.info("START: fetch_users")

        in_tenant = request_user.is_belong_to_tenant(tenant)
        if not in_tenant:
            denial = "request user can't fetch users. user_id:{} tenant_id: {}".format(
                request_user.id, tenant.id)
            raise PermissionDenied(denial)

        if not request_user.can_control_other_user():
            denial = "request user can't fetch users. id:{}".format(
                request_user.id)
            raise PermissionDenied(denial)

        # Scheduler accounts are not shown in the listing.
        visible_users = UserModel.objects.filter(tenant=tenant).exclude(
            role_id=RoleModel.SCHEDULER_ID)
        response = list(visible_users)

        self.logger.info("END: fetch_users")
        return response
コード例 #21
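    def delete_tenant(self, request_user: UserModel, tenant: TenantModel):
        """Delete ``tenant`` when the requester passes can_control_tenant().

        Raises InvalidRoleException otherwise. No tenant-membership check is
        made here; the role check is the only gate.
        """
        self.logger.info("START: delete_tenant")

        # The message names the delete operation (it previously said
        # "create tenant"), so a denial can be traced to the right call.
        if not request_user.can_control_tenant():
            raise InvalidRoleException(
                "request user can't delete tenant. id:{}".format(
                    request_user.id))

        tenant.delete()
        self.logger.info("END: delete_tenant")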
コード例 #22
ファイル: control_resource.py プロジェクト: sibukixxx/naruko
    def create_backup(self, request_user: UserModel,
                      aws_environment: AwsEnvironmentModel, resource: Resource,
                      no_reboot: bool):
        """Create a backup of ``resource`` and return the backup id.

        Raises PermissionDenied when the requester is outside the
        environment's tenant or does not hold the environment.
        """
        self.logger.info("START: create_backup")

        # The tenant comes from the environment itself, not from the caller.
        owner_tenant = aws_environment.tenant
        if not request_user.is_belong_to_tenant(owner_tenant):
            denial = "request user is not belong to tenant. user_id:{} tenant_id:{}".format(
                request_user.id, owner_tenant.id)
            raise PermissionDenied(denial)

        if not request_user.has_aws_env(aws_environment):
            denial = "request user doesn't have aws environments. id:{}".format(
                request_user.id)
            raise PermissionDenied(denial)

        new_backup_id = resource.create_backup(aws_environment,
                                               no_reboot=no_reboot)
        self.logger.info("END: create_backup")
        return new_backup_id
コード例 #23
ファイル: reset_password.py プロジェクト: ko-takahara/naruko
    def reset_password(self, user: UserModel):
        """Reset ``user``'s password, mail the new one and return the user.

        Raises InvalidEmailException when the SES call fails with ClientError.
        NOTE(review): this method performs no authorisation check of its own;
        presumably the caller decides who may trigger a reset - confirm.
        """
        self.logger.info("START: reset password")

        # Change the password and persist it.
        # NOTE(review): the new password is saved before the mail is sent, so
        # a ClientError below leaves the account with a password that was
        # never delivered - confirm the caller handles or rolls this back.
        new_password = user.reset_password()
        user.save()

        try:
            # Send the mail.
            self.logger.info("START: Send mail by SES.")
            self.logger.info("using address. {}".format(settings.SES_ADDRESS))
            mailer = Ses(settings.SES_ADDRESS, settings.SES_ADDRESS)
            # The new password itself is handed to the mail helper.
            mailer.send_password_reset_mail(user.email, new_password)
            self.logger.info("END: Send mail by SES.")
        except ClientError as send_error:
            self.logger.exception(send_error)
            raise InvalidEmailException

        self.logger.info("END: reset password")
        return user
コード例 #24
    def describe_document(self, request_user: UserModel,
                          aws_environment: AwsEnvironmentModel, region: str,
                          document_name: str):
        """Return the description of the SSM document ``document_name``.

        Raises PermissionDenied when the requester is outside the
        environment's tenant or does not hold the environment.
        """
        self.logger.info("START: describe_document")

        # The tenant comes from the environment itself, not from the caller.
        owner_tenant = aws_environment.tenant
        if not request_user.is_belong_to_tenant(owner_tenant):
            denial = "request user is not belong to tenant. user_id:{} tenant_id:{}".format(
                request_user.id, owner_tenant.id)
            raise PermissionDenied(denial)

        if not request_user.has_aws_env(aws_environment):
            denial = "request user doesn't have aws environments. id:{}".format(
                request_user.id)
            raise PermissionDenied(denial)

        ssm_client = Ssm(aws_environment=aws_environment, region=region)
        described = ssm_client.describe_document(document_name)

        self.logger.info("END: describe_document")
        return described
コード例 #25
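    def fetch_tenants(self, request_user: UserModel):
        """Return every tenant as a list when the requester may control tenants.

        Raises InvalidRoleException when can_control_tenant() is false.
        """
        self.logger.info("START: fetch_tenants")

        # The message names the fetch operation (it previously said
        # "create tenant"), so a denial can be traced to the right call.
        if not request_user.can_control_tenant():
            raise InvalidRoleException(
                "request user can't fetch tenants. id:{}".format(
                    request_user.id))

        response = list(TenantModel.objects.all())
        self.logger.info("END: fetch_tenants")
        return response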
コード例 #26
    def fetch_documents(self, request_user: UserModel,
                        aws_environment: AwsEnvironmentModel, region: str):
        """Return all SSM documents of ``aws_environment`` in ``region`` as one list.

        Raises PermissionDenied when the requester is outside the
        environment's tenant or does not hold the environment.
        """
        self.logger.info("START: fetch_documents")

        # The tenant comes from the environment itself, not from the caller.
        owner_tenant = aws_environment.tenant
        if not request_user.is_belong_to_tenant(owner_tenant):
            denial = "request user is not belong to tenant. user_id:{} tenant_id:{}".format(
                request_user.id, owner_tenant.id)
            raise PermissionDenied(denial)

        if not request_user.has_aws_env(aws_environment):
            denial = "request user doesn't have aws environments. id:{}".format(
                request_user.id)
            raise PermissionDenied(denial)

        ssm_client = Ssm(aws_environment=aws_environment, region=region)
        # list_documents() yields batches; flatten them into a single list.
        documents = [
            document
            for batch in ssm_client.list_documents()
            for document in batch
        ]

        self.logger.info("END: fetch_documents")
        return documents
コード例 #27
ファイル: control_user.py プロジェクト: sibukixxx/naruko
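    def create_user(self, request_user: UserModel, user: UserModel,
                    aws_envs: AwsEnvironmentModel, password: str):
        """Create ``user`` with ``password`` and attach ``aws_envs`` to it.

        Raises PermissionDenied when the requester is outside the new user's
        tenant, fails can_save_user(user), or may not assign the given AWS
        environments. Raises InvalidPasswordException when set_password()
        rejects the password. Returns the saved user.
        """
        self.logger.info("START: create_user")
        if not request_user.is_belong_to_tenant(user.tenant):
            raise PermissionDenied(
                "request user can't fetch users. user_id:{} tenant_id: {}".
                format(request_user.id, user.tenant.id))

        # Does the requester hold a role that may create this user?
        if not request_user.can_save_user(user):
            raise PermissionDenied(
                "request user can't create user. id:{}".format(
                    request_user.id))

        # Set the password through the model (the original comment says it is
        # stored encrypted). The rejected value is deliberately left out of
        # the exception text: exception messages can reach logs and error
        # responses, and a near-miss password is still sensitive.
        if not user.set_password(password):
            raise InvalidPasswordException("invalid password.")

        user.save()

        # Attach the AWS environments to the user.
        # NOTE(review): the user row is already saved at this point; if this
        # check fails the row stays unless the caller wraps the call in a
        # transaction - confirm.
        if not request_user.realignment_aws_environments(user, aws_envs):
            raise PermissionDenied(
                "request user can't control aws environments. id:{}".format(
                    request_user.id))

        self.logger.info("END: create_user")
        return user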
コード例 #28
ファイル: control_resource.py プロジェクト: sibukixxx/naruko
    def fetch_resources(self, request_user: UserModel,
                        aws_environment: AwsEnvironmentModel,
                        region: str) -> list:
        """Return the tagged resources of ``aws_environment`` in ``region``.

        Each resource gets a ``status`` taken from the CloudWatch resource
        statuses, or "UNSET" when none is recorded for it. Raises
        PermissionDenied when the requester is outside the environment's
        tenant or does not hold the environment.
        """
        self.logger.info("START: fetch resources")

        in_tenant = request_user.is_belong_to_tenant(aws_environment.tenant)
        if not in_tenant:
            denial = "request user is not belong to tenant. user_id:{} tenant_id:{}".format(
                request_user.id, aws_environment.tenant.id)
            raise PermissionDenied(denial)

        if not request_user.has_aws_env(aws_environment):
            denial = "request user doesn't have aws environments. id:{}".format(
                request_user.id)
            raise PermissionDenied(denial)

        tag_client = ResourceGroupTagging(aws_environment=aws_environment,
                                          region=region)
        self.logger.info("ResourceGroupTagging Client Created.")

        collected = []
        status_by_service = None
        for batch in tag_client.get_resources(Resource.get_all_services()):
            self.logger.info("got resource tags")
            # Statuses are fetched once, on the first non-empty batch.
            if status_by_service is None and batch:
                status_client = CloudWatch(aws_environment=aws_environment,
                                           region=region)
                status_by_service = status_client.get_resources_status()
                self.logger.info("got cloudwatch alarms")
            for item in batch:
                self.logger.info("resource tag convert response")
                service_statuses = status_by_service[item.get_service_name()]
                # A resource without an alarm is reported as unset.
                item.status = service_statuses.get(item.resource_id, "UNSET")
                collected.append(item)

        self.logger.info("END: fetch resources")
        return collected
コード例 #29
ファイル: control_monitor.py プロジェクト: sibukixxx/naruko
    def fetch_monitors(self, request_user: UserModel, aws: AwsEnvironmentModel,
                       resource: Resource):
        """Return the CloudWatch monitors described for ``resource``.

        Raises PermissionDenied when the requester does not hold ``aws``.
        NOTE(review): unlike the sibling use cases there is no explicit
        tenant check here; presumably has_aws_env() implies it - confirm.
        """
        self.logger.info("START: fetch_monitors")

        # Is this an AWS account the requester may use?
        if not request_user.has_aws_env(aws):
            denial = "request user can't use aws account. user_id: {}, aws_id: {}".format(
                request_user.id, aws.id)
            raise PermissionDenied(denial)

        watch_client = CloudWatch(aws, resource.region)
        found_monitors = watch_client.describe_resource_monitors(resource)

        self.logger.info("END: fetch_monitors")
        return found_monitors
コード例 #30
ファイル: control_monitor.py プロジェクト: sibukixxx/naruko
    def graph(self, request_user: UserModel, resource: Resource,
              aws: AwsEnvironmentModel, monitor_graph: MonitorGraph):
        """Return the CloudWatch chart for ``monitor_graph`` on ``resource``.

        Raises PermissionDenied when the requester does not hold ``aws`` and
        ObjectDoesNotExist when the metric is not one of the resource's
        metrics.
        """
        self.logger.info("START: graph")

        # Is this an AWS account the requester may use?
        if not request_user.has_aws_env(aws):
            denial = "request user can't use aws account. user_id: {}, aws_id: {}".format(
                request_user.id, aws.id)
            raise PermissionDenied(denial)

        # Only metrics the resource itself lists are accepted.
        if monitor_graph.metric_name not in resource.get_metrics():
            missing = "service doesn't have metric service_type: {} metric: {}".format(
                resource.get_service_name(), monitor_graph.metric_name)
            raise ObjectDoesNotExist(missing)

        watch_client = CloudWatch(aws, resource.region)
        monitor_graph = watch_client.get_chart(monitor_graph, resource)

        self.logger.info("END: graph")
        return monitor_graph