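    def test_role_sql_is_correct(self):
        """Plan the ``role.yml`` example and pin the SQL it emits.

        Each group is created inside a ``DO $do$`` block guarded by a
        ``pg_catalog.pg_roles`` lookup, so re-running the plan against a
        database where the role already exists must not error.
        """
        path = os.path.join(settings.EXAMPLES_DIR, 'role.yml')
        # ``with`` closes the handle even if an assertion below fails; the
        # original left it open for the garbage collector.
        with open(path) as stream:
            # safe_load only builds plain Python types; the full loader can
            # instantiate arbitrary objects from a crafted YAML file.
            conf = yaml.safe_load(stream)
        perms = new(conf)
        postgres_perms = postgres.new(perms)
        plan = postgres_perms.plan()
        sql = [stmnt.sql for stmnt in plan]
        self.assertEqual([
            '''DO
$do$
BEGIN
   IF NOT EXISTS (
      SELECT FROM pg_catalog.pg_roles
      WHERE rolname = 'test_group') THEN

      CREATE GROUP test_group;
   END IF;
END
$do$;''', '''DO
$do$
BEGIN
   IF NOT EXISTS (
      SELECT FROM pg_catalog.pg_roles
      WHERE rolname = 'test_group_2') THEN

      CREATE GROUP test_group_2;
   END IF;
END
$do$;'''
        ], sql)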
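    def test_role_permissions_sql_is_correct(self):
        """Plan the ``role_permissions.yml`` example and pin the SQL it emits.

        The expected plan is ordered: guarded ``CREATE GROUP`` followed by
        ``ALTER GROUP ... ADD USER`` for each role, then the schema GRANTs
        (``ALL`` for admin, ``SELECT`` on all tables for readonly).
        """
        path = os.path.join(settings.EXAMPLES_DIR, 'role_permissions.yml')
        # ``with`` closes the handle even if an assertion below fails; the
        # original left it open for the garbage collector.
        with open(path) as stream:
            # safe_load only builds plain Python types; the full loader can
            # instantiate arbitrary objects from a crafted YAML file.
            conf = yaml.safe_load(stream)
        perms = new(conf)
        postgres_perms = postgres.new(perms)
        plan = postgres_perms.plan()
        sql = [stmnt.sql for stmnt in plan]
        self.assertEqual([
            '''DO
$do$
BEGIN
   IF NOT EXISTS (
      SELECT FROM pg_catalog.pg_roles
      WHERE rolname = 'admin') THEN

      CREATE GROUP admin;
   END IF;
END
$do$;''', 'ALTER GROUP admin ADD USER user_admin;', '''DO
$do$
BEGIN
   IF NOT EXISTS (
      SELECT FROM pg_catalog.pg_roles
      WHERE rolname = 'readonly') THEN

      CREATE GROUP readonly;
   END IF;
END
$do$;''', 'ALTER GROUP readonly ADD USER user_reg;',
            '\nGRANT ALL ON SCHEMA public TO admin;\n\n',
            'GRANT SELECT ON ALL TABLES IN SCHEMA public TO readonly;'
        ], sql)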
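def main():
    """Entry point for the ``dpt`` command line.

    Parses the arguments, loads the YAML config, builds the permission
    graph and dispatches on ``operation``:

    * ``export`` -- not implemented; raises ``NotImplementedError``.
    * ``graph``  -- renders the graph to ``build/out.png`` and returns.
    * ``plan``   -- prints the SQL statements that would be executed.
    * ``apply``  -- executes them against ``--connection-string``.

    Exits with argparse's usage error (status 2) when ``--config`` is
    missing, when the config does not parse, or when ``--db`` is absent
    for ``plan``/``apply``. The original continued with ``conf = None``
    after a parse error and silently did nothing when ``--db`` was unset.
    """
    parser = argparse.ArgumentParser(description='Manage database permissions')
    parser.add_argument('operation',
                        type=str,
                        choices=('apply', 'plan', 'graph', 'export'),
                        help='dpt operation to perform')
    parser.add_argument('--db',
                        type=str,
                        choices=('postgres', 'redshift'),
                        help='target database system')
    # NOTE: argv is visible to other local users (e.g. via ``ps``), so any
    # password embedded in this value is exposed for the life of the
    # process; an environment variable or service file is the safer channel.
    parser.add_argument('--connection-string',
                        type=str,
                        help='db connection string')
    parser.add_argument('--config', type=str, help='config file')
    cli_args = parser.parse_args()

    if cli_args.operation == 'export':
        # TODO: redshift.export(cli_args.connection_string) once a redshift
        # backend exists; the original kept this as a dead string literal.
        raise NotImplementedError

    if cli_args.config is None:
        # open(None) would otherwise fail with an unhelpful TypeError.
        parser.error('--config is required for {}'.format(cli_args.operation))

    # Load the config file. safe_load refuses to instantiate arbitrary
    # Python objects, which the full loader would do for a crafted file.
    with open(cli_args.config, 'r') as stream:
        try:
            conf = yaml.safe_load(stream)
        except yaml.YAMLError as exc:
            # Fail here rather than hand a None config to graph.new.
            parser.error('could not parse {}: {}'.format(cli_args.config, exc))

    # parse the config file into a dpt graph
    perms = graph.new(conf)

    if cli_args.operation == 'graph':
        pdot = nx.drawing.nx_pydot.to_pydot(perms.graph)
        name = 'build/out.png'
        print('saving graph: "{}"'.format(name))
        pdot.write_png(name)
        return

    if cli_args.db is None:
        # plan/apply need a backend; without one the original exited
        # quietly with nothing done, which reads as success.
        parser.error('--db is required for {}'.format(cli_args.operation))

    if cli_args.db == 'postgres':
        postgres_perms = postgres.new(
            perms,
            cli_args.connection_string,
        )
        if cli_args.operation == 'plan':
            # One blank line between statements keeps the plan readable.
            print('\n\n'.join(stmnt.sql for stmnt in postgres_perms.plan()))
        elif cli_args.operation == 'apply':
            postgres_perms.apply()
        else:
            raise NotImplementedError
    else:
        # 'redshift' is accepted by argparse but has no backend yet.
        raise NotImplementedError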
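 def test_new_graph_policies(self):
     """Build the graph from ``role_permissions.yml`` and pin every node.

     Node attribute dicts are compared as an ordered list: users, the
     schema, roles, then one POLICY node per role carrying its subject
     role, target schema and permission flags.
     """
     path = os.path.join(settings.EXAMPLES_DIR, 'role_permissions.yml')
     # ``with`` closes the handle even if an assertion below fails; the
     # original left it open for the garbage collector.
     with open(path) as stream:
         # safe_load only builds plain Python types; the full loader can
         # instantiate arbitrary objects from a crafted YAML file.
         conf = yaml.safe_load(stream)
     perms = new(conf)
     nodes = perms.graph.nodes(data=True)
     # Ids repeat across types ('admin' is both a ROLE and a POLICY), so
     # keep the per-node attribute dicts rather than keying on id.
     attrs = [attr for _, attr in nodes]
     self.assertEqual([{
         'id': 'user_admin',
         'type': 'USER'
     }, {
         'id': 'user_reg',
         'type': 'USER'
     }, {
         'id': 'public',
         'type': 'SCHEMA'
     }, {
         'id': 'admin',
         'type': 'ROLE'
     }, {
         'id': 'readonly',
         'type': 'ROLE'
     }, {
         'id': 'admin',
         'type': 'POLICY',
         'subject': {
             'id': 'admin',
             'type': 'ROLE'
         },
         'target': {
             'id': 'public',
             'type': 'SCHEMA'
         },
         'permissions': {
             'all': True
         }
     }, {
         'id': 'readonly',
         'type': 'POLICY',
         'subject': {
             'id': 'readonly',
             'type': 'ROLE'
         },
         'target': {
             'id': 'public',
             'type': 'SCHEMA'
         },
         'permissions': {
             'select': True
         }
     }], attrs)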
 def test_new_graph_with_users_correct_node_count(self):
     """A user referenced from a role yields exactly one USER and one ROLE node."""
     config = {
         'users': [{
             'id': 'user_id_1'
         }],
         'roles': [{
             'id': 'new_group',
             'users': [{
                 'id': 'user_id_1',
             }]
         }]
     }
     perms = new(config)
     node_view = perms.graph.nodes(data=True)
     # The role's reference to user_id_1 must not add a second USER node.
     self.assertEqual(2, len(node_view), node_view)
     expected = [
         {'id': 'user_id_1', 'type': 'USER'},
         {'id': 'new_group', 'type': 'ROLE'},
     ]
     node_attrs = [data for _node, data in node_view]
     self.assertEqual(expected, node_attrs)