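def _update_service_account_permissions(self, sa):
    """
    Update the given service account's permissions.

    WARNING: NO AUTHORIZATION CHECK DONE HERE. This will blindly update the
    given service account; the caller must already have verified that the
    requesting user is allowed to modify ``sa``.

    Args:
        sa (fence.resources.google.service_account.GoogleServiceAccountRegistration):
            the service account object with its email, project_access, a
            google project, and optionally a user who is attempting to
            modify/add

    Returns:
        tuple[str, int]: a ``(message, http_status)`` pair -- 200 on success,
        404 when the update hits a ``CirrusNotFound``, 400 on any other
        ``GoogleAPIError``, and 500 for any other exception.
    """
    try:
        patch_user_service_account(sa.google_project_id, sa.email, sa.project_access)
    except CirrusNotFound as exc:
        # Fixed "accout" -> "account" so the message matches the 500 path below.
        return (
            "Can not update the service account {}. Detail {}".format(sa.email, exc),
            404,
        )
    except GoogleAPIError as exc:
        # NOTE(review): the raw Google API error text is echoed to the caller;
        # confirm it cannot carry details (group names, project ids) that the
        # caller is not entitled to see.
        return (
            "Can not update the service account {}. Detail {}".format(sa.email, exc),
            400,
        )
    except Exception:
        # Unexpected failures are deliberately opaque to the caller (no
        # exception detail in the 500). Nothing is logged here either, so
        # operators get no trace -- consider logging before returning.
        return ("Can not update the service account {}".format(sa.email), 500)
    return ("Successfully update service account {}".format(sa.email), 200)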
def test_update_user_service_account_success3(cloud_manager, db_session, setup_data):
    """
    [email protected] has access to test_auth_1 and test_auth_2 already.

    Updating with exactly the projects the account already holds must be a
    no-op on the Google side (neither group add nor group remove is called)
    and must leave the DB access privileges unchanged.

    Note: a later revision of this same test also appears in this listing; it
    drops the add-call assertion (see #670). If both live in one module the
    later definition shadows this one.
    """
    google = cloud_manager.return_value.__enter__.return_value

    sa = db_session.query(UserServiceAccount).filter_by(email="*****@*****.**").first()

    patch_user_service_account("test", "*****@*****.**", ["test_auth_1", "test_auth_2"])

    # Nothing changed, so no Google group membership calls are expected.
    assert google.add_member_to_group.called is False
    assert google.remove_member_from_group.called is False

    expected_project_ids = set()
    for project in db_session.query(Project).filter(
        or_(Project.auth_id == "test_auth_1", Project.auth_id == "test_auth_2")
    ).all():
        expected_project_ids.add(project.id)

    granted_project_ids = set()
    for privilege in db_session.query(ServiceAccountAccessPrivilege).filter_by(
        service_account_id=sa.id
    ).all():
        granted_project_ids.add(privilege.project_id)

    assert expected_project_ids == granted_project_ids
def test_update_user_service_account_success3(cloud_manager, db_session, setup_data):
    """
    [email protected] has access to test_auth_1 and test_auth_2 already.

    Updating with exactly the projects the account already holds must not
    trigger any Google group *removal*, and must leave the DB access
    privileges unchanged.

    This test used to also check that no Google-side add operations occurred
    in this situation, but that is no longer expected: the SA is now added to
    every project/GBAG on every update (see #670), so only the remove call is
    asserted against.
    """
    google = cloud_manager.return_value.__enter__.return_value

    sa = db_session.query(UserServiceAccount).filter_by(email="*****@*****.**").first()

    patch_user_service_account("test", "*****@*****.**", ["test_auth_1", "test_auth_2"])

    assert google.remove_member_from_group.called is False

    expected_project_ids = set()
    for project in db_session.query(Project).filter(
        or_(Project.auth_id == "test_auth_1", Project.auth_id == "test_auth_2")
    ).all():
        expected_project_ids.add(project.id)

    granted_project_ids = set()
    for privilege in db_session.query(ServiceAccountAccessPrivilege).filter_by(
        service_account_id=sa.id
    ).all():
        granted_project_ids.add(privilege.project_id)

    assert expected_project_ids == granted_project_ids
def test_update_user_service_account_success2(cloud_manager, db_session, setup_data):
    """
    [email protected] has access to test_auth_1 and test_auth_2 already.

    Updating the account to ``["test_auth_3"]`` must replace its project
    access: 'test_auth_1' and 'test_auth_2' are dropped from the access
    list and bucket-group links, and 'test_auth_3' is the single remaining
    privilege.

    NOTE(review): only the DB state is asserted here; whether the Google
    group add/remove stubs were actually invoked is not checked.
    """
    google = cloud_manager.return_value.__enter__.return_value

    # Stub responses for the Google group calls. The member payload is an
    # arbitrary stand-in (note the odd "email" value); presumably the code
    # under test does not inspect its contents -- verify if this changes.
    google.add_member_to_group.return_value = {
        "kind": "admin#directory#member",
        "etag": "test_etag",
        "id": "test_id",
        "email": "test@g,ail.com",
        "role": "test_role",
        "type": "test_type",
    }
    google.remove_member_from_group.return_value = {}

    sa = db_session.query(UserServiceAccount).filter_by(email="*****@*****.**").first()

    def current_privileges():
        # All project access rows currently attached to the fixture SA.
        return (
            db_session.query(ServiceAccountAccessPrivilege)
            .filter_by(service_account_id=sa.id)
            .all()
        )

    def current_bucket_groups():
        # All bucket-access-group links currently attached to the fixture SA.
        return (
            db_session.query(ServiceAccountToGoogleBucketAccessGroup)
            .filter_by(service_account_id=sa.id)
            .all()
        )

    # Precondition from the fixtures: two projects, two bucket groups.
    assert len(current_privileges()) == 2
    assert len(current_bucket_groups()) == 2

    patch_user_service_account("test", "*****@*****.**", ["test_auth_3"])

    target_project = db_session.query(Project).filter_by(auth_id="test_auth_3").first()

    privileges_after = current_privileges()
    assert len(privileges_after) == 1
    assert privileges_after[0].project_id == target_project.id

    assert len(current_bucket_groups()) == 1
def test_update_user_service_account_success(cloud_manager, db_session, setup_data):
    """
    [email protected] has access to test_auth_1 and test_auth_2 already.

    Updating the account to ``["test_auth_1"]`` must drop 'test_auth_2' from
    the access list and from the bucket-group links, leaving exactly one
    privilege (for test_auth_1) and one bucket group.

    NOTE(review): only the DB state is asserted here; the Google group
    add/remove stubs are not checked for having been called.
    """
    google = cloud_manager.return_value.__enter__.return_value
    google.add_member_to_group.return_value = {"email": "*****@*****.**"}
    google.remove_member_from_group.return_value = {}

    sa = db_session.query(UserServiceAccount).filter_by(email="*****@*****.**").first()

    def current_privileges():
        # All project access rows currently attached to the fixture SA.
        return (
            db_session.query(ServiceAccountAccessPrivilege)
            .filter_by(service_account_id=sa.id)
            .all()
        )

    def current_bucket_groups():
        # All bucket-access-group links currently attached to the fixture SA.
        return (
            db_session.query(ServiceAccountToGoogleBucketAccessGroup)
            .filter_by(service_account_id=sa.id)
            .all()
        )

    # Precondition from the fixtures: two projects, two bucket groups.
    assert len(current_privileges()) == 2
    assert len(current_bucket_groups()) == 2

    patch_user_service_account("test", "*****@*****.**", ["test_auth_1"])

    kept_project = db_session.query(Project).filter_by(auth_id="test_auth_1").first()

    remaining_project_ids = [row.project_id for row in current_privileges()]
    assert len(remaining_project_ids) == 1
    assert remaining_project_ids[0] == kept_project.id

    assert len(current_bucket_groups()) == 1
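def test_update_service_account_fail_no_project(cloud_manager, db_session, setup_data):
    """
    Updating access with an auth_id that matches no Project must raise
    fence.errors.NotFound.
    """
    # ``pytest.raises`` is the whole assertion. The original wrapped the call
    # in ``assert ...``, but that assert only executes when the call does
    # *not* raise -- i.e. when the test is already failing -- so it was dead
    # code that merely obscured the failure message.
    with pytest.raises(fence.errors.NotFound):
        patch_user_service_account("google_test", "*****@*****.**", ["no_project_auth"])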
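def test_update_user_service_account_raise_NotFound_exc(
    cloud_manager, db_session, setup_data
):
    """
    Updating a service account email that does not exist must raise
    fence.errors.NotFound.
    """
    # ``pytest.raises`` is the whole assertion; the original ``assert`` on the
    # return value inside the block could only run when the call failed to
    # raise, so it added nothing but a misleading AssertionError.
    with pytest.raises(fence.errors.NotFound):
        patch_user_service_account(
            "google_test", "non_existed_service_account", ["test_auth_1"]
        )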
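def test_update_user_service_account_raise_GoogleAPI_exc(
    cloud_manager, db_session, setup_data
):
    """
    A CirrusError raised while removing the member from a Google group must
    propagate out of patch_user_service_account unchanged.
    """
    google = cloud_manager.return_value.__enter__.return_value
    google.remove_member_from_group.side_effect = CirrusError("exception")

    # ``pytest.raises`` is the whole assertion; the original ``assert`` on the
    # return value inside the block was unreachable on the expected path.
    with pytest.raises(CirrusError):
        patch_user_service_account("test", "*****@*****.**", ["test_auth_2"])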
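def test_update_user_service_account_raise_GoogleAPI_exc4(
    cloud_manager, db_session, setup_data
):
    """
    An unexpected response from the Google group *removal* call must surface
    as a CirrusError while updating membership.

    The original setup stubbed ``delete_member_from_group``, an attribute no
    other test in this module uses: the code under test is driven through
    ``remove_member_from_group`` everywhere else (and the success tests stub
    that name with ``{}``). On a MagicMock the misspelt stub was a silent
    no-op, so the test could only pass for reasons unrelated to its docstring.
    """
    google = cloud_manager.return_value.__enter__.return_value
    # NOTE(review): assumes patch_user_service_account validates the removal
    # response and rejects this body with CirrusError -- confirm against the
    # implementation.
    google.remove_member_from_group.return_value = {"a": "b"}

    with pytest.raises(CirrusError):
        patch_user_service_account("test", "*****@*****.**", ["test_auth_1"])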
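def test_update_user_service_account_raise_GoogleAPI_exc2(
    cloud_manager, db_session, setup_data
):
    """
    A failure while adding the member to a Google group must propagate out of
    patch_user_service_account.
    """
    google = cloud_manager.return_value.__enter__.return_value
    google.add_member_to_group.side_effect = Exception("exception")

    # ``match`` pins the assertion to the stubbed failure: a bare
    # ``pytest.raises(Exception)`` is also satisfied by an unrelated
    # AttributeError/NameError from a broken fixture, so it could pass while
    # the add path was never reached. Assumes the error propagates with its
    # message intact, as CirrusError does in the sibling removal test.
    with pytest.raises(Exception, match="exception"):
        patch_user_service_account(
            "test", "*****@*****.**", ["test_auth_1", "test_auth_2", "test_auth_3"]
        )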