def test_permission_grant_revoke(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Grant a permission to a service account in the UI, then revoke it.

    The owning group holds ``some-permission`` with argument ``foo``. The test
    grants that permission to the group's service account and revokes it again,
    checking the owner and the permission table before, between and after.
    """
    # NOTE(review): the e-mail literals in this copy look masked by the page
    # extraction; they are reproduced exactly as found.
    account_path = "/groups/some-group/service/[email protected]"

    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        assert account_view.permission_rows == []

        # Grant through the form reached from the "add permission" button.
        account_view.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        # The same page object is reused after the grant; it is read again here.
        assert account_view.owner == "some-group"
        rows = account_view.permission_rows
        assert len(rows) == 1
        granted = rows[0]
        assert granted.permission == "some-permission"
        assert granted.argument == "foo"

        # Revoke requires confirming the modal; afterwards the table is empty.
        granted.click_revoke_button()
        revoke_modal = account_view.get_revoke_permission_modal()
        revoke_modal.confirm()

        assert account_view.owner == "some-group"
        assert account_view.permission_rows == []
def test_service_account_edit(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Edit a service account's description and machine set through the UI.

    An invalid machine set must produce alerts on the edit form. The corrected
    value must then be saved, the browser must land back on the account URL,
    and the view page must show the new description and machine set.
    """
    # NOTE(review): the e-mail literals in this copy look masked by the page
    # extraction; they are reproduced exactly as found.
    account_path = "/groups/some-group/service/[email protected]"

    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        assert account_view.description == ""
        assert account_view.machine_set == ""

        account_view.click_edit_button()
        edit_form = ServiceAccountEditPage(browser)
        edit_form.set_description("some description")

        # Rejected input first: both the field alert and the message must show.
        edit_form.set_machine_set("some machines bad-machine")
        edit_form.submit()
        assert edit_form.has_alert("machine_set")
        assert edit_form.has_alert("[email protected] has invalid machine set")

        # Corrected input: the edit is accepted and the view page reflects it.
        edit_form.set_machine_set("some machines")
        edit_form.submit()

        assert browser.current_url.endswith(account_path)
        assert account_view.description == "some description"
        assert account_view.machine_set == "some machines"
def test_permission_grant_denied(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Check the two refusal paths for granting a permission to a service account.

    1. The grant form is submitted with argument ``bar`` while the owning group
       only holds ``some-permission`` with argument ``foo``; the form must show
       a "Permission denied" alert.
    2. A second user opens the account page and clicks the add-permission
       button; the result must be the 403 error page.
    """
    # NOTE(review): the e-mail literals in this copy look masked by the page
    # extraction, so the two users set up below cannot be told apart here; the
    # inline comments treat them as distinct identities.
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.add_user_to_group("*****@*****.**", "other-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    # A member of the owning team is denied when trying to grant a permission
    # the team doesn't have: the selected entry is (foo), the typed argument is bar.
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        grant_url = url(
            frontend_url, "/groups/some-group/service/[email protected]/grant"
        )
        browser.get(grant_url)

        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("bar")
        grant_form.submit()
        assert grant_form.has_alert("Permission denied")

    # An unrelated user can click the Add Permission button but gets a 403.
    # NOTE(review): this covers the request made by clicking the button; a
    # submitted grant by this user is not exercised in this test.
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        account_url = url(frontend_url, "/groups/some-group/service/[email protected]")
        browser.get(account_url)

        account_view = ServiceAccountViewPage(browser)
        assert len(account_view.permission_rows) == 0

        account_view.click_add_permission_button()
        error_page = ErrorPage(browser)
        assert error_page.heading == "Error"
        assert error_page.subheading == "403 Forbidden"
def test_service_account_lifecycle(async_server, browser):  # noqa: F811
    """Walk a service account through create, disable and re-enable in the UI.

    NOTE(review): this variant contains no ``assert`` statements; it only fails
    if one of the page-object calls raises. The resulting owner and account
    state are not checked.
    """
    # Create the account from the owning group's page.
    browser.get(url(async_server, "/groups/user-admins"))
    group_view = GroupViewPage(browser)
    group_view.click_add_service_account_button()

    create_form = ServiceAccountCreatePage(browser)
    create_form.set_name("my-special-service-account")
    create_form.submit()

    # Disable it; the action has to be confirmed in a modal.
    account_view = ServiceAccountViewPage(browser)
    account_view.click_disable_button()
    confirm_disable = account_view.get_disable_modal()
    confirm_disable.confirm()

    # Find the account again via the users list, with both filters switched on.
    browser.get(url(async_server, "/users"))
    users_view = UsersViewPage(browser)
    users_view.click_show_disabled_users_button()
    users_view.click_show_service_accounts_button()

