def test_get_user(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
setup.add_user_to_group("*****@*****.**", "admins")
setup.grant_permission_to_group(GROUP_ADMIN, "", "admins")
setup.grant_permission_to_group(USER_ADMIN, "", "admins")
setup.add_user_to_group("*****@*****.**", "some-group")
setup.grant_permission_to_group("some-permission", "one", "some-group")
setup.add_group_to_group("some-group", "parent-group")
setup.grant_permission_to_group("some-permission", "two", "some-group")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
user = api_client.users.get("*****@*****.**")
assert sorted(user.groups) == ["admins", "parent-group", "some-group"]
assert user.passwords == []
assert user.public_keys == []
assert user.enabled
assert user.service_account is None
assert user.metadata == {}
permissions = [(p.permission, p.argument) for p in user.permissions]
assert sorted(permissions) == sorted([
(GROUP_ADMIN, ""),
(USER_ADMIN, ""),
("some-permission", "one"),
("some-permission", "two"),
])
def test_get_groups(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
create_graph(setup)
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert sorted(api_client.groups) == ["all-teams", "serving-team", "team-infra", "team-sre"]
def test_user_metadata(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
setup.create_user("*****@*****.**")
setup.add_public_key_to_user(SSH_KEY_1, "*****@*****.**")
setup.add_public_key_to_user(SSH_KEY_2, "*****@*****.**")
setup.add_metadata_to_user("some-key", "some-value", "*****@*****.**")
setup.create_user("*****@*****.**")
setup.add_metadata_to_user("github_username", "zorkian",
"*****@*****.**")
setup.add_metadata_to_user("shell", "/usr/bin/fish", "*****@*****.**")
setup.create_user("*****@*****.**")
setup.session.flush()
setup.disable_user("*****@*****.**")
setup.create_role_user("*****@*****.**", "Some role user")
setup.create_service_account("*****@*****.**", "some-group")
ssh_key_1 = key_to_public_key(SSH_KEY_1)
ssh_key_2 = key_to_public_key(SSH_KEY_2)
expected = {
"*****@*****.**": {
"role_user":
False,
"metadata": {
"some-key": "some-value"
},
"public_keys": [
{
"public_key": ssh_key_1.public_key,
"fingerprint": ssh_key_1.fingerprint,
"fingerprint_sha256": ssh_key_1.fingerprint_sha256,
},
{
"public_key": ssh_key_2.public_key,
"fingerprint": ssh_key_2.fingerprint,
"fingerprint_sha256": ssh_key_2.fingerprint_sha256,
},
],
},
"*****@*****.**": {
"role_user": True,
"metadata": {},
"public_keys": []
},
"*****@*****.**": {
"role_user": False,
"metadata": {
"github_username": "******",
"shell": "/usr/bin/fish"
},
"public_keys": [],
},
}
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
result = api_client._fetch("/user-metadata")
assert result["status"] == "ok"
assert result["data"]["users"] == expected
def test_get_permissions(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
setup.create_permission("some-permission")
setup.create_permission("another-permission")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert sorted(api_client.permissions) == ["another-permission", "some-permission"]
def test_get_service_accounts(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
setup.create_user("*****@*****.**")
setup.create_role_user("*****@*****.**")
setup.create_service_account("*****@*****.**", "team-sre")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert sorted(
api_client.service_accounts) == ["*****@*****.**", "*****@*****.**"]
def test_get_permissions(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
setup.create_permission("some-permission")
setup.create_permission("another-permission")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert sorted(api_client.permissions) == [
"another-permission", "some-permission"
]
def test_get_permission(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
setup.grant_permission_to_group("ssh", "foo", "sad-team")
setup.grant_permission_to_group("ssh", "bar", "team-sre")
setup.grant_permission_to_group("ssh", "*", "tech-ops")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
permission = api_client.permissions.get("ssh")
assert sorted(permission.groups) == ["sad-team", "team-sre", "tech-ops"]
def test_get_permission(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
setup.grant_permission_to_group("ssh", "foo", "sad-team")
setup.grant_permission_to_group("ssh", "bar", "team-sre")
setup.grant_permission_to_group("ssh", "*", "tech-ops")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
permission = api_client.permissions.get("ssh")
assert sorted(
permission.groups) == ["sad-team", "team-sre", "tech-ops"]
def test_get_role_user(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
setup.create_role_user("*****@*****.**")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
role_user = api_client.service_accounts.get("*****@*****.**")
assert sorted(role_user.groups) == ["*****@*****.**"]