    # NOTE(review): the address in this row label looks masked in this copy.
    row_label = "[email protected] (service)"
    account_row = users_view.find_user_row(row_label)
    account_row.click()

    # Re-enable it, choosing the owner on the enable form.
    account_view = ServiceAccountViewPage(browser)
    account_view.click_enable_button()

    enable_form = ServiceAccountEnablePage(browser)
    enable_form.select_owner("Group: user-admins")
    enable_form.submit()
def test_permission_grant_revoke(tmpdir, setup, browser):
    # type: (LocalPath, SetupTest, Chrome) -> None
    """Grant a permission to a service account in the UI, then revoke it.

    The owning group holds ``some-permission`` with argument ``foo``. The
    permission table must be empty at the start, hold exactly that grant after
    the form is submitted, and be empty again once the revoke is confirmed.
    """
    # NOTE(review): the e-mail literals in this copy look masked by the page
    # extraction; they are reproduced exactly as found.
    account_path = "/groups/some-group/service/[email protected]"

    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.permission_rows == []

        account_view.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        # A fresh page object is built after the grant, as in the original.
        account_view = ServiceAccountViewPage(browser)
        rows = account_view.permission_rows
        assert len(rows) == 1
        granted = rows[0]
        assert granted.permission == "some-permission"
        assert granted.argument == "foo"

        # Revoke requires confirming the modal; afterwards the table is empty.
        granted.click_revoke_button()
        revoke_modal = account_view.get_revoke_permission_modal()
        revoke_modal.confirm()

        assert account_view.permission_rows == []
def test_escaped_at_sign(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Open a service account page whose URL has the ``@`` written as ``%40``.

    The percent-encoded path must resolve to the service account: the page
    subheading names it and the owner is the group it was created under.
    """
    # NOTE(review): the e-mail literals in this copy look masked by the page
    # extraction; they are reproduced exactly as found.
    escaped_path = "/groups/some-group/service/service%40svc.localhost"

    with setup.transaction():
        setup.create_service_account("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, escaped_path))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.subheading == "Service Account: [email protected]"
        assert account_view.owner == "some-group"
def test_permission_revoke_denied(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Check that revoking a service account permission is refused without access.

    Two things are verified:

    1. For a user who is not in the owning group, the revoke button is absent
       from the permission row (clicking it raises ``NoSuchElementException``).
    2. If the page was rendered while the user was a group member and the
       membership is removed before the click, confirming the revoke must show
       the "unauthorized" message. The rendered button alone must not be enough.
    """
    # NOTE(review): the e-mail literals in this copy look masked by the page
    # extraction; they are reproduced exactly as found.
    account_path = "/groups/some-group/service/[email protected]"

    with setup.transaction():
        setup.create_service_account("*****@*****.**", "some-group")
        setup.grant_permission_to_service_account("some-permission", "*", "*****@*****.**")
        setup.create_user("*****@*****.**")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        rows = account_view.permission_rows
        assert len(rows) == 1
        existing_grant = rows[0]
        assert existing_grant.permission == "some-permission"
        assert existing_grant.argument == "*"

        # The button doesn't show for someone who can't manage the service account.
        with pytest.raises(NoSuchElementException):
            existing_grant.click_revoke_button()

    # Add the user to the group so that the revoke button shows up, and then
    # remove the membership again before clicking it. The revoke URL cannot be
    # requested directly without making the button appear, because Python
    # Selenium doesn't support a test-initiated POST (only GET).
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
        rows = account_view.permission_rows
        assert len(rows) == 1
        existing_grant = rows[0]

        # Membership is dropped after the page (and its button) was rendered.
        with setup.transaction():
            setup.remove_user_from_group("*****@*****.**", "some-group")

        existing_grant.click_revoke_button()
        revoke_modal = account_view.get_revoke_permission_modal()
        revoke_modal.confirm()

        assert account_view.has_text("The operation you tried to complete is unauthorized")
def test_service_account_lifecycle(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Create, disable and re-enable a service account through the UI.