assert role_user.passwords == []
assert role_user.public_keys == []
assert role_user.enabled
assert role_user.service_account is None
assert role_user.permissions == []
assert role_user.metadata == {}
def test_get_users(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
setup.add_user_to_group("*****@*****.**", "some-group")
setup.create_user("*****@*****.**")
setup.create_user("*****@*****.**")
setup.disable_user("*****@*****.**")
setup.create_service_account("*****@*****.**", "some-group")
setup.create_role_user("*****@*****.**")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert sorted(api_client.users) == [
"*****@*****.**", "*****@*****.**", "*****@*****.**"
]
def test_list_grants_of_permission(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
create_graph(setup)
expected = {
"users": {"*****@*****.**": ["bar", "foo"], "*****@*****.**": ["*"]},
"service_accounts": {"*****@*****.**": ["*"]},
}
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
result = api_client._fetch("/grants/some-permission")
assert result["status"] == "ok"
assert result["data"]["permission"] == "some-permission"
assert result["data"]["grants"] == expected
def test_list_grants(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
create_graph(setup)
expected = {
"not-gary": {
"users": {
"*****@*****.**": ["foo"]
},
"role_users": {},
"service_accounts": {}
},
"other-permission": {
"users": {
"*****@*****.**": [""]
},
"role_users": {},
"service_accounts": {},
},
"some-permission": {
"users": {
"*****@*****.**": ["bar", "foo"],
"*****@*****.**": ["*"]
},
"role_users": {
"*****@*****.**": ["foo", "role"]
},
"service_accounts": {
"*****@*****.**": ["*"]
},
},
"twice": {
"users": {
"*****@*****.**": ["*"]
},
"role_users": {},
"service_accounts": {}
},
}
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
result = api_client._fetch("/grants")
assert result["status"] == "ok"
assert result["data"]["permissions"] == expected
def test_includes_disabled_service_accounts(tmpdir: LocalPath,
setup: SetupTest) -> None:
with setup.transaction():
setup.create_service_account("*****@*****.**", "some-group",
"some machines", "an account")
setup.disable_service_account("*****@*****.**")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
assert list(api_client.service_accounts) == ["*****@*****.**"]
service_account = api_client.service_accounts.get("*****@*****.**")
assert service_account.groups == {}
assert not service_account.enabled
assert service_account.service_account == {
"description": "an account",
"machine_set": "some machines",
}
assert service_account.permissions == []
def test_includes_disabled_service_accounts(tmpdir, setup):
# type: (LocalPath, SetupTest) -> None
with setup.transaction():
setup.create_service_account("*****@*****.**", "some-group", "an account", "some machines")
with setup.transaction():
setup.disable_service_account("*****@*****.**")
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url) # noqa: F811
assert list(api_client.service_accounts) == ["*****@*****.**"]
service_account = api_client.service_accounts.get("*****@*****.**")
assert service_account.groups == {}
assert not service_account.enabled
assert service_account.service_account == {
"description": "an account",
"machine_set": "some machines",
}
assert service_account.permissions == []
def test_get_service_account(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
setup.create_service_account(
"*****@*****.**",
owner="team-sre",
machine_set="some machines",
description="some service account",
)
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
service_account = api_client.service_accounts.get("*****@*****.**")
assert service_account.groups == {}
assert service_account.passwords == []
assert service_account.public_keys == []
assert service_account.enabled
assert service_account.service_account == {
"description": "some service account",
"machine_set": "some machines",
"owner": "team-sre",
}
assert service_account.permissions == []
assert service_account.metadata == {}
def test_get_group(tmpdir: LocalPath, setup: SetupTest) -> None:
with setup.transaction():
create_graph(setup)
with api_server(tmpdir) as api_url:
api_client = Groupy(api_url)
group = api_client.groups.get("team-sre")
assert sorted(group.groups) == ["all-teams", "serving-team", "team-infra"]
assert sorted(group.users) == ["*****@*****.**", "*****@*****.**", "*****@*****.**"]
assert group.subgroups == {}
assert group.audited
assert group.contacts == {"email": "*****@*****.**"}
permissions = [(p.permission, p.argument) for p in group.permissions]
assert sorted(permissions) == [
("audited", ""),
("ssh", "*"),
("sudo", "shell"),
("team-sre", "*"),
]
group = api_client.groups.get("serving-team")
assert sorted(group.subgroups) == ["team-sre"]
def async_api_server(standard_graph, tmpdir):
with api_server(tmpdir) as api_url:
yield api_url