    Creation is attempted with an invalid machine set and then with an invalid
    name before it succeeds. The account is then disabled, located again in the
    users list, and re-enabled under a different owning group, which the view
    page must report as the new owner.
    """
    # NOTE(review): the e-mail literals in this copy look masked by the page
    # extraction; they are reproduced exactly as found.
    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "user-admins")
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.grant_permission_to_group(USER_ADMIN, "", "user-admins")

    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, "/groups/user-admins"))

        group_view = GroupViewPage(browser)
        group_view.click_add_service_account_button()

        # Test with an invalid machine set.
        create_form = ServiceAccountCreatePage(browser)
        create_form.set_name("my-special-service-account")
        create_form.set_description("some description")
        create_form.set_machine_set("some machines bad-machine")
        create_form.submit()
        assert create_form.has_alert("machine_set")
        expected = "[email protected] has invalid machine set"
        assert create_form.has_alert(expected)

        # Fix the machine set but test with an invalid name.
        create_form.set_name("service@service@service")
        create_form.set_machine_set("some machines")
        create_form.submit()
        assert create_form.has_alert("name")

        # Fix the name and then creation should succeed.
        create_form.set_name("my-special-service-account")
        create_form.submit()

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "user-admins"
        assert account_view.description == "some description"
        assert account_view.machine_set == "some machines"

        # Disable the account; the action has to be confirmed in a modal.
        account_view.click_disable_button()
        confirm_disable = account_view.get_disable_modal()
        confirm_disable.confirm()

        # Find it again in the users list with both filters switched on.
        browser.get(url(frontend_url, "/users"))

        users_view = UsersViewPage(browser)
        users_view.click_show_disabled_users_button()
        users_view.click_show_service_accounts_button()

        row_label = "[email protected] (service)"
        account_row = users_view.find_user_row(row_label)
        account_row.click()

        # Re-enable under a different owner and check that the owner changed.
        account_view = ServiceAccountViewPage(browser)
        account_view.click_enable_button()

        enable_form = ServiceAccountEnablePage(browser)
        enable_form.select_owner("Group: some-group")
        enable_form.submit()

        account_view = ServiceAccountViewPage(browser)
        assert account_view.owner == "some-group"
def test_permission_grant(tmpdir: LocalPath, setup: SetupTest, browser: Chrome) -> None:
    """Check the three ways a permission grant to a service account is allowed.

    1. Delegation from the owning group, which holds ``some-permission`` with
       argument ``foo``.
    2. A user whose group holds ``grouper.permission.grant`` with argument
       ``some-permission/bar`` grants ``some-permission`` with argument ``bar``.
    3. A user whose group holds ``PERMISSION_ADMIN`` selects the ``(*)`` entry
       and grants an arbitrary argument.

    After each grant the permission table must have one more row with the
    expected permission and argument.
    """
    # NOTE(review): the e-mail literals in this copy look masked by the page
    # extraction, so the three users set up below cannot be told apart here; the
    # inline comments treat them as distinct identities.
    # NOTE(review): the index-based row checks (rows[1], rows[2]) rely on the
    # order in which the page lists permissions; confirm against the page object.
    account_path = "/groups/some-group/service/[email protected]"

    with setup.transaction():
        setup.add_user_to_group("*****@*****.**", "some-group")
        setup.add_user_to_group("*****@*****.**", "other-group")
        setup.add_user_to_group("*****@*****.**", "permission-admins")
        setup.grant_permission_to_group("some-permission", "foo", "some-group")
        setup.grant_permission_to_group(
            "grouper.permission.grant", "some-permission/bar", "other-group"
        )
        setup.grant_permission_to_group(PERMISSION_ADMIN, "", "permission-admins")
        setup.create_service_account("*****@*****.**", "some-group")

    # Member of the owning group should be able to delegate perms down from the owning group
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert account_view.permission_rows == []

        account_view.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (foo)")
        grant_form.set_argument("foo")
        grant_form.submit()

        rows = account_view.permission_rows
        assert len(rows) == 1
        newest = rows[0]
        assert newest.permission == "some-permission"
        assert newest.argument == "foo"

    # Unrelated user can grant perms for which they have the appropriate grouper.permission.grant
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert len(account_view.permission_rows) == 1

        account_view.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (bar)")
        grant_form.set_argument("bar")
        grant_form.submit()

        rows = account_view.permission_rows
        assert len(rows) == 2
        newest = rows[1]
        assert newest.permission == "some-permission"
        assert newest.argument == "bar"

    # Permission admin can grant any permission with any argument to any service account
    with frontend_server(tmpdir, "*****@*****.**") as frontend_url:
        browser.get(url(frontend_url, account_path))

        account_view = ServiceAccountViewPage(browser)
        assert len(account_view.permission_rows) == 2

        account_view.click_add_permission_button()
        grant_form = ServiceAccountGrantPermissionPage(browser)
        grant_form.select_permission("some-permission (*)")
        grant_form.set_argument("weewoo")
        grant_form.submit()

        rows = account_view.permission_rows
        assert len(rows) == 3
        newest = rows[2]
        assert newest.permission == "some-permission"
        assert newest.argument == "weewoo